User authentication ensures that incoming enrolment requests are from authorised users, and that the user's device information is captured before proceeding with certificate enrolment.
After the user is authenticated, iOS generates a certificate enrolment request using the Simple Certificate Enrollment Protocol (SCEP). This enrolment request is sent directly to the enterprise Certificate Authority (CA), and enables the iPhone or iPad to receive the identity certificate from the CA in response.
Once the device is installed, the device can receive encrypted configuration information over the air. This information can only be installed on the device it is intended for and contains the settings needed to connect to the MDM server.
At the end of the enrolment process, the user will be presented with an installation screen that describes what access rights the MDM server will have on the device. By agreeing to the profile installation, the user's device is automatically enrolled without further interaction.
Once the iPhone or iPad is enrolled as a managed device, it can be dynamically configured with settings, queried for information, or remotely wiped by the MDM server.
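The certificate enrolment step above is driven by a SCEP payload inside the configuration profile the device receives. The following is an added example, not part of the original page: a pre-deployment audit of that payload. The key names (`URL`, `Keysize`, `Challenge`, `CAFingerprint`) are those of Apple's `com.apple.security.scep` payload; the sample profile, the hostname and the 2048-bit threshold are assumptions made for illustration.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample profile (not from the page); the hostname is a placeholder.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.security.scep</string>
    <key>PayloadContent</key><dict>
      <key>URL</key><string>http://scep.example.internal/scep</string>
      <key>Name</key><string>EXAMPLE-CA</string>
      <key>Keysize</key><integer>1024</integer>
    </dict>
  </dict></array>
</dict></plist>"""


def audit_scep_payloads(profile_bytes, min_keysize=2048):
    """Return a list of findings for every SCEP payload in a profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.security.scep":
            continue  # other payload types are out of scope here
        scep = payload.get("PayloadContent", {})
        scheme = urlparse(scep.get("URL", "")).scheme
        # Over plain HTTP the device can only verify the CA via a pinned fingerprint.
        if scheme != "https" and "CAFingerprint" not in scep:
            findings.append("URL is not HTTPS and no CAFingerprint pins the CA")
        keysize = scep.get("Keysize", 0)
        if keysize < min_keysize:  # threshold is an assumption of this example
            findings.append(f"Keysize {keysize} is below {min_keysize}")
        # The challenge is the shared secret tying the request to an authorised user.
        if not scep.get("Challenge"):
            findings.append("no Challenge set for the enrolment request")
    return findings


if __name__ == "__main__":
    for finding in audit_scep_payloads(SAMPLE_PROFILE):
        print("FINDING:", finding)
```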