April 2026

Zero-touch deployment with Jamf and Apple Business: practical decisions in 2026

Apple Business changed the blueprint for zero-touch deployment — literally. If you're planning or reviewing your zero-touch setup in 2026, here's what's changed, what still requires Jamf, and where the two tools work best together.

What zero-touch deployment actually means

Zero-touch means a device arrives from Apple or a reseller, a user opens the box, signs in, and ends up with a fully configured Mac or iPhone — right apps installed, Wi-Fi configured, FileVault on, policies applied — without IT touching the hardware.

The infrastructure underneath that experience involves three things:

  • Automated Device Enrolment (ADE) — Apple's mechanism that binds a device to your MDM before the user sees Setup Assistant
  • An MDM — either Jamf Pro with a PreStage Enrolment, or Apple Business's built-in MDM with a Blueprint
  • Identity — how the device knows who the user is from the moment they first sign in

All three have changed or expanded in the last six months.

PreStage Enrolments vs Apple Business Blueprints

Since Apple Business launched, organisations have two routes for ADE configuration: Jamf Pro's PreStage Enrolments or Apple Business Blueprints. They serve the same broad purpose — define what Setup Assistant shows, which MDM a device enrols into, and the initial out-of-box experience. But they're not equivalent.

Apple Business Blueprints are simpler. Assign a Blueprint to a device group or Managed Apple Account, and when the device boots it enrols silently, the user signs in with their work Apple Account, and the Blueprint pushes apps and settings. For a ten-person company or a single-platform deployment with uniform requirements, this is genuinely sufficient.

Jamf PreStage Enrolments give you more control: custom Setup Assistant panes, departmental segmentation by prestage, custom enrolment completion actions, and staging rings — and critically, they feed into the full Jamf policy engine. The device isn't just enrolled; it's a node in your smart group hierarchy from minute one.

Our general rule: if your deployment needs a conditional — "Finance gets FileVault enforced and a DLP profile, contractors get only Wi-Fi and Self Service" — you need Jamf. If everyone gets the same thing, Blueprints may be enough.

Setting it up: Jamf Pro and Apple Business together

For Jamf-managed deployments, Apple Business is still your device source. You're not replacing ADE — you're using Apple Business as the portal for MDM assignment. The difference from the old Apple Business Manager is that Blueprints now sit alongside your Jamf PreStages, and you need to be deliberate about which tool owns which part of the experience.

Step 1: Assign devices to Jamf

In Apple Business, go to Device Assignments and point your device group at Jamf Pro as the MDM server. This works identically to how it worked in Apple Business Manager. The device boots, reaches Apple's activation servers, and is redirected to your Jamf instance.

Step 2: Configure your PreStage

In Jamf Pro, the PreStage defines the Setup Assistant experience. Key settings to review:

  • Platform SSO — if you're using Microsoft Entra or Okta, Platform SSO is the cleanest way to bind the Mac's local account to a corporate identity at first login. Jamf Pro 11.26 added automatic Entra device registration for devices using Simplified Setup for Platform SSO, which means the Conditional Access token arrives during enrolment rather than after a helpdesk ticket.
  • Enrolment completion — use Jamf's enrolment complete trigger to kick off your policy chain: configuration profiles, software installs, and startup scripts.
  • Supervised mode — ensure supervision is enabled. Without it, a long tail of MDM commands silently fail.

Step 3: Wire in identity

This is where most deployments go wrong. The typical mistake is treating identity as an afterthought — enrol first, sort the user account later. With Managed Apple Accounts and Platform SSO, you can do this correctly from Setup Assistant itself.

If you're using Managed Apple Accounts provisioned through Apple Business's identity provider sync, the user signs in during Setup Assistant with their work Apple Account. Platform SSO then ties the local macOS account to that identity in one step, with no second login prompt.

Step 4: Test the full flow end-to-end

Before deploying at scale, wipe and re-enrol a test device. The full flow — unbox to ready desktop — should take under ten minutes. If it runs long, the bottleneck is almost always software installation during enrolment. Move heavy installs to a policy triggered after enrolment completes, so Setup Assistant doesn't hold the user at a waiting screen.

The first-day user experience

When everything is wired correctly:

1. Unbox the device
2. Connect to Wi-Fi
3. Sign in with Managed Apple Account
4. Wait briefly while Jamf installs profiles and apps in the background
5. Arrive at the desktop — configured, compliant, and identity-bound

The quality bar to aim for is "sign in once." If users are hitting a second login prompt for Jamf Connect, or manually registering with Entra, or being asked to approve a profile after first login — those are gaps in the identity wiring, not expected behaviour.

Common pitfalls

Skipping supervised mode. Easy to miss in a PreStage configuration and invisible until you try to push a command that silently fails.

Not accounting for Managed Apple Account provisioning lag. Accounts synced from your identity provider don't appear instantaneously. A device assigned before the account exists will hit an error at Setup Assistant. Build at least a two-hour buffer between account provisioning and device assignment in your onboarding workflow.

Blueprint and PreStage fighting over Setup Assistant. If a device is assigned to an Apple Business Blueprint AND a Jamf PreStage, the Blueprint's Setup Assistant configuration takes precedence. You'll see unexpected panes — or missing ones. Pick one tool to own the Setup Assistant experience and keep the other out of that lane entirely.

Assuming zero-touch is retroactive. It's an enrolment-time feature. Devices already enrolled won't automatically receive the new experience. Retrofitting requires a refresh cycle or a directed wipe and re-enrol for machines that need to meet the new standard.

Connecting the automation layer

If you're deploying at any scale, the Apple Business Admin API is worth connecting alongside your Jamf deployment. The pattern we use:

  • Apple Business API provides device inventory and enrolment state — what Apple knows
  • Jamf Pro API provides compliance state, profile state, and policy inventory — what your MDM knows
  • A nightly reconciliation job flags devices present in Apple Business but not enrolled in Jamf, and any enrolled devices with a stale enrolment date — these are usually wipes that need reprocessing

The Admin API doesn't replace Jamf's own APIs here, but it fills the gaps around device sourcing and user assignment that Jamf can't see from its side of the fence.
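A sketch of that nightly reconciliation, added here as an illustration and not taken from our production job or from either vendor's API. It assumes both inventories have already been exported to lists of records, that every Apple Business record shown is assigned to the Jamf MDM server, and that "stale" means Jamf's enrolment predates Apple's latest assignment; all field names are hypothetical. It also reports the supervision and Blueprint-overlap pitfalls described earlier.

```python
from datetime import datetime

# Constructed sample exports. Field names are assumptions for this example,
# not the schema of the Apple Business Admin API or the Jamf Pro API.
APPLE_BUSINESS = [
    {"serial": "C02EXAMPLE01", "blueprint": None, "assigned_at": "2026-03-01T09:00:00+00:00"},
    {"serial": "C02EXAMPLE02", "blueprint": None, "assigned_at": "2026-04-02T09:00:00+00:00"},
    {"serial": "C02EXAMPLE03", "blueprint": "Standard", "assigned_at": "2026-03-10T09:00:00+00:00"},
    {"serial": "C02EXAMPLE04", "blueprint": None, "assigned_at": "2026-03-15T09:00:00+00:00"},
]
JAMF = [
    {"serial": "c02example01 ", "enrolled_at": "2026-03-02T10:00:00+00:00", "supervised": True},
    {"serial": "C02EXAMPLE02", "enrolled_at": "2025-11-20T10:00:00+00:00", "supervised": True},
    {"serial": "C02EXAMPLE03", "enrolled_at": "2026-03-11T10:00:00+00:00", "supervised": False},
]


def _key(serial):
    # Normalise serials so case or stray whitespace cannot hide a match.
    return serial.strip().upper()


def reconcile(apple_devices, jamf_devices):
    """Return {finding: sorted serials} for the nightly report."""
    jamf = {_key(d["serial"]): d for d in jamf_devices}
    findings = {"not_enrolled": [], "stale_enrolment": [],
                "blueprint_overlap": [], "unsupervised": []}
    for a in apple_devices:
        serial = _key(a["serial"])
        j = jamf.get(serial)
        if j is None:
            # Apple knows the device, the MDM has never seen it enrol.
            findings["not_enrolled"].append(serial)
            continue
        # Stale: Apple assigned the device after Jamf last saw it enrol,
        # which usually points at a wipe that needs reprocessing.
        if datetime.fromisoformat(j["enrolled_at"]) < datetime.fromisoformat(a["assigned_at"]):
            findings["stale_enrolment"].append(serial)
        # A Blueprint on a Jamf-enrolled device means two owners of Setup Assistant.
        if a["blueprint"]:
            findings["blueprint_overlap"].append(serial)
        if not j["supervised"]:
            findings["unsupervised"].append(serial)
    return {name: sorted(serials) for name, serials in findings.items()}


if __name__ == "__main__":
    for name, serials in reconcile(APPLE_BUSINESS, JAMF).items():
        print(f"{name}: {', '.join(serials) or '-'}")
```
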

The short version

Zero-touch in 2026 is more capable than it has ever been, but the moving parts are also more numerous. Apple Business adds Blueprints and Managed Apple Accounts into the mix alongside Jamf's PreStages and policies. Used well together, the result is a device that is enrolled, configured, and identity-bound before the user finishes their first coffee. Used carelessly, you get two tools competing to own the Setup Assistant experience and a confused user holding a half-configured Mac.

If you want to review your current zero-touch setup or design one from scratch, get in touch — we run a structured scoping call that covers exactly this ground.

Wolke

Copyright © 2026 Wolke. All rights reserved.