Managed Device Attestation - ACME - Request Authorization
I'm curious about suggested workflows for a 3rd party ACME server handling a request for a managed device. Specifically, when the MDM server does not control the ACME server like it likely would when using the ACME payload for the MDM client identity, i.e., an organization with a CA that can distribute client identities using ACME; how should ACME servers validate that the request is authorized? The server, of course, would be able to validate that the attestation is valid from Apple, but how would an ACME server validate that the request is authorized for a device? I would assume that the ACME server would use the ClientIdentifier key similarly to a SCEP challenge, and that identifier should be populated in MDM either as a static challenge or dynamically fetched by MDM from the ACME service? Or possibly the ACME service would need a connection (i.e., through a RESTful API) to the MDM server to validate that it is a device under management and fetch the generated client identifier, and therefore determine that the device is authorized to request certs from the enterprise CA? It would be great if the device could attest that it is under management and have an OID for the check-in URL or the APNS topic it is registered against. This might eliminate the ACME server's need to authorize a request against the MDM server or help improve the validation of the request, etc. In any case, I'm curious about folks' thoughts on this in general :)
Replies: 2 · Boosts: 0 · Views: 2.0k · Activity: Jun ’22

Account Driven User Enrollment - Deep Linking
Hi folks, in order to facilitate users enrolling their BYOD devices via the new account-driven user enrollment flow, is there a way of deep-linking into the Settings app, specifically the VPN & Device Management pane, from a webpage? Or will organizations need to instruct users which areas within Settings to dig into in order to sign in and enroll?
Replies: 1 · Boosts: 0 · Views: 1.1k · Activity: Jul ’21