
User Enrollment and MDM

User Enrollment is designed for BYOD—or bring-your-own-device deployments—where the user, not the organization, owns the device.

The four stages of user enrollment into MDM are:

  • Service discovery: The device identifies itself to the MDM solution.

  • User enrollment: The user provides credentials to an Identity Provider (IdP) for authorization to enroll in the MDM solution.

  • Session token: A session token is issued to the device to allow ongoing authentication.

  • MDM enrollment: The enrollment profile is sent to the device with payloads configured by the MDM administrator.

User Enrollment and Managed Apple IDs

User Enrollment requires Managed Apple IDs. These are owned and managed by an organization and provide employees access to certain Apple services. In addition, Managed Apple IDs:

  • Are created manually, or automatically using federated authentication

  • Can be integrated with a Student Information System (SIS) or created by uploading .csv files (Apple School Manager only)

  • Can also be used to sign in with an assigned role in Apple School Manager or Apple Business Manager

When a user removes an enrollment profile, all configuration profiles, their settings, and managed apps based on that enrollment profile are removed with it.

User Enrollment is integrated with Managed Apple IDs to establish a user identity on the device. The user must successfully authenticate for enrollment to be completed. The Managed Apple ID can be used alongside the personal Apple ID that the user has already signed in with; the two don’t interact with each other. User Enrollment is designed for devices owned by the user.

User Enrollment and federated authentication

User Enrollment works with Google Workspace or Microsoft Azure Active Directory (Azure AD), together with Apple School Manager or Apple Business Manager and a third-party MDM solution. For your users to take advantage of synchronization with Google Workspace or Azure AD and User Enrollment, your organization must first:

  • Configure Google Workspace or Azure AD

    If you have an on-premises version of Active Directory, additional configuration is required to prepare for federated authentication.

  • Sign up your organization in Apple School Manager or Apple Business Manager

  • Set up federated authentication in Apple School Manager or Apple Business Manager

  • Configure an MDM solution and link it to Apple School Manager or Apple Business Manager

  • (Optional) Create Managed Apple IDs

User Enrollment and managed apps (macOS)

User Enrollment brings managed apps to macOS (Device Enrollment and Automated Device Enrollment already supported them). Managed apps that use CloudKit use the Managed Apple ID associated with the MDM enrollment. MDM administrators must add the InstallAsManaged key to the InstallApplication command; without it the app is installed unmanaged. Like iOS and iPadOS apps, these apps can be automatically removed when a user unenrolls from MDM.
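As an added example (not Apple's or any MDM vendor's code), a small Python lint over a plist of queued MDM commands that flags macOS InstallApplication commands lacking the InstallAsManaged key described above. The command envelope layout and the ManagementFlags value 1 (remove the app on unenrollment) are assumed from Apple's MDM protocol rather than taken from this page, and the queued commands are constructed.

```python
import plistlib

# ManagementFlags bit (Apple MDM protocol, assumed here): remove the app when
# the enrollment profile that installed it is removed.
REMOVE_ON_UNENROLL = 1


def lint_install_command(cmd: dict, platform: str) -> list:
    """Return findings for one InstallApplication command payload.

    On macOS an app is only managed under User Enrollment when
    InstallAsManaged is true; on iOS/iPadOS the install is managed
    implicitly, so only the flags and app source are checked there.
    """
    findings = []
    if cmd.get("RequestType") != "InstallApplication":
        return findings  # other command types are out of scope
    if platform == "macOS" and cmd.get("InstallAsManaged") is not True:
        findings.append("macOS install lacks InstallAsManaged=true; app stays unmanaged")
    if not cmd.get("ManagementFlags", 0) & REMOVE_ON_UNENROLL:
        findings.append("ManagementFlags does not request removal on unenrollment")
    if "iTunesStoreID" not in cmd and "ManifestURL" not in cmd:
        findings.append("no app source (iTunesStoreID or ManifestURL)")
    return findings


def lint_queue(plist_bytes: bytes, platform: str) -> dict:
    """Lint a plist array of queued MDM commands; map CommandUUID -> findings."""
    results = {}
    for envelope in plistlib.loads(plist_bytes):
        findings = lint_install_command(envelope["Command"], platform)
        if findings:
            results[envelope["CommandUUID"]] = findings
    return results


# Constructed queue: one correct command and one that would install an
# unmanaged app that survives unenrollment.
SAMPLE_QUEUE = plistlib.dumps([
    {"CommandUUID": "cmd-1", "Command": {
        "RequestType": "InstallApplication", "iTunesStoreID": 123456789,
        "InstallAsManaged": True, "ManagementFlags": REMOVE_ON_UNENROLL}},
    {"CommandUUID": "cmd-2", "Command": {
        "RequestType": "InstallApplication", "iTunesStoreID": 987654321,
        "ManagementFlags": 0}},
])

if __name__ == "__main__":
    for uuid, issues in lint_queue(SAMPLE_QUEUE, "macOS").items():
        print(uuid, issues)
```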

How users enroll their personal devices

There are two main ways users can enroll a personal device in User Enrollment—through an account or through an enrollment profile.

Account-based user enrollment

In iOS 15 or later and iPadOS 15 or later, organizations can use a streamlined User Enrollment process, built right into the Settings app to make it easier for users to enroll their personal devices.

To do this, the user navigates to Settings > General > VPN & Device Management and taps the “Sign in to Work or School Account” button.

As they enter their Managed Apple ID, service discovery identifies the MDM solution’s enrollment URL.

The user enters their organization user name and password. After the organization’s authentication succeeds, the enrollment profile is sent to the device. Additionally, a session token is issued to the device to allow ongoing authorization.

Finally, after a user is signed in, the new managed account is displayed prominently within the Settings app.
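The service-discovery step of this flow, modelled as an added Python example (not Apple's code): the domain part of the Managed Apple ID is turned into the discovery URL, and the JSON reply is parsed for the User Enrollment server, rejecting non-HTTPS endpoints. The /.well-known/com.apple.remotemanagement path, the user-identifier query and the mdm-byod Version string follow Apple's account-driven enrollment specification and are assumptions relative to this page; the sample response and example.com hostnames are constructed.

```python
import json
from urllib.parse import quote, urlsplit

# Apple's well-known discovery resource for account-driven enrollment and the
# Version string that marks a User Enrollment (BYOD) server entry.
WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
USER_ENROLLMENT_VERSION = "mdm-byod"


def discovery_url(managed_apple_id: str) -> str:
    """Build the HTTPS discovery URL from the Managed Apple ID's domain part."""
    local, sep, domain = managed_apple_id.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("Managed Apple ID must look like user@domain")
    # The whole identifier is passed so the server can route per user.
    query = "user-identifier=" + quote(managed_apple_id)
    return f"https://{domain}{WELL_KNOWN_PATH}?{query}"


def select_enrollment_base_url(body: str) -> str:
    """Return the User Enrollment BaseURL from the discovery JSON.

    Non-HTTPS servers and entries for other enrollment types are rejected so
    credentials are never posted to a downgraded or mismatched endpoint.
    """
    servers = json.loads(body).get("Servers")
    if not isinstance(servers, list):
        raise ValueError("discovery response has no Servers array")
    for entry in servers:
        if entry.get("Version") != USER_ENROLLMENT_VERSION:
            continue  # e.g. an "mdm-adde" device-enrollment entry
        base = entry.get("BaseURL", "")
        parts = urlsplit(base)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"refusing non-HTTPS enrollment URL: {base!r}")
        return base
    raise ValueError("no mdm-byod server advertised")


# Constructed sample response; example.com is a placeholder organisation.
SAMPLE_RESPONSE = json.dumps({"Servers": [
    {"Version": "mdm-adde", "BaseURL": "https://mdm.example.com/adde"},
    {"Version": "mdm-byod", "BaseURL": "https://mdm.example.com/byod"},
]})

if __name__ == "__main__":
    print(discovery_url("jane@example.com"))
    print(select_enrollment_base_url(SAMPLE_RESPONSE))
```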

After enrollment, users can still access files in their personal iCloud Drive. The iCloud Drive for the organization appears separately in the Files app. In iOS and iPadOS, managed apps and managed web-based documents all have access to the organization’s iCloud Drive—and through existing restrictions, the MDM administrator can help keep specific personal and organizational documents separate.

Users can see details about what is being managed on their personal device and how much iCloud storage space is provided by their organization.

Profile-based User Enrollment

With the existing profile-based User Enrollment flow, users are provided an enrollment profile using a customized URL, mail message, or by other means. After the enrollment profile and any additional configuration profiles are downloaded, a User Enrollment screen appears and the user clicks Enroll My (iPhone, iPad, Mac), then:

  • With federated authentication: Enters their Google Workspace or Microsoft Azure AD account

  • Without federated authentication: Enters their Managed Apple ID user name and password

When enrollment is complete, users see an additional account in Settings > Passwords & Accounts on iPhone and iPad and in System Preferences on Mac.

Because the user owns the device, User Enrollment has a limited set of payloads and restrictions that can be applied to the device.

How Apple separates user data from organization data

When User Enrollment is complete on an iPhone or iPad, a separate volume is automatically created on the device and contains managed:

  • Apps

  • Notes

  • Calendar attachments

  • Mail attachments and body of the mail message

  • Keychain items

In iOS and iPadOS, managed apps and managed web-based documents all have access to the organization’s iCloud Drive through existing Managed Open In restrictions. The MDM administrator can help keep specific personal and organizational documents separate.

System administrators can manage only an organization’s accounts, settings, and information provisioned with MDM, never a user’s personal account. In fact, the same features that keep data secure in organization-managed apps also protect a user’s personal content from entering the corporate data stream.

MDM can:

  • Configure accounts

  • Configure Per-app VPN

  • Install and configure apps

  • Require a passcode

  • Enforce certain restrictions

  • Access inventory of managed apps

  • Remove managed data only

MDM can’t:

  • See personal information, usage data or logs

  • Access inventory of personal apps

  • Take over management of a personal app

  • Require a complex passcode

  • Access device location

  • Access unique device identifiers

  • Remove any personal data

  • Remotely wipe the entire device

  • Manage Activation Lock

  • Access roaming status

  • Enable Lost Mode

Note: Administrators can require passcodes with a minimum of 6 characters and prevent users from using simple passcodes (for example, 123456 or abcdef), but can’t require complex characters or passwords.
