What Is Apple’s User Enrollment for iOS?

Apple User Enrollment introduces big iOS 13 MDM changes and completely reworks Apple BYOD. We explain the iOS 13 User Enrollment feature, including how the iOS 13 managed Apple ID makes this big shake up possible.

Apple User Enrollment: Many iOS 13 MDM changes were announced at WWDC19
iOS 13 User Enrollment: Management parity across all Apple devices was a big topic at WWDC19

What Is Apple’s User Enrollment for iOS 13, iPadOS and macOS?

One of the most eye-catching iOS 13 MDM changes announced at the Apple WWDC19 was the new enrollment option for BYOD, called User Enrollment.

User Enrollment is a multi-persona enrollment option designed for companies implementing BYOD (Bring Your Own Device).

It brings better user acceptance, more privacy for end users, more harmonized management across all Apple devices and enhancements to security and performance.

At its core, User Enrollment provides device management capabilities for company admins, separates work/private data and utilizes the iOS 13 Managed Apple ID.

New: iOS 13 Managed Apple ID

This iOS 13 Managed Apple ID feature now represents the user’s workplace identity, running parallel to the user’s personal Apple ID across their iPhones, iPads and Macs.

Managed Apps all run with the enterprise ID; third-party apps are either managed or unmanaged.

After users register their devices for BYOD, they will notice clearer divisions between business and private data. For example, the built in Files app will now seamlessly handle both accounts and display an Enterprise iCloud Drive and a Personal iCloud drive, if users have one.

During the configuration process, a separate APFS volume is created for corporate data and ensures complete data separation. Managed versions of Notes, App Containers, Keychain, Emails, Calendar attachments and iCloud Drive documents are stored here.

Finally, a cryptographic backstop ensures that once a device is unenrolled, whether by an admin or the device’s owner, all managed data is removed for certain. Check out Apple’s video from WWDC19 to see it in action.

How Do You Enroll iPhones and iPads With iOS User Enrollment?

In terms of deployment, admins create the Managed Apple ID in Apple Business Manager (More info: Managing Devices with Apple Business Manager) or Apple School Manager (ASM). The preceding Deployment Programs portal has now been phased out.

As shown during the demo at WWDC19, users need to download an enterprise’s configuration profile, created by a MDM/EMM program. To kick things off, admins usually send an invitation email containing a QR-code, which they have to scan with their phones, to employees.

After providing their new Managed Apple ID, users head to the Settings app on their device and click on “enroll” to start the newly streamlined User Enrollment process.

How Does Apple User Enrollment Improve User Privacy?

While Apple User Enrollment still fulfills its duty to protect a company’s intellectual property, it is achieved without compromising the privacy of employees who enroll their personal devices. Essentially, User Enrollment ensures that admins cannot accidentally manage or see personal data.

End users will be pleased to hear these important iOS 13 MDM changes:

  • MDM servers can no longer erase an entire device. Personal data is therefore better protected.
  • MDM servers have no visibility over the personal side of a device. No personal third-party apps are visible to employers.
  • MDM servers cannot clear the device passcode with the Unlock Token command (this change also means that MDM servers cannot help if a user forgets an enrollment passcode. As a tradeoff, only 6-digit, simple passcodes can be enforced).
  • Supervised mode restrictions have been depreciated and will eventually no longer apply to User Enrollment (More info on the difference between supervised and BYOD here in the ultimate guide to iPhone device management).
  • No serial numbers or UDIDs are used to identify a device, instead a separate “Enrollment ID” is created and used.

While organizations looking for extra security measures will still opt for corporately owned devices and supervision, those wanting to offer Apple BYOD can now provide straightforward, cost effective device management (and GDPR conformity) with a vastly improved end user experience.

iOS 13 User Enrollment: The Evolution of Apple BYOD

Now that Apple User Enrollment has addressed many of the usability and privacy concerns surrounding BYOD schemes, companies will now be much better placed to encourage their employees to take part in Apple BYOD so that everyone can reap its financial and practical rewards.

User Enrollment with Cortado MDM

All changes in detail.
This free whitepaper shows all changes for administrators and end users.

Read Whitepaper »