User Enrollment: A Major Update to BYOD Announced at Apple WWDC19

A whole host of new updates announced at Apple WWDC19 will change the management of Apple-based BYOD, addressing many of the weaknesses that previously frustrated end users and enterprises.

Here is our summary of “User Enrollment” and the key changes to be aware of.

User Enrollment: Management parity across all Apple devices was a big topic at WWDC19

What Is User Enrollment for iOS 13, iPadOS and macOS?

The most eye-catching MDM announcement at Apple WWDC19 was the new enrollment option for BYOD, called User Enrollment, which will bring about better user acceptance, more privacy for end users, more harmonized management across all Apple devices and enhancements to security and performance.

User Enrollment is a multi-persona enrollment option designed for companies implementing BYOD (Bring Your Own Device). It gives admins device management capabilities by separating data and by using Managed Apple IDs.

It’s this new Managed Apple ID feature that now represents the user’s workplace identity, running parallel to the user’s personal Apple ID across their iPhones, iPads and Macs. Managed Apps all run with the enterprise ID; third-party apps are either managed or unmanaged.

After users are enrolled, they will notice clear divisions between business and private data. For example, the built-in Files app will now seamlessly handle both accounts and display an Enterprise iCloud Drive and a Personal iCloud Drive, if users have one.

A separate APFS volume is created during user enrollment for corporate data to ensure data separation. Managed versions of Notes, App Containers, Keychain, Emails, Calendar attachments and iCloud Drive documents are stored here.

Finally, a cryptographic backstop ensures that once a device is unenrolled, all managed data is removed for certain. Check out Apple’s video from WWDC19 to see it in action.

How Do You Enroll iPhones and iPads With User Enrollment?

In terms of deployment, admins create the Managed Apple ID in Apple Business Manager (ABM) or Apple School Manager (ASM). Support for the preceding Deployment Programs portal will stop by the end of the year.

As shown during the demo at WWDC19, users start by downloading an enterprise’s configuration profile by providing the Managed Apple ID.

Once downloaded, users head to Settings and click on “enroll” to start the newly streamlined User Enrollment process.

How Does User Enrollment Improve User Privacy?

While User Enrollment still fulfills its duty to protect a company’s intellectual property, this is achieved without compromising the freedom and privacy of employees who enroll their personal devices. Essentially, User Enrollment ensures that admins cannot accidentally manage personal data.

End users will be pleased to hear Apple pledge that:

  • MDM servers can no longer erase an entire device. Personal data is therefore protected.
  • MDM servers have no visibility over the personal side of a device. No personal third-party apps are visible to employers.
  • MDM servers cannot clear the device passcode with the Unlock Token command. This change also means that MDM servers cannot help if a user forgets an enrollment passcode. As a tradeoff, only 6-digit, non-simple passcodes can be enforced.
  • Supervised Mode restrictions have been deprecated and will eventually no longer apply to User Enrollment.
  • No serial numbers or UDIDs are used to identify a device; instead, a separate EnrollmentID is created and used.

All in all, BYOD is now much better thought-out. While companies looking for extra security measures for their corporately owned devices will still opt for supervision, those wanting to offer BYOD will be able to provide an improved end user experience and still benefit from effective device management.

The Result: The Evolution of BYOD

Some are calling this “the biggest Apple MDM update since iOS 7 in 2013” and that “User Enrollment is going to dramatically improve iOS MDM for BYOD”.

Now that Apple has addressed many of the usability and privacy concerns surrounding BYOD schemes, companies will be much better placed to encourage their employees to take part in BYOD so that everyone can reap its financial and practical rewards. You can learn more about how Cortado MDM can realize these benefits for your company on our website.