In 2019, Apple introduced a new way of enrolling devices into an MDM (Mobile Device Management) platform: User Enrollment, available on devices running iOS 13 or later. Apple designed User Enrollment to make companies more comfortable implementing BYOD (Bring-Your-Own-Device) policies by protecting the privacy of personal data while still securing corporate data. With User Enrollment, Apple bases BYOD deployments on three pillars:
- Managed Apple ID alongside Personal Apple ID
- Cryptographic separation of personal and corporate data
- Limited management capabilities for MDMs
Managed Apple ID Alongside Personal Apple ID
Apple describes User Enrollment as a “multi-persona system,” in which a single user has two separate Apple IDs: a Managed Apple ID for work and a non-managed (personal) Apple ID for personal use. The managed work Apple ID runs alongside the user’s personal Apple ID on the same iOS device. After enrolling a personal device with their organization’s MDM, users see a clear division between business and personal data.
IT admins create Managed Apple IDs in Apple Business Manager (ABM). During User Enrollment the user signs in with that Managed Apple ID, and the enrollment is tied to that identity rather than to the device.
Under User Enrollment, a third-party app is bound to one account: it is either a managed (work) app or a personal app, which clearly delineates apps intended for business or personal use. First-party apps like Notes, however, can work with both Apple IDs and sync with the corresponding iCloud storage (work or personal) as needed.
Cryptographic Separation of Personal and Corporate Data
With this setup, IT admins using an MDM no longer receive device-identifying information such as the serial number, IMEI, or MAC address; none of these identifiers is shared with the MDM server. Instead, when enrollment starts, the device generates an Enrollment ID that the MDM server uses as its primary identifier for all communication. This ID is discarded when the enrollment is terminated.
When a device is enrolled using User Enrollment, iOS creates a separate, managed APFS (Apple File System) volume, protected by its own cryptographic keys and with separate authentication and authorization. When the enrollment is terminated, those keys are destroyed and the managed data is removed. This lets a business remove all business-related data if an employee leaves, including work data in Notes and other first-party apps with dual-account support, without deleting or otherwise affecting personal content on the device.
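The two preceding paragraphs describe the identifier an MDM server is allowed to key on under User Enrollment (the Enrollment ID, never the UDID or serial number) and the fact that this identifier ceases to exist when the enrollment ends. The following is an added example, not code from the original article or from SureMDM, of how an MDM server could enforce both rules on its check-in endpoint. It assumes the shape of Apple's MDM check-in messages (a plist carrying MessageType, Topic, and either EnrollmentID/EnrollmentUserID for User Enrollment or UDID for device enrollment); the sample messages and every identifier value in them are constructed for the example.

```python
from __future__ import annotations

import plistlib

# Hardware identifiers that a User Enrollment check-in does not carry (Apple
# withholds them). Seeing one next to an EnrollmentID means the message is
# not the kind of enrollment the server thinks it is.
DEVICE_IDENTIFIERS = ("UDID", "SerialNumber", "IMEI", "MEID")


def enrollment_key(msg: dict) -> tuple[str, str]:
    """Pick the primary key for a parsed MDM check-in message.

    User Enrollment check-ins identify themselves by EnrollmentID (plus
    EnrollmentUserID for the Managed Apple ID persona); device enrollments
    carry the UDID. Everything the server stores is keyed by this value, so
    the server never depends on an identifier it was not given.
    """
    if "EnrollmentID" in msg:
        leaked = [k for k in DEVICE_IDENTIFIERS if k in msg]
        if leaked:
            raise ValueError(f"User Enrollment check-in carries device identifiers: {leaked}")
        return ("user", msg["EnrollmentID"])
    if "UDID" in msg:
        return ("device", msg["UDID"])
    raise ValueError("check-in carries neither EnrollmentID nor UDID")


class EnrollmentStore:
    """Minimal in-memory enrollment table keyed by enrollment_key()."""

    def __init__(self) -> None:
        self.records = {}  # (kind, identifier) -> record dict

    def handle_checkin(self, raw: bytes) -> tuple[str, str] | None:
        """Apply one check-in message; return its key, or None once checked out."""
        msg = plistlib.loads(raw)
        key = enrollment_key(msg)
        message_type = msg["MessageType"]
        if message_type == "Authenticate":
            self.records[key] = {
                "topic": msg["Topic"],
                "enrollment_user_id": msg.get("EnrollmentUserID"),
            }
        elif message_type == "TokenUpdate":
            record = self.records.get(key)
            if record is None:
                raise ValueError("TokenUpdate for an enrollment that never authenticated")
            record["token"] = msg["Token"]
            record["push_magic"] = msg["PushMagic"]
        elif message_type == "CheckOut":
            # Enrollment terminated: the EnrollmentID dies with it, so drop the
            # record instead of keeping it around to re-identify the device later.
            self.records.pop(key, None)
            return None
        else:
            raise ValueError(f"unsupported MessageType {message_type!r}")
        return key


def checkin_error(store: EnrollmentStore, raw: bytes) -> str | None:
    """Return the validation error for a check-in, or None if it was accepted."""
    try:
        store.handle_checkin(raw)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample messages (not captured from real devices); all values are made up.
TOPIC = "com.apple.mgmt.External.3b1f0a6e"
USER_ENROLLMENT_ID = "7C2E9B1D-44F0-4A6B-9D3A-5E8F1C0B2A67"
USER_AUTH = plistlib.dumps({"MessageType": "Authenticate", "Topic": TOPIC,
                            "EnrollmentID": USER_ENROLLMENT_ID,
                            "EnrollmentUserID": "A3F9D2C1-0B7E-4E5A-8C6D-1F2E3D4C5B6A"})
USER_TOKEN = plistlib.dumps({"MessageType": "TokenUpdate", "Topic": TOPIC,
                             "EnrollmentID": USER_ENROLLMENT_ID, "Token": b"\x01\x02\x03\x04",
                             "PushMagic": "E1C3A7F2-9D4B-4B8E-A2F6-7C9E0D1B3A5F"})
USER_CHECKOUT = plistlib.dumps({"MessageType": "CheckOut", "Topic": TOPIC,
                                "EnrollmentID": USER_ENROLLMENT_ID})
# A device enrollment, for contrast: identified by UDID and hardware details.
DEVICE_AUTH = plistlib.dumps({"MessageType": "Authenticate", "Topic": TOPIC,
                              "UDID": "00008030-000A1B2C3D4E5F60", "SerialNumber": "C02XYZ123ABC"})
# A User Enrollment check-in that also carries a serial number: must be rejected.
BAD_USER_AUTH = plistlib.dumps({"MessageType": "Authenticate", "Topic": TOPIC,
                                "EnrollmentID": USER_ENROLLMENT_ID, "SerialNumber": "C02XYZ123ABC"})

if __name__ == "__main__":
    store = EnrollmentStore()
    print(store.handle_checkin(USER_AUTH))
    print(store.handle_checkin(USER_TOKEN))
    print(store.handle_checkin(USER_CHECKOUT))  # None: the record is gone
    print(store.handle_checkin(DEVICE_AUTH))
    print(checkin_error(store, BAD_USER_AUTH))
```

The point of keying on the Enrollment ID and deleting the record at CheckOut is that a re-enrolled device cannot be correlated with its previous enrollment by the MDM, which is exactly the privacy property Apple is promising the device owner; the serial-number check catches a misconfigured or hostile client that tries to hand the server an identifier it should never see.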
Limited Management Capabilities for MDMs
By creating a managed profile distinct from personal use, User Enrollment sets clear boundaries for what an MDM can and cannot view or modify. IT admins using MDM software cannot view or modify personal apps the end user has installed on the device.
This gives employees greater peace of mind when enrolling in BYOD programs, as they can be certain that their personal apps and data will not be monitored or deleted.
On iOS, IT admins can no longer set or clear the device passcode, wipe personal data from the device, or perform other device-wide operations such as controlling or changing the settings of personal apps. Passcode policy is limited to requiring a passcode and requiring that it be at least six digits.
SureMDM’s documentation covers how to set up iOS and iPadOS User Enrollment in SureMDM.