What is Apple’s “User Enrollment”?

Last updated July 22, 2019

At the Apple Worldwide Developer Conference (WWDC) this year, Apple announced a new mode of device enrollment, entitled “User Enrollment”. This enrollment mode is available in iOS 13 and macOS 10.15 Catalina. This is a notably different mode of enrollment than the previously available DEP enrolled, User Approved (UAMDM), or Supervised modes of enrollment. While these modes still exist, User Enrollment (sometimes referred to as “UEMDM”) aims to address Bring Your Own Device (BYOD) deployment scenarios specifically.

Why Another Enrollment Mode?

The existing modes of Apple MDM enrollment are powerful. A DEP enrolled and supervised device can be wiped, locked, and heavily restricted by an MDM administrator. In macOS, an MDM administrator is able to run powerful root-level commands and whitelist dangerous controls to applications and extensions. Likewise, an administrator can retrieve information about installed applications that were not installed by the MDM.

User Enrollment aims to severely restrict what the MDM can do to the device. Instead of the device being generally controlled by the MDM, the MDM has been given permission to operate in a confined space on the device, effectively providing business services to the end user without requiring the user to sacrifice their own privacy. On the same token, it increases the security around corporate data by cordoning off this data in a separate storage area. This results in a better balance of security and privacy for both the enterprise and the user in a BYOD scenario.

How Does User Enrollment Differ?

User Enrollment greatly restricts the permissions that an MDM has when managing a device compared to previous enrollment modes. Below is a summary of the changes.

Device Information

The MDM is no longer able to retrieve device-identifying information, such as a serial number, universal device identifier (UDID), IMEI, or mac addresses. Instead, the device provides an anonymized identifier that lives for the life of the MDM enrollment. If a device unenrolls and then re-enrolls at a later time, a new identifier is produced. This helps maintain the anonymity of the end user and their hardware.

App Management

The MDM is able to install and remove apps as it was able to before, however it can only see the apps that it is managing. Apps installed by the user will not be visible to the MDM, nor will the MDM be able to place any of these apps under management.

An app must either be installed and managed by User Enrollment or not. It cannot be both. Some native apps, such as Apple Notes, include User Enrollment-aware functionality, allowing them to include both managed business data and personal user data, separated within the app itself.

Profiles & Configurations

A narrow set of profiles will be supported, namely:

  • WiFi
  • Per-app VPN
  • Account related profiles, like email, calendar, contact, and Exchange/ActiveSync.

Profiles that restrict the user are largely not permitted. For instance, strict passcode requirements, configurations that proxy network traffic, and restrictions that block content are not allowed. Some restrictions, as they relate to enterprise features like Managed Open In are still supported.

Actions

User Enrollment removes an administrators ability to set or clear a passcode, wipe a device, and perform other device-level operations that encroach on an end user’s privacy and control of their own device.

Managed Apple ID Now Required

User Enrollment relies upon and requires that a Managed Apple ID is associated with each enrolled device. This Managed Apple ID currently provides two functions:

  1. App & media licensing: When the MDM pushes down apps and media, necessary VPP licenses will be assigned to the Managed Apple ID associated with the device.
  2. iCloud access: Apple is introducing business-level iCloud services, such as shared storage for an organization. The Managed Apple ID acts as a credential to provide access to these resources.

The Managed Apple ID can be created manually by an administrator within Apple Business Manager. Apple also supports federation with Azure Active Directory, allowing Managed Apple IDs to be automatically created within Apple Business Manager when identities exist in Azure. The MDM is responsible for specifying the Managed Apple ID that a device is to use during the time of device enrollment.

Managed Apple IDs do not conflict with regular Apple IDs. A user may continue to use their personal Apple ID on a device even when a Managed Apple ID is also being used by the same device.

Data Separation Provided By APFS

As both a security and privacy mechanism, a separate APFS volume is created during User Enrollment. An APFS volume, for the layperson, is essentially a virtual hard drive that has its own encryption and lives entirely separately of other volumes that host the OS or personal user data.

This volume is responsible for storing all User Enrollment-related data, such as:

  • Managed apps and app data
  • Managed mail, contacts, and calendar data
  • iCloud drive downloaded and cached data
  • Keychains
  • Apple Notes data associated with the Managed Apple ID

If the device unenrolls from the MDM, this volume is deleted, removing all managed apps and managed data with it. The device is returned to its original state before enrollment occurred.

Is User Enrollment Right For Us?

If employees are using their personal devices in your deployment, chances are that the answer is “yes”. Convincing employees in a BYOD scenario to grant your organization permission to see what apps they have installed, remove their passcode at any point, or wipe their device is a big ask and is unlikely to receive buy-in.

Outside of a BYOD scenario, User Enrollment doesn’t make a lot of sense. If a business owns the hardware being managed, it will likely want to retain the ability to unlock, track, and recover devices if need be. Enrolling using User Enrollment, if not immediately, will prove to be too restrictive down the road as additional business requirements develop.

Comments (2)

It seems that user enrollment doesn’t work with iPadOS Beta 6. It doesn’t ask for the password of the managed appleid. It works though with iOS 13 Beta 6:

Users have reported that User Enrollment is not functional in iOS Beta 6. We suggest trying an earlier beta version or waiting for subsequent beta versions for this functionality to return.

Leave a Reply

Your email address will not be published. Required fields are marked *

See Why Apple Admins Prefer SimpleMDM

Start My FREE 30-Day Trial Now

See Why Apple Admins Prefer SimpleMDM No strings. No Spam.

Start My 30-Day Free Trial Now