Starting in iOS 13 and macOS 10.15 Catalina, Apple introduced a new enrollment method called “User Enrollment”. This is a notably different mode of enrollment than the previously available through Apple DEP, Enrollment link, or Supervised mode. While these modes still exist, User Enrollment (sometimes referred to as “UEMDM”) aims to address Bring Your Own Device (BYOD) deployment scenarios specifically.
Why Another Enrollment Mode? #
Existing enrollment and supervision methods are very powerful. Administrators can wipe, lock, and heavily restrict access on a DEP enrolled and supervised device. In macOS, administrators can run any type of root-level commands or scripts and apply highly intrusive configurations at device and app level. Additionally, administrators can list and obtain detailed information about the devices even about apps that have not been deployed though an MDM solution. In other words, administrators have almost full control over managed devices.
User Enrollment aims to solve this use case by restricting what MDMs can do. Instead of having full access to the devices, business and personal spaces are isolated. Commands and operations performed by the MDM are limited and restricted to tun under the business side of the device, providing a more confortable scenario for end-users that can still get access to business-services without requiring the users to sacrifice their own privacy. This, in the end, provides a more balanced scenario between security and privacy, allowing users to easily switch from work to personal life.
The MDM is no longer able to retrieve device-identifying information, such as a serial number, universal device identifier (UDID), IMEI, or mac addresses. Instead, the device provides an anonymized identifier specifically created for the MDM enrollment. If a device is unenrolled from the MDM and then re-enrolls at a later time, a new identifier is generated, maintain the anonymity of the end-user and the hardware.
MDM’s can still install and remove Apps but now they can just see the information about managed Apps. The resto of the Apps installed by the user remain private and will not be visible by the MDM and they can not be configured as managed apps.
Additionally, some native apps are prepared for User Enrollment scenarios, providing also the possibility to isolate information at App level.
Profiles & Configurations:
Just a few profiles and configurations are available and can be enforced in the device:
- Per-app VPN
- Account related profiles, like email, calendar, contact, and Exchange/ActiveSync.
User Enrollment also prevent administrators from setting or clearing passwords, wipe the device and perform other device-level configurations.
User Enrollment method relies in Managed Apple IDs for users identification. This also enable two important features:
- App & media licensing: apps must be managed through Apple Business Manager and VPP so that necessary licenses are provisioned.
- iCloud access: Apple provides business-level iCloud services, such as shared storage for an organization. The Managed Apple ID acts as a credential to provide access to these resources.
We highly recommend to read the documentation related to Managed Apple IDs to fully understand the benefits and features.
How is data separation being managed? #
As part of the User Enrollment process, a new and separate APFS volume is created in the device. This new volume acts as a virtual hard drive with its own encryption and is totally isolated from other data volumes in the device. This volume will store all User Enrollment-related data.
When the device is unenrolled, the volume is erased, removing also all managed apps and managed data stored on it, returning the device to the original state before enrollment.