User enrollment

Starting in iOS 13 and macOS 10.15 Catalina, Apple introduced a new enrollment method called User Enrollment.

This is a notably different mode of enrollment from those previously available: Apple DEP, an enrollment link, or Supervised mode.

While these modes still exist, User Enrollment (sometimes referred to as UEMDM) aims to address Bring Your Own Device (BYOD) deployment scenarios specifically.

Private beta feature

Please note that User Enrollment is still in private beta for a limited number of clients. If you want to learn more, please contact us at [email protected].

Why Another Enrollment Mode? #

Existing enrollment and supervision methods are very powerful. Administrators can wipe, lock, and heavily restrict access on a DEP-enrolled and supervised device. In macOS, administrators can run any kind of root-level command or script and apply highly intrusive configurations at the device and app level. Additionally, administrators can list and obtain detailed information about the device, even about apps that were not deployed through the MDM solution. In other words, administrators have almost full control over managed devices.

User Enrollment addresses the BYOD use case by restricting what an MDM can do. Instead of giving the MDM full access to the device, business and personal spaces are isolated. Commands and operations performed by the MDM are limited and restricted to run on the business side of the device, which gives end users a more comfortable arrangement: they can still reach business services without having to sacrifice their privacy. In the end this provides a better balance between security and privacy, allowing users to easily switch between work and personal life.

What’s different from other enrollment methods? #

Device Information:
The MDM is no longer able to retrieve device-identifying information such as the serial number, unique device identifier (UDID), IMEI, or MAC addresses. Instead, the device provides an anonymized identifier created specifically for that MDM enrollment. If a device is unenrolled from the MDM and later re-enrolls, a new identifier is generated, preserving the anonymity of the end user and the hardware.

App Management:
MDMs can still install and remove apps, but they can now only see information about managed apps. Apps installed by the user remain private: they are not visible to the MDM and cannot be converted into managed apps.

Additionally, some native apps are prepared for User Enrollment scenarios and can also isolate business from personal information at the app level.

Profiles & Configurations:
Only a few profiles and configurations are available and can be enforced on the device:

  • Wi-Fi.
  • Per-app VPN.
  • Account-related profiles, like email, calendar, contact, and Exchange/ActiveSync.


Commands:
User Enrollment also prevents administrators from setting or clearing passwords, wiping the device, and performing other device-level configurations.
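Three of the constraints above (the anonymized identifier, the short profile allowlist, and the blocked commands) are things an MDM server has to enforce on its own side. The following Python is an added example, not code from this page or from any MDM product: it keys device records on the anonymized EnrollmentID and gates outbound commands against the lists above. The command names and payload types are assumed from Apple's MDM protocol and configuration-profile references, the blocked-command list is illustrative only, and all sample inputs are constructed.

```python
import plistlib

# Assumed, not from the page: Apple MDM request types for the operations the article
# says User Enrollment blocks (wipe, passcode handling). Complete this list from
# Apple's MDM protocol reference before using it as a real gate.
FORBIDDEN_FOR_USER_ENROLLMENT = {"EraseDevice", "ClearPasscode"}

# Assumed payload types for the profile kinds the article lists.
ALLOWED_PAYLOAD_TYPES = {
    "com.apple.wifi.managed",     # Wi-Fi
    "com.apple.vpn.managed",      # per-app VPN
    "com.apple.mail.managed",     # mail account
    "com.apple.eas.account",      # Exchange/ActiveSync
    "com.apple.caldav.account",   # calendar
    "com.apple.carddav.account",  # contacts
}

def device_key(checkin):
    """Identity to key the device record on: a User Enrollment device sends an
    EnrollmentID instead of a UDID, and re-enrollment yields a fresh one."""
    if "EnrollmentID" in checkin:
        return ("user", checkin["EnrollmentID"])
    return ("device", checkin["UDID"])

def vet_command(kind, command):
    """Return (allowed, reason) for a command bound for a device of enrollment kind."""
    req = command["Command"]["RequestType"]
    if kind == "device":
        return True, "full device management"
    if req in FORBIDDEN_FOR_USER_ENROLLMENT:
        return False, f"{req} is not available under User Enrollment"
    if req == "InstallProfile":
        # The profile travels as serialized plist bytes inside the command.
        profile = plistlib.loads(command["Command"]["Payload"])
        found = {p["PayloadType"] for p in profile.get("PayloadContent", [])}
        unsupported = found - ALLOWED_PAYLOAD_TYPES
        if unsupported:
            return False, "unsupported payloads: " + ", ".join(sorted(unsupported))
    return True, "permitted"

def make_install_profile(payload_types):
    """Constructed sample: a minimal InstallProfile command carrying payload_types."""
    profile = {"PayloadType": "Configuration", "PayloadIdentifier": "example.profile",
               "PayloadContent": [{"PayloadType": t, "PayloadIdentifier": f"example.{i}"}
                                  for i, t in enumerate(payload_types)]}
    return {"CommandUUID": "constructed-uuid",
            "Command": {"RequestType": "InstallProfile", "Payload": plistlib.dumps(profile)}}
```

A Restrictions payload (`com.apple.applicationaccess`) mixed into an otherwise valid Wi-Fi profile is rejected for a User Enrollment device but passes for a device-enrolled one, which is the device-level configuration boundary the article describes.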

Managed Apple IDs #

The User Enrollment method relies on Managed Apple IDs for user identification. This also enables two important features:

  • App & media licensing: apps must be managed through Apple Business Manager and VPP so that the necessary licenses are provisioned.
  • iCloud access: Apple provides business-level iCloud services, such as shared storage for an organization. The Managed Apple ID acts as a credential to provide access to these resources.

We highly recommend reading the documentation related to Managed Apple IDs to fully understand the benefits and features.

How is data separation being managed? #

As part of the User Enrollment process, a new, separate APFS volume is created on the device. This volume acts as a virtual hard drive with its own encryption and is isolated from the device's other data volumes. It stores all User Enrollment-related data.

When the device is unenrolled, the volume is erased, removing all managed apps and managed data stored on it and returning the device to its state before enrollment.