{"id":13441,"date":"2022-06-07T03:31:20","date_gmt":"2022-06-07T03:31:20","guid":{"rendered":"https:\/\/www.applivery.com\/?post_type=docs&p=13441"},"modified":"2024-10-10T23:48:45","modified_gmt":"2024-10-10T23:48:45","password":"","slug":"user-enrollment","status":"publish","type":"docs","link":"https:\/\/www.applivery.com\/pt-br\/docs\/mobile-device-management\/apple-mdm\/enrollment-apple-mdm\/user-enrollment\/","title":{"rendered":"User enrollment"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Starting in iOS 13 and macOS 10.15 Catalina, Apple introduced a new enrollment method called User Enrollment.<\/p>

This is a notably different mode of enrollment than the previously available through Apple DEP, Enrollment link, or Supervised mode.<\/p>

While these modes still exist, User Enrollment (sometimes referred to as UEMDM<\/em>) aims to address Bring Your Own Device (BYOD) deployment scenarios specifically.<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t\t\t\t
\n\n\t\t\t\t\t\tPrivate beta feature<\/span>\n\t\t\t\n\t\t\t\t\t\tPlease note that User Enrollment<\/strong> is still in private beta for a limited number of clients. If you want to learn more, please contact us at sales@applivery.com<\/a>.<\/span>\n\t\t\t\n\t\t\t\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t\t

Why Another Enrollment Mode?<\/h2>\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tExisting enrollment and supervision methods are very powerful. Administrators can wipe, lock, and heavily restrict access on a DEP-enrolled and supervised device. In macOS, administrators can run any type of root-level commands or scripts and apply highly intrusive configurations at the device and app levels. Additionally, administrators can list and obtain detailed information about the devices even about apps that have not been deployed through an MDM solution. In other words, administrators have almost full control over managed devices.\n\nUser Enrollment aims to solve this use case by restricting what MDMs can do<\/strong>. Instead of having full access to the devices, business, and personal spaces are isolated<\/strong>. Commands and operations performed by the MDM are limited and restricted to tun under the business side of the device, providing a more comfortable scenario for end-users that can still get access to business services without requiring the users to sacrifice their privacy. This, in the end, provides a more balanced scenario between security and privacy, allowing users to easily switch from work to personal life<\/strong>.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t\t

What\u2019s different from other enrollment methods?<\/h2>\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Device Information:<\/strong>
The MDM is no longer able to retrieve device-identifying information, such as a serial number, universal device identifier (UDID), IMEI, or Mac addresses. Instead, the device provides an anonymized identifier specifically created for the MDM enrollment. If a device is unenrolled from the MDM and then re-enrolls at a later time, a new identifier is generated, maintaining the anonymity of the end-user and the hardware.<\/p>

App Management:<\/strong>
MDMs can still install and remove Apps but now they can just see the information about managed Apps. The rest of the Apps installed by the user remain private and will not be visible by the MDM and they can not be configured as managed apps.<\/p>

Additionally, some native apps are prepared for User Enrollment scenarios, providing also the possibility to isolate information at the App level.<\/p>

Profiles & Configurations:<\/strong>
Just a few profiles and configurations are available and can be enforced on the device:<\/p>

  • Wi-Fi.<\/li>
  • Per-app VPN.<\/li>
  • Account-related profiles, like email, calendar, contact, and Exchange\/ActiveSync.<\/li><\/ul>

    \u00a0<\/p>

    Commands:<\/strong>
    User Enrollment also prevents administrators from setting or clearing passwords, wiping the device, and performing other device-level configurations.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t

    \n\t\t\t\t\t

    What\u2019s different from other enrollment methods?<\/h2>\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    The User Enrollment method relies on Managed Apple IDs for user identification. This also enables two important features:<\/p>

    • App & media licensing:<\/strong> apps must be managed through Apple Business Manager and VPP so that necessary licenses are provisioned.<\/li>
    • iCloud access:<\/strong> Apple provides business-level iCloud services, such as shared storage for an organization. The Managed Apple ID acts as a credential to provide access to these resources.<\/li><\/ul>

      We highly recommend reading the documentation related to Managed Apple IDs to fully understand the benefits and features.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t

      \n\t\t\t\t\t

      How is data separation being managed?<\/h2>\t\t\t\t<\/div>\n\t\t\t\t
      \n\t\t\t\t\t\t\t\t\tAs part of the User Enrollment process, a new and separate APFS volume is created in the device<\/strong>. This new volume acts as a virtual hard drive with its encryption and is isolated from other data volumes in the device<\/strong>. This volume will store all User Enrollment-related data.\n\nWhen the device is unenrolled, the volume is erased<\/strong>, removing also all managed apps and managed data stored on it, returning the device to the original state before enrollment.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

      Discover how Apple devices can be enrolled by the user to support Bring Your Own Device (BYOD) scenarios<\/p>\n","protected":false},"author":1,"featured_media":32390,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","format":"standard","meta":{"content-type":"","inline_featured_image":false,"footnotes":""},"product":[315],"doc_category":[319],"doc_tag":[],"class_list":["post-13441","docs","type-docs","status-publish","format-standard","has-post-thumbnail","hentry","product-apple-mdm","doc_category-enrollment-apple-mdm"],"aioseo_notices":[],"year_month":"2026-06","word_count":633,"total_views":"2851","reactions":{"happy":"1","normal":"0","sad":"0"},"author_info":{"name":"applivery","author_nicename":"applivery","author_url":"https:\/\/www.applivery.com\/pt-br\/blog\/author\/applivery\/"},"doc_category_info":[{"term_name":"Enrollment","term_url":"https:\/\/www.applivery.com\/docs\/mobile-device-management\/apple-mdm\/enrollment-apple-mdm\/"}],"doc_tag_info":[],"knowledge_base_info":[],"knowledge_base_slug":[],"_links":{"self":[{"href":"https:\/\/www.applivery.com\/pt-br\/wp-json\/wp\/v2\/docs\/13441","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.applivery.com\/pt-br\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/www.applivery.com\/pt-br\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/www.applivery.com\/pt-br\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.applivery.com\/pt-br\/wp-json\/wp\/v2\/comments?post=13441"}],"version-history":[{"count":8,"href":"https:\/\/www.applivery.com\/pt-br\/wp-json\/wp\/v2\/docs\/13441\/revisions"}],"predecessor-version":[{"id":49210,"href":"https:\/\/www.applivery.com\/pt-br\/wp-json\/wp\/v2\/docs\/13441\/revisions\/49210"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.applivery.com\/pt-br\/wp-json\/wp\/v2\/media\/32390"}],"wp:attachment":[{"href":"https:\/\/www.applivery.com\/pt-br\/wp-json\/wp\/v2\/media?parent=13441"}],"wp:term":[{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.applivery.com\/pt-br\/wp-json\/wp\/v2\/product?post=13441"},{"taxonomy":"doc_category","embeddable":true,"href":"https:\/\/www.applivery.com\/pt-br\/wp-json\/wp\/v2\/doc_category?post=13441"},{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/www.applivery.com\/pt-br\/wp-json\/wp\/v2\/doc_tag?post=13441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}