“User enrollment creates a separate APFS (Apple File System) partition with a different set of encryption keys which is used to house corporate data.”
Device enrollment has always been a challenge for BYO devices
Employers struggle to convince employees that they should give control of their personal devices to the IT department. Employees worry about the company tracking their location, seeing their photos, reading their personal messages and monitoring their browsing and social media. Although some of these capabilities are not even technically possible, the end-user’s perception is their reality.
Mobile devices are extremely personal. Most of us have more personal data on our devices than in any other place including our home. Throughout the years, I’ve seen a number of MDM deployments become highly political, sometimes with unions even getting involved due to the sensitivity of personal data on the devices and the fear of the company abusing it.
Personal vs Company Data
Both iOS and Android (BYOD Devices) have addressed this problem with a set of capabilities in their respective operating systems that work to isolate and separate work data from personal data. This includes apps, data, and security measures. Effectively all company data is separated into its own “walled garden” within the phone and then the company can only control the work section of the phone. All personal data and apps remain untouchable for the company.
Android addressed this problem of personal versus company data separation back in 2014 with the Android Enterprise “work profile,” and Apple finally caught up with iOS 13.2. User Enrollment was announced in WWDC 2019 (and shipped with iOS 13.2,released in October 2019).
User enrollment is different to device enrollment!
Like Android Enterprise “work profile”, iOS user enrollment creates a separate workspace (although not visibly distinguishable) for corporate data. The MDM solution manages the separated workspace rather than the entire device, which provides additional privacy and a sense of security to users.
How does it work?
User enrollment creates a separate APFS (Apple File System) partition with a different set of encryption keys which is used to house corporate data.
With user enrollment, MDM software is limited to managing the new APFS partition and a few select device functions e.g. unlock and PIN policies.
-
MDM cannot retrieve device identifying information i.e. serial number, IMEI
-
MDM cannot initiate a full device wipe
-
MDM is limited to configuring the following profiles – WiFi, per-app VPN and account related profiles
-
MDM can only see the applications that it has deployed, not apps from a public app store
The user enrollment relies on creating a corporate Apple ID (which can be created in Apple Business Manager) for the user to enroll the device.
Furthermore, as of November 2019, Apple Business Manager supports federation with Azure Active Directory which allows the corporate Apple ID to be created automatically during the enrollment process. This is a very significant development in enterprise mobility.
How does it benefit the end-user?
With user enrollment for Byod Devices it is now possible to manage corporate data only – without having any visibility of personal apps and personal data on the device. This goes a long way to reassuring users that their personal data is not visible to their employer.
In many BYO programs, a stipend is given to employees who meet the compliance requirements of the policy. This benefits employees by reducing their phone bill and shows that their company wants to invest in them.
How does this benefit the company?
Now it is possible to write a BYO policy which is not draconian and one-sided. Employers can deploy Office 365 and other apps to their employee devices without encroaching on their personal privacy. Corporations can reduce the capital expense of purchasing devices and simultaneously improve employee satisfaction by eliminating the need to carry two phones around.
