“User Enrolment… is ideal for use cases where an employee or contractor owns the device and expects a level of privacy around their device usage”

What is Apple User Enrolment?

Apple User Enrolment is specifically designed for bring-your-own-device (BYOD) with an emphasis on employee privacy. 

Traditional device enrolment gives the organisation full control of the device, including the ability to see which apps are installed, to view the device's location and to wipe it. User Enrolment removes these capabilities by creating a separate, cryptographically isolated APFS volume on the device for work data. The organisation controls that work volume but has no visibility or control of the rest of the device, which protects the employee's privacy and removes a common objection to enrolling a personal phone.

This management option is ideal for use cases where an employee or contractor owns the device and expects a level of privacy around their device usage.  

 

Data Segregation

The User Enrolment process creates an Apple File System (APFS) volume on the device that stores company-provisioned apps and their data separately from personal data.

This is an additional volume inside the device's existing APFS container, not a partition the user can see or browse; it is the mechanism the operating system uses to keep personal and organisational data apart. When the device is unenrolled, the volume and everything in it is removed, so work data is deleted without touching personal data.

This APFS volume stores:

  • Managed apps and their data

  • Managed mail accounts and their configuration

  • Contacts and calendar data belonging to managed accounts

  • Keychain items belonging to managed apps and accounts

  • iCloud Drive data for the Managed Apple ID

MDM administrators can manage the separate partition, but not the entire device.  

Device-specific information such as the IMEI, serial number, UDID and MAC addresses is not exposed to the MDM. Instead, the device generates a unique enrolment identifier (Apple calls it the EnrollmentID) when the APFS volume is created and presents that to the MDM in place of the hardware identifiers; the identifier is tied to that enrolment rather than to the hardware.

The MDM platform can install and remove managed apps as with traditional management, but it has no visibility of apps the user has installed themselves, and those apps cannot be taken under management.
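The identifier behaviour above is the point an MDM operator can actually verify. The following Python is an added example (not code from the original article or from Apple) that parses two constructed MDM check-in messages, modelled on the Authenticate message of Apple's MDM protocol with placeholder values, classifies each enrolment by which identifier the device presented and flags any hardware identifier that reached the server. The message contents are constructed, not captured from real devices.

```python
import plistlib

# Keys that identify the physical device. Apple's MDM protocol sends UDID,
# SerialNumber, IMEI and MEID in the Authenticate check-in and the MAC
# addresses in DeviceInformation responses; under User Enrolment none of
# them should ever reach the MDM server.
HARDWARE_IDENTIFIER_KEYS = {
    "UDID", "SerialNumber", "IMEI", "MEID",
    "WiFiMAC", "BluetoothMAC", "EthernetMAC",
}

# Constructed sample messages modelled on the MDM Authenticate check-in.
# All values are placeholders.
DEVICE_ENROLMENT_CHECKIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>MessageType</key><string>Authenticate</string>
  <key>Topic</key><string>com.apple.mgmt.External.00000000-0000-0000-0000-000000000000</string>
  <key>UDID</key><string>00008030-001234567890ABCD</string>
  <key>SerialNumber</key><string>C02EXAMPLE01</string>
  <key>IMEI</key><string>35 000000 000000 0</string>
  <key>ProductName</key><string>iPhone12,1</string>
  <key>OSVersion</key><string>16.2</string>
</dict>
</plist>
"""

USER_ENROLMENT_CHECKIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>MessageType</key><string>Authenticate</string>
  <key>Topic</key><string>com.apple.mgmt.External.00000000-0000-0000-0000-000000000000</string>
  <key>EnrollmentID</key><string>1B7C6F2E-4A5D-4C9E-8F30-2D1E5B6A7C8D</string>
  <key>ProductName</key><string>iPhone12,1</string>
  <key>OSVersion</key><string>16.2</string>
</dict>
</plist>
"""


def parse_checkin(raw: bytes) -> dict:
    """Parse a check-in body; MDM servers receive these as XML plists."""
    return plistlib.loads(raw)


def enrolment_type(msg: dict) -> str:
    """Classify the enrolment by the identifier the device presented.

    A User Enrolled device identifies itself with a per-enrolment
    EnrollmentID and omits the UDID; a device-enrolled one sends the UDID.
    """
    if "EnrollmentID" in msg and "UDID" not in msg:
        return "user"
    if "UDID" in msg:
        return "device"
    raise ValueError("check-in carries neither EnrollmentID nor UDID")


def leaked_hardware_identifiers(msg: dict) -> list:
    """Hardware identifier keys present in the message, sorted for stable output."""
    return sorted(HARDWARE_IDENTIFIER_KEYS.intersection(msg))


def audit_checkin(raw: bytes) -> dict:
    """Summarise what a single check-in reveals about the device."""
    msg = parse_checkin(raw)
    kind = enrolment_type(msg)
    leaked = leaked_hardware_identifiers(msg)
    return {
        "message_type": msg.get("MessageType"),
        "enrolment": kind,
        "identifier": msg.get("EnrollmentID") or msg.get("UDID"),
        "hardware_identifiers_present": leaked,
        # The privacy promise only holds for a user enrolment with no hardware IDs.
        "privacy_ok": kind == "user" and not leaked,
    }


if __name__ == "__main__":
    for label, raw in (("device enrolment", DEVICE_ENROLMENT_CHECKIN),
                       ("user enrolment", USER_ENROLMENT_CHECKIN)):
        print(label, audit_checkin(raw))
```

Run over a sample of check-in bodies from the MDM server's logs, this is a quick way to confirm that devices which were meant to use User Enrolment really are presenting an EnrollmentID and not a serial number or UDID.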

 

Managed Apple IDs

An employee sets up the device with their personal Apple ID and then signs in with a Managed Apple ID to enrol; the work volume is bound to that Managed Apple ID, not to the personal account.

Managed Apple IDs are Apple IDs owned by the organisation rather than the employee. They are created in Apple Business Manager, either manually or automatically by federating Apple Business Manager with Azure Active Directory so that the employee signs in with their existing company identity. You can learn more about Managed Apple IDs in this article.

 

Policies and Controls

The MDM policies and controls available for User Enrolled devices are far more limited than for device enrolment: restrictions that apply to the whole device rather than to the work volume are not available.

Policies that can be applied to the managed volume include:

  • Disabling iCloud storage of managed app data and iCloud backup of enterprise books

  • Forcing AirDrop to be treated as an unmanaged destination, so managed documents cannot be AirDropped out of the work volume

  • Blocking screenshots and screen recording

  • Restricting document sharing between managed and unmanaged (personal) apps

An administrator can perform the following actions:

  • Push, validate and remove managed apps

  • Push and remove books

  • Push and remove a limited set of settings

  • Lock the device

  • Query limited device and certificate information (not hardware identifiers)
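Intune and Workspace ONE generate the restriction payload from their consoles, but it helps to know what the device actually receives. The following Python is an added example (not a profile exported from Intune, Workspace ONE or Apple) that builds the restrictions payload for the controls listed above using Apple's own key names from the com.apple.applicationaccess payload, and audits a profile for controls left in their permissive default. The profile identifier and display name are placeholder values, and the "weak" profile is a constructed example of a policy that only blocks screenshots.

```python
import plistlib
import uuid

# Apple's restriction keys (com.apple.applicationaccess payload) for the
# controls listed above, each with the value that enforces the control.
# Every one of these keys defaults to the permissive value when omitted.
HARDENED_WORK_VOLUME_RESTRICTIONS = {
    "allowManagedAppsCloudSync": False,        # managed apps may not store data in iCloud
    "allowEnterpriseBookBackup": False,        # enterprise books are not backed up to iCloud
    "forceAirDropUnmanaged": True,             # AirDrop counts as an unmanaged destination
    "allowScreenShot": False,                  # also blocks screen recording
    "allowOpenFromManagedToUnmanaged": False,  # work documents stay inside managed apps
    "allowOpenFromUnmanagedToManaged": False,  # personal documents stay out of managed apps
}

# Constructed "weak" policy: screenshots are blocked but nothing stops data
# leaving the work volume through AirDrop, open-in or iCloud.
WEAK_RESTRICTIONS = {"allowScreenShot": False}


def build_restrictions_profile(restrictions: dict,
                               identifier: str = "com.example.byod.work-restrictions",
                               display_name: str = "BYOD work volume restrictions") -> bytes:
    """Serialise a configuration profile carrying one restrictions payload.

    identifier and display_name are hypothetical placeholders; a real MDM
    supplies its own values and UUIDs.
    """
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        **restrictions,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_restrictions(profile_bytes: bytes,
                       expected: dict = HARDENED_WORK_VOLUME_RESTRICTIONS) -> list:
    """Return the controls a profile leaves missing or in their permissive state.

    Works on any .mobileconfig, so it can be pointed at a profile exported
    from the MDM console as well as at one built here.
    """
    profile = plistlib.loads(profile_bytes)
    applied = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            applied.update(payload)
    # A missing key reads as None, which never equals the enforcing value,
    # so omitted controls are reported alongside wrongly set ones.
    return sorted(key for key, value in expected.items() if applied.get(key) != value)


if __name__ == "__main__":
    hardened = build_restrictions_profile(HARDENED_WORK_VOLUME_RESTRICTIONS)
    weak = build_restrictions_profile(WEAK_RESTRICTIONS)
    print("hardened profile findings:", audit_restrictions(hardened))
    print("weak profile findings:", audit_restrictions(weak))
    print(hardened.decode())
```

The audit is worth running against a profile exported from the console rather than trusting the summary the console shows, because a key that is simply absent enforces nothing. Which of these keys a User Enrolled device honours is decided by Apple for each OS release, so check Apple's restrictions reference for the versions in the fleet.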

Enable User Enrolment in Microsoft Intune

At the time of writing, User Enrollment for iOS/iPadOS is in preview in Microsoft Intune. Microsoft documents which policies and settings are supported during the preview via this link.

To enable User Enrollment in Microsoft Intune:

  1. Go to Microsoft Endpoint Manager Admin Center > Devices > iOS/iPadOS enrollment

  2. Select Enrollment targeting > Enrollment types (preview)

  3. Select Create profile > iOS/iPadOS, enter a name, and for the enrollment type choose User enrollment or Determine based on user choice


Enable User Enrolment in VMware Workspace ONE UEM

To enable User Enrolment in VMware Workspace ONE UEM:

  1. Go to Groups & Settings > All Settings > Devices & Users > General > Enrollment > Authentication

  2. Select Enabled to enable User Enrolment

  3. Select Require Hub Enrollment for iOS

  4. Save


Conclusion

Apple User Enrolment provides a new way to empower and enable your employees to use personal devices. You can ensure your corporate data is secure while respecting employee privacy in ways that were not previously possible.

If you’re interested in learning how to enable BYOD in your business, check our BYOD 365 service, or contact us