What is Apple User Enrollment?
In this article, I’ll discuss one of the enrollment types for mobile device management (MDM) on Apple devices, called ‘User Enrollment’. It was also featured at WWDC 2019. Enjoy!
‘User Enrollment’ is Apple’s enrollment type for BYOD (bring your own device) scenarios, where the user (you and me), not the organization or company, owns the device.
What’s this about?
User Enrollment was introduced by Apple at WWDC 2019. Instead of managing the entire BYOD device with a mobile device management solution (such as AirWatch, Intune, etc.), the organization manages an enterprise user identity on the device, in the form of a managed Apple ID.
Confusing?
I suggest you soldier on. In short, this managed Apple ID lets the iOS device create a new, separate, cryptographically protected APFS volume dedicated to the managed data of the BYOD user. Any data installed through the MDM vendor is associated with this managed Apple ID, while all other personal data (personal apps, photos, etc.) stays with the personal Apple ID on the device.
This is mainly designed to keep personal and company data separate by associating a personal Apple ID with personal data and a managed Apple ID with corporate data.
User Enrollment is similar to what Google’s Android Enterprise has already achieved with what it calls a ‘Work profile’.
What are the benefits?
It’s mostly the additional privacy that comes from separating and protecting a user’s personal data while securing corporate data. Your Information Security dept. will love it.
Another benefit is that users of BYOD devices enrolled this way can now use an Apple Watch to unlock their iOS devices, using a numeric PIN instead of an alphanumeric one.
What are the challenges?
Due to the nature of this enrollment method, the MDM vendor can no longer access any persistent identifiers or any sort of PII associated with the device, in particular which apps the user has installed. You might say that’s a good thing, since you don’t want the company to know what you have on your device. However, most companies have on-premises Wi-Fi that checks your mobile device’s UDID to verify that the device is enrolled with the company-approved MDM vendor. That check is not possible if you used the ‘User Enrollment’ method.
You would need to re-enroll your mobile device using the User Enrollment method if it was already enrolled using a different method.
This also depends on whether your company’s security policy enforces 2FA (two-factor authentication). If it does, you will need to provide a 2FA token.
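As an added illustration of the UDID point above (example code written for this article’s topic, not code from the original post or from Apple or any MDM vendor): a small Python model of a Wi-Fi admission check run over constructed MDM inventory records. A traditionally enrolled device has a UDID on record, while a user-enrolled device does not, so a check keyed on UDID refuses the managed BYOD device. The field names, the sample identifiers, and the idea of keying the check on an enrollment-scoped identity instead (for instance the identity in a client certificate issued during enrollment) are assumptions of this example, not a documented API.

```python
"""Added example, not from the original article: why a Wi-Fi admission check
keyed on the device UDID fails for User Enrollment, and one way to key the
check on the enrollment identity instead.

All records below are constructed sample data; the field names and the
enrollment-scoped identifier are assumptions, not real MDM output."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MdmRecord:
    """One device as the MDM server sees it (constructed, simplified)."""
    enrollment_type: str            # "device" (traditional) or "user" (User Enrollment)
    udid: Optional[str]             # persistent hardware identifier; None under User Enrollment
    enrollment_id: str              # identifier scoped to this enrollment (assumed field name)
    managed_apple_id: Optional[str]  # set for User Enrollment, None for device enrollment
    active: bool                    # False once the user has unenrolled


# Constructed inventory: one traditionally enrolled phone, one active user-enrolled
# BYOD phone, and one BYOD phone whose user has since unenrolled.
INVENTORY: List[MdmRecord] = [
    MdmRecord("device", "00008030-000A1B2C3D4E5F67", "enr-0001", None, True),
    MdmRecord("user", None, "enr-0002", "jane.doe@example.com", True),
    MdmRecord("user", None, "enr-0003", "old.user@example.com", False),
]


def udid_based_admission(presented_udid: Optional[str]) -> bool:
    """Legacy Wi-Fi/NAC check: admit only if the client's UDID matches an active
    enrollment. A user-enrolled device has no UDID on record, so it is refused
    even though it is managed."""
    if presented_udid is None:
        return False
    return any(r.active and r.udid == presented_udid for r in INVENTORY)


def enrollment_based_admission(presented_enrollment_id: str) -> bool:
    """Check keyed on the enrollment identity rather than the hardware identity,
    e.g. the subject of an 802.1X client certificate issued at enrollment
    (assumed design). Still refuses enrollments that are no longer active."""
    return any(r.active and r.enrollment_id == presented_enrollment_id for r in INVENTORY)


def evaluate_inventory() -> Dict[str, Dict[str, bool]]:
    """Run both checks for every record, simulating what each device can present:
    its UDID (None under User Enrollment) and its enrollment identifier."""
    return {
        r.enrollment_id: {
            "udid_check": udid_based_admission(r.udid),
            "enrollment_check": enrollment_based_admission(r.enrollment_id),
        }
        for r in INVENTORY
    }


if __name__ == "__main__":
    for enrollment_id, result in evaluate_inventory().items():
        print(enrollment_id, result)
```

Running the block shows the active user-enrolled device (`enr-0002`) failing the UDID-keyed check but passing the enrollment-keyed one, while the unenrolled device (`enr-0003`) fails both, which is the behaviour an on-premises Wi-Fi policy would need to preserve when it stops relying on UDID.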
What is required to enable User Enrollment?
This is a question for the technical people (your IT team). You will need federated authentication. Remember the managed Apple ID I talked about earlier? It is an enterprise identity created on behalf of users by Apple Business Manager through federation with an IdP such as Azure AD (or another IdP). You will need to enable this so that your company email address becomes a managed Apple ID.
The rest is just user communication, onboarding and getting clearance from your Information Security dept.
I hope you enjoyed this article. Feel free to reach out to me if you have any queries!