September 26, 2019

Hitchhiker’s Guide to Apple’s User Enrollment


Apple's Fall OS releases are now available, and we are excited to announce the new changes! We have heard many questions from customers and prospects about the new User Enrollment flow for iOS 13 and macOS Catalina. Although these changes to the Bring Your Own Device (BYOD) scenario are exciting, we want to highlight some considerations as you explore BYOD within your organization.

The Three E's

With iOS 13 and macOS Catalina, there are now three different types of enrollment:

  • User Enrollment
  • Device Enrollment
  • Automated Device Enrollment

Device Enrollment is the name for the traditional enrollment workflow (web, Apple Configurator, or Hub-based) that many long-time admins readily understand. Automated Device Enrollment is the new name for enrollment via the Device Enrollment Program (now part of Apple Business Manager). Both of these flows grant the mobile device management (MDM) server more access than a BYOD scenario requires. Apple created a third, new enrollment flow called User Enrollment specifically to address privacy-focused BYOD use cases. We see this new flow as the future of BYOD and recommend that organizations managing Apple devices explore it.

About User Enrollment 

User Enrollment is a new lightweight device onboarding workflow aimed at BYOD use cases where privacy is paramount. User Enrollment uses Managed Apple IDs (from Apple Business Manager) so that BYOD users can access work applications without exposing personal data to MDM (hardware identifiers such as the serial number and UDID, the list of personally installed apps, and so on); the MDM server sees only the enrollment-specific identity and the data and apps it manages. Think of User Enrollment as a happy medium between unmanaged devices and fully managed devices. For more details about User Enrollment, watch the What's New in Managing Apple Devices WWDC 2019 video. Workspace ONE UEM version 1909 fully supports User Enrollment.

Mapping Out User Enrollment Behaviors

We welcome feedback on how you intend to use User Enrollment, and offer the following list of potential considerations that result from the privacy-focused behaviors of the new enrollment flow:

Privacy-focused device behavior: Devices do not provide uniquely identifying network information (such as Wi-Fi MAC addresses) to MDM.
Potential considerations:
  • Any organization using MAC addresses in Network Access Control (NAC) queries to MDM for BYOD network access should rethink this approach; a policy keyed on the enrollment identity (for example, a per-enrollment client certificate) works where a MAC lookup cannot.

Privacy-focused device behavior: Devices do not provide a list of user-installed applications to MDM.
Potential considerations:
  • Attempts to install an app that already exists among the user-installed apps fail with a non-specific error, because MDM has no way to detect the conflict in advance.
  • Users must remove a pre-existing application before it can be MDM-installed, managed, and configured (Custom Settings or App Config).
  • There could be conflicts or unexpected behaviors when apps allow dual persona (business and personal, such as the Microsoft Office apps for iOS). Organizations are encouraged to test for the desired results and behaviors in a BYOD environment.

Privacy-focused device behavior: Devices do not allow MDM to perform highly impactful device-level actions (device wipe, passcode settings/clearing, and more). MDM can remove only the managed apps and data it provisioned, by removing the enrollment; it cannot erase the whole device.
Potential considerations:
  • Organizations that require network proxying for BYOD devices need to rethink this approach.
  • Organizations cannot set passcode complexity requirements.
  • Organizations cannot enforce OS updates on User Enrollment devices.
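As an added example (not code from the original post, from Apple, or from Workspace ONE UEM), the following Python parses two constructed MDM Authenticate check-in messages and shows why a server or NAC integration keyed on hardware identifiers breaks under User Enrollment: the User Enrollment message identifies itself with EnrollmentID rather than UDID and reports no serial number. The message bodies, identifier values, topic string, and the serial-number allow-list policy are all constructed for illustration; the serial number stands in for the MAC-address lookup the table above warns about, since MAC addresses arrive in a separate DeviceInformation response rather than in the check-in itself.

```python
"""Identity resolution for MDM check-in messages under Device Enrollment
versus User Enrollment (added example; not Apple or Workspace ONE UEM code)."""
import plistlib

# Constructed sample Authenticate messages (invented values, not captures).
# Key names follow Apple's MDM check-in protocol; the exact set of optional
# keys a given OS version sends is an assumption made for illustration.
DEVICE_ENROLLMENT_AUTHENTICATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>MessageType</key><string>Authenticate</string>
  <key>Topic</key><string>com.apple.mgmt.External.example-topic</string>
  <key>UDID</key><string>00008030-001E2D3C0000001E</string>
  <key>SerialNumber</key><string>F9FEXAMPLE01</string>
  <key>OSVersion</key><string>13.0</string>
</dict>
</plist>
"""

USER_ENROLLMENT_AUTHENTICATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>MessageType</key><string>Authenticate</string>
  <key>Topic</key><string>com.apple.mgmt.External.example-topic</string>
  <key>EnrollmentID</key><string>7F3A2C9E-5B41-4D60-9C2F-EXAMPLE00001</string>
  <key>OSVersion</key><string>13.0</string>
</dict>
</plist>
"""

# Hardware-bound identifiers that a User Enrollment never reports.
HARDWARE_IDENTIFIER_KEYS = ("UDID", "SerialNumber", "IMEI", "MEID")


def parse_authenticate(raw: bytes) -> dict:
    """Parse a check-in body and verify it is an Authenticate message."""
    msg = plistlib.loads(raw)
    if msg.get("MessageType") != "Authenticate":
        raise ValueError(f"unexpected MessageType: {msg.get('MessageType')!r}")
    return msg


def enrollment_identity(msg: dict) -> tuple:
    """Return ("user", EnrollmentID) or ("device", UDID).

    A User Enrollment identifies itself with a per-enrollment EnrollmentID
    instead of the hardware UDID, so a server that keys records on UDID
    alone would reject or misfile the check-in.
    """
    if "EnrollmentID" in msg:
        return "user", msg["EnrollmentID"]
    if "UDID" in msg:
        return "device", msg["UDID"]
    raise ValueError("check-in carries neither EnrollmentID nor UDID")


def hardware_identifiers(msg: dict) -> dict:
    """Hardware identifiers present in the message (empty for User Enrollment)."""
    return {k: msg[k] for k in HARDWARE_IDENTIFIER_KEYS if k in msg}


def nac_decision(msg: dict, allowed_serials: set) -> dict:
    """Hypothetical NAC policy that admits devices by serial number, standing in
    for the MAC-address lookup the post warns about.  It works for Device
    Enrollment but can never admit a User Enrollment, because no hardware
    identifier is reported; those devices need a policy keyed on the
    enrollment identity instead (for example a per-enrollment client cert)."""
    kind, ident = enrollment_identity(msg)
    serial = msg.get("SerialNumber")
    if serial is None:
        return {"enrollment": kind, "id": ident, "admit": False,
                "reason": "no hardware identifier reported; "
                          "key NAC on the enrollment identity instead"}
    admit = serial in allowed_serials
    return {"enrollment": kind, "id": ident, "admit": admit,
            "reason": "serial allow-listed" if admit else "serial not allow-listed"}


if __name__ == "__main__":
    allowed = {"F9FEXAMPLE01"}
    for raw in (DEVICE_ENROLLMENT_AUTHENTICATE, USER_ENROLLMENT_AUTHENTICATE):
        msg = parse_authenticate(raw)
        print(enrollment_identity(msg), hardware_identifiers(msg))
        print(nac_decision(msg, allowed))
```

The design point is the first branch of enrollment_identity: any code path that assumes a UDID (or a serial, IMEI, or MAC) is present must be written to tolerate its absence, and any BYOD network policy must be keyed on something the User Enrollment does hand over.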

Mapping Out Enterprise Considerations in Apple Business Manager 

In addition to device behavior considerations, enterprises should consider the following features of Apple Business Manager before adopting User Enrollment:

User Enrollment feature: Apple Business Manager supports federation only to Azure Active Directory.
Enterprise consideration: Azure Active Directory is the first identity provider supported by Apple Business Manager. Although we expect Apple to add more identity providers in time, organizations with other identity providers (such as Okta, Ping, Google Cloud Identity, and others) cannot currently automate Managed Apple ID provisioning and must create accounts another way.

User Enrollment feature: Managed Apple IDs automatically receive iCloud storage for collaboration and document storage.
Enterprise consideration: Apple Business Manager administrators do not get centralized administration of the iCloud storage provisioned through Apple Business Manager. As a result, administrators have no control over content ownership transfer (for example, on employee termination or job change), data retention, and other enterprise-critical features.
