September 26, 2019

Hitchhiker’s Guide to Apple’s User Enrollment

Read about Apple's Fall OS releases in this blog post which highlights some considerations as you explore BYOD within your organization.

Apple's Fall OS releases are now available, and we are excited to announce the new changes! We have heard many questions from customers and prospects as to the new User Enrollment flow for iOS 13 and macOS Catalina. Although these changes to the Bring Your Own Device (BYOD) scenario are exciting, we wanted to highlight some considerations as you explore BYOD within your organization. 

The Three E's

With iOS 13 and macOS Catalina, there are now three different types of enrollment:

  • User Enrollment
  • Device Enrollment
  • Automated Device Enrollment

Device Enrollment is the name for the traditional enrollment workflow (web, Configurator, or Hub-based) that many long-time admins readily understand. Automated Device Enrollment is the new name for enrollment via the Device Enrollment Program (or now, Apple Business Manager). In both cases, these enrollment flows granted the mobile device management server more access than required in a BYOD scenario. Apple created a third, new enrollment flow called User Enrollment specifically to address privacy-focused BYOD use-cases. We see this new flow as the future of BYOD and recommend that organizations managing Apple devices explore this new option.

About User Enrollment 

User Enrollment is a new lightweight device onboarding workflow aimed at BYOD use cases where privacy is paramount. User Enrollment leverages Managed Apple IDs (from Apple Business Manager) for BYOD users to gain access to work applications without exposing any personal data (device identifiers, installed apps, and so on). Think of User Enrollment as a happy medium between unmanaged devices and fully managed devices. For more details about User Enrollment, watch the What’s New in Managing Apple Devices WWDC 2019 video. Workspace ONE UEM version 1909 fully supports User Enrollment.

Mapping Out User Enrollment Behaviors

We are excited about feedback regarding your intended uses for User Enrollment, but offer up the following as a list of potential considerations resulting from privacy-focused behaviors in the new enrollment flow: 

Privacy-Focused Device Behaviors  Potential Considerations
Devices do not provide uniquely identifying network information (MAC addresses) to MDM. 
  • Any organizations using MAC Addresses for Network Access Control queries to MDM for BYOD network access should rethink this approach. 
Devices do not provide a list of User-Installed Applications to MDM. 
  • Attempts to install an app which already exists in the list of user-installed apps fail with a non-specific error. 

  • Users must remove a pre-existing application before it can be MDM-installed, managed, and configured (Custom Settings or App Config).   

  • There could be potential conflicts or unexpected behaviors when apps allow dual persona (business and personal, such as Microsoft Office apps for iOS). Organizations are encouraged to test for desired results and behaviors in a BYOD environment. 

Devices do not allow MDM to perform highly impactful device-level actions (device wipe, passcode settings/clearing, and more). 
  • Organizations that require network proxying for BYOD devices need to rethink this approach. 

  • Organizations cannot set passcode complexity requirements. 

  • Organizations cannot enforce OS Updates on User Enrollment devices.


Mapping Out Enterprise Considerations in Apple Business Manager 

In addition to device behavior considerations, enterprises should consider the following features of Apple Business Manager before adopting User Enrollment:

User Enrollment Features  Enterprise Considerations 
Apple Business Manager supports federation only to Azure Active Directory. 

Azure Active Directory is the first identity provider supported by Apple Business Manager. Although we expect Apple to add more identity providers in time, organizations with other identity providers (such as Okta, Ping, Google Cloud Identity, and others) cannot automate Managed Apple ID provisioning. 

Managed Apple IDs automatically get iCloud storage for collaboration and document storage. 

Apple Business Manager administrators do not get centralized administration of iCloud storage provisioned through Apple Business Manager. As such, administrators have no control over content ownership transfer (e.g., employee termination or job change), data retention, and other enterprise-critical features. 


Additional Resources

Filter Tags

Workspace ONE Workspace ONE UEM Blog Announcement Overview iOS macOS Manage