User Enrolment and MDM
User Enrolment is designed for BYOD — or bring-your-own-device deployments — where the user, not the organisation, owns the device.
The four stages of User Enrolment into MDM are:
Service discovery: The device identifies itself to the MDM solution.
User enrolment: The user provides credentials to an identity provider (IdP) for authorisation to enrol in the MDM solution.
Session token: A session token is issued to the device to allow ongoing authentication.
MDM enrolment: The enrolment profile is sent to the device with payloads configured by the MDM administrator.
User Enrolment and Managed Apple IDs
User Enrolment requires Managed Apple IDs. These are owned and managed by an organisation and give employees access to certain Apple services. In addition, Managed Apple IDs:
Are created manually, or automatically using federated authentication
Can be created by integrating with a Student Information System (SIS) or by uploading .csv files (Apple School Manager only)
Can also be used to sign in with an assigned role in Apple School Manager, Apple Business Manager or Apple Business Essentials
When a user removes an enrolment profile, all configuration profiles, their settings and Managed Apps based on that enrolment profile are removed with it.
User Enrolment is integrated with Managed Apple IDs to establish a user identity on the device. The user must successfully authenticate for enrolment to be completed. The Managed Apple ID can be used alongside the personal Apple ID that the user has already signed in with; the two don’t interact with each other. User Enrolment is designed for devices owned by the user.
User Enrolment and federated authentication
User Enrolment works with Google Workspace or Microsoft Azure Active Directory (AD) and Apple School Manager or Apple Business Manager and a third-party MDM solution. It also works with device management in Apple Business Essentials. For your users to take advantage of synchronisation with Google Workspace or Microsoft Azure AD and User Enrolment, your organisation must first:
Configure Google Workspace or Azure AD
If you have an on-premises Active Directory, additional configuration is required to prepare it for federated authentication.
Sign up your organisation in Apple School Manager, Apple Business Manager or Apple Business Essentials
Set up federated authentication in Apple School Manager, Apple Business Manager or Apple Business Essentials
Configure an MDM solution and link it to Apple School Manager, Apple Business Manager or Apple Business Essentials, or use the device management that is built into Apple Business Essentials
(Optional) Create Managed Apple IDs
User Enrolment and Managed Apps (macOS)
User Enrolment extends Managed Apps to macOS (Device Enrolment and Automated Device Enrolment already supported them). Managed Apps that use CloudKit use the Managed Apple ID associated with the MDM enrolment. To install an app as managed, MDM administrators must add the InstallAsManaged key to the InstallApplication command. As on iOS and iPadOS, these apps can be automatically removed when a user unenrols from MDM.
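The command shape described above, as an added example that is not Apple's or any MDM vendor's code. The key names (RequestType, iTunesStoreID, InstallAsManaged, ManagementFlags) and the ManagementFlags bit values are taken from Apple's MDM command reference; the App Store ID, the lint rules and the function names are constructed for this example. The lint step is what a practitioner usually wants: a command that omits InstallAsManaged on a Mac installs the app unmanaged, and one whose ManagementFlags lack bit 1 leaves the app behind when the user unenrols.

```python
"""Build and lint an MDM InstallApplication command for a Managed App on macOS.
Added example; not code from Apple or from any MDM product."""
import plistlib
import uuid

# ManagementFlags bits (Apple MDM command reference).
REMOVE_ON_UNENROL = 1   # remove the app when the enrolment profile is removed
PREVENT_BACKUP = 4      # keep the app's data out of backups


def install_application(store_id: int, *, flags: int = REMOVE_ON_UNENROL) -> bytes:
    """Return the plist the MDM server would send to install an App Store app as managed."""
    command = {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {
            "RequestType": "InstallApplication",
            "iTunesStoreID": store_id,      # App Store ID of the app to install
            "InstallAsManaged": True,       # required on macOS for the app to be managed
            "ManagementFlags": flags,
        },
    }
    return plistlib.dumps(command)


def lint_install_command(raw: bytes) -> list[str]:
    """Return a list of findings (empty when the command is safe for User Enrolment).
    Rules are this example's own, derived from the behaviour described in the text."""
    findings = []
    cmd = plistlib.loads(raw).get("Command", {})
    if cmd.get("RequestType") != "InstallApplication":
        return ["not an InstallApplication command"]
    if cmd.get("InstallAsManaged") is not True:
        findings.append("InstallAsManaged missing: app will be installed unmanaged on macOS")
    flags = int(cmd.get("ManagementFlags", 0))
    if not flags & REMOVE_ON_UNENROL:
        findings.append("ManagementFlags lacks bit 1: app will remain after the user unenrols")
    return findings


if __name__ == "__main__":
    # Constructed App Store ID for illustration.
    good = install_application(123456789, flags=REMOVE_ON_UNENROL | PREVENT_BACKUP)
    print(lint_install_command(good))          # []
    bad = plistlib.dumps({"CommandUUID": "x", "Command": {
        "RequestType": "InstallApplication", "iTunesStoreID": 123456789}})
    print(lint_install_command(bad))           # two findings
```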
User Enrolment and per-app networking
In iOS 16 and iPadOS 16.1, or later, per-app networking is available for VPN (known as Per App VPN), DNS proxies and web content filters for devices enrolled with User Enrolment. This means that only network traffic initiated by Managed Apps is passed through the DNS proxy, the web content filter or both. A user’s personal traffic stays separated and won’t be filtered or proxied by an organisation. This is accomplished using new key-value pairs for the following payloads:
How users enrol their personal devices
In iOS 15, iPadOS 15 and macOS 14, or later, organisations can use a streamlined User Enrolment process, built directly into the Settings app to make it easier for users to enrol their personal devices.
To do this:
On iPhone and iPad, the user navigates to Settings > General > VPN & Device Management and then selects the Sign In to Work or School Account button.
On Mac, the user navigates to System Settings > Privacy & Security > Profiles and then selects the Sign In to Work or School Account button.
When they enter their Managed Apple ID, service discovery identifies the MDM solution’s enrolment URL.
The user then enters their organisation username and password. After the organisation’s authentication succeeds, the enrolment profile is sent to the device. Additionally, a session token is issued to the device to allow ongoing authorisation. The device then begins the enrolment process, and prompts the user to sign in with their Managed Apple ID. On iPhone and iPad, the authentication process can be streamlined by using enrolment single sign-on to reduce repeated authentication prompts. Finally, after the user is signed in, the new managed account is displayed prominently within the Settings app (iPhone and iPad) and System Settings (Mac).
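The service discovery and authentication steps above (the first three of the four stages listed at the top of the page), as an added example that is not Apple's code. The protocol facts used are from Apple's MDM protocol documentation: the device takes the domain of the Managed Apple ID and fetches https://<domain>/.well-known/com.apple.remotemanagement?user-identifier=<id>; the JSON reply carries a Servers array whose entries have Version ("mdm-byod" for User Enrolment) and BaseURL; and the MDM server answers the device's first enrolment request with HTTP 401 and a WWW-Authenticate: Bearer challenge naming the web authentication URL. The host names, Managed Apple ID and function names are constructed for the example. The security point worth checking on your own deployment: whoever controls DNS and TLS for the Managed Apple ID's domain controls where users enrol, so the well-known endpoint must be served only over HTTPS with a valid certificate, and the client should refuse any non-HTTPS BaseURL.

```python
"""Account-driven User Enrolment: service discovery and the bearer challenge.
Added example; not Apple's code.  Sample hosts and IDs are constructed."""
import json
import re
from urllib.parse import urlencode, urlsplit

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
BYOD_VERSION = "mdm-byod"   # Version string Apple uses for User Enrolment servers
BEARER_RE = re.compile(r'^Bearer\s+method="apple-as-web",\s*url="([^"]+)"$')


def discovery_url(managed_apple_id: str) -> str:
    """URL the device fetches for a given Managed Apple ID (domain taken from the ID)."""
    local, sep, domain = managed_apple_id.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("expected an e-mail style Managed Apple ID")
    query = urlencode({"user-identifier": managed_apple_id})
    return f"https://{domain.lower()}{WELL_KNOWN_PATH}?{query}"


def discovery_response(byod_enrol_url: str) -> str:
    """JSON body the organisation's well-known endpoint returns (server side)."""
    if urlsplit(byod_enrol_url).scheme != "https":
        raise ValueError("advertise only https enrolment URLs")
    return json.dumps({"Servers": [{"Version": BYOD_VERSION, "BaseURL": byod_enrol_url}]})


def select_enrolment_url(body: str) -> str:
    """Client side: pick the mdm-byod BaseURL, refusing anything that is not https."""
    doc = json.loads(body)
    servers = doc.get("Servers")
    if not isinstance(servers, list):
        raise ValueError("discovery reply has no Servers array")
    for entry in servers:
        if not isinstance(entry, dict) or entry.get("Version") != BYOD_VERSION:
            continue
        url = str(entry.get("BaseURL", ""))
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"BaseURL must be an https URL, got {url!r}")
        return url
    raise LookupError("no mdm-byod server advertised")


def parse_bearer_challenge(header: str) -> str:
    """Extract the web authentication URL from the MDM server's 401 challenge.
    Format per Apple's MDM protocol: Bearer method="apple-as-web", url="https://..."."""
    match = BEARER_RE.match(header.strip())
    if not match:
        raise ValueError("not an apple-as-web bearer challenge")
    url = match.group(1)
    if urlsplit(url).scheme != "https":
        raise ValueError("authentication URL must be https")
    return url


if __name__ == "__main__":
    # Constructed walk-through: jane@example.com enrols with an MDM at mdm.example.com.
    print(discovery_url("jane@example.com"))
    reply = discovery_response("https://mdm.example.com/enrol/byod")
    print(select_enrolment_url(reply))
    print(parse_bearer_challenge('Bearer method="apple-as-web", url="https://mdm.example.com/auth"'))
```

After the web authentication succeeds, the device repeats its enrolment request carrying the issued token as a bearer credential; that token is the "session token" stage of the list at the top of the page, and the enrolment profile comes back on that authenticated request.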
When enrolment is complete, users see an additional account on that device — in Settings > Passwords & Accounts (iPhone and iPad) or in System Settings (Mac). This allows users to still access files in their personal Apple ID–created iCloud Drive. The iCloud Drive for the organisation (associated with the user’s Managed Apple ID) appears separately in the Files app.
On iPhone and iPad, Managed Apps and managed web-based documents all have access to the organisation’s iCloud Drive, and the MDM administrator can help keep specific personal and organisational documents separate by using specific restrictions. For more information, see Managed App restrictions and capabilities.
Users can see details about what is being managed on their personal device and how much iCloud storage space is provided by their organisation. Because the user owns the device, User Enrolment can apply only a limited set of payloads and restrictions to it. For more information, see User Enrolment MDM information.
How Apple separates user data from organisation data
When User Enrolment is complete, separate encryption keys are automatically created on the device. If the device is unenrolled, by the user or remotely using MDM, those encryption keys are securely destroyed. The keys are used to cryptographically separate the managed data listed below:
App data containers: iPhone, iPad and Mac.
Calendar: iPhone, iPad and Mac. Devices must be using iOS 16, iPadOS 16.1 or macOS 13, or later.
Keychain items: iPhone, iPad and Mac.
Note: The third-party Mac app must use the data protection keychain API. For more information, see the Apple Developer documentation kSecUseDataProtectionKeychain.
Mail attachments and body of the mail message: iPhone, iPad and Mac.
Notes: iPhone, iPad and Mac.
Reminders: iPhone, iPad and Mac. Devices must be using iOS 17, iPadOS 17, macOS 14 or later.
On iPhone and iPad, Managed Apps and managed web-based documents all have access to the organisation’s iCloud Drive through existing Managed Open In restrictions. The MDM administrator can help keep specific personal and organisational documents separate.
If a user is signed in with a personal Apple ID and Managed Apple ID, Sign in with Apple automatically uses the Managed Apple ID for Managed Apps and the personal Apple ID for unmanaged apps. When using a sign-in flow in Safari or SafariWebView within a managed app, the user can select and enter their Managed Apple ID to associate the sign-in with their work account.
System administrators can manage only an organisation's accounts, settings and information provisioned with MDM, never a user's personal account. In fact, the same features that keep data secure in organisation-owned Managed Apps also protect a user's personal content from entering the corporate data stream.
With User Enrolment, MDM administrators can:
Access inventory of Managed Apps
Remove managed data only
Install and configure apps
Require a passcode
Enforce certain restrictions
Configure Per App VPN
With User Enrolment, MDM administrators can't:
See personal information, usage data or logs
Access inventory of personal apps
Remove any personal data
Take over management of a personal app
Require a complex passcode or password
Access device location
Access unique device identifiers
Remotely wipe the entire device
Manage Activation Lock
Access roaming status
Turn on Lost Mode
Note: For iPhone and iPad, administrators can require passcodes with a minimum of six characters and prevent users from using simple passcodes (for example, “123456” or “abcdef”) but can’t require complex characters or passwords.