Information about User Enrolment in MDM
User Enrolment is designed for BYOD — or bring-your-own-device deployments — where the user, not the organisation, owns the device. User Enrolment also requires Managed Apple IDs, which:
- Are owned and managed by an organisation
- Provide employees with access to certain Apple services
- Are created manually, or automatically using federated authentication
- Can also be used to sign in to roles within Apple School Manager or Apple Business Manager
User Enrolment and Managed Apple IDs
User Enrolment is designed for devices owned by the user and is integrated with Managed Apple IDs to establish a user identity on the device. Managed Apple IDs are part of the User Enrolment profile, and the user must successfully authenticate in order for enrolment to be completed. Managed Apple IDs can be used alongside a personal Apple ID that the user has already signed in with, and the two don’t interact with each other.
How to prepare for User Enrolment with federated authentication
Apple School Manager and Apple Business Manager work with Microsoft Azure Active Directory (AD) to automatically create Managed Apple IDs. To allow your users to take advantage of User Enrolment, your organisation must first:
1. Configure Microsoft Azure AD.
   If you have an on-premises (local) Active Directory, additional configuration is required to prepare for federated authentication.
2. Enrol in Apple School Manager or Apple Business Manager.
3. Configure an MDM solution.
4. Set up federated authentication in Apple School Manager or Apple Business Manager.
5. (Optional) Manually create Managed Apple IDs, if you don’t want to use the user’s Microsoft Azure AD email address as their Managed Apple ID.
Sign-in process for User Enrolment
When User Enrolment is properly configured, users are given a URL to enter into Safari. Once the URL is entered, the enrolment profile and any configuration profiles are downloaded. A User Enrolment screen appears and the user clicks or taps Enrol My (iPhone, iPad, Mac), then:
- With federated authentication: enters their Microsoft Azure AD email address and password
- Without federated authentication: enters their Managed Apple ID username and password
When enrolment completes — if the user has already signed in with their personal Apple ID — the user sees an additional account in Settings > Passwords & Accounts on iPhone and iPad, and in System Preferences on Mac.
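The following is an added example, not code from Apple or from this page, showing the server side of the sign-in process described above: mapping the identifier the user types at the User Enrolment screen to a Managed Apple ID (an Azure AD address in a federated domain, or a manually created Managed Apple ID) and binding that identity into the enrolment profile that the Safari URL hands out. The MDM payload keys EnrollmentMode and AssignedManagedAppleID are taken from Apple's MDM protocol reference; the domains, Managed Apple IDs, URLs, APNs topic and organisation name are constructed placeholders.

```python
import plistlib
import uuid

# Constructed sample: domains the organisation has federated with Azure AD
# in Apple Business Manager / Apple School Manager (hypothetical values).
FEDERATED_DOMAINS = {"example.com"}

# Constructed sample: Managed Apple IDs created manually because the
# organisation does not want to use the Azure AD address (hypothetical).
MANUAL_MANAGED_APPLE_IDS = {"jane.appleseed@appleid.example.org"}


def resolve_managed_apple_id(login: str) -> str:
    """Map what the user types at the User Enrolment screen to the Managed
    Apple ID the enrolment will be bound to.

    With federated authentication the Azure AD e-mail address is itself the
    Managed Apple ID, so its domain must be one the organisation federated.
    Otherwise the login must match a manually created Managed Apple ID.
    """
    login = login.strip().lower()
    if "@" not in login:
        raise ValueError("expected an e-mail style identifier")
    domain = login.rsplit("@", 1)[1]
    if domain in FEDERATED_DOMAINS:
        return login  # federated: the Azure AD address doubles as the Managed Apple ID
    if login in MANUAL_MANAGED_APPLE_IDS:
        return login  # manually created Managed Apple ID
    raise PermissionError(f"{login!r} is neither federated nor a known Managed Apple ID")


def build_user_enrolment_profile(managed_apple_id: str, server_url: str, org: str) -> bytes:
    """Serialise a minimal User Enrolment MDM profile as a plist.

    EnrollmentMode = "BYOD" and AssignedManagedAppleID are the keys Apple's
    MDM protocol reference uses for User Enrolment; every other value below
    is a constructed placeholder for this example.
    """
    mdm_payload = {
        "PayloadType": "com.apple.mdm",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.user-enrolment",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} User Enrolment",
        "ServerURL": f"{server_url}/mdm",
        "CheckInURL": f"{server_url}/checkin",
        "Topic": "com.apple.mgmt.External.PLACEHOLDER-TOPIC",  # APNs push topic placeholder
        "AccessRights": 8191,  # placeholder bitmask; User Enrolment still limits what applies
        "EnrollmentMode": "BYOD",  # marks this as a User Enrolment on a user-owned device
        "AssignedManagedAppleID": managed_apple_id,  # the user must authenticate as this ID
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} User Enrolment",
        "PayloadOrganization": org,
        "PayloadContent": [mdm_payload],
    }
    return plistlib.dumps(profile)


def profile_summary(profile_bytes: bytes) -> dict:
    """Parse a generated profile back and return the enrolment-relevant
    fields, the sanity check an administrator runs before publishing the URL."""
    profile = plistlib.loads(profile_bytes)
    mdm = next(p for p in profile["PayloadContent"] if p["PayloadType"] == "com.apple.mdm")
    return {
        "mode": mdm.get("EnrollmentMode"),
        "managed_apple_id": mdm.get("AssignedManagedAppleID"),
        "server": mdm.get("ServerURL"),
    }


if __name__ == "__main__":
    # Constructed walk-through: a federated user and a manually created ID both
    # resolve; a personal address in an unknown domain is refused.
    for login in ("Alice@Example.com", "jane.appleseed@appleid.example.org", "bob@personal.example.net"):
        try:
            mid = resolve_managed_apple_id(login)
            prof = build_user_enrolment_profile(mid, "https://mdm.example.com", "Example Org")
            print(login, "->", profile_summary(prof))
        except PermissionError as exc:
            print(login, "-> refused:", exc)
```

Refusing logins outside the federated domains before a profile is ever issued is what keeps a personal Apple ID from being used where the page says a Managed Apple ID is required; the personal Apple ID the user already signed in with stays untouched, as the section above describes.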
User Enrolment payloads, restrictions, queries and commands
Because the user owns the device, User Enrolment has a limited set of payloads and restrictions that can be applied to the device. For the complete lists, see:
User data and organisation data separation
When User Enrolment is complete on an iPhone or iPad, a separate volume is created on the device that contains managed versions of:
Mail attachments and body of the mail message