Information about User Enrollment into MDM
User Enrollment is designed for BYOD—or bring your own device deployments—where the user, not the organization, owns the device. User Enrollment also requires Managed Apple IDs, which:
Are owned and managed by an organization
Provide employees access to certain Apple services
Are created manually, or automatically using federated authentication
Can also be used to sign in to roles within Apple School Manager or Apple Business Manager
User Enrollment and Managed Apple IDs
User Enrollment is designed for devices owned by the user and is integrated with Managed Apple IDs to establish a user identity on the device. Managed Apple IDs are part of the User Enrollment profile, and the user must successfully authenticate in order for enrollment to be completed. Managed Apple IDs can be used alongside a personal Apple ID that the user has already signed in with, and the two don’t interact with each other.
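As an added example (not Apple's code and not part of this page), the following Python check inspects an MDM enrollment profile for the two things the paragraph above ties together: that it is a User Enrollment profile and that it assigns a Managed Apple ID for the user to authenticate with. It assumes the MDM payload keys EnrollmentMode, AssignedManagedAppleID and ServerURL as documented in Apple's MDM payload reference (verify against the current documentation); the sample profile is constructed for this example.

```python
import plistlib

MDM_PAYLOAD_TYPE = "com.apple.mdm"

# Constructed sample MDM payload for a User Enrollment profile (not from any real MDM vendor).
BASE_MDM_PAYLOAD = {
    "PayloadType": MDM_PAYLOAD_TYPE,
    "PayloadIdentifier": "example.user-enrollment.mdm",
    "PayloadUUID": "00000000-0000-0000-0000-000000000002",
    "PayloadVersion": 1,
    "EnrollmentMode": "BYOD",                          # assumed key: marks User Enrollment
    "AssignedManagedAppleID": "jane.doe@example.com",  # assumed key: Managed Apple ID to authenticate as
    "ServerURL": "https://mdm.example.com/mdm",
    "Topic": "com.apple.mgmt.External.example",
}

def make_sample_profile(**overrides) -> bytes:
    """Serialise the constructed sample profile as an XML plist. Keyword overrides
    replace MDM payload keys; a value of None removes the key (for failure cases)."""
    mdm = {k: v for k, v in {**BASE_MDM_PAYLOAD, **overrides}.items() if v is not None}
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.user-enrollment",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "PayloadContent": [mdm],
    })

def check_user_enrollment_profile(profile_bytes: bytes) -> list:
    """Return a list of problems; an empty list means the profile looks like a User
    Enrollment profile that assigns a Managed Apple ID and uses an https MDM server."""
    profile = plistlib.loads(profile_bytes)
    mdm = next((p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == MDM_PAYLOAD_TYPE), None)
    if mdm is None:
        return ["no com.apple.mdm payload found"]
    problems = []
    if mdm.get("EnrollmentMode") != "BYOD":
        problems.append("EnrollmentMode is not BYOD (not a User Enrollment profile)")
    if "@" not in mdm.get("AssignedManagedAppleID", ""):
        problems.append("AssignedManagedAppleID missing or not an email-style Managed Apple ID")
    if not mdm.get("ServerURL", "").startswith("https://"):
        problems.append("ServerURL must use https")
    return problems

if __name__ == "__main__":
    print(check_user_enrollment_profile(make_sample_profile()) or "profile OK")
```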
How to prepare for User Enrollment with federated authentication
Apple School Manager and Apple Business Manager work with Microsoft Azure Active Directory (AD) to automatically create Managed Apple IDs. To allow your users to take advantage of User Enrollment, your organization must first:
Configure Microsoft Azure AD
If you also have an on-premises Active Directory, additional configuration is required to prepare it for federated authentication.
Enroll in Apple School Manager or Apple Business Manager
Configure an MDM solution
Set up federated authentication in Apple School Manager or Apple Business Manager
(Optional) Manually create Managed Apple IDs
If you don’t want to use the user’s Microsoft Azure AD email address as their Managed Apple ID.
Sign-in process for User Enrollment
When User Enrollment is properly configured, users are given a URL to enter into Safari. Once entered, enrollment and any configuration profiles are downloaded. A User Enrollment screen appears and the user clicks or taps “Enroll My (iPhone, iPad, Mac),” then:
With federated authentication: Enters their Microsoft Azure AD email address and password
Without federated authentication: Enters their Managed Apple ID user name and password
When enrollment completes—if the user has already signed in with their personal Apple ID—the user sees an additional account in Settings > Passwords & Accounts on iPhone and iPad and in System Preferences on Mac.
User Enrollment payloads, restrictions, queries, and commands
Because the user owns the device, User Enrollment has a limited set of payloads and restrictions that can be applied to the device. For the complete lists, see:
User data and organization data separation
When User Enrollment is complete on an iPhone or iPad, a separate volume is created on the device and contains managed versions of:
Mail attachments and body of the mail message