User Enrollment and MDM
User Enrollment is designed for BYOD—or bring-your-own-device deployments—where the user, not the organization, owns the device.
The four stages of User Enrollment into MDM are:
Service discovery: The device identifies itself to the MDM solution.
User enrollment: The user provides credentials to an identity provider (IdP) for authorization to enroll in the MDM solution.
Session token: A session token is issued to the device to allow ongoing authentication.
MDM enrollment: The enrollment profile is sent to the device with payloads configured by the MDM administrator.
User Enrollment and Managed Apple IDs
User Enrollment requires Managed Apple IDs. These are owned and managed by an organization and provide employees access to certain Apple services. In addition, Managed Apple IDs:
Are created manually, or automatically using federated authentication
Are integrated with a Student Information System (SIS) or uploading .csv files (Apple School Manager only)
Can also be used to sign in with an assigned role in Apple School Manager, Apple Business Manager, or Apple Business Essentials
When a user removes an enrollment profile, all configuration profiles, their settings, and Managed Apps based on that enrollment profile are removed with it.
User Enrollment is integrated with Managed Apple IDs to establish a user identity on the device. The user must successfully authenticate for enrollment to be completed. The Managed Apple ID can be used alongside the personal Apple ID that the user has already signed in with; the two don’t interact with each other. User Enrollment is designed for devices owned by the user.
User Enrollment and federated authentication
User Enrollment works with Google Workspace or Microsoft Azure Active Directory (AD) and Apple School Manager or Apple Business Manager and a third-party MDM solution. It also works with device management in Apple Business Essentials. For your users to take advantage of synchronization with Google Workspace or Microsoft Azure AD and User Enrollment, your organization must first:
Configure Google Workspace or Azure AD
If you have a local version of Active Directory, additional configuration must be taken to prepare for federated authentication.
Sign up your organization in Apple School Manager, Apple Business Manager, or Apple Business Essentials
Set up federated authentication in Apple School Manager, Apple Business Manager, or Apple Business Essentials
Configure an MDM solution and link it to Apple School Manager, Apple Business Manager, or Apple Business Essentials, or use the device management that’s built right in to Apple Business Essentials
(Optional) Create Managed Apple IDs
User Enrollment and Managed Apps (macOS)
User Enrollment has added Managed Apps to macOS (this feature was already possible with Device Enrollment and Automated Device Enrollment). Managed Apps that use CloudKit use the Managed Apple ID associated with the MDM enrollment. MDM administrators must add the InstallAsManaged key to the InstallApplication command. Like iOS and iPadOS apps, these apps can be automatically removed when a user unenrolls from MDM.
User Enrollment and per-app networking
In iOS 16 and iPadOS 16.1, or later, per-app networking is available for VPN (known as Per App VPN), DNS proxies, and web content filters for devices enrolled with User Enrollment. This means that only network traffic initiated by Managed Apps is passed through the DNS proxy, the web content filter, or both. A user’s personal traffic stays separated and won’t be filtered or proxied by an organization. This is accomplished using new key-value pairs for the following payloads:
How users enroll their personal devices
In iOS 15, iPadOS 15, and macOS 14, or later, organizations can use a streamlined User Enrollment process, built right into the Settings app to make it easier for users to enroll their personal devices.
To do this:
On iPhone and iPad, the user navigates to Settings > General > VPN & Device Management and then selects the Sign In to Work or the School Account button.
On Mac, the user navigates to Settings > Privacy & Security > Profiles and then selects the Sign In to Work or the School Account button.
When they enter their Managed Apple ID, service discovery identifies the MDM solution’s enrollment URL.
The user then enters their organization user name and password. After the organization’s authentication succeeds, the enrollment profile is sent to the device. Additionally, a session token is issued to the device to allow ongoing authorization. The device then begins the enrollment process, and prompts the user to sign in with their Managed Apple ID. On iPhone and iPad, the authentication process can be streamlined by using enrollment single sign-on to reduce repeated authentication prompts. Finally, after the user is signed in, the new managed account is displayed prominently within the Settings app (iPhone and iPad) and System Settings (Mac).
When enrollment is complete, users see an additional account on that device—in Settings > Passwords & Accounts (iPhone and iPad) or in System Settings (Mac). This allows users to still access files in their personal Apple ID-created iCloud Drive. The iCloud Drive for the organization (associated with the user’s Managed Apple ID) appears separately in the Files app.
On iPhone and iPad, Managed Apps and managed web-based documents all have access to the organization’s iCloud Drive, and the MDM administrator can help keep specific personal and organizational documents separate by using specific restrictions. For more information, see Managed App restrictions and capabilities.
Users can see details about what is being managed on their personal device and how much iCloud storage space is provided by their organization. Because the user owns the device, User Enrollment can apply only a limited set of payloads and restrictions to it. For more information, see User Enrollment MDM information.
How Apple separates user data from organization data
When User Enrollment is complete, separate encryption keys are automatically created on the device. If the device gets unenrolled by the user or remotely using MDM, those encryption keys are securely destroyed. The keys are being used to cryptographically separate the managed data listed below:
App data containers: iPhone, iPad, and Mac.
Calendar: iPhone, iPad, and Mac. Devices must be running iOS 16, iPadOS 16.1, macOS 13, or later.
Keychain items: iPhone, iPad, and Mac.
Note: The third-party Mac app must use the data protection keychain API. For more information, see the Apple Developer documentation kSecUseDataProtectionKeychain.
Mail attachments and body of the mail message: iPhone, iPad, and Mac.
Notes: iPhone, iPad, and Mac.
Reminders: iPhone, iPad, and Mac. Devices must be running iOS 17, iPadOS 17, macOS 14, or later.
On iPhone and iPad, Managed Apps and managed web-based documents all have access to the organization’s iCloud Drive through existing Managed Open In restrictions. The MDM administrator can help keep specific personal and organizational documents separate.
If a user is signed in with a personal Apple ID and Managed Apple ID, Sign in with Apple automatically uses the Managed Apple ID for Managed Apps and the personal Apple ID for unmanaged apps. When using a sign-in flow in Safari or SafariWebView within a managed app, the user can select and enter their Managed Apple ID to associate the sign-in with their work account.
System administrators can manage only an organization’s accounts, settings, and information provisioned with MDM, never a user’s personal account. In fact, the same features that keep data secure in organization-owned Managed Apps also protect a user’s personal content from entering the corporate data stream.
MDM can | MDM can’t |
|---|---|
Configure accounts | See personal information, usage data or logs |
Access inventory of Managed Apps | Access inventory of personal apps |
Remove managed data only | Remove any personal data |
Install and configure apps | Take over management of a personal app |
Require a passcode | Require a complex passcode or password |
Enforce certain restrictions | Access device location |
Configure Per App VPN | Access unique device identifiers |
| Remotely wipe the entire device |
| Manage Activation Lock |
| Access roaming status |
| Turn on Lost Mode |
Note: For iPhone and iPad, administrators can require passcodes with a minimum of six characters and prevent users from using simple passcodes (for example, “123456” or “abcdef”) but can’t require complex characters or passwords.