
Device Enrollment and MDM
Device Enrollment allows organizations to have users manually enroll devices into a mobile device management (MDM) solution and then manage many different aspects of device use, including the ability to erase the device. On Mac computers using macOS 11 or later, Device Enrollment also enforces supervision on the Mac.
When a user removes an enrollment profile, all configuration profiles, their settings, and Managed Apps based on that enrollment profile are removed with it.
Device Enrollment has a larger set of payloads that can be applied to the device. For the complete list, see Device Enrollment MDM payload list.
Account-driven Device Enrollment
In iOS 17, iPadOS 17, and macOS 14, or later, organizations can use an account-driven Device Enrollment process that’s built into Settings and System Settings to make it easier for users to enroll devices.
To do this, the user navigates to Settings > General > VPN & Device Management or to System Settings > Privacy & Security > Profiles and then selects the Sign In to Work or School Account button.
As the user enters their Managed Apple ID, service discovery identifies the MDM solution’s enrollment URL. The user then enters their organization user name and password. After the authentication succeeds, the enrollment profile is sent to the device. Additionally, a session token is issued to the device to allow ongoing authorization. The device then begins the MDM enrollment process and prompts the user to sign in with their Managed Apple ID. On iPhone or iPad, the authentication process can be streamlined by using enrollment single sign-on to reduce repeated authentication prompts. After a user is signed in, the new managed account is displayed prominently within Settings and System Settings.
As with User Enrollment, organizational data is cryptographically separated from personal data (see How Apple separates user data from organization data). Due to this separation, some changes are required to the way apps and backups are handled. For example:
Apps installed before enrollment can’t be converted to become Managed Apps.
Managed Apps are always removed during unenrollment.
Restoring from a backup doesn’t restore MDM enrollment.
Users who sign in with their personal Apple ID can’t accept an invitation for Managed App distribution.
Because the discovery process uses the same com.apple.remotemanagement discovery file as User Enrollment, organizations can choose—based on the device model and Managed Apple ID of the user—which account-driven enrollment type (User Enrollment or Device Enrollment) should be used.
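The discovery step described above (the device takes the domain of the Managed Apple ID the user typed, fetches the com.apple.remotemanagement resource from that domain, and is told which MDM server and which account-driven enrollment type to use) is easiest to understand from the server side. The following is an added example, not Apple's or any MDM vendor's code. The well-known path, the `user-identifier` and `model-family` query parameters, and the `mdm-byod` (User Enrollment) and `mdm-adde` (Device Enrollment) version strings follow Apple's published discovery format; the routing policy, the `example.com` domain, the enrollment URLs and the model-family values checked are assumptions made for this example.

```python
"""Service discovery endpoint for account-driven enrollment (added example).

Serves https://<domain>/.well-known/com.apple.remotemanagement and decides,
per user and device model, whether the device should perform account-driven
User Enrollment ("mdm-byod") or account-driven Device Enrollment ("mdm-adde").
Policy, domain and URLs below are constructed for illustration.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
MANAGED_DOMAIN = "example.com"  # assumed: the Managed Apple ID domain this org owns

# Assumed policy: Macs always get Device Enrollment (supervised); so do
# accounts whose local part starts with "it-". Everyone else gets User Enrollment.
DEVICE_ENROLLMENT_MODELS = {"Mac"}  # model-family values are assumed
DEVICE_ENROLLMENT_PREFIX = "it-"


def choose_enrollment(user_identifier: str, model_family: Optional[str]) -> Optional[Dict]:
    """Return the discovery document for one user/device, or None to decline.

    Declining (no document) is the correct answer for identities outside the
    organization's domain: the device then does not offer account-driven
    enrollment for that account at all.
    """
    if "@" not in user_identifier:
        return None
    local_part, _, domain = user_identifier.rpartition("@")
    if domain.lower() != MANAGED_DOMAIN:
        return None
    if model_family in DEVICE_ENROLLMENT_MODELS or local_part.startswith(DEVICE_ENROLLMENT_PREFIX):
        version, base_url = "mdm-adde", "https://mdm.example.com/enroll/device"
    else:
        version, base_url = "mdm-byod", "https://mdm.example.com/enroll/user"
    return {"Servers": [{"Version": version, "BaseURL": base_url}]}


def handle_request(path: str) -> Tuple[int, Optional[Dict]]:
    """Map a request path including its query string to (HTTP status, JSON body)."""
    parsed = urlparse(path)
    if parsed.path != WELL_KNOWN_PATH:
        return 404, None
    query = parse_qs(parsed.query)
    identifier = query.get("user-identifier", [""])[0]
    model = query.get("model-family", [None])[0]
    document = choose_enrollment(identifier, model)
    if document is None:
        return 404, None
    return 200, document


class DiscoveryHandler(BaseHTTPRequestHandler):
    """Minimal GET handler; in production this sits behind TLS termination,
    because devices only fetch the discovery resource over HTTPS."""

    def do_GET(self):
        status, body = handle_request(self.path)
        payload = json.dumps(body).encode() if body is not None else b""
        self.send_response(status)
        if body is not None:
            self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Local test only; e.g. curl 'http://127.0.0.1:8080/.well-known/com.apple.remotemanagement?user-identifier=alice%40example.com&model-family=iPhone'
    HTTPServer(("127.0.0.1", 8080), DiscoveryHandler).serve_forever()
```

Two checks worth carrying into a real deployment: answer only for domains you actually own (the resource is public and unauthenticated, so it must never leak internal hostnames for arbitrary identifiers), and keep the decision deterministic per user and model, since the device caches nothing and will call discovery again on every enrollment attempt.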
How Apple separates user data from organization data
The table below shows how Apple separates user data from the organization’s data with Device Enrollment.
| Data | Can MDM see it? | Supported operating systems |
|---|---|---|
| Capacity and space available | Yes | iOS, iPadOS, macOS |
| Device name | Yes | iOS, iPadOS, macOS, tvOS |
| Installed apps | Yes | iOS, iPadOS, macOS, tvOS |
| Model name and number | Yes | iOS, iPadOS, macOS, tvOS |
| Operating system version number | Yes | iOS, iPadOS, macOS, tvOS |
| Phone number | Yes | iOS |
| Serial number | Yes | iOS, iPadOS, macOS, tvOS |
| Device location | No | iOS (Supervised), iPadOS (Supervised) |
| FaceTime or phone call logs | No | iOS, iPadOS, macOS |
| Frequency of app use | No | iOS, iPadOS, macOS, tvOS |
| Personal calendars, contacts, mail, notes, reminders | No | iOS, iPadOS, macOS |
| Safari browser history | No | iOS, iPadOS, macOS |
| SMS or iMessages | No | iOS, iPadOS, macOS |