User Enrollment into MDM
User Enrollment is designed for BYOD—or bring your own device deployments—where the user, not the organization, owns the device. User Enrollment also uses Managed Apple IDs, which:
Are owned and managed by an organization
Provide employees access to Apple services
Provide sign-in for roles within Apple School Manager or Apple Business Manager
Are created manually, or automatically using federated authentication
User Enrollment and Managed Apple IDs
User Enrollment is integrated with Managed Apple ID to establish a user identity on the device. The Managed Apple ID is part of the User Enrollment profile, and the user must successfully authenticate for enrollment to be completed. The Managed Apple ID can be used alongside the personal Apple ID that the user has already signed in with; the two don’t interact with each other. User Enrollment is designed for devices owned by the user.
User Enrollment with federated authentication
User Enrollment works with Microsoft Azure Active Directory (AD), Apple School Manager or Apple Business Manager, and an MDM solution. For your users to take advantage of User Enrollment, your organization must first:
Configure Microsoft Azure AD
If you have an on-premises Active Directory, additional configuration is required to prepare it for federated authentication.
Enroll in Apple School Manager or Apple Business Manager
Configure an MDM solution
Set up federated authentication in Apple School Manager or Apple Business Manager
(Optional) Create Managed Apple IDs
Sign-in process for User Enrollment
When User Enrollment is properly configured, users are given a URL to enter into Safari. Once that URL is entered, the enrollment profile and any configuration profiles are downloaded. A User Enrollment screen appears and the user clicks “Enroll My (iPhone, iPad, Mac),” then:
With federated authentication: Enters their Microsoft Azure AD email address and password
Without federated authentication: Enters their Managed Apple ID user name and password
When enrollment is complete, users will see an additional account in Settings > Passwords & Accounts on iPhone and iPad and in System Preferences on Mac.
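The sections on Managed Apple IDs and on the sign-in process above describe the profile the user downloads: it is an MDM profile that carries the Managed Apple ID the user must authenticate with, and it must not rely on the user's personal Apple ID. The following Python script is an added example, not Apple's code or a page excerpt: it builds a minimal User Enrollment profile as a plist and runs the sanity checks an MDM administrator would want before publishing the enrollment URL (the profile is really a User Enrollment profile, the assigned Apple ID belongs to the organization's Managed Apple ID domain rather than a personal domain, and the server URLs are HTTPS). The key names `EnrollmentMode`, `AssignedManagedAppleID`, `ServerURL`, `CheckInURL`, `Topic` and `AccessRights` are taken from Apple's MDM protocol reference as I know it; every value (domain, URLs, UUIDs, push topic) is a constructed placeholder, and the identity-certificate payload a real profile also carries is omitted.

```python
import plistlib
from urllib.parse import urlsplit


def build_user_enrollment_profile(managed_apple_id: str, server_url: str,
                                  enrollment_mode: str = "BYOD") -> bytes:
    """Return a minimal User Enrollment profile as binary-safe plist bytes.

    Key names follow Apple's MDM protocol reference; every value here is a
    constructed placeholder. A real profile also carries a SCEP or PKCS12
    identity payload referenced via IdentityCertificateUUID, omitted here.
    """
    mdm_payload = {
        "PayloadType": "com.apple.mdm",
        "PayloadIdentifier": "com.example.mdm.payload",            # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",      # placeholder
        "PayloadVersion": 1,
        # "BYOD" marks the profile as a User Enrollment profile.
        "EnrollmentMode": enrollment_mode,
        # The Managed Apple ID the device will prompt the user to sign in with.
        "AssignedManagedAppleID": managed_apple_id,
        "ServerURL": server_url,
        "CheckInURL": server_url.rstrip("/") + "/checkin",
        "Topic": "com.apple.mgmt.External.PLACEHOLDER",             # APNs topic placeholder
        "AccessRights": 8191,  # bitmask of MDM rights; 8191 requests all of them
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.mdm.user-enrollment",     # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",      # placeholder
        "PayloadVersion": 1,
        "PayloadDisplayName": "Example User Enrollment",
        "PayloadContent": [mdm_payload],
    }
    return plistlib.dumps(profile)


def check_user_enrollment_profile(profile_bytes: bytes, org_domain: str) -> list:
    """Return a list of findings; an empty list means the profile passed."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    mdm_payloads = [p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == "com.apple.mdm"]
    if len(mdm_payloads) != 1:
        return ["expected exactly one com.apple.mdm payload, found %d" % len(mdm_payloads)]
    mdm = mdm_payloads[0]

    # Without EnrollmentMode=BYOD the device would treat this as a device enrollment.
    if mdm.get("EnrollmentMode") != "BYOD":
        findings.append("EnrollmentMode is not BYOD; this is not a User Enrollment profile")

    # The assigned ID must be a Managed Apple ID in the organization's domain,
    # not the personal Apple ID the user already signed in with.
    apple_id = mdm.get("AssignedManagedAppleID", "")
    if "@" not in apple_id:
        findings.append("AssignedManagedAppleID missing or malformed; the user cannot be prompted to sign in")
    elif apple_id.rpartition("@")[2].lower() != org_domain.lower():
        findings.append("AssignedManagedAppleID %r is not in %s" % (apple_id, org_domain))

    # Enrollment traffic carries credentials and commands; require HTTPS.
    for key in ("ServerURL", "CheckInURL"):
        url = mdm.get(key)
        if key == "CheckInURL" and url is None:
            continue  # optional: the device falls back to ServerURL
        parts = urlsplit(url or "")
        if parts.scheme != "https" or not parts.netloc:
            findings.append("%s must be an https URL, got %r" % (key, url))

    if not mdm.get("Topic"):
        findings.append("Topic missing; the server cannot push to the device")
    return findings


if __name__ == "__main__":
    good = build_user_enrollment_profile("jane.doe@appleid.example.com",
                                         "https://mdm.example.com/mdm")
    print("good profile findings:", check_user_enrollment_profile(good, "appleid.example.com"))
    personal = build_user_enrollment_profile("jane@icloud.com",
                                             "https://mdm.example.com/mdm")
    print("personal-ID profile findings:", check_user_enrollment_profile(personal, "appleid.example.com"))
```

Run the checker over the profile your MDM solution actually serves at the enrollment URL (download it with the same URL you hand to users, then pass the bytes to `check_user_enrollment_profile` with your Managed Apple ID domain); a personal-domain Apple ID or a plain-HTTP server URL is the kind of misconfiguration that only shows up at the user's sign-in step otherwise.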
User Enrollment payloads, restrictions, queries, and commands
Because the user owns the device, User Enrollment has a limited set of payloads and restrictions that can be applied to the device. For the complete lists, see: