Apple User Enrollment

What is Apple User Enrollment?

Apple User Enrollment (UE) is a form of mobile device management (MDM) for Apple products that supports the latest versions of iOS and macOS.

UE is primarily made for organizations and schools that embrace a bring your own device (BYOD) strategy. The MDM technique was announced at Apple's Worldwide Developers Conference (WWDC) event in 2019 and focuses on the protection of users' personal data while securing corporate data.

BYOD commonly refers to the use of consumer devices and applications in the workplace. These devices are commonly managed by an administrator who ensures that everyone has the same set of required tools and that all devices are secure. However, admins in organizations may not want to manage an employee or student's entire device. As a result, Apple created UE to find the balance between protecting the privacy of a user's personal data while simultaneously securing corporate data.

In the past, Apple has produced two separate tools that allow admins to focus on the management of devices in a BYOD environment: the Apple Device Enrollment Program (DEP), and the Automated Device Enrollment Program. The DEP provides device-wide management capabilities, while the Automated DEP includes device management capabilities as well as automated set-ups for organizations and schools.

However, both of these tools failed to address the privacy of users and organizations. This is why UE is more a re-work of Apple's BYOD tools. In the DEP and Automated DEP, an admin can restrict users and completely wipe or lock users out of their device. In contrast, UE attempts to limit what an MDM server can do to a device.

User Enrollment features

An admin with UE can manage the applications or data a user would need for business. Their abilities include:

• installing and configuring apps and accounts;
• enforcing six-digit passcodes;
• enforcing specified user restrictions;
• installing and configuring VPNs for mail, calendars and other apps;
• querying data related specifically to enterprise-managed apps and profiles;
• matching devices to their appropriate enrollment IDs.

Benefits of User Enrollment

The benefits of User Enrollment mostly include the additional privacy created by the separation and protection of a user's personal data and the securing of corporate data. Other benefits include:

• MDM servers cannot wipe all data on a device.
• Personal data on a device is not visible to MDM servers.
• MDM servers cannot authenticate the device with an unlock token command.
• Enrollment IDs are used instead of serial numbers or unique device identifiers (UDIDs) for device authentication.

How User Enrollment works

User Enrollment is built on three tools: Managed Apple ID, data separation and management capabilities.

An admin creates a managed Apple ID in Apple School Manager or Apple Business Manager (ABM). With Managed Apple ID, an admin can manage, add and remove IDs. Managed apps and accounts will use Managed Apple IDs, and personal apps and accounts will use Personal Apple IDs.

Data separation then separates personal and managed data. When a device enrollment starts, iOS creates an Apple file system (APFS) volume which manages apps and app data, iCloud and downloaded data, Apple Notes data and keychains -- which store any secured items such as passwords saved by third party apps.

UE management capabilities control the data separated in the previous step. UE management works on a modified MDM protocol. Some differences between protocols include the lack of access rights in UE protocol, profile service profiles cannot be linked, unlock tokens are not provided -- so MDM servers cannot pass through a device's passcode -- and, unlike device enrollment, UE does not use UDID and other persistent device identifiers; instead, it uses enrollment ID.

UE does not support a remote wipe command. Instead, options to erase managed data are offered.