How to enroll iOS devices with Apple User Enrollment
A recently added Apple feature, iPadOS and iOS User Enrollment, helps organizations manage devices with personal data without sacrificing end users' privacy.
When organizations need to manage personal iOS devices, Apple's User Enrollment can be a helpful feature.
The User Enrollment feature is a relatively new enrollment option that Apple introduced with iOS 13 and iPadOS 13.1. It allows IT administrators to establish a clear separation between personal data and company data on personal iOS devices such as BYOD and corporate-owned personally enabled devices.
For comparison, standard device enrollment doesn't allow for that separation. It cannot protect user privacy because IT administrators have access to all of the device's data and apps.
What is Apple User Enrollment?
This enrollment method relies on Managed Apple IDs to deliver privacy-focused device management for work devices on which users also handle personal matters. Like personal Apple IDs, Managed Apple IDs sign users into Apple devices and Apple services; they are essentially the business version of personal Apple IDs. The organization owns the Managed Apple IDs, and its IT administrators manage them. IT can perform any required management actions for Managed Apple IDs via Apple Business Manager.
User Enrollment relies on Managed Apple IDs to provide that clear separation between personal data and company data: A personal Apple ID for the personal apps, data and services, and a Managed Apple ID for the company apps, data and services. Those different accounts don't interact with each other.
Once IT has completed the Apple User Enrollment process on an iOS device, the device automatically creates a separate volume containing managed versions of Apps, Notes, Calendar attachments, Mail attachments and Keychain. When managing that iOS device, the IT administrator can now only control the parts of the device that are connected to the Managed Apple ID.
That Managed Apple ID, however, is not connected to the device's local Apple App Store. That means the IT administrator who wants to deploy apps to that iOS device must rely on the Apple Volume Purchase Program and user licenses to roll them out to the BYOD or personally enabled devices.
IT can federate Apple Business Manager with Azure Active Directory (Azure AD) and provision Managed Apple IDs from Azure AD accounts. That combination -- especially in tandem with Microsoft 365 -- provides the best user experience, as the user can employ the same credentials across devices and platforms.
How to enroll iOS 14 devices with Apple User Enrollment
Mobile device administrators can facilitate User Enrollment with a mobile device management (MDM) platform or a management platform with MDM capabilities. Managed Apple IDs and the Apple MDM push certificate are the only important prerequisites that IT needs in place for this process. However, the push certificate is not specific to the User Enrollment and is always required to manage Apple devices. Additionally, there is no direct configuration dependency, but the User Enrollment won't complete when Managed Apple IDs are unavailable.
Using Microsoft Intune's MDM capabilities for this example, IT admins can enable User Enrollment using an enrollment profile. That enrollment profile defines the settings that the MDM applies to iOS devices during the enrollment. The following six steps explain the process to create and assign an enrollment profile in Microsoft Intune. Different management consoles will have unique steps, but this is the general outline for any MDM to complete the process.
1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment types.
2. Open the Enrollment type profiles page. This is where IT administrators can create and manage enrollment profiles, which provide enrollment options to users setting up their Apple devices via the Company Portal app. On this page, select Create > iOS/iPadOS to open the Create enrollment profile type wizard.
3. On the Basics page, provide a name and description for the enrollment profile and click Next.
4. On the Settings page, select User enrollment and click Next (Figure 1).
5. On the Assignments page, configure the assignment of the enrollment profile and click Next.
6. On the Review + create page, verify the configuration and click Create.
Assigned Apple devices will start the MDM enrollment via the Company Portal app, and once the configuration process is complete, the device will be enrolled via User Enrollment. The IT administrator can also configure multiple enrollment profiles (Figure 2).
When multiple enrollment profiles apply to the same user during enrollment, they can conflict. IT can prevent this conflict by prioritizing the enrollment profiles: the profile with the highest priority applies to the user during enrollment, and the others are overruled and do not affect the device settings.
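Because standard device enrollment gives IT full access to a personal device, a useful follow-up check is to confirm that every personally owned iOS or iPadOS device in the tenant actually ended up on User Enrollment. The script below is an added example, not code from the article or from Microsoft; it assumes the device list has the shape of the Microsoft Graph managedDevices collection (property names managedDeviceOwnerType and deviceEnrollmentType, and the enrollment type values appleUserEnrollment and appleUserEnrollmentWithServiceAccount), and the device records are constructed sample data rather than a real Graph response.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of a Graph managedDevices response.
# Device names, users and values are invented for illustration only.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"deviceName": "iPhone-alice", "operatingSystem": "iOS",
         "managedDeviceOwnerType": "personal",
         "deviceEnrollmentType": "appleUserEnrollment",
         "userPrincipalName": "alice@example.com"},
        {"deviceName": "iPad-bob", "operatingSystem": "iPadOS",
         "managedDeviceOwnerType": "personal",
         "deviceEnrollmentType": "userEnrollment",   # full device enrollment
         "userPrincipalName": "bob@example.com"},
        {"deviceName": "iPhone-pool-01", "operatingSystem": "iOS",
         "managedDeviceOwnerType": "company",
         "deviceEnrollmentType": "appleBulkWithoutUser",
         "userPrincipalName": ""},
        {"deviceName": "LAPTOP-carol", "operatingSystem": "Windows",
         "managedDeviceOwnerType": "personal",
         "deviceEnrollmentType": "windowsAzureADJoin",
         "userPrincipalName": "carol@example.com"},
    ]
})

# Enrollment types that keep the personal/managed separation described above
# (assumed Graph enum values for Apple User Enrollment).
USER_ENROLLMENT_TYPES = {"appleUserEnrollment",
                         "appleUserEnrollmentWithServiceAccount"}
APPLE_MOBILE_OS = {"iOS", "iPadOS"}


def find_byod_without_user_enrollment(response_json: str) -> List[Dict[str, str]]:
    """Return personally owned iOS/iPadOS devices that are NOT on User
    Enrollment, i.e. devices where MDM has access to all data and apps."""
    findings = []
    for device in json.loads(response_json).get("value", []):
        if device.get("operatingSystem") not in APPLE_MOBILE_OS:
            continue                      # not an Apple mobile device
        if device.get("managedDeviceOwnerType") != "personal":
            continue                      # corporate-owned: full MDM is expected
        if device.get("deviceEnrollmentType") in USER_ENROLLMENT_TYPES:
            continue                      # privacy separation is in place
        findings.append({"deviceName": device.get("deviceName", ""),
                         "user": device.get("userPrincipalName", ""),
                         "enrollmentType": device.get("deviceEnrollmentType", "")})
    return findings


if __name__ == "__main__":
    for f in find_byod_without_user_enrollment(SAMPLE_RESPONSE):
        print(f"{f['deviceName']} ({f['user']}) uses {f['enrollmentType']}")
```

On a live tenant the same function can be fed the JSON returned by the Graph managedDevices endpoint; only the device data shown here is constructed.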