IBM Security
Apple has historically supported two enrollment methods: Managed Mode Enrollment (also known as Device Enrollment) and Supervised (DEP / Apple Configurator). The trade-offs between the two made some BYOD policies difficult to implement and could create resistance from users. With the introduction of User Enrollment (UE), the balance between corporate requirements and personal needs is better. Managed Mode Enrollment provided neither full management capabilities (Supervised mode is needed for that) nor full separation of personal and work data, in which an app can work only with personal data or only with work data. In Supervised mode, there was no way for the user to prevent someone with Admin privilege from viewing their personal apps, taking management over those apps, wiping the device fully, or performing other strong actions. Thus, neither management nor privacy objectives were fully achieved. The addition of User Enrollment makes the delineation between fully managed (Supervised) and BYOD (User Enrolled) devices clearer. User Enrollment is supported on iOS 13+ (non-supervised) devices and on macOS 10.15 Catalina and later.
Apple introduced User Enrollment with the iOS 13 release with the goal to increase adoption of BYOD in enterprise deployments. Highlights include:
The three pillars of User Enrollment are:
User Enrollment requires that a Managed Apple ID is associated with each enrolled device. The Managed Apple ID can be created manually by an administrator via Apple Business Manager. To enroll a device with User Enrollment, MaaS360 must deliver an MDM payload (i.e., the payload for configuring Mobile Device Management (MDM) settings, regardless of whether your solution is MDM, enterprise mobility management (EMM) or unified endpoint management (UEM)) with an additional Managed Apple ID key. When the device receives this configuration and the user taps it under the Settings tab to install it, an authentication screen prompts the user to enter the password for the Managed Apple ID.
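The following is an added example, not code from MaaS360 or Apple. It builds a configuration profile whose com.apple.mdm payload carries the Managed Apple ID key described above, serializes it as a plist, and then runs a pre-delivery check that an administrator could use to confirm a profile will actually request User Enrollment rather than a plain Device Enrollment. It assumes the key names `AssignedManagedAppleID` and `EnrollmentMode` (value `BYOD`) as documented in Apple's MDM protocol reference; the URLs, topic, identifiers and the Managed Apple ID are constructed placeholders.

```python
import plistlib
import uuid

# Key names in Apple's com.apple.mdm payload. AssignedManagedAppleID and
# EnrollmentMode are the User Enrollment additions as documented in Apple's
# MDM protocol reference (treated here as an assumption; verify against the
# current reference before relying on this check).
UE_REQUIRED_KEYS = ("AssignedManagedAppleID", "EnrollmentMode")
UE_ENROLLMENT_MODE = "BYOD"


def build_user_enrollment_profile(managed_apple_id, server_url, check_in_url, topic):
    """Return a configuration profile (as a dict) whose single com.apple.mdm
    payload requests User Enrollment for the given Managed Apple ID.
    All identifiers below are illustrative placeholders."""
    mdm_payload = {
        "PayloadType": "com.apple.mdm",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.user-enrollment",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "MDM (User Enrollment)",
        "ServerURL": server_url,
        "CheckInURL": check_in_url,
        "Topic": topic,          # APNs topic of the MDM push certificate
        "AccessRights": 8191,    # illustrative rights bit mask; set per policy
        "AssignedManagedAppleID": managed_apple_id,
        "EnrollmentMode": UE_ENROLLMENT_MODE,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.user-enrollment",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Example Org User Enrollment",
        "PayloadContent": [mdm_payload],
    }


def check_user_enrollment_profile(profile_bytes):
    """Parse a profile plist and return a list of problems that would keep it
    from performing a User Enrollment; an empty list means it passes."""
    problems = []
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception as exc:  # malformed XML or plist
        return [f"profile is not a valid plist: {exc}"]

    mdm_payloads = [
        p for p in profile.get("PayloadContent", [])
        if isinstance(p, dict) and p.get("PayloadType") == "com.apple.mdm"
    ]
    if len(mdm_payloads) != 1:
        return ["profile must contain exactly one com.apple.mdm payload"]
    mdm = mdm_payloads[0]

    # Without the UE keys the profile is an ordinary (Device) MDM enrollment.
    for key in UE_REQUIRED_KEYS:
        if key not in mdm:
            problems.append(f"missing {key} (required for User Enrollment)")
    if mdm.get("EnrollmentMode", UE_ENROLLMENT_MODE) != UE_ENROLLMENT_MODE:
        problems.append(f"EnrollmentMode must be {UE_ENROLLMENT_MODE!r}")
    managed_id = mdm.get("AssignedManagedAppleID")
    if managed_id is not None and "@" not in str(managed_id):
        problems.append("AssignedManagedAppleID does not look like a Managed Apple ID")
    # Enrollment traffic must be TLS-protected; a plain http:// URL is a misconfiguration.
    for url_key in ("ServerURL", "CheckInURL"):
        if not str(mdm.get(url_key, "")).startswith("https://"):
            problems.append(f"{url_key} must be an https:// URL")
    return problems


def demo():
    """Build one correct and one broken profile; return both check results."""
    good = build_user_enrollment_profile(
        managed_apple_id="jane.doe@example.com",         # constructed value
        server_url="https://mdm.example.com/mdm",         # placeholder
        check_in_url="https://mdm.example.com/checkin",   # placeholder
        topic="com.apple.mgmt.External.PLACEHOLDER",      # placeholder topic
    )
    broken = build_user_enrollment_profile(
        "jane.doe@example.com", "http://mdm.example.com/mdm",
        "https://mdm.example.com/checkin", "com.apple.mgmt.External.PLACEHOLDER",
    )
    del broken["PayloadContent"][0]["AssignedManagedAppleID"]
    return (check_user_enrollment_profile(plistlib.dumps(good)),
            check_user_enrollment_profile(plistlib.dumps(broken)))


if __name__ == "__main__":
    ok, bad = demo()
    print("good profile problems:", ok)
    print("broken profile problems:", bad)
```

The check deliberately reports a missing `AssignedManagedAppleID` rather than failing silently, because a profile that lacks it still installs as a regular MDM enrollment, which is the outcome a BYOD rollout is trying to avoid.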
All the work data on User Enrollment mode is stored on a partition fully separated from personal data. This includes:
Un-enrolling a device erases the whole partition.
The current model for Apple MDM enrollment is effective: an MDM administrator can wipe, lock, and heavily restrict access on supervised devices via the Apple Device Enrollment Program (DEP). Additionally, an administrator can retrieve information about installed applications that were not installed by the device management platform, whether MDM or the more robust UEM. For a device enrolled via User Enrollment, these management capabilities are restricted to preserve privacy without sacrificing security. Here are just a few examples of what User Enrollment accomplishes:
User Enrollment mode supports Enterprise apps, web apps and user-assignable VPP apps, whereas normal iTunes apps and device-assignable VPP apps are not supported on a User Enrolled device. The view of personal apps can be restricted if the Privacy setting is enabled: Apple does not provide this feature itself, but MaaS360 can restrict viewing of non-managed apps.
If you have questions or need further help, please contact your IBM account manager or post questions to the Discussion forum of this MaaS360 Community Group.
MaaS360 Knowledge and Content Manager, Matt Shaver, breaks down how to configure User Enrollment in your console to prepare for Apple success: https://community.ibm.com/community/user/security/blogs/matt-shaver1/2020/06/15/ios-user-enrollment-in-maas360 Additionally, register here for the upcoming webinar on June 25th to learn more about how MaaS360 can support User Enrollment and how User Enrollment can be useful in your organization.