IBM Security MaaS360


Apple User Enrollment to Diversify UEM Enrollment Methods

By SAKET AGRAWAL posted Thu June 18, 2020 11:14 AM


Apple has historically supported two enrollment methods: Managed Mode Enrollment (also known as Device Enrollment) and Supervised (DEP / Apple Configurator). The trade-offs between the two made some BYOD policies difficult to implement and could create resistance from users. With the introduction of User Enrollment (UE), the balance between corporate requirements and personal needs is better.

Managed Mode Enrollment did not provide full management capabilities—you need Supervised for that—or full user/work data separation, wherein an app can only work either with personal or work data. In Supervised mode, there was no way for the user to prevent someone with Admin privilege from viewing their personal apps, taking management over those apps, wiping the device fully, or performing other strong actions. Thus, neither management nor privacy objectives were fully achieved.

The addition of User Enrollment makes the delineation between fully managed (Supervised) and BYOD (User Enrolled) devices clearer. User Enrollment is supported on iOS 13+ (non-supervised) and macOS 10.15+ Catalina.

Apple introduced User Enrollment with the iOS 13 release with the goal to increase adoption of BYOD in enterprise deployments. Highlights include: 

  • Separation between Corporate and Personal data
  • Improved UX

The three pillars of User Enrollment are:

  • Leveraging Managed Apple IDs
  • Full Data Separation
  • A better balance between management and privacy

Managed Apple IDs

User Enrollment requires that a Managed Apple ID is associated with each enrolled device. The Managed Apple ID can be created manually by an administrator via Apple Business Manager. To enroll a device with User Enrollment, MaaS360 must deliver an MDM payload (i.e., the payload for configuring Mobile Device Management (MDM) settings, regardless of whether your solution is MDM, enterprise mobility management (EMM) or unified endpoint management (UEM)) that carries an additional key holding the Managed Apple ID. When the device receives this configuration and the user taps it under the Settings tab to install it, an authentication screen is shown in which the user must enter the password for that Managed Apple ID.

Data Separation

All the work data on User Enrollment mode is stored on a partition fully separated from personal data. This includes:

  • App containers
  • Notes
  • iCloud Drive documents
  • Keychain
  • Mail attachments and full email bodies
  • Calendar attachments

Un-enrolling a device erases the whole partition.

Reduced Management in Favor of Privacy

The current model for Apple MDM enrollment is effective—an MDM administrator can wipe, lock, and heavily restrict access on supervised devices via Apple Device Enrollment Program (DEP). Additionally, an administrator can retrieve information about installed applications that were not installed by the device management platform, whether MDM or the more robust UEM. For a device enrolled via User Enrollment, these management capabilities are restricted to preserve privacy while not sacrificing security.

Here are just a few examples of what User Enrollment accomplishes:

  1. MDM and UEM solutions can no longer erase an entire device. Personal data is therefore better protected.
  2. Administrators do not have visibility into the personal side of a device. No personal third-party apps are visible to employers.
  3. The device passcode cannot be cleared with the Unlock Token command. (This change also means that UEM administrators cannot help if a user forgets an enrollment passcode.) As a trade-off, only 6-digit, non-simple passcodes can be enforced.
  4. Supervised Mode restrictions are not applicable for User Enrollment devices.
  5. No serial numbers or UDIDs are used to identify a device; instead a separate “Enrollment ID” is created and used.
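The MDM payload with its extra Managed Apple ID key (described under Managed Apple IDs) and the Enrollment ID / command restrictions listed above, as an added example that is not MaaS360's or Apple's own code: it builds a constructed User Enrollment profile with `plistlib`, detects whether a profile requests User Enrollment, classifies a check-in message by whether the device identifies itself with `EnrollmentID` or `UDID`, and gates the whole-device commands the article says are unavailable. Server URL, topic, UUIDs and the Managed Apple ID are placeholders; the `AccessRights` value is just a sample.

```python
import plistlib

# Constructed sample com.apple.mdm payload for profile-based User Enrollment;
# server URL, topic and UUIDs are placeholders, not MaaS360 values.
UE_MDM_PAYLOAD = {
    "PayloadType": "com.apple.mdm",
    "PayloadIdentifier": "com.example.mdm.ue",
    "PayloadUUID": "D2E1A4F0-0000-4000-8000-000000000001",
    "PayloadVersion": 1,
    "ServerURL": "https://mdm.example.invalid/mdm",
    "Topic": "com.apple.mgmt.External.placeholder-topic",
    "IdentityCertificateUUID": "D2E1A4F0-0000-4000-8000-000000000002",
    "AccessRights": 8191,
    "ManagedAppleID": "jane.doe@example.invalid",  # the extra key that selects UE
}
# Commands the article says are unavailable on a User Enrolled device.
UE_BLOCKED_COMMANDS = {"EraseDevice", "ClearPasscode"}

def build_profile(mdm_payload):
    """Wrap the MDM payload in a top-level profile and return it as XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": mdm_payload["PayloadIdentifier"] + ".profile",
        "PayloadUUID": "D2E1A4F0-0000-4000-8000-000000000003",
        "PayloadVersion": 1,
        "PayloadContent": [mdm_payload],
    }
    return plistlib.dumps(profile)

def is_user_enrollment_profile(profile_bytes):
    """True when the profile's com.apple.mdm payload carries a ManagedAppleID."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mdm":
            return bool(payload.get("ManagedAppleID"))
    return False

def enrollment_identity(checkin):
    """Classify a check-in message: User Enrolled devices send EnrollmentID, not UDID."""
    if "UDID" in checkin:
        return "UDID", checkin["UDID"]
    if "EnrollmentID" in checkin:
        return "EnrollmentID", checkin["EnrollmentID"]
    raise ValueError("check-in message carries neither UDID nor EnrollmentID")

def command_allowed(checkin, request_type):
    """Server-side gate: refuse whole-device commands for User Enrolled devices."""
    kind, _ = enrollment_identity(checkin)
    return not (kind == "EnrollmentID" and request_type in UE_BLOCKED_COMMANDS)
```

A server that applies `command_allowed` before queuing a command fails closed for User Enrolled devices even if an administrator issues a wipe or passcode-clear by mistake.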

Apps Support

User Enrollment mode supports enterprise apps, web apps and user-assignable VPP apps, whereas normal iTunes apps and device-assignable VPP apps are not supported on a User Enrolled device. The view of personal apps can be restricted if the Privacy setting is enabled: Apple does not provide this feature, but MaaS360 can restrict viewing of non-managed apps.

If you have questions or need further help, please contact your IBM account manager or post questions to the Discussion forum of this MaaS360 Community Group.

How to Setup User Enrollment via MaaS360

MaaS360 Knowledge and Content Manager, Matt Shaver, breaks down how to configure User Enrollment in your console to prepare for Apple success:

Additionally, register here for the upcoming webinar on June 25th to learn more about how MaaS360 can support User Enrollment and how User Enrollment can be useful in your organization.