What the heck is Account-driven Apple User Enrollment?

Ye Kyaw Soe (Michael)
4 min read, Jun 14, 2021

In this article, I'll discuss Apple's enrollment method called 'User Enrollment', which can help you support "bring your own device" deployments in your business or enterprise environment.

It was featured at WWDC 2019 and again at WWDC 2021. The fall iOS/iPadOS 15 release will introduce a revamped version of this management mode, called account-driven User Enrollment.

Enjoy!

Apple designed 'User Enrollment' for BYOD (bring your own device) deployments, where the user (you and me), not the organisation or company, owns the device.

What is User Enrollment or account-driven User Enrollment?

User Enrollment was introduced by Apple at WWDC 2019, and a revamped version was announced at WWDC 2021. It's available on iOS, iPadOS and macOS. Instead of managing the entire BYOD device with a mobile device management (MDM) solution (such as AirWatch, Intune etc.), it manages an enterprise user identity on the device in the form of a managed Apple ID.

There are three core components that form the basis of User Enrollment: Managed Apple ID, Data Separation and Management Capabilities.

Screenshot from WWDC2021

Managed Apple ID

In short, this managed Apple ID allows the iOS device to create a new, separate, cryptographically protected APFS volume specific to the managed data of the BYOD user. Any data installed by the MDM vendor is associated with this managed Apple ID. All other personal data (personal apps, photos etc.) stays with the personal Apple ID on the device.

Managed Apple IDs are available through Apple Business Manager and Apple School Manager.

This is mainly designed to keep personal and company data separate by associating a personal Apple ID with personal data and a managed Apple ID with corporate data.

User Enrollment is similar to what Google Android Enterprise has already achieved; they call it 'Work profile'.

Data Separation

During User Enrollment, a managed APFS volume is created. Data from managed apps and accounts is stored securely on this volume, away from personal content. The volume and its cryptographic keys are removed when the user un-enrolls the device.
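To make the data-separation point concrete, here is a small model of it, added for this article and not Apple's code or anything from WWDC: two volumes, each with its own key, and un-enrollment destroying only the managed key. The cipher is a toy SHA-256 counter-mode stream, standing in for the real AES volume encryption, and the `Volume`/`Device` classes and file names are assumptions for the demo. What it shows is the crypto-shredding property the article describes: once the key is gone, any leftover ciphertext from the managed volume is unreadable, while the personal volume is untouched.

```python
import hashlib
import os
from typing import Dict, Optional, Tuple


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode cipher: SHA-256(key || nonce || counter) as keystream.
    Illustrative stand-in for real AES volume encryption; the same call
    decrypts, because XOR is its own inverse."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class Volume:
    """An APFS-like volume (hypothetical model): files are ciphertext at rest,
    the key is held separately and can be destroyed on its own."""

    def __init__(self, label: str) -> None:
        self.label = label
        self.key: Optional[bytes] = os.urandom(32)
        self.files: Dict[str, Tuple[bytes, bytes]] = {}  # path -> (nonce, ciphertext)

    def write(self, path: str, data: bytes) -> None:
        if self.key is None:
            raise PermissionError(f"{self.label}: volume key destroyed")
        nonce = os.urandom(16)
        self.files[path] = (nonce, xor_stream(self.key, nonce, data))

    def read(self, path: str) -> bytes:
        if self.key is None:
            raise PermissionError(f"{self.label}: volume key destroyed")
        nonce, ciphertext = self.files[path]
        return xor_stream(self.key, nonce, ciphertext)

    def destroy_key(self) -> None:
        """Crypto-shred: without the key the stored ciphertext is unrecoverable."""
        self.key = None


class Device:
    """A BYOD device: the personal volume is always present, the managed one
    exists only while the device is user-enrolled."""

    def __init__(self) -> None:
        self.personal = Volume("personal")
        self.managed: Optional[Volume] = None

    def user_enroll(self) -> None:
        # User Enrollment creates a separate volume with its own key for managed data.
        self.managed = Volume("managed")

    def unenroll(self) -> Optional[Volume]:
        # Un-enrolling removes the managed volume and its keys; the personal
        # volume is untouched. The discarded volume is returned only so the
        # demo can show that its leftover ciphertext is useless.
        discarded = self.managed
        if discarded is not None:
            discarded.destroy_key()
        self.managed = None
        return discarded


def demo() -> dict:
    """Walk through enroll, write managed data, un-enroll, and report what survives."""
    device = Device()
    device.personal.write("photos/vacation.jpg", b"personal photo bytes")  # constructed sample
    device.user_enroll()
    device.managed.write("mail/inbox", b"quarterly numbers")  # constructed sample
    assert device.managed.read("mail/inbox") == b"quarterly numbers"

    leftover = device.unenroll()
    try:
        leftover.read("mail/inbox")
        managed_readable = True
    except PermissionError:
        managed_readable = False

    return {
        "personal_intact": device.personal.read("photos/vacation.jpg") == b"personal photo bytes",
        "managed_volume_present": device.managed is not None,
        "managed_readable_after_unenroll": managed_readable,
    }


if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` reports the personal data still readable, no managed volume present, and the old managed data unreadable. The design choice worth noticing is that un-enrollment does not have to find and overwrite every managed file; destroying one key is enough.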

Screenshot from WWDC2021

Management Capabilities

Mostly, this is the additional privacy created by the separation and protection of a user's personal data and the securing of corporate data. I'm sure some of your power users and tech-savvy users will love this.

Screenshot from WWDC2021

Another benefit is that BYOD devices using this enrollment method can now use Apple Watch to unlock their iOS devices with a numeric PIN instead of an alphanumeric passcode.

What are the challenges?

  1. Due to the nature of this enrollment method, the MDM vendor can no longer access any persistent identifiers or any sort of PII associated with the device, including which apps the user has installed. You might say that's a good thing, since you don't want the company to know what you have on your device. However, most companies have on-premise Wi-Fi that checks your mobile device's UDID to verify that the device is enrolled with a company-approved MDM vendor. This will not be possible if you use the 'User Enrollment' method.
  2. You will need to re-enroll your mobile device using the User Enrollment method if it was already enrolled using a different method.
  3. This really depends on your company's security policy, specifically whether 2FA (two-factor authentication) is enforced. If it is, you will need to provide a 2FA token.
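The first challenge is easy to reproduce in a few lines. Below is an added example, not from the article, that models the Wi-Fi check it describes: a network access policy that looks a presented identifier up in the MDM inventory. The inventory records, identifier strings and the `udid_wifi_check`/`enrollment_aware_check` functions are constructed for the demo. The alternative check keys user-enrolled devices on the per-enrollment identifier that Apple's MDM protocol supplies in place of the UDID (the `EnrollmentID`, which the article itself does not mention).

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class EnrollmentRecord:
    """What the MDM server knows about one enrollment (constructed sample)."""
    enrollment_type: str          # "device" (UDID visible) or "user" (User Enrollment)
    udid: Optional[str]           # None under User Enrollment: the MDM never receives it
    enrollment_id: Optional[str]  # per-enrollment identifier Apple supplies instead
    compliant: bool               # passes the MDM's compliance policy


# Constructed inventory; identifiers are placeholders, not real values.
INVENTORY = [
    EnrollmentRecord("device", "UDID-PLACEHOLDER-1", None, True),
    EnrollmentRecord("user", None, "ENROLLMENTID-PLACEHOLDER-2", True),
    EnrollmentRecord("user", None, "ENROLLMENTID-PLACEHOLDER-3", False),
]


def udid_wifi_check(presented_id: str, inventory: Iterable[EnrollmentRecord]) -> str:
    """The legacy rule from the article: the identifier carried in the client's
    MDM-issued certificate must match a UDID in the inventory."""
    for rec in inventory:
        if rec.udid == presented_id:
            return "allow" if rec.compliant else "deny-noncompliant"
    # A user-enrolled device can never satisfy this rule: the MDM has no UDID
    # to index by and none to put in the certificate.
    return "deny-unknown"


def enrollment_aware_check(presented_id: str, inventory: Iterable[EnrollmentRecord]) -> str:
    """Same policy, keyed on whichever identifier the enrollment type exposes."""
    for rec in inventory:
        key = rec.udid if rec.enrollment_type == "device" else rec.enrollment_id
        if key is not None and key == presented_id:
            return "allow" if rec.compliant else "deny-noncompliant"
    return "deny-unknown"


def compare(presented_id: str) -> dict:
    """Show both rules side by side for one client certificate identifier."""
    return {
        "legacy": udid_wifi_check(presented_id, INVENTORY),
        "enrollment_aware": enrollment_aware_check(presented_id, INVENTORY),
    }


if __name__ == "__main__":
    for ident in ("UDID-PLACEHOLDER-1", "ENROLLMENTID-PLACEHOLDER-2", "ENROLLMENTID-PLACEHOLDER-3"):
        print(ident, compare(ident))
```

The legacy rule keeps working for device-enrolled hardware and silently denies every user-enrolled device as "unknown", which is exactly the symptom the article warns about. The fix is not to recover the UDID (the MDM cannot) but to make the access policy accept the identifier the enrollment actually provides, while still enforcing the compliance state.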

What is required to enable User Enrollment?

This is a question for the technical people (your IT team). You will need federated authentication. Remember the managed Apple ID I mentioned earlier? It is an enterprise identity created on behalf of users by Apple Business Manager through federation to an IdP such as Azure AD. You will need to enable it so that your company email address becomes a managed Apple ID.

The rest is just user communication, onboarding and getting clearance from your InfoSec department.

Hope you enjoyed this article. Feel free to reach out to me if you have any queries!

If you want to read more, please go to www.keephustlingtech.com.
