By Jon Xavier

The Apple Developers Conference has come and gone, and with it news of lots of changes to device management in macOS 10.15 Catalina and iOS 13. Apple is overhauling many different systems that will affect Apple admins, but one of the more interesting is the announcement of user enrollment for mobile device management (MDM).

While Apple could probably put a little more effort into naming things (remember user-approved MDM? Are they making this confusing on purpose?), this new type of enrollment is a big deal because it addresses a long-standing weak point of the Apple MDM protocol: Bring Your Own Device, or BYOD.

The perennial BYOD problem in the Apple world has been that management required IT admins to ask for uncomfortable levels of control over devices they didn’t actually own.

Using Apple MDM for BYOD was a bit like demanding the keys to an employee’s house so you can verify it has door locks. Maybe you do have a legitimate reason to care about those locks—that’s where the employee keeps their company laptop when they’re not at work, after all. But it’s so invasive that nobody who values their privacy would agree to it, and there really should be a better way to accomplish the same thing.

Enter user enrollment: the better way.

What is user enrollment?

Essentially, user enrollment offers admins a middle ground between Totally Unmanaged and Real Ultimate Power when a user enrolls their own device in the company’s MDM.

User enrollment gives IT some visibility into device state without the level of surveillance that would spook a device’s owner. Most of the device’s apps and settings stay outside IT’s reach, while an enterprise zone is cordoned off where admins have more control. Rather than exposing the device’s serial number, MAC address, and other hardware identifiers, a user enrollment generates a unique, anonymized device identifier at enrollment time, and that identifier is all the admin gets for inventory purposes.

The announcement also signals wider adoption in Apple Business Manager (ABM) of Managed Apple IDs, which until now ABM has used solely for admin logins.

Managed Apple IDs are a special class of Apple ID owned by an organization rather than by an individual user. In Apple School Manager (ASM), ABM’s education-oriented sister program, admins can issue them to students and teachers for device login and then assign apps from the Volume Purchase Program (VPP) to those users rather than to the device itself. This is how ASM supports lab devices that change hands regularly as students cycle through their classes.

Apple Business Manager can now use Managed Apple IDs the same way, to separate apps owned by the user from those owned by their employer. When a device is user enrolled, the OS creates a separate APFS volume for managed apps. The containers of any apps deployed through VPP are stored on this volume, along with the data they generate: managed mail, contacts, calendar data, data synced from the Managed Apple ID’s iCloud account, keychain items, and any Apple Notes associated with the Managed Apple ID.

Admins can see and manage what’s on this volume, but not the rest of the device. The OS presents everything as a single volume, so nothing changes for the end user. If the device is ever unenrolled, the managed volume is deleted with it: a kind of mini remote wipe that takes the corporate data and leaves everything else alone.

The unique device identifier is also lost on unenrollment: once a device is gone, it’s gone. Even if the user re-enrolls, the device gets a different identifier, so an inventory system cannot tie the new enrollment back to the old record.
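What that identifier model means for the MDM server side is easiest to see in code. The following is an added example, not code from the original article or from Apple: it models an inventory that keys BYOD records on the anonymized identifier alone, retires a record on unenrollment instead of deleting it, and treats a re-enrollment as a brand-new record. It assumes the check-in messages carry the identifier in a key named EnrollmentID and carry no hardware identifiers (as Apple’s user-enrollment check-in messages do); the sample messages, the Topic value and the bookkeeping logic are constructed for illustration.

```python
"""Inventory bookkeeping for user-enrolled (BYOD) devices.

Added example, not from the original article. The check-in messages
below are hand-built plists in the shape of MDM check-in messages
(MessageType Authenticate / TokenUpdate / CheckOut); the server-side
record handling is our own illustration.
"""
import plistlib
from dataclasses import dataclass, field
from typing import Dict, List

# Hardware identity keys a *device* enrollment may report. A user
# enrollment never sends them, so BYOD inventory code must not key on
# them, and their presence means this is not a user enrollment at all.
HARDWARE_KEYS = ("UDID", "SerialNumber", "IMEI", "MEID", "WiFiMAC", "BluetoothMAC")


@dataclass
class ByodRecord:
    enrollment_id: str
    active: bool = True
    events: List[str] = field(default_factory=list)


class ByodInventory:
    """Keys BYOD records on the anonymized EnrollmentID only."""

    def __init__(self) -> None:
        self.records: Dict[str, ByodRecord] = {}

    def handle_checkin(self, message: bytes) -> ByodRecord:
        msg = plistlib.loads(message)
        leaked = [k for k in HARDWARE_KEYS if k in msg]
        if leaked:
            raise ValueError(f"hardware identifiers present, not a user enrollment: {leaked}")
        eid = msg["EnrollmentID"]
        kind = msg["MessageType"]

        if kind == "Authenticate":
            # Every enrollment yields a fresh EnrollmentID, so an Authenticate
            # for an ID we already hold is a protocol error, not "the same
            # device coming back".
            if eid in self.records:
                raise ValueError(f"Authenticate for an existing EnrollmentID {eid}")
            rec = ByodRecord(enrollment_id=eid)
            self.records[eid] = rec
        elif kind in ("TokenUpdate", "CheckOut"):
            rec = self.records[eid]  # KeyError for an unknown ID is the right failure
            if not rec.active:
                raise ValueError(f"message for retired EnrollmentID {eid}")
            if kind == "CheckOut":
                # Unenrollment: the managed volume is gone and this ID will never
                # be seen again. Retire the record rather than deleting it; the
                # audit trail is the only thing that survives unenrollment.
                rec.active = False
        else:
            raise ValueError(f"unsupported MessageType {kind!r}")
        rec.events.append(kind)
        return rec

    def active_ids(self) -> List[str]:
        return sorted(e for e, r in self.records.items() if r.active)


def make_msg(**fields) -> bytes:
    """Serialize a constructed check-in message as a binary plist."""
    return plistlib.dumps(fields)


def rejects_hardware_identity(message: bytes) -> bool:
    """True if a fresh inventory refuses the message (e.g. it leaks a serial)."""
    try:
        ByodInventory().handle_checkin(message)
    except ValueError:
        return True
    return False


def demo() -> ByodInventory:
    """Constructed lifecycle: enroll, token update, unenroll, re-enroll."""
    inv = ByodInventory()
    first = "5B4A3D7C-0F1E-4A2B-9C8D-111111111111"   # constructed EnrollmentID
    second = "9E8D7C6B-5A4F-4E3D-2C1B-222222222222"  # different ID after re-enrollment
    topic = "com.apple.mgmt.example"                  # constructed push topic
    inv.handle_checkin(make_msg(MessageType="Authenticate", EnrollmentID=first, Topic=topic))
    inv.handle_checkin(make_msg(MessageType="TokenUpdate", EnrollmentID=first, Token=b"\x00" * 32))
    inv.handle_checkin(make_msg(MessageType="CheckOut", EnrollmentID=first))
    inv.handle_checkin(make_msg(MessageType="Authenticate", EnrollmentID=second, Topic=topic))
    return inv


if __name__ == "__main__":
    inventory = demo()
    for rec in inventory.records.values():
        print(rec.enrollment_id, "active" if rec.active else "retired", rec.events)
```

The point of the hardware-key guard is that any code path written for device enrollment (asset tags from serial numbers, joins against the MDM vendor’s UDID field) will silently break or, worse, correlate the wrong records when pointed at user enrollments; failing loudly is the safer default.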

What’s included in user-enrolled MDM?

Per Apple, here’s what you can do with user-enrolled MDM devices:

  • Create Managed Apple IDs for users and assign these to devices.
  • Create Managed Apple IDs automatically with federated identity management through Azure Active Directory.
  • Assign app licenses purchased through VPP to Managed Apple IDs, and push those apps to the devices associated with those users.
  • Uninstall managed apps and delete their data.
  • Keep track of BYOD devices in your inventory system through a unique, anonymized identifier generated when the device is user-enrolled.
  • Require a 6-digit passcode on iOS.
  • Push a small number of configuration profiles, mostly account- and credential-related: Wi-Fi, per-app VPN, email, calendars, contacts, keychains, and Exchange/ActiveSync.

And here’s what you can’t do:

  • Retrieve normal device identity data such as the serial number, device identifier (UDID), IMEI, or MAC addresses.
  • See or interact with apps installed through any means other than the user-enrolled MDM. Some of Apple’s native apps, such as Notes, are user-enrollment aware by default: they are visible to admins, and they keep personal data segmented from managed business data.
  • Reset passcodes.
  • Push or enforce most configuration profiles, in particular anything that restricts the user or changes how the device behaves. Some of what is excluded matters from a security and compliance standpoint: passcode enforcement on macOS, encryption, content restrictions, network traffic proxies, media management, and so on. If your policy requires any of these, user enrollment will not satisfy it.
  • Remote lock or remote wipe the device. Unenrolling the device does, however, cause the volume holding managed data to be deleted the next time the device checks in.
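Since a user-enrolled device simply will not take most profiles, it is worth linting a .mobileconfig before deploying it to BYOD devices rather than learning about the rejection from a failed install. The following is an added example, not code from the original article or from Apple. Its allow and deny tables are derived from the two lists above, not from Apple’s authoritative payload matrix, which varies by OS version and should be checked before relying on this; the PayloadType identifiers are the standard ones used in configuration profiles, and the sample profile is constructed. It does not distinguish per-app from device-wide VPN inside a VPN payload.

```python
"""Pre-flight lint of a configuration profile for user-enrolled devices.

Added example, not from the original article. ALLOWED and DENIED are
derived from the can/cannot lists in this article (an assumption, not
Apple's published support matrix); the sample profile is constructed.
"""
import plistlib
from typing import List, Tuple

# Payload types the article says can be pushed to a user-enrolled device.
ALLOWED = {
    "com.apple.wifi.managed": "Wi-Fi",
    "com.apple.vpn.managed": "VPN (per-app)",
    "com.apple.mail.managed": "mail account",
    "com.apple.caldav.account": "calendar account",
    "com.apple.carddav.account": "contacts account",
    "com.apple.eas.account": "Exchange/ActiveSync account",
}
# Payload types the article singles out as unavailable under user enrollment.
DENIED = {
    "com.apple.applicationaccess": "restrictions",
    "com.apple.proxy.http.global": "global HTTP proxy",
    "com.apple.MCX.FileVault2": "FileVault (macOS encryption)",
}
# Passcode policy: the article says a 6-digit passcode can be required on
# iOS but passcode enforcement is not available on macOS.
PASSCODE = "com.apple.mobiledevice.passwordpolicy"


def lint_profile(profile: bytes, platform: str) -> Tuple[List[str], List[str]]:
    """Return (accepted, rejected) findings for each payload in the profile."""
    if platform not in ("ios", "macos"):
        raise ValueError(f"unknown platform {platform!r}")
    doc = plistlib.loads(profile)
    accepted: List[str] = []
    rejected: List[str] = []
    for payload in doc.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<missing PayloadType>")
        ident = payload.get("PayloadIdentifier", "<no identifier>")
        if ptype in ALLOWED:
            accepted.append(f"{ident}: {ALLOWED[ptype]}")
        elif ptype == PASSCODE:
            if platform == "ios":
                accepted.append(f"{ident}: passcode policy (iOS)")
            else:
                rejected.append(f"{ident}: passcode enforcement is not available on macOS user enrollment")
        elif ptype in DENIED:
            rejected.append(f"{ident}: {DENIED[ptype]} cannot be pushed to a user-enrolled device")
        else:
            # Anything outside the short allow list is treated as unsupported
            # until verified against Apple's current documentation.
            rejected.append(f"{ident}: {ptype} is not on the user-enrollment allow list")
    return accepted, rejected


def sample_profile() -> bytes:
    """Constructed profile mixing payloads that will and will not deploy."""
    def payload(ptype: str, ident: str, **extra):
        base = {"PayloadType": ptype, "PayloadIdentifier": ident,
                "PayloadUUID": ident.upper(), "PayloadVersion": 1}
        base.update(extra)
        return base

    doc = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.byod",          # constructed
        "PayloadUUID": "com.example.byod".upper(),
        "PayloadVersion": 1,
        "PayloadContent": [
            payload("com.apple.wifi.managed", "com.example.byod.wifi",
                    SSID_STR="CorpGuest", EncryptionType="WPA", Password="constructed"),
            payload(PASSCODE, "com.example.byod.passcode", minLength=6, forcePIN=True),
            payload("com.apple.applicationaccess", "com.example.byod.restrictions",
                    allowCamera=False),
            payload("com.apple.proxy.http.global", "com.example.byod.proxy",
                    ProxyType="Manual", ProxyServer="proxy.example", ProxyServerPort=8080),
        ],
    }
    return plistlib.dumps(doc)


if __name__ == "__main__":
    for platform in ("ios", "macos"):
        ok, bad = lint_profile(sample_profile(), platform)
        print(platform, "accepted:", ok)
        print(platform, "rejected:", bad)
```

Run against the constructed profile, the Wi-Fi payload passes on both platforms, the passcode payload passes only on iOS, and the restrictions and proxy payloads are rejected everywhere; those last two are exactly the controls a compliance checklist tends to assume, which is the gap the bullet list above is warning about.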

All in all, user enrollment tries to balance the needs of IT and users into a package both can live with. It might not offer everything an admin wants, but if the alternative is not managing the device at all, that’s probably a compromise worth taking.