User Enrollment and MDM
User Enrollment is designed for BYOD—or bring-your-own-device deployments—where the user, not the organization, owns the device. It works with an identity provider (IdP), Google Workspace, or Microsoft Entra ID and Apple School Manager or Apple Business Manager and a third-party MDM solution. It also works with device management in Apple Business Essentials.
The four stages of User Enrollment into MDM are:
Service discovery: The device identifies itself to the MDM solution.
User enrollment: The user provides credentials to an identity provider (IdP) for authorization to enroll in the MDM solution.
Session token: A session token is issued to the device to allow ongoing authentication.
MDM enrollment: The enrollment profile is sent to the device with payloads configured by the MDM administrator.
User Enrollment and Managed Apple Accounts
User Enrollment requires Managed Apple Accounts. These are owned and managed by an organization and provide employees access to certain Apple services. In addition, Managed Apple Accounts:
Are created manually, or automatically using federated authentication
Are integrated with a Student Information System (SIS) or uploading .csv files (Apple School Manager only)
Can also be used to sign in with an assigned role in Apple School Manager, Apple Business Manager, or Apple Business Essentials
When a user removes an enrollment profile, all configuration profiles, their settings, and Managed Apps based on that enrollment profile are removed with it.
User Enrollment is integrated with Managed Apple Accounts to establish a user identity on the device. The user must successfully authenticate for enrollment to be completed. The Managed Apple Account can be used alongside the personal Apple Account that the user has already signed in with; the two don’t interact with each other.
User Enrollment and federated authentication
Although Managed Apple Accounts can be created manually, organizations can take advantage of synchronization with an IdP, Google Workspace, or Microsoft Entra ID and User Enrollment. To do so your organization must first:
Manage user credentials with an IdP, Google Workspace, or Microsoft Entra ID
If you have an on-premise version of Active Directory, additional configuration must be taken to prepare for federated authentication.
Sign up your organization in Apple School Manager, Apple Business Manager, or Apple Business Essentials
Set up federated authentication in Apple School Manager, Apple Business Manager, or Apple Business Essentials
Configure an MDM solution and link it to Apple School Manager, Apple Business Manager, or Apple Business Essentials, or use the device management that’s built right in to Apple Business Essentials
(Optional) Create Managed Apple Accounts
User Enrollment and Managed Apps (macOS)
User Enrollment has added Managed Apps to macOS (this feature was already possible with Device Enrollment and Automated Device Enrollment). Managed Apps that use CloudKit use the Managed Apple Account associated with the MDM enrollment. MDM administrators must add the InstallAsManaged key to the InstallApplication command. Like iOS and iPadOS apps, these apps can be automatically removed when a user unenrolls from MDM.
User Enrollment and per-app networking
In iOS 16, iPadOS 16.1, visionOS 1.1, or later, per-app networking is available for VPN (known as per-app VPN), DNS proxies, and web content filters for devices enrolled with User Enrollment. This means that only network traffic initiated by Managed Apps is passed through the DNS proxy, the web content filter, or both. A user’s personal traffic stays separated and won’t be filtered or proxied by an organization. This is accomplished using new key-value pairs for the following payloads:
How users enroll their personal devices
In iOS 15, iPadOS 15, macOS 14, visionOS 1.1, or later, organizations can use a streamlined User Enrollment process, built right into the Settings app to make it easier for users to enroll their personal devices.
To do this:
On iPhone, iPad, and Apple Vision Pro, the user navigates to Settings > General > VPN & Device Management and then selects the Sign In to Work or School Account button.
On Mac, the user navigates to Settings > Privacy & Security > Profiles and then selects the Sign In to Work or School Account button.
When they enter their Managed Apple Account, service discovery identifies the MDM solution’s enrollment URL.
The user then enters their organization user name and password. After the organization’s authentication succeeds, the enrollment profile is sent to the device. A session token is also issued to the device to allow ongoing authorization. The device then begins the enrollment process, and prompts the user to sign in with their Managed Apple Account. On iPhone, iPad, and Apple Vision Pro, the authentication process can be streamlined by using enrollment single sign-on to reduce repeated authentication prompts.
When enrollment is complete, the new managed account is displayed prominently within the Settings app (iPhone, iPad, and Apple Vision Pro) and System Settings (Mac). This allows users to still access files in their personal Apple Account-created iCloud Drive. The iCloud Drive for the organization (associated with the user’s Managed Apple Account) appears separately in the Files app.
On iPhone, iPad, and Apple Vision Pro, Managed Apps and managed web-based documents all have access to the organization’s iCloud Drive, and the MDM administrator can help keep specific personal and organizational documents separate by using specific restrictions. For more information, see Managed App restrictions and capabilities.
Users can see details about what is being managed on their personal device and how much iCloud storage space is provided by their organization. Because the user owns the device, User Enrollment can apply only a limited set of payloads and restrictions to it. For more information, see User Enrollment MDM information.
How Apple separates user data from organization data
When User Enrollment is complete, separate encryption keys are automatically created on the device. If the device gets unenrolled by the user or remotely using MDM, those encryption keys are securely destroyed. The keys are being used to cryptographically separate the managed data listed below:
App data containers: iPhone, iPad, Mac, and Apple Vision Pro
Calendar: iPhone, iPad, Mac, and Apple Vision Pro
Devices must use iOS 16, iPadOS 16.1, macOS 13, visionOS 1.1, or later.
Keychain items: iPhone, iPad, Mac, and Apple Vision Pro
Note: The third-party Mac app must use the data protection keychain API. For more information, see the Apple Developer documentation kSecUseDataProtectionKeychain.
Mail attachments and body of the mail message: iPhone, iPad, Mac, and Apple Vision Pro
Notes: iPhone, iPad, Mac, and Apple Vision Pro
Reminders: iPhone, iPad, Mac, and Apple Vision Pro
Devices must use iOS 17, iPadOS 17, macOS 14, visionOS 1.1, or later.
If a user is signed in with a personal Apple Account and Managed Apple Account, Sign in with Apple automatically uses the Managed Apple Account for Managed Apps and the personal Apple Account for unmanaged apps. When using a sign-in flow in Safari or SafariWebView within a managed app, the user can select and enter their Managed Apple Account to associate the sign-in with their work account.
System administrators can manage only an organization’s accounts, settings, and information provisioned with MDM, never a user’s personal account. In fact, the same features that keep data secure in organization-owned Managed Apps also protect a user’s personal content from entering the corporate data stream.
MDM can | MDM can’t |
|---|---|
Configure accounts | See personal information, usage data or logs |
Access inventory of Managed Apps | Access inventory of personal apps |
Remove managed data only | Remove any personal data |
Install and configure apps | Take over management of a personal app |
Require a passcode | Require a complex passcode or password |
Enforce certain restrictions | Access device location |
Configure per-app VPN | Access unique device identifiers |
| Remotely wipe the entire device |
| Manage Activation Lock |
| Access roaming status |
| Turn on Lost Mode |
Note: For iPhone and iPad, administrators can require passcodes with a minimum of six characters and prevent users from using simple passcodes (for example, “123456” or “abcdef”) but can’t require complex characters or passwords.