User Enrollment with Apple Business Manager
Apple Business Manager is a place for IT teams to automate device deployment, purchase and distribute content, and manage roles in their organizations. Apple Business Manager implements User Enrollment – an enrollment option designed for companies implementing BYOD (Bring Your Own Device). User Enrollment is a modified version of the MDM protocol with a much greater focus on user privacy, implemented with a level of security that enterprises need.
User Enrollment allows the administrator to:
- Install and remove managed applications
- Install and remove network configurations
- Install a partial VPN scoped to managed apps and accounts
- Require the usage of a password
User Enrollment registration is supported on [email protected]. When the administrator assigns the device user to User Enrollment mode, the In-App registration downloads the User Enrollment Profile to the device.
User Enrollment applies to unsupervised devices running iOS 13.0 through the latest version supported by MobileIron. Devices below iOS 13.0 are treated as “device enrollment” regardless of whether the device user has been enabled for User Enrollment. User Enrollment relies on the user’s Managed Apple ID, which is required and is associated with all enterprise apps and data on the device and in MobileIron Core.
Difference between standard MDM enrollment and User Enrollment
This section addresses the difference between standard MDM enrollment and User Enrollment with Apple Business Manager.
Standard MDM enrollment
Below is what a Core server can do in a standard MDM enrollment but cannot do in User Enrollment mode on iOS 13.0. In User Enrollment, the MDM server:
- Cannot erase the device.
- Does not see the personal apps the device user has installed on the device.
- Cannot convert user-installed apps into MDM-managed apps.
- Cannot clear the device passcode (i.e. unlock the device).
- Cannot set a long, complex device passcode requirement.
- Cannot configure a device-wide VPN or Wi-Fi proxy, nor can it do any management of the cellular functionality.
- Cannot see device identifiers like the UDID, serial number, or IMEI.
- Cannot apply many device-wide restrictions (such as restricting the app content rating), block iCloud, or apply any of the supervised restrictions.
NOTE:
When retiring and re-registering devices from Core, devices are registered as Standard MDM.
User Enrollment with Apple Business Manager
In User Enrollment, the MDM server can still do everything needed to manage enterprise apps, accounts, and data.
User Enrollment can:
- Install in-house apps or apps via user-based (Apple) Apps & Books licenses
- Enforce passcode payload settings:
  - allowSimple = false
  - forcePIN = true
  - minLength = 6
- Query data related to enterprise-managed apps, certificates, and profiles
- Configure a per-app VPN for apps, mail, contacts, and calendars that have been installed by MDM
- Enforce some restrictions, like managed open in, managed contacts, managed data on the lock screen, and several others
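The following is an added example, not MobileIron Core code or an Apple-provided tool. It builds the passcode payload the list above describes (PayloadType `com.apple.mobiledevice.passwordpolicy` with `allowSimple`, `forcePIN` and `minLength`) as a `.mobileconfig` plist, refuses any passcode key the page does not list as enforceable under User Enrollment, and adds a pre-queue guard that blocks the `EraseDevice` and `ClearPasscode` MDM commands for a user-enrolled device, since the earlier section states the server cannot erase the device or clear its passcode in that mode. The enrollment-type labels, the `com.example` identifiers and the organization name are constructed for the example.

```python
import plistlib
import uuid

# Passcode keys the page lists as enforceable under User Enrollment.
USER_ENROLLMENT_PASSCODE_KEYS = {"allowSimple", "forcePIN", "minLength"}

# MDM RequestType values the page says cannot succeed on a user-enrolled
# device (erase the device, clear the passcode).
UNSUPPORTED_IN_USER_ENROLLMENT = {"EraseDevice", "ClearPasscode"}

# Constructed enrollment-type labels used by the guard below (assumption,
# not Core's own field names).
USER_ENROLLMENT = "UserEnrollment"
DEVICE_ENROLLMENT = "DeviceEnrollment"


def build_passcode_profile(settings, organization="Example Corp"):
    """Return a configuration profile dict holding one passcode payload.

    Raises ValueError when a key outside the User Enrollment set is requested,
    so an administrator learns at authoring time that the setting will be
    silently ignored by a user-enrolled device.
    """
    extra = set(settings) - USER_ENROLLMENT_PASSCODE_KEYS
    if extra:
        raise ValueError(f"not enforceable under User Enrollment: {sorted(extra)}")
    payload = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.passcode",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        **settings,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.passcode",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "User Enrollment passcode policy",
        "PayloadOrganization": organization,
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile):
    """Serialize the profile dict to XML plist bytes (the .mobileconfig body)."""
    return plistlib.dumps(profile)


def passcode_settings_from_mobileconfig(data):
    """Parse a .mobileconfig and return the passcode payload's settings only."""
    profile = plistlib.loads(data)
    for payload in profile["PayloadContent"]:
        if payload["PayloadType"] == "com.apple.mobiledevice.passwordpolicy":
            return {k: v for k, v in payload.items() if not k.startswith("Payload")}
    return {}


def command_allowed(enrollment_type, request_type):
    """Gate an MDM command by enrollment mode before it is queued.

    The user portal may still offer wipe and unlock for a user-enrolled
    device; this check keeps the server from queuing a command that the
    device will not honor.
    """
    if enrollment_type == USER_ENROLLMENT and request_type in UNSUPPORTED_IN_USER_ENROLLMENT:
        return False
    return True


if __name__ == "__main__":
    profile = build_passcode_profile({"allowSimple": False, "forcePIN": True, "minLength": 6})
    blob = to_mobileconfig(profile)
    print(passcode_settings_from_mobileconfig(blob))
    print(command_allowed(USER_ENROLLMENT, "EraseDevice"))
```

The round trip through `plistlib` matters because a hand-edited profile that mis-types a key (for example `minlength`) would be accepted by the device and simply not enforced; validating the key set before serialization catches that class of mistake.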
Enterprise data is stored in a separate Apple File System (APFS) volume, which is created at enrollment, and encrypted separately from device user data. This volume contains data stored by managed apps; enterprise Notes; enterprise iCloud Drive docs; enterprise Keychain entries; managed mail attachments and bodies; and calendar attachments. Un-enrolling from MDM destroys the volume and the keys.
The final requirement of User Enrollment is the user’s managed Apple ID that must be associated with all enterprise apps and data on the device and in iCloud Drive. Managed Apple IDs were first utilized by Apple School Manager and are now utilized by Apple Business Manager for User Enrollment.
A third-party app can be either a personal app or an app managed through Core, never both. The MDM service cannot start managing an app that the device user has already installed; in that case the administrator must ask the device user to delete the personal copy before the app is installed through MDM. However, some system apps, such as Notes and Files, support both work and personal accounts.
Difference between User Enrollment and Device Enrollment
This section covers the difference between User Enrollment and device enrollment. User Enrollment applies to devices iOS 13.0 and macOS 10.15 through the latest version as supported by MobileIron.
Devices below iOS 13.0 are treated as “device enrollment” regardless of whether the device user has been enabled for User Enrollment.
NOTE:
User Enrollment for Apple Business Manager does not allow for wipe or unlock. However, the user portal will still have those options available even though they will not work.
Table 1. User Enrollment vs Device Enrollment

| Functionality | User Enrollment | MAM | Device Enrollment | DEP |
|---|---|---|---|---|
| Erase the device and see user’s personal apps | No | No | Yes | Yes |
| Convert managed to unmanaged or vice versa | No | No | Yes | Yes |
| Clear device passcode, configure device-wide VPN or Wi-Fi proxy, or manage cellular functionality | No | No | Yes | Yes |
| See device identifiers like serial number, IMEI | No | No | Yes | Yes |
| Apply supervised restrictions | No | No | Yes* | Yes |
| Can install and configure apps and accounts | Yes | Yes | Yes | Yes |
| Can configure a per-app VPN for apps, mail, contacts, and calendars that have been installed by MDM | Yes | No | Yes | Yes |
| Can enforce some restrictions, like managed open in, managed contacts, managed data on the lock screen, and several others | Yes | No | Yes | Yes |
| Can query data related to enterprise-managed apps, certificates, and profiles | Yes | No | Yes | Yes |
NOTE:
* The “Apply supervised restrictions” option works for Device Enrollment only if the device is supervised using Apple Configurator; otherwise it is unsupported.
Requirements for enabling User Enrollment
Below are the requirements for enabling User Enrollment:
- An Apple Business Manager account
- Managed Apple ID – a Managed Apple ID to be associated with each enrolled device. This Managed Apple ID provides authentication for MDM management and app licensing. When the MDM pushes down apps and media, the necessary Apple licenses are assigned to the Managed Apple ID associated with the device.
- Device users who are synced to LDAP must be assigned to a device management role and associated with a Managed Apple ID.
Next steps
Connecting Core to Apple Business Manager