User Enrollment is finally here with the release of Apple iOS 13.1. SOTI customers running SOTI MobiControl 14.4.3 or newer automatically gain support for this new capability. In this blog, we provide an overview of what User Enrollment is and how to prepare for it.
User Enrollment is a new type of Mobile Device Management (MDM)/Enterprise Mobility Management (EMM) enrollment designed for BYOD organizations. It secures company apps and accounts while keeping the employee's personal information private: the EMM server no longer receives personally identifiable information (PII) about the employee's personal apps or device. User Enrollment also creates a separate, cryptographically isolated managed volume on the device that keeps work accounts and apps apart from personal accounts and apps. When the employee or the IT admin unenrolls the device, the managed volume and its cryptographic keys are destroyed, so no trace of company data, apps or corporate passwords remains on the device.

User Enrollment also requires users to sign in with a Managed Apple ID, which is distinct from the user's personal Apple ID. Each Managed Apple ID has its own iCloud account that backs up managed app and account data, and that account is accessible on any device the employee has enrolled into the EMM server via User Enrollment.
How are businesses impacted?
For an organization's employees to take advantage of User Enrollment, Apple device administrators must create Managed Apple IDs in Apple School Manager or Apple Business Manager. To simplify the process, Apple introduced the ability to create these IDs automatically through integration with Azure AD. This integration lets organizations federate authentication so employees can enroll their devices with their corporate credentials. For authentication via on-premises AD or another Identity Provider (IdP), employees must first provide their AD/IdP credentials and then their Managed Apple ID to complete enrollment.
User Enrollment restricts the type of information, configurations and actions that are available to Apple device administrators. These restrictions include:
- EMM servers can no longer read the device’s Unique Device Identifier (UDID), serial number, IMEI or MAC address;
- EMM servers can no longer read the list of personal apps installed on the device;
- EMM servers can no longer change unmanaged/personal apps into managed/corporate apps;
- EMM servers can no longer wipe the device;
- EMM servers can no longer set a passcode policy more complex than a 6-digit, non-simple passcode;
- EMM servers can no longer clear the device passcode;
- Per-app VPN carries only corporate-domain traffic;
- Logging profiles for troubleshooting can no longer be installed by the EMM server and must be installed by the user;
- EMM servers can no longer restrict the user's personal apps or content, for example by applying ratings restrictions or by preventing backups of unmanaged app and account data to personal iCloud accounts.
Note: Devices enrolled into an EMM solution before iOS 13.1 retain all existing management capabilities after they upgrade to iOS 13.1. To gain the privacy and protection offered by User Enrollment, such devices must be unenrolled and re-enrolled via User Enrollment.
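Because existing profiles and server-side command queues were written for device enrollment, it is worth linting them against the restriction list above before re-enrolling a fleet via User Enrollment. The following is an added example (not SOTI's or Apple's code) that reads a .mobileconfig profile with Python's plistlib and checks MDM command dictionaries for settings and requests that User Enrollment will not honor. The payload types (`com.apple.mobiledevice.passwordpolicy`, `com.apple.applicationaccess`), the Passcode and Restrictions keys, and the MDM `RequestType`/`Queries` names are Apple's standard configuration-profile and MDM-protocol identifiers; the mapping of each to "not honored under User Enrollment" follows the list in this post, and the sample profile and commands are constructed for the example.

```python
"""Lint MDM profiles and commands against iOS 13.1 User Enrollment limits.

Added example, not part of the original post. The classification of each
key/command follows the restriction list in the post; payload and command
names are Apple's standard identifiers.
"""
import plistlib

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"

# Restrictions keys that only govern personal content (ratings, personal
# iCloud backup). The post says an EMM can no longer enforce these.
PERSONAL_CONTENT_KEYS = {"ratingApps", "ratingMovies", "ratingTVShows",
                         "allowCloudBackup"}

# Commands the post says are unavailable outright under User Enrollment.
BLOCKED_COMMANDS = {"EraseDevice", "ClearPasscode"}

# DeviceInformation queries for hardware identifiers that are no longer
# returned (UDID, serial number, IMEI, MAC addresses).
HIDDEN_IDENTIFIERS = {"UDID", "SerialNumber", "IMEI", "WiFiMAC", "BluetoothMAC"}


def lint_passcode(payload):
    """Return (key, value) pairs that exceed the User Enrollment ceiling of a
    6-digit, non-simple passcode. A policy within that ceiling returns []."""
    findings = []
    if payload.get("minLength", 0) > 6:
        findings.append(("minLength", payload["minLength"]))
    if payload.get("requireAlphanumeric", False):
        findings.append(("requireAlphanumeric", True))
    if payload.get("minComplexChars", 0) > 0:
        findings.append(("minComplexChars", payload["minComplexChars"]))
    return findings


def lint_profile(plist_bytes):
    """Parse a .mobileconfig (XML or binary plist) and return
    (payload_type, key, value) triples the device will not enforce."""
    profile = plistlib.loads(plist_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == PASSCODE_PAYLOAD:
            findings += [(ptype, k, v) for k, v in lint_passcode(payload)]
        elif ptype == RESTRICTIONS_PAYLOAD:
            for key in sorted(PERSONAL_CONTENT_KEYS & set(payload)):
                findings.append((ptype, key, payload[key]))
    return findings


def lint_command(command):
    """Flag an MDM command dict (the 'Command' dictionary of a push) whose
    effect changes or disappears on a User Enrollment device."""
    request = command.get("RequestType", "")
    if request in BLOCKED_COMMANDS:
        return [(request, "command unavailable under User Enrollment")]
    if request == "DeviceInformation":
        hidden = sorted(HIDDEN_IDENTIFIERS & set(command.get("Queries", [])))
        return [(request, f"query not answered: {q}") for q in hidden]
    if request == "InstalledApplicationList":
        return [(request, "only managed apps are listed")]
    return []


# Constructed sample profile: a typical pre-13.1 BYOD policy that demands an
# 8-character alphanumeric passcode and locks down personal content.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.byod",  # hypothetical identifier
    "PayloadContent": [
        {"PayloadType": PASSCODE_PAYLOAD,
         "PayloadIdentifier": "com.example.byod.passcode",
         "allowSimple": False, "minLength": 8,
         "requireAlphanumeric": True, "maxFailedAttempts": 10},
        {"PayloadType": RESTRICTIONS_PAYLOAD,
         "PayloadIdentifier": "com.example.byod.restrictions",
         "allowCloudBackup": False, "ratingMovies": 300, "allowCamera": True},
    ],
})

# Constructed sample of a server's command queue.
SAMPLE_COMMANDS = [
    {"RequestType": "DeviceInformation",
     "Queries": ["DeviceName", "UDID", "SerialNumber", "OSVersion"]},
    {"RequestType": "EraseDevice"},
    {"RequestType": "InstalledApplicationList"},
    {"RequestType": "ProfileList"},
]

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print("profile:", finding)
    for cmd in SAMPLE_COMMANDS:
        for finding in lint_command(cmd):
            print("command:", finding)
```

Run against the sample, the linter reports the 8-character alphanumeric passcode requirement, the personal iCloud backup and movie-rating restrictions, the UDID and serial-number queries, the erase command, and the fact that the app inventory will be reduced to managed apps. Anything it reports is a policy your EMM will silently stop enforcing once the device is re-enrolled via User Enrollment, so it should be reviewed with the security team rather than carried over unchanged.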
To learn more about SOTI’s management of iOS devices, visit SOTI’s Apple management site.
Want to get more out of iOS 13? Sign up for a trial of the SOTI ONE Platform and discover how you can secure and manage your iOS devices more efficiently, remotely support them wherever they are, and build apps for them in minutes.