How to Boost Enrollment of iOS and macOS Endpoints for Remote Workers

“Stay home” directives driven by the COVID-19 pandemic have forced enterprises to implement large-scale remote work initiatives. And while many organizations have responded relatively quickly with minimal interruption to business, others have found this drastic change a much larger pill to swallow.

Organizations that have been the least affected by the COVID-19 directives typically have one or both of the following in common:

  1. They already had flexible policies in place to support remote workers.
  2. The mobile devices their employees use for work are corporate-owned, business-only (COBO) or corporate-owned, personally enabled (COPE), both of which imply that the employee should expect little, if any, privacy on the device.

Either way, these organizations had already established the foundation necessary to “turn on a dime” and get their employees working from their homes without missing a beat.

What about organizations that had not yet rolled out a comprehensive remote work initiative by the time COVID-19 directives were issued? Many of them continue to struggle to support a wide variety of employee workflows while ensuring sufficient levels of enterprise security and user privacy. Why? Because an organization that had not yet fully embraced remote work is now more likely to be relying on the willingness of employees to use their personal devices for work, also known as bring your own device (BYOD). And when it comes to BYOD initiatives, some employees are less open than others to sharing space on their personal devices with their employers. Concerns over privacy are often a deal breaker.

The good news is that today, Apple and MobileIron provide several different ways in which remote employees can enroll their personal iOS and macOS devices to gain access to all of the resources required to support their daily workflows, while at the same time easing privacy concerns and ensuring sufficient levels of security for the organization. The remainder of this blog will discuss three key BYOD enrollment methods for iOS and macOS devices, including how they work and key considerations from both the admin and user perspectives.


What are the BYOD enrollment options for iOS and macOS today?

With iOS 13 and macOS Catalina, you now have more options for enrolling employee-owned Apple devices into your BYOD security program. Here are a few ways you can do that today:


BYOD iOS and macOS Device Enrollment (using the MobileIron app)

This enrollment option can be used to onboard employee-owned devices that are enabled for work. To enroll devices in a BYOD program, users first register their personal devices through the MobileIron app or the registration web page. The MobileIron app for iOS is available from the iOS App Store, and the MobileIron app for macOS is available as an offline app. For Macs, web-page based registration is recommended; the MobileIron app for macOS can then be pushed silently after the device is enrolled. Upon enrollment, a profile is pushed to the device to configure settings for company email, apps, and security. Although this allows IT to administer secure business apps, admins do not get controls such as clear passcode, clear activation lock, or granular system settings that can be pushed over the air. However, IT can still view all of the apps on the device. This level of IT visibility is one of the main reasons employees may hesitate to enroll their devices in a BYOD program.


BYOD User Enrollment from Apple

User Enrollment is Apple’s effort to boost BYOD solutions with improved privacy features while still allowing IT to support seamless app distribution, VPN, and single sign-on (SSO) on employee-owned devices. When a user enrolls the device, iOS/macOS creates a separately managed APFS volume that uses separate cryptographic keys. It essentially creates two distinct volumes for work apps and personal apps. When the user retires the device, iOS/macOS destroys the cryptographic keys and the volume. This removes all of the business data from the device without interfering with the user’s personal apps or data.

Although User Enrollment should help alleviate some user concerns about privacy, it still requires a profile to be downloaded and installed, which some users may not like. To address this concern, MobileIron offers another enrollment option — MobileIron AppStation — that does not require MDM profiles and only applies to iOS devices.


MobileIron AppStation enrollment

AppStation is a mobile application management (MAM) solution that enables IT to make business apps available on contractor and employee devices. AppStation is designed for situations where it may not be ideal to fully control device settings by installing profiles. For example, a doctor may contract with hospital “A” in the morning and hospital “B” in the afternoon. In this case, it’s not practical for the doctor to carry two separate work devices, nor is it feasible to expect the doctor to retire and re-enroll each device every time he switches hospitals.

Instead, MobileIron AppStation can protect hospital A’s apps and data inside a secure container on the device. This prevents hospital B’s unmanaged apps or data from accessing them. Even if hospital B uses a similar app container solution, apps and data from hospitals A and B will still remain separate and secure on the device. AppStation also works in similar use cases that require short-term employees or contractors to access business apps from their personal devices without installing a profile.


Automated Device Enrollment with Apple Business Manager (ABM)

This device enrollment option is not strictly for BYOD, but it can be applied to corporate-owned, personally enabled (COPE) iOS and macOS devices. Automated Device Enrollment gives IT a wide range of controls, such as device wipe, clear passcode, clear activation lock, set/clear a lock passcode, dictate passcode strength, tweak granular phone settings, and deploy proxy controls. Admins also have visibility into all of the apps on the device, including personal apps. The admin can take over management of an app, remove apps from the device, and much more. So while Automated Device Enrollment technically enables devices for personal use, it doesn’t offer much in the way of privacy features for BYOD programs.

As you can see, there are several iOS and macOS BYOD enrollment options that can enable organizations to meet both the security and manageability needs of admins, while also ensuring privacy for employees. Would you like to learn even more about BYOD enrollment options made available via MobileIron and Apple? If so, I’d like to invite you to register for MobileIron’s upcoming webinar:

How to Automate Enrollment of iOS and macOS Endpoints for Remote Workers

Thur, April 16, 2020
8 am - 8:45am PT
45 Minutes

Unable to attend the LIVE webinar? No worries! Go ahead and register. We will send you a link to the webinar recording so that you can watch on-demand.


Tohsheen Bazaz

Lead Technical Marketing Engineer

About the author

Tohsheen is a member of the MobileIron Technical Marketing team and focuses on Apple products. Identity and security are areas that interest him. Tohsheen has over seven years of industry experience in the field of security and networking.