iOS 13 User Enrollment: What you need to know

iOS 13, the latest version of Apple iOS, introduces many new features designed for the enterprise. Of all these capabilities, the new User Enrollment feature will probably generate the most enterprise buzz. Like MobileIron, Apple has always made protecting personal privacy a top priority, and the new User Enrollment feature is another way Apple is addressing customer concerns about the safety of their personal data on mobile devices.

Now you might be wondering: What is User Enrollment and will it affect how you onboard devices today? Answering that question depends on understanding Apple Device Enrollment and how the three core components of User Enrollment will change how that method works.

Apple Device Enrollment: A short history

Not long ago, Apple revolutionized device onboarding through the Device Enrollment Program (DEP), now referred to as Apple Business Manager (ABM). Although it was a quick way to automatically enroll and manage institutionally owned devices, it wasn’t a good option for BYOD enrollment because it only applied to devices purchased and controlled by IT.

To enroll devices in BYOD programs, Apple provided a method to onboard devices through a unified endpoint management (UEM) solution. This method, known as Device Enrollment, required users to first register their personal devices in UEM, and then pushed a profile to the device to configure settings for company email, apps, and security. IT maintained some control over app security and could see which apps were installed on the device, including personal apps. This level of visibility deterred some users from enrolling their devices in BYOD programs because they didn't trust IT enough to give admins any visibility into, or control over, their personal apps.

(Note that although admins could see personal apps and location data, and also wipe phones and tablets set up through Device Enrollment, MobileIron provides an option to prevent admins from collecting personal app and location data or wiping employee-owned devices.)

So what’s new about User Enrollment in iOS 13?

User Enrollment is basically Apple’s attempt to give BYOD users more peace of mind when using their own devices for work. It accomplishes this in three key ways:

  1. Cryptographic separation of personal and work data
    With the new User Enrollment capability, iOS 13 and macOS Catalina can now separate an individual’s personal and work information on the same Apple device. Devices that are set up through User Enrollment have a separately managed APFS volume, which also uses separate cryptographic keys. In short, this provides completely distinct spaces for personal and business identities on the same device.

    User Enrollment will make BYOD solutions more compelling for users who would otherwise insist on carrying two devices, or who have concerns about IT's footprint on the device. The technology alone will not increase BYOD participation, however. Companies will still need to do some heavy lifting to educate users about the privacy advantages of User Enrollment.
  2. Managed Apple ID
    Apple introduced the concept of Managed Apple IDs for the education sector through Apple School Manager (ASM). In Fall 2019, Apple aims to bring the same concept to customers via Apple Business Manager (ABM). (Side note: Apple announced that the legacy DEP portal will be discontinued by the end of 2019, so if you haven’t transitioned to ABM by now, you should do it very soon.)

    Managed Apple IDs are Apple IDs that are tied to a user’s corporate email ID and are required for User Enrollment. But that’s not all you need. If you want to federate identities, User Enrollment only works with Azure Active Directory (Azure AD) today. By syncing your corporate users between Azure AD and ABM, admins allow Apple to identify users with verified Apple IDs while still handling authentication through Azure AD. This eliminates the need to maintain separate user passwords between ABM and Azure AD.

    This means if you are not using Azure AD but want to onboard Apple devices through User Enrollment, you will have to manually create users in ABM and painstakingly manage the passwords of those users on ABM. If, like me, you can’t imagine taking on that massive task, I would wait for User Enrollment to become available with other directory sources to make your life easier.
  3. Limited set of device-wide management capabilities
    In iOS 13, User Enrollment limits how much control IT admins have over the device. For instance, IT cannot configure a device-wide VPN or Wi-Fi proxy, view device identifiers like the UDID and IMEI, remotely unlock a device with a PIN, or apply device-wide restrictions, apart from managed "open-in" and a few other rules that apply only to corporate apps and data.

The good news is that User Enrollment is just one option for onboarding Apple devices. While much has been made of its privacy capabilities, remember that MobileIron has always made it possible to separate personal and work apps and data for BYOD users.

To learn more about BYOD, check out this blog: "Boosting BYOD enrollment: It's all about user privacy."

Watch the webinar here to learn more about iOS 13 and macOS Catalina on mobile device management.

Tohsheen Bazaz

Lead Technical Marketing Engineer

About the author

Tohsheen is a member of the MobileIron Technical Marketing team and focuses on Apple products. Identity and security are areas that interest him. Tohsheen has over seven years of industry experience in the field of security and networking.