Does Apple really care for BYOD?

Brendon Baxter

Oct 27, 2022

7 min read

The 2019 Apple WWDC conference was indeed eventful, as Apple unveiled many brand-new features in the space of device management. “User Enrollment” for Apple devices stood out among almost all the other features. In principle, it was a fresh way to deploy Apple devices in an organization.

Until the introduction of User Enrollment, Apple had mainly three enrollment options: Automated Device enrollment, User-approved enrollment, and Enrollment via Apple Configurator 2. The IT staff will have complete control over every work gadget if they use any of these enrollment options. In addition to these enrollment methods, Apple also offered a tool called Supervision, which gave IT administrators more control over managed Apple devices.

Explore Apple device management with Hexnode
However, all of these enrollment methods had the minor drawback that they were only appropriate for devices owned by the company. But what about the BYOD bunch? How will companies manage employees using their own devices for work? User Enrollment was Apple’s answer to these questions. User enrollment not only separates personal data from work data but also ensures the safety of the corporate data, irrespective of the security structure of the device.

Containerization and BYOD

Containerization is the separation of work data and personal data into two different storage volumes or “containers” in the same device. Containerization has two main objectives; one is to ensure the employee’s data privacy and the other is to secure the corporate data.

BYOD and containerization are like two sides of the same coin. BYOD can’t work smoothly if there is no containerization in place and vice versa. When using a personal device for work, there has to be a clear distinction between personal and work data.

How does containerization work with Apple User Enrollment?

User enrollment mainly relies on Managed Apple ID to create the separation between work data and personal data. Just like a normal Apple ID, Managed Apple IDs also let users sign into Apple devices and services.

Managed Apple IDs are maintained by the organization and the organization is in complete control of these IDs. IT can even perform management actions on this ID using Apple Business/School Manager (ABM or ASM).

During the enrollment process, a separate container or storage volume called the Apple File System (APFS) volume is created on the device. The Managed Apple ID gives access to this volume. The organization has full control over this volume and it is essentially a virtual hard drive with its own encryption.

The APFS volume stores all of the organization’s data, including:

  • Managed apps and app data
  • Managed mail, contacts, and calendar data
  • iCloud drive downloaded and cached data
  • Apple Notes data associated with the Managed Apple ID

When the employee leaves the company, the device is unenrolled and the volume is deleted from the device.

Requirements for User Enrollment

Some of the primary requirements to enroll iOS devices to any device management portal using User Enrollment are:

  • Configure the APNs certificate on the device management portal.
  • Your organization needs to be enrolled in Apple Business Manager.
  • Managed Apple IDs to authenticate the user for device management.
  • Ensure that the device is unsupervised and running iOS 13.0+ or iPadOS 13.1+.
  • Ensure that the Safari browser in your iOS/iPadOS device is in Mobile View to download the User Enrollment profile.
  • If Safari is in Desktop Site View, only the Device Enrollment profile can be downloaded.

User Enrollment and BYOD: Why is it good for your business?

As we previously saw, User Enrollment is specifically designed to meet the BYOD requirements for Apple devices in the enterprise. For various reasons, many businesses support utilizing personal devices for work. First off, if a business encourages BYOD, it may spend much less on buying business devices. Employees not having to spend additional time adjusting to a new device and operating system is another benefit. The next thing is that BYOD makes remote work more fluid since employees feel more comfortable using their devices when not in the office.

Corporate data security is generally not an issue with User Enrollment because the APFS volume is a different entity and can be protected with encryption and other security features. The sole drawback of User Enrollment is that the management functions are constrained, and the device management solution won’t have complete control over the device. However, since the devices belong to the employees and the corporations do not necessarily need to have complete control over them, this is not a big concern.

Android Enterprise vs Apple User Enrollment

Similar to Apple User Enrollment for iOS devices, Android features a feature called Android Enterprise that was created to deploy Android devices for business use. Device owner and Profile owner are the two enrollment options that Android Enterprise offer. In contrast to profile owner mode, which is used to register personal devices for work, the Device owner is typically used to control devices fully.

Both Android Enterprise and Apple User Enrollment theoretically allow for the separation of personal and professional data. However, there are many differences between the two functionalities, and they are very significant for device management.

Feature-wise comparison
Feature Apple User Enrollment Android Enterprise
Managed account set up  Managed Apple ID – created manually.  Managed Google Play account – created automatically. 
Data wipe on disenrolling  The entire APFS volume is deleted automatically.  Work container is deleted automatically. 
App store  Only VPP apps and Enterprise apps can be deloyed.  Managed Google Play Store will be there on the work container. 
Password restriction  Password can be set up for the device as a whole only.  Password can be set up just for the work container. 
Container management   The management features for the work container offered in User Enrollment is very restricted.  Android makes sure that the work container is completely manageable by the organization. 
Content management  You can manage documents and contacts from being copied between containers.  You can prevent content from being copied between personal and work containers. 
App management  Apart from deployment of VPP and Enterprise apps other features like silent app installation and app configuration might not work for every app.  Extensive app management is possible in the case of profile owner mode in Android Enterprise. Silent installation, app configuration and more can be done.

Hexnode and User enrollment

Hexnode recently announced its support for User Enrollment of iOS devices. What does this mean for an average IT admin? With Hexnode UEM and User Enrollment, you can easily create and manage work containers on your employees’ personal devices.

Hexnode also lets you remotely configure settings on the devices very swiftly within seconds, so even if the employee is miles away the work container on their device is always under the organization’s control.
To know more about how to manage BYODs with Hexnode and User Enrollment, click here.

Apple really does care for BYOD

With the introduction of User Enrollment, it is safe to say that Apple cares about BYODs. Before this all Apple was more focussed on complete device management. Employees are more willing to allow their devices to be enrolled into the company’s device management solution thanks to User Enrollment, which also makes BYOD management and enrollment simpler.


Brendon Baxter

Product Evangelist@Hexnode. Read. Write. Sleep. Repeat.

Share your thoughts