User Enrollment: A usable BYOD solution for iOS?
User enrollment simplifies BYOD management by separating work data from personal data.
Oct 27, 2022
The 2019 Apple WWDC conference was indeed eventful, as Apple unveiled many brand-new features in the space of device management. “User Enrollment” for Apple devices stood out among almost all the other features. In principle, it was a fresh way to deploy Apple devices in an organization.
Until the introduction of User Enrollment, Apple mainly had three enrollment options: Automated Device enrollment, User-approved enrollment, and Enrollment via Apple Configurator 2. With any of these enrollment options, the IT staff has complete control over every work device. In addition to these enrollment methods, Apple also offered a tool called Supervision, which gave IT administrators more control over managed Apple devices.
User enrollment mainly relies on Managed Apple ID to create the separation between work data and personal data. Just like a normal Apple ID, Managed Apple IDs also let users sign into Apple devices and services.
Managed Apple IDs are maintained by the organization and the organization is in complete control of these IDs. IT can even perform management actions on this ID using Apple Business/School Manager (ABM or ASM).
During the enrollment process, a separate container, an Apple File System (APFS) storage volume, is created on the device. The Managed Apple ID gives access to this volume. The organization has full control over this volume, and it is essentially a virtual hard drive with its own encryption.
The APFS volume stores all of the organization’s data, including:
When the employee leaves the company, the device is unenrolled and the volume is deleted from the device.
Some of the primary requirements to enroll iOS devices to any device management portal using User Enrollment are:
As we previously saw, User Enrollment is specifically designed to meet the BYOD requirements for Apple devices in the enterprise. For various reasons, many businesses support utilizing personal devices for work. First off, if a business encourages BYOD, it may spend much less on buying business devices. Employees not having to spend additional time adjusting to a new device and operating system is another benefit. The next thing is that BYOD makes remote work more fluid since employees feel more comfortable using their devices when not in the office.
Corporate data security is generally not an issue with User Enrollment because the APFS volume is a different entity and can be protected with encryption and other security features. The sole drawback of User Enrollment is that the management functions are constrained, and the device management solution won’t have complete control over the device. However, since the devices belong to the employees and the corporations do not necessarily need to have complete control over them, this is not a big concern.
Similar to Apple User Enrollment for iOS devices, Android has a feature called Android Enterprise that was created to deploy Android devices for business use. Device owner and Profile owner are the two enrollment options that Android Enterprise offers. Profile owner mode is used to register personal devices for work, whereas Device owner mode is typically used to control devices fully.
Both Android Enterprise and Apple User Enrollment theoretically allow for the separation of personal and professional data. However, there are many differences between the two functionalities, and they are very significant for device management.
| Feature | Apple User Enrollment | Android Enterprise |
|---|---|---|
| Managed account set up | Managed Apple ID – created manually. | Managed Google Play account – created automatically. |
| Data wipe on disenrolling | The entire APFS volume is deleted automatically. | Work container is deleted automatically. |
| App store | Only VPP apps and Enterprise apps can be deployed. | Managed Google Play Store will be there on the work container. |
| Password restriction | Password can be set up for the device as a whole only. | Password can be set up just for the work container. |
| Container management | The management features for the work container offered in User Enrollment are very restricted. | Android makes sure that the work container is completely manageable by the organization. |
| Content management | You can manage whether documents and contacts are copied between containers. | You can prevent content from being copied between personal and work containers. |
| App management | Apart from deployment of VPP and Enterprise apps, other features like silent app installation and app configuration might not work for every app. | Extensive app management is possible in the case of profile owner mode in Android Enterprise. Silent installation, app configuration and more can be done. |
Hexnode recently announced its support for User Enrollment of iOS devices. What does this mean for an average IT admin? With Hexnode UEM and User Enrollment, you can easily create and manage work containers on your employees’ personal devices.
Hexnode also lets you remotely configure settings on the devices within seconds, so even if the employee is miles away, the work container on their device is always under the organization’s control.
With the introduction of User Enrollment, it is safe to say that Apple cares about BYODs. Before this, Apple was more focused on complete device management. Employees are more willing to allow their devices to be enrolled into the company’s device management solution thanks to User Enrollment, which also makes BYOD management and enrollment simpler.