User Enrollment: A usable BYOD solution for iOS?

Rick Cooper

Jul 11, 2022

8 min read

iOS devices are growing in popularity as enterprise devices for many reasons. They are easy to use and manage, their OS is widely regarded as more secure than many other types of devices, and they offer a great user experience. If you are a corporate, there are multiple ways in which you can enroll your fleet of iOS devices to your management software, but here we are interested in one in particular, ‘User Enrollment’.

What is User Enrollment?

Apple launched its User Enrollment feature with the introduction of iOS 13. User Enrollment is a feature in iOS that helps organizations manage BYOD devices. An employee’s device that is enrolled in the company’s management software under User Enrollment allows the organization to configure and manage the device. User Enrollment helps in enforcing security policies on managed data/apps while staying clear of personal user data.


Bring your own device (BYOD) refers to the practice of employees using personal devices for both organizational and work-related systems. Personal devices could include smartphones, personal computers, tablets and other organizational devices.

As more and more organizations support employees working from home, maintaining a flexible schedule, or connecting on the go while on work travel or commutes, BYOD solutions have become more prevalent.

What makes it different?

User Enrollment provides a separate, managed workspace on the device for corporate data. This helps to keep personal and corporate data separate, which is essential for security and compliance.

User Enrollment gives organizations fewer management capabilities for the corporate data on the device than other types of mobile device management. With User Enrollment, organizations can only manage and configure the corporate data on the device. They cannot access or manage personal data. Although it makes it more difficult to enforce security policies, this helps the employees ensure that personal and work data is properly separated and secured.

Compartment of data

During User Enrollment, a distinct APFS (Apple File System volume) is established as a security and privacy measure. APFS volume is effectively a virtual hard drive that has its own encryption and exists fully independently of other volumes that house the data of individual users.
All User Enrollment-related data is kept on this volume including:

  • Managed applications and app data
  • Managed contacts, mail, and calendar information
  • Data was downloaded and cached by iCloud drive
  • Keychains
  • Data from Apple Notes connected to the Managed Apple ID

When a device disenrolls from the MDM this volume is deleted along with all controlled apps and managed data. The device goes back to its initial condition.

Prerequisites for User Enrollment

1. Your organization needs to be enrolled in Apple Business Manager

Apple Business Manager is a web-based portal that helps organizations deploy and manage their Apple devices. It includes features such as an automated device enrollment process, bulk purchase and distribution of apps, and the ability to create and manage mobile device management (MDM) profiles. To use Apple Business Manager, your organization must enroll in the program first.

2. You will require managed apple id.

A Managed Apple ID is an account owned by an organization and used to access Apple Business Manager and other services. Organizations can create managed Apple IDs for employees, students, and others who need access to their resources.

Managed Apple IDs are created in the Apple Business Manager portal. To create a Managed Apple ID, you will need the following:

  • An Apple ID that’s not already being used as a managed Apple ID
  • The name and email address of the person who will be using the account
  • A credit card to use for billing purposes

To create a Managed Apple ID,

  • Sign in to the Apple Business Manager portal and click on the “People” tab.
  • Then, click the “+” button and select “Create a new managed Apple ID.” You will be prompted to enter the person’s name and email address.
  • Once you have entered this information, click the “Create” button.
  • You will then be asked to provide a credit card for billing purposes. After you have entered your credit card information, click on the “Create” button.

A new Managed Apple ID is created, and the person is sent an email with instructions on activating their account.

After the Managed Apple ID has been created, you can assign it to a device or user in your organization.

3. Ensure that the device is running iOS 13.0+ or iPadOS 13.1+.

To find the software version installed on your device, go to Settings > General, then tap about.

4. Configure the APNs certificate for your management software.

Let us understand how to create an APNs certificate by taking the example of one of the best out there. i.e., Hexnode.

5. Ensure that the safari browser in your iOS/iPadOS device is in mobile view to download the User Enrollment profile.

Upside: BYOD

There has been a significant increase in employees Bring Your Own Device (BYOD) to work recently. This trend can be attributed to the growing popularity of smartphones and tablets and the rise in support for Bring Your Own Device (BYOD) management policies. Apple’s User Enrollment goes in line with the principles of BYOD

Reduced costs

One of the biggest overhead costs that a company usually has to deal with is the purchase of corporate devices; there are multiple facets to the devices that the company has to handle. In certain huge companies, departments are hired for the safekeeping and deployment of these devices. This is in addition to the IT department that works on managing the working of enrolled devices. BYOD eliminates this cost by allowing employees to use personal devices for work, driving costs down massively.


These are the same devices that employees use for their everyday tasks. The benefit of this is that the employees don’t have to get accustomed to a new device, OS or layout when using their personal devices. This makes the navigation easier and cuts down the need for the employee to get familiarized with the device.


Allowing employees to work on their personal devices, it gives them the flexibility to work from anywhere and anytime. Since they are basically using the same devices, whenever an important task comes up. The tool to finish their task is always within reach.

Built-in security

BYOD can also help improve security by allowing organizations to take advantage of built-in security features on devices, such as fingerprint scanners and two-factor authentication.

Downside: Limited functionality

User Enrollment creates a managed profile separate from a personal profile, providing boundaries for what MDMs can and cannot view or edit. In addition, it ensures that IT administrators using MDM software cannot access or alter end-user-installed personal apps/data.

User Enrollment offers a small subset of management capabilities in comparison to supervised iOS devices, and the basic features are

  • Google Accounts, Contact Accounts, and Calendar Accounts
  • LDAP Accounts
  • AirPlay and AirPrint
  • SSO
  • Certificates
  • Email
  • WiFi
  • A basic set of restrictions
  • 6-digit Passcode
  • Fonts
  • Per-app VPN
  • Web clips

If you are looking for more features, sad to break it to you, but User Enrollment is not the ideal fit for you. It misses out on some of the crucial management capabilities

Some crucial feature limitations in comparison to device enrollment

Feature User Enrollment  Device Enrollment 
App management  Install and configure apps.  Ability to configure app permissions and management of personal apps. 
Device wipe  Complete device wipe is not supported.  Devices can be wiped in case they are stolen or lost right from the UEM portal. 
Restrictions  Significantly lesser restrictions.  Access to all restrictions that Apple provides support to. 
Device info  Access to limited device information.  Ability to retrieve detailed information like device location, device attributes etc. 
Profiles and Configurations Support includes
  • WiFi

  • Per-app VPN

  • Account-related profiles, like email, calendar, contact, and Exchange/ActiveSync

All the features offered in User Enrollment, but with important additions such as restricting weak passcodes, configuring proxy network traffic and other useful data encryptions are possible.

The above stated are just some of the management features that are not available when enrolling your device through User Enrollment.

So, is User Enrollment needed?

Organizations looking for further protection should still choose corporate-owned devices and supervision. Still, those inclined towards the perks of Apple BYOD have simple, affordable device management with a significantly enhanced end-user experience in the form of User Enrollment.

Rick Cooper

Product Evangelist @ Hexnode. Millennial by age. Boomer by heart.

Share your thoughts