Jun 11, 2021
Every year we look forward to what Apple brings to the device management table at its midyear event, the Worldwide Developers Conference (WWDC). The “What’s new in managing Apple devices” session is without a doubt one of the sessions we anticipate most, and Apple never disappoints. This year we also saw other detailed sessions on important device management features, and one of these deep dives covered the new account-driven user enrollment. Apple’s focus on security is clearly reflected in this year’s announcements.
User enrollment is the device management option for BYOD deployments, where the managed devices are owned by the user rather than the organization. It assures both the user and the organization that their respective data stays protected and separate.
Apple has announced that Managed Apple IDs will support iCloud Drive in iOS 15 and macOS Monterey. iCloud Drive will also follow the Managed Open-In restrictions that govern managed app and data access.
In macOS Monterey, Macs enrolled through user enrollment will remove managed apps when the MDM sends the corresponding command or when the device is disenrolled from the MDM. As on iOS, managed app data is stored on a separate volume.
Managed Open-In has been expanded to cover Copy & Paste, so organizations can control data pasted between managed and unmanaged apps. Apple has also introduced Required App for unsupervised devices, which allows the admin to install one pre-approved app silently, without prompting the user.
Onboarding for user enrollment on iOS devices used to be initiated and controlled by an MDM enrollment profile. The new user enrollment instead makes the organization’s identity the entry point, adding a layer of security to the enrollment flow: the MDM server can now verify the user even before the MDM profile is downloaded to the device. How does it work?
The user goes to the new VPN and Device Management section in Settings and taps the new “Sign in to Work or School” button. There, the user enters their organizational ID, which triggers the service discovery step. After authentication, the assigned Managed Apple ID is pre-populated on the next screen, where the user is expected to enter their password. Once this second authentication also succeeds, the user allows management of their device. The user then enters the device passcode to create a separate encrypted partition for enterprise data and to authorize the MDM enrollment. Only after all these steps is the device enrolled in the MDM.
In the onboarding flow described above, the server authenticates the user before sending any enrollment data. In iOS 15, Apple has also announced the option for organizations to re-authenticate the user at any time. The MDM server can now validate authorization on every request from the client and ask the user to re-authenticate with their identity credentials. If the user’s authentication attempt fails, the server may no longer trust the device, and it can then remove any sensitive data or apps from the device or disenroll the device completely.
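To make the server side of this concrete, here is an added example (not code from the post or from Apple) of how an MDM server might validate a per-request credential and decide what to do when re-authentication fails. The token format, the session TTL and the two-failure threshold are assumptions chosen for illustration; the actions returned map to the options the post describes (continue, re-authenticate, remove managed data or disenroll).

```python
"""Per-request authorization check for an account-driven user enrollment MDM server (illustrative)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo secret; a real server would keep this in an HSM or KMS.
SERVER_SECRET = b"constructed-demo-secret"


@dataclass
class Session:
    """State the server keeps for one enrolled device / Managed Apple ID."""
    managed_apple_id: str
    issued_at: float          # when the current credential was issued (epoch seconds)
    ttl: float                # assumed lifetime of the credential in seconds
    failed_reauths: int = 0   # consecutive failed re-authentication attempts


def mint_token(session: Session) -> str:
    """Derive the credential the client must present; it is bound to the issue time,
    so a successful re-authentication rotates it and old tokens stop working."""
    msg = f"{session.managed_apple_id}|{int(session.issued_at)}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def authorize_request(session: Session, presented: str, now: float) -> str:
    """Validate the credential on every MDM request. Return 'ok' to serve the request,
    or 'reauth' (the server would answer HTTP 401) to make the device prompt the user
    for their Managed Apple ID credentials again."""
    if not hmac.compare_digest(mint_token(session), presented):
        return "reauth"
    if now - session.issued_at > session.ttl:
        return "reauth"
    return "ok"


def on_reauth_result(session: Session, succeeded: bool, now: float,
                     max_failures: int = 2) -> str:
    """Apply policy after a re-authentication attempt. Success reissues the credential;
    failure is counted and, once the (assumed) threshold is reached, the server stops
    trusting the device and removes managed data / disenrolls it."""
    if succeeded:
        session.issued_at = now
        session.failed_reauths = 0
        return "continue"
    session.failed_reauths += 1
    if session.failed_reauths >= max_failures:
        return "remove_managed_data_and_unenroll"
    return "retry_reauth"
```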
Bringing personal devices to work always raises security concerns within an organization. With focused features and updates like account-driven user enrollment, however, managing Apple devices in a BYOD environment is definitely going to get easier for administrators. Apple has announced many great features for device management this year. Read WWDC 2021: What’s new in Apple Device Management to learn what else is in store for you.