Category filter

Apple User Enrollment for iOS devices

User Enrollment for iOS devices is an enrollment method designed for Bring Your Own Device (BYOD) deployments where the user, instead of the organization, owns the device. It primarily focuses on enhancing user privacy and enterprise security.

User Enrollment requires a Managed Apple ID to establish a user identity on the device. Managed Apple IDs are created by an organization and provide end-users access to specific Apple services. This Managed Apple ID can co-exist with the personal Apple ID of the user without interacting with one another.

Once the User Enrollment profile is set up, a separate Apple File System (APFS) volume containing the managed apps and data will be automatically created and encrypted on the device. Such containerization allows organizations to manage corporate data without interfering with end users’ personal data. However, unlike Automated Device Enrollment, where the MDM has complete control over the device, User Enrollment supports only a limited set of payloads and restrictions on the device. For instance, critical MDM commands such as, enable/disable lost mode, allow/clear activation lock, etc., cannot be executed. Additionally, device-specific information such as serial number, UDID, IMEI, MEID, etc., cannot be retrieved from the MDM console.


  • Choose unsupervised devices running iOS 13.0+ or iPadOS 13.1+.
  • Configure the APNs certificate on the Hexnode UEM portal.
  • Enroll your organization in Apple Business Manager.
  • Create Managed Apple IDs to authenticate the user for MDM management.


  • Ensure that the Safari browser in your iOS/iPadOS device is in Mobile View to download the User Enrollment profile. If Safari is in Desktop Site View, only the Device Enrollment profile can be downloaded.
  • This feature is supported only on Enterprise, Ultimate and Ultra pricing plans.

Setting up User Enrollment in the Hexnode UEM portal

  1. Log in to your Hexnode portal.
  2. Go to Enroll > Platform – Specific > iOS > Email or SMS.
  3. Choose the authentication mode as Authenticated Enrollment.
  4. Select the Ownership of the device as Personal.
  5. Choose the Apple Enrollment Type as User Enrollment from the below options:
    • Device Enrollment
    • User Enrollment
  6. Click on Next.
  7. Configure the necessary details for sending enrollment requests and hit Send.

Enrollment requests comprising the enrollment URL, username, and password will be sent to the users via email or SMS.

On the device,

If Ownership is selected as Personal and Apple Enrollment Type is selected as User Enrollment from the portal,

  1. Open the Safari browser and enter the enrollment URL specified in the enrollment request.

    For example,

  2. On the enrollment screen, enable the checkbox to agree with the terms and conditions. Click Enroll.
  3. Enter your “Managed Apple ID” and click on Download Profile.

If Ownership is selected as Let the user choose from the portal,

  1. Open the Safari browser and enter the enrollment URL specified in the enrollment request.

    For example,

  2. On the enrollment screen, enable the checkbox to agree with the terms and conditions. Click Enroll.
  3. Enter your username and password and select I own this device. Click on Authenticate. Alternatively, selecting My organization owns this device will enroll the device using Device enrollment.
  4. Next, select how you want the devices to be managed by Hexnode UEM:
    • Manage entire device – To manage the device completely without limitations on MDM capabilities.
    • Manage only work-related data and apps – To manage corporate data by creating a separate volume on the device with limited MDM capabilities.
  5. Select Manage only work-related data and apps and enter your “Managed Apple ID”.
  6. Click on Download Profile.

Finally, after the enrollment profile is downloaded, navigate to Settings > Enrol in Hexnode and click on Enrol My iPhone. Here, you need to enter the password of your Managed Apple ID. Once the enrollment is successful, you can see the downloaded Hexnode MDM profile in General > VPN & Device Management.


You may install the Hexnode UEM agent on the device to achieve advanced management capabilities with the end users’ permission. To initiate the installation:

  1. Set up a VPP account in the Hexnode portal.
  2. Purchase the app licenses for Hexnode MDM through the Apple Business Manager.
  3. Deploy the Hexnode MDM app to devices.
    • For those VPP licenses already purchased, the deployment is initiated automatically soon after the enrollment, given the user’s Managed Apple ID exists on the VPP account.
    • The VPP app licenses can also be purchased after enrollment. In that case, the admin can log into the Hexnode portal and initiate the deployment from the Device Summary page. (Click on the sync icon in the MDM App Installed field under the Enrollment details). Alternatively, you can use the Install Application action or the Required Apps policy.
  4. The deployment is completed only when the user approves the installation from the device. So, click Install on the app installation prompt on the devices. However, the user can deny it if required.

MDM functionalities in User enrolled devices

Compared to other enrollment types, User Enrollment severely limits the permissions that an MDM has when administering a device. Unlike device enrollment, device details such as Serial Number, UDID, IMEI and MEID cannot be retrieved in this case.

Here is a comprehensive list of available Hexnode UEM functionalities on devices enrolled using User Enrollment.

  1. Remote Actions
  2. Passcode

    Despite what passcode requirements are specified, there are certain exceptions in the passcode policy on the devices enrolled using user enrollment:

    • No simple value allowed.
    • Minimum passcode length is 6.

    User Enrollment creates a separate volume on the device containing managed apps and data, but the passcode policy will be applied to the entire device.

  3. Restrictions
    • Allow Device Functionality
      • Siri
      • Allow Siri while device is locked
      • Screen capture
    • Allow Application Settings
      • Sync managed data with iCloud
      • Backup enterprise-deployed iBooks
      • Fraud warning
    • Allow Security and Privacy Settings
      • Today View on lock screen
      • Control Center on lock screen
      • Lock screen notifications
      • Force encrypted backup
      • Send diagnostic data to Apple
  4. App Management

    Deploy and manage Enterprise and VPP apps using the Required Apps policy or Install Application action from the Hexnode UEM console. You can also add Web Clips to the Home Screen on iPhone and iPad devices.

    User Enrollment requires an Apple VPP token associated with your Hexnode portal to install managed apps from the App Store on devices.

    Once the device is disenrolled from Hexnode, all the managed apps and data will be removed, and the device will return to its original state before enrollment.

  5. Network
  6. Security
  7. Accounts
  8. Expense Management
  9. Configurations
  • Enrolling Devices
  • Managing iOS Devices