Category filter

Apple User Enrollment for iOS devices

User Enrollment for iOS devices is an enrollment method designed for Bring Your Own Device (BYOD) deployments where the user, instead of the organization, owns the device. It primarily focuses on enhancing user privacy and enterprise security.

User Enrollment requires a Managed Apple ID to establish a user identity on the device. Managed Apple IDs are created by an organization and provide end-users access to specific Apple services. This Managed Apple ID can co-exist with the personal Apple ID of the user without interacting with one another.

Once the User Enrollment profile is set up, separate encryption keys are created on the device to protect the organization’s data. These encryption keys are used to separate the managed data from the user’s personal data on the device. When the device is disenrolled, the encryption keys are securely destroyed to prevent unauthorized access to the organization’s data.

Unlike Automated Device Enrollment, where the MDM has complete control over the device, User Enrollment supports only a limited set of payloads and restrictions on the device. For instance, critical MDM commands such as, enable/disable lost mode, allow/clear activation lock, etc., cannot be executed. Additionally, device-specific information such as serial number, UDID, IMEI, MEID, etc., cannot be retrieved from the MDM console.


  • Choose unsupervised devices running iOS 13.0+ or iPadOS 13.1+.
  • Configure the APNs certificate on the Hexnode UEM portal.
  • Enroll your organization in Apple Business Manager.
  • Create Managed Apple IDs to authenticate the user for MDM management.


  • Ensure that the Safari browser in your iOS/iPadOS device is in Mobile View to download the User Enrollment profile. If Safari is in Desktop Site View, only the Device Enrollment profile can be downloaded.
  • This feature is supported only on Enterprise, Ultimate and Ultra pricing plans.

Setting up User Enrollment in the Hexnode UEM portal

  1. Log in to your Hexnode UEM portal.
  2. Go to Enroll > Platform – Specific > iOS > Email or SMS.
  3. Choose the authentication mode as Authenticated Enrollment.
  4. Select the Ownership of the device as Personal.
  5. Choose the Apple Enrollment Type as User Enrollment from the below options:
    • Device Enrollment
    • User Enrollment
  6. Click on Next.
  7. Configure the necessary details for sending enrollment requests and hit Send.

Enrollment requests comprising the enrollment URL, username, and password will be sent to the users via email or SMS.

On the device,

If Ownership is selected as Personal and Apple Enrollment Type is selected as User Enrollment from the portal,

  1. Open the Safari browser and enter the enrollment URL specified in the enrollment request.

    For example,

  2. On the enrollment screen, enable the checkbox to agree with the terms and conditions. Click Enroll.
  3. Enter your “Managed Apple ID” and click on Download Profile.

If Ownership is selected as Let the user choose from the portal,

  1. Open the Safari browser and enter the enrollment URL specified in the enrollment request.

    For example,

  2. On the enrollment screen, enable the checkbox to agree with the terms and conditions. Click Enroll.
  3. Enter your username and password and select I own this device. Click on Authenticate. Alternatively, selecting My organization owns this device will enroll the device using Device enrollment.
  4. Next, select how you want the devices to be managed by Hexnode UEM:
    • Manage entire device – To manage the device completely without limitations on MDM capabilities.
    • Manage only work-related data and apps – To manage corporate data by creating a separate volume on the device with limited MDM capabilities.
  5. Select Manage only work-related data and apps and enter your “Managed Apple ID”.
  6. Click on Download Profile.

Finally, after the enrollment profile is downloaded, navigate to Settings > Enrol in Hexnode UEM and click on Enrol My iPhone. Here, you need to enter the password of your Managed Apple ID. Once the enrollment is successful, you can see the downloaded Hexnode MDM profile in General > VPN & Device Management.

Once enrollment is complete, the newly managed account will be displayed in the Settings app on iPhone and iPad. Users can view details about what is being managed on their personal device, such as specific settings or restrictions implemented by their organization, as well as the amount of iCloud storage space provided by their organization.

With User Enrollment on iOS devices, users can view the amount of iCloud storage space provided by their organization


  • You may install the Hexnode UEM agent on the device to achieve advanced management capabilities with the end users’ permission. To initiate the installation:
    1. Set up a VPP account in the Hexnode portal.
    2. Purchase the app licenses for Hexnode MDM through the Apple Business Manager.
    3. Deploy the Hexnode MDM app to devices.
      • For those VPP licenses already purchased, the deployment is initiated automatically soon after the enrollment, given the user’s Managed Apple ID exists on the VPP account.
      • The VPP app licenses can also be purchased after enrollment. In that case, the admin can log into the Hexnode UEM portal and initiate the deployment from the Device Summary page. (Click on the sync icon in the MDM App Installed field under the Enrollment details). Alternatively, you can use the Install Application action or the Required Apps policy.
    4. The deployment is completed only when the user approves the installation from the device. So, click Install on the app installation prompt on the devices. However, the user can deny it if required.
  • When a user is signed in with both a personal Apple ID and a Managed Apple ID, “Sign in with Apple” will default to using the Managed Apple ID for managed apps and the personal Apple ID for unmanaged apps. During the sign-in process via Safari or SafariWebView within a managed app, the user can opt to enter their Managed Apple ID to associate the sign-in with their work account.
  • Users will be able to access personal iCloud Drive files separately from their organization’s iCloud Drive files within the Files app.
    With User Enrollment on iOS devices, iCloud Drive will appear separately for personal and organizational data in the Files app

MDM functionalities in User enrolled devices

Compared to other enrollment types, User Enrollment severely limits the permissions that an MDM has when administering a device. Unlike device enrollment, device details such as Serial Number, UDID, IMEI and MEID cannot be retrieved in this case.

Here is a comprehensive list of available Hexnode UEM functionalities on devices enrolled using User Enrollment.

  1. Remote Actions
  2. Passcode

    Despite what passcode requirements are specified, there are certain exceptions in the passcode policy on the devices enrolled using user enrollment:

    • No simple value allowed.
    • Minimum passcode length is 6.
    • Complex characters cannot be mandated.
  3. Restrictions
    • Allow Device Functionality
      • Siri
      • Allow Siri while device is locked
      • Screen capture
    • Allow Application Settings
      • Sync managed data with iCloud
      • Backup enterprise-deployed iBooks
      • Fraud warning
    • Allow Security and Privacy Settings
      • Today View on lock screen
      • Control Center on lock screen
      • Lock screen notifications
      • Force encrypted backup
      • Send diagnostic data to Apple
  4. App Management

    Deploy and manage Enterprise and VPP apps using the Required Apps policy or Install Application action from the Hexnode UEM console. Only applications installed via these methods through the Hexnode UEM console will be considered managed. Applications manually installed by users on their devices will remain unmanaged and cannot be converted to managed apps. You can also add Web Clips to the Home Screen on iPhone and iPad devices.

    User Enrollment requires an Apple VPP token associated with your Hexnode UEM portal to install managed apps from the App Store on devices.

    Once the device is disenrolled from Hexnode UEM, all the managed apps and data will be removed, and the device will return to its original state before enrollment.

  5. Network
  6. Security
  7. Accounts
  8. Expense Management
  9. Configurations
  • Enrolling Devices
  • Managing iOS Devices