User Enrollment is designed for Bring Your Own Device (BYOD) deployments, where the user owns the device instead of an organization. It offers a limited set of MDM payloads and restrictions compared to those available to non-BYOD deployments.

Available for the following OSs:
- iOS
- iPadOS
- macOS

User Enrollment works to balance privacy and security concerns:
- End user: privacy and personal data are protected
- Organization: the organization's data is protected

Three core components to User Enrollment:
- Managed Apple ID
- Data separation
- Management capabilities

Managed Apple ID:
- Provides access to Apple services
  - iCloud
- Available via Apple Business Manager (ABM) / Apple School Manager (ASM)
- Authentication federation support
  - Currently only with Azure Active Directory

Data separation:
- During enrollment, a separate APFS volume with its own set of cryptographic keys is created on the BYOD device
- Data from managed accounts and managed apps is stored on that separate APFS volume
- Allows organizational data to be logically separated from personal data
- As part of the unenrollment process, this separate APFS volume and its cryptographic keys are erased from the device

Management capabilities:
- Limited to those which control the organization's content stored on the separate APFS volume
- Privacy protections
  - User maintains control of their personal data
- Device is not considered supervised if enrolled using User Enrollment

A listing of the available MDM functions can be seen at 2:19 in the session video.

Changes for iOS 15 and macOS Monterey:
- Managed Apple ID
- Managed apps
- Onboarding
- Ongoing authentication

Managed Apple ID:
- In iOS 15, Apple has improved access to the Managed Apple ID in Settings
  - When a device is user-enrolled with a Managed Apple ID, the Managed Apple ID account now appears at the top level of Settings
  - Details and settings for that Managed Apple ID's iCloud services can be viewed
  - Personal and Managed Apple IDs are clearly displayed as separate accounts
  - End users can easily distinguish which parts of the system are managed by the organization and which are managed by themselves
- New in iOS 15 and macOS Monterey, iCloud Drive is now supported for Managed Apple IDs
  - In iOS and iPadOS, the Managed Apple ID's iCloud Drive shows up as a separate iCloud Drive entry in Files.app
  - In macOS, it appears as an additional Location entry in the Finder's sidebar
  - iCloud Drive respects managed Open-In restrictions for managed apps and data access

Managed apps:
- Managed apps first became available for macOS device enrollments as of macOS Big Sur
  - Allows organizations to deploy custom configuration payloads on a managed device, like they can on iOS
  - Allows the organization to remove an app either with an MDM command or when the device unenrolls from MDM
- In macOS Monterey, this functionality is being extended to include User Enrollments
  - Like on iOS, the app data container is located on a separate APFS volume with its own set of cryptographic keys
  - Managed apps and data are removable either with an MDM command or when the device unenrolls from MDM
  - As part of the unenrollment process, this separate APFS volume and its cryptographic keys are erased from the device
  - Managed apps which use CloudKit will use the Managed Apple ID associated with the User Enrollment
- InstallAsManaged will need to be set to a value of TRUE with the InstallApplication MDM command
- Managed apps have the following conditions:
  - Installs into /Applications
  - Should contain only a single app bundle
  - Apple recommends the use of:
    - Data Protection Keychain
    - App sandboxing (to ensure data is stored on the separate APFS volume)
- Enhancements to managed apps:
  - Restrictions for Managed Open-In have been expanded to include Copy/Paste
    - Allows organizations to control whether data can be copied and pasted from managed apps / data to personal apps / data, and from personal apps / data to managed apps / data
  - Ability to specify that a Required App is installed when a device enrolls in management
    - Consent from the user to install without a prompt is gathered during MDM enrollment
    - Only the one Required App will install without additional user approval
  - For more information on managed copy / paste and Required App, see the "What's new in managing Apple Devices" session video: https://developer.apple.com/wwdc21/10130

Onboarding:
- In iOS 15, a new User Enrollment onboarding workflow has been developed
  - Establishes the user's organization identity as the entry point
  - Onboarding workflow illustration can be seen at 6:52 in the session video
- Enables new security features for User Enrollment
  - An additional security layer is now part of the MDM enrollment workflow
  - The MDM server can now verify the user before the MDM profile is downloaded to the device
- Four components to the onboarding workflow:
  - Service discovery
  - User authentication
    - How the MDM server validates the user
  - Session token issuing
    - How ongoing authentication is performed between the device and the MDM server
  - Enrollment
    - Installation of the MDM payload onto the device
- Onboarding workflow demonstration can be seen at 8:06 in the session video
- AuthenticationServices workflow (part of the above demo) can be seen at 10:44 in the session video
- End-to-end onboarding workflow demonstration can be seen at 13:34 in the session video
Getting started:
- New User Enrollment and ongoing authentication are available today with iOS 15
- Need to do five things:
  - Set up and publish a discoverable web domain
    - Using an HTTP well-known resource file for your enterprise domain
  - Integrate your MDM server with your organization's identity provider
    - Needed to perform user authentication during enrollment and to take advantage of the ongoing authentication process now part of the onboarding workflow
  - Create Managed Apple IDs from Apple Business Manager (ABM) / Apple School Manager (ASM)
    - Or use already-created Managed Apple IDs
    - Used to populate the AssignedManagedAppleID key in your MDM server's payloads
  - Update your MDM payload to include the new EnrollmentMode key
  - For more information, reference the Device Management documentation
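As an added example (not part of the session notes), a small Python helper that generates the service-discovery document behind "Set up and publish a discoverable web domain" and checks a fetched copy for the mistakes that make discovery fail on the device. The well-known path and the `Servers` / `Version` / `BaseURL` keys are those in Apple's Device Management documentation for account-driven User Enrollment; `mdm.example.com` is a placeholder for your MDM server.

```python
import json
from urllib.parse import urlparse

# Path the device requests on the user's enterprise domain (taken from the
# Managed Apple ID) to locate the MDM server; per Apple's Device Management docs.
WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"

# Version string identifying the account-driven User Enrollment (BYOD) flow.
BYOD_VERSION = "mdm-byod"


def build_discovery_document(base_url: str) -> str:
    """Return the JSON body to publish at WELL_KNOWN_PATH for the given MDM base URL."""
    doc = {"Servers": [{"Version": BYOD_VERSION, "BaseURL": base_url}]}
    return json.dumps(doc, indent=2)


def validate_discovery_document(body: str) -> list:
    """Check a fetched discovery document; return a list of problems (empty == OK).

    Catches malformed JSON, a missing Servers array, an unexpected Version, and a
    BaseURL that is not an absolute https URL (the device only enrolls over TLS).
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc}"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return ["missing or empty 'Servers' array"]
    problems = []
    for i, entry in enumerate(servers):
        if not isinstance(entry, dict):
            problems.append(f"Servers[{i}]: entry must be an object")
            continue
        if entry.get("Version") != BYOD_VERSION:
            problems.append(f"Servers[{i}]: Version must be '{BYOD_VERSION}'")
        url = urlparse(str(entry.get("BaseURL", "")))
        if url.scheme != "https" or not url.netloc:
            problems.append(f"Servers[{i}]: BaseURL must be an absolute https URL")
    return problems


if __name__ == "__main__":
    # mdm.example.com is a placeholder; substitute your MDM server's enrollment URL.
    body = build_discovery_document("https://mdm.example.com/enroll")
    print(body)
    print("problems:", validate_discovery_document(body))
```

Serve the generated body over HTTPS at `WELL_KNOWN_PATH` on the same domain as your users' Managed Apple IDs, and run the validator against what the web server actually returns, since a CDN or redirect can alter the body.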