What about personally owned Watches?

First question: What kind of Apple Watch data will be visible on the MDM server?

Second is a more or less important request one should consider before implementing this solution: Many customers have implemented a COPE client design, where the iPhone is fully managed but personal use, incl. all Apple Services (iCloud, App Store, etc.), is explicitly allowed and wanted. However, in most cases, the Apple Watches are not leased/purchased by the company (especially if they don't have a use case for it / lack matching business processes). Hence many Apple Watches are usually fully personal devices (BYOD), used along with the corporate iPhone.
With this way of implementing Apple Watch management, the company takes over possession of the Watch with complete control, instead of a limited scope.

One situation that comes to my mind instantly: The user is on the road, off duty, in the middle of nowhere, without his/her iPhone, and needs to buy some water. He/She wants to pay with his/her personal Apple Pay credit card from the personal Apple Watch - and boom, the administrator is resetting/unenrolling the Watch, with all data also being deleted from the Watch. The user cannot pay for the water, and maybe even more challenges arise from that situation: no option to pay the taxi/public transport to get home. How do you solve that? Why not just offer two scenarios?

  • A) All corporate Watches will be automatically fully enrolled, like the presented solution (serial number/other identifier known already before enrollment and maybe added to Apple Business Manager or to the MDM server to identify the corporate Watch during the enrollment attempt).
  • B) If no pre-known identifier is found, the Watch is considered personal. All personal Watches need to be enrolled too, but with a limited scope - any MDM/DDM payloads and Managed Apps become managed on the Watch as well; anything private is not touched. Exactly the way an iPhone with a COPE setup behaves. When an "unenroll Apple Watch" command is triggered, the Watch stays paired with the iPhone, but only the managed content is erased, without affecting private apps/data. So the user can no longer read mails from the managed corporate mail account but can still read the personal mail account. The user can no longer use other corporate apps, like Outlook, Webex, etc. Managed payloads are removed, like the password policy. No more corporate Wi-Fi access or Per-App VPN.

That way it would be ensured that the user is not affected in the private use of their personally owned Apple Watch and never has to fear that one day, all of a sudden, the Watch stops working as expected due to a human/administrative failure or a malfunction on the MDM server side.
For good reason we are not allowed to take over full device management of personally owned iPhones/iPads, hence we shouldn't start doing that on Apple Watches now.
