It's called User Enrollment. It was designed by Apple to protect user-owned device privacy while also providing IT with the tools they need to keep your data safe with a limited set of configurations and policies associated with the user instead of the entire device. What does this mean for you and why is it important? Scroll down to find out more.
iOS 13, iPadOS, and macOS Catalina will have a profound impact on schools and companies. Previously, there have been many concerns about transparency and data privacy when it comes to students or employees bringing their own devices to school or work.
But not anymore, because Apple's brand-new lightweight form of management called User Enrollment will enhance Bring Your Own Device (BYOD) programs by making it easier for IT professionals, support, technicians, and administrators to protect user privacy.
This will allow users to access their personal and work/school data without the possibility of their personal data being erased, modified, or even viewed by the IT administrator.
In every company or school, people bring their own devices, but they don’t want IT administrators to manage their entire device. At the same time, the IT staff feels uncomfortable to having to deal with users' personal information. That's about to change. The new User Enrollment option is meant to better balance the needs of IT to protect sensitive data and manage the software and settings available to users.
At the same time, users’ private personal data remains separate from IT oversight. This is a game-changer, because users can feel extremely secure when partaking in corporate Bring Your Own Device (BYOD) programs because of the transparency and trustworthiness of the limited access IT has. For schools and companies, it means that they can then adopt BYOD with peace of mind and in an easier way than ever before.
For end-users, the enrollment process with the MDM has been simplified. They simply need to go the Settings app to start the enrollment after the enrollment profile has been downloaded. Once there, they will need to authenticate using their Managed Apple ID. An additional encrypted volume associated with the Managed Apple ID will be created automatically on the device.
This is where all the enterprise apps and data for the device will be stored, separating it completely from the users’ personal data. The MDM service will never have access to this personal volume, in fact, it doesn't even know it's there. This means that only the company or school’s managed apps and accounts have access to the benefits of the Managed Apple ID.
Personal data plays a huge part in society. Increasingly, people seek greater control and clarity about how their personal data is used and protected by the organizations they interact with. And with Apple’s privacy-focused releases, MDM is becoming as indispensable as ever. In a nutshell, MDM will gain user permission to operate in a confined space on user devices, thus having a restricted and transparent range of management operations, but at the same time ensuring that company and/or school information is always kept safe.
In addition, MDM will ensure that you have the best experience with your Apple device, installing, for example, the applications and software your institution wants to install for you. MDM will only access the work and/or school information, while your personal information remains encrypted and inaccessible by the MDM software. Briefly, the MDM does not even have access to your personal information. Most important: once the device is removed from MDM, all data and information that was managed by the institution is automatically deleted.
BYOD is here to stay – especially as new tech-savvy generations enter workplaces and workspaces. People are bringing their own iPhone, iPad, and Mac devices into their places of work for professional activities. While this is appreciated by most, you, from the Corporate IT team, know that this can be a major security concern. You are then asked to develop robust security solutions and identify ways to control the usage of personal devices.
Well, good news for you: managing those Apple devices will be easier from now on. Way easier. Apple just introduced a new lightweight form of management called User Enrollment, which has a much greater focus on user privacy, implemented with a level of security that enterprises can be more comfortable with.
The main goal of this new option is to balance the needs of IT to protect sensitive corporate data and manage apps and settings available to users, while at the same time allowing users’ private personal data to remain separate from IT oversight.
Basically, the new User Enrollment option has three elements that we will cover in-depth individually:
The first element of User Enrollment is the Managed Apple ID, which, briefly, is a special company-created and company-owned account that provides access to Apple services – associated with all enterprise apps and data on the device and in the iCloud Drive. You can create an Apple ID using Apple Business Manager or Apple School Manager, which can federate with Microsoft Azure Active Directory to create a Managed Apple ID.
For User Enrollment, Managed Apple IDs will have a key function: establishing a work identity on the device, in which the user must successfully authenticate in order for enrollment to be completed. From this moment forward, the company’s managed apps and accounts will use the Managed Apple IDs iCloud account that the employee just logged into.
At the same time, their personal Apple ID will work alongside the managed Apple ID, but the two won’t interact with each other. This separation will be presented next. This means that third-party apps are then either used in managed or unmanaged modes, meaning that users won’t be able to run the apps in both modes at the same time. For those built-in apps like Notes and Files, they will work through account based, so the app will use the appropriate Apple ID depending on which account they’re operating on at the time.
We highly recommend that you check what Managed Apple IDs are, what their use is, and how to create them at Apple Business Manager User Guide: https://support.apple.com/guide/apple-business-manager/what-are-managed-apple-ids-tes78b477c81/web
To separate work data from personal data, User Enrollment creates a separate APFS volume for managed accounts, apps, and data on the device at the time of the enrollment. In a few words, APFS, or Apple File System, allows space to be shared between volumes on a disk. As we have discussed before, to ensure the highest level of privacy and to address any security concerns, this managed volume is cryptographically separated from the rest of the device and not backed up.
The managed volume will host the local data stored by any managed third party apps, enterprise Notes, and iCloud Drive docs. Also, it will host a managed keychain that stores secure entries along with authentication credentials for managed accounts and mail attachments and full email bodies. Best of all: when the device is removed from MDM, it automatically destroys the volume and the keys.
This is a game-changer for any company that is using Apple devices, and it will provide the most straightforward, trustworthy experience for both IT and end users. Personal apps and data can’t be managed by IT admins, so users can always be sure that no personal information will ever be read or erased.
So what control does IT have over information? Well, Apple hit the nail on the head with this one. User Enrollment, working alongside with the MDM, will give IT the ability to manage a limited set of configurations and policies associated with the user instead of the entire device. For that, Apple restricted the MDM to have any access to any identifier for the device. Instead, an “enrollment ID” is created and used to communicate with the MDM server and is destroyed when the device is removed from the management solution.
In other words, the user will have access to both personal and work data with absolutely no chances that their personal data will be erased, modified, or even viewed by the IT admin.
Here’s a list of what User Enrollment can do:
What User Enrollment cannot do:
User Enrollment is revolutionizing the way technology is used in the workspace. BYOD makes employees happier and more satisfied because they can use a device they’re already familiar with, while knowing that IT is keeping corporate data safe. If your company is interested in using User Enrollment and enhancing the BYOD program with your employees, the first step is to set up an MDM account and talk to one of our specialists to ensure the most successful deployment. You can sign up for your free account by clicking on the button below:
Create your MDM Account for Free
You were told by your company that you can bring your personal Apple device to the workplace and use them with the company’s application. However, they have asked you to accept an “MDM Policy” so they can manage applications and remotely install configuration settings on your device. That certainly sounds like a breach of your privacy, no? Well, Apple just solved this issue by blocking any potential invasion of privacy at the lowest level than ever imagined before. The new User Enrollment will make you trust your company’s MDM Policy with your eyes closed.
But first, what’s an MDM? MDM stands for Mobile Device Management, and it allows IT administrators to control, secure, and enforce policies on Apple devices. The goal of MDM is to optimize the functionality and security of mobile devices while simultaneously protecting the corporate information. To be fair, MDM had a bunch of configurations that many users weren’t comfortable with, such as listing all the apps installed on the device or erasing it completely. As a result, many users weren’t comfortable enrolling their personal devices into an MDM solution.
But Apple just changed the rules of the game for the better. Apple just released User Enrollment, which provides IT admins with a limited set of configurations and policies for device management. This means that you can have the most private and trustworthy BYOD experience knowing that no one will ever have access to any of your personal information. Instead of managing your entire device, the IT department will provide you with a unique Managed Apple ID that will work alongside your own Apple ID and it will separate work and personal data on your device – it’s as simple as that.
Managed Apple ID works just like your personal Apple ID, but they’re created and managed by your organization. It will provide you access to all Apple services, and create a separate data storage for the applications used by the company. All your personal data and applications that were installed before you sign into your Managed Apple ID will remain as it is and will be completely invisible and encrypted to your IT department.
After signing in with your Managed Apple ID, the enrollment process begins, in which your Managed Apple ID is linked with the MDM solution. At this point, IT will have some limited functionalities to manage some settings and applications on your device. But here’s what they will not be able to do in User Enrollment mode:
But you might be asking what information the MDM can have, right? Well, none. The MDM will not have access to any personal information instead of a generic ID that was generated when you signed in with your Managed Apple ID. The MDM is restricted from accessing:
Apple’s new User Enrollment and MDM policies are a step toward a better balance of important concerns – it ensures that you have the highest level of privacy and the most trustworthy, transparent process while IT manages only the corporate data and applications. Apple made this possible, and in doing so, moved BYOD past the flash-in-the-pan stage. BYOD is here to stay more than ever before.
BYOD is here to stay – and it’s here to stay in K-12 schools/districts with the same rigorous security and privacy features as school-owned devices. Kids and teenagers are bringing their own iPhone, iPad, and Mac devices into the classroom every day, which can bring different challenges to your educational institution - especially when it comes to providing the most valuable and safe learning experiences when using these digital devices.
As an IT specialist, you’re tasked with developing robust security technology solutions, identifying ways to protect user data, and ensuring that students/teachers are using personal devices in the classroom in the safest way.
Well, good news for you: managing those Apple devices will be easier from now on. Way easier. Apple just introduced a new lightweight form of management called User Enrollment, which has a much greater focus on user privacy with a level of security that K-12 Schools and Districts can be more comfortable with.
The main goal of this new option is to balance the needs of IT to protect students when using technology in the classroom, as well as to manage apps and settings available for educational purposes, while also allowing users’ private personal data to remain separate from IT oversight.
Basically, the new User Enrollment option has three elements that we will cover in-depth individually:
The first component of User Enrollment is the Managed Apple ID, which, in short, is a special school-created and school-owned account that provides access to Apple services . It’s associated with all educational apps and data on the device and in the iCloud Drive. You can create an Apple ID using Apple Business Manager or Apple School Manager, which can federate with Microsoft Azure Active Directory to create a Managed Apple ID.
For User Enrollment, Managed Apple IDs will have a key function: establishing a work identity on the device, in which the user must successfully authenticate in order for enrollment to be completed. From this moment forward, the school’s managed apps and accounts will use the Managed Apple IDs iCloud account that the students and teachers just logged into.
At the same time, their personal Apple ID will work alongside the managed Apple ID, but the two won’t interact with each other. This separation will be presented next. This means that third-party apps are then either used in managed or unmanaged modes, meaning that users won’t be able to run the apps in both modes at the same time. For those built-in apps like Notes and Files, they will work through account-based, so the app will use the appropriate Apple ID depending on which account they’re operating on at the time.
We highly recommend that you check what Managed Apple IDs are, what their use is, and how to create them at Apple Business Manager User Guide: https://support.apple.com/guide/apple-business-manager/what-are-managed-apple-ids-tes78b477c81/web
To separate school's data from personal data, User Enrollment creates a separate APFS volume for managed accounts, apps, and data on the device at the time of the enrollment. In a few words, APFS, or Apple File System, allows space to be shared between volumes on a disk. As we have discussed before, to ensure the highest level of privacy and to address any security concerns, this managed volume is cryptographically separated from the rest of the device and not backed up.
The managed volume will host the local data stored by any managed third-party apps, school's Notes, and iCloud Drive docs. Also, it will host a managed keychain that stores secure entries along with authentication credentials for managed accounts, mail attachments, and full email bodies. Best of all: when the device is removed from MDM, it automatically destroys the volume and the keys.
This is a game-changer for any K-12 school and district that are using Apple devices, and it will provide the most straightforward, trustworthy experience for all IT, students, and teachers. Personal apps and data can’t be managed by IT admins, so teachers, students, and parents can always be sure that no personal information will ever be read or erased.
So what control does the IT department have over user information? Well, Apple hit the nail on the head with this one. User Enrollment, working alongside with the MDM, will give IT the ability to manage a limited set of configurations and policies associated with the user instead of the entire device. For that, Apple restricted the MDM to have access to any identifier for the device; instead, an “enrollment ID” is created and used to communicate with the MDM server and is destroyed when the device is removed from the management solution.
In other words, the user will have access to both personal and school's data with absolutely no chances that their personal data will be erased, modified, or even viewed by the IT admin.
Here’s a list of what User Enrollment can do:
What User Enrollment cannot do:
User Enrollment is revolutionizing the way technology is used in K-12 Schools and Districts. BYOD provides an easier way to bring technology into the classroom and provide great learning experiences for students and teachers because they can use a device they’re already familiar with, while knowing that IT is keeping their private information private. If your K-12 institution is interested in using User Enrollment and enhancing the BYOD program with your students and their families, the first step is to set up an MDM account and talk to one of our specialists to ensure the most successful deployment. You can sign up for your free account by clicking on the button below:
Create your MDM Account for Free
You just found out that your school is starting a new program that allows you to bring in your own Apple devices. This is exciting because it means you can use a device in the classroom that you’re already comfortable using. But you might be worried about bringing in a personal device- what about your personal information? What does this mean for you? Don’t worry, Apple is making sure that your sensitive information can’t be viewed by anyone else with the new User Enrollment.
When you bring in your Apple device to use in the classroom, you’ll be asked to accept an MDM policy. But first, what’s an MDM? MDM stands for Mobile Device Management, and it allows IT administrators to control, secure, and enforce policies on Apple devices. The goal of MDM is to optimize the functionality and security of mobile devices while simultaneously protecting the school's information. To be fair, MDM had a bunch of configurations that many users weren’t comfortable with, such as listing all the apps installed on the device or erasing it completely. As a result, many users weren’t comfortable enrolling their personal devices into an MDM solution.
But Apple has changed the rules of the game for the better. Apple just released User Enrollment, which provide IT admins with a limited set of configurations and policies for device management. This means that you can have the most private and trustworthy BYOD experience knowing that no one will ever have access to any of your personal information. Instead of managing your entire device, the IT department will provide you with a unique Managed Apple ID that will work alongside your own Apple ID and separate school and personal data on your device – it’s as simple as that.
Managed Apple ID works just like your personal Apple ID, but they’re created and managed by your organization. It will provide you access to all Apple services, and create a separate data storage for the applications used by the company. All your personal data and applications that were installed before you sign into your Managed Apple ID will remain as it is and will be completely invisible and encrypted to your school's IT department.
After signing in with your Managed Apple ID, the enrollment process begins, in which your Managed Apple ID is linked with the MDM solution. At this point, IT will have some limited functionalities to manage some settings and applications on your device. But here’s what they will not be able to do in User Enrollment mode:
But you might be asking what information the MDM can have, right? Well, none. The MDM will not have access to any personal information, and will instead only see a generic ID that was generated when you signed in with your Managed Apple ID. The MDM is restricted from accessing:
Apple’s new User Enrollment and MDM policies are a step toward a better balance of important concerns – it ensures that you have the highest level of privacy and the most trustworthy, transparent process while IT manages only the school data and applications. Apple made this possible, and in doing so, moved BYOD past the flash-in-the-pan stage. BYOD is here to stay more than ever before.
You just learned that your school allows you to bring in your own Apple device to use in the classroom. This helps you create a digital environment that encourages student engagement when it comes to learning. However, you’re aware of the security implications related to bringing in your own device, and are asked to sign an MDM policy before you can start using your device at work. Will your personal information be kept safe? Who even has access to your data? Fear not, because Apple is here to ensure that there isn’t a breach of your privacy with the release of the new User Enrollment.
But first, what’s an MDM? MDM stands for Mobile Device Management, and it allows IT administrators to control, secure, and enforce policies on Apple devices. The goal of MDM is to optimize the functionality and security of mobile devices while simultaneously protecting the school's information. To be fair, MDM had a bunch of configurations that many users weren’t comfortable with, such as listing all the apps installed on the device or erasing it completely. As a result, many users weren’t comfortable enrolling their personal devices into an MDM solution.
But Apple has changed the rules of the game for the better. Apple just released User Enrollment, which provides IT admins with a limited set of configurations and policies for device management. This means that you can have the most private and trustworthy BYOD experience knowing that no one will ever have access to any of your personal information. Instead of managing your entire device, the school's IT department will provide you with a unique Managed Apple ID that will work alongside your own Apple ID and separate work and personal data on your device – it’s as simple as that.
Managed Apple ID works just like your personal Apple ID, but they’re created and managed by your organization. It will provide you access to all Apple services, and create a separate data storage for the applications used by the company. All your personal data and applications that were installed before you sign into your Managed Apple ID will remain as it is and will be completely invisible and encrypted to your IT department.
After signing in with your Managed Apple ID, the enrollment process begins, in which your Managed Apple ID is linked with the MDM solution. At this point, IT will have some limited functionalities to manage some settings and applications on your device. But here’s what they will not be able to do in User Enrollment mode:
But you might be asking what information the MDM can have, right? Well, none. The MDM will not have access to any personal information, and will instead only see a generic ID that was generated when you signed in with your Managed Apple ID. The MDM is restricted from accessing:
Apple’s new User Enrollment and MDM policies are a step toward a better balance of important concerns – it ensures that you have the highest level of privacy and the most trustworthy, transparent process while IT manages only the school's data and applications. Apple made this possible, and in doing so, moved BYOD past the flash-in-the-pan stage. BYOD is here to stay more than ever before.
You were told that the school your child attends has a program that allows them to bring in their own Apple devices to use in class. This sounds great because the purpose of this is to enhance their education. But it also means that your child is bringing in a device from home that could have sensitive information on it. How can you know that this information, and your child, are kept safe? Well, that’s where Apple’s new User Enrollment comes in. This new feature means that you can rest assured knowing that personal data is kept safe from teachers, admins, and IT.
When your child brings in an Apple device to school, you’ll be asked to accept an MDM policy. But first, what’s an MDM? MDM stands for Mobile Device Management, and it allows IT administrators to control, secure, and enforce policies on Apple devices. The goal of MDM is to optimize the functionality and security of mobile devices while simultaneously protecting the school's information. To be fair, MDM had a bunch of configurations that many users weren’t comfortable with, such as listing all the apps installed on the device or erasing it completely. As a result, many users weren’t comfortable enrolling their personal devices into an MDM solution.
But Apple has changed the rules of the game for the better. Apple just released User Enrollment, which provides IT admins from schools and districts with a limited set of configurations and policies for device management. This means that you can have the most private and trustworthy BYOD experience knowing that no one will ever have access to any of your personal information. Instead of managing your child's entire device, the IT department will provide the student with a unique Managed Apple ID that will work alongside your own Apple ID, and separate educational and personal data on your child's device – it’s as simple as that.
Managed Apple ID works just like the personal Apple ID, but they’re created and managed by your child's educational institution. It will provide you access to all Apple services, and create a separate data storage for the applications used by the school. All your child's personal data and applications that were installed before you sign into your Managed Apple ID will remain as it is and will be completely invisible and encrypted to your IT department.
After signing in with your Managed Apple ID, the enrollment process begins, in which your Managed Apple ID is linked with the MDM solution. At this point, the school's IT department will have some limited functionalities to manage some settings and applications on your device. But here’s what they will not be able to do in User Enrollment mode:
But you might be asking what information the MDM can have, right? Well, none. The MDM will not have access to any personal information, and will instead only see a generic ID that was generated when you signed in with your Managed Apple ID. The MDM is restricted from accessing:
Apple’s new User Enrollment and MDM policies are a step toward a better balance of important concerns – it ensures that you have the highest level of privacy and the most trustworthy, transparent process while IT manages only the school's data and applications. Apple made this possible, and in doing so, moved BYOD past the flash-in-the-pan stage. BYOD is here to stay more than ever before.
This site was created by Mosyle, the new standard in Apple management. We strive to deliver the most enjoyable experience when managing and deploying Apple devices. We do this by offering the most secure, privacy-focused tools for IT and system administrators who want to streamline workflows while managing, deploying, provisioning, and scaling Apple deployment. Start using User Enrollment to improve your BYOD program in minutes: