As an IT specialist, you’re tasked with developing robust security technology solutions, identifying ways to protect user data, and ensuring that students and teachers use personal devices in the classroom in the safest way.
Well, good news for you: managing those Apple devices will be easier from now on. Way easier. Apple just introduced a new lightweight form of management called User Enrollment, which puts a much greater focus on user privacy while offering a level of security that K-12 Schools and Districts can be more comfortable with.
The main goal of this new option is to balance the needs of IT to protect students when using technology in the classroom, as well as to manage apps and settings available for educational purposes, while also allowing users’ private personal data to remain separate from IT oversight.
Basically, the new User Enrollment option has three elements, each of which we will cover in depth:
- A Managed Apple ID that works alongside students’ and teachers' personal Apple IDs;
- Cryptographic managed volume to separate personal and work data;
- Limited set of device-wide management capabilities for IT.
1) Managed Apple IDs
The first component of User Enrollment is the Managed Apple ID, which, in short, is a special school-created and school-owned account that provides access to Apple services. It’s associated with all educational apps and data on the device and in iCloud Drive. You create Managed Apple IDs in Apple Business Manager or Apple School Manager, both of which can federate with Microsoft Azure Active Directory to create Managed Apple IDs from existing directory accounts.
For User Enrollment, Managed Apple IDs have a key function: establishing a work identity on the device. The user must authenticate with the Managed Apple ID for enrollment to complete. From that moment on, the school’s managed apps and accounts use the iCloud account of the Managed Apple ID the student or teacher just signed in to.
At the same time, the personal Apple ID continues to work alongside the Managed Apple ID, but the two never interact; the separation is described in the next section. Third-party apps therefore run in either managed or unmanaged mode, never both at the same time. Built-in apps such as Notes and Files are account-based, so the app uses the appropriate Apple ID depending on which account it is operating on at the time.
We highly recommend reading what Managed Apple IDs are, what they are used for, and how to create them in the Apple Business Manager User Guide: https://support.apple.com/guide/apple-business-manager/what-are-managed-apple-ids-tes78b477c81/web
2) Data Separation Volume
To separate school data from personal data, User Enrollment creates a separate APFS volume for managed accounts, apps, and data on the device at enrollment time. In a few words, APFS, or Apple File System, allows space to be shared between volumes on a disk. As mentioned above, to ensure the highest level of privacy and to address security concerns, this managed volume is cryptographically separated from the rest of the device and is not backed up.
The managed volume hosts the local data stored by any managed third-party apps, the school’s Notes, and iCloud Drive documents. It also hosts a managed keychain that stores secure entries along with authentication credentials for managed accounts, mail attachments, and full email bodies. Best of all: when the device is removed from MDM, the volume and its keys are destroyed automatically.
This is a game-changer for any K-12 school or district using Apple devices, and it provides the most straightforward, trustworthy experience for IT, students, and teachers alike. Personal apps and data can’t be managed by IT admins, so teachers, students, and parents can always be sure that no personal information will be read or erased.
3) User Enrollment Management Capabilities
So what control does the IT department have over user information? Well, Apple hit the nail on the head with this one. User Enrollment, working alongside the MDM solution, gives IT the ability to manage a limited set of configurations and policies associated with the user rather than the entire device. To that end, Apple keeps the MDM solution from accessing any persistent identifier for the device; instead, an “enrollment ID” is created, used to communicate with the MDM server, and destroyed when the device is removed from management.
In other words, the user has access to both personal and school data with no chance that their personal data will be erased, modified, or even viewed by the IT admin.
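To make the enrollment-ID point concrete from the server side, here is an added example (not code from the original post or from any MDM vendor) of how an MDM back end written for User Enrollment would handle check-in traffic: records are keyed on the per-enrollment `EnrollmentID` alone, any persistent device identifier that shows up in a message is refused and flagged rather than stored, and a `CheckOut` deletes the record the same way the device destroys its managed volume. The message shapes are constructed for the example and all identifier values are placeholders; the set of identifier keys treated as forbidden is this example's own policy, not an Apple-defined list.

```python
import plistlib
from typing import Dict, List, Tuple

# Keys that identify the physical device in MDM check-in and query traffic.
# Under User Enrollment the device never sends them, so a server written for
# it treats their presence as a defect and never persists them. Which keys
# belong in this set is this example's own policy, not an Apple-defined list.
PERSISTENT_IDENTIFIERS = frozenset(
    {"UDID", "SerialNumber", "IMEI", "MEID", "WiFiMAC", "BluetoothMAC"}
)


class UserEnrollmentStore:
    """Stand-in for an MDM server's enrollment table, keyed on EnrollmentID only."""

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}
        # (enrollment_id, offending keys) pairs, kept so the anomaly can be alerted on.
        self.rejected: List[Tuple[str, List[str]]] = []

    def handle_checkin(self, body: bytes) -> str:
        """Process one check-in plist; returns 'stored' or 'removed'."""
        msg = plistlib.loads(body)
        enrollment_id = msg.get("EnrollmentID")
        if not enrollment_id:
            # A UDID is not accepted in its place: the table is keyed on the
            # per-enrollment value only.
            raise ValueError("check-in without EnrollmentID rejected")

        if msg.get("MessageType") == "CheckOut":
            # Unenrollment: the enrollment ID is single-use, so everything tied
            # to it goes with it, mirroring the device destroying its managed volume.
            self.records.pop(enrollment_id, None)
            return "removed"

        # Never persist device identity, but keep evidence that it was sent.
        leaked = sorted(msg.keys() & PERSISTENT_IDENTIFIERS)
        if leaked:
            self.rejected.append((enrollment_id, leaked))
        clean = {k: v for k, v in msg.items() if k not in PERSISTENT_IDENTIFIERS}
        self.records.setdefault(enrollment_id, {}).update(clean)
        return "stored"

    def stored_keys(self, enrollment_id: str) -> List[str]:
        """Sorted list of the keys held for an enrollment (empty if unknown)."""
        return sorted(self.records.get(enrollment_id, {}))


def is_accepted(store: UserEnrollmentStore, body: bytes) -> bool:
    """True if the store accepted the check-in, False if it rejected it."""
    try:
        store.handle_checkin(body)
        return True
    except ValueError:
        return False


# Constructed sample traffic for one enrollment; every value is a placeholder.
ENROLLMENT_ID = "ue-0000-EXAMPLE"
AUTHENTICATE = plistlib.dumps({
    "MessageType": "Authenticate",
    "Topic": "com.apple.mgmt.External.example",
    "EnrollmentID": ENROLLMENT_ID,
})
# Constructed defect: a TokenUpdate that also carries device identifiers.
TOKEN_UPDATE_WITH_UDID = plistlib.dumps({
    "MessageType": "TokenUpdate",
    "EnrollmentID": ENROLLMENT_ID,
    "Token": b"\x01\x02\x03\x04",
    "PushMagic": "EXAMPLE-PUSH-MAGIC",
    "UDID": "00008030-EXAMPLE",
    "SerialNumber": "EXAMPLESN",
})
# Constructed defect: a device-enrollment style message with no EnrollmentID.
AUTHENTICATE_WITHOUT_ID = plistlib.dumps({
    "MessageType": "Authenticate",
    "UDID": "00008030-EXAMPLE",
})
CHECK_OUT = plistlib.dumps({"MessageType": "CheckOut", "EnrollmentID": ENROLLMENT_ID})


def run_lifecycle() -> UserEnrollmentStore:
    """Drive one enrollment through Authenticate and TokenUpdate; CheckOut is left to the caller."""
    store = UserEnrollmentStore()
    store.handle_checkin(AUTHENTICATE)
    store.handle_checkin(TOKEN_UPDATE_WITH_UDID)
    return store


if __name__ == "__main__":
    s = run_lifecycle()
    print("stored keys:", s.stored_keys(ENROLLMENT_ID))
    print("rejected identifiers:", s.rejected)
    print(s.handle_checkin(CHECK_OUT), "->", s.stored_keys(ENROLLMENT_ID))
```

The `rejected` list is the detection hook: a User Enrollment device should never produce an entry there, so any entry is worth an alert, because it means either a misconfigured enrollment type or a server code path carried over from device enrollment.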
Here’s a list of what User Enrollment can do:
- Configure accounts
- Configure Per-app VPN
- Install and configure apps
- Require a passcode
- Enforce certain restrictions
- Issue an MDM command or query gathering information about apps, accounts, and configuration provided by the MDM solution
- Unenroll the device and cause all organizationally provided data, apps, and accounts to be deleted
What User Enrollment cannot do:
- Obtain any persistent device identifiers (like Serial Number, UDID, or IMEI); instead it uses a unique value to identify the device for the duration of the enrollment
- Require complex alphanumeric passcodes
- Clear the device passcode or lower the security of the device
- Enforce certain restrictions
- Take over management of an app that a user installed themselves
- Issue an MDM command or query gathering information about apps downloaded with the user’s personal Apple ID
- Remotely wipe the entire device
- Access any cellular features
- Add payloads that collect logs on the device
- Add any supervised restrictions to the user’s device
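The two lists above are a review checklist for the enrollment profile an MDM serves to BYOD devices. As an added example (not part of the original post and not any vendor's code), the linter below reads a configuration profile plist and reports settings that fall on the "cannot" side: an `AccessRights` mask that requests remote erase, a passcode payload that requires alphanumeric passcodes, and restriction keys that need supervision. The `EnrollmentMode`/`BYOD` key and the payload types and keys used are standard configuration-profile names; the bit value for the erase right is the standard MDM `AccessRights` erase bit; the set of restriction keys treated as supervised-only is an assumption for illustration and should be checked against Apple's configuration profile reference. The two sample profiles are constructed and every URL and identifier in them is a placeholder.

```python
import plistlib
from typing import List

# Bit in the MDM payload's AccessRights mask that grants remote erase: the
# standard "allow device erase" right, which User Enrollment cannot perform.
ACCESS_RIGHT_ERASE = 8

# Restriction keys this example treats as supervised-only. The set is an
# assumption for illustration; Apple's configuration profile reference is
# the authoritative source.
SUPERVISED_ONLY_RESTRICTIONS = frozenset({
    "allowAppRemoval",
    "allowEraseContentAndSettings",
    "allowUIConfigurationProfileInstallation",
})


def lint_user_enrollment_profile(profile_bytes: bytes) -> List[str]:
    """Return one finding per setting that User Enrollment cannot apply."""
    profile = plistlib.loads(profile_bytes)
    findings: List[str] = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        ident = payload.get("PayloadIdentifier", "<no identifier>")
        if ptype == "com.apple.mdm":
            if payload.get("EnrollmentMode") != "BYOD":
                findings.append(f"{ident}: EnrollmentMode must be BYOD for User Enrollment")
            if payload.get("AccessRights", 0) & ACCESS_RIGHT_ERASE:
                findings.append(f"{ident}: AccessRights requests device erase, which User Enrollment cannot perform")
        elif ptype == "com.apple.mobiledevice.passwordpolicy":
            if payload.get("requireAlphanumeric"):
                findings.append(f"{ident}: complex alphanumeric passcodes cannot be required")
        elif ptype == "com.apple.applicationaccess":
            for key in sorted(payload.keys() & SUPERVISED_ONLY_RESTRICTIONS):
                findings.append(f"{ident}: {key} is a supervised-only restriction")
    return findings


def build_profile(access_rights: int, require_alnum: bool, restrictions: dict) -> bytes:
    """Assemble a constructed enrollment profile; every URL and identifier is a placeholder."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "edu.example.ue",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "PayloadContent": [
            {
                "PayloadType": "com.apple.mdm",
                "PayloadIdentifier": "edu.example.ue.mdm",
                "ServerURL": "https://mdm.example.edu/mdm",
                "CheckInURL": "https://mdm.example.edu/checkin",
                "Topic": "com.apple.mgmt.External.example",
                "EnrollmentMode": "BYOD",
                "AccessRights": access_rights,
            },
            {
                "PayloadType": "com.apple.mobiledevice.passwordpolicy",
                "PayloadIdentifier": "edu.example.ue.passcode",
                "forcePIN": True,
                "minLength": 6,
                "requireAlphanumeric": require_alnum,
            },
            {
                "PayloadType": "com.apple.applicationaccess",
                "PayloadIdentifier": "edu.example.ue.restrictions",
                **restrictions,
            },
        ],
    })


# A profile copied over from a device-enrollment deployment: erase right,
# alphanumeric passcode and a supervised-only restriction all present.
DEVICE_STYLE_PROFILE = build_profile(
    8 | 256 | 4096, True, {"allowAppRemoval": False, "allowExplicitContent": False}
)
# The same profile trimmed to what User Enrollment supports.
USER_ENROLLMENT_PROFILE = build_profile(256 | 4096, False, {"allowExplicitContent": False})


if __name__ == "__main__":
    for name, prof in [("device-style", DEVICE_STYLE_PROFILE), ("user-enrollment", USER_ENROLLMENT_PROFILE)]:
        print(name, "->", lint_user_enrollment_profile(prof) or "clean")
```

Running the linter on a profile before it is published catches the common migration mistake of reusing a device-enrollment profile for BYOD users; the device would refuse or ignore the offending settings, but a pre-flight check keeps the failure out of the classroom.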
User Enrollment is revolutionizing the way technology is used in K-12 Schools and Districts. BYOD provides an easier way to bring technology into the classroom and great learning experiences for students and teachers, because they can use a device they’re already familiar with while knowing that IT is keeping their private information private. If your K-12 institution is interested in using User Enrollment and enhancing its BYOD program with students and their families, the first step is to set up an MDM account and talk to one of our specialists to ensure a successful deployment. You can sign up for your free account to get started.