Like clockwork, Apple introduces new mobile device management features every autumn for iOS, macOS, tvOS and now the new iPadOS.
The biggest change this year was User Enrollment, a new management mode designed especially for BYOD MDM. Along with all the OS updates, there was a semantic change: Apple started to use new terms for the different types of Apple MDM.
User Enrollment, announced at Apple's Worldwide Developers Conference, is a new management mode. It arose from Apple's desire to have stronger boundaries between corporate and personal apps and data on devices in a BYOD ownership scenario.
User Enrollment is based on Apple's existing MDM protocol, but when an Apple admin flags the enrollment process as User Enrollment-based, the device only gives IT admins a limited set of capabilities. User Enrollment is available on iOS and iPadOS and in a limited form on macOS.
To get the device ready for users, IT can install the required apps, configure user accounts and set some device-wide policies, such as enforcing a six-digit passcode. The devices store enterprise data in a separate encrypted volume, and users must sign in to their devices with a managed Apple ID their organization provides.
What makes User Enrollment so BYOD-friendly is what IT professionals cannot do via this Apple MDM mode. An administrator cannot perform invasive device management functions, such as erasing the device, commanding the device to unlock or viewing a list of the apps the user installed.
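To make the two sides of User Enrollment concrete, here is an added example (not code from the article, Apple or any MDM vendor) that builds the one device-wide policy the article names, a six-digit passcode requirement, as a configuration profile, and implements the server-side gate an MDM console should apply so that the three invasive commands the article says User Enrollment withholds are never queued to a User Enrollment device. The passcode payload type and keys are Apple's documented ones; the MDM RequestType names are real, but the deny list here is only the three operations the article mentions, not Apple's full list of restricted commands. The identifiers, organization name and enrollment-type labels are constructed.

```python
"""Added example: passcode policy profile plus a command gate for User Enrollment."""
import plistlib
import uuid

# Apple's passcode payload type and keys (documented); identifiers are constructed.
PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"


def build_passcode_profile(min_length: int = 6, org: str = "Example Corp") -> bytes:
    """Return a configuration profile (XML plist bytes) that enforces a
    passcode of at least `min_length` characters and rejects simple codes."""
    if min_length < 4:
        raise ValueError("a passcode policy shorter than 4 is not meaningful")
    payload = {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.passcode",  # constructed
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,       # a passcode is required
        "allowSimple": False,   # reject repeating or sequential codes
        "minLength": min_length,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.baseline",  # constructed
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"{org} baseline",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def passcode_min_length(profile_bytes: bytes) -> int:
    """Parse a profile and return the minLength of its passcode payload,
    which is how a reviewer would verify what the profile actually enforces."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile["PayloadContent"]:
        if payload.get("PayloadType") == PASSCODE_PAYLOAD_TYPE:
            return int(payload.get("minLength", 0))
    raise LookupError("no passcode payload in profile")


# MDM RequestType names for the three operations the article says User
# Enrollment does not allow. This is deliberately not Apple's complete list.
INVASIVE_COMMANDS = frozenset({"EraseDevice", "ClearPasscode", "InstalledApplicationList"})


def authorize_command(enrollment_type: str, request_type: str) -> bool:
    """Server-side gate: refuse to queue an invasive command to a device that
    enrolled via User Enrollment, so a misconfigured console cannot reach into
    the personal side of the device. enrollment_type is "User" or "Device"
    (labels assumed for this example)."""
    if enrollment_type not in {"User", "Device"}:
        raise ValueError(f"unknown enrollment type {enrollment_type!r}")
    if enrollment_type == "User" and request_type in INVASIVE_COMMANDS:
        return False
    return True


if __name__ == "__main__":
    profile = build_passcode_profile()
    print(profile.decode())
    print("enforced minimum passcode length:", passcode_min_length(profile))
    for cmd in ("EraseDevice", "DeviceInformation"):
        print(cmd, "permitted on User Enrollment:", authorize_command("User", cmd))
```

The gate belongs in the MDM server, not in the admin UI: the device itself will reject these commands under User Enrollment, but refusing them server-side keeps them out of audit logs and out of any queue that might later be replayed to a device re-enrolled under Device Enrollment.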
There are still a few caveats. Organizations need Apple Business Manager or Apple School Manager to create managed Apple IDs, and these services are not available in all regions. It will also take a while for IT and security teams to evaluate User Enrollment and create policies.
Despite these issues, the fact that the company created a whole new Apple MDM variant for BYOD is a signal of just how important BYOD ownership is in the enterprise. In addition, Apple is finally responding to the more strictly separated BYOD options that are available in Google's Android Enterprise work profiles.
The traditional Apple MDM mode, which has been available since 2010, is now known as Device Enrollment. Device Enrollment supports iOS, iPadOS, macOS and tvOS. IT can manage Apple Watches by applying restrictions to the devices they're paired to.
There are no regional dependencies to worry about either. Device Enrollment is quite flexible from an administration perspective.
With a light touch and various app-level policies that are available, IT can use this method for BYOD devices. Apple admins can also combine it with Apple Configurator to enforce supervised mode and lock down corporate-owned devices as needed.
Automated Device Enrollment
The Device Enrollment Program, available since 2014, is now called Automated Device Enrollment.
Automated Device Enrollment uses a zero-touch device provisioning process. IT can set brand-new devices to enroll directly into MDM when the users boot them for the first time; this method doesn't require any other user interaction. This also prevents users from circumventing MDM by erasing devices, which was an issue in some early large deployments.
The banner new feature for Automated Device Enrollment is setup assistant customization. This enables administrators to set up modern, web-based authentication flows or display custom content, such as terms of service, during the enrollment process.
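The zero-touch flow only prevents users from circumventing MDM if the enrollment profile is configured that way. The following added example (not code from the article or from Apple) lints an Automated Device Enrollment profile definition for the settings that matter to a defender: supervision, whether the user can remove the MDM profile, whether the device waits for MDM before it becomes usable, and whether the enrollment and custom web-authentication URLs use HTTPS. The key names (profile_name, url, is_supervised, is_mdm_removable, await_device_configured, configuration_web_url, skip_setup_items) follow Apple's device-assignment profile API as I recall it and should be checked against Apple's current documentation; the hostnames and profile values are constructed.

```python
"""Added example: lint an Automated Device Enrollment profile for weak settings."""
import json
from urllib.parse import urlparse

# Constructed sample profile; key names assumed from Apple's device-assignment API.
SAMPLE_PROFILE = json.dumps({
    "profile_name": "Corporate iPad baseline",
    "url": "https://mdm.example.com/enroll",                 # constructed hostname
    "is_supervised": True,
    "is_mdm_removable": False,
    "await_device_configured": True,
    "configuration_web_url": "https://mdm.example.com/auth",  # web-based auth page
    "skip_setup_items": ["Siri", "Diagnostics"],
})


def lint_ade_profile(profile_json: str) -> list:
    """Return a list of findings; an empty list means the profile matches the
    corporate-owned baseline described in the article."""
    p = json.loads(profile_json)
    findings = []
    if not p.get("is_supervised", False):
        findings.append("is_supervised is false: supervised-only restrictions are unavailable")
    if p.get("is_mdm_removable", True):
        findings.append("is_mdm_removable is true: the user can remove the MDM profile")
    if not p.get("await_device_configured", False):
        findings.append("await_device_configured is false: device is usable before MDM finishes setup")
    for key in ("url", "configuration_web_url"):
        value = p.get(key)
        if value and urlparse(value).scheme != "https":
            findings.append(f"{key} is not https: enrollment or authentication traffic is unprotected")
    return findings


if __name__ == "__main__":
    for finding in lint_ade_profile(SAMPLE_PROFILE) or ["no findings"]:
        print(finding)
```

Run the lint against every profile stored in Apple Business Manager or Apple School Manager before assigning devices to it; a profile that passes once can be edited later, so the check is worth repeating in a scheduled job.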
Automated Device Enrollment is now common with any corporate-owned device management scenario. User Enrollment is likely to become common as well. However, the standard Device Enrollment model isn't going away.