Apple User Enrollment for iOS devices
User Enrollment for iOS devices is an enrollment method designed for Bring Your Own Device (BYOD) deployments where the user, instead of the organization, owns the device. It primarily focuses on enhancing user privacy and enterprise security.
User Enrollment requires a Managed Apple ID to establish a user identity on the device. Managed Apple IDs are created by an organization and give end users access to specific Apple services. The Managed Apple ID can co-exist with the user's personal Apple ID on the same device without the two interacting.
Once the User Enrollment profile is set up, separate encryption keys are created on the device to protect the organization’s data. These encryption keys are used to separate the managed data from the user’s personal data on the device. When the device is disenrolled, the encryption keys are securely destroyed to prevent unauthorized access to the organization’s data.
Unlike Automated Device Enrollment, where the MDM has complete control over the device, User Enrollment supports only a limited set of payloads and restrictions. For instance, critical MDM commands such as enabling or disabling Lost Mode and allowing or clearing Activation Lock cannot be executed. Additionally, device-specific identifiers such as the serial number, UDID, IMEI and MEID cannot be retrieved from the MDM console.
Setting up User Enrollment in the Hexnode UEM portal
- Log in to your Hexnode UEM portal.
- Go to Enroll > Platform-Specific > iOS > Email or SMS.
- Choose the authentication mode as Authenticated Enrollment.
- Select the Ownership of the device as Personal.
- Choose the Apple Enrollment Type as User Enrollment from the options below:
- Device Enrollment
- User Enrollment
- Click on Next.
- Configure the necessary details for sending enrollment requests and hit Send.
Enrollment requests comprising the enrollment URL, username, and password will be sent to the users via email or SMS.
On the device:
If Ownership was set to Personal and Apple Enrollment Type to User Enrollment in the portal:
- Open the Safari browser and enter the enrollment URL specified in the enrollment request.
For example, https://portalname.hexnodemdm.com/enroll/.
- On the enrollment screen, enable the checkbox to agree with the terms and conditions. Click Enroll.
- Enter your “Managed Apple ID” and click on Download Profile.
If Ownership was set to Let the user choose in the portal:
- Open the Safari browser and enter the enrollment URL specified in the enrollment request.
For example, https://portalname.hexnodemdm.com/enroll/.
- On the enrollment screen, enable the checkbox to agree with the terms and conditions. Click Enroll.
- Enter your username and password and select I own this device. Click on Authenticate. Alternatively, selecting My organization owns this device will enroll the device using Device Enrollment.
- Next, select how you want the devices to be managed by Hexnode UEM:
- Manage entire device – To manage the device completely without limitations on MDM capabilities.
- Manage only work-related data and apps – To manage corporate data by creating a separate volume on the device with limited MDM capabilities.
- Select Manage only work-related data and apps and enter your “Managed Apple ID”.
- Click on Download Profile.
Finally, after the enrollment profile is downloaded, navigate to Settings > Enrol in Hexnode UEM and click on Enrol My iPhone. Here, you need to enter the password of your Managed Apple ID. Once the enrollment is successful, you can see the downloaded Hexnode UEM profile in General > VPN & Device Management.
Once enrollment is complete, the newly managed account will be displayed in the Settings app on iPhone and iPad. Users can view details about what is being managed on their personal device, such as specific settings or restrictions implemented by their organization, as well as the amount of iCloud storage space provided by their organization.
MDM functionalities in User enrolled devices
Compared to other enrollment types, User Enrollment severely limits the permissions that an MDM has when administering a device. Unlike device enrollment, device details such as Serial Number, UDID, IMEI and MEID cannot be retrieved in this case.
Here is a comprehensive list of available Hexnode UEM functionalities on devices enrolled using User Enrollment.
- Remote Actions
  - Scan Device
  - Scan Device Location
  - Lock Device
  - Edit Device Attributes
  - Install Application
  - Uninstall Application
  - Disenroll Device
  - Broadcast Message
  - Associate Policy
  - Add Devices To Groups
  - Set Friendly Name
  - Export Device Details
  - Delete Device
- Passcode
  Regardless of the passcode requirements configured in the policy, the following exceptions apply on devices enrolled using User Enrollment:
  - Simple values are never allowed.
  - The minimum passcode length is 6.
  - Complex characters cannot be mandated.
- Restrictions
  - Allow Device Functionality
    - Siri
    - Allow Siri while device is locked
    - Screen capture
  - Allow Application Settings
    - Sync managed data with iCloud
    - Backup enterprise-deployed iBooks
    - Fraud warning
  - Allow Security and Privacy Settings
    - Today View on lock screen
    - Control Center on lock screen
    - Lock screen notifications
    - Force encrypted backup
    - Send diagnostic data to Apple
- App Management
  Deploy and manage Enterprise and VPP apps using the Required Apps policy or the Install Application action from the Hexnode UEM console. Only applications installed via these methods through the Hexnode UEM console are considered managed. Applications manually installed by users on their devices remain unmanaged and cannot be converted to managed apps. You can also add Web Clips to the Home Screen on iPhone and iPad devices.
  User Enrollment requires an Apple VPP token associated with your Hexnode UEM portal to install managed apps from the App Store on devices.
  Once the device is disenrolled from Hexnode UEM, all managed apps and data are removed, and the device returns to the state it was in before enrollment.
- Network
- Security
- Accounts
- Expense Management
- Configurations
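As an added example (not Hexnode's code), the following Python helper encodes the User Enrollment limits stated on this page, the unavailable device identifiers and MDM actions and the passcode exceptions, and audits constructed inventory records for console settings that a User Enrolled device will not honour. The action labels, attribute names and record fields are assumptions made for illustration.

```python
from dataclasses import dataclass

# Action labels and attribute names are constructed for this example (not
# Hexnode identifiers); they mirror the User Enrollment limits listed above.
UNSUPPORTED_ACTIONS = {"Enable Lost Mode", "Disable Lost Mode",
                       "Allow Activation Lock", "Clear Activation Lock"}
UNAVAILABLE_ATTRIBUTES = {"serial_number", "udid", "imei", "meid"}

@dataclass(frozen=True)
class PasscodePolicy:
    allow_simple: bool = True
    min_length: int = 4
    min_complex_chars: int = 0

def effective_passcode_policy(configured: PasscodePolicy) -> PasscodePolicy:
    """Policy a User Enrolled device actually enforces, per the exceptions above."""
    return PasscodePolicy(
        allow_simple=False,                        # simple values are never allowed
        min_length=max(6, configured.min_length),  # floor of 6 regardless of console
        min_complex_chars=0,                       # complex characters cannot be mandated
    )

def audit_device(device: dict, configured: PasscodePolicy) -> list[str]:
    """Findings where console expectations differ from what the device delivers."""
    findings: list[str] = []
    if device.get("enrollment_type") != "User Enrollment":
        return findings  # the limits below apply only to User Enrollment
    for action in device.get("pending_actions", []):
        if action in UNSUPPORTED_ACTIONS:
            findings.append(f"action '{action}' cannot run on a User Enrolled device")
    for attr in sorted(UNAVAILABLE_ATTRIBUTES & set(device.get("compliance_attributes", []))):
        findings.append(f"compliance rule on '{attr}' has no data under User Enrollment")
    eff = effective_passcode_policy(configured)
    if configured.min_complex_chars > eff.min_complex_chars:
        findings.append("complex character requirement is not enforced on the device")
    if (configured.min_length, configured.allow_simple) != (eff.min_length, eff.allow_simple):
        findings.append(f"device enforces minimum length {eff.min_length} and no simple values")
    return findings

# Constructed sample inventory records and console policy (not real data).
SAMPLE_DEVICES = [
    {"name": "byod-iphone", "enrollment_type": "User Enrollment",
     "pending_actions": ["Scan Device", "Enable Lost Mode"],
     "compliance_attributes": ["serial_number", "os_version"]},
    {"name": "corp-ipad", "enrollment_type": "Device Enrollment",
     "pending_actions": ["Enable Lost Mode"], "compliance_attributes": ["serial_number"]},
]
CONSOLE_POLICY = PasscodePolicy(allow_simple=True, min_length=4, min_complex_chars=2)
```

Running `audit_device` over `SAMPLE_DEVICES` with `CONSOLE_POLICY` yields four findings for the BYOD phone (an unsupported action, a compliance rule on an unavailable identifier, and two passcode gaps) and none for the corporate iPad.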