Account-driven Device Enrollment is an enrollment method introduced with iOS 17, iPadOS 17, macOS 14, and visionOS 1.1, designed for corporate-owned devices that are not registered in Apple Business Manager (ABM). It allows organizations to manage devices with a broad set of MDM capabilities while still leveraging a Managed Apple Account for authentication — without needing a DEP setup or sharing an enrollment link.
It sits between Account-driven User Enrollment (BYOD, limited MDM capabilities) and Automated Device Enrollment (zero-touch, fully supervised) in terms of management scope and deployment complexity.
Both a Managed Apple Account and a personal Apple Account can be active on the same device simultaneously, with full separation of work and personal data.
Supported Devices and Minimum OS Requirements
| Device | Minimum OS |
|---|---|
| iPhone | iOS 17 |
| iPad | iPadOS 17 |
| Mac | macOS 14 Sonoma |
| Apple Vision Pro | visionOS 1.1 |
How does enrollment work?
To enroll a device, the user navigates to Settings > General > VPN & Device Management (on iPhone/iPad) or System Settings > General > Device Management (on Mac) and selects the Sign In to Work or School Account button.
This initiates a four-stage process:

1. The device uses the user's organizational identifier (e.g. `user@<domain>`) to automatically locate the organization's MDM enrollment URL by querying a well-known resource at the domain:
   `https://<domain>/.well-known/com.apple.remotemanagement`
   The MDM server responds with a JSON document indicating the enrollment type (`mdm-adde` for account-driven Device Enrollment) and the enrollment URL.
2. The user authenticates with the MDM service using their organizational credentials. Upon successful authentication, the MDM service issues a secure access token that is stored on the device and used for all subsequent requests. This token also enables continuous verification of the user's authorization throughout the device's enrollment lifecycle.
   On iPhone, iPad, and Apple Vision Pro, this process can be further streamlined using Enrollment SSO (Single Sign-On), which reduces repeated authentication prompts and allows token renewal to happen automatically through the organization's identity provider.
3. Using the access token, the device retrieves the enrollment profile from the MDM service. To complete enrollment, the user must sign in with their Managed Apple Account. Once enrolled, the Managed Apple Account is displayed prominently in Settings and System Settings.
4. The access token remains active after enrollment and is included in all requests to the MDM service. This allows the service to continuously verify that the enrolled user is still authorized. When the token expires, the user may be prompted to re-authenticate — or, if Enrollment SSO is configured, this happens transparently in the background.
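As an added illustration of the discovery stage above (not code from the original article or from Apple), the following script builds the well-known discovery URL a device would query for a given identifier and validates the JSON answer an MDM server returns. It assumes the `Servers` / `Version` / `BaseURL` keys and the `user-identifier` query parameter of Apple's published service-discovery format; the hostnames and the sample document are constructed for the example.

```python
import json
from urllib.parse import quote, urlparse

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"


def discovery_url(user_identifier: str) -> str:
    """Derive the discovery URL from the domain part of the identifier.

    The device only trusts the domain after the '@', so we reject
    identifiers that could smuggle a different host into the URL.
    """
    if user_identifier.count("@") != 1:
        raise ValueError("identifier must look like user@domain")
    domain = user_identifier.rsplit("@", 1)[1].strip().lower()
    if not domain or any(c in domain for c in "/?#\\ "):
        raise ValueError("malformed domain")
    # Assumed query parameter name from Apple's discovery format.
    return (f"https://{domain}{WELL_KNOWN_PATH}"
            f"?user-identifier={quote(user_identifier, safe='')}")


def select_enrollment_server(body: str, wanted: str = "mdm-adde") -> str:
    """Pick the BaseURL advertised for the wanted enrollment type.

    Rejects documents without a Servers array and any BaseURL that is
    not https, since the enrollment endpoint must be reached over TLS.
    """
    doc = json.loads(body)
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list):
        raise ValueError("discovery document lacks a Servers array")
    for entry in servers:
        if not isinstance(entry, dict) or entry.get("Version") != wanted:
            continue
        url = entry.get("BaseURL", "")
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.netloc:
            raise ValueError(f"BaseURL must be an https URL: {url!r}")
        return url
    raise LookupError(f"no server entry advertises {wanted}")


# Constructed sample: one server offering both BYOD and ADDE enrollment.
SAMPLE_DISCOVERY = json.dumps({"Servers": [
    {"Version": "mdm-byod", "BaseURL": "https://mdm.example.com/byod"},
    {"Version": "mdm-adde", "BaseURL": "https://mdm.example.com/adde"},
]})

if __name__ == "__main__":
    print(discovery_url("alice@example.com"))
    print(select_enrollment_server(SAMPLE_DISCOVERY))
```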
What can IT administrators manage?
Account-driven Device Enrollment provides a broader set of management capabilities than Account-driven User Enrollment, making it suitable for corporate-owned devices.
Key capabilities include:
| Capability | Available |
|---|---|
| Query serial number and device identifiers (UDID, IMEI) | ✅ |
| Query installed apps list | ✅ |
| Query device time zone, phone number, roaming status | ✅ |
| Configure VPN (full device) | ✅ |
| Configure per-app VPN | ✅ |
| Require and enforce complex passcode | ✅ |
| Remotely erase all content and settings | ✅ |
| Enforce software updates | ✅ |
| Manage FileVault (macOS) | ✅ |
| Set device name (macOS) | ✅ |
| Manage Activation Lock (macOS) | ✅ |
| Silent app installation | ✅ |
| Install and manage certificates | ✅ |
| Configure Wi-Fi and email profiles | ✅ |
| Manage Activation Lock (iOS/iPadOS) | ❌ (requires Automated Device Enrollment) |
| Configure Always On VPN | ❌ (requires Automated Device Enrollment) |
| Configure Global HTTP Proxy | ❌ (requires Automated Device Enrollment) |
| Set device name (iOS/iPadOS) | ❌ (requires Automated Device Enrollment) |
| Enable Lost Mode | ❌ (requires Automated Device Enrollment) |
Supervision
Account-driven Device Enrollment does not result in supervision on iPhone, iPad, or Apple Vision Pro. However, on Mac computers with macOS 11 or later, Device Enrollment — including the account-driven variant — does enforce supervision automatically.
This means Mac devices enrolled this way gain access to supervision-only management capabilities not available on iOS/iPadOS devices enrolled through the same method.
How is work and personal data separated?
When enrollment is complete, the operating system automatically creates separate encryption keys on the device. If the user unenrolls, or if the MDM service remotely unenrolls the device, the operating system destroys those keys, cryptographically removing all managed data. The following content is kept separate between the work and personal contexts:
| Content | Minimum OS |
|---|---|
| Managed app data containers | iOS 15, iPadOS 15, macOS 14, visionOS 1.1 |
| Keychain items | iOS 15, iPadOS 15, macOS 14, visionOS 1.1 |
| Mail app (attachments and body) | iOS 15, iPadOS 15, macOS 14, visionOS 1.1 |
| Notes app | iOS 15, iPadOS 15, macOS 14, visionOS 1.1 |
| Calendar app | iOS 16, iPadOS 16.1, macOS 13, visionOS 1.1 |
| Reminders app | iOS 17, iPadOS 17, macOS 14, visionOS 1.1 |
Additionally, if a user is signed in with both a personal Apple Account and a Managed Apple Account, Sign in with Apple automatically uses the Managed Apple Account for managed apps and the personal Apple Account for unmanaged apps — no manual selection required.
When should I use Account-Driven Device Enrollment?
This method is a good fit when:

- Devices are corporate-owned but not purchased through Apple or an authorized reseller (and therefore not eligible for DEP/ABM automatic assignment).
- You need more management control than BYOD (Account-driven User Enrollment), but don't have a full ABM/DEP setup in place.
- You want a modern, frictionless enrollment experience that doesn't require sharing a link or QR code — just a Managed Apple Account sign-in.
- You are managing Mac computers and want supervision enforced automatically without a physical setup process.

It is not recommended when:

- You need the device to be supervised on an iPhone or iPad (use Automated Device Enrollment instead).
- You need features like Lost Mode, Always On VPN, or Global HTTP Proxy on iOS/iPadOS.
- The deployment scenario is BYOD (use Account-driven User Enrollment instead).