Starting in iOS 13 and macOS 10.15 Catalina, Apple introduced a new enrollment method called User Enrollment. With iOS 15 and macOS 14, Apple refined this approach into what is now officially called Account-driven User Enrollment — the current recommended method for BYOD scenarios.
This is a notably different enrollment mode from the ones previously available: Apple DEP, enrollment links, and Supervised mode. Those modes still exist, but Account-driven User Enrollment targets Bring Your Own Device (BYOD) deployments specifically and requires the user to authenticate with a Managed Apple ID to complete the enrollment.
User Enrollment is still in private beta for a limited number of customers. If you want to learn more, please contact us at [email protected].
Why another enrollment method?
Existing enrollment and supervision methods are very powerful. Administrators can wipe, lock, and heavily restrict a DEP-enrolled and supervised device. On macOS, administrators can run any root-level command or script and apply highly intrusive configurations at the device and app levels. They can also list and obtain detailed information about the devices, including apps that were not deployed through the MDM solution. In other words, administrators have almost full control over managed devices.
Account-driven User Enrollment addresses the BYOD use case by restricting what the MDM can do. Instead of the MDM having full access to the device, the business and personal spaces are isolated: commands and operations performed by the MDM are limited to the business side of the device. End users can still reach business services without giving up their privacy, and can switch between work and personal use easily, which gives a better balance between security and privacy.
What's different from other enrollment methods?
Device Information:
The MDM is no longer able to retrieve device-identifying information such as the serial number, unique device identifier (UDID), IMEI, or MAC addresses. Instead, the device provides an anonymized identifier created specifically for that MDM enrollment. If the device is unenrolled and later re-enrolled, a new identifier is generated, so neither the end user nor the hardware can be tracked across enrollments.
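To make the identifier behaviour concrete, here is an added example (not code from the original post or from any MDM product) of how an MDM server's inventory could key device records. It models Apple's MDM "Authenticate" check-in message as a plist: for a device enrollment the message carries a UDID and hardware identifiers, while for an account-driven User Enrollment it carries the per-enrollment EnrollmentID field instead. The field names follow the MDM check-in protocol as I understand it; every identifier value below is constructed for the example.

```python
import plistlib
from dataclasses import dataclass, field

# Constructed sample check-in messages in the shape of an MDM "Authenticate"
# message. All identifier values are made up for this example.
DEVICE_ENROLLMENT_AUTHENTICATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>MessageType</key><string>Authenticate</string>
  <key>Topic</key><string>com.apple.mgmt.External.example</string>
  <key>UDID</key><string>00008030-000000000000001E</string>
  <key>SerialNumber</key><string>C02EXAMPLE01</string>
</dict>
</plist>"""

USER_ENROLLMENT_AUTHENTICATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>MessageType</key><string>Authenticate</string>
  <key>Topic</key><string>com.apple.mgmt.External.example</string>
  <key>EnrollmentID</key><string>11111111-2222-3333-4444-555555555555</string>
</dict>
</plist>"""

# The same hardware re-enrolled later presents a fresh EnrollmentID.
USER_REENROLLMENT_AUTHENTICATE = USER_ENROLLMENT_AUTHENTICATE.replace(
    b"11111111-2222-3333-4444-555555555555",
    b"66666666-7777-8888-9999-aaaaaaaaaaaa",
)

# Hardware-identifying fields an MDM may read from a device-enrolled client
# but must never expect, or persist, for an account-driven User Enrollment.
HARDWARE_IDENTIFIERS = ("UDID", "SerialNumber", "IMEI", "MEID", "WiFiMAC", "BluetoothMAC")


@dataclass
class DeviceRecord:
    key: str                 # inventory key: UDID or the per-enrollment ID
    user_enrollment: bool
    hardware: dict = field(default_factory=dict)


def parse_checkin(raw: bytes) -> dict:
    """Decode a check-in plist and confirm it is an Authenticate message."""
    msg = plistlib.loads(raw)
    if msg.get("MessageType") != "Authenticate":
        raise ValueError("expected an Authenticate check-in message")
    return msg


def record_from_checkin(msg: dict) -> DeviceRecord:
    """Build an inventory record, keyed on the identifier the enrollment type provides."""
    if "EnrollmentID" in msg:
        # User Enrollment: the anonymised identifier is the only handle, and
        # hardware fields are deliberately not stored even if a client sent them.
        return DeviceRecord(key=msg["EnrollmentID"], user_enrollment=True)
    if "UDID" in msg:
        hw = {k: msg[k] for k in HARDWARE_IDENTIFIERS if k in msg}
        return DeviceRecord(key=msg["UDID"], user_enrollment=False, hardware=hw)
    raise ValueError("check-in carries neither EnrollmentID nor UDID")


class Inventory:
    """Minimal device inventory: one record per enrollment key."""

    def __init__(self) -> None:
        self.records: dict[str, DeviceRecord] = {}

    def enroll(self, raw: bytes) -> DeviceRecord:
        rec = record_from_checkin(parse_checkin(raw))
        self.records[rec.key] = rec
        return rec

    def unenroll(self, key: str) -> None:
        # Unenrolling drops the record; a later re-enrollment of the same
        # hardware cannot be correlated with it because the key changes.
        self.records.pop(key, None)


if __name__ == "__main__":
    inv = Inventory()
    print(inv.enroll(DEVICE_ENROLLMENT_AUTHENTICATE))
    first = inv.enroll(USER_ENROLLMENT_AUTHENTICATE)
    inv.unenroll(first.key)
    print(first.key != inv.enroll(USER_REENROLLMENT_AUTHENTICATE).key)
```

The design point is that the inventory must treat EnrollmentID as an opaque, enrollment-scoped key rather than a stable device identity: any reporting, compliance history, or licensing logic that assumes one record per physical device will break for BYOD enrollments, and any attempt to persist hardware identifiers for them defeats the privacy guarantee the enrollment mode is built on.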
App Management:
MDMs can still install and remove apps, but can only see information about managed apps. Apps installed by the user remain private: they are not visible to the MDM and cannot be converted into managed apps.
Additionally, some native apps support Account-driven User Enrollment, keeping business data separate from personal data at the app level.
Profiles & Configurations:
Only a limited set of profiles and configurations are available and can be enforced on the device:
Wi-Fi.
Per-app VPN.
Account-related profiles, like email, calendar, contacts, and Exchange/ActiveSync.
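As an added example (not code from the original post or from any MDM vendor), here is a small pre-flight check an MDM could run before pushing a configuration profile to a user-enrolled device, rejecting payloads outside the scope the article lists. The PayloadType identifiers are Apple's standard profile payload types; mapping them onto the article's list, and treating a VPN payload without a VPNUUID as device-wide rather than per-app, are this example's assumptions, not Apple's authoritative rules. Both sample profiles are constructed here.

```python
import plistlib

# Payload types that correspond to the article's list: Wi-Fi, per-app VPN,
# and account payloads (mail, calendar, contacts, Exchange ActiveSync).
# Assumption: this allowlist mirrors the article, not Apple's full list.
ALLOWED_PAYLOAD_TYPES = {
    "com.apple.wifi.managed",
    "com.apple.vpn.managed",
    "com.apple.mail.managed",
    "com.apple.caldav.account",
    "com.apple.carddav.account",
    "com.apple.eas.account",
}


def payload_problems(payload: dict) -> list:
    """Return a list of reasons this payload should not go to a user-enrolled device."""
    ptype = payload.get("PayloadType", "<missing>")
    ident = payload.get("PayloadIdentifier", "<no identifier>")
    if ptype not in ALLOWED_PAYLOAD_TYPES:
        return [f"{ident}: payload type {ptype} is outside the User Enrollment scope"]
    if ptype == "com.apple.vpn.managed" and "VPNUUID" not in payload:
        # Assumption: VPNUUID is what ties a VPN payload to per-app VPN rules.
        return [f"{ident}: VPN payload has no VPNUUID, so it is device-wide rather than per-app"]
    return []


def validate_profile(raw: bytes) -> list:
    """Decode a configuration profile plist and collect every out-of-scope payload."""
    profile = plistlib.loads(raw)
    if profile.get("PayloadType") != "Configuration":
        return ["top-level PayloadType must be Configuration"]
    problems = []
    for payload in profile.get("PayloadContent", []):
        problems.extend(payload_problems(payload))
    return problems


def make_profile(payloads: list) -> bytes:
    """Wrap constructed payloads in a top-level configuration profile (sample data)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.byod.profile",
        "PayloadUUID": "AAAAAAAA-0000-0000-0000-000000000001",
        "PayloadDisplayName": "BYOD accounts (constructed sample)",
        "PayloadContent": payloads,
    })


# In-scope profile: Wi-Fi plus a per-app VPN (carries VPNUUID).
BYOD_PROFILE = make_profile([
    {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
     "PayloadIdentifier": "com.example.wifi",
     "PayloadUUID": "AAAAAAAA-0000-0000-0000-000000000002",
     "SSID_STR": "CorpNet", "EncryptionType": "WPA2", "Password": "REPLACE-ME"},
    {"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
     "PayloadIdentifier": "com.example.vpn",
     "PayloadUUID": "AAAAAAAA-0000-0000-0000-000000000003",
     "UserDefinedName": "Corp per-app VPN", "VPNType": "IKEv2",
     "VPNUUID": "AAAAAAAA-0000-0000-0000-000000000004"},
])

# Out-of-scope profile: a device restriction payload and a device-wide VPN.
OVERREACHING_PROFILE = make_profile([
    {"PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
     "PayloadIdentifier": "com.example.restrictions",
     "PayloadUUID": "AAAAAAAA-0000-0000-0000-000000000005",
     "allowCamera": False},
    {"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
     "PayloadIdentifier": "com.example.devicevpn",
     "PayloadUUID": "AAAAAAAA-0000-0000-0000-000000000006",
     "UserDefinedName": "Corp device VPN", "VPNType": "IKEv2"},
])


if __name__ == "__main__":
    print("BYOD profile problems:", validate_profile(BYOD_PROFILE))
    print("Overreaching profile problems:", validate_profile(OVERREACHING_PROFILE))
```

Running this kind of check server-side gives administrators an explicit error at profile-assignment time instead of a silent failure or a partially applied profile on the device, and it documents, in code, the boundary between what the organization manages and what stays personal.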
Commands:
Account-driven User Enrollment also prevents administrators from setting or clearing passwords, wiping the device, and performing other device-level configurations.
Managed Apple IDs and Account-driven User Enrollment
The Account-driven User Enrollment method relies on Managed Apple IDs for user identification and authentication. This is what differentiates it from the older profile-based variant — the user actively signs in with their organizational Managed Apple ID to initiate and complete the enrollment, without needing to open a link or install a profile manually.
This approach also enables two important features:
App & media licensing: Apps must be managed through Apple Business Manager and VPP so that necessary licenses are provisioned.
iCloud access: Apple provides business-level iCloud services, such as shared storage for an organization. The Managed Apple ID acts as a credential to provide access to these resources.
We highly recommend reading the documentation related to Managed Apple IDs to fully understand the benefits and features.
How is Data Separation Being Managed?
As part of the Account-driven User Enrollment process, a new and separate APFS volume is created on the device. This new volume acts as a virtual hard drive with its own encryption and is isolated from other data volumes on the device. This volume stores all enrollment-related managed data. When the device is unenrolled, the volume is erased, removing all managed apps and data and returning the device to its original state before enrollment.