Implementing User Enrollment with Apple Business Manager

Apple Business Manager is a place for IT teams to automate device deployment, purchase and distribute content, and manage roles in their organizations. Apple Business Manager implements User Enrollment - a modified version of the MDM protocol with a much greater focus on user privacy, implemented with a level of security that enterprises need.

User Enrollment allows the administrator to:

  • Install and remove managed applications
  • Install and remove network configurations
  • Install a partial VPN scoped to managed apps and accounts
  • Require the usage of a password

User Enrollment registration is supported on [email protected] When the administrator assigns the device user to User Enrollment mode, the In-App registration will download the User Enrollment Profile to the device.

User Enrollment applies to unsupervised devices with iOS 13.0 or supported newer versions. Devices lower than iOS 13.0 will be considered "device enrollment" regardless if the device user has been enabled for User Enrollment. User Enrollment utilizes the user's managed Apple ID, which is required and associated with all enterprise apps and data on the device and in Ivanti EPMM.

Difference between standard MDM enrollment and User Enrollment

This section addresses the difference between standard MDM enrollment and User Enrollment with Apple Business Manager.

Standard MDM enrollment

Below is what a Ivanti EPMM server can do in a standard MDM enrollment, but will not be able to do in User Enrollment mode in iOS 13.0.

The MDM server:

  • Cannot erase the device.
  • Does not see the personal apps the device user has installed on the device.
  • Cannot convert user-installed apps into MDM-managed apps.
  • Cannot clear the device passcode (i.e. unlock the device).
  • Cannot set a long, complex device passcode requirement.
  • Cannot configure a device-wide VPN or Wi-Fi proxy, nor can it do any management of the cellular functionality.
  • Cannot see device identifiers like the UDID, serial number, or IMEI.
  • Cannot apply many device-wide restrictions (such as restricting the app content rating), block iCloud, and apply any the supervised restrictions.

When retiring and re-registering devices from Ivanti EPMM, devices are registered as Standard MDM.

User Enrollment with Apple Business Manager

In User Enrollment, the MDM server can still do everything needed to manage enterprise apps, accounts, and data.

User Enrollment can:

  • Install in-house apps or apps via user-based (Apple) Apps & Books licenses

  • Enforce passcode payload settings:
    • allowSimple = false

    • forcePIN = true

    • minLength = 6

  • Query data related to enterprise-managed apps, certificates, and profiles
  • Configure a per-app VPN for apps, mail, contacts, and calendars that have been installed by MDM
  • Enforce some restrictions, like managed open in, managed contacts, managed data on the lock screen, and several others

Enterprise data is stored in a separate Apple File System (APFS) volume, which is created at enrollment, and encrypted separately from device user data. This volume contains data stored by managed apps; enterprise Notes; enterprise iCloud Drive docs; enterprise Keychain entries; managed mail attachments and bodies; and calendar attachments. Un-enrolling from MDM destroys the volume and the keys.

The final requirement of User Enrollment is the user’s managed Apple ID that must be associated with all enterprise apps and data on the device and in iCloud Drive. Managed Apple IDs were first utilized by Apple School Manager and are now utilized by Apple Business Manager for User Enrollment.

All third-party apps can only be either a personal app or a managed app through Ivanti EPMM. The MDM service cannot start managing apps that the device user has already installed. In this case, the administrator will need to request the device user to delete the personal app before installing the app through MDM. The MDM service cannot start managing apps that the user has already installed. However, some system apps like Notes and Files will support both work and personal accounts.

Difference between User Enrollment vs Device Enrollment

This section covers the difference between User Enrollment and device enrollment. User Enrollment applies to devices iOS 13.0 and macOS 10.15 or supported newer versions.

Devices lower than iOS 13.0 will be considered "device enrollment" regardless if the device user has been enabled for User Enrollment.

User Enrollment for Apple Business Manager does not allow for wipe or unlock. However, the user portal will still have those options available even though they will not work.

 

Table 15.  User Enrollment vs Device Enrollment

Functionality

User Enrollment

MAM

Device Enrollment

DEP

Erase the device and see user's personal apps

No

No

Yes

Yes

Convert managed to unmanaged or vice versa

No

No

Yes Yes

Clear device passcode, configure device-wide VPN or Wi-Fi proxy nor manage cellular functionality

No

No

Yes Yes

See device identifiers like serial number, IMEI

No

No

Yes Yes

Apply supervised restrictions

No

No

Yes* Yes

Can install and configure apps and accounts

Yes

Yes

Yes Yes

Can configure a per-app VPN for apps, mail, contacts, and calendars that have been installed by MDM

Yes

No

Yes Yes

Can enforce some restrictions, like managed open in, managed contacts, managed data on the lock screen, and several others

Yes

No

Yes Yes

Can query data related to enterprise-managed apps, certificates, and profiles

Yes

No

Yes Yes

The "Apply supervised restrictions option" will work for Device Enrollment if the device is supervised using Apple Configurator, otherwise it is unsupported.

Requirements for enabling User Enrollment

Below are the requirements for enabling User Enrollment:

  • An Apple Business Manager account
  • Managed Apple ID - Managed Apple ID to be associated with each enrolled device. This Managed Apple ID provides authentication for MDM management and app licensing. When the MDM pushes down apps and media, necessary Apple licenses are assigned to the Managed Apple ID associated with the device.
  • Device users who are synced to LDAP are to be assigned to a device management role and associated with a Managed Apple ID.
  • For LDAP User / Group enrollment for single or bulk registrations, verify the managed Apple ID was generated correctly.
  • If the existing registration process is already using PINs, the registration will still work.
  • After registration, check the logs for any managed Apple ID failures.

Account-driven Apple User Enrollment

Next steps 

Connecting Ivanti EPMM to Apple Business Manager