At the 2021 WWDC event in June, Apple announced some exciting – and sweeping – changes to the way we’ll be managing Apple devices in the future. As exciting as the future looks when you think about the scope of Declarative Management – one of the headline changes – several other announcements are having a more immediate impact for end-user privacy and the BYO strategies of forward-leaning organizations.
One such capability is the account-driven onboarding experience for User Enrollment. Starting in iOS 15, users are no longer required to navigate to confusing URLs or scan a QR code to kick off enrollment. Instead, enrollment can be initiated directly in the Settings app under a new option to “Sign into Work or School.” Once enrollment is initiated, iOS streamlines the authentication and onboarding by no longer requiring users to download a profile, navigate to its landing page, and click through multiple prompts for installation.
This new process in iOS 15 is easier and quicker than its predecessor, with the goal of providing a better user experience to and driving higher rates of BYO adoption for organizations.
And, of course, increasing BYO adoption through User Enrollment is a good thing. The more a company’s employees can securely and privately connect with corporate resources using their personal devices, the more productive the company can be overall. Apple needed to make one other change, however, because in its previous form, User Enrollment could create outcomes that may not necessarily be desirable.
Aimed at ensuring optimal user privacy, User Enrollment was designed to utterly distinguish and separate apps installed by the user from those installed by Workspace ONE. This has several obvious benefits but is not without tradeoffs. For example, let’s say a user manually downloads a critical app (e.g., Intelligent Hub) prior to stepping through enrollment, then chooses to enroll their device at a later time. In this case, the previous version of User Enrollment would designate the existing critical app (Intelligent Hub) as a personal app and “wall it off” from work apps and resources. This renders any shared data or managed permissions inaccessible from any dependent managed apps.
Luckily, Apple has also solved this problem in iOS 15 with the Required App feature. This new feature allows admins to use Workspace ONE to mark a single app as “required.” If the app was already installed by the user prior to enrollment, the device will request permission to take over management. (If the app is not present, it is installed as a managed app during the enrollment process.) This allows the critical app to interact with all other work-related managed apps and resources.
Workspace ONE UEM admins can access this feature by editing the Required App field in Workspace ONE UEM Settings under Devices & Users > Apple iOS > Managed Settings. The default app in this field is Workspace ONE Intelligent Hub.
Visit the resources below for more information on account-driven User Enrollment and the Required App feature, as well as other features announced at WWDC 2021.
Additional Resources: