Apple Pushes for Greater Privacy with User Enrollment
In collaboration with Paul Mounkes, Senior Product Marketing Manager
For years, executives and mobility admins alike have worked to define their Bring-Your-Own-Device (BYOD) strategies using solutions available in the marketplace. In the early days, the “wild west” nature of mobility caused many of these solutions to opt for strict controls and security-first policies that favored the needs of IT rather than end-users. Unfamiliar with mobile device management (MDM) and hesitant about their data privacy, users were too wary to adopt the technology even at the sacrifice of their productivity and work experience. In recent years, many organizations have swung to the opposite side by allowing solutions with little to no IT control that manage only the user’s access to the organization’s apps. While successful for some, most admins still sought a stronger solution that could be trusted by both end-users and IT.
Apple has potentially created just that with the general availability of iOS 13.1 and the release of a new Apple management paradigm called User Enrollment. As an alternative to traditional full device enrollment, User Enrollment is geared explicitly towards BYO programs and leans heavily towards user privacy while also providing substantial enterprise control. User Enrollment is available in Workspace ONE UEM’s 1909 release and comes with several unique advantages that admins should consider when designing or revising their BYOD strategies.
This article discusses these details at length, and there are several resources already available for organizations to familiarize themselves with User Enrollment and all the Fall Apple updates in Workspace ONE.
As the name implies, one of the most impactful updates for users in User Enrollment is the enrollment experience itself. In traditional device enrollment, Workspace ONE drives the experience through either Safari or the Intelligent Hub app and provides authentication prompts that are generated by Workspace ONE. This workflow can be completely customized and tailored to an organization’s branding styles. At times, adoption rates can fall off when the user perceives installation of the MDM profile as ceding ownership of the device to the company.
With User Enrollment, the experience still starts in Workspace ONE via Safari. The end-user completes authentication, optional user-friendly prompts, and profile installation in the Settings app. The authenticated user account is an enterprise identity created in Apple Business Manager called a Managed Apple ID. Currently, Apple supports the creation and authentication of these identities only through federation to Azure AD from within Apple Business Manager. After completing these steps, a Workspace Services profile is applied only to the Managed Apple ID, and the device is considered “user enrolled” into Workspace ONE.
User Enrollment provides advantages to users and IT in the area of employee experience. The OS drives a streamlined, native experience with more user-friendly, customizable text. All these components generate a cohesive, familiar workflow that should minimize user hesitation and improve adoption.
The second significant change surrounding User Enrollment is Workspace ONE’s access, or lack thereof, to the user’s data. After enrollment, iOS creates a newly partitioned APFS volume specific to the Managed Apple ID that separates work-related content from personal. The partition prevents any personal apps or data from being seen or managed, and any apps or data installed via MDM are associated with the managed volume only. This separation includes data stored in apps like Mail, Contacts, Calendar, device keychain, or any backups to iCloud or iTunes. This robust separation reassures the user that any app or piece of data tied to their iCloud account is kept private.
For the full list of changes associated with User Enrollment and managing devices in Workspace ONE, please review our customer webinar on the VMware Learning Zone.
Another significant change with User Enrollment is in the way IT manages third-party applications. As with the separation of user and managed data, User Enrollment prevents MDM from accessing personal apps’ data and blocks MDM’s ability to manage those apps entirely. If a user installs an app, iOS considers that app to be personally installed and associated with the user’s personal Apple ID. Workspace ONE has no management opportunities for that app, and no option to “convert” the app to be treated as managed.
Because User Enrollment uses an Apple ID as an identifier, it requires Workspace ONE to distribute apps through VPP with User-Based Licenses to allow MDM to tie the app to the Managed Apple ID. While this process is silent to users and requires no action from admins, it is an essential distinction. However, management of enterprise-developed applications can continue in the same fashion as today with no changes.
User Enrollment is one of the most important user-focused enhancements for managing Apple devices in recent memory, and we’re excited to see what types of innovation it sparks. It’s good for businesses when users feel that their data is private and protected, and this new advancement is sure to drive adoption to enable a more productive workforce.
Get started today with User Enrollment in VMware’s Workspace ONE UEM 1909 release!
Take Action Now to Get Ready
• To learn more about these and other new features, please view our recorded webinar “Getting Ready for Apple Fall 2019 Releases with Workspace ONE.” This presentation offers a much more in-depth look into how you can use Workspace ONE in conjunction with these releases to further improve the employee experience and strengthen support for Apple devices in the enterprise.
• Stay informed about everything that’s happening with all of Apple’s Fall releases by checking out the resources we’re providing:
    • Subscribe to the “Getting Ready for Apple Fall Updates 2019” knowledge base article to stay up to date on everything going on with Apple this Fall.
    • Read this blog titled “WWDC 2019: A Home Run for the Enterprise” to catch up on all the changes you’ll see in all of Apple’s fall releases.
    • View our recorded webinar with Chris Burns and Senior Technical Product Manager John Richards, titled “Getting Ready for Apple Fall 2019 Releases with Workspace ONE,” for an in-depth look at how to use Workspace ONE in conjunction with these releases.
• Go deeper into what we’re doing with Workspace ONE. Over the next couple of months, we’ll be releasing a series of video blogs that breaks down each major topic. Stay tuned for links as we start with the following:
    i. User Enrollment and how it affects BYOD
    ii. All about macOS Catalina
    iii. DEP custom screens
    iv. Deep dive on iOS 13