The User Enrollment feature coming in the new iOS and macOS

Today we’re using a standard enrollment via link process for managing iOS devices in our org. While we own some of these devices, we do have employees that bring their own iPhone in and want to use it.

We haven’t had any complaints that I know of about the current enrollment process for BYOD. We do push down a VPN profile which it sounds like the new “User Enrollment” won’t allow. I guess we would need to determine how to use the per-app VPN if we wanted to continue down this path.

This blog has a good write up on User Enrollment:

Is anyone planning on using this feature in their deployment?

I’ve worked with a number of industries where users were hesitant to enroll their BYOD devices due to the level of control the org gets from standard MDM enrollment. I think this enrollment method will help drive adoption.

Definitely interested in testing it once the EMM providers build support for the feature.

Until now we promote BB Dynamics in App-Only mode for BYOD to have an enterprise container without any MDM profile on the device.

in MDM an administator of a registered ios device is able to retrieve the installed apps, remove the passcode or wipe the entire device - at least the privacy controls of the registered uem prohibit this features to individuals

MAM was often no choise, since you want to integrate the device to customers infrastrcture and need to get certificates and wifi profiles

UserEnrollment seams to be what google did with android enterprise, let’s see whether controlling wifi or vpn will possible

Does anyone knows, if there is a visible segregation between work and personal data?

Apple have stated in the sessions during WWDC that WiFi payload deployment is possible
VPN is also possible, however your are limited to the domains owned by your org for example if your domain name is only subdomains like will be accepted will not work

Fetching restrictions on a user enrolled iOS device does not seem to work. It seems to be so even in the latest GM. The MDM command returns “Restrictions” is not a valid request type. Anyone has any idea why?

the enrollment is a bit easier for the enduser, the visibility is still the same as per MDM Profile managed, but privacy is honored in the user enrollment setup

DemoVideo @Youtube