Skip to content

Apple User Enrollment

Apple User Enrollment is a management mode designed for devices owned by the user, that is, for a Bring Your Own Device (BYOD) scenario.


You can’t enroll supervised devices in Apple User Enrollment management mode.

Managed Apple ID

User Enrollment uses a Managed Apple ID to establish a user identity on the device and sign in to Apple services such as iCloud.

Managed Apple IDs are owned and managed by your organization. For each user, you create a unique Managed Apple ID and password in Apple Business Manager. Users must enter the Managed Apple ID credentials to enroll their device with Sophos Mobile.

Instead of manually creating Managed Apple IDs, you can configure federated authentication with Microsoft Entra ID (Azure AD) in Apple Business Manager. In this case, Apple Business Manager manages the creation of Managed Apple IDs, and users sign in with their Microsoft Entra ID (Azure AD) email and password. For details, see the Apple Business Manager documentation.

On the device, the Managed Apple ID exists alongside the user’s personal Apple ID. When the user unenrolls the device from Sophos Mobile, iOS removes the Managed Apple ID from the device.

For details on Managed Apple IDs, see Apple Business Manager User Guide: Use Managed Apple IDs in Apple Business Manager.

Separation of personal and work data

Devices enrolled in User Enrollment mode have a managed Apple File System (APFS) volume to store work data. This volume contains the following:

  • Managed apps and app data
  • A managed keychain
  • Documents from the Managed Apple ID’s iCloud account
  • Data from the Mail, Calendar, and Notes apps for the Managed Apple ID

When the user unenrolls the device from Sophos Mobile, iOS deletes the managed APFS volume.

Management capabilities

Because the user owns the device, you only have limited Mobile Device Management (MDM) capabilities.

You can’t access the user’s personal data. You can only manage and query items, such as apps, certificates, and policies, on the managed APFS volume.

You can’t access device identifiers such as the UDID, IMEI, or MAC address. Sophos Mobile identifies the device by a specific ID that iOS creates when the user enrolls it with Sophos Mobile. If the user unenrolls the device and then enrolls it again, the device gets a new ID, and Sophos Mobile treats it as a new device.

Because the MAC address isn’t available to Sophos Mobile, you can’t use Network Access Control (NAC) for User Enrollment devices.


You can set rules for the device password but you can’t reset it if the user forgets it.

App management

On Apple User Enrollment devices, you can only install apps you bought in Apple Business Manager (previously known as Apple VPP apps).

Either install these apps through Sophos Mobile or assign them to the Managed Apple ID to let the user install them from the App Store.

Each app can only be installed once on a device, either for the personal Apple ID (personal app) or for the Managed Apple ID (managed app). The following rules apply:

  • You can’t install a managed app if the user has already installed the same personal app.
  • The user can uninstall a managed app, but it remains managed if the user reinstalls it.
  • To let a user install a personal app that you previously installed as a managed app, you must uninstall the managed app through Sophos Mobile or remove the app license from the Managed Apple ID.
  • Mail, Notes, and Calendar are account-based and can store data for both the Managed Apple ID (on the managed APFS volume) and the personal Apple ID (on the system APFS volume).