Apple User Enrollment
Apple User Enrollment is a management mode designed for devices owned by the user, that is, for a Bring Your Own Device (BYOD) scenario.
Restriction
You can’t enroll supervised devices in Apple User Enrollment management mode.
Managed Apple ID
User Enrollment uses a Managed Apple ID to establish a user identity on the device and sign in to Apple services such as iCloud.
Managed Apple IDs are owned and managed by your organization. For each user, you create a unique Managed Apple ID and password in Apple Business Manager. Users must enter the Managed Apple ID credentials to enroll their device with Sophos Mobile.
Instead of manually creating Managed Apple IDs, you can configure federated authentication with Microsoft Entra ID (Azure AD) in Apple Business Manager. In this case, Apple Business Manager manages the creation of Managed Apple IDs, and users sign in with their Microsoft Entra ID (Azure AD) email and password. For details, see the Apple Business Manager documentation.
On the device, the Managed Apple ID exists alongside the user’s personal Apple ID. When the user unenrolls the device from Sophos Mobile, iOS removes the Managed Apple ID from the device.
For details on Managed Apple IDs, see Apple Business Manager User Guide: Use Managed Apple IDs in Apple Business Manager.
Separation of personal and work data
Devices enrolled in User Enrollment mode have a managed Apple File System (APFS) volume to store work data. This volume contains the following:
- Managed apps and app data
- A managed keychain
- Documents from the Managed Apple ID’s iCloud account
- Data from the Mail, Calendar, and Notes apps for the Managed Apple ID
When the user unenrolls the device from Sophos Mobile, iOS deletes the managed APFS volume.
Management capabilities
Because the user owns the device, you have only limited Mobile Device Management (MDM) capabilities.
You can’t access the user’s personal data. You can only manage and query items, such as apps, certificates, and policies, on the managed APFS volume.
You can’t access hardware device identifiers such as the UDID, IMEI, or MAC address. Sophos Mobile identifies the device by an enrollment-specific ID that iOS creates when the user enrolls it with Sophos Mobile. If the user unenrolls the device and then enrolls it again, the device gets a new ID, and Sophos Mobile treats it as a new device.
Because the MAC address isn’t available to Sophos Mobile, you can’t use Network Access Control (NAC) for User Enrollment devices.
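The identification behaviour described above, as an added example that is not Sophos Mobile’s code: a minimal MDM-server inventory that keys a user-enrolled device by the per-enrollment identifier it sends (assumed here to be the `EnrollmentID` key of an Apple MDM `Authenticate` check-in, with `UDID` for device enrollment), so a re-enrolled device becomes a new record, and a filter that drops the hardware queries such a device won’t answer. The check-in messages and identifier values are constructed, and the `DeviceInformation` key names for the restricted queries are assumptions.

```python
import plistlib

# Queries the page says User Enrollment won't answer. DeviceInformation key
# names are assumed; the page names UDID, IMEI and MAC address in prose.
RESTRICTED_QUERIES = {"UDID", "IMEI", "WiFiMAC", "BluetoothMAC"}

# Constructed Authenticate check-ins. A user-enrolled device reports a
# per-enrollment EnrollmentID instead of the hardware UDID (key names
# assumed from Apple's MDM protocol; the values are made up).
USER_CHECKIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>MessageType</key><string>Authenticate</string>
  <key>EnrollmentID</key><string>CONSTRUCTED-ENROLLMENT-ID-0001</string>
</dict></plist>"""
DEVICE_CHECKIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>MessageType</key><string>Authenticate</string>
  <key>UDID</key><string>CONSTRUCTED-UDID-0001</string>
</dict></plist>"""

def device_key(checkin: bytes) -> tuple[str, str]:
    """Return (mode, identifier): UDID for device enrollment, EnrollmentID
    for user enrollment, which never exposes the hardware UDID."""
    msg = plistlib.loads(checkin)
    if msg.get("MessageType") != "Authenticate":
        raise ValueError("not an Authenticate message")
    if "UDID" in msg:
        return "device", msg["UDID"]
    if "EnrollmentID" in msg:
        return "user", msg["EnrollmentID"]
    raise ValueError("check-in carries no device identifier")

class Inventory:
    def __init__(self) -> None:
        self.records: dict[str, str] = {}  # identifier -> enrollment mode

    def register(self, checkin: bytes) -> tuple[str, str, bool]:
        # A user-enrolled device that unenrolls and enrolls again presents a
        # fresh EnrollmentID, so it is registered as a brand-new device.
        mode, key = device_key(checkin)
        is_new = key not in self.records
        self.records.setdefault(key, mode)
        return mode, key, is_new

def allowed_queries(mode: str, requested: list[str]) -> list[str]:
    """Drop DeviceInformation queries a user-enrolled device won't answer."""
    if mode == "user":
        return [q for q in requested if q not in RESTRICTED_QUERIES]
    return list(requested)
```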
Warning
You can set rules for the device password, but you can’t reset it if the user forgets it.
App management
On Apple User Enrollment devices, you can only install apps you bought in Apple Business Manager (previously known as Apple VPP apps).
Either install these apps through Sophos Mobile or assign them to the Managed Apple ID to let the user install them from the App Store.
Each app can be installed only once on a device, either for the personal Apple ID (personal app) or for the Managed Apple ID (managed app). The following rules apply:
- You can’t install a managed app if the user has already installed the same personal app.
- The user can uninstall a managed app, but it remains managed if the user reinstalls it.
- To let a user install a personal app that you previously installed as a managed app, you must uninstall the managed app through Sophos Mobile or remove the app license from the Managed Apple ID.
- Mail, Notes, and Calendar are account-based and can store data for both the Managed Apple ID (on the managed APFS volume) and the personal Apple ID (on the system APFS volume).
Account-driven vs. profile-based Apple User Enrollment
Restriction
Profile-based Apple User Enrollment is available for iOS and iPadOS 17 and earlier.
There are two Apple User Enrollment methods: account-driven and profile-based enrollment. Account-driven enrollment is more streamlined because the workflow is built into the device’s Settings app.
For general information on Apple User Enrollment and the differences between account-driven and profile-based enrollment, see the Apple tutorial Enrolling User-Owned Devices.