Apple User Enrollment
Apple User Enrollment is a management mode designed for devices owned by the user, that is, for a Bring Your Own Device (BYOD) scenario.
Restriction
You can’t enroll supervised devices in Apple User Enrollment management mode.
Managed Apple Account
User Enrollment uses a Managed Apple Account (formerly Managed Apple ID) to establish a user identity on the device and sign in to Apple services such as iCloud.
Managed Apple Accounts are owned and managed by your organization. For each user, you create a unique Managed Apple Account in Apple Business Manager. Users must sign in to their Managed Apple Account to enroll their device with Sophos Mobile.
Instead of manually creating Managed Apple Accounts, you can configure federated authentication with Microsoft Entra ID in Apple Business Manager. In this case, Apple Business Manager manages the creation of Managed Apple Accounts, and users sign in to their Microsoft Entra ID account. For details, see the Apple Business Manager documentation.
On the device, the Managed Apple Account exists alongside the user's personal Apple Account. When the user unenrolls the device from Sophos Mobile, the Managed Apple Account and all of its associated data are removed from the device.
For details on Managed Apple Accounts, see About Managed Apple Accounts in Apple Business Manager.
Separation of personal and work data
Devices enrolled in User Enrollment mode have a managed Apple File System (APFS) volume to store work data. This volume contains the following:
- Managed apps and app data
- A managed keychain
- The Managed Apple Account's iCloud data
- The Managed Apple Account's data stored by the Mail, Calendar, and Notes apps
When the user unenrolls the device from Sophos Mobile, iOS deletes the managed APFS volume.
Management capabilities
Because the user owns the device, you have only limited Mobile Device Management (MDM) capabilities.
You can’t access the user’s personal data. You can only manage and query items, such as apps, certificates, and policies, on the managed APFS volume.
You can’t access device identifiers such as the UDID, IMEI, or MAC address. Sophos Mobile identifies the device by a specific ID that iOS creates when the user enrolls it with Sophos Mobile. If the user unenrolls the device and then enrolls it again, the device gets a new ID, and Sophos Mobile treats it as a new device.
Because the MAC address isn’t available to Sophos Mobile, you can’t use Network Access Control (NAC) for User Enrollment devices.
Warning
You can set rules for the device password, but you can’t reset it if the user forgets it.
App management
On Apple User Enrollment devices, you can only install apps that you bought through Apple Business Manager (previously known as Apple VPP apps).
Either install these apps through Sophos Mobile or assign them to the Managed Apple Account to let the user install them from the App Store.
Each app can only be installed once on a device, either for the personal Apple Account (personal app) or for the Managed Apple Account (managed app). The following rules apply:
- You can't install a managed app if the user has already installed the same personal app.
- The user can uninstall a managed app, but it remains managed if the user reinstalls it.
- To let a user install a personal app that you previously installed as a managed app, you must uninstall the managed app through Sophos Mobile or remove the app license from the Managed Apple Account.
- Mail, Notes, and Calendar are account-based and can store data for both the Managed Apple Account (on the managed APFS volume) and the personal Apple Account (on the system APFS volume).
Account-driven vs. profile-based Apple User Enrollment
Restriction
Profile-based Apple User Enrollment is available for iOS and iPadOS 17 and earlier.
There are two Apple User Enrollment methods: account-driven and profile-based enrollment. Account-driven enrollment is more streamlined because the workflow is built into the device’s Settings app.
For general information on Apple User Enrollment and the differences between account-driven and profile-based enrollment, see the Apple tutorial Enrolling User-Owned Devices.