Matrix42 Self-Service Help Center

Apple Deployment Programs VI: User Enrollment

Overview

With Matrix42 Silverback, you can use Apple User Enrollment to enroll and manage user-owned iOS/iPadOS and macOS devices. Apple designed User Enrollment specifically for bring-your-own-device (BYOD) scenarios. It is a distinct enrollment method, separate from regular device enrollment, enrollment through the Device Enrollment Program and supervised enrollment, and was introduced by Apple at the 2019 Apple Worldwide Developers Conference. User Enrollment is built on Managed Apple IDs, which are owned and managed by your organization and give your employees access to certain Apple services, such as a work identity on a personal device. The user must authenticate with the Managed Apple ID to complete enrollment; it is used alongside the personal Apple ID the user has already signed in with, and the two do not interact. User Enrollment also puts a much stronger emphasis on user privacy, with a separation that both organizations and end users can be comfortable with: work data is stored on a separate, cryptographically isolated APFS volume and in managed applications, apart from the user's personal data and applications, and that volume is removed again when the device is unenrolled. For administrators this means User Enrollment offers only a limited subset of management capabilities on personally owned devices; these are listed in the User Enrollment Limitations section at the end of this article.

Prepare Enrollments

Supported Platforms
  • iPhone
  • iPad
  • macOS
Create Managed Apple ID 
  • Login to your Apple Business Manager
  • Navigate to Accounts
  • Click Add New Account
  • Enter a Name
  • Enter a Last Name
  • Enter a Managed Apple ID Username
  • Under Roles Select Staff
  • Select your Location
  • As Email Address, use e.g. the corporate email address of the user, or any other personal email address to which the temporary Managed Apple ID password should be sent
  • Click Save
  • Click Create Sign-In
  • Select Send as an email 
  • Click Continue
  • Click Done
Configure Self Service Portal (optional) 

When a user enrolls through the Self Service Portal, Silverback automatically pre-fills the Managed Apple ID field with the preset configured here.

  • Click Save

Enroll Devices

Create Enrollment 
  • Open Self Service Portal
  • Login with your user credentials
  • Enter a phone number (optional)
  • Change the Ownership to User Enrollment for Apple devices
  • Enter the Managed Apple ID you created, or keep the pre-filled value
  • Click Start
Enroll your device 
  • Open the Camera app on the iOS device
  • Scan the QR code
  • Open the enrollment page
  • Download the configuration profile by pressing Allow
  • Tap Close
  • Open iOS Settings
  • Tap Enrol in Silverback
  • Tap Enrol my iPhone
  • Enter the device passcode, if prompted
  • Enter the temporary Managed Apple ID password that was sent to the user
  • Tap Sign In
  • Choose a verification method, either Text Message or Phone Call
  • Tap Send
  • Enter the verification code from the phone call, or wait for the code from the text message to be detected automatically
  • Enter the temporary Managed Apple ID password again
  • Enter a new password
  • Tap Change
  • The enrollment completes and the device is now managed

User Enrollment Limitations

Because User Enrollment is a variant of the MDM protocol with a much stronger focus on user privacy, implemented with a level of security that organizations and end users can be comfortable with, it provides only a limited subset of the capabilities available for managing personally owned devices. The differences are as follows:

Device Actions 
  • Clear Passcode is not supported
  • Factory Wipe is not supported
Device Overview 
  • Serial Number isn't exchanged
  • IMEI isn't exchanged
  • MAC Addresses aren't exchanged
  • Network information isn't exchanged
  • Available OS updates aren't transmitted to the backend
  • Personally installed apps aren't listed
Applications 
  • Take management if the app is already installed is not supported
Passcode Profile

The Passcode profile type can still be assigned to a user-enrolled device, but the device ignores all of its keys. Instead, the mere presence of a Passcode profile forces these settings:

  • Force PIN = enabled (set automatically in the background when the Passcode profile is enabled)
  • Allow Simple = disabled
  • Minimum Length = 6
Restrictions Profile

Only a small subset of the available restrictions is supported on devices enrolled through User Enrollment. These are:

  • Allow Diagnostic Data to be Sent to Apple
  • Allow Enterprise Books Backup
  • Allow Enterprise Books Sync
  • Allow Lock Screen Control Center
  • Allow Lock Screen Notifications View
  • Allow Lock Screen Today View
  • Allow Managed Apps Cloud Sync
  • Allow Open In From Managed to Unmanaged Apps
  • Allow Open In From Unmanaged to Managed Apps
  • Allow Remote Screen Observation
  • Allow Screen Capture
  • Allow Siri
  • Allow Siri While Locked
  • Force AirDrop to be considered Unmanaged
  • Force AirPlay Outgoing Requests Pairing Password
  • Force Apple Watch Wrist Detection
  • Force Encrypted Backup
  • Force Fraud Warning
  • Force Managed Pasteboard
  • Force On-Device Only Dictation
  • Force On-Device Translation
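The two behaviours above, a Passcode payload whose keys are all ignored in favour of a fixed policy, and a Restrictions payload of which only the listed keys apply, are easy to get wrong when reusing profiles built for device enrollment. The following added example (my code, not Silverback's or Apple's) audits a .mobileconfig and reports what a user-enrolled device will actually enforce. It assumes the standard payload types com.apple.mobiledevice.passwordpolicy and com.apple.applicationaccess, and maps the restriction names listed in this article to the plist key names as I know them from Apple's Restrictions payload reference; verify that mapping against the current Apple documentation before relying on it. The sample profile is constructed inline and is not a real tenant's profile. The "simple passcode" check uses Apple's definition: repeated characters or a strictly ascending or descending run.

```python
"""Audit a configuration profile for what actually applies under Apple User Enrollment."""
import plistlib

# Assumed standard payload types (not stated in the article).
PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"

# Values a user-enrolled device forces whenever a Passcode payload is present.
FORCED_PASSCODE = {"forcePIN": True, "allowSimple": False, "minLength": 6}

# Restriction keys honoured under User Enrollment: the article's list mapped to
# plist key names (assumption: verify against Apple's Restrictions payload reference).
SUPPORTED_RESTRICTIONS = {
    "allowDiagnosticSubmission", "allowEnterpriseBookBackup",
    "allowEnterpriseBookMetadataSync", "allowLockScreenControlCenter",
    "allowLockScreenNotificationsView", "allowLockScreenTodayView",
    "allowManagedAppsCloudSync", "allowOpenFromManagedToUnmanaged",
    "allowOpenFromUnmanagedToManaged", "allowRemoteScreenObservation",
    "allowScreenShot", "allowAssistant", "allowAssistantWhileLocked",
    "forceAirDropUnmanaged", "forceAirPlayOutgoingRequestsPairingPassword",
    "forceWatchWristDetection", "forceEncryptedBackup", "safariForceFraudWarning",
    "requireManagedPasteboard", "forceOnDeviceOnlyDictation",
    "forceOnDeviceOnlyTranslation",
}


def audit_profile(mobileconfig_bytes):
    """Return the effective passcode policy and the applied/ignored restrictions."""
    profile = plistlib.loads(mobileconfig_bytes)
    report = {"passcode": None, "restrictions": {"applied": {}, "ignored": {}}}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        # Payload* keys are envelope metadata, not policy; strip them.
        settings = {k: v for k, v in payload.items() if not k.startswith("Payload")}
        if ptype == PASSCODE_PAYLOAD:
            # Presence is all that matters: every configured key is ignored and
            # the fixed policy is applied instead.
            report["passcode"] = {"effective": dict(FORCED_PASSCODE), "ignored": settings}
        elif ptype == RESTRICTIONS_PAYLOAD:
            for key, value in settings.items():
                bucket = "applied" if key in SUPPORTED_RESTRICTIONS else "ignored"
                report["restrictions"][bucket][key] = value
    return report


def is_simple_passcode(pin):
    """Apple's 'simple' passcode: all characters identical, or a +1/-1 run (1234, 4321)."""
    if len(set(pin)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def passcode_accepted(pin, policy):
    """Check a candidate numeric PIN against an effective passcode policy."""
    if policy.get("forcePIN") and not pin:
        return False
    if len(pin) < policy.get("minLength", 0):
        return False
    if not policy.get("allowSimple", True) and is_simple_passcode(pin):
        return False
    return True


# Constructed sample profile: a typical device-enrollment profile that an admin
# might reuse for User Enrollment without adjusting it.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.userenrollment.audit",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadContent": [
        {"PayloadType": PASSCODE_PAYLOAD, "PayloadVersion": 1,
         "PayloadIdentifier": "example.passcode",
         "PayloadUUID": "00000000-0000-0000-0000-000000000002",
         "forcePIN": True, "allowSimple": True, "minLength": 8,
         "requireAlphanumeric": True, "maxFailedAttempts": 10},
        {"PayloadType": RESTRICTIONS_PAYLOAD, "PayloadVersion": 1,
         "PayloadIdentifier": "example.restrictions",
         "PayloadUUID": "00000000-0000-0000-0000-000000000003",
         "allowScreenShot": False, "forceEncryptedBackup": True,
         "allowCamera": False, "allowAppInstallation": False},
    ],
})

if __name__ == "__main__":
    result = audit_profile(SAMPLE_PROFILE)
    print("Passcode policy actually enforced:", result["passcode"]["effective"])
    print("Passcode keys silently dropped:   ", sorted(result["passcode"]["ignored"]))
    print("Restrictions applied:             ", sorted(result["restrictions"]["applied"]))
    print("Restrictions silently dropped:    ", sorted(result["restrictions"]["ignored"]))
    for candidate in ("123456", "135791"):
        print(candidate, "accepted" if passcode_accepted(candidate, result["passcode"]["effective"]) else "rejected")
```

Run against the sample: the 8-character alphanumeric requirement collapses to a 6-digit non-simple PIN, and the camera and app-installation restrictions are dropped without any error from the device. Run the same audit on your own exported profiles before assigning them to user-enrolled devices so that the gap between intended and enforced policy is visible to you rather than only to the user.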

Additional Information

If you distribute applications through the Volume Purchase Program, be sure to select an operation method that meets all of your organization's requirements. For example, if you provision devices via the Device Enrollment Program and do not allow personal Apple IDs, the Preferred options let you combine the various Volume Purchase Program operation methods effectively. Device-Based Assignment, however, does not work for User Enrollment: these devices do not submit a serial number to the system, so no license can be assigned to the serial number. Licenses for user-enrolled devices have to be assigned to the user's Managed Apple ID instead (user-based assignment).
