Apple Deployment Programs VI: User Enrollment
Overview
With Matrix42 Silverback, you can use Apple User Enrollment to enroll and manage user-owned iOS/iPadOS and macOS devices. Apple designed User Enrollment specifically for bring-your-own-device (BYOD) scenarios. It is distinct from regular device enrollment, enrollment through the Device Enrollment Program, and supervised enrollment, and was introduced by Apple at the 2019 Apple Worldwide Developer Conference. User Enrollment is integrated with Managed Apple IDs, which are owned and managed by your organization and give your employees access to certain Apple services, such as establishing a work identity on a personal device. The user must authenticate successfully to complete enrollment, and the Managed Apple ID is used alongside the personal Apple ID the user has already signed in with; the two do not interact. User Enrollment also places a much stronger focus on user privacy, with a level of security that both organizations and end users should feel comfortable with: the personal device is set up so that work data is stored on a separate volume and in managed applications, away from the user's personal data and applications. For administrators, this means that User Enrollment provides only a limited subset of management capabilities for personally owned devices, which are summarized in the User Enrollment Limitations section at the end of this article.
Supported Platforms
- iPhone
- iPad
- macOS
Prepare Apple Requirements
Prepare Service Discovery
With the release of iOS 18, iPadOS 18, and macOS 15, Apple has introduced a significant change in the enrollment process for User Enrollment. The system has finally transitioned from the traditional profile-based enrollment to the more seamless and modern account-driven enrollment. Account-Driven User Enrollment starts from the Settings application on the device, where the user has to enter their Managed Apple ID (e.g. maria.miller@imagoverum.com). Based on the domain portion, the device sends an HTTPS GET request to the URL https://<domain>/.well-known/com.apple.remotemanagement (where <domain> is the domain/FQDN portion extracted from the user identifier). This means that you must publish a file on the web server for your domain so that the device can reach the service and retrieve the enrollment information. This file contains the URL of your Silverback server and must be reachable by every device that is to be enrolled. For example, if your Managed Apple IDs end with imagoverum.com, you must ensure that the file is accessible at the following URL:
https://imagoverum.com/.well-known/com.apple.remotemanagement
The file contains your Silverback URL with the suffix /ssp/enrollment/byod and the Version identifier, which must be mdm-byod.
You can download the example file here: com.apple.remotemanagement.json. After the download, open the file with a text editor of your choice, change the BaseURL to your own Silverback URL and save the file. Afterwards, hand the file to your web server administrator and point out that it must be served with the content type application/json.
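The following script is an added example and is not part of the Silverback documentation or product code. It derives the discovery URL from a Managed Apple ID the way the device does, builds the com.apple.remotemanagement document with the /ssp/enrollment/byod suffix and the mdm-byod version, and checks a fetched HTTP response for the two things that most often go wrong in practice: a wrong content type and a malformed or non-HTTPS BaseURL. The JSON layout {"Servers": [{"Version": ..., "BaseURL": ...}]} is assumed from Apple's published format for this file; the hostname silverback.imagoverum.com is a constructed placeholder.

```python
"""Build and check the Apple account-driven enrollment discovery file.

Added example, not Silverback code. Assumptions: Apple's published layout
{"Servers": [{"Version": ..., "BaseURL": ...}]} for com.apple.remotemanagement,
and a placeholder Silverback hostname silverback.imagoverum.com.
"""
import json
import urllib.request
from urllib.parse import urlparse

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
BYOD_SUFFIX = "/ssp/enrollment/byod"   # endpoint suffix the article specifies
BYOD_VERSION = "mdm-byod"              # version identifier the article requires


def discovery_url(managed_apple_id: str) -> str:
    """Derive the URL the device fetches from the domain part of the Managed Apple ID."""
    local, sep, domain = managed_apple_id.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a user@domain identifier: {managed_apple_id!r}")
    return f"https://{domain.lower()}{WELL_KNOWN_PATH}"


def build_discovery_doc(silverback_base: str) -> dict:
    """Return the document to publish, with the BYOD endpoint appended to the server URL."""
    base = silverback_base.rstrip("/") + BYOD_SUFFIX
    return {"Servers": [{"Version": BYOD_VERSION, "BaseURL": base}]}


def validate_discovery_doc(doc) -> list:
    """Return a list of problems; an empty list means the document is acceptable."""
    problems = []
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return ["missing or empty 'Servers' array"]
    for i, srv in enumerate(servers):
        if srv.get("Version") != BYOD_VERSION:
            problems.append(f"Servers[{i}].Version must be {BYOD_VERSION!r}")
        parsed = urlparse(str(srv.get("BaseURL", "")))
        # The device only talks to the MDM server over TLS, so reject plain http
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"Servers[{i}].BaseURL must be an absolute https URL")
        if not parsed.path.endswith(BYOD_SUFFIX):
            problems.append(f"Servers[{i}].BaseURL must end with {BYOD_SUFFIX}")
    return problems


def check_discovery_response(status: int, headers: dict, body: bytes) -> list:
    """Check a fetched response: 200 status, application/json content type, valid body."""
    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}, expected 200")
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != "application/json":
        problems.append(f"Content-Type {ctype!r}, expected application/json")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return problems + [f"body is not valid JSON: {exc}"]
    return problems + validate_discovery_doc(doc)


def fetch_and_check(managed_apple_id: str) -> list:
    """Fetch the live discovery file for an ID and run the checks (needs network access)."""
    req = urllib.request.Request(discovery_url(managed_apple_id), method="GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return check_discovery_response(resp.status, dict(resp.headers), resp.read())


if __name__ == "__main__":
    doc = build_discovery_doc("https://silverback.imagoverum.com")
    print(discovery_url("maria.miller@imagoverum.com"))
    print(json.dumps(doc, indent=2))
    # Constructed sample of a server that serves the right body with the wrong content type
    sample = (200, {"Content-Type": "text/plain"}, json.dumps(doc).encode())
    print(check_discovery_response(*sample))
```

Run the script to print the discovery URL and the JSON to publish; use fetch_and_check("maria.miller@imagoverum.com") once the file is live to confirm that the web server returns it with the application/json content type and that the BaseURL inside still carries the /ssp/enrollment/byod suffix after any rewrite or redirect rules on that host.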
Create Managed Apple ID
- Login to your Apple Business Manager or Apple School Manager
- Navigate to Users
- Press +Add
- Enter a First Name
- Enter a Last Name
- Under Managed Apple Account, enter a username
- We recommend using a naming convention that can be expressed with Silverback Variables, e.g. {firstname}.{lastname}@imagoverum.com
- Enter a username such as maria.miller@imagoverum.com or mmiller@imagoverum.com
- Under Roles Select Staff
- Select your Location
- As Email Address, use e.g. the corporate email address of the user or any other personal email address to which the temporary Managed Apple ID password should be sent
When a federation is active, the email domain must match the account's federated Managed Apple Account domain.
- Add additional information (optional)
- Click Save
When a federation is active, the process is already finished here. Otherwise, you need to create a Sign-In for the users.
- Click Create Sign-In
- Select Send as an email
- Click Continue
- Click Done
Prepare Silverback
Grant users access to Self Service Portal
During enrollment, users are redirected to the Silverback Self Service Portal to authenticate to the system and associate the device with their identity in Silverback. This means you need to have at least one of the following in place:
- You have created local accounts for your users
- You have added a valid LDAP connection
- Or you are using an Identity provider
Configure Self Service Portal (optional)
After the authentication in the Self Service Portal mentioned above, users must provide their Managed Apple ID. You can simplify this step either by providing a placeholder that shows users the expected format or by defining presets based on System Variables.
- Login to your Silverback Management Console
- Navigate to Admin
- Navigate to Self Service Portal
- Configure either an Apple ID placeholder for the Self Service Portal, e.g. firstname.lastname@imagoverum.com
- Or define Apple ID presets, e.g. {firstname}.{lastname}@imagoverum.com
- Click Save
Perform a Device Enrollment
The steps shown for user enrollment relate to the perspective of the respective user:
- The user opens Settings > General > VPN & Device Management > Sign in to Work or School Account
- The user enters the Managed Apple ID, e.g. maria.miller@imagoverum.com
- The user will be forwarded to the Silverback Self Service Portal to authenticate
- The Username in the Self Service Portal will be taken from the entered Managed Apple ID
- When Identity Providers are configured and Direct Forwarding is enabled, the user will be forwarded to the IdP to enter the username
- After signing in, the ownership in the Self Service Portal will be set to User Enrollment for Apple devices
- The Managed Apple ID will be pre-filled (if configured) automatically or the user has to enter the ID manually
- After pressing Start, the profile will be downloaded automatically and the user needs to sign in to iCloud with the Managed Apple ID
- After finishing the sign-in process, the user needs to Allow Remote Management and enter their Passcode
- The enrollment will be finished.
Device Management and Limitations
Device Overview
When user enrollment is complete, the device will appear as a managed device in your Silverback Management Console. The ownership will be set to Personal by default. Open the Device Information and review the available information and actions under More. You will notice that you have limited information and limited device actions. As mentioned in the introduction to this article, this is due to the privacy of personal devices. Refer to the next chapter to learn more about the restrictions.
User Enrollment Limitations
Because User Enrollment is a modified version of the MDM protocol with a much greater focus on user privacy, implemented with a level of security that organizations and end users should feel comfortable with, User Enrollment provides a limited subset of capabilities for managing personally owned devices. This includes the following limitations:
Please note that the following list may not be up to date. We recommend verifying the official description on Apple's User Enrollment MDM Information to ensure you have the most accurate and current information including an overview about all supported profiles for the User Enrollment.
Device Actions
- Clear Passcode is not supported
- Factory Wipe is not supported
Device Overview
- Serial Number isn't exchanged
- IMEI isn't exchanged
- MAC Addresses aren't exchanged
- Network Information isn't exchanged
- Available OS Updates aren't transmitted to the backend
- Personal installed apps aren't listed
Applications
- Taking management of an app that is already installed is not supported
General Profile Support
Only the following subset of all Silverback profiles is supported:
- Exchange ActiveSync
- Extensible Single Sign-On
- Google Accounts
- Passcode
- Restrictions
- Single Sign-On
- Web Clips
- Wi-Fi
Passcode Profile
The system allows the Passcode profile type, but ignores all keys. Instead, the presence of the Passcode profile forces these settings:
- Force PIN = enabled (set automatically in the background when the Passcode profile is enabled)
- Allow Simple = disabled
- Minimum Length = 6
Restrictions Profile
Only a smaller subset of all available restrictions is supported on devices enrolled via User Enrollment. These include the following:
- Allow Diagnostic Data to be Sent to Apple
- Allow Enterprise Books Backup
- Allow Enterprise Books Sync
- Allow Lock Screen Control Center
- Allow Lock Screen Notifications View
- Allow Lock Screen Today View
- Allow Managed Apps Cloud Sync
- Allow Open In From Managed to Unmanaged Apps
- Allow Open In From Unmanaged to Managed Apps
- Allow Remote Screen Observation
- Allow Screen Capture
- Allow Siri
- Allow Siri While Locked
- Force AirDrop to be considered Unmanaged
- Force AirPlay Outgoing Requests Pairing Password
- Force Apple Watch Wrist Detection
- Force Encrypted Backup
- Force Fraud Warning
- Force Managed Pasteboard
- Force On-Device Only Dictation
- Force On-Device Translation
Additional Information
If you are distributing applications through the Volume Purchase Program, be sure to select an operation method that meets all of your organization's requirements. For example, if you are provisioning devices via the Device Enrollment Program and do not allow personal Apple IDs, the Preferred options are available to you so that you can effectively use a mix of the various Volume Purchase Program operation methods. If you use the Device-Based Assignment option, however, license assignment will not work, because devices enrolled via User Enrollment do not submit a serial number to the system and therefore no license can be assigned to the serial number.