User enrollment mode

In support of Apple's user enrollment for iOS 13+ and macOS 10.15+ devices, MaaS360® extends user enrollment support on iOS 13+ non-supervised devices. With this capability, user data privacy is maintained on BYOD devices. Administrators can protect corporate content on BYOD devices by managing only corporate data instead of the whole user device management. The user enrollment mode is based on the Managed Apple ID that can be created from the Apple Business Manager account. MaaS360 currently supports only local Managed Apple ID for user enrollment.

What is supported in user enrollment mode?

User enrollment works based on an enrollment ID rather than the device serial number. Any feature that works on this system information is not available through user enrollment. The following capabilities are supported in user enrollment mode:

  • A separate disk partition is created for corporate resources on the device.
  • A limited set of device attributes is available for the administrator to view in the MaaS360 Portal after the user enrollment action is complete. Note: Any user or device sensitive information, such as UDID or the serial number, is not displayed in the MaaS360 Portal.
  • The administrator is allowed to perform a selective wipe action on employee-owned devices. Device actions such as reset passcode and device wipe are not allowed.
  • Any apps that are installed directly from the app store by the user are protected from being viewed and managed by an administrator. MaaS360 cannot convert apps that were installed directly by the user as managed apps.
  • User enrolled devices can get apps only with user-based VPP licenses. For more information, see Downloading the Apple VPP token from Apple Business Manager. Free apps must also be assigned user VPP license mode only. App management does not support device-based VPP licenses for user enrolled devices.
  • A subset of iOS MDM policies that are available with managed mode are also available for user enrolled devices. These attributes are tagged as UE in the user interface. Use the toggle option to filter policy settings that apply to user enrolled devices.