User Enrollment for iOS devices in MaaS360

User Enrollment is a new mode of enrollment that is designed for employee-owned (BYOD) devices that are also used for work.

User Enrollment creates a separate volume for work apps and data. The management capabilities are restricted to the storage area that contains corporate data, while the personal volume, where the user's personal information is stored, remains private and inaccessible to administrators. Note: User Enrollment is supported on iOS 13+ devices only.

What is supported in user enrollment mode?

User Enrollment works based on an enrollment ID rather than the device serial number. Any feature that relies on that system information is not available through User Enrollment. The following capabilities are supported in User Enrollment mode:

  • A separate disk partition is created for corporate resources on the device.
  • A limited set of device attributes is available for the administrator to view in the MaaS360® Portal after enrollment. Note: Any sensitive user or device information, such as the UDID or the serial number, is not displayed in the MaaS360 Portal.
  • The administrator is allowed to perform a selective wipe action on employee-owned devices. Device actions such as reset passcode and device wipe are not allowed.
  • Any apps that the user installs directly from the App Store are protected from being viewed and managed by an administrator. MaaS360 cannot convert apps that were installed directly by the user into managed apps.
  • User Enrollment devices receive apps only with user-based VPP licenses. For more information, see Downloading the Apple VPP token from Apple Business Manager. Free apps must also be assigned in user VPP license mode only. App management does not support device-based VPP licenses for user-enrolled devices.
  • A subset of the iOS MDM policies that are available with managed mode is also available for User Enrollment devices. These attributes are tagged as UE in the user interface. Use the toggle option to filter policy settings that apply to User Enrollment devices.

Managed Apple ID

A Managed Apple ID is a prerequisite for User Enrollment. The Managed Apple ID must be integrated with the user account to establish that user's identity on the device. If the Managed Apple ID is not integrated, self-enrollments fail and administrators cannot create enrollment requests. As a part of the device enrollment process, users are required to authenticate against their Managed Apple ID to complete the enrollment. A new storage area associated with the Managed Apple ID is created on the enrolled device alongside the one for the personal Apple ID. The two storage areas coexist on the same device without interacting with each other.

Note: MaaS360 allows administrators to use the user's email address as the Managed Apple ID. For more information, see Configuring user settings in the MaaS360 Portal.