User Enrollment for iOS/iPadOS devices
In iOS 13 and macOS 10.15 (Catalina), Apple introduced an additional method of device management called User Enrollment. User Enrollment is a modified version of the MDM protocol with a greater focus on user privacy.
Apple has announced the introduction of a new type of enrollment called User Enrollment for iOS 13, iPadOS, and macOS 10.15 Catalina devices. To prepare for the User Enrollment release, ensure that your current Device Configuration policies will apply in a predictable manner to User Enrolled devices.
These settings are also available for devices enrolled through Device Enrollment and Automated Device Enrollment (previously known as DEP).
All settings supported by Intune that Apple allows on User Enrollment devices will continue to work on these devices using your current policies.
Settings that are available for devices enrolled through User Enrollment apply to all enrolled devices.
Settings that are not marked as available for User Enrollment will not be applied to devices enrolled through User Enrollment. For example, if you block AirPrint on an iOS device that was enrolled through User Enrollment, AirPrint will not be blocked because that device restriction requires a supervised iOS device running iOS 11.0+.
Additional Information for User Enrollment
Here’s what an MDM server can *not* do for devices in User Enrollment mode in iOS 13:
The MDM server cannot erase the device.
Personal apps are not visible to the MDM server.
Personal apps cannot be converted to MDM managed apps.
Device passcodes cannot be cleared by the MDM server (i.e., it cannot unlock the device).
The MDM server cannot set a long, complex device passcode requirement.
It cannot configure a device-wide VPN or Wi-Fi proxy, nor can it manage the cellular functionality.
Device identifiers like the UDID, serial number, and IMEI are not visible to the MDM server.
In User Enrollment, the MDM server can still do everything needed to manage enterprise apps, accounts, and data:
Apps and accounts can be installed and configured.
It can enforce a six-digit passcode.
The MDM server can query data related to enterprise-managed apps, certificates, and profiles.
It can configure a per-app VPN for apps, mail, contacts, and calendars that have been installed by the MDM server.
The device will be associated with a unique enrollment ID, which changes each time a device is re-enrolled.
Some restrictions such as managed open in, managed contacts, managed data on the lock screen, and several others can be enforced by the MDM server.
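As an added example (not code from the original post, Microsoft or Apple), the following Python script performs the pre-flight check recommended above: it takes a constructed table of configuration settings with their requirements and reports which will apply, and which will be silently skipped, on a User Enrolled device versus a supervised corporate one. The setting names and requirement flags are hypothetical, derived from the post's own statements rather than Intune's real settings catalog.

```python
"""Pre-flight audit of which configuration settings will actually apply to an
iOS device, given its enrollment type, supervision state and OS version.
Added example, not code from the post, Microsoft or Apple; the requirement
table is constructed from the post's statements, not Intune's real catalog."""
from dataclasses import dataclass

@dataclass
class Device:
    enrollment: str      # "user" (User Enrollment) or "device"
    supervised: bool     # User Enrolled devices are never supervised
    os_version: str      # e.g. "13.3"

@dataclass
class Setting:
    name: str
    min_os: str = "0"                 # minimum iOS version, "0" = any
    requires_supervised: bool = False
    user_enrollment_ok: bool = True   # marked available for User Enrollment?

def version_tuple(v: str) -> tuple:
    """'13.3' -> (13, 3) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

def applicability(setting: Setting, device: Device) -> str:
    """Return 'applies' or the reason the setting is silently skipped."""
    if device.enrollment == "user" and not setting.user_enrollment_ok:
        return "skipped: not available for User Enrollment"
    if setting.requires_supervised and not device.supervised:
        return "skipped: requires a supervised device"
    if version_tuple(device.os_version) < version_tuple(setting.min_os):
        return f"skipped: requires iOS {setting.min_os}+"
    return "applies"

def audit(settings: list, device: Device) -> dict:
    """Map each setting name to its applicability on this device."""
    return {s.name: applicability(s, device) for s in settings}

# Constructed sample policy mirroring the post's examples (hypothetical names)
POLICY = [
    Setting("block_airprint", min_os="11.0", requires_supervised=True),
    Setting("passcode_min_length_6"),
    Setting("passcode_long_complex", user_enrollment_ok=False),
    Setting("device_wide_vpn", user_enrollment_ok=False),
    Setting("per_app_vpn"),
]
if __name__ == "__main__":
    byod = Device(enrollment="user", supervised=False, os_version="13.3")
    for name, result in audit(POLICY, byod).items():
        print(f"{name:24} {result}")
```

Running the audit against every device class you expect to enroll, before assigning the profile, surfaces the settings that would otherwise fail without any error in the admin center.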
Use case for User Enrollment
When employees bring their own devices to work, it is difficult to convince them to grant you permission to see the apps they have installed, clear their passcode at any time, or wipe their devices. You are likely to find yourself in this situation whenever employees use their own devices in a deployment.
User Enrollment does not appear to be very practical outside BYOD scenarios. When a business owns the hardware being managed, it will usually want the ability to unlock, track, and recover the devices as needed. In the future, as business requirements evolve, User Enrollment may prove too restrictive if this is not considered from the outset.
If you want to understand more about Managed Apple IDs and how to set them up, please refer to my previous post on SCIM setup.
Create an enrollment type profile for iOS/iPadOS
User Enrollment is handled through an enrollment type profile. Users receive the enrollment type configured in this profile based on their assignment to it.
In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS enrollment > Enrollment types (preview).
Select Create enrollment profile and provide a meaningful Name and Description.
On the Settings page, select one of the following options for Enrollment type:
Device enrollment: This profile will enable device enrollment for all users.
User enrollment: Each user in this profile uses User Enrollment.
Determine based on user choice: All members of this group will have the choice of which enrollment type they want to use. In the enrollment process, users can choose the ownership of their device, either I own this device or (Company) owns this device.
On the Assignments page, configure the assignment of the profile and click Next.
Note: Since this feature is based on user identities, the assignment must be a user group.
On the Review + create page, verify the configuration, and click Create.
An end-user's experience when enrolling their personal iOS device.
Download and install the Company Portal app
Open the Company Portal app and sign in using a work or school account.
On the Set-up access page, tap Begin.
On the Select device and enrollment type page, select I own this device and select Secure work-related apps and data only and tap Continue.
You will be prompted to download and install Microsoft Authenticator (you do not need to sign in to Authenticator at this stage).
On the Device management and privacy screen, read through the list of device information your organization can and cannot see. Then tap Continue.
Back on the Set-up access page, tap Continue.
On the dialog box that reads "This website is trying to download a configuration profile. Do you want to continue?", tap Allow.
On the Profile Download dialog box, tap Close.
Open the Settings app and tap on Enroll.
On the User Enrollment page, review the information and tap Enroll My iPhone.
Enter your device Passcode.
Return to the Company Portal setup and tap Continue.
Complete the setup process, including the device settings check.