User Enrollment is a new enrollment method for iOS 13 and later devices that allows you to effectively manage settings, applications, and corporate data while protecting user privacy and personal data. With User Enrollment, you are permitted to install applications, configure profiles, and issue commands only to a managed user container on the device rather than the entire device.

User Enrollment is achieved through MDM providing a user context, called a Managed Apple ID, in the MDM profile installed on the device during enrollment. The user context instructs the device to prompt the user for their Managed Apple ID credentials to install the MDM profile. After enrollment, a specific Apple File System (APFS) volume is created for the managed data. Data in the personal volume cannot be accessed from the managed volume, keeping user data private.

Because managed data is kept in its own new volume, several existing management capabilities are not available, for privacy reasons. For example, if any app is manually installed by the user from the App Store, that app is considered personal and cannot be managed by MDM. Such user-installed apps must first be uninstalled and then reinstalled by Workspace ONE UEM to be managed.

For this reason, Workspace ONE does not permit User Enrollment using the Intelligent Hub app. If the Intelligent Hub is already installed by the user, uninstall and reinstall the Hub through MDM so that the app's data can be accessed by other Workspace ONE SDK-enabled apps.

User Enrollment Settings

Enable the User Enrollment option for iOS devices by accessing the Enrollment settings page on the Workspace ONE UEM console (Groups & Settings > All Settings > Devices & Users > General > Enrollment). Enabling the option allows supported iOS 13 and later devices to enroll to the Organization Group using Apple's User Enrollment method. User Enrollment uses the users' Managed Apple IDs rather than the enrollment user name to indicate which user the device is enrolling. The Managed Apple ID should correspond to a user’s email address in Workspace ONE UEM.