iOS 13 will dramatically improve MDM for BYOD. Hello User Enrollment!

Now updated with Part 2! – The new privacy-focused User Enrollment mode for MDM is just what we’ve been waiting for.

This article was published in two parts. The second part has now been added below.

The headline says it all. At WWDC 2019, Apple announced that iOS 13 will have a new form of MDM called User Enrollment, which is tailored to give BYOD users more privacy. This is a significant and long-awaited move, and it will affect how companies plan their enterprise mobility deployments going forward.

Apple shared details of User Enrollment last Friday in the WWDC session, “What’s new in Managing Apple Devices.” Today, I’ll give an overview and share my initial thoughts, along with a look at other new enterprise features coming in iOS 13, macOS 10.15, tvOS, and app distribution.

Why we’ve been waiting for User Enrollment

If you’ve been reading this blog for a while, you know that several times over the last few years, I published (and updated) an article called “iOS MDM needs to get better at BYOD.” The basic issue is that iOS MDM, as it existed in iOS 12 and earlier, just didn’t address all the privacy needs of users and organizations.

iOS 7 introduced some built in mobile app management features, including managed open in, per-app VPN, Kerberos-based SSO, and managed app configurations. However, the MDM protocol itself still allowed a bunch of fairly intrusive configurations, commands, and queries that many users weren’t comfortable with, such as listing all the apps installed on the device or erasing it completely. Third-party MDM servers could always choose not to take all of these remote management rights (a feature of the MDM protocol itself) or limit features in the server logic, but these approaches weren’t enough. As a result, many users weren’t comfortable enrolling their BYOD devices. (Fortunately for those users, most EMM products also offer MAM-only deployment without enrollment, where enterprise controls happen within the app, not at the device level. Queue up the great MAM debates!)

For a few years, most of Apple’s MDM improvements concentrated on corporate devices, using Automated Device Enrollment (formerly DEP) and supervised mode. And at the same time, Android Enterprise Work Profiles had gone much farther in terms of privacy. The EMM industry has been hoping for a change. In addition, privacy is a company-wide, headline-grabbing strategy at Apple now.  So, we were all very excited to see a quick mention of new features for BYOD in the main Apple WWDC 2019 keynote last Monday.

What is User Enrollment?

User Enrollment is a modified version of the MDM protocol with a much greater focus on user privacy, implemented with a level of security that enterprises should be comfortable with.

Here’s what an MDM server can do in a standard MDM enrollment, but will *not* be able to do in User Enrollment mode in iOS 13:

  • The MDM server cannot erase the device. (And if an Exchange account is configured via User Enrollment MDM, it cannot erase the device, either.)
  • It cannot see what personal apps the user has installed. (There are also many forms of personal data that MDM servers have never been able to see, like iMessages and photos.) It also cannot convert personally installed apps into MDM-managed apps.
  • It cannot clear the device passcode (i.e. unlock the device).
  • It cannot set a long, complex device passcode requirement.
  • It cannot configure a device-wide VPN or Wi-Fi proxy, nor can it do any management of the cellular functionality.
  • It cannot see device identifiers like the UDIC, serial number, or IMEI.
  • And there are many device-wide restrictions, such as restricting the app content rating, blocking iCloud, and all the supervised restrictions, which the MDM server cannot apply under User Enrollment.

In User Enrollment, the MDM server can still do everything needed to manage enterprise apps, accounts, and data:

  • It can install and configure apps and accounts.
  • It can enforce a six-digit passcode. (I think we can all agree that this is reasonable, especially since almost all iOS devices have biometrics.)
  • It can query data related to enterprise-managed apps, certificates, and profiles.
  • It can configure a per-app VPN for apps, mail, contacts, and calendars that have been installed by MDM.
  • The device will be associated with an enrollment ID, which changes if the device is re-enrolled.
  • It can enforce some restrictions, like managed open in, managed contacts, managed data on the lock screen, and several others. (See here for more.)

Enterprise data is stored in a separate APFS volume, which is created at enrollment, and encrypted separately from user data. This volume contains data stored by managed apps; enterprise Notes; enterprise iCloud Drive docs; enterprise Keychain entries; managed mail attachments and bodies; and calendar attachments. Unenrolling from MDM destroys the volume and the keys.

The final pillar of User Enrollment the user’s managed Apple ID, which is required, and associated with all enterprise apps and data on the device and in iCloud Drive. Managed Apple IDs have existed for education of a few years now; and you can create them in Apple School Manager, and soon, Apple Business Manager.

Apple School Manager, and soon Apple Business Manager, can federate with Microsoft Azure Active Directory to create the managed IDs. This is a logical starting point, since so many organizations have Office 365 these days, but it would be great to see support for other identity providers. (So be sure to submit your feedback!)

The end user enrollment workflow has been simplified, too. (Check out the session video starting around 20:50 for a demo.) Users will still have go to the Settings app to kick off the enrollment after they download a profile (a process introduced in iOS 12.2), but now there’s a prominent button at the top of the main Settings page to make it easier. Then the enrollment process brings up a new information dialogue, with fewer ominous warnings and buttons to tap. The last step will be for users to authenticate with their managed Apple ID (which in most situations, should be federated).

All third-party apps will have to be either a personal app or associated with the managed Apple ID and MDM—they can’t work in both modes, and as mentioned, the MDM service can’t start managing apps that the user has already installed. Some system apps like Notes and Files will support both work and personal accounts, though.

User Enrollment is also supported on macOS. Like iOS, you’ll need a managed Apple ID, and then User Enrollment will create a separate APFS volume, it will separate data in Notes, and have similar management capabilities.

The standard MDM mode is still around, of course, and is now known as Device Enrollment. (So if you’re following along at home, the three MDM modes are Automated Device Enrollment, Device Enrollment, and User Enrollment. Many organizations won’t be able to change overnight (re-enrollment can be disruptive), and ASM and ABM still aren’t available in all countries.

What does User Enrollment mean?

We’re going to be talking about this a lot over the next few months, especially as EMM vendors start announcing their plans to support it. (They definitely have a lot of work ahead of them to get to day one support when iOS 13 rolls out in September!)

The big question is what type of new use cases this will enable. For new, I’ll just look at this in a general way: Many users (and organizations) that previously rejected MDM for BYOD for privacy reasons will now be able to consider User Enrollment.

However, there will still be plenty of use cases for MAM SDKs and apps that are deployed without MDM enrollment. (So if you were planning on sending me a pitch about how iOS 13 is going to kill MAM SDKs, like some folks did after iOS 7, save yourself the time and know that I still won’t agree with you.) For example, multiple MDM server enrollment still isn’t a thing, and the fact that you can’t use third-party apps in both work and personal mode could be a blocker for some situations. We’ll have to see what type of extended enterprise use cases (i.e. contractor, partner, gig economy, etc.) that User Enrollment is and is not suitable for, too.

But overall, we can safely assume that MDM enrollment rates will increase under User Enrollment, and that this is a huge opportunity for EMM vendors, enterprise customers, Apple, and end users alike.

Sure, I would have preferred it to happen sooner. Android Enterprise work profiles really helped raise the bar for MDM intended for BYOD, and they’ve been around for a while now, though User Enrollment will probably spread faster. (We’ll save the rest of this comparison conversation for another time.)

Again, in summary, this is a big deal. Apple had a slide in their session called “It’s time to evolve BYOD” and talked about setting a better balance. The EMM industry is going to be excited to build around this, and this is the enrollment method that I would choose for my personal phone.

App Distribution

Enterprise app distribution is undergoing some interesting changes, too. Apple has introduced a new model for private distribution in the form of Custom Apps, and they’re encouraging enterprises that can to move away from in-house app distribution using enterprise certificates. (See the WWDC session “App Distribution – From Ad Hoc to Enterprise.”) Custom apps are already available for education, and will come to business soon.

Custom App distribution is based on the B2B app distribution model, which uses the App Store infrastructure. This brings all sorts of advantages, like the fact that you don’t have to keep resigning your apps, and you get to use the App Store’s infrastructure, along with things like TestFlight and app thinning. These apps get reviewed by Apple, but word on the street is that some of the criteria are somewhat different than the consumer review process, even though the guidelines are the same.

The difference with Custom Apps is that companies can now use the B2B model to distribute apps to their own employees. This means no more re-signing apps, hosting them, and making sure that they have access to the internet. Presumably, this is also an opportunity for Apple to address abuse of enterprise certificates, which can be used to circumvent the App Store and its policies.

Custom Apps can be distributed via MDM, or via redemption codes for non-enrolled devices. According to the WWDC session, they can target use cases for partners, clients, franchisees, internal employees, and affiliates. Companies should look at their enterprise license agreement with Apple (which is not available to the public) for more specific language on this.

Part 2

Added Tuesday, June 11.

Single Sign-On

Identity management is the biggest trend in end user computing today, and iOS 13 and macOS 10.15 are no exception. The new Single Sign-On extensions, along with Extensible SSO MDM profiles, can work together to ensure that SSO takes place with the desired, smooth flow. (Note that this is not the same as Sign In with Apple, which is consumer-oriented.)

The Extensible SSO MDM profile specifies which app authentication URLs are redirected to SSO extensions. (The Associated Domains concept ensures that you can only redirect the traffic you should be.) Next, the SSO extensions take care of doing a modern authentication with an identity provider.

Remember that extensions are basically a part of an app that can reach out and be integrated into other workflows in iOS and macOS, so if it helps, just think “app.” For the SSO extensions, the authentication can be in a native UI, in a web UI, or silent, and there are many different options for identity standards and user experiences, including MFA (as well as WebAuthn and FIDO2 on Mac). As Apple pointed out at WWDC, developers can also use the extensions (and their associated apps) to do other things, like generate a key with the Secure Enclave on the device, check the OS version for conditional access policies, or perform a password reset with the IdP.

The SSO extensions come in two varieties, one for redirect flows, and one for getting credentials, which also supports Kerberos.

The Kerberos version of the extension will be included with iOS and macOS, and can also be used with Apple Enterprise Connect to sync macOS passwords with Active Directory. It also supports smart card and certificate-based authentication. As we saw with products like Jamf Connect and Mosyle Auth, this is a big topic in Mac management these days, so I’m looking forward to seeing how the industry reacts.

Other MDM updates

Restrictions deprecations
As Apple has been warning for years, a bunch of restrictions that were available in the standard MDM mode will now only be available for supervised devices. (These restrictions will stay in place for devices that upgrade from iOS 12 to 13, but not for devices that are backed up and restored, or devices that are newly enrolled.) They are personal app installation, app removal, FaceTime, iTunes, Safari, iCloud data usage, multiplayer gaming and Game Center friends, explicit content, and Siri.

New restrictions
On the other hand, there are some new supervised restrictions for iOS: Allow hotspot modification; Find my devices; Find my friends; QuickPath keyboard; and Wi-Fi modification.

And for Apple TV, new restrictions include: allow device to sleep, and have device always ready to AirPlay.

Automated Device Enrollment
Automated Device Enrollment (formerly DEP) will result in devices being managed and supervised, no matter what.

The Automated Device Enrollment flow in Setup Assistant now has a customizable web UI, which can be used for a number of purposes like branding, user agreements, or most importantly, modern authentication. Again, this has been a big topic of conversation in Automated Device Enrollment for the last year or so.

Certificate transparency
iOS and macOS introduced some new certificate transparency features, but as this could be a security risk, there’s an MDM payload to opt out of them.

Apple School Manager and Apple Business Manager
The old Apple Deployment Programs portal is sunsetting at the end of the year, so everybody should be using these new portals as their interface to VPP, Automated Device Enrollment, and managed Apple IDs.

Documentation
Apple is bringing MDM documentation to the Apple Developer site, with tools to highlight new changes. See developer.apple.com/documentation/devicemanagement. This is in addition to MDM documentation at help.apple.com and support.apple.com.

Managed Apple IDs for admins will provide access to AppleSeed for IT, which includes beta software, documentation, and feedback tools.

Classroom
Classroom is an app that allows teachers to manage student iPads (think of tasks like mirroring, monitoring, and single app mode), and it will now be coming to macOS, too.

Safari and iPads
We could have a whole discussion about the iPad as a laptop replacement, but here’s one interesting point I learned: The user agent string for Safari in iPadOS will identify the device as a Mac. (So SEO pros should be aware of that, too.)

Content caching
While Apple content caching was previously a best effort, it can now be managed and set as mandatory.

Apple TV
tvOS now has more management features to bring it even closer to iOS. It now supports managed software updates, you can force it to use automatic date and time settings, and screen savers work with content caching, too.

macOS

macOS has plenty of new security features, which are really worthy of their own article. For example:

  • The OS is now in a read-only volume.
  • Macs with the T2 security chip support Activation Lock, just like iOS devices.
  • Apple is moving away from kernel extensions for drivers and security software, and instead making new frameworks so that they can run in the user space.
  • There are more new permissions to protect access to various files and folders, as well as key logging and screen capture.

In the WWDC session, Apple emphasized a few goals with macOS. First, they want to achieve management parity between iOS and macOS, so you’ll notice that a lot of the announcements list above include macOS from the start, or involve iOS features spreading to macOS.

Second, they want to make sure that the new security features don’t get in the way of enterprise processes. So, most of the new security features can be disabled via MDM, giving companies time to adopt them at their own pace. For example, you can use MDM to whitelist apps that aren’t notarized.

Here are some of the new MDM changes for macOS:

  • There are new management controls for Apple Remote Desktop.
  • MDM can manage bootstrap tokens, which was described as being useful for Macs that use mobile user accounts and FileVault.
  • There are new Privacy Policy payloads, to manage the new permissions described above.
  • Silent MDM profile installation will be deprecated.

Final thoughts

So far, we’ve really only scratched the surface. There are still many more questions to be answered about all of these new features, including more specifics about how they’ll work, how vendors will adopt them, and how customers will react.

Still, I stand by my initial thoughts: User Enrollment is going to dramatically improve iOS MDM for BYOD, and we can safely assume that enrollment rates will increase. This is the biggest Apple MDM update since iOS 7 in 2013, and it’s important news for our industry.



Join the conversation

3 comments

Send me notifications when other members comment.

Please create a username to comment.

The added privacy changes are welcome, it certainly has dampened adoption rates for my community, namely device deletion. However, I'm baffled that they've not added restrictions to the system pasteboard to prevent cross-profile exfiltration, and the lack of dual-app support still frustrates situations where the company and the individual use the same services, like Google Drive. Managed app restrictions, seem mooted without complete profile separation. -BGW
Cancel
If there is no user agent how do the mdm differentiates which device/os it is during enrollment?
Cancel
Thanks for the great article.  I'm having difficulty finding information about federating ABM with Azure AD.  Is this not yet available for ABM?  Thanks!
Cancel

-ADS BY GOOGLE

SearchVirtualDesktop

SearchEnterpriseDesktop

SearchServerVirtualization

SearchVMware

Close