---
title: "User Enrollment"
slug: "user-enrollment"
updated: 2024-02-07T05:35:46Z
published: 2024-02-07T05:35:46Z
---


# User Enrollment

**How does Jamf support BYOD?**

Jamf leverages User Enrollment for its global fleet of employee BYOD devices, exactly as described in this article.

Want to see how we do it? Check out [How We BYO @ Jamf](https://www.youtube.com/watch?v=vohNJkr52U8) from JNUC 2023!

[User Enrollment](https://support.apple.com/guide/deployment/user-enrollment-and-mdm-dep23db2037d/web) is the native, Apple-supplied vehicle for supporting personally-owned (BYO) devices. Trusted Access is **specifically designed** to leverage User Enrollment; other BYOD strategies are **not supported** by the solution.

Trusted Access depends upon the inherent, [private-by-design](/v1/docs/privacy-user-enrollment) architecture delivered by User Enrollment. Specifically, on a single *physical* device, user enrollment effectively enables two *logical* device partitions: one for personal use and one for work.

Work apps, accounts, and data are stored in a "managed" partition, which Apple implements as a separate APFS volume with its own encryption keys, while personal apps and data remain on the "personal" partition. The boundary is enforced by the operating system: IT administrators have *no* visibility or control over data in motion or at rest on the personal side. Administrators do have [limited but essential controls](/v1/docs/user-enrollment#configuring-data-loss-protection) to manage data flow *between* the partitions for Data Loss Protection purposes.

To the end user, Apple blends the work and personal apps at the user interface level, so it *feels* like the user has a single device. Apple provides innovative and integrated [Focus Filters](https://support.apple.com/guide/iphone/set-up-a-focus-iphd6288a67f/ios) that allow a user to hide work apps from view, disable notifications, and hide emails and calendar events when it is time to check out for the day.

To support app installation and further separate work and personal identity, Apple requires a [Managed Apple ID](/v1/docs/about-managed-apple-ids) (MAID) to create and use the work partition on the device. MAIDs are organization-managed Apple IDs that typically take the form of the user's work email address (e.g. `jane@company.com`), with authentication handled by the organization's identity provider through [federated authentication](/v1/docs/federated-authentication-with-abm). A user can therefore use a MAID without really knowing it: they sign in with their email address and IdP credentials to initialize and use it.

This separation even extends to networking. An IT administrator can only apply company VPN networking to *managed* work applications, with no ability to manipulate or intercept traffic on the personal side in any way. Conversely, a user is free to use iCloud Private Relay or their own VPN of their choice that will only apply to their *unmanaged* personal applications.

![Jamf_Trusted_Access_User_Enrollment.png](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/Jamf_Trusted_Access_User_Enrollment.png)

From a Trusted Access perspective, this allows the solution architecture to treat the **personal** side of the device as **"unsanctioned"** while treating the **work** side of the device as **"sanctioned"**.

By coupling this deployment strategy with Jamf technologies via Trusted Access:

- Most employees no longer need to carry two phones: the privacy guarantees and transparency of User Enrollment give users the confidence to enroll their own devices.
- Enrollment is easy and driven by the user through the native iOS/iPadOS user interface and federated authentication.
- Compliance is achieved by making User Enrollment a required step to access critical apps on a mobile device, such as email. See this [demo video](/v1/docs/ios-personally-owned-device) as an example.
- Organizational data, both at rest and in motion, is securely managed and segmented from personal data and activity.
- IT organizations can confidently make the entire library of work iOS/iPadOS apps available to end users, enabling more productive mobile work without technical/developer overhead.

## Deploying User Enrollment

While User Enrollment does not deploy device-wide management capabilities, it is still deployed using Mobile Device Management (MDM) APIs, facilitated by Jamf Pro.

**Prerequisites**

- Devices with iOS/iPadOS 15.0 or later
- Jamf Pro 10.33 or later
- The ability to serve a JSON file from your domain's web server at `/.well-known/com.apple.remotemanagement` (the path carries no `.json` extension; the response body is JSON)
- An Apple Business Manager or Apple School Manager account

Follow these steps to get User Enrollment up and running in your environment:

1. [Configure Single Sign On integration](https://docs.jamf.com/jamf-pro/documentation/Single_Sign-On.html) in Jamf Pro for user-initiated enrollment.
2. [Setup Federated Authentication via ABM](/v1/docs/federated-authentication-with-abm) to enable Managed Apple IDs to be automatically created and authenticated using your organization's identity provider.
3. [Host a service discovery .json file](https://docs.jamf.com/10.41.0/jamf-pro/documentation/Account-Driven_User_Enrollment_for_Personally_Owned_Mobile_Devices.html) that Account-Driven User Enrollment uses to point the unmanaged device to your Jamf Pro instance. The device requests `https://{{your company domain}}/.well-known/com.apple.remotemanagement` over HTTPS, where the domain is taken from the user's Managed Apple ID.
  1. Don't forget to set the `Content-Type` header to `application/json` (not `application-json`, a common typo) in the response to the device's `GET` request; otherwise the device will not use the file.
4. [Enable User Enrollment for Mobile Devices](https://docs.jamf.com/10.41.0/jamf-pro/documentation/Enabling_User_Enrollment_for_Mobile_Devices.html) in Jamf Pro, being sure to enable **Account-Driven User Enrollment**.
  1. We do not recommend using profile-driven user enrollment for most end user activations.
5. Configure automatic VPP invitations for new Managed Apple IDs to enable the automatic provisioning of work managed apps.
  1. Navigate to **Users > Smart Groups** and create a new group.
  2. Provide a name, we recommend `Managed Apple IDs`
  3. Set a criteria as follows then save the smart group
    1. Criteria: `Managed Apple ID`
    2. Operator: `like`
    3. Value: `@{{your company domain}}` (e.g. `@company.com`)
  4. Navigate to **Users > Volume Assignments** and create a **New** volume assignment
  5. Configure **Options**
    1. Give a name like `BYO Devices Volume Assignment`
    2. Set the VPP location to be that of the same ABM/ASM portal that has federation of the domain being used for MAIDs
    3. Under **Apps**, check the box for any apps you want to deploy, or have available in Self Service, for BYO devices
    4. Under **Scope** make the target the MAID smart group created above (e.g. `Managed Apple IDs`)
  6. Navigate to **Users > Invitations** and create a **new** invitation
  7. Configure the **General** settings
    1. Give a **name** like `BYOD Managed Apple IDs`
    2. Set the **location** to the same VPP location as above.  **IMPORTANT:** this must originate from the same ABM/ASM server as the MAIDs coming from federation.
    3. Set the **distribution method** to **“Automatically register only users with Managed Apple IDs and skip invitation”**
    4. **Check** the box **“Automatically register with volume purchasing if users have Managed Apple IDs"**
  8. Configure **Scope**
    1. Set the scope to your Managed Apple IDs smart user group (e.g. `Managed Apple IDs`)
6. Configure the deployment of managed apps to BYOD User Enrolled devices:
  1. Navigate to **Devices > Smart Device Groups** and make a **new smart device group**
  2. Provide the new group with a **Name**, we recommend `User Enrolled BYOD Devices`.
  3. Set the **Criteria** per the below:
    1. Criteria: `Device Ownership Type`
    2. Operator: `is`
    3. Value: `Personal (Account-Driven User Enrollment)`
  4. Navigate to **Mobile Devices > Mobile Device Apps**
  5. Add or edit an existing Mobile App and add the new `User Enrolled BYOD Devices` smart group to the `Scope` for deployment.

**Customization may be required**

Depending on your existing app deployment strategy, you may need to exclude the `User Enrolled BYOD Devices` smart group from some app assignments to avoid assignment conflicts between institutionally owned and personally owned devices.

Here at Jamf, we *excluded* the `User Enrolled BYOD Devices` smart group from all existing mobile apps, and created a new app entry (and **Category** for organization) for every app that should be available to BYOD devices.

![Jamf_BYO_Apps.png](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/Jamf_BYO_Apps.png)

**About Existing Apps**

If a user already has an unmanaged version of an app installed (e.g. Google Chrome) and the MDM attempts to install a managed version of the same app, the installation will fail: under User Enrollment, Apple does not allow an unmanaged app to be converted to a managed one.

The user will need to uninstall the unmanaged version first, then re-attempt the installation of the app from Self Service.

**About Dual-Persona Apps**

Some apps support "dual personas", that is, a "work" account and a "personal" account in the same app. Examples include Slack and Dropbox.

Most vendors of such apps also provide an "EMM" version, such as "Slack EMM" and "Dropbox EMM". This lets users keep the personal version of the app on the personal side of their device, while the "EMM" version is used on the work side with their work account.

Admins can enforce that a user can only log in to the managed version of the app by [Restricting Access for Anonymous Devices](/v1/docs/access-restriction-strategies) (the "personal" side of the device appears as anonymous in this case).

7. Configure Self Service to be pushed to devices using Automatic Deployment upon enrollment.

With this configuration complete, users should now be able to enroll in User Enrollment as shown in [this experience](https://docs.jamf.com/10.41.0/jamf-pro/documentation/Account-Driven_User_Enrollment_for_Personally_Owned_Mobile_Devices.html#concept-7204).
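Step 3 above (the service discovery file) is the part of this procedure that is easiest to get subtly wrong, so here is an added example, not Jamf's or Apple's code, that builds the JSON body and checks a response the way the device would care about it: HTTP 200, a `Content-Type` whose media type is exactly `application/json`, a `Servers` array with `Version` `mdm-byod`, and an absolute `https` `BaseURL`. The JSON shape is the one Apple documents for `com.apple.remotemanagement`; the Jamf Pro `BaseURL` path `/servicediscoveryenrollment/v1/` is taken from Jamf's documentation and is an assumption you should confirm against your own instance. The two responses at the bottom are constructed, not captured from a real server.

```python
"""Service discovery check for Account-Driven User Enrollment.

Added example (not Jamf's or Apple's code). Assumptions: the JSON shape
{"Servers":[{"Version":"mdm-byod","BaseURL":...}]} that Apple documents, and
the Jamf Pro BaseURL path /servicediscoveryenrollment/v1/ from Jamf's docs.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import quote, urlparse

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
EXPECTED_MEDIA_TYPE = "application/json"


def discovery_url(managed_apple_id: str) -> str:
    """URL the device fetches: the domain of the Managed Apple ID, over HTTPS."""
    domain = managed_apple_id.rsplit("@", 1)[1].lower()
    return f"https://{domain}{WELL_KNOWN_PATH}?user-identifier={quote(managed_apple_id)}"


def build_discovery_body(jamf_pro_url: str) -> str:
    """JSON document to serve from the well-known path (assumed Jamf Pro BaseURL)."""
    base_url = jamf_pro_url.rstrip("/") + "/servicediscoveryenrollment/v1/"
    return json.dumps({"Servers": [{"Version": "mdm-byod", "BaseURL": base_url}]})


def check_discovery_response(status: int, headers: dict, body: bytes) -> list:
    """Return a list of problems; an empty list means the response looks usable."""
    findings = []
    if status != 200:
        findings.append(f"HTTP status {status}, expected 200")
    lowered = {k.lower(): v for k, v in headers.items()}
    content_type = lowered.get("content-type", "")
    # Compare the media type only, so "application/json; charset=utf-8" passes.
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != EXPECTED_MEDIA_TYPE:
        findings.append(f"Content-Type {content_type!r}, expected {EXPECTED_MEDIA_TYPE!r}")
    try:
        doc = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        findings.append("body is not valid JSON")
        return findings
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        findings.append("missing or empty 'Servers' array")
        return findings
    for entry in servers:
        if entry.get("Version") != "mdm-byod":
            findings.append(f"Version {entry.get('Version')!r}, expected 'mdm-byod'")
        base = urlparse(entry.get("BaseURL", ""))
        if base.scheme != "https" or not base.netloc:
            findings.append(f"BaseURL {entry.get('BaseURL')!r} is not an absolute https URL")
    return findings


def check_live(managed_apple_id: str, timeout: float = 10.0) -> list:
    """Fetch the real well-known file for a Managed Apple ID and check it."""
    req = urllib.request.Request(discovery_url(managed_apple_id), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return check_discovery_response(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as err:
        return check_discovery_response(err.code, dict(err.headers), err.read())


# Constructed responses, not captured from a real server.
GOOD_RESPONSE = (200, {"Content-Type": "application/json; charset=utf-8"},
                 build_discovery_body("https://company.jamfcloud.com").encode())
BAD_RESPONSE = (200, {"Content-Type": "application-json"},  # the typo this page warns about
                build_discovery_body("https://company.jamfcloud.com").encode())

if __name__ == "__main__":
    print("good:", check_discovery_response(*GOOD_RESPONSE) or "ok")
    print("bad: ", check_discovery_response(*BAD_RESPONSE))
```

Run `check_live("jane@company.com")` from a machine outside your network to confirm the file is reachable without a corporate VPN, since the personal side of an enrolling device is never on one.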

## Deploying Jamf Trust

Jamf Trust is used to enable network segmentation between managed work apps and the personal side of the device. This gives IT added assurance that corporate data is not exposed to attack on unknown third-party networks or in untrusted environments.

This is accomplished using Jamf Private Access and attaching **Per-App VPN** configurations to managed apps and accounts.

Follow these steps to configure network segmentation for managed apps on User Enrolled devices:

1. Follow the steps in [Enabling Access for Trusted Devices](/v1/docs/enabling-access-for-trusted-devices) to configure Private Access in RADAR, with the following modifications (skip the last step in the linked doc and follow these instead):
  1. Create a new **Activation Profile** titled `BYOD Device Activations` with the following configurations:
    1. Set the **Device Group** to a new group named `BYO Devices`
    2. Select the identity provider configured in RADAR (usually the same as that used for MAID federation)
    3. For **Capabilities**, minimally select **Zero Trust Network Access**. If licensed and desired, also select **Threat Defense and Data Policy**. Keep in mind that all capabilities apply only to the work partition of the device.
  2. To ensure maximum app compatibility and to enable a managed browser, create a new **Access Policy** named `BYOD Wildcard Policy` and define the following:
    1. Under **Traffic Matching** > **Application Hostnames**, add a wildcard hostname `*`.
    2. Under **Users and Groups**, select **Limited** then select the `BYO Devices` group created above.
    3. Under **Routing**, select **Encrypt and route via Private Access: Nearest Data Center**.
  3. Navigate to **Devices > Deployment > Activation Profiles** and click **Deploy** for the `BYOD Device Activations` profile you created earlier.
    1. Under **Managed Deployment** select **Jamf Pro**.
    2. Expand **iOS / iPadOS Managed App Configuration** and click **Show App Configuration**
    3. Copy the XML presented and save it for the next step. **Warning**: do **not** deploy the RADAR-defined **UEM Configuration Profiles**. They are not permitted on a User Enrolled device!
2. Navigate into Jamf Pro **Devices > Mobile Device Apps** and add a new app for **Jamf Trust**.
  1. In **App Configuration** paste the app configuration copied in the previous step.
  2. For **Scope**, define the `User Enrolled BYOD Devices` smart group created earlier.
  3. It is recommended to Auto-Deploy Jamf Trust to make sure users have it available to enable the networking required for managed applications.
3. [Create and deploy a Per-App VPN mobile configuration profile](https://docs.jamf.com/jamf-security/radar/documentation/Configuring_Per-App_VPN_on_iOS_and_iPadOS_Devices.html#task-2169) that is scoped to your User Enrolled devices (e.g. `User Enrolled BYOD Devices`)
  1. Note: `Safari Domains` are not supported on User Enrolled devices by Apple for privacy reasons.
4. Attach the Per-App VPN configuration to BYOD-enabled apps:
  1. In **Devices > Mobile Device Apps**, edit an app that you would like to add VPN networking to.
  2. Under **Per-App Networking**, select the **Per-App VPN** configuration you created in the previous step.

**Per-App VPN Behavior**

- It may take up to two minutes for the Per-App VPN configuration to be bound to the defined app after saving.
- Once bound, the mobile app will have no network connectivity until Jamf Trust is properly installed and activated by the end user.
- Traffic destinations are limited to the hostnames authorized across all Access Policies in RADAR. In an earlier step we added a wildcard `*` rule, effectively sending all traffic destinations through the VPN and out to the internet. Private destinations (e.g. internal or private cloud apps) are reachable by these applications if access policies are defined to permit them for the user and for the BYO device group as defined in RADAR.

5. We recommend deploying a "managed browser" for enterprise web browsing and attaching it to the Per-App VPN.
  1. Since Safari Domains do not work on User Enrolled devices, a non-Safari browser dedicated to work traffic should be used instead.
  2. Configure this by creating a new **Mobile Device App** using Chrome, Edge, Opera, or the private browser of your choice. Be sure to attach the Per-App VPN to it and scope it to the BYO device smart group as well.
  3. All traffic generated by this app will then flow through the Private Access infrastructure, including public and private destinations per policy.

## Configuring Data Loss Protection

Preventing the flow of "managed" work data to "unmanaged" destinations is a critical security feature of the Trusted Access solution to ensure data remains under control on endpoints.

Apple provides a [set of restriction payload keys](/v1/docs/privacy-user-enrollment#restrictions-permitted-on-user-enrolled-devices) that may be deployed on User Enrolled devices to control this data flow, including but not limited to:

- Treating AirDrop as an unmanaged destination, so data cannot be AirDropped out of managed apps
- Preventing copy/paste between managed and unmanaged apps
- Preventing "Open In..." between managed and unmanaged apps
- Preventing screenshots across the entire device (the screen cannot be partitioned, so this restriction is device-wide)
- Preventing notifications from displaying previews on the lock screen when the device is locked

Apple has selected these sets of restrictions that balance enterprise control of data with user privacy, in consideration that the device belongs to the individual.
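Because every one of these keys defaults to the permissive value when it is absent from a profile, a restrictions profile that merely *looks* locked down can still leak data through the channel nobody set. The following is an added example, not Jamf's or Apple's code, that builds a hardened `com.apple.applicationaccess` payload for the DLP controls listed above and audits an arbitrary profile against the same expectations. The key names are Apple's restriction keys; the choice of which ones to require (`DLP_EXPECTED`), the `com.example` identifiers, and the "weak" profile at the bottom are assumptions constructed for the example. Note that a User Enrolled device rejects restriction keys outside Apple's permitted set, so keep the payload to keys on that list.

```python
"""Audit a restrictions configuration profile for the DLP settings this page lists.

Added example, not Jamf's or Apple's code. Keys are Apple's
com.apple.applicationaccess restriction keys; which ones your organisation
requires is an assumption encoded in DLP_EXPECTED.
"""
import plistlib
import uuid

# Expected values for a DLP-focused profile on User Enrolled devices. Every key
# defaults to the permissive value when absent, so "not set" is a finding too.
DLP_EXPECTED = {
    "allowOpenFromManagedToUnmanaged": False,  # blocks Open In / share sheet from work to personal apps
    "allowOpenFromUnmanagedToManaged": False,  # and from personal to work apps
    "requireManagedPasteboard": True,          # copy/paste follows the same managed boundary
    "forceAirDropUnmanaged": True,             # AirDrop counts as an unmanaged destination
    "allowScreenShot": False,                  # device-wide; the screen cannot be partitioned
}


def build_dlp_profile(identifier: str = "com.example.byod.dlp") -> bytes:
    """Hardened profile as a plist; identifier is a placeholder for your reverse-DNS name."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, identifier + ".restrictions")).upper(),
        "PayloadDisplayName": "BYOD DLP restrictions",
        **DLP_EXPECTED,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, identifier)).upper(),
        "PayloadDisplayName": "BYOD DLP restrictions",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_restrictions(profile_bytes: bytes) -> list:
    """Return findings for a profile; an empty list means every DLP key is present and strict."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not payloads:
        return ["no com.apple.applicationaccess payload in profile"]
    merged = {}
    for payload in payloads:  # later payloads win, mirroring duplicated keys
        merged.update(payload)
    findings = []
    for key, expected in DLP_EXPECTED.items():
        actual = merged.get(key)
        if actual is None:
            findings.append(f"{key} not set (iOS default is permissive)")
        elif actual != expected:
            findings.append(f"{key}={actual}, expected {expected}")
    return findings


# Constructed "weak" profile: screenshots blocked, but data can still leave via Open In.
WEAK_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.byod.weak",
    "PayloadUUID": "5D1E4A23-0000-4000-8000-000000000001",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.byod.weak.restrictions",
        "PayloadUUID": "5D1E4A23-0000-4000-8000-000000000002",
        "allowScreenShot": False,
        "allowOpenFromManagedToUnmanaged": True,
    }],
})

if __name__ == "__main__":
    print("hardened:", audit_restrictions(build_dlp_profile()) or "ok")
    for finding in audit_restrictions(WEAK_PROFILE):
        print("weak:    ", finding)
```

Point `audit_restrictions` at a `.mobileconfig` exported from Jamf Pro (or at the signed profile after stripping its CMS wrapper) to confirm the GUI produced the keys you expect before scoping it to the BYOD smart group.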

## Device Passcode Requirements

User Enrollment requires, by default, a six-digit numeric passcode on the device.

It is not possible to change the complexity requirements of this device passcode as this specific requirement was selected to balance user experience with adequate security.

Given Apple's [in-built brute force protection mechanisms](https://support.apple.com/guide/security/passcodes-and-passwords-sec20230a10d/web), a six-digit passcode provides sufficient brute force attack protection for most organizations.
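To put a number on "sufficient", the following added example (not Jamf's or Apple's code) models the worst case for guessing a numeric passcode on the device itself. It uses the escalating-delay schedule Apple publishes (no delay for attempts 1 to 4, then 1 minute, 5 minutes, 15 minutes for the 7th and 8th, and 1 hour for every attempt from the 9th on) together with the roughly 80 ms the Secure Enclave spends per attempt. The model assumes attempts are serialised on the device and that the user has not enabled the optional wipe after ten failures; it says nothing about offline attacks, which are ruled out separately because the passcode is entangled with the device's hardware key.

```python
"""Worst-case on-device guessing time for a numeric passcode.

Added example; the delay schedule and the ~80 ms Secure Enclave cost per
attempt are from Apple's Platform Security guide. Assumes attempts are
serialised on the device and no 'Erase Data' wipe is configured.
"""
SEP_SECONDS_PER_ATTEMPT = 0.08
YEAR_SECONDS = 365.25 * 24 * 3600


def delay_before_attempt(n: int) -> int:
    """Seconds iOS makes the attacker wait before attempt number n (1-based)."""
    if n <= 4:
        return 0
    if n == 5:
        return 60
    if n == 6:
        return 300
    if n <= 8:
        return 900
    return 3600


def worst_case_seconds(space: int, with_delays: bool = True) -> float:
    """Time to exhaust `space` candidates. Attempts 9..space all cost 3600 s,
    so the tail is summed in closed form instead of looping a million times."""
    seconds = space * SEP_SECONDS_PER_ATTEMPT
    if with_delays:
        seconds += sum(delay_before_attempt(n) for n in range(1, min(space, 8) + 1))
        seconds += max(0, space - 8) * 3600
    return seconds


def worst_case_years(digits: int, with_delays: bool = True) -> float:
    """Years to exhaust every passcode of the given length (numeric only)."""
    return worst_case_seconds(10 ** digits, with_delays) / YEAR_SECONDS


if __name__ == "__main__":
    for digits in (4, 6):
        hours_no_delay = worst_case_seconds(10 ** digits, False) / 3600
        print(f"{digits}-digit: {hours_no_delay:7.1f} h with only the SEP cost, "
              f"{worst_case_years(digits):7.1f} years with Apple's delays")
```

The comparison is the point: without the escalating delays a six-digit space falls in under a day of Secure Enclave time, and with them it takes over a century, while a four-digit space is exhausted in about a year. The delay schedule, not the digit count alone, is what makes six digits defensible.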
