Privacy and User Enrolled Devices


Apple takes user privacy extremely seriously, and has gone above and beyond to deliver a next-generation, private-by-design BYOD experience that favors user privacy while still delivering the critical capabilities IT and security teams require to enable data access confidently on personally owned devices.

Known as User Enrollment, the feature has been designed in such a way that the user's privacy is preserved by implementing a rigid separation between work and personal data.

Unlike "device enrollment" – where the entire device is being registered with a device management service – users instead elect to add a behind-the-scenes "work partition" to their device. This work partition can be managed by the user's IT department, but IT cannot in any way access a user's personal data or network activity outside of that work partition.

User Enrollment Capabilities and Limitations

From Apple's official User Enrollment guide, User Enrollment and MDM [apple.com]:

System administrators can manage only an organization’s accounts, settings, and information provisioned with MDM, never a user’s personal account. In fact, the same features that keep data secure in organization-managed apps also protect a user’s personal content from entering the corporate data stream.

Administrators can...
- Configure accounts (e.g. Mail, Contacts, Calendar)
- Install and configure apps (known as "managed" apps)
- Configure Per-app VPN (only usable with managed apps)
- Require a passcode (6 digit numeric only)
- Enforce certain restrictions
- Access inventory of managed apps
- Remove managed data only

Administrators cannot...
- See personal information, usage data or logs
- Access inventory of personal apps
- Take over management of a personal app
- Require a complex passcode
- Access device location
- Access unique device identifiers
- Remove any personal data
- Remotely wipe the entire device
- Manage Activation Lock
- Access roaming status
- Enable Lost Mode

Restrictions Permitted on User Enrolled Devices

IT administrators are permitted to configure these restrictions – and only these restrictions – on User Enrolled devices. These restrictions are generally intended to help control data flow between managed (work) apps and unmanaged (personal) apps.

Any other restriction key will be rejected by the device if an MDM attempts to install it via a mobile configuration (restrictions) payload.

Source: Restrictions Mobile Configuration Profile Documentation

Key (type): Description

forceAirDropUnmanaged (boolean): If true, causes AirDrop to be considered an unmanaged drop target. Available in iOS 9 and later. Also available for user enrollment.

allowScreenShot (boolean): If false, disables saving a screenshot of the display and capturing a screen recording. It also disables the Classroom app from observing remote screens. Available in iOS 4 and later, and macOS 10.14.4 and later. Also available for user enrollment. Default: true

forceEncryptedBackup (boolean): If true, encrypts all backups. Available in iOS 4 and later. Also available for user enrollment. Default: false

forceOnDeviceOnlyDictation (boolean): If true, disables connections to Siri servers for the purposes of dictation. Available in iOS 14.5 and later. Also available for user enrollment. Default: false

forceOnDeviceOnlyTranslation (boolean): If true, the device won’t connect to Siri servers for the purposes of translation. Available in iOS 15 and later. Also available for user enrollment. Default: false

forceWatchWristDetection (boolean): If true, forces a paired Apple Watch to use Wrist Detection. Available in iOS 8.2 and later. Also available for user enrollment. Default: false

safariForceFraudWarning (boolean): If true, enables Safari fraud warning. Available in iOS 4 and later. Also available for user enrollment. Default: false

allowAssistant (boolean): If false, disables Siri. Available in iOS 5 and later. Also available for user enrollment. Default: true

allowAssistantWhileLocked (boolean): If false, disables Siri when the device is locked. This restriction is ignored if the device doesn’t have a passcode set. Available in iOS 5.1 and later. Also available for user enrollment. Default: true

allowDiagnosticSubmission (boolean): If false, prevents the device from automatically submitting diagnostic reports to Apple. Available in iOS 6 and later, and macOS 10.13 and later. Also available for user enrollment. Default: true

allowEnterpriseBookBackup (boolean): If false, disables backup of Enterprise books. Available in iOS 8 and later. Also available for user enrollment. Default: true

allowEnterpriseBookMetadataSync (boolean): If false, disables sync of Enterprise books, notes, and highlights. Available in iOS 8 and later. Also available for user enrollment. Default: true

allowLockScreenControlCenter (boolean): If false, prevents Control Center from appearing on the Lock screen. Available in iOS 7 and later. Also available for user enrollment. Default: true

allowLockScreenNotificationsView (boolean): If false, disables the Notifications history view on the lock screen, so users can’t view past notifications. However, they can still see notifications when they arrive. Available in iOS 7 and later. Also available for user enrollment. Default: true

allowLockScreenTodayView (boolean): If false, disables the Today view in Notification Center on the lock screen. Available in iOS 7 and later. Also available for user enrollment. Default: true
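As an added example (not from Apple or from this guide), the following script pre-checks a Restrictions payload in a .mobileconfig before it is pushed to a User Enrolled device: it parses the profile with plistlib and reports which restriction keys fall inside the allow-list reproduced on this page and which the device would reject. The allow-list is only the portion of Apple's list shown above, and the sample profile, its identifiers and UUIDs are constructed for the example.

```python
import plistlib

# Restriction keys marked "Also available for user enrollment" on this page
# (the portion of Apple's Restrictions list reproduced above; extend as needed).
USER_ENROLLMENT_RESTRICTION_KEYS = {
    "forceAirDropUnmanaged", "allowScreenShot", "forceEncryptedBackup",
    "forceOnDeviceOnlyDictation", "forceOnDeviceOnlyTranslation",
    "forceWatchWristDetection", "safariForceFraudWarning", "allowAssistant",
    "allowAssistantWhileLocked", "allowDiagnosticSubmission",
    "allowEnterpriseBookBackup", "allowEnterpriseBookMetadataSync",
    "allowLockScreenControlCenter", "allowLockScreenNotificationsView",
    "allowLockScreenTodayView",
}
# Bookkeeping keys every payload dictionary carries; they are not restrictions.
PAYLOAD_METADATA_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID",
                         "PayloadVersion", "PayloadDisplayName",
                         "PayloadDescription", "PayloadOrganization"}

# Constructed sample profile: one Restrictions payload (PayloadType
# com.apple.applicationaccess) mixing two keys from the allow-list above with
# allowCamera, which is not on the allow-list shown on this page.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.ue.restrictions</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>PayloadIdentifier</key><string>example.ue.restrictions.payload</string>
    <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>forceEncryptedBackup</key><true/>
    <key>allowScreenShot</key><false/>
    <key>allowCamera</key><false/>
  </dict></array>
</dict></plist>"""


def check_user_enrollment_restrictions(profile_bytes: bytes) -> dict:
    """Classify every restriction key in the profile's Restrictions payloads as
    accepted (on the User Enrollment allow-list) or rejected (any other key)."""
    profile = plistlib.loads(profile_bytes)
    accepted, rejected = [], []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue  # other payload types are outside this check's scope
        for key in payload:
            if key in PAYLOAD_METADATA_KEYS:
                continue
            (accepted if key in USER_ENROLLMENT_RESTRICTION_KEYS else rejected).append(key)
    return {"accepted": sorted(accepted), "rejected": sorted(rejected)}
```

Run it against a real profile with `check_user_enrollment_restrictions(open("profile.mobileconfig", "rb").read())`; a non-empty "rejected" list means the device will refuse that payload under User Enrollment.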