Privacy and User Enrolled Devices
  • 07 Sep 2022

Apple takes user privacy seriously and has built a private-by-design BYOD experience that favors user privacy while still giving IT and security teams the controls they need to permit access to organizational data on personally owned devices with confidence.

Known as User Enrollment, the feature preserves the user's privacy by enforcing a strict separation between work and personal data.

Unlike device enrollment, where the entire device is registered with a device management service, the user instead adds a behind-the-scenes "work partition" to the device. The organization's IT department can manage that work partition, but it cannot access the user's personal data or network activity outside of it. Under the hood, the managed accounts, apps and data live on a separate APFS volume that is cryptographically separated from the personal volume and is destroyed when the enrollment is removed.

User Enrollment Capabilities and Limitations

From Apple's User Enrollment and MDM guide (apple.com):

System administrators can manage only an organization’s accounts, settings, and information provisioned with MDM, never a user’s personal account. In fact, the same features that keep data secure in organization-managed apps also protect a user’s personal content from entering the corporate data stream.

Administrators can:
  • Configure accounts (e.g. Mail, Contacts, Calendar)
  • Install and configure apps (known as "managed" apps)
  • Configure Per-App VPN (only usable with managed apps)
  • Require a passcode (6-digit numeric only)
  • Enforce certain restrictions (listed in the next section)
  • Access the inventory of managed apps
  • Remove managed data only

Administrators cannot:
  • See personal information, usage data or logs
  • Access the inventory of personal apps
  • Take over management of a personal app
  • Require a complex passcode
  • Access device location
  • Access unique device identifiers
  • Remove any personal data
  • Remotely wipe the entire device
  • Manage Activation Lock
  • Access roaming status
  • Enable Lost Mode

Restrictions Permitted on User Enrolled Devices

IT administrators may configure the restrictions below, and only these, on User Enrolled devices. They are generally intended to control the flow of data between managed (work) apps and unmanaged (personal) apps, and none of them exposes personal data or device identifiers to the organization.

Any other restriction key delivered to the device in an MDM configuration profile (Restrictions payload) is rejected by the device rather than applied.

Source: Restrictions Mobile Configuration Profile Documentation

Key (type): description

forceAirDropUnmanaged (boolean)
    If true, causes AirDrop to be considered an unmanaged drop target. Available in iOS 9 and later. Also available for user enrollment.

allowScreenShot (boolean)
    If false, disables saving a screenshot of the display and capturing a screen recording. It also disables the Classroom app from observing remote screens. Available in iOS 4 and later, and macOS 10.14.4 and later. Also available for user enrollment. Default: true

forceEncryptedBackup (boolean)
    If true, encrypts all backups. Available in iOS 4 and later. Also available for user enrollment. Default: false

forceOnDeviceOnlyDictation (boolean)
    If true, disables connections to Siri servers for the purposes of dictation. Available in iOS 14.5 and later. Also available for user enrollment. Default: false

forceOnDeviceOnlyTranslation (boolean)
    If true, the device won't connect to Siri servers for the purposes of translation. Available in iOS 15 and later. Also available for user enrollment. Default: false

forceWatchWristDetection (boolean)
    If true, forces a paired Apple Watch to use Wrist Detection. Available in iOS 8.2 and later. Also available for user enrollment. Default: false

safariForceFraudWarning (boolean)
    If true, enables the Safari fraud warning. Available in iOS 4 and later. Also available for user enrollment. Default: false

allowAssistant (boolean)
    If false, disables Siri. Available in iOS 5 and later. Also available for user enrollment. Default: true

allowAssistantWhileLocked (boolean)
    If false, disables Siri when the device is locked. This restriction is ignored if the device doesn't have a passcode set. Available in iOS 5.1 and later. Also available for user enrollment. Default: true

allowDiagnosticSubmission (boolean)
    If false, prevents the device from automatically submitting diagnostic reports to Apple. Available in iOS 6 and later, and macOS 10.13 and later. Also available for user enrollment. Default: true

allowEnterpriseBookBackup (boolean)
    If false, disables backup of Enterprise books. Available in iOS 8 and later. Also available for user enrollment. Default: true

allowEnterpriseBookMetadataSync (boolean)
    If false, disables sync of Enterprise books, notes, and highlights. Available in iOS 8 and later. Also available for user enrollment. Default: true

allowLockScreenControlCenter (boolean)
    If false, prevents Control Center from appearing on the Lock screen. Available in iOS 7 and later. Also available for user enrollment. Default: true

allowLockScreenNotificationsView (boolean)
    If false, disables the Notifications history view on the Lock screen, so users can't view past notifications. However, they can still see notifications when they arrive. Available in iOS 7 and later. Also available for user enrollment. Default: true

allowLockScreenTodayView (boolean)
    If false, disables the Today view in Notification Center on the Lock screen. Available in iOS 7 and later. Also available for user enrollment. Default: true
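Because a device silently refuses any restriction key outside this list, it is worth checking a Restrictions payload before pushing it to User Enrolled devices. The following pre-flight checker is an added example written for this article; it is not Apple's code and not part of the original page. It assumes the standard Restrictions payload type `com.apple.applicationaccess`, uses the allow-list and defaults tabulated above, and the payload identifiers and sample profile are constructed for illustration only.

```python
"""Pre-flight check of a Restrictions payload for User Enrolled devices.

Added example, not Apple's code. The allow-list and defaults come from the
table in this article; the sample profile and identifiers are constructed.
"""
import plistlib
import uuid

# Restriction keys the article lists as available for User Enrollment, mapped to
# the default the article states for each (None where it states no default).
USER_ENROLLMENT_RESTRICTIONS = {
    "forceAirDropUnmanaged": None,
    "allowScreenShot": True,
    "forceEncryptedBackup": False,
    "forceOnDeviceOnlyDictation": False,
    "forceOnDeviceOnlyTranslation": False,
    "forceWatchWristDetection": False,
    "safariForceFraudWarning": False,
    "allowAssistant": True,
    "allowAssistantWhileLocked": True,
    "allowDiagnosticSubmission": True,
    "allowEnterpriseBookBackup": True,
    "allowEnterpriseBookMetadataSync": True,
    "allowLockScreenControlCenter": True,
    "allowLockScreenNotificationsView": True,
    "allowLockScreenTodayView": True,
}

RESTRICTIONS_PAYLOAD_TYPE = "com.apple.applicationaccess"  # Restrictions payload
PAYLOAD_META_KEYS = {
    "PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID",
    "PayloadDisplayName", "PayloadDescription", "PayloadOrganization",
}


def check_restrictions_payload(payload):
    """Classify every restriction key in one com.apple.applicationaccess payload."""
    report = {"effective": {}, "redundant": {}, "rejected": {}, "type_errors": {}}
    for key, value in payload.items():
        if key in PAYLOAD_META_KEYS:
            continue
        if key not in USER_ENROLLMENT_RESTRICTIONS:
            # Not on the User Enrollment list: the device will refuse it.
            report["rejected"][key] = value
        elif not isinstance(value, bool):
            # Every permitted key is boolean; anything else is a malformed payload.
            report["type_errors"][key] = value
        elif value == USER_ENROLLMENT_RESTRICTIONS[key]:
            # Same as the documented default: setting it changes nothing.
            report["redundant"][key] = value
        else:
            report["effective"][key] = value
    return report


def audit_profile(profile_bytes):
    """Parse a .mobileconfig (XML or binary plist) and audit each Restrictions payload."""
    profile = plistlib.loads(profile_bytes)
    results = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_PAYLOAD_TYPE:
            identifier = payload.get("PayloadIdentifier", "<unnamed>")
            results.append((identifier, check_restrictions_payload(payload)))
    return results


def build_sample_profile():
    """Constructed sample profile exercising each outcome (not from a real deployment)."""
    restrictions = {
        "PayloadType": RESTRICTIONS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.byod.restrictions",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "BYOD Restrictions (sample)",
        "allowScreenShot": False,          # permitted, differs from default: effective
        "forceEncryptedBackup": True,      # permitted, differs from default: effective
        "allowLockScreenTodayView": True,  # permitted but equals default: redundant
        "allowAssistant": "no",            # wrong type: should be a boolean
        "allowCamera": False,              # not on the User Enrollment list: rejected
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.byod",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "BYOD profile (sample)",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for identifier, report in audit_profile(build_sample_profile()):
        print(identifier)
        for bucket, keys in report.items():
            print(f"  {bucket}: {keys}")
```

Run it against a real exported .mobileconfig by replacing `build_sample_profile()` with the file's bytes. Anything in the `rejected` bucket would be dropped by a User Enrolled device, so a profile that relies on such a key (for example a camera restriction) gives a false sense of control on BYOD hardware and belongs only in a device-enrollment profile.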
