User Enrollment
Updated on 07 Feb 2024
Jamf leverages User Enrollment for its global fleet of employee BYOD devices, exactly as described in this article.
Want to see how we do it? Check out How We BYO @ Jamf from JNUC 2023!
User Enrollment is Apple's native enrollment mode for personally owned (BYO) devices. Trusted Access is specifically designed around User Enrollment; other BYOD strategies are not supported by the solution.
Trusted Access depends on the private-by-design architecture that User Enrollment delivers. On a single physical device, User Enrollment effectively creates two logical partitions: one for personal use and one for work.
Work apps, accounts and data are stored in a separately encrypted "managed" partition, while personal apps and data remain on the "personal" partition under their own keys. The boundary between the two is enforced by the operating system: IT administrators have no visibility into, or control over, data in motion or at rest on the personal side. Administrators do get a limited but essential set of controls over data flow between the partitions for data loss prevention (DLP).
To the end user, Apple blends the work and personal apps at the user-interface level, so it feels like a single device. Apple's integrated Focus Filters let a user hide work apps, silence their notifications, and hide work email and calendar events when it is time to check out for the day.
To support app installation and to further separate work and personal identity, Apple requires a Managed Apple ID (MAID) to create and use the work partition on the device. MAIDs are organization-managed Apple IDs that typically take the form of the user's work email address (e.g. jane@company.com), with authentication delegated to the organization's identity provider through federated authentication. In practice the user never has to think about the MAID: they sign in with their work email address and IdP credentials, and the MAID is created and used behind the scenes.
This separation extends to networking. An IT administrator can apply company VPN networking only to managed work applications, with no ability to manipulate or intercept traffic on the personal side in any way. Conversely, the user is free to use iCloud Private Relay or a VPN of their choice, which applies only to their unmanaged personal applications.
From a Trusted Access perspective, this allows the solution architecture to treat the personal side of the device as "unsanctioned" while treating the work side of the device as "sanctioned".
By coupling this deployment strategy with Jamf technologies via Trusted Access:
- Most employees no longer need to carry two phones, because the privacy and transparency of User Enrollment build the confidence users need to enroll their own device.
- Enrollment is easy and driven by the user through the native iOS/iPadOS user interface and federated authentication.
- Compliance is achieved by making User Enrollment a required step for access to critical apps on a mobile device, such as email. See this demo video as an example.
- Organizational data, both at rest and in motion, is securely managed and segmented from personal data and activity.
- IT organizations can confidently offer the entire library of work iOS/iPadOS apps to end users, enabling more productive mobile work without technical or developer overhead.
Deploying User Enrollment
While User Enrollment does not grant device-wide management capabilities, it is still delivered through the Mobile Device Management (MDM) protocol, facilitated by Jamf Pro. Requirements:
- Devices with iOS/iPadOS 15.0 or later
- Jamf Pro 10.33 or later
- The ability to host a .json file on your domain's web server
- An Apple Business Manager or Apple School Manager account
Follow these steps to get User Enrollment up and running in your environment:
- Configure Single Sign On integration in Jamf Pro for user-initiated enrollment.
- Set up Federated Authentication in ABM/ASM so that Managed Apple IDs are created automatically and authenticated by your organization's identity provider.
- Host a service discovery .json file on your email domain. Account-Driven User Enrollment fetches it from https://<your domain>/.well-known/com.apple.remotemanagement to find your Jamf Pro instance during User Enrollment.
  - Don't forget to set the Content-Type header to application/json in the response to the device's GET request; the device will not accept the file under any other media type.
- Enable User Enrollment for Mobile Devices in Jamf Pro, being sure to enable Account-Driven User Enrollment.
- We do not recommend using profile-driven user enrollment for most end user activations.
- Configure automatic volume purchasing (VPP) invitations for new Managed Apple IDs so that managed work apps can be provisioned automatically.
  - Navigate to Users > Smart Groups and create a new group.
    - Provide a name; we recommend Managed Apple IDs.
    - Set the criteria as follows, then save the smart group:
      - Criteria: Managed Apple ID
      - Operator: like
      - Value: @{{your company domain}} (e.g. @company.com)
  - Navigate to Users > Volume Assignments and create a new volume assignment.
    - Configure Options:
      - Give it a name like BYO Devices Volume Assignment.
      - Set the VPP location to the same ABM/ASM location that federates the domain used for MAIDs.
    - Under Apps, check the box for any apps you want to deploy to, or make available in Self Service for, BYO devices.
    - Under Scope, target the MAID smart group created above (e.g. Managed Apple IDs).
  - Navigate to Users > Invitations and create a new invitation.
    - Configure the General settings:
      - Give it a name like BYOD Managed Apple IDs.
      - Set the location to the same VPP location as above. IMPORTANT: this must originate from the same ABM/ASM instance that the federated MAIDs come from.
      - Set the distribution method to "Automatically register only users with Managed Apple IDs and skip invitation".
      - Check the box "Automatically register with volume purchasing if users have Managed Apple IDs".
    - Configure Scope: set the scope to your Managed Apple IDs smart user group (e.g. Managed Apple IDs).
- Configure the deployment of managed apps to User Enrolled BYOD devices:
  - Navigate to Devices > Smart Device Groups and create a new smart device group.
    - Provide a name; we recommend User Enrolled BYOD Devices.
    - Set the criteria as follows:
      - Criteria: Device Ownership Type
      - Operator: is
      - Value: Personal (Account-Driven User Enrollment)
  - Navigate to Devices > Mobile Device Apps.
    - Add a new mobile app, or edit an existing one, and add the User Enrolled BYOD Devices smart group to its Scope for deployment.
Depending on your existing app deployment strategy, you may need to exclude the User Enrolled BYOD Devices smart group from some app assignments to avoid conflicts between institutionally owned and personally owned devices.
Here at Jamf, we excluded the User Enrolled BYOD Devices smart group from all existing mobile apps, and created a new app entry (and a Category, for organization) for every app that should be available to BYOD devices.
If a user already has an unmanaged version of an app installed (e.g. Google Chrome) and the MDM attempts to install a managed version of the same app, the installation will fail: under User Enrollment, MDM cannot take over an app that was installed on the personal side. The user needs to uninstall the unmanaged copy first, then re-attempt the installation from Self Service.
Some apps support "dual personas", that is a "work" account and a "personal" account in the same app; Slack and Dropbox are examples. Most vendors of such apps also provide an "EMM" version of the app, such as "Slack EMM" and "Dropbox EMM". This lets users keep the personal version of the app on the personal side of the device, while the EMM version runs on the work side with their work account.
Admins can enforce that users sign in to the work account only from the managed version of the app by Restricting Access for Anonymous Devices (the personal side of the device appears as anonymous in this case).
- Configure Self Service to be pushed to devices using Automatic Deployment upon enrollment.
With this configuration complete, users should now be able to enroll in User Enrollment as shown in this experience.
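The service discovery file is the one piece of this procedure that lives outside Jamf Pro, and the Content-Type header is the thing that most often goes wrong. The following is an added example (not Jamf's code and not from the original article) that checks a response the way the device will: HTTP 200, a Content-Type of application/json, a Servers array containing an entry whose Version is mdm-byod, and an absolute https BaseURL. It assumes the well-known path and user-identifier query parameter Apple documents for Account-Driven User Enrollment; the BaseURL in the constructed sample is a placeholder, so use the value Jamf Pro provides for your instance.

```python
"""Check an Account-Driven User Enrollment service discovery response.

Added example, not Jamf's code.  When the user enters their Managed Apple ID
under Settings > General > VPN & Device Management > Sign In to Work or School
Account, the device fetches

    https://<email-domain>/.well-known/com.apple.remotemanagement?user-identifier=<email>

and expects a JSON document listing the MDM server.  This validates such a
response: HTTP 200, Content-Type application/json, a 'Servers' array with a
'mdm-byod' entry, and an absolute https BaseURL.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import quote, urlparse

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
UE_VERSION = "mdm-byod"  # Version string for Account-Driven User Enrollment


def validate_service_discovery(status, headers, body, expected_mdm_host=None):
    """Return a list of problems; an empty list means the response looks right.

    headers: mapping of header name to value (looked up case-insensitively)
    body: bytes or str
    expected_mdm_host: optional hostname every BaseURL must point at
    """
    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}, expected 200")

    content_type = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/json":
        problems.append(f"Content-Type is {content_type!r}, expected 'application/json'")

    if isinstance(body, bytes):
        body = body.decode("utf-8", errors="replace")
    try:
        doc = json.loads(body)
    except ValueError as exc:
        problems.append(f"body is not valid JSON: {exc}")
        return problems

    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        problems.append("body must be a JSON object with a non-empty 'Servers' array")
        return problems

    ue_servers = [s for s in servers if isinstance(s, dict) and s.get("Version") == UE_VERSION]
    if not ue_servers:
        problems.append(f"no Servers entry with Version {UE_VERSION!r}")
    for server in ue_servers:
        base_url = str(server.get("BaseURL", ""))
        parsed = urlparse(base_url)
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"BaseURL {base_url!r} must be an absolute https:// URL")
        elif expected_mdm_host and parsed.hostname != expected_mdm_host.lower():
            problems.append(f"BaseURL host {parsed.hostname!r} is not {expected_mdm_host!r}")
    return problems


def fetch_and_validate(email_domain, user_email, expected_mdm_host=None):
    """Fetch the live file for one user (needs network access) and validate it."""
    url = f"https://{email_domain}{WELL_KNOWN_PATH}?user-identifier={quote(user_email)}"
    request = urllib.request.Request(url)
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            return validate_service_discovery(resp.status, dict(resp.headers.items()),
                                              resp.read(), expected_mdm_host)
    except urllib.error.HTTPError as exc:
        return validate_service_discovery(exc.code, dict(exc.headers.items()),
                                          exc.read(), expected_mdm_host)


# Constructed sample responses (not captured from any real server).  The
# BaseURL path is a placeholder: use the value Jamf Pro gives for your instance.
GOOD_HEADERS = {"Content-Type": "application/json; charset=utf-8"}
GOOD_BODY = json.dumps({"Servers": [{"Version": UE_VERSION,
                                     "BaseURL": "https://jamf.example.com/path-from-jamf-pro"}]})
# The classic mistake from the step above: a header value that is not a media type.
BAD_HEADERS = {"content-type": "application-json"}

if __name__ == "__main__":
    print("good:", validate_service_discovery(200, GOOD_HEADERS, GOOD_BODY, "jamf.example.com"))
    print("bad header:", validate_service_discovery(200, BAD_HEADERS, GOOD_BODY))
    # Live check, e.g.:
    # print(fetch_and_validate("company.com", "jane@company.com", "jamf.company.com"))
```

Run it against your own domain with fetch_and_validate before asking a user to enroll; a wrong Content-Type or a redirect to an http:// URL produces a vague failure on the device, and this check names the cause.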
Deploying Jamf Trust
Jamf Trust is used to enforce network segmentation between work apps and the rest of the personal device. This gives IT added assurance that corporate data is not exposed to attack on unknown third-party networks or in untrusted environments.
This is accomplished with Jamf Private Access, by attaching Per-App VPN configurations to managed apps and accounts.
Follow these steps to configure network segmentation for managed apps on User Enrolled devices:
- Follow the steps in Enabling Access for Trusted Devices to configure Private Access in RADAR, with the following modifications (skip the last step in the linked doc and follow these instead):
  - Create a new Activation Profile titled BYOD Device Activations with the following configuration:
    - Set the Device Group to a new group named BYO Devices.
    - Select the identity provider configured in RADAR (usually the same one used for MAID federation).
    - For Capabilities, select at least Zero Trust Network Access. If licensed and desired, also select Threat Defense and Data Policy. Keep in mind that all capabilities operate only within the work partition of the device.
  - To ensure maximum app compatibility and to enable a managed browser, create a new Access Policy named BYOD Wildcard Policy and define the following:
    - Under Traffic Matching > Application Hostnames, add a wildcard hostname *.
    - Under Users and Groups, select Limited, then select the BYO Devices group created above.
    - Under Routing, select Encrypt and route via Private Access: Nearest Data Center.
  - Navigate to Devices > Deployment > Activation Profiles and click Deploy for the BYOD Device Activations profile you created earlier.
    - Under Managed Deployment, select Jamf Pro.
    - Expand iOS / iPadOS Managed App Configuration and click Show App Configuration.
    - Copy the XML presented and save it for the next step. Warning: do not deploy the RADAR-defined UEM configuration profiles. They are not permitted to be installed on a User Enrolled device.
- In Jamf Pro, navigate to Devices > Mobile Device Apps and add a new app for Jamf Trust.
  - In App Configuration, paste the app configuration copied in the previous step.
  - For Scope, use the User Enrolled BYOD Devices smart group created earlier.
  - We recommend auto-deploying Jamf Trust so that users have it available to enable the networking required for managed applications.
- Create and deploy a Per-App VPN mobile configuration profile scoped to your User Enrolled devices (e.g. User Enrolled BYOD Devices).
  - Note: Safari Domains are not supported on User Enrolled devices by Apple for privacy reasons.
- Attach the Per-App VPN configuration to BYOD-enabled apps:
  - In Devices > Mobile Device Apps, edit an app that you would like to route through the VPN.
  - Under Per-App Networking, select the Per-App VPN configuration you created in the previous step.
  - It may take up to two minutes for the Per-App VPN configuration to be bound to the app after saving.
  - Once bound, the app cannot send any network traffic unless Jamf Trust is properly installed and activated by the end user.
  - Traffic destinations are limited to the hostnames authorized across all Access Policies in RADAR. In an earlier step we added a wildcard * rule, which effectively sends all of the app's traffic through the VPN and out to the internet. Private destinations (e.g. internal or private cloud apps) are reachable from these applications only if access policies permit them for the user and the BYO device group defined in RADAR.
- We recommend deploying a "managed browser" for enterprise web browsing and attaching it to the Per-App VPN.
  - Since Safari Domains do not work on User Enrolled devices, a non-Safari browser dedicated to work traffic should be used instead.
  - Configure this by creating a new Mobile Device App for Chrome, Edge, Opera, or the private browser of your choice. Be sure to attach the Per-App VPN to it and scope it to the BYO device smart group as well.
  - All traffic generated by this browser will then flow through the Private Access infrastructure, reaching public and private destinations per policy.
Configuring Data Loss Protection
Preventing the flow of "managed" work data to "unmanaged" destinations is a critical security feature of the Trusted Access solution to ensure data remains under control on endpoints.
Apple provides a set of restrictions that may be deployed to User Enrolled devices to control this data flow, including but not limited to:
- Disabling AirDrop for managed apps
- Preventing copy/paste between managed and unmanaged apps
- Preventing "Open In..." between managed and unmanaged apps
- Preventing screenshots across the entire device
- Preventing notifications from displaying previews on the lock screen when the device is locked
Apple has selected these sets of restrictions that balance enterprise control of data with user privacy, in consideration that the device belongs to the individual.
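To make the list above concrete, here is an added example (not Jamf's or Apple's code, and not part of the original article) that builds a Restrictions payload carrying these DLP controls and audits an existing profile for any control left in its weak state. The key names are those of Apple's Restrictions payload (PayloadType com.apple.applicationaccess) as I know them; verify them against Apple's Restrictions reference before deploying, and note that Jamf Pro's own Restrictions payload exposes the same switches in its UI. The PayloadIdentifier is a placeholder. Lock-screen notification previews are configured per app through Apple's Notifications payload rather than Restrictions, so they are not covered here.

```python
"""Build and audit a Restrictions payload carrying BYOD DLP controls.

Added example, not Jamf's or Apple's code.  Each entry of DLP_KEYS maps an
Apple Restrictions key to (value that closes the leak path, value iOS assumes
when the key is absent).  An absent key is therefore a weak setting, which is
what the audit reports.  Key names should be verified against Apple's
Restrictions payload reference before use.
"""
import plistlib
import uuid

RESTRICTIONS_TYPE = "com.apple.applicationaccess"

DLP_KEYS = {
    "allowOpenFromManagedToUnmanaged": (False, True),  # "Open In..." work -> personal
    "allowOpenFromUnmanagedToManaged": (False, True),  # "Open In..." personal -> work
    "forceAirDropUnmanaged": (True, False),            # AirDrop counts as an unmanaged destination
    "requireManagedPasteboard": (True, False),         # copy/paste honours the work/personal boundary
    "allowScreenShot": (False, True),                  # screenshots and screen recording, device-wide
}


def build_dlp_profile(org, identifier="com.example.byod.dlp", overrides=None):
    """Return a .mobileconfig (bytes) enforcing the DLP restrictions.

    identifier: placeholder reverse-DNS string; use your own.
    overrides:  keys to set differently on purpose, e.g. to allow personal -> work
                "Open In..." while keeping work -> personal blocked.
    """
    settings = {key: safe for key, (safe, _default) in DLP_KEYS.items()}
    settings.update(overrides or {})
    payload = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "BYOD data loss prevention",
        **settings,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} BYOD DLP restrictions",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_dlp_profile(profile):
    """Return {key: effective_value} for every DLP key left in its weak state.

    profile: .mobileconfig bytes or an already-parsed profile dict.
    Missing keys are reported with the OS default, since an absent key does
    not restrict anything.  An empty dict means all listed leak paths are closed.
    """
    doc = profile if isinstance(profile, dict) else plistlib.loads(profile)
    merged = {}
    for payload in doc.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_TYPE:
            merged.update(payload)
    weak = {}
    for key, (safe, default) in DLP_KEYS.items():
        effective = merged.get(key, default)
        if effective != safe:
            weak[key] = effective
    return weak


if __name__ == "__main__":
    strict = build_dlp_profile("Example Corp")
    print("strict profile, weak keys:", audit_dlp_profile(strict))
    loose = build_dlp_profile("Example Corp",
                              overrides={"allowOpenFromManagedToUnmanaged": True})
    print("loosened profile, weak keys:", audit_dlp_profile(loose))
```

The audit is the useful half: export the Restrictions profile Jamf Pro actually sends, feed it to audit_dlp_profile, and anything it returns is a documented path for managed data to leave the work partition.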
Device Passcode Requirements
User Enrollment requires a six-digit numeric device passcode by default.
It is not possible to change the complexity requirements of this device passcode; Apple selected this specific requirement to balance user experience with adequate security.
Given the brute-force protections built into iOS (escalating delays between failed passcode attempts, enforced by the Secure Enclave), a six-digit passcode provides sufficient protection against passcode guessing for most organizations.