Forum Discussion
Enrollment iOS - BYOD
- Mar 20, 2024
This is a very general question. But indeed the normal iOS management, that is commonly called Personal, is just an MDM enrollment. The different approaches for iOS management are as follows (starting from full management 'downward' to BYOD):
- Intune enrollment using DEP (Apple Business Manager), making the device Supervised through the Enrollment Profile. Supervised means the device is completely company-owned and you have a lot of settings available that are normally not available to a 'normal' device. It is even possible to restrict the device to the point that it is a kiosk. For Intune and ABM see the following: https://learn.microsoft.com/en-us/mem/intune/enrollment/tutorial-use-device-enrollment-program-enroll-ios
- Intune enrollment without DEP. The device is not supervised and not all settings are available from MDM (see here a list of settings only for supervised devices: https://support.apple.com/en-gb/guide/deployment/dep6b5ae23e9/1/web/1.0). You register the device with the Company Portal that you download from the App Store on the device. This is a full MDM enrollment and you are able to wipe the device from MDM, for example. This is the enrollment you were referring to, but this is not BYOD!
- Apple's User Enrollment. This is Apple's own solution for BYOD (this is real BYOD enrollment, comparable to the Android Enterprise Work Profile). Basically this is accomplished on the device by creating a second (company) APFS volume. You are unable to wipe the device from MDM, only able to remove the work partition. This method has downsides: you need ABM and the user needs a Managed Apple ID, created in ABM. See here for getting started: https://learn.microsoft.com/en-us/mem/intune/enrollment/ios-user-enrollment-supported-actions
- Application Protection Policies (MAM-WE). This is not accomplished by any device enrollment and is not an Apple method but Microsoft's. With App Protection Policies (APP) only the company apps are managed (works out of the box only for Microsoft apps and some partner apps) and all security policies are applied to the apps, like an app PIN code. This is a much-used method of providing company data to private devices (hence a BYOD solution). You can start here: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policies
Besides this breakdown there are a lot of other details; for example, we discussed APP creating a sort of 'company container' where company data can flow but, for example, is not allowed to be shared outside the container. Within iOS there is a similar feature (not as feature-rich and sophisticated as APP) called Managed Open-in. You can read about it here, and this is a good document to read in general on this topic: https://www.apple.com/business/docs/resources/Managing_Devices_and_Corporate_Data.pdf
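Added example, not part of the post above and not Microsoft's or Apple's code: a small audit that sorts Intune-managed iOS/iPadOS device records into the tiers the post describes (supervised ADE enrollment, unsupervised device enrollment via Company Portal, Apple User Enrollment) and flags the case the post warns about, a device marked "personal" that is nonetheless under a full MDM enrollment and can therefore be wiped. It assumes the Microsoft Graph `managedDevice` fields `deviceEnrollmentType`, `isSupervised`, `managedDeviceOwnerType` and `operatingSystem`, and assumes the mapping of `deviceEnrollmentType` values to tiers shown in the code; both are this example's assumptions about Graph, so verify them against your tenant. The device records are constructed inline so the script runs offline; in practice they would come from `GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices`. MAM-only (APP) users never appear in this list at all, which is exactly the point: there is no device object to wipe.

```python
# Added example (not from the original post): classify Intune iOS devices into
# the management tiers discussed above and flag 'personal' devices that sit
# under a full, wipeable MDM enrollment instead of User Enrollment or APP.
from enum import Enum


class Tier(Enum):
    SUPERVISED = "ADE/ABM enrollment or otherwise supervised: full control, erase possible"
    DEVICE_ENROLLMENT = "device enrollment without ADE (Company Portal): full MDM, erase possible"
    USER_ENROLLMENT = "Apple User Enrollment: work volume only, retire removes work data"
    OTHER = "not an iOS/iPadOS enrollment this script classifies"


# ASSUMED mapping of Graph deviceEnrollmentType values to the post's tiers.
ADE_TYPES = {"appleBulkWithUser", "appleBulkWithoutUser"}
USER_ENROLLMENT_TYPES = {"appleUserEnrollment", "appleUserEnrollmentWithServiceAccount"}
DEVICE_ENROLLMENT_TYPES = {"userEnrollment", "deviceEnrollmentManager"}


def classify(device: dict) -> Tier:
    """Map one managedDevice record to a management tier."""
    if device.get("operatingSystem") not in ("iOS", "iPadOS"):
        return Tier.OTHER
    etype = device.get("deviceEnrollmentType", "unknown")
    if etype in USER_ENROLLMENT_TYPES:
        return Tier.USER_ENROLLMENT
    # Supervision can also come from Apple Configurator, so isSupervised is
    # checked alongside the ADE enrollment types.
    if etype in ADE_TYPES or device.get("isSupervised"):
        return Tier.SUPERVISED
    if etype in DEVICE_ENROLLMENT_TYPES:
        return Tier.DEVICE_ENROLLMENT
    return Tier.OTHER


def full_wipe_possible(tier: Tier) -> bool:
    """Only device-level enrollments expose an erase-device action; User
    Enrollment can only retire, i.e. remove the company volume."""
    return tier in (Tier.SUPERVISED, Tier.DEVICE_ENROLLMENT)


def audit(devices):
    """Return (per-tier counts, names of personal devices that are wipeable)."""
    counts = {tier: 0 for tier in Tier}
    wipeable_personal = []
    for device in devices:
        tier = classify(device)
        counts[tier] += 1
        if device.get("managedDeviceOwnerType") == "personal" and full_wipe_possible(tier):
            wipeable_personal.append(device["deviceName"])
    return counts, wipeable_personal


# Constructed sample records shaped like Graph managedDevice JSON (not real data).
SAMPLE_DEVICES = [
    {"deviceName": "ipad-kiosk-01", "operatingSystem": "iPadOS",
     "deviceEnrollmentType": "appleBulkWithoutUser", "isSupervised": True,
     "managedDeviceOwnerType": "company"},
    {"deviceName": "iphone-alice", "operatingSystem": "iOS",
     "deviceEnrollmentType": "userEnrollment", "isSupervised": False,
     "managedDeviceOwnerType": "personal"},   # Company Portal enrollment, 'BYOD' in name only
    {"deviceName": "iphone-bob", "operatingSystem": "iOS",
     "deviceEnrollmentType": "appleUserEnrollment", "isSupervised": False,
     "managedDeviceOwnerType": "personal"},   # real User Enrollment
    {"deviceName": "pixel-carol", "operatingSystem": "Android",
     "deviceEnrollmentType": "androidEnterpriseCorporateWorkProfile",
     "isSupervised": False, "managedDeviceOwnerType": "personal"},
]


if __name__ == "__main__":
    counts, flagged = audit(SAMPLE_DEVICES)
    for tier, n in counts.items():
        print(f"{n:3d}  {tier.value}")
    print("personal devices under a wipeable enrollment:", flagged)
```

Run against a real export, anything listed as "personal devices under a wipeable enrollment" is a candidate for moving to User Enrollment or to APP-only access, depending on whether you need device-level controls at all.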