Apple BYOD: How User Enrollment revolutionizes personal device management at work


Hexnode Apple User Enrollment helps IT departments work with employees’ personal devices.
Apple User Enrollment helps IT departments work with employees’ personal devices. 
Photo: Hexnode

This Apple for BYOD post is presented by Hexnode. 

Businesses enrolling employees’ personal devices for work use — known in IT circles as Bring Your Own Device, or BYOD — is growing. According to sources cited in Forbes, the market should reach nearly $367 billion by 2022, more than 10 times the size it was in 2014. Companies favoring BYOD tend to save about $350 per year per employee, and those employees see efficiency improvements by using personal devices, whether Android- or Apple-based. 

For years, IT departments deploying BYOD for Apple devices were limited to methods involving Mobile Device Management (MDM) and Apple Business Manager (ABM). But that changed when Apple introduced a new way, simply called User Enrollment, at the Worldwide Developers Conference last year (WWDC19). You can watch the presentation here.

BYOD with Apple

Immediately prior to Apple User Enrollment (UE), Apple offered only two ways to allow an IT department to manage users’ Apple devices. IT folks could employ either basic device enrollment or use the automated device enrollment feature of the Apple Device Enrollment Program (DEP).

Hexnode Apple User Enrollment: Allowing personal devices has advantages that benefit both the enterprise and the employee
Allowing personal devices has advantages that benefit both the enterprise and the employee.
Photo: Hexnode

BYOD subsumed the previously widespread practice of giving employees corporate devices for both business and personal use, known as COPE (Corporate Owned, Personally Enabled). Unlike BYOD, COPE and other device-deployment architectures rely heavily on MDM offered by companies like Hexnode. While COPE provides more control over devices generally, BYOD allows adequate control over corporate data on the devices.

Notably, MDM can provide the option of enrolling personal Apple devices using the new UE (available for iOS 13 and above). However, in that scenario, MDM will have less authority over the device than the direct employment of UE. That’s because UE restricts MDM. Rather than controlling the whole device, it controls within an area on the device where corporate data resides. On the one hand, MDM won’t be able to perform certain functions, such as device wipes or fetching the IMEI (serial) number. But on the other hand, management of corporate data on the device becomes uncannily easy and absolute.

Considering its seamless management of corporate data, Apple UE further encourages businesses and their employees to embrace BYOD using personal Apple devices. That’s because UE truly meets the basic requirement of BYOD: the separation of personal and corporate data. It manages corporate data on personal devices securely and can remove it as necessary without disturbing an employees’ personal information or privacy.

Managed Apple IDs

 Hexnode Apple User Enrollment 3
A Managed Apple ID helps keep personal and corporate information separate.
Photo: Hexnode

To separate personal and corporate information, UE introduced the Managed Apple ID. The account ID resembles a user’s basic Apple ID. But the IT department creates it for an employee to log into and use work apps. Some people may be familiar with the basic idea from similar separation protocols in Apple Education and Apple Business Manager. With the functionality, the user’s personal device accesses data in two separate iCloud accounts. Personal data resides in a personal iCloud account and corporate data sits in a corporate-managed iCloud account.

BYOD enrollment

Enrollment is simple using the new scheme. Once a user receives the Managed Apple ID from the IT department, the user enrolls the personal device. From then on, everything of a corporate nature on the device remains under the Managed Apple ID.

Apple creates a separate space for storing that corporate data. The space hosts local data from managed third-party apps along with managed data from some built-in apps, such as Notes. It also houses a managed keychain that stores secure items like passwords and certificates, authentication credentials for managed accounts, and full email bodies as well as email attachments. When it comes time to unenroll the device, both the Managed Apple ID and the associated corporate content are automatically removed.

Highlights of Apple BYOD

Hexnode Apple User Enrollment: A UE-managed BYOD environment for Apple truly separates personal and work spaces on the device
A UE-managed BYOD environment for Apple truly separates personal and work spaces on the device.
Photo: Hexnode

With UE, Apple has introduced a more stable and secure BYOD environment than businesses are likely to find for Android device support. UE assuages workers’ privacy concerns because their employer cannot see or access their personal apps and data in the device. The user need not fear losing all of their data, either, as there is no option for a complete device wipe. A device wipe performed as part of Remote Device Management (RDM) removes only corporate data and apps.

An important feature in UE is per-app virtual private network (VPN). It facilitates how traffic for managed accounts is guided through the corporate VPN. Using the feature, traffic from the Mail, Contacts and Calendars built-in apps will only go through the VPN if the domains match that of the business. For example, can pass through the VPN, but not In other words, the user’s personal mail remains private.

Regarding a business’s concerns about security, Apple’s “Managed Open In” feature helps access data in secured and managed apps, thus preventing external access to the corporate resources. Corporate resources access can be manipulated to open only in secure environments, preventing data leakage.

Advantages of Apple User Enrollment

  • Any enterprise can implement BYOD with Apple securely.
  • It reduces a business’s device purchase cost and maintenance costs.
  • Employees are likely to stay current on OS updates because they’re using their own devices.
  • Employees are likely to take good care of their devices.
  • Work can be done from anywhere in the world.
  • Businesses can make corporate resources available to employees and accessible at all times.


Apple’s introduction of UE has opened a new door to BYOD in enterprises. The method of enrollment enables more employees to use their own devices at work with personal and corporate information kept separate and secure. That offers peace of mind to both employee and employer. Enterprises can realize potentially substantial cost savings through reduced device purchases and maintenance, as well.


Daily round-ups or a weekly refresher, straight from Cult of Mac to your inbox.

  • The Weekender

    The week's best Apple news, reviews and how-tos from Cult of Mac, every Saturday morning. Our readers say: "Thank you guys for always posting cool stuff" -- Vaughn Nevins. "Very informative" -- Kenly Xavier.