User Enrollment is a new enrollment method introduced with iOS 13 to address BYOD (bring your own device) cases.
During the enrollment process a separate APFS partition is created so that user data is kept apart from corporate data.
User Enrollment uses Managed Apple IDs from Apple Business Manager (ABM) to manage work applications on the device without needing access to personal information on the device, such as device identifiers.
Therefore User Enrollment requires the use of ABM. ABM in turn needs a source of truth, an identity provider, indicating which users are allowed to participate in User Enrollment.
The only identity provider available at this moment in time is Azure AD, so federation between ABM and Azure AD is required for iOS User Enrollment.
Intelligent Hub is not permitted in this model. Instead, users enroll their devices by pointing Safari at the MDM server, authenticating and downloading the MDM certificate.
Applications deployed using ABM's Volume Purchasing Program (VPP) can be pushed to User Enrolled devices. As with unsupervised devices, the user must accept the installation of the app.
Internal apps can also be pushed to User Enrolled devices.
Although full device control actions such as device wipe and password complexity enforcement are not available in User Enrollment, a limited set of profile restrictions is available for this enrollment model: Article
A prerequisite for this setup is to have Apple Business Manager integrated with the Workspace One UEM tenant. You can confirm the integration is in place by checking that a token exists and has not expired in All Settings \ Devices & Users \ Apple \ Device Enrollment Program.
Also, in order to push Volume Purchased apps to User Enrolled devices, make sure your Workspace One UEM tenant is integrated with VPP. You can confirm this integration is in place by checking All Settings \ Devices & Users \ Apple \ VPP Managed Distribution.
The first step is to enable User Enrollment in All Settings \ Devices & Users \ General \ Enrollment.
Next, add your domain in Apple Business Manager, under Settings \ Accounts.
Verify domain ownership by adding the TXT record ABM provides to your external DNS server.
Once the domain is verified, federate it with Azure AD.
During the federation process ABM checks for conflicts with corporate email addresses that your users have already used to sign their devices in to iCloud; if conflicts are found, an email is sent to the admin: Article
An email is also sent to the admin every time a step completes successfully.
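The prerequisite checks and the domain verification step above are the points where this setup most often stalls (an expired DEP or VPP token, or a TXT record that was never published or is a stale one from an earlier attempt). The following is an added pre-flight checker, not part of the original post or of Workspace ONE UEM or Apple Business Manager. It assumes you copy the token expiry dates from the UEM console as ISO dates, paste the output of `dig +short TXT yourdomain.example` as the DNS answer, and compare the verification string ABM shows you verbatim; the `apple-domain-verification=` prefix and the token value are constructed placeholders, so replace them with what your ABM tenant actually displays.

```python
"""Pre-flight checks for iOS User Enrollment prerequisites (added example).

Assumptions (not from the original post):
  - DEP/VPP token expiry dates are supplied as ISO strings (YYYY-MM-DD)
  - TXT records are supplied as the raw output of `dig +short TXT <domain>`
  - the expected verification record is compared as an exact string;
    the 'apple-domain-verification=...' value below is a constructed placeholder
"""
from datetime import date, timedelta


def token_status(expiry: str, today: str, warn_days: int = 30) -> str:
    """Classify a DEP or VPP token as 'expired', 'expiring' or 'ok'.

    An expiring token is flagged early because enrollment and VPP app
    pushes silently stop working once the token lapses.
    """
    exp = date.fromisoformat(expiry)
    now = date.fromisoformat(today)
    if exp < now:
        return "expired"
    if exp - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def parse_dig_txt(output: str) -> list:
    """Turn `dig +short TXT` output into plain record strings.

    dig prints each TXT record on one line as one or more double-quoted
    chunks; records longer than 255 bytes are split into several chunks
    that must be joined back together. Escaped quotes inside a record are
    not handled, which is fine for a verification record.
    """
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split('"')
        # odd-indexed segments are the text between quote pairs
        records.append("".join(parts[i] for i in range(1, len(parts), 2)))
    return records


def txt_verified(records: list, expected: str) -> bool:
    """True only when the exact expected record is published.

    A substring match is deliberately avoided: a record carrying a token
    from an earlier verification attempt, or trailing whitespace, would
    otherwise look verified while ABM still rejects it.
    """
    return expected in records


def preflight(dep_expiry: str, vpp_expiry: str, dig_output: str,
              expected_txt: str, today: str) -> dict:
    """Run all checks and return a summary an admin can act on."""
    return {
        "dep_token": token_status(dep_expiry, today),
        "vpp_token": token_status(vpp_expiry, today),
        "domain_txt_published": txt_verified(parse_dig_txt(dig_output), expected_txt),
    }


# Constructed sample input standing in for real console values and dig output.
SAMPLE_DIG = '''"v=spf1 include:spf.example -all"
"apple-domain-verification=EXAMPLE-TOKEN-REPLACE-ME"
"MS=ms00000000"
'''
EXPECTED_TXT = "apple-domain-verification=EXAMPLE-TOKEN-REPLACE-ME"

if __name__ == "__main__":
    result = preflight("2024-06-20", "2025-01-01", SAMPLE_DIG, EXPECTED_TXT, "2024-06-01")
    for check, value in result.items():
        print(f"{check}: {value}")
```

Run it with your own values before starting the federation steps; any `expired` or `expiring` token, or a `False` for the TXT record, should be fixed first, because the later steps assume all three are in place.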