Insight 09.12.2021

Apple User Enrollment

What is Apple’s user enrollment?

With user enrollment, private Apple devices can be enrolled without the owner having to relinquish complete control over the device. Based on the Bring Your Own Device (BYOD) approach, private devices of students or employees can be integrated and used in the school or company context while protecting private data.

How does the Apple user enrollment work?

During user enrollment of private devices via Relution, a so-called “work profile” is created. All MDM authorisations are restricted to this work profile, so the organisation does not have full control over the device. Analogously, Android Enterprise also offers enrollment with a work profile.

What are the advantages of Apple user enrollment?

Since the MDM system does not have full access to the device, restrictions and actions are limited to the work profile. This ensures that private and business data and apps are kept separate. Reading out device details via Relution also only relates to the work profile. Private data on the device or in the apps used cannot be read out by Relution.

If a student or employee leaves the school or company, the profile can be remotely removed at any time, which automatically deletes all existing data in the work profile.

Which platforms are supported in Relution for Apple user enrollment?

With user enrollment in Relution, iPhones and iPads can be enrolled via the iOS platform and MacBooks via macOS.

How is an Apple device enrolled in Relution via user enrollment?

Starting from the Relution organization, a manual enrollment for iOS or macOS can be created and the enrollment link can be sent to the desired student or employee.

The basic prerequisite for creating a user enrollment is the assignment of a user. For this, either a Managed Apple ID or an email address must be stored in the user details. The corresponding user can then be added and the enrollment completed. Once a device is enrolled via user enrollment, the assigned user can no longer be changed or removed.


Opening the received enrollment link on the iOS or macOS device then enrolls the device using the user’s Managed Apple ID, and the device appears in the device inventory of the corresponding Relution organization.

Can a user also enroll via account-based user enrollment?

Relution supports account-based user enrollment for iOS devices that are not in the “Supervised” state.

This requires either a manually created user enrollment for a corresponding user in the respective Relution organization or the activation of “Allow account-based Apple user enrollment for all users” in the device management settings of the respective Relution organization.


Option 2 makes it much easier to register personal devices in Relution.

As soon as a Relution user registers on the private device via the option “Log in to work or school account…” in “VPN & Device Management” of the general settings, a user enrollment is automatically generated in Relution. The registration URL of the MDM solution is automatically identified via the Managed Apple ID of the respective user.

After the user has logged in with their Relution login data and authentication has succeeded, the device automatically appears in the inventory list of the corresponding Relution organization.
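
The automatic lookup described above relies on Apple's service discovery for account-driven enrollment: the device requests a well-known resource on the domain of the Managed Apple ID and reads the MDM server URL from the JSON response. The following check of such a response is an added example, not Relution code; the domains, the allow-list and the sample documents are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"

def discovery_url(managed_apple_id):
    """Build the discovery URL from the domain part of the account identifier."""
    local, sep, domain = managed_apple_id.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an account identifier: %r" % managed_apple_id)
    return "https://" + domain.lower() + WELL_KNOWN_PATH

def check_discovery_document(body, allowed_hosts):
    """Return a list of problems in a discovery response (empty list = OK)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ["response is not valid JSON"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return ["no 'Servers' array"]
    # "mdm-byod" is the version string Apple uses for user enrollment.
    byod = [s for s in servers
            if isinstance(s, dict) and s.get("Version") == "mdm-byod"]
    problems = []
    if not byod:
        problems.append("no entry with Version 'mdm-byod'")
    for s in byod:
        url = urlsplit(str(s.get("BaseURL", "")))
        if url.scheme != "https":
            problems.append("BaseURL is not https: %s" % s.get("BaseURL"))
        elif url.hostname not in allowed_hosts:
            problems.append("BaseURL host not on allow-list: %s" % url.hostname)
    return problems

# Constructed sample responses (hypothetical hosts).
GOOD = '{"Servers":[{"Version":"mdm-byod","BaseURL":"https://mdm.example.org/enroll"}]}'
PLAIN_HTTP = '{"Servers":[{"Version":"mdm-byod","BaseURL":"http://mdm.example.org/enroll"}]}'
WRONG_HOST = '{"Servers":[{"Version":"mdm-byod","BaseURL":"https://mdm.example.net/enroll"}]}'

if __name__ == "__main__":
    print(discovery_url("jane.doe@example.org"))
    for sample in (GOOD, PLAIN_HTTP, WRONG_HOST):
        print(check_discovery_document(sample, {"mdm.example.org"}))
```

Running the check against the organisation's own domain after any web server or MDM change shows whether personal devices would still be directed to the intended enrollment endpoint.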


What options are there for configuring the private Apple devices in Relution?

All iOS and macOS configurations and restrictions that can be applied to the work profile of a private device are marked in Relution with the badge “Supports user enrollment”.


Can organisational apps be installed on enrolled private devices?

Apps can be made available on enrolled private devices for the work profile without requiring a personal Apple ID for the user on the device. To do this, VPP licences must be assigned to the organisation. However, in the context of user enrollment, the assignment is not made to the devices themselves, but the VPP licences are bound to individual users. If a user uses several devices and has received a VPP licence from the organisation, the corresponding app can be used on all devices. Assigned VPP licences can also be withdrawn from users via Relution.

Is a Managed Apple ID required for the allocation of VPP licences?

In order to assign VPP licences of an organisation to private users, the users must be linked to the VPP token used by the respective organisation. For this purpose, a Managed Apple ID must be stored in the respective user profile for the corresponding users in Relution. The Managed Apple ID is created in the respective Apple School Manager or Apple Business Manager account of the organisation for a user.


Does the linking of a VPP token of the organisation with users take place automatically?

When a private device is enrolled via user enrollment, the user logs in with the pre-populated Managed Apple ID and the device is enrolled in Relution.

If the user with the Managed Apple ID is not yet connected to a VPP token, Relution will automatically create the link and the user will appear under VPP Users with the status “Assigned”.


If there are several VPP tokens for the organisation, Relution always uses the first one in the list of stored VPP tokens under VPP user accounts in the Relution settings.


Subsequently, VPP licences can be transferred in Relution via Purchased Apps to the VPP users in the status “Assigned”, so that apps can be installed on the private devices via the VPP token of the organisation.


Can users who do not have a Managed Apple ID in their user profile become VPP users?

Users can also be added manually to VPP users via an invitation. For this purpose, the token to be used is selected in Relution and an e-mail invitation is then sent to the corresponding user.


The user is shown in “Registered” status. The recipient of the email then clicks the link in the email invitation to register via iTunes.


After logging in to iTunes with the user’s personal Apple ID, the T&Cs must be accepted.


In Relution, the respective user under VPP users is now displayed in the status “Assigned”.


From now on, this user can be selected for the assignment of VPP licences of purchased apps under “Users”.


The VPP licence is then assigned and the app can be installed on the user’s device using the selected VPP token of the organisation.
