Insight 09.12.2021

Apple User Enrollment

What is Apple’s user enrollment?

With user enrollment, private Apple devices can be enrolled without the owner having to relinquish complete control over the device. Based on the Bring Your Own Device (BYOD) approach, private devices of students or employees can be integrated and used in the school or company context while protecting private data.

How does the Apple user enrollment work?

During user enrollment of private devices via Relution, a so-called “work profile” is created. This means that all MDM authorisations are restricted to the work profile and the organisation does not have full control over the device. Analogously, Android Enterprise also offers enrollment with a work profile.

What are the advantages of Apple user enrollment?

Since the MDM system does not have full access to the device, restrictions and actions are limited to the work profile. This ensures that private and business data and apps are kept separate. Reading out device details via Relution also only relates to the work profile. Private data on the device or in the apps used cannot be read out by Relution.

If a student or employee leaves the school or company, the profile can be remotely removed at any time, which automatically deletes all existing data in the work profile.

Which platforms are supported in Relution for Apple user enrollment?

With user enrollment in Relution, iPhones and iPads can be enrolled via the iOS platform and MacBooks via macOS.

How is an Apple device enrolled in Relution via user enrollment?

Starting from the Relution organization, a manual enrollment for iOS or macOS can be created and the enrollment link can be sent to the desired student or employee.

The basic prerequisite for creating a user enrollment is the assignment of a user. For this, either a Managed Apple ID or an email address must be stored in the user details. The corresponding user can then be added and the enrollment completed. On devices enrolled via user enrollment, the assigned user can no longer be changed or removed.

Display of the manually created user enrollment in Relution with a registration link for iOS or macOS devices

The enrollment link received then performs the device enrollment on the iOS or macOS device using the user's Managed Apple ID, and the device appears in the device inventory of the corresponding Relution organization.

Can a user also enroll via account controlled user enrollment?

Relution supports account-based user enrollment for iOS devices that are not in the “Supervised” state.

This requires either a manually created user enrollment for a corresponding user in the respective Relution organization or the activation of “Allow account-based Apple user enrollment for all users” in the device management settings of the respective Relution organization.

View of the Relution settings to enable account-driven Apple user enrollment for non-supervised iOS devices

Option 2 makes it much easier to register personal devices in Relution.

As soon as a Relution user registers on the private device via the option “Log in to work or school account…” under “VPN & Device Management” in the general settings, a user enrollment is automatically generated in Relution. The registration URL of the MDM solution is automatically identified via the Managed Apple ID of the respective user.

Once the user has logged in with their Relution login data and authentication has succeeded, the device automatically appears in the inventory list of the corresponding Relution organization.

View of the Mac settings for "VPN & Device Management" for registering personal devices with automatic user enrollment in Relution

What options are there for configuring the private Apple devices in Relution?

All iOS and macOS configurations and restrictions that can be applied to the work profile of a private device are marked in Relution with the badge “Supports user enrollment”.

Screenshot of a configuration in Relution with the badge "Supports User Enrollment" for personal Apple devices

Can organisational apps be installed on enrolled private devices?

Apps can be made available on enrolled private devices for the work profile without requiring a personal Apple ID for the user on the device. To do this, VPP licences must be assigned to the organisation. However, in the context of user enrollment, the assignment is not made to the devices themselves, but the VPP licences are bound to individual users. If a user uses several devices and has received a VPP licence from the organisation, the corresponding app can be used on all devices. Assigned VPP licences can also be withdrawn from users via Relution.

Is a Managed Apple ID required for the allocation of VPP licences?

In order to assign VPP licences of an organisation to private users, the users must be linked to the VPP token used by the respective organisation. For this purpose, a Managed Apple ID must be stored in the respective user profile for the corresponding users in Relution. The Managed Apple ID is created in the respective Apple School Manager or Apple Business Manager account of the organisation for a user.

View of the user profile configuration in Relution for assigning the Managed Apple ID to link with the organization's VPP token

Does the linking of a VPP token of the organisation with users take place automatically?

When a private device is enrolled via user enrollment, the user logs in with the pre-populated Managed Apple ID and the device is enrolled in Relution.

If the user with the Managed Apple ID is not yet connected to a VPP token, Relution will automatically create the link and the user will appear under VPP Users with the status “Assigned”.

View of the "VPP Users" section in Relution with a status display "Assigned" after accepting the iTunes terms and conditions

If the organisation has several VPP tokens, the first one in the order of VPP tokens stored under VPP user accounts in the Relution settings is always used.

View of Relution settings showing the sequence of stored VPP tokens and automatic selection of the first token for the organization

Subsequently, VPP licences can be transferred in Relution via Purchased Apps to VPP users with the status “Assigned”, so that apps can be installed on the private devices via the organisation's VPP token.

Transfer of VPP licenses in the "Purchased Apps" section of Relution to VPP users with the status "Assigned" for app installation on personal devices using the organization's VPP token
Overview in the "Purchased Apps" section in Relution showing license assignment for Amazon Prime Video, including device information, token, and status

Can users who do not have a Managed Apple ID in their user profile become VPP users?

Users can also be added manually to VPP users via an invitation. To do this, an e-mail invitation is sent to the corresponding user via Relution; the token to be used is selected beforehand.

Input fields in Relution for preparing the email invitation to manually add users as VPP users with token selection
Status display "Invited" for a user in Relution after sending the email invitation

The user is shown in “Registered” status. The recipient of the email then clicks the link in the email invitation to register via iTunes.

Email invitation for user enrollment in Relution with registration link for enrolling devices via iTunes

After logging in to iTunes with the user’s personal Apple ID, the T&Cs must be accepted.

Screenshot of the iTunes terms and conditions that must be accepted after logging in with the personal Apple ID

In Relution, the respective user under VPP users is now displayed in the status “Assigned”.

Overview of the "VPP Users" section in Relution with a status display "Registered" for a sample user

From now on, this user can be selected for the assignment of VPP licences of purchased apps under “Users”.

Selection of a user in the "Users" section of Relution for assigning VPP licenses to purchased apps

The VPP licence is then assigned and the app can be installed on the user’s device using the selected VPP token of the organisation.

Assignment of a VPP license and installation of an app on the user's device in the Relution section using the selected organization's VPP token