User Enrollment
An enrollment method designed for personally owned devices that separates work and personal data (via a separate APFS volume) while limiting MDM capabilities to protect user privacy.
What to Know
User Enrollment is Apple’s purpose-built solution for BYOD scenarios, providing a privacy-focused middle ground between full device management and no management at all. Introduced in iOS 13 and macOS 10.15, User Enrollment creates a separate APFS volume for managed data, ensuring complete separation between personal and work content. MDM can only see and manage work-related apps, accounts, and data, while personal information remains completely private and inaccessible to IT. This technical separation addresses employee privacy concerns while giving organizations necessary control over corporate data.
User Enrollment requires a Managed Apple ID and authentication through the organization’s identity provider, tying enrollment to the user’s work identity rather than the device itself. When a user leaves the organization, removing the Managed Apple ID cleanly removes all work data and management without affecting personal content. This makes User Enrollment ideal for organizations with strict privacy requirements, unionized workforces, or regulations prohibiting invasive device monitoring.
Common Scenarios
Enterprise IT: Employees with personal iPhones enroll via User Enrollment to access corporate email and Slack while keeping personal photos, messages, and apps completely private. IT can enforce policies on managed apps—requiring passcodes, preventing screenshots in work apps, enabling remote wipe of work data—without seeing or controlling anything personal. When employees leave, IT removes the Managed Apple ID, instantly deleting all corporate data while preserving personal content.
MSP: MSPs recommend User Enrollment for clients with BYOD policies or privacy concerns. The MSP configures User Enrollment in Apple Business Manager, sets up identity provider integration, and creates policies that apply only to managed apps. This provides clients with necessary corporate data protection while respecting employee privacy, reducing friction in BYOD policy adoption and maintaining clear legal boundaries around device management.
Education: Universities deploy User Enrollment for student-owned devices accessing institutional resources. Students enroll their personal iPads to receive campus apps, email, and Wi-Fi certificates, but the university cannot see personal apps, location, or browsing history. The clear privacy separation increases student willingness to enroll while giving the university necessary control over institutional data and app distribution.
In Addigy
Addigy supports User Enrollment through Apple Business Manager integration with Managed Apple IDs. You configure User Enrollment policies that define which apps and settings apply to the managed volume, while Addigy automatically respects the privacy boundaries of User Enrollment. Devices enrolled via User Enrollment are clearly designated in Addigy’s inventory, and Addigy prevents deployment of policies or commands that would violate User Enrollment privacy restrictions.
Addigy’s User Enrollment workflow includes Managed Apple ID authentication, automatic creation of the separate managed volume, and deployment of work apps to the managed volume only. You can manage VPP app licenses, enforce managed app restrictions, and remotely remove the managed volume without affecting personal data. Addigy’s reporting shows only managed content, maintaining privacy compliance throughout the device lifecycle.
Also Known As
- iOS User Enrollment
- BYOD Enrollment
- Privacy-Preserving Enrollment