User-owned devices
Employees who use their personal devices for work can have their corporate data managed
through User Enrollment. Designed specifically for BYOD programs, User Enrollment allows
employees to protect their privacy while keeping corporate data safe, separate, and protected —
enabling device personalization that wasn’t previously possible. IT can enforce only specific
settings, monitor corporate compliance, and remove only corporate data and apps. IT teams can’t
remotely wipe a device, access device location, or access personal information or apps on the
device. Users can remove the MDM profile — which removes all corporate apps and data —
whenever they want, and they have more control over updates and other configurations than
they would on corporate-owned devices.
User Enrollment requires users to opt in to enroll their devices into the organization’s
MDM solution. This gives them access to corporate resources, configures various settings,
installs a configuration profile, and installs corporate apps.
User Enrollment allows for a personal and a Managed Apple ID to exist on the same device.
The existing personal Apple ID is used for all of the user’s personal iCloud data. The Managed
Apple ID provided by the organization stores all of the organization’s corporate iCloud data in
the company’s managed iCloud Drive and Notes.
With iOS 15 and iPadOS 15, users can now enroll their devices right from the Settings app. In
Settings, they’ll choose General, choose VPN & Device Management, then tap Sign in to Work
or School Account. Once they enter their Managed Apple ID username and password, the
authentication process will begin.
Managing data this way gives users more autonomy over their own devices while increasing the
security of enterprise data by storing it on a separate, cryptographically protected Apple File System
(APFS) volume with Notes and the iCloud Drive app. This provides a better balance of security,
privacy, and user experience for BYOD programs. And if a user changes their managed device or
leaves the organization, all APFS volume data is destroyed as soon as their device is unenrolled.
Tools for separating corporate data
Apple has a variety of tools that make it simple to separate corporate and personal data on
devices, regardless of the ownership model you use. In this section, you’ll learn how to manage
data in managed apps, books, settings, accounts, and more.
Managed apps
To receive assigned apps from your organization, devices must be enrolled in your MDM
solution. After an app is assigned to a device, it’s pushed to that device through MDM. On
corporate-owned devices managed through supervision, apps are installed silently without user
interaction or an Apple ID.
Data stored in a managed app — whether devices are owned by the company or the users — will
be deleted when a device is unenrolled from MDM either by IT or the user. And IT teams can
prevent managed apps from backing up data to the Finder, iTunes, or iCloud. Disallowing backup
helps prevent managed app data from being recovered if the app is removed using an MDM
solution but later reinstalled by the user.
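The backup restriction described above is carried per app in the MDM InstallApplication command. The following added example (not part of the original guide) audits such commands for the ManagementFlags bits defined in Apple's MDM protocol (1 = remove app when the MDM profile is removed, 4 = prevent backup of app data); the bundle identifiers and command UUIDs are constructed sample values.

```python
import plistlib

# ManagementFlags bits of the MDM InstallApplication command (Apple MDM protocol)
REMOVE_WITH_MDM_PROFILE = 1  # remove the app when the MDM profile is removed
PREVENT_BACKUP = 4           # exclude app data from Finder/iTunes/iCloud backups


def audit_install_command(plist_bytes):
    """Return a list of findings for one serialized MDM command plist."""
    doc = plistlib.loads(plist_bytes)
    cmd = doc.get("Command", {})
    if cmd.get("RequestType") != "InstallApplication":
        return []  # not an app install, nothing to check
    # An app is referenced by bundle ID, App Store ID, or manifest URL
    app = cmd.get("Identifier") or cmd.get("iTunesStoreID") or cmd.get("ManifestURL")
    flags = cmd.get("ManagementFlags", 0)  # absent key means no flags set
    findings = []
    if not flags & PREVENT_BACKUP:
        findings.append(f"{app}: backup of managed app data is allowed")
    if not flags & REMOVE_WITH_MDM_PROFILE:
        findings.append(f"{app}: not flagged for removal with the MDM profile")
    return findings


def make_command(request_type, bundle_id, flags=None):
    """Build a constructed sample command (hypothetical IDs, for the demo only)."""
    cmd = {"RequestType": request_type, "Identifier": bundle_id}
    if flags is not None:
        cmd["ManagementFlags"] = flags
    return plistlib.dumps({"CommandUUID": "sample-" + bundle_id, "Command": cmd})


# Constructed sample input: three app installs and one unrelated command
SAMPLES = [
    make_command("InstallApplication", "com.example.crm", 5),    # both bits set
    make_command("InstallApplication", "com.example.notes", 1),  # backup allowed
    make_command("InstallApplication", "com.example.chat"),      # no flags at all
    make_command("RemoveApplication", "com.example.old"),        # ignored
]

if __name__ == "__main__":
    for raw in SAMPLES:
        for finding in audit_install_command(raw):
            print(finding)
```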