Presentation of iOS BYOD and comparison to Android

Apple has announced a new enrollment type: User Enrollment. It is meant to cover the BYOD (Bring Your Own Device) use case. In my opinion, Google has set the standard with the Work Profile. So how does the new iOS option compare?

On iOS, COBO (Corporate Owned, Business Only) and COPE (Corporate Owned, Personally Enabled) have so far been implementable properly, optionally with automated enrollment via DEP (Device Enrollment Program), which is to be replaced by Apple Business Manager at the end of 2019. BYOD, by contrast, is currently either a regular MDM enrollment, meaning an MDM profile is installed and the admin gains extensive authority over the whole device, or a MAM-only (Mobile Application Management only) activation.

For BYOD, Apple now introduces User Enrollment. Technically this is not a multi-user approach but a multi-account one: the user signs in on the device with a Managed Apple ID in addition to the personal Apple ID. Consequently, admins must register their own domain with Apple Business Manager (ABM) or upgrade their DEP account to ABM.
When the enrollment is removed, the Managed Apple ID is automatically signed out and deleted from the device.

Apps are bound to the Apple ID they were installed with and can only be used under that ID. The exception is apps that work with accounts (Mail, Calendar, Notes and the like): these receive data from both managed and unmanaged sources through the respective accounts.
During enrollment, a separate managed APFS volume with its own encryption keys is created. Managed sources write only to this volume: managed app containers, notes, iCloud Drive files, keychain items, mail bodies and attachments, and calendar attachments. On unenrollment the volume and its keys are deleted, which renders the business data unrecoverable without touching any personal data.

During User Enrollment the MDM protocol does not provide persistent device identifiers such as the UDID, the IMEI and the like. Instead, an enrollment-specific User Enrollment ID is reported to the MDM server for identification, and a separate EASID is generated for Exchange ActiveSync. On unenrollment both are discarded; re-enrolling the same device yields new IDs, so the server cannot correlate the two enrollments.
The admin has no way to clear the device passcode or to perform a remote wipe of the device. The available payloads are also restricted: for example, the second-level domain of the VPN server must be identical to the company's second-level domain.

Admins can therefore only enforce policies that do not require a supervised device; supervised-only restrictions are not available under User Enrollment.
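The constraints above translate directly into checks an MDM server should run before it queues commands or pushes a profile to a user-enrolled device. The following is an added example written for this post, not code from Apple or from any MDM/EMM product. MDM command names (ClearPasscode, EraseDevice) and payload types (com.apple.vpn.managed, com.apple.webcontent-filter, com.apple.applicationaccess.new) are Apple's; the public-suffix set, the set of payloads treated as supervised-only, the shape of the VPN dictionaries, the check-in message and the profile are constructed assumptions for illustration. The domain check deliberately does not take "the last two labels", because the registrable domain of vpn.example.co.uk is example.co.uk, not co.uk.

```python
"""Server-side pre-flight checks for an Apple User Enrollment (added example).

Encodes the constraints from the text: no persistent device identifiers, no
ClearPasscode/EraseDevice, no supervised-only payloads, and a VPN server whose
registrable (second-level) domain must equal the organisation's.
"""

# Constructed stand-in for the Public Suffix List (assumption). A real server
# would load the full list; "second-level domain" is not simply the last two
# labels of a host name.
PUBLIC_SUFFIXES = {"com", "net", "org", "de", "uk", "co.uk", "org.uk"}

# Identifiers the MDM protocol withholds under User Enrollment. Seeing one in a
# check-in means the device is not user-enrolled (or enrollment types are being
# mixed); records must never be keyed on them.
PERSISTENT_IDS = {"UDID", "IMEI", "MEID", "SerialNumber"}

# Commands the admin cannot use under User Enrollment.
BLOCKED_COMMANDS = {"ClearPasscode", "EraseDevice"}

# Assumption for illustration: payload types treated as supervised-only.
SUPERVISED_ONLY = {"com.apple.webcontent-filter", "com.apple.applicationaccess.new"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (longest known public suffix plus one label)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is a bare public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def check_identifiers(checkin: dict) -> list[str]:
    """Flag persistent identifiers and a missing EnrollmentID in a check-in message."""
    findings = []
    leaked = sorted(PERSISTENT_IDS.intersection(checkin))
    if leaked:
        findings.append("persistent identifiers present: " + ", ".join(leaked))
    if "EnrollmentID" not in checkin:
        findings.append("EnrollmentID missing; nothing stable to key the record on")
    return findings


def check_commands(commands: list[str]) -> list[str]:
    """Flag queued MDM commands that User Enrollment does not permit."""
    return [f"{c}: not available under User Enrollment" for c in commands if c in BLOCKED_COMMANDS]


def _vpn_host(payload: dict) -> str:
    # Assumption: the server address lives in the IKEv2 or generic VPN dictionary.
    for key in ("IKEv2", "VPN"):
        addr = payload.get(key, {}).get("RemoteAddress", "")
        if addr:
            return addr.split(":")[0]
    return ""


def check_payloads(profile: dict, org_domain: str) -> list[str]:
    """Flag supervised-only payloads and VPN servers outside the org's domain."""
    findings = []
    org = registrable_domain(org_domain)
    for p in profile.get("PayloadContent", []):
        ptype = p.get("PayloadType", "")
        ident = p.get("PayloadIdentifier", ptype)
        if ptype in SUPERVISED_ONLY:
            findings.append(f"{ident}: supervised-only payload")
        elif ptype == "com.apple.vpn.managed":
            host = _vpn_host(p)
            if not host:
                findings.append(f"{ident}: VPN payload without a server address")
            elif registrable_domain(host) != org:
                findings.append(f"{ident}: VPN server {host} is not under {org}")
    return findings


def preflight(checkin: dict, commands: list[str], profile: dict, org_domain: str) -> list[str]:
    """Run all checks; an empty list means the enrollment can proceed."""
    return check_identifiers(checkin) + check_commands(commands) + check_payloads(profile, org_domain)


# Constructed sample data: a check-in that wrongly carries a UDID, a command queue
# containing a wipe, and a profile with one compliant and one non-compliant VPN.
SAMPLE_CHECKIN = {"MessageType": "Authenticate", "UDID": "00000000-0000000000000000",
                  "EnrollmentID": "5C4B2A9E-1F3D-4E6B-8A7C-9D0E1F2A3B4C"}
SAMPLE_COMMANDS = ["InstallProfile", "EraseDevice", "DeviceInformation"]
SAMPLE_PROFILE = {"PayloadContent": [
    {"PayloadType": "com.apple.vpn.managed", "PayloadIdentifier": "vpn.ok",
     "IKEv2": {"RemoteAddress": "vpn.emea.example.co.uk"}},
    {"PayloadType": "com.apple.vpn.managed", "PayloadIdentifier": "vpn.bad",
     "VPN": {"RemoteAddress": "gw.contractor-vpn.com:443"}},
    {"PayloadType": "com.apple.webcontent-filter", "PayloadIdentifier": "filter"},
]}

if __name__ == "__main__":
    for line in preflight(SAMPLE_CHECKIN, SAMPLE_COMMANDS, SAMPLE_PROFILE, "example.co.uk"):
        print("FAIL", line)
```

Running the sample reports four findings: the leaked UDID, the EraseDevice command, the VPN server outside example.co.uk, and the web content filter payload; the IKEv2 payload pointing at vpn.emea.example.co.uk passes because its registrable domain matches.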

Comparison with Android Enterprise Work Profile

The new enrollment type for iOS is a logical step. Compared with the Android Enterprise Work Profile, however, there is one fundamental difference: it is not built on a multi-user model (the Work Profile runs as a separate Android user with its own data and its own app instances).

This results in several limitations on iOS that do not exist on Android:

  • An Android app can be installed in both the personal and the work profile at the same time, as two independent instances with separate data.
  • With managed Google Play (Google Play for Work) the device has its own store for business apps; the EMM does not have to implement its own distribution mechanism.
  • The Work Profile can apply profile-wide settings such as VPN, so every business app uses the VPN connection (unless exceptions are defined).
  • Android does not constrain the device-lock policy the way iOS does (where User Enrollment can only require a 6-digit PIN or a complex passcode).
  • On Android there is no coupling between the VPN and the company domain.
  • The Work Profile can be switched off: the user can turn off the entire business area at the end of the day and turn it back on the next morning.
