Why Apple’s new User Enrollment isn’t a real alternative for managing mobile devices
What was supposed to be a great tool for attracting BYOD devices is severely hampered by the limitations of Managed Apple IDs.
(My opinions reflected in this piece are mine only, and do not represent the point of view of my employer, the University of Oslo)
Apple has recently introduced the so-called User Enrollment type of mobile device management. It came at a good time: MDM administrators like myself often have to explain to users that managing a mobile device does not mean monitoring its user, and that we do limit the amount of information we collect. The perception of being monitored, even when unfounded, is a real problem when managing mobile devices.
Therefore, it has been difficult to convince users to enroll their private devices into their employer's MDM so that they can have access to enterprise resources such as configurations, certificates and apps. And to make things worse, EMM (Enterprise Mobile Management) for iOS has never been optimal when it comes to BYOD. If the enterprise has a strict policy concerning its data, it will likely manage an app. Managing an app means that the organization can delete it from the user's device or set rules for its usage, such as not allowing documents to be transferred from that app to another. On iOS, managing an app means that the user won't be able to use a personal version of that app.
Separating work and personal data, allowing the user to enjoy his phone while keeping work data safe and manageable, is the holy grail of mobile device management. Phones are perceived as personal devices. If their use is too restricted, the user will often want another phone for personal use.
Apple has two things that, combined, would have the potential to give enterprises in the educational sector a boost in BYOD enrollment: Managed Apple IDs and User Enrollment.
Managed Apple IDs and User Enrollment
Managed Apple IDs (MAIDs) are Apple's enterprise variant of its own account type, the Apple ID. They can be created via Apple School Manager/Apple Business Manager and allow the users within an organization to use some of Apple's goodies such as iCloud Drive (with 200GB storage space for ASM users), collaboration tools, app assignment, etc.
These accounts are controlled by the enterprise in the sense that they can be created, changed and deleted by the organization. ASM/ABM can even be connected to Azure AD so that accounts are automatically created on an as-needed basis. In that way, to create a MAID account, all the user needs to do is add an Apple ID account on an Apple device using his Azure AD credentials. These credentials are not saved on Apple's servers, so the authentication process stays under the control of the organization.
MAIDs are the central component of User Enrollment. With User Enrollment, users can enroll their devices into the organisation's MDM without giving away full control of their devices to the enterprise. It allows the organization to control only a few settings and the apps it distributes and manages. The difference between Apple's User Enrollment and traditional BYOD enrollment lies mostly in the fact that very little information about the device is sent back to the MDM. The organization has no access to the device's serial number, the list of personal applications that are installed, etc.
From a privacy perspective, this is really welcome, since we no longer have to hope that the user will trust the organization not to overstep, and to process only the personal data that is strictly necessary for the purpose of security and device administration. The limitation on what the enterprise can do is implemented by design, which is logical if we think about BYOD: why would the user want the enterprise to control his whole device? It makes much more sense to control just what is related to the enterprise, right?
While Apple's approach is not as robust as Android's segregation between work and personal profiles, it is a step in the right direction.
If it only worked.
Why User Enrollment doesn't work well
The flaws of User Enrollment combined with MAIDs, especially when seen in the BYOD context, are so many that they make User Enrollment unusable for most of the use cases it would be ideal for.
These flaws are mostly due to the limitations of how Apple ID accounts are installed on devices.
On both iOS and macOS devices, users are asked to log in to an Apple ID, which will become the primary Apple ID of the device if it didn't have one configured already. There is already a problem here: the user gets a completely different experience with his MAID depending on whether it is the primary or a non-primary Apple ID, and in both cases it is a lose-lose game.
Users belonging to an educational institution get 200GB of iCloud storage when using a MAID. But that's only usable if the user uses that MAID as her primary Apple ID. By doing so, however, the user cannot use the "Find My" application to find the device. "No problem, the user can add a non-primary, regular Apple ID", you would say. Well, that's true, but Apple severely limits what a non-primary Apple ID can be used for. It can't be used to locate devices, it can't be used to add iCloud storage, to synchronise keychain, Safari data, documents, etc.
Got the picture? If a BYOD user has a MAID as his primary Apple ID on an iOS or macOS device, he loses important features of modern-day smartphone controls, such as locating a lost device. If he instead adds a MAID as a non-primary Apple ID, it can't be used for the very things it is supposed to be useful for, especially that nice free storage space for users within the education sector.
So Managed Apple IDs make User Enrollment useless for most BYOD cases, as the limitations found on MAIDs are echoed into User Enrollment. Usually, the MDM can help locate, lock, unlock and wipe a device. This capability usually goes unused, since most users have a personal Apple ID that is more straightforward to use for those tasks. But with User Enrollment, neither the user nor his organization can perform those mundane tasks of EMM administration, as User Enrollment does not allow them to.
There is hope that this will change: on macOS, it seems to be possible to use iCloud Drive with a non-primary Apple ID, though I haven't found where that drive is accessible, if it is accessible at all. It might well be a bug, just like it is certainly a bug that activating "Find My iPad" when having a MAID as the primary Apple ID seems to work, until you go back to the settings and realize that it was turned off again.
How could it be better?
While a big part of this problem is due to the limitations of MAID accounts, Apple's philosophical approach to the separation of work and personal contexts is also to blame. As this article puts it, "In contrast to Google, Apple doesn’t use a multi-user approach, but a multi-account approach."
Work/personal separation on Android devices doesn't attempt to do the complex work of harmonizing work and private contexts. Instead, it separates them, and separates them well. This is not free of problems either, as my colleague annoyingly discovered when he had to check whether a meeting invitation he wanted to send conflicted with his turn to pick up his kid from kindergarten: you need to check the work and personal calendars individually. Of course, you can configure a work calendar on the personal profile, but that is an extra step the user will have to deal with. Still, the advantages are many: the user has a clear picture of what belongs to work, and what is his to use freely.
Could Apple do the same? Could it create an obvious distinction between work and personal contexts on its devices that would be as easy to understand and comply with as Android's work and personal profiles?
The only current use case that I see as plausible for User Enrollment in its current form is, ironically, for institutions that do not purchase devices registered under Automated Device Enrollment, formerly known as DEP, and where the devices are usually shared among users. Ironically, I said, because everyone was hoping that User Enrollment would target BYOD users. Sorry to bring bad news. It might make more sense for a user to enroll a company-owned device to get access to his documents, say during class, and unenroll the device later, than to enroll his private device only to lose functionality. Personal, private devices are definitely not a very good target for User Enrollment.
I argue that a use case where User Enrollment would shine is exactly the one it currently won't work with: corporate-owned, supervised devices. However, if a device has a DEP profile installed, forget it: User Enrollment is not possible. But I still mean it: the best of both worlds would be an Apple-implemented version of COPE on its products: enterprise-owned devices where the user would know clearly what belongs to the company and what is his. In those cases, the company would have a privacy measure implemented by design against overstepping in the administration of devices. Users would have the peace of mind that their favorite phones can be used for work without fearing monitoring. Administrators could still provide good support, distribute apps and feel confident when setting up devices.
Other suggestions for what could make User Enrollment and MAIDs more useful:
- Being able to add a MAID as a primary Apple ID in addition to a primary regular Apple ID, or any other form of having good segregation of work and personal data/apps without limiting personal use of the device.
- Apple School Manager is not the best tool to manage users — MDMs are arguably better, so MAID accounts could be hidden away behind the MDM entirely.
- There's very little room for fine tuning: collaboration using a MAID is only possible within the organisation, and there is no way to allow collaboration with sister institutions or with the whole world. Being able to use "Find My" should be configurable, not just disallowed. It is kind of all-or-nothing, and it remains to be seen whether this will be improved or whether that's how Apple intends it to be.
- User termination is another thing that could be better, as Azure AD is not really put to use to actually terminate accounts. Also, transferring data between a MAID and an ordinary Apple ID should be possible, depending on the company's choice.
Apple has many good incentives to make teachers and students want to use its products: good collaboration tools, hefty iCloud storage that will help with those iPhone backups we never have space to make with our free Apple IDs, and good access to the institution's portfolio of licensed apps. Still, its poor implementation, together with poor support on current devices, makes it no real alternative for mobile device management.