Apple User Enrollment Deployment Guide
Apple User Enrollment is a method of iOS and macOS enrollment aimed at protecting end user's privacy and data, while also allowing organizations to securely install content. In Apple User Enrollment, a user can safely enroll their personal device into Meraki Systems Manager without any of the device privacy or management fears that comes from typical standard device enrollment. In Apple User Enrollment, the end user's personal Apple ID and content is left untouched and hidden from Systems Manager. Instead, a separate Managed Apple ID container is setup on the device. The end user's personal Apple ID container and the organization's Managed Apple ID container co-exist together, without interfering with each other. This containerization allows organizations to safely install their content without affecting an end user's personal content. In User Enrollment, Systems Manager cannot issue dangerous MDM commands such as factory erase, activation lock, lock device, clear passcode, and more. And also, Systems Manager cannot report on sensitive device information such as device serial number and device UUID.
This guide will help familiarize you with some of the core management concepts and configuration options when setting up Apple User Enrollment with Meraki Systems Manager. The video below provides a general overview and walkthrough of the Apple User Enrollment setup and enrollment process.
For more information about how to enroll iPhones, iPads, and Mac devices in Apple User Enrollment, check out the User Enrollment Onboarding Guide in Meraki Documentation.
- An Apple device running iOS 13+, iPadOS 13.1+, or macOS 10.15+ Catalina
- User Authentication must be enabled in the Systems Manager network
- The Meraki organization must have a valid Apple Push Certificate and available licensing
Enabling Apple User Enrollment in Systems Manager
To enable Apple User Enrollment in a Systems Manager network, sign in to your Meraki Dashboard and navigate to Systems Manager > Configure > General
- Under "User authentication settings", choose an Authentication setting to enable User Authentication:
Under "Enrollment settings", enable Apple User Enrollment
Note: Enabling Apple User Enrollment will expose the User Enrollment Link. This is the URL end users should navigate to on their devices in order to trigger Apple User Enrollment. Check out the Documentation for more information on how to enroll devices in Apple User Enrollment.
End users register their devices with Apple User Enrollment using a Managed Apple ID. These special enterprise Apple ID accounts are created and maintained by administrators in Apple Business Manager. Due to technical limitations, there is no active synchronization of Managed Apple ID accounts between Apple Business Manager and Meraki Systems Manager. In order to ensure user accounts are properly associated between both portals, follow these steps:
Add or import Owners into Meraki Systems Manager.
Note: If you are using Active Directory, Azure AD, Google Auth, or OpenID Connect then Owners are created automatically at the time of enrollment
Create Managed Apple IDs in Apple Business Manager using one of the following options:
Option A: Create accounts so that the Managed Apple IDs match the email address of the corresponding Meraki Systems Manager owner. This option is typically best for organizations that are able to claim their company email domain in Apple Business Manager or organizations using Azure Active Directory for sign in authentication in Apple Business Manager and Systems Manager.
(ex. Managed Apple ID: email@example.com & SM Owner email address: firstname.lastname@example.org. The Managed Apple ID and the SM owner's email address are an exact match)
Option B: If you are unable to activate a domain in Apple Business Manager that matches your company email domain, then use the User Enrollment Domain Override option in Systems Manager. Systems Manager will use the username of an owners’ email address to dynamically provision the Managed Apple ID during enrollment.
Go to Systems Manager > Configure > General, and fill in the User Enrollment Domain Override field with the domain of your Apple Business Manager accounts
Create accounts in Apple Business Manager so that the username portions of the Apple ID match the corresponding Meraki Systems Manager owners’ email address.
(ex. Managed Apple ID: email@example.com & SM Owner email address: firstname.lastname@example.org. The “username” parts are a unique exact match)
Once enrolled, a Meraki administrator cannot manually change the owner associated with the Apple device via the Dashboard. The device must be re-enrolled to change owners.
Application management for devices enrolled with Apple User Enrollment largely follows the same principles as traditional Device Enrollment, but there are some important differences for App Store apps.
App Store Apps
Apple User Enrollment requires an Apple Volume Purchasing Program (VPP) token to be associated with your Meraki Dashboard organization to install apps from the Apple App Store on devices. Once the token is associated, administrators can purchase licenses for App Store apps. Please follow the documentation for more information on setting up a VPP token in Dashboard and purchasing licenses.
To deploy an app to a device enrolled with User Enrollment, go to Systems Manager > Manage > Apps. Add your app to Systems Manager and ensure that the "License Purchase Method" is set to VPP device assignment. Scope your app to target devices using the appropriate tags.
When a User Enrollment device is scoped to an app, Meraki Systems Manager will automatically do two things:
- Associate the Managed Apple ID of the end user to all VPP tokens in a network if the tokens have licenses for apps scoped to target devices
- Silently invite & accept the user-based VPP license request on behalf of the Managed Apple ID
This has significant meaning for App Store app deployment for the following reasons:
A single app can be scoped to devices regardless of enrollment type. Systems Manager will automatically grant VPP device-assigned licenses to devices enrolled with standard device enrollment, while also granting user-assigned VPP licenses to any devices enrolled with User Enrollment.
User Enrollment devices consume one VPP license per Owner, not device. For example, If Owner A enrolls two or more devices using User Enrollment, only one (1) VPP license is consumed.
At the time of enrollment/unenrollment, Systems Manager will automatically grant and revoke VPP user-assigned licenses without any additional steps required by the end user.
Every end user's Managed Apple ID becomes automatically associated to all VPP tokens in a given network if their devices are scoped to an app. This can be tracked in Systems Manager > Manage > VPP under the "User Management" section.
In the screenshot below, email@example.com was automatically associated to the VPP token "Meraki LLC + Developer" when an app was scoped to a device enrolled with User Enrollment -- the app was also automatically assigned to this Managed Apple ID.
Systems Manager will also automatically append a Note to all Managed Apple IDs in the VPP User Management page that were auto-associated via User Enrollment.
Custom Enterprise Apps
Follow the documentation to deploy custom enterprise apps to User Enrollment devices using Systems Manager. There is no difference between standard Device Enrollment and User Enrollment today.
Since Apple User Enrollment is designed to protect the end user's privacy, there are a different set of configuration profiles which can be applied to User Enrollment devices. Systems Manager has limited capabilities to send device commands, enforce restrictions, and apply configurations on devices.
To view which Settings payloads are available for User Enrollment, navigate to Systems Manager > Manage > Settings and select the iOS or macOS device type filter, then select the “User Enrollment” enrollment type filter.
User Enrollment vs Standard Device Enrollment
Apple User Enrollment contains some unique behavior when compared to standard device enrollment and automated device enrollment with Supervision. There is less control and power over devices enrolled via Apple User Enrollment, so administrators who desire maximum control over the device should consider one of the other enrollment options instead. Apple User Enrollment is considered the least intrusive method of enrolling a device as it is designed to protect the end user's privacy of the device at all times.
To identify whether a device is enrolled with Apple User Enrollment, go to the device's details page and look for the User Enrollment status in the "Management" section
Note: It is not possible to enroll a Supervised device in User Enrollment.
User Enrollment devices are also identified by their Enrollment ID, which appears in the Details section.
Note: Devices enrolled with User Enrollment never report their serial number. Instead, Systems Manager tracks devices using a unique "Enrollment ID".
Furthermore, unlike in standard device enrollment, device information for devices enrolled with Apple User Enrollment is not stored or saved in Systems Manager when a device is unenrolled. Automatically removing device records ensures the intended privacy of the enrolled user.