Apple Account-Based BYOD user enrollment
Starting from iOS 18 and macOS 15, Apple no longer supports Profile-Based User Enrollment, making Account-Based Enrollment the required method for BYOD device management. Apple Account-Based BYOD Enrollment is a privacy-focused enrollment method that allows employees to use their personally owned iOS and iPadOS devices for work while keeping their personal data separate.
Unlike traditional Profile-Based User Enrollment, this method leverages Managed Apple IDs and a service discovery process to streamline on-boarding and enhance security.
Key Features
- Automatic Service Discovery: Devices determine the enrollment server based on the user's email domain, simplifying on-boarding.
- Support for Latest Apple OS: Designed for BYOD enrollment on iOS and iPadOS 18+ and macOS 15+.
- Managed Apple ID Requirement: Users must sign in with a Managed Apple ID instead of a personal Apple ID.
- Limited IT Control: IT can enforce work policies, manage apps, and remove corporate data, but cannot wipe, lock, or restrict personal usage.
- Enhanced Privacy: Work and personal data remain separate, ensuring personal information is not accessible by IT.
Account-driven enrolment process
To enrol a device using account-driven User Enrolment or account-driven Device Enrolment, the user navigates to the device management settings (on iOS/iPadOS or macOS) and selects the Sign In to Work or School Account button. This initiates a four-stage process to enrol into MDM:
- Service discovery: The device determines the enrolment URL of the MDM solution.
- Authentication and access token: The user provides credentials to authorise the enrolment and is issued an access token for ongoing authentication.
- MDM enrolment: The enrolment profile is sent to the device and the user is required to sign in with their Managed Apple Account to complete the enrolment.
- Ongoing authentication: The MDM solution verifies the signed-in user on an ongoing basis using the access token.
Service discovery process
The Service Discovery process enables Apple devices to automatically locate the appropriate MDM server based on the user’s email domain. This simplifies the Apple Account-Based User Enrollment process by eliminating the need for users to manually enter MDM server details.
To enable Apple Account-Based User Enrollment to support Apple BYOD enrollments on iOS 18+ and macOS 15+, IT administrators must configure Service Discovery by setting up a well-known URL on their organization’s domain and ensure their MDM server is properly configured before attempting the first enrollment.
This allows Apple devices to automatically locate the MDM server when users enter their Managed Apple ID during enrollment.
Implementation Requirements

Service Discovery JSON File
- Organizations must create and host the JSON file on the domain of the Managed Apple ID (the domain part of the user's email address). This is the domain the device queries; it does not have to be the MDM server's own domain.
- Example JSON format, where <mdm-server> is your MDM server name:
  { "Servers": [ { "Version": "mdm-byod", "BaseURL": "https://<mdm-server>/mdm/apple/byod" } ] }

MDM Server Configuration
- The FQDN of the MDM server must be included in the BaseURL of the JSON file.
- The MDM server must support Apple Account-Based User Enrollment flows.

Service Discovery Setup
- Organizations must configure service discovery by hosting the JSON file at a well-known URL.
- The device sends the service discovery request to:
  https://<domain>/.well-known/com.apple.remotemanagement
  where <domain> is the Managed Apple ID domain name.
- The JSON file must contain a single entry in the Servers array, specifying:
  - "Version": "mdm-byod"
  - "BaseURL" pointing to the Account-Based Enrollment URL on the MDM server.
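The service discovery contract described above, as an added example (not code from the BigFix page or from Apple): a small Python module that derives the well-known URL a device will fetch for a given Managed Apple ID, generates the JSON document to host there, and validates a hosted document against the requirements listed above (single Servers entry, Version mdm-byod, https BaseURL on the MDM FQDN). The domain example.com, the MDM host mdm.example.com and the function names are assumptions for illustration. Two details come from Apple's service discovery documentation rather than from this page: the device appends the account as a user-identifier query parameter, and the response must be served as application/json.

```python
"""Generate and validate the Apple account-driven enrollment service-discovery document.

Added example, not BigFix or Apple code. example.com, mdm.example.com and the
function names are illustrative assumptions.
"""
import json
from urllib.parse import urlencode, urlsplit

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
# "mdm-byod" selects account-driven User Enrollment (the BYOD case on this page);
# Apple uses "mdm-adde" for account-driven Device Enrollment, not covered here.
REQUIRED_VERSION = "mdm-byod"


def discovery_url(managed_apple_id: str) -> str:
    """Return the URL the device fetches for a given Managed Apple ID.

    The device takes the domain part of the account and appends the account as
    the user-identifier query parameter (Apple-documented behaviour). The request
    is made over HTTPS, so the domain needs a certificate the device trusts.
    """
    local, sep, domain = managed_apple_id.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email-style Managed Apple ID: {managed_apple_id!r}")
    query = urlencode({"user-identifier": managed_apple_id})
    return f"https://{domain}{WELL_KNOWN_PATH}?{query}"


def build_discovery_document(mdm_server: str, path: str = "/mdm/apple/byod") -> str:
    """Return the JSON body to host at the well-known URL.

    mdm_server is the FQDN of the MDM server; the default path is the BigFix
    account-based enrollment path quoted on this page.
    """
    doc = {"Servers": [{"Version": REQUIRED_VERSION,
                        "BaseURL": f"https://{mdm_server}{path}"}]}
    return json.dumps(doc, indent=2)


def validate_discovery_document(body: str, expected_mdm_server: str,
                                content_type: str = "application/json") -> list:
    """Return a list of problems; an empty list means the document is acceptable.

    Checks mirror the requirements on this page plus the Content-Type Apple expects.
    """
    problems = []
    if content_type.split(";")[0].strip().lower() != "application/json":
        problems.append(f"Content-Type must be application/json, got {content_type!r}")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return problems + [f"body is not valid JSON: {exc}"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or len(servers) != 1:
        return problems + ["Servers must be an array with exactly one entry"]
    entry = servers[0]
    if not isinstance(entry, dict):
        return problems + ["Servers[0] must be an object"]
    if entry.get("Version") != REQUIRED_VERSION:
        problems.append(f"Version must be {REQUIRED_VERSION!r}, got {entry.get('Version')!r}")
    base = entry.get("BaseURL")
    parts = urlsplit(base) if isinstance(base, str) else None
    if parts is None or parts.scheme != "https" or not parts.hostname:
        problems.append(f"BaseURL must be an https URL, got {base!r}")
    elif parts.hostname.lower() != expected_mdm_server.lower():
        problems.append(f"BaseURL host {parts.hostname!r} is not the MDM FQDN {expected_mdm_server!r}")
    return problems


if __name__ == "__main__":
    body = build_discovery_document("mdm.example.com")
    print(discovery_url("jane.doe@example.com"))
    print(body)
    print("problems:", validate_discovery_document(body, "mdm.example.com"))
```

Before attempting the first enrollment, fetch your own well-known URL and feed the returned body and Content-Type header into validate_discovery_document; a non-JSON Content-Type, a second Servers entry, or an http:// BaseURL all fail the checks above, and any of them would make the device unable to locate the MDM server.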
For more information, refer to the Apple official documentation at https://support.apple.com/en-gb/guide/deployment/dep4d9e9cd26/web.
For assistance in setting up service discovery, contact HCL BigFix Support.