Apple BYOD enrollments
BigFix MCM and BigFix Mobile allow device users to enroll their BYOD (Bring Your Own Device) devices, that is, personally owned Apple devices running macOS, iOS, or iPadOS, so that the IT admin can manage them. Apple BYOD user enrollment separates work and personal data on the device, allowing employees to use their own device for work without compromising their privacy. With User Enrollment, the organization can manage work-related apps and data, but the user retains control over their personal apps and data.
Key benefits
- User-enrolled devices get a personal profile and a company profile. The company does not have access to the personal profile and hence cannot wipe, lock, or impose any control over the personal use of the device.
- Users can review the IT management capabilities of personally owned iOS and iPadOS devices before enrolling their device. Users can remove the MDM profile because the device is in an unsupervised state.
- Users can securely access institutional resources such as email, contacts, calendars, Wi-Fi, and VPN, while keeping their personal data secure. Users maintain a personal Apple ID for their personal data and use a Managed Apple ID for institutional data.
- IT can only remove institutional data from the device, ensuring protection of the user's personal data, such as photos and documents. Since users must interactively complete enrollment, User Approved MDM status is achieved and grants administrators additional device management privileges.
Methods
BigFix MCM supports different methods for enrolling Apple BYOD (Bring Your Own Device), allowing organizations to manage personal devices securely while respecting user privacy. Here are the different types:
Differences between profile-based and account-based enrollments
Here's a comparison table highlighting the key differences between Profile-Based Enrollment and Account-Based Enrollment:
| Feature | Profile-Based Enrollment | Account-Based Enrollment |
|---|---|---|
| Supported OS Versions | iOS 13–17, macOS 12–14 | Required for iOS 18 and macOS 15 and later (Apple dropped profile-based support). Supported on iOS 15 and later; macOS 15 and later. |
| Prerequisites | No additional setup needed apart from MDM configuration | Requires Service Discovery setup, which involves placing a JSON file on a publicly accessible web server under the company domain |
| Enrollment Method | User visits a web page and installs a profile | User initiates enrollment from Settings → VPN & Device Management → Sign in to Work or School Account |
| Authentication | Requires both a Managed Apple ID and LDAP/AD credentials. LDAP/AD is the only supported authentication method on the MDM server for User Enrollment in MCM v3.3. | Requires both a Managed Apple ID and LDAP/AD credentials. LDAP/AD is the only supported authentication method on the MDM server for User Enrollment in MCM v3.3. |
| Service Discovery | User manually enters the MDM enrollment URL | Device automatically finds the MDM server based on email domain |
| User Interaction | Requires users to accept the installation of a profile that is automatically downloaded as part of the enrollment process. | Integrated into the Settings app for a seamless experience |
| IT Control & Privacy | IT can manage work-related apps and settings but not personal data | Same as profile-based, but with deeper OS integration for better security and automation |
| Management Features | Limited integration with Apple’s Managed Apple ID system | Tightly integrated with Managed Apple IDs for improved user and device management |
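The Service Discovery JSON file from the Prerequisites row decides which MDM server a device enrolls with, so it is worth checking before publishing. The following is an added example, not BigFix or Apple code: the well-known path and the `Servers`/`Version`/`BaseURL` keys follow Apple's account-driven enrollment discovery format, which this page does not spell out, and the host names and sample documents are constructed.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
BYOD_VERSION = "mdm-byod"  # Version value for account-driven User Enrollment

# Constructed sample documents (hosts and paths are placeholders).
GOOD = '{"Servers": [{"Version": "mdm-byod", "BaseURL": "https://mdm.example.com/enroll"}]}'
BAD = '{"Servers": [{"Version": "mdm-byod", "BaseURL": "http://mdm.example.net/enroll"}]}'


def discovery_url(managed_apple_id: str) -> str:
    """URL the device requests, built from the domain of the Managed Apple ID."""
    local, sep, domain = managed_apple_id.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a user@domain identifier")
    return f"https://{domain.lower()}{WELL_KNOWN_PATH}"


def check_discovery_document(body: str, expected_mdm_host: str) -> list[str]:
    """Return the problems found in the JSON file; an empty list means it passed."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return ["missing or empty 'Servers' array"]
    problems = []
    byod = [s for s in servers if isinstance(s, dict) and s.get("Version") == BYOD_VERSION]
    if not byod:
        problems.append(f"no entry with Version '{BYOD_VERSION}'")
    for entry in byod:
        url = urlsplit(str(entry.get("BaseURL", "")))
        if url.scheme != "https":
            # Enrollment traffic must not be redirected to a cleartext endpoint.
            problems.append(f"BaseURL is not https: {entry.get('BaseURL')!r}")
        elif (url.hostname or "") != expected_mdm_host.lower():
            # A wrong host would send users' credentials to another server.
            problems.append(f"BaseURL host {url.hostname!r} is not the expected MDM server")
    return problems


if __name__ == "__main__":
    print(discovery_url("jane@example.com"))
    print(check_discovery_document(GOOD, "mdm.example.com"))
    print(check_discovery_document(BAD, "mdm.example.com"))
```

The file should also be served as JSON over HTTPS from the same domain that appears in users' Managed Apple IDs, since that domain is all the device has to locate it.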
Prerequisites
The user must have a Managed Apple ID or Federated AD credentials through the associated Apple Business Manager account.
Applicable actions for BYOD
- Lock (iOS only)
- Remove Policy
- Push VPP Apps and Books
- Unenroll
Frequently Asked Questions
1. What happens when a device is unenrolled?
   When a user removes the MDM profile or signs out of their Managed Apple ID, all corporate apps, configurations, and data are removed, but personal data remains untouched.
2. What happens if I change my Apple ID?
   - If the Managed Apple ID changes, users must unenroll the device with the old ID and re-enroll with the new one.
   - Users can switch personal Apple IDs, but only the organization controls the Managed Apple ID.