iOS 13 is out – Here’s what the enterprise needs to know
What does Apple need to do put the final polish on User Enrollment? Where will it be useful? What do the new iPhones mean? All this, and other notes.
iOS 13 is out today, and like any Apple update, it’s going to show up on millions of iPhones in the enterprise over the next few days.
This year, Apple’s biggest new enterprise feature is User Enrollment, a new MDM mode that’s designed to preserve end user privacy on BYOD iPhones and iPads, as well as on Macs with macOS Catalina.
I’ve already spilled plenty of ink about why Apple needed to improve BYOD, though to be fair, Apple had been busy on other enterprise features. Either way, this is the biggest leap forward for BYOD since iOS 7, and finally brings an iOS equivalent to Android Enterprise work profiles.
User Enrollment will actually be arriving with iOS 13.1, which is coming out on September 30 24 (Update: Apple recently posted this change, and confirmed it to The Verge mid-day Thursday, shortly after this article was first published), along with several other consumer features. (As John Gruber wrote, we should think of Apple WWDC as showing us the strategy for the next year, rather than all the updates coming out precisely in the middle of September.)
We covered many of the enterprise features (including User Enrollment) back in June in our WWDC 2019 overview, our iOS 13 and macOS deep dive, and our podcast. At the time, we had some unanswered questions, and there's a lot to think about in general. In today’s article, I’ll pick up the discussion again.
What do you need for User Enrollment?
If you’re not familiar with User Enrollment, go back and read those articles I just linked to. Now, how do you get going with it?
First, you’ll need a device running iOS 13.1 or macOS Catalina, so that means that you’ll need a device that has a beta version, or you’ll have to wait until September 24 for iPhones and iPads, and later for Macs. Note that you cannot migrate a device from traditional MDM to User Enrollment, and you’ll have to do fresh enrollments.
Next, you need an MDM/EMM/UEM platform that supports User Enrollment. Even though most platforms have support for the OS at release, that doesn’t mean that they have support for all the features. From what I’ve seen, it’s a mixed bag out there and things are changing quickly, so check with your vendor.
You’ll need to create Managed Apple IDs for BYOD users in Apple Business Manager or Apple School Manager. Here’s where things get tricky: these programs are only available in about 65 69 countries, so if you’re not on the list, you’ll have to stick to other EMM techniques. (Update #2: This week Apple announced four additional regions: China mainland, Saudi Arabia, Thailand, and Vietnam.)
Apple Business Manager and Apple School Manager support federating Managed Apple IDs with Microsoft Azure Active Directory. As of writing, it’s my understanding that this is in beta for Apple Business Manager. (It’s already available for schools.)
Some users may have already created a personal Apple ID with their work email address. Apple has a process for finding these conflicts and taking over the IDs. The Apple School Manager support page has details, and it should be similar for Apple Business Manager.
Another important step is figuring out which users are candidates for User Enrollment. Right now, it’s best for traditional employees that bring in personally liable devices (BYOD), and possibly some corporate-issued devices that are essentially given to users and treated as personal devices (COPE). Devices can only have one User Enrollment association, so this isn’t really suitable for contractors yet.
You’ll have to look at all the security features of User Enrollment and decide if it’s right for you. Remember, traditional MDM isn’t going anywhere, and also there are plenty of times where you’ll just have to be pragmatic and say no to BYOD. In addition, there’s still a big role for third-party MAM SDKs and containerization, just like after Samsung Knox, iOS 7, and Android work profiles came out. If you want more granular features beyond what Apple gives you, or you’re dealing with contractors whose devices you can’t enroll, you’ll also still be looking at these other forms of mobile app management.
Finally, you should get familiar with the new enrollment process. It’s simpler, and there are fewer buttons for users to tap, but it is different, so instructions need to be updated. In particular, be aware of the ramifications of enrolling from Safari versus a native EMM app. Under User Enrollment, MDM servers can’t take over the management of user-installed apps. So, if an EMM agent app is used to enroll, then it will be stuck outside of the enterprise container. Instead, you’ll want users to enroll via Safari (via a link, QR code, email, or message) before they install any enterprise apps. Check with your EMM vendor for more recommendations on this.
User Enrollment to do list
There are a few more things that Apple and EMM vendors could do to polish up User Enrollment in the short term:
- Figure out an elegant way to avoid the user-installed versus MDM-managed app conflict described above.
- Expand Managed Apple ID federation to additional identity providers beyond Azure AD.
- Expand Apple Business Manager and Apple School Manager to more regions.
- Provide more ways for enterprises to manage data that’s backed up into the iCloud accounts associated with Managed Apple IDs.
And in the long term, there are more features that would be nice to have. Some of these might not completely align with Apple’s philosophy, but we’ll see what happens as User Enrollment spreads over the next year and beyond:
- Dual work and personal app usage for more apps, either via a framework that developers could use, or a system-provided route, like Android Enterprise work profiles.
- More granular DLP policies and restrictions. Today, User Enrollment still has some restrictions that can apply to the whole device, as well as a few routes for data exfiltration (such as copy/paste).
- A work app challenge (i.e., MDM could put a passcode / Face ID / Touch ID step in front of any managed app).
- Do Not Disturb for managed apps only, to let users shut out distractions on the weekend. (Setting limits in Screen Time could be a good way to do this in the meantime.)
- Support for connections to multiple MDM servers. (To be fair, Android Enterprise doesn’t do this yet, either.)
I’ll acknowledge that User Enrollment isn’t perfect yet. But it will get more polished over time, both by Apple and EMM vendors. What’s more important is that Apple has acknowledged the need for a different approach to BYOD. They responded with a brand new MDM mode, which is going to be widely available very soon. This is a big deal. User Enrollment is the MDM technique that I would prefer to use on my personal phone, and I’m sure the same applies to many other users.
What else is going on?
As I mentioned, User Enrollment is just one of many big enterprise features coming out of Apple this fall. Head to our previous article for more on Customized Automatic Device Enrollment, app distribution, and more. Since June, Apple has published a video with more information about the new enterprise SSO extensions. Over the next few months, we’ll see what EMM and identity vendors do with these new frameworks.
There’s a lot to talk about with macOS, but we’ll save that for another article.
With iPadOS, arriving on September 24, be aware that the user agent string in Safari will now indicate that it is macOS. This means that MDM enrollment profiles and conditional access policies will have to be modified. See this Azure AD documentation for one example.
What about devices? The iPhone 11 and iPhone 11 Pro are coming out tomorrow. Of note, the iPhone 11 is $50 cheaper than the iPhone XR, and the prices have been dropped more than usual for older devices.
There’s been no word of a new iPhone SE, but with the iPod Touch recently refreshed, companies that have 4” iOS devices in frontline use cases (e.g., barcode scanners, point of sale) will have replacement options available for at least a few more years.
Also on the device front, the new iPhones now have an ultra wideband chip, called the U1. Apparently this will open up all sorts of new use cases with precision indoor location. In addition, the new iPhones also support WiFi 6.
Overall, keep an eye on your EMM documentation and Apple’s documentation.