User Enrollment creates a management profile for BYOD iPhones, but IT must remove that data in cases such as device loss or theft. Learn how to do this with a selective wipe.
IT administrators managing personally owned iPhones should be familiar with the data wipe options available for those devices -- especially since Apple introduced more enrollment methods.
User Enrollment provides a secure method for managing personal Apple devices in the enterprise without affecting users' personal data. Previously, there was only a full Device Enrollment option, which ensures that the device is completely managed and can be fully wiped. User Enrollment, on the other hand, protects user privacy by separating work and personal data. With this enrollment method, IT admins are only able to perform a selective wipe of the device, making it a much better option for BYOD endpoints.
What are the main features of Apple User Enrollment?
When IT sets up User Enrollment on a personal iPhone or iPad, the device gets an enrollment profile. This is a type of device management profile that creates a complete separation between work and personal data. It's similar to a work profile on an Android device. However, there is an important difference. On a personal Android device, the separation is clearly shown by literally having two separate profiles on the device. With User Enrollment on Apple devices, the separation is visible at the data storage level, within the apps.
To create that separation, the personal Apple Account and the Managed Apple Account are both signed in on the device at the same time, but they each have their own storage location. The apps clearly show a separate data storage location for the personal account and the managed account. This is important for when users or admins have to erase work data due to situations such as device theft. The separation makes it easy to remove the enrollment profile and the data within it through a selective wipe.
The selective wipe capability sets User Enrollment apart from other enrollment options for iOS devices. All the other options provide more management controls and visibility over the device and enable IT to perform full wipes. Admins should consider these factors when choosing a management route, but the options actually available might differ depending on the organization's MDM provider.
How User Enrollment affects iPhone management
User Enrollment provides admins with limited control over, and limited insight into, users' iPhones. Within this limited management experience, an organization's MDM software is only able to do the following:
Configure accounts.
Configure per-app VPNs.
Install and configure apps.
Require a passcode.
Enforce some specific device restrictions.
Collect an inventory of managed apps.
Remove work data and apps.
These capabilities are comprehensive while ensuring users have enough privacy on their BYOD endpoints. With User Enrollment, the end user is ultimately in control of the device's management, as they can always unenroll the device again.
Besides a few specific device restriction options, User Enrollment mainly addresses work apps and data. The enrollment process creates the following components on the device:
An enrollment profile containing the different apps and device restrictions that the organization manages. Users can find this under Settings > General > VPN & Device Management.
Separate encryption keys that protect access to work data on the device.
A separate volume for standard iOS apps.
A separate iCloud Drive that serves as a storage location for work data. Standard iOS apps and managed apps can both access this location.
The user then has one iCloud Drive for their work data and a separate iCloud Drive for their personal data. Both are shown in apps as separate storage locations. That clear separation also ensures that any MDM software can wipe work apps and data without affecting personal data.
How to remove a management profile from an iPhone
When a user or admin says they want to remove a management profile from a personal iPhone, they might mean one of two different things. They might want to remove the enrollment profile, wiping all work data and management settings from the device. Alternatively, they might want to remove a configuration profile from the device, changing a specific batch of settings. The terms can cause confusion, as an enrollment profile is basically a configuration profile with an MDM payload that enrolls the device.
While IT teams can remove configuration profiles on managed devices from their MDM console, users might not have the same control. To see what configuration profiles are on a device, users can navigate to Settings > General > VPN & Device Management. If any configuration profiles are listed, they can select one and tap Remove Profile. However, from there, they might need to enter admin credentials to continue. If a profile is required under MDM policies, users cannot delete it on their own.
Similarly, users shouldn't be able to bypass MDM or remove management controls overall. MDM profiles -- including enrollment profiles -- are listed in the same location as configuration profiles. Under VPN & Device Management, if a user selects an MDM profile, they'll see the option to select Remove Management, but they'll run into the same issue. Without admin credentials, they can't go forward with the removal.
It's possible to remove MDM profiles by jailbreaking the device or using third-party tools, but this can cause security issues and violate corporate policies. To remove a device from remote management securely and without affecting their personal data, users should contact their administrator. The IT team can then perform a selective wipe of the device, removing all work apps and data as it removes the enrollment profile.
Why is it important to selectively wipe an iPhone?
Personal iPhones are often enrolled for management so users can easily and securely access work apps and data. That's also why it's important to be able to wipe personal devices. Easy access to sensitive data is a problem if the device gets lost or stolen or the user leaves the company. In either case, with remote wipe capability, the IT department stays in control of the work apps and data and can at least remove corporate information.
Depending on how personal devices are managed and enrolled, there are different options for wiping them. The following options are available for wiping personal iPhones:
Full wipe. This option restores the device's factory defaults and settings, wiping all the user accounts, data, and MDM policies and settings in the process.
Selective wipe. This option wipes only the managed app data, MDM policies and settings by removing the enrollment profile from the device, which leaves personal data untouched.
Whether IT can perform either of these wipe options depends on the ownership and enrollment of the device. User Enrollment provides users with certainty that their data will remain private, as IT only has the option to perform a selective wipe.
How to selectively wipe an iPhone
The selective wipe option is ideal for BYOD scenarios because it removes only work apps and data, leaving personal apps and data untouched. IT teams using Microsoft Intune as their MDM provider can perform a selective wipe on a personal iPhone through the following steps:
Open the Microsoft Intune admin center portal and navigate to Devices > iOS/iPadOS.
On the iOS/iPadOS | iOS/iPadOS devices page, select the iPhone that should be wiped.
On the device-specific page, select Retire > Yes to start the selective wipe of the device.
The next time the iPhone checks in with the MDM platform, the selective wipe will occur. During that process, the enrollment profile is removed from the device, and the device is removed from the MDM system. That check-in should happen automatically when the device connects to the internet. In addition, the process destroys the encryption keys to ensure the iPhone has no more access to work data.
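The same retire action can be scripted against Microsoft Graph, which is useful when many personal iPhones must be retired after an offboarding. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin has been granted the listed scopes, and that the device name is a placeholder you replace with the name shown in the Intune admin center. It checks that Intune records the device as a personally owned iOS device before issuing the retire (selective wipe) and never calls the full wipe action.

```powershell
# Added example (not from the article): selective wipe of a personal iPhone via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK and admin consent for the scopes below.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All", `
                        "DeviceManagementManagedDevices.PrivilegedOperations.All"

# Placeholder: the device name as listed under Devices > iOS/iPadOS in the Intune admin center.
$DeviceName = "DEVICE-NAME-PLACEHOLDER"

# Look the device up by name; Invoke-MgGraphRequest returns the JSON body as a hashtable.
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=deviceName eq '$DeviceName'"
$matches = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

if (-not $matches)        { throw "No Intune device named '$DeviceName' found" }
if ($matches.Count -gt 1) { throw "'$DeviceName' matches more than one device; refusing to guess" }
$device = $matches[0]

# Guard: only a personally owned iOS device should ever be retired with this script.
# A corporate device would normally be handled differently, and a full wipe is never
# issued here, so personal data on a BYOD iPhone cannot be erased by mistake.
if ($device.operatingSystem -ne 'iOS' -or $device.managedDeviceOwnerType -ne 'personal') {
    throw "Device '$($device.deviceName)' is $($device.operatingSystem)/$($device.managedDeviceOwnerType); not a personal iPhone"
}

Write-Host "Retiring '$($device.deviceName)' (last check-in: $($device.lastSyncDateTime))"

# Retire = selective wipe: removes the enrollment profile, managed apps and work data
# at the device's next check-in, leaving personal apps and data untouched.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($device.id)/retire"
```

The retire request is queued on the Intune side; as with the console steps above, nothing is removed until the iPhone next checks in, so the lastSyncDateTime printed before the call is a useful indicator of how stale the device is.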
Editor's note: This article was originally published in 2023 and was updated in 2025 to improve the reader experience.
Peter van der Woude works as a mobility consultant and knows the ins and outs of the ConfigMgr and Microsoft Intune tools. He is a Microsoft MVP and a Windows expert as well.