macOS 10.15 Catalina, iOS 13, and iPadOS 13 introduced a new level of MDM capabilities that balances the protection of user data with corporate security: User Enrollment, more commonly called Bring Your Own Device (BYOD). User Enrollment (BYOD) will not install the Addigy Agent on macOS, and User Enrolled devices will deny installation of MDM profiles that affect core settings of the operating system, such as the ability to use App Lock or Wipe commands.
You can learn more about User Enrollment from this Apple WWDC presentation “What’s New in Managing Apple Devices”.
Requirements for Configuring User Enrollment:
Apple MDM Push Certificate
Managed Apple IDs for end users that will be enrolling devices
Enrollment Operating System Requirements
macOS Catalina 10.15 or newer
iOS 13 or newer
iPadOS 13 or newer
Devices cannot be supervised or have parts of a prior management method still installed
Configuring Add Devices Settings:
To get started with BYOD User Enrollment, log in to Addigy and click on Add Devices in the left side navigation bar. Once there, select a Policy to configure User Enrollment (BYOD) settings.
On the Add Devices page for a specific policy, there are three ways to add a device to Addigy through an MDM Profile. Click on Edit Settings for User Enrollment (BYOD) to upload a custom logo, modify the end-user instruction text, and add a passcode.
Allowed Settings and Software for User Enrollment (BYOD):
Below is a list of common management tasks that an Addigy Administrator will be able to accomplish with User Enrollment (BYOD):
Request general device information
Deploy mail and calendar settings
Require a device passcode
Enable a subset of MDM restrictions
Install apps via Apps and Books (VPP)
Management Restrictions for User Enrollment (BYOD):
Below is a list of common management tasks that an Addigy administrator will not be able to accomplish with User Enrollment (BYOD):
Device information like Serial Number, UDID, IMEI, etc.
Viewing or modifying cellular information
Viewing information about apps or settings that were not configured via MDM
Collecting logs
Full device wipe
Device Lock or Lost Mode
Removing passcode
Complex passcode
Restrictions that modify more than the security of corporate data
List of Payloads that Support User Enrollment (BYOD):
802.1x
Active Directory Certificates
AirPlay
AirPrint
Associated Domains
Calendar
Contacts
Certificates
Desktop
Directory Services
Exchange
Extensible SSO
Fonts
Google Accounts
Identification
LDAP
Login Items
Mail
Passcode
Restrictions
SCEP
Subscribed Calendars
User Preferences
Web Clip
Wi-Fi