macOS 10.15 Catalina, iOS 13, and iPadOS 13 introduced a new level of MDM capabilities that balances the protection of user data with corporate security: User Enrollment, more commonly called Bring Your Own Device (BYOD). With User Enrollment (BYOD), the Addigy Agent is not installed on macOS, and User Enrolled devices will deny MDM profiles and commands that affect core settings of the operating system, such as App Lock or Wipe.
You can learn more about User Enrollment from this Apple WWDC presentation “What’s New in Managing Apple Devices”.
Requirements for Configuring User Enrollment:
Apple MDM Push Certificate
Managed Apple IDs for end users that will be enrolling devices
Enrollment Operating System Requirements
macOS Catalina 10.15 or newer
iOS 13 or newer
iPadOS 13 or newer
Devices cannot be supervised or have parts of a prior management method still installed
Configuring Add Devices Settings:
To get started with BYOD User Enrollment, log in to Addigy and click Add Devices in the left-side navigation bar. Once there, select a Policy to configure User Enrollment (BYOD) settings.
On the Add Devices page for a specific policy, there are three ways to add a device to Addigy through an MDM Profile. Click Edit Settings for User Enrollment (BYOD) to upload a custom logo, modify the end-user instruction text, and add a passcode.
Allowed Settings and Software for User Enrollment (BYOD):
Below is a list of common management tasks that an Addigy Administrator will be able to accomplish with User Enrollment (BYOD):
Request general device information
Deploy mail and calendar settings
Require a device passcode
Enable a subset of MDM restrictions
Install apps via Apps and Books (VPP)
Management Restrictions for User Enrollment (BYOD):
Below is a list of common management tasks that an Addigy administrator will not be able to accomplish with User Enrollment (BYOD):
Request device information like Serial Number, UDID, IMEI, etc.
Viewing or modifying cellular information
Viewing information about apps or settings that were not configured via MDM
Full device wipe
Device Lock or Lost Mode
Restrictions that modify more than the security of corporate data
List of Payloads that Support User Enrollment (BYOD):
Active Directory Certificates