
Personal Device Enrollment Portal

While zero-touch deployment is great for new and refreshed devices, Apple have something new to make the experience great for devices that are already in use. With account-driven enrollments, users can enroll their device using their Managed Apple ID right from Settings and System Settings.

Enrollment uses a discovery process, so organizations can define whether devices should be managed as organization-owned or personal. Personal devices have a curated set of management capabilities, specifically designed for BYOD. In both cases, organizational data is cryptographically separated from personal data, providing security and privacy for users and organizations.

Curated BYOD management capabilities

MDM can:

Configure accounts

Configure Per App VPN

Install and configure apps

Require a passcode on iPhone or iPad

Enforce certain restrictions

Access inventory of work

MDM can’t:

Access personal information

Access inventory of personal apps

Remove any personal data

Take over personal apps

Require a complex iPhone and iPad passcode

Remotely wipe the entire device

Collect any logs on the device

Access device location

How users enroll their personal devices

Account-driven user enrollment

In iOS 15, iPadOS 15 and macOS 14 or later, organizations can use a streamlined User Enrollment process, built right into the Settings app, to make it easier for users to enroll their personal devices. To do this, the user navigates to Settings > General > VPN & Device Management and then taps the Sign In to Work or School Account button. As they enter their Managed Apple ID, service discovery identifies the MDM solution’s enrollment URL.

The user enters their organization user name and password. After the organization’s authentication succeeds, the enrollment profile is sent to the device. Additionally, a session token is issued to the device to allow ongoing authorization. After a user is signed in, the new managed account is displayed prominently within the Settings app.
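The service discovery step described above can be checked before users try to enroll. The following is an added example, not part of the original page or of any MDM product: it validates a discovery document offline. The well-known path, the "Servers", "Version" and "BaseURL" keys and the "mdm-byod" and "mdm-adde" values are taken from Apple's MDM documentation rather than from this page, and example.com and the sample documents are constructed.

```python
import json
from urllib.parse import urlsplit

# Assumption (Apple MDM documentation, not this page): "mdm-byod" selects
# personal (User Enrollment), "mdm-adde" selects organization-owned enrollment.
VERSIONS = {"mdm-byod": "personal", "mdm-adde": "organization-owned"}
WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"


def discovery_url(managed_apple_id):
    """Build the URL the device derives from the domain of the Managed Apple ID."""
    local, sep, domain = managed_apple_id.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a user@domain identifier")
    return f"https://{domain.lower()}{WELL_KNOWN_PATH}"


def check_discovery_document(body):
    """Return (enrollment types offered, list of problems) for a discovery JSON body."""
    problems, offered = [], []
    try:
        servers = json.loads(body).get("Servers")
    except (ValueError, AttributeError):
        return offered, ["body is not a JSON object"]
    if not isinstance(servers, list) or not servers:
        return offered, ["'Servers' must be a non-empty array"]
    for i, entry in enumerate(servers):
        version = entry.get("Version") if isinstance(entry, dict) else None
        base = entry.get("BaseURL") if isinstance(entry, dict) else None
        if version not in VERSIONS:
            problems.append(f"Servers[{i}]: unknown Version {version!r}")
            continue
        url = urlsplit(base) if isinstance(base, str) else None
        if url is None or url.scheme != "https" or not url.hostname:
            problems.append(f"Servers[{i}]: BaseURL must be an absolute https URL")
            continue
        offered.append(VERSIONS[version])
    return offered, problems


# Constructed sample documents (example.com is a placeholder domain).
GOOD = '{"Servers": [{"Version": "mdm-byod", "BaseURL": "https://mdm.example.com/enroll"}]}'
BAD = '{"Servers": [{"Version": "mdm-byod", "BaseURL": "http://mdm.example.com/enroll"}, {"Version": "byod", "BaseURL": "https://mdm.example.com/e"}]}'

if __name__ == "__main__":
    print(discovery_url("pat@example.com"))
    print(check_discovery_document(GOOD))
    print(check_discovery_document(BAD))
```

An entry that fails either check is not counted as an offered enrollment type, so a document whose only entries are malformed reports no usable enrollment URL.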

Users can access files in their personal iCloud Drive. The iCloud Drive for the organization appears separately in the Files app. In iOS and iPadOS, Managed Apps and managed web-based documents all have access to the organization’s iCloud Drive, but the MDM administrator can help keep specific personal and organizational documents separate by using specific restrictions.