iOS/iPadOS BYOD User Enrollment
- iOS BYOD and VPP License Assignment Change
- iOS BYOD User Enrollment Overview
- Account-Driven User Enrollment for iOS/iPadOS BYOD Devices (v15.0+)
- Managing BYOD User Enrollment
- New Inventory Item -- Enrollment Type
iOS BYOD and VPP License Assignment Change
What
For a few years, device license assignment has been the preferred method for assigning licenses for managed iOS devices. But, with BYOD enrolled devices, licenses can't be assigned to the device... So FileWave have made some changes to how we handle this which make managing BYOD enrolled devices (and as a happy accident supervised devices) easier.
When/Why
Historically, when you created an association for a VPP app, you had a choice to assign the license to the Device, or to the User. And, in Preferences, there was an option to set your preference (which you most likely have set to Device). There is now a new option called "Automatic", which you will see below:
And, then on each Association that default can be overridden:
"Automatic" in this instance, basically means "Try to do a device license, but if you can't, then do a user based assignment"
Now, how does this make your life easier if you aren't going to manage BYOD devices? That is a great question! If you set your default setting in preferences to "Automatic", that means that all of your apps will assign to the device if they can, but if you have something that maybe you don't do much...like an app that can't do device based licensing, or an iTunes book for instance, then that association will still work even though you didn't manually change it over to "User".
How
We showed you above changing the preferences so that all new associations will be "Automatic" (which we think will work for almost all instances). But, what happens if you enroll a new BYOD device and put it in a group that has a "Device" based association? In short, nothing...the app will be associated, but can never install because device based license assignment can not be used. So, for best results, you may want to consider updating older associations to "Automatic" as well.
The above may mean you have hundreds of associations to change...if that is the case, remember that you can mass-edit associations in the Associations view.
iOS BYOD User Enrollment Overview
What
With Version 14(+) of FileWave, you can now BYOD (bring-your-own-device) enroll a device without giving total management of the device to the system admin.
When/Why
Typically, this option works best if the device to be supported is not company owned. For instance, an employee with their own iPhone may want to BYOD enroll a device to allow distribution of company-owned app licenses, but without giving their company the ability to manage their phone in other ways.
How
BYOD enrollment is off by default in FileWave, and must be enabled on the Mobile tab in preferences as shown below:
Once enabled, a new tab will be added to the "Enroll iOS Device..." Assistant:
And, once user enrollment is enabled, you can go to https://my.server.address:20443/ios/byod to see the user enrollment page:
Note that by BYOD's very nature the only way you will enroll BYOD devices is through this page. (i.e. it won't be through DEP). BYOD enrollment does require the use of managed apple ids from either Apple School, or Apple Business, Manager.
See below video of a BYOD device enrollment:
Unlike a DEP enrollment, you don't have to wipe the device first to BYOD enroll it. However, trying to enroll a device with a managed Apple ID that is already logged into iCloud on the device will result in an error.
Account-Driven User Enrollment for iOS/iPadOS BYOD Devices (v15.0+)
What
In 2021, Apple introduced Account-Driven User Enrollment, a new method for initiating Bring Your Own Device (BYOD) enrollments. With the releases of iOS 17 and iPadOS 17, profile-based User Enrollment is deprecated, and starting with iOS 18 and iPadOS 18, it is no longer supported. To align with these changes, FileWave 15.5 now supports Account-Driven User Enrollment (ADUE), enabling organizations to securely enroll BYOD devices using this new workflow.
When/Why
When to Use
- BYOD Environments: When employees use their personal iOS or iPadOS devices for work purposes and need access to corporate resources.
- Transitioning from Profile-Based Enrollment: As profile-based User Enrollment is being phased out, organizations should begin migrating to Account-Driven User Enrollment to ensure compatibility with future iOS and iPadOS versions.
Why This Feature Matters
Apple aims to enhance the security and privacy of BYOD deployments. Account-Driven User Enrollment offers several benefits:
- Improved Security: Separates personal and corporate data more effectively, protecting user privacy and corporate assets.
- Simplified Enrollment: Users can enroll their devices by signing in with their Managed Apple ID, streamlining the enrollment process.
- Modern Authentication: Utilizes OAuth 2.0 and OpenID Connect for authentication, providing a more secure and standardized method.
- Organizational Control: Shifts the responsibility of secure enrollment to the organization, allowing for better compliance with internal policies.
Account-Driven Enrollment relies on the Well-known URI mechanism for Mobile Device Management (MDM) discovery, ensuring that devices can locate the MDM server securely and efficiently.
How
Enrolling a Device Using Account-Driven User Enrollment
To enroll an iOS or iPadOS device using Account-Driven User Enrollment with FileWave 15.5:
-
On their iPhone or iPad, the user navigates to Settings > General > VPN & Device Management and taps Sign In to Work or School Account.
The email entered is used by the device to discover the MDM server. For example, if you enter “pn@widget.ch”, the device queries the widget.ch domain, specifically at https://widget.ch/.well-known/com.apple.remotemanagement.
This endpoint must return a specific JSON message containing all the information required to proceed with MDM BYOD enrollment. Therefore, organizations must have control over this URL, which could be an issue for those who completely outsource their website management (see below for potential workarounds).
FileWave Setup
The existing User Enrollment option in FileWave now enables both legacy BYOD and the new Account-Driven Enrollment (ADUE):
FileWave cannot manage your domain but provides some helpful options:
-
Retrieving the Well-Known Content (JSON):
-
If you prefer to host the required file yourself, you can easily obtain the necessary JSON content from FileWave.
-
Click the “Well-known content” button in the FileWave interface. The following JSON will be copied to your clipboard:
{"Servers": [{"Version": "mdm-byod", "BaseURL": "https://pn.widget.ch:20445/ios/byod/enroll/"}]}
-
Create a file containing this JSON and serve it from your web server at the appropriate URL (https://yourdomain/.well-known/com.apple.remotemanagement).
-
-
Setting Up a Redirection to the FileWave Server Endpoint:
-
Alternatively, you can configure your web server to redirect requests from https://yourdomain/.well-known/com.apple.remotemanagement to the FileWave server endpoint.
-
Retrieve the endpoint URL by clicking the “Well-known URL” button in FileWave. For example, the endpoint might be:
https://pn.widget.ch:20445/ios/byod/well-known/
-
Consult your web server documentation for details on setting up the redirection. For instance, to configure Apache, add the following directive inside the VirtualHost section:
RewriteRule ^/.well-known/com.apple.remotemanagement https://pn.widget.ch:20445/ios/byod/well-known/ [R=301,L]
-
Related Content
Digging Deeper
Device Enrollment Process Workflow
Now the device is ready. As a final step, you need to add the device to FileWave. It will appear in the “New Mobile Client” dialog, or it will be automatically added to the model if Auto-Enrollment is enabled.
Managing BYOD User Enrollment
What
You have no doubt gotten used to managing supervised iOS devices, where you have the ability to manage most elements of the device. If you have previously had folks do a manual OTA enrollment, then you know you have less management of those devices than those that are supervised. BYOD user enrolled devices take that a step further, and even fewer capabilities exist (but for good reason).
When/Why
If you are going to utilize BYOD enrollment, it is because the devices to be enrolled actually shouldn't be managed by you, but they should have the ability to leverage the organization's resources. So, with BYOD enrollment, you can distribute VPP apps and licenses:
- An important feature provided through the Managed Apple IDs is the deployment of apps and media via VPP
- For User Enrollment, FileWave will automatically register and associate VPP users for each associated VPP asset on demand (because the licenses can't be associated to the device)
- Configuration profiles, like email settings and VPN settings are supported (to ease customer setup)
But there are also restrictions to management:
- No access to device-identifying information (e.g. serial number, universal device identifier (UDID), IMEI, or mac addresses)
- No access to personal data
- No access to personal apps (no taking management or removing)
- Limited control capability (no remote wipe, no restrictions, device is not supervised so no profiles requiring supervision)
- Not all profiles are supported (profiles that restrict the user are largely not permitted, e.g strict passcode requirements, configurations that proxy network traffic, restrictions that block content)
How
Once the devices are enrolled, associations for content are managed like you are used to, but there is one important (and helpful) change to the way FileWave is managing VPP license assignation. So please make sure and check out the article linked below on VPP License/Association Changes
You may be saying to yourself: "If I have to assign these licenses to the user, doesn't that mean I'll have to create VPP users in FileWave and invite them?" And the answer to that is thankfully, no. For User Enrollment, FileWave will automatically register and associate VPP users for each associated VPP asset on demand.
New Inventory Item -- Enrollment Type
What
There are now several methods of enrolling devices into FileWave and a new inventory field has been created to record the enrollment method.
When/Why
This field can be helpful when assigning content to devices. The field in question is called Enrollment Type as you'll see below:
How
There is nothing special about access the item...you can do it in any query or smart group, but the following are the breakdown of the values for the field:
Displaying information |
Description |
Enrollment via APK |
Device was manually enrolled via installation of FileWave application |
Enrollment via EMM_API |
Device was enrolled via the Android Management API (through NFC or a QRcode) |
OTA Enrollment |
Device was enrolled over-the-air |
User Enrollment |
Device was enrolled BYOD |
DEP Enrollment |
Device was enrolled via Apple DEP |
Enrollment via fwcld |
Device was enrolled via fwcld |
Enrolled |
Enrollment of Chromebook |
User approved enrollment |
Device was enrolled over-the-air and approved by user |
Presumed DEP Enrollment |
Device is supervised iOS client that was enrolled before v14. |
Not available |
Enrollment type is not determined |