Guide for Apple IT: Device Enrollment (UAMDM, TCC, and Device Supervision)

Posted on December 17, 2019

For any business that runs on Apple, choosing the right device enrollment method is essential to speed up onboarding and provide the right balance between privacy (for corporate and personal data) and management capabilities.

In this guide, we’re going to take a look at three device enrollment methods that Apple offers, breaking down their strengths, weaknesses, and ideal use cases. We’ll also discuss how they relate to important privacy and policy topics like user approved MDM (UAMDM) status, “Transparency, Consent, and Control” (TCC), device supervision, kernel extension whitelisting, and BYOD (Bring Your Own Device).

Here are the three enrollment methods that we’ll cover:

  1. User Enrollment
  2. Device Enrollment
  3. Automated Device Enrollment (formerly “DEP”)

A Primer on User Enrollment, Device Enrollment, & Automated Device Enrollment

Before we dive into the particulars of each type of enrollment method, let’s get a basic understanding of what they are. Later on, we’ll talk about what they’re capable of, what circumstances they’re best suited for, and how you can start using them:

What’s User Enrollment?

User Enrollment was announced at the 2019 Worldwide Developers Conference (WWDC) as a brand-new enrollment method for macOS Catalina 10.15 and iOS 13. User Enrollment differentiates itself from past enrollment methods by rolling out new functionality that mainly addresses pain points in BYOD policy implementation.

We’ll take a closer look at this method later, but for now, just know that it introduced three significant updates that will make implementing BYOD much more attractive for businesses and employees by:

  1. Separating personal and corporate data by storing them in different APFS volumes.
  2. Limiting device-wide management and data capabilities to protect user privacy.
  3. Requiring Managed Apple IDs but allowing personal Apple IDs to coexist on the same device.

What’s Device Enrollment? 

Device Enrollment lets businesses enroll their Apple devices in an MDM solution of choice. This can be accomplished by visiting a web page, downloading a profile, or installing a package – even if the devices were purchased in a way that makes them ineligible for enrollment through Apple Business Manager's Automated Device Enrollment.

Though Device Enrollment lacks sufficient privacy features for BYOD, macOS High Sierra 10.13.2 introduced User Approved MDM (also referred to as UAMDM), which requires end users to approve the Device Enrollment themselves before the IT team can complete MDM enrollment or make changes to sensitive security settings.

UAMDM is only required for businesses that need to manage sensitive security settings but don’t use Automated Device Enrollment (formerly Device Enrollment Program, or DEP) for their MDM enrollment. This is because devices enrolled in Automated Device Enrollment are already considered user approved.

What’s Automated Device Enrollment (Formerly DEP)?

Before we break down this enrollment method, it’s important to note that Apple Deployment Programs/Device Enrollment Program (DEP) has been replaced by Apple Business Manager and is now commonly referred to as “Automated Device Enrollment” within Apple Business Manager. (You can read more about this in our Apple Business Manager guide.)

For the rest of this article, we’ll refer to DEP as Automated Device Enrollment. Essentially, Automated Device Enrollment makes it easier for businesses to deploy macOS and iOS devices by letting IT administrators do things like reduce the number of steps needed while setting up a new device. Usually, manually setting up new devices takes a lot of time and resources, but using an MDM with Apple Business Manager’s Automated Device Enrollment feature can make it a breeze.

BYOD and Privacy Functions

We’ll also discuss how some of these enrollment methods relate to Apple device supervision, TCC, kernel extension whitelisting, and BYOD.

Here’s a bit of background on these terms:

Device Supervision: Apple device supervision was introduced in iOS 5 and now extends to iPadOS and tvOS. Device supervision is intended for company-owned devices, not personal devices, for reasons that we’ll see later. When supervision is active, IT administrators can exercise more control over managed devices to automate actions, add restrictions, and do things like bypass activation lock, install apps “silently,” push OS updates remotely, or filter web content.

TCC/PPPC: Apple introduced new controls in macOS Mojave 10.14 that are collectively referred to as TCC (Transparency, Consent, and Control) or PPPC (Privacy Preferences Policy Control). These controls let IT administrators allow or restrict cross-application data requests – for instance, with TCC, IT can decide whether a user should be able to give an app access to Photos or Contacts.

Whitelist Kernel Extensions: Kernel extensions (also known as “KEXTs”) let developers load code dynamically into the macOS Kernel. This grants access to internal Kernel interfaces, allowing complex apps (such as virtualization applications and hypervisors like Parallels or VMware Fusion) to function properly. To whitelist kernel extensions, IT simply decides which kernel extensions should be allowed to run (especially when the extensions relate to third-party programs). The ones that are approved are considered whitelisted.

BYOD: A “bring your own device” policy is exactly what it sounds like; it gives employees the option to use their own devices at work. This can save businesses a lot of money that would typically go into hardware, and employees tend to like having the freedom to pick their own tech. On the other hand, it poses quite a few security challenges. As we’ll see later in this guide, Apple has taken some steps to make BYOD safer and more convenient for everyone involved.


Now that we have a working definition of the three primary enrollment methods and a few important policy and privacy topics, let’s dig a bit deeper into how this all works.


1. User Enrollment

As we brought up earlier, User Enrollment is Apple’s latest enrollment method. It’s tailored for BYOD, finding a middle ground between the scope of management capabilities that IT administrators want and the privacy concerns that users expect.

Under User Enrollment, the user can enjoy more privacy, but IT administrators will notice a few significant management restrictions – especially considering the amount of management power that existing enrollment options provide (such as wiping, locking, and restricting enrolled and Apple supervised devices freely). That said, this balance between control and privacy still manages to benefit both users and IT.

Balancing Privacy and Management Capabilities

Under User Enrollment, your MDM solution can only manage spaces that operate in a business capacity. On one hand, this keeps personal information (such as non-business-related apps a user has installed) private; on the other, it makes business data safer within BYOD policies – though at the cost of management flexibility.

This separation of data is achieved during enrollment. Basically, the user is given a separately managed APFS volume that uses different cryptographic keys than the volume that stores business data. Beyond keeping personal data private, using two separate volumes makes dealing with company data easier when a user no longer works for a company – because, under User Enrollment, business data can be wiped without erasing the whole device. Users get to keep their data, and businesses get to protect theirs.

This enrollment method solves one of the biggest problems with previous enrollment methods for BYOD – employees had to give IT administrators an uncomfortable amount of control over their devices. Now, they can feel more comfortable using their tech at work, and businesses can feel better about their data being accessed on a non-company-owned device.

When to Use User Enrollment

Apple built User Enrollment to make BYOD policies easier to implement in the workplace, so any business that uses or wants to use BYOD is a good match. For businesses that aren’t interested in this policy, User Enrollment loses much of its relevance and will probably be too restrictive for effective device management.

That said, adopting User Enrollment in the right circumstances can benefit both parties:

  • For Employees: The privacy of user data is protected through separate APFS volumes for work and personal use, and Managed Apple IDs are used to separate business apps (owned by the business) from personal apps (owned by the user). Device serial numbers and MAC addresses are also hidden from IT, replaced by an anonymized identifier created during enrollment.
  • For IT: User Enrollment gives businesses the opportunity to let employees bring their own devices to work without having to worry about invading employee privacy or inadequate security measures to keep business data safe. If an employee leaves the company, IT can easily wipe business data, leaving personal data intact.


2. Device Enrollment

Device Enrollment gives IT plenty of management freedom to perform actions like remote device wipes. This is a great enrollment method for businesses that use company-owned devices that aren’t available for enrollment in Apple Business Manager via Automated Device Enrollment.

This can be problematic for BYOD cases where privacy must be taken into account. However, Apple rolled out a new feature, UAMDM, that requires user approval before IT can gain full management capabilities, limiting IT’s power until users give their approval.

Here’s what you need to know:

UAMDM and Device Enrollment

User Approved MDM (UAMDM) requires end-users to approve Device Enrollment during the actual enrollment process. It’s no longer as easy as installing a silent package using an existing management or patching tool. Managing employees’ Macs will be heavily restricted until they give IT their approval.

A device can become “User Approved” in two ways:

  1. Approval via Automated Device Enrollment: If the device is enrolled through Automated Device Enrollment (formerly DEP) into an MDM, it’s immediately granted “User Approved” status, so no separate UAMDM approval step applies in these cases. User Approval is still necessary if IT wants to manage Mac security settings through an MDM enrollment made outside of Automated Device Enrollment (DEP).
  2. Approval via User Interaction: If the device is manually enrolled in an MDM by the user, it is granted “User Approved” status. However, enrollment must be completed by users themselves – Apple has taken precautions not to approve devices if enrollment is done via automation, scripts, or screen sharing.

There’s also an exception to these methods – devices that were enrolled in an MDM before upgrading to 10.13.2 are automatically considered “User Approved.” It should also be noted that PKG-based device enrollment products don’t always result in UAMDM.

Whitelist Kernel Extensions and TCC with UAMDM

As of macOS 10.13.4, UAMDM is required to install the Kernel Extension Policy payload on macOS. Because this payload governs user-approved kernel extension loading, if it isn’t in place on your UAMDM-enrolled Macs, it’s entirely up to end users to approve kernel extensions manually. As you can imagine, this isn’t ideal.

This payload lets IT administrators work out the particulars when it comes to kernel extensions on company devices, choosing what extensions should be loaded without user consent and if users should be able to approve additional kernel extensions.

This is where UAMDM’s whitelist kernel extensions feature comes into play. Whitelisting lets the IT team identify which third-party kernel extensions are acceptable for their devices. If a kernel extension is whitelisted, end users can run it without having to approve it themselves. To whitelist kernel extensions, IT specifies the Team Identifier of the developer or the bundle identifier of the specific extension, which lets the system decide whether the extension in question should be loaded or not.

Similarly, beginning with macOS 10.15 Catalina, system extensions perform tasks that were previously exclusive to kernel extensions, and they also need to be whitelisted.
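As an added example (not code from the original post or from Kandji), here is how the Kernel Extension Policy payload described above is assembled, with a helper that answers whether a given kext is whitelisted under it. The Team IDs, bundle IDs and payload identifiers are constructed placeholders.

```python
# Added example (not from the original post): build a Kernel Extension Policy
# configuration profile and evaluate which kexts it whitelists.
import plistlib
import uuid

KEXT_POLICY_TYPE = "com.apple.syspolicy.kernel-extension-policy"

# Constructed placeholder Team IDs and bundle IDs (assumptions for this example);
# real values come from the vendor's signing certificate and the kext's Info.plist.
ALLOWED_TEAMS = ["TEAMID0001"]                                    # every kext from this team
ALLOWED_KEXTS = {"TEAMID0002": ["com.example.vendor.netdriver"]}  # only this one kext


def build_kext_policy_profile(allowed_teams, allowed_kexts, allow_user_overrides=False):
    """AllowUserOverrides=False: users cannot approve kexts beyond the whitelist."""
    payload = {
        "PayloadType": KEXT_POLICY_TYPE,
        "PayloadIdentifier": "com.example.kextpolicy.payload",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Kernel Extension Policy",
        "AllowUserOverrides": bool(allow_user_overrides),
        "AllowedTeamIdentifiers": list(allowed_teams),
        "AllowedKernelExtensions": {team: list(ids) for team, ids in allowed_kexts.items()},
    }
    return {  # outer profile; a UAMDM-enrolled Mac is needed to install it
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.kextpolicy",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Approved Kernel Extensions",
        "PayloadContent": [payload],
    }

def loads_without_prompt(profile, team_id, bundle_id):
    """True if the policy whitelists the kext, so it loads with no user approval."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != KEXT_POLICY_TYPE:
            continue
        if team_id in payload.get("AllowedTeamIdentifiers", []):
            return True  # whole team whitelisted
        if bundle_id in payload.get("AllowedKernelExtensions", {}).get(team_id, []):
            return True  # this specific kext whitelisted
    return False

def to_mobileconfig(profile):
    """Serialize to the XML plist an MDM pushes as a .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def from_mobileconfig(data):
    """Parse a .mobileconfig back into a dict (for auditing an existing profile)."""
    return plistlib.loads(data)

if __name__ == "__main__":
    with open("kext-policy.mobileconfig", "wb") as fh:  # written to the current directory
        fh.write(to_mobileconfig(build_kext_policy_profile(ALLOWED_TEAMS, ALLOWED_KEXTS)))
```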

When it comes to TCC (Apple’s security controls we mentioned earlier – the ones that manage cross-application data requests), Apple considers data requests sensitive enough to be locked behind User Approval, just like the Kernel Extension Policy. That means you'll need to have UAMDM devices in order to install TCC Profiles.

Earning User Approved Status

Let’s look at a few ways you can earn User Approved status for a Mac. The method you end up using depends on how and when you enrolled your device into an MDM. It’s worth mentioning again that using scripts or screen sharing to enroll a device will not result in user approval.

Enrolled Through Automated Device Enrollment (DEP): If your Mac is already enrolled in the Automated Device Enrollment (DEP) feature on Apple Business Manager, then it will be given “User Approved” status once it’s enrolled in your MDM solution. There are no other approval stages required in this case.

Enrolled in a Non-User Approved MDM Before 10.13.4: If your Mac was enrolled in an MDM that wasn’t User Approved before updating to macOS 10.13.4, approval should occur automatically once you update to 10.13.4. Alternatively, you can access the enrollment profile via email or direct download.

Enrolled in a Non-User Approved MDM in 10.13.4: If you’re enrolling your Mac in a non-User Approved MDM in macOS 10.13.4, then you aren’t grandfathered in. In order to get approved, you’ll have to follow these steps:

  1. Click the “System Preferences” icon in the Dock or choose Apple menu > “System Preferences.”
  2. Click “Profiles.”
  3. Find the enrollment profile that has a badge icon next to it and click it.
  4. Click “Approve.”
  5. Follow the onscreen instructions.

If an MDM follows the Apple approved flow of downloading a profile, you will click “Approve” as part of the installation or enrollment process into the MDM, resulting in UAMDM.
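Before pushing a Kernel Extension Policy or TCC profile, it helps to confirm a Mac actually has User Approved status. This added example (not code from the original post or from Kandji) parses the output of `profiles status -type enrollment`, which on macOS 10.13.4 and later reports DEP enrollment and whether the MDM enrollment is User Approved; the sample outputs are constructed in that format, and the rule that DEP-enrolled Macs count as approved follows the post.

```python
# Added example (not from the original post): decide from `profiles status
# -type enrollment` output whether a Mac is User Approved and can therefore
# accept Kernel Extension Policy or TCC (PPPC) payloads.
import subprocess
import sys

# Payload types the post says are gated behind User Approved MDM.
UAMDM_ONLY_PAYLOADS = {
    "com.apple.syspolicy.kernel-extension-policy",   # Kernel Extension Policy
    "com.apple.TCC.configuration-profile-policy",    # TCC / PPPC
}

def parse_enrollment_status(text):
    """Parse the lines printed by `profiles status -type enrollment`
    on macOS 10.13.4 and later."""
    status = {"dep": False, "mdm": False, "user_approved": False}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Enrolled via DEP":
            status["dep"] = value.startswith("Yes")
        elif key == "MDM enrollment":
            status["mdm"] = value.startswith("Yes")
            status["user_approved"] = "(User Approved)" in value
    # Automated Device Enrollment (DEP) enrollments count as User Approved.
    if status["dep"] and status["mdm"]:
        status["user_approved"] = True
    return status

def can_install_payload(status, payload_type):
    """False when the Mac is not enrolled at all, or when a UAMDM-only
    payload would be pushed to an enrollment the user has not approved."""
    if not status["mdm"]:
        return False
    if payload_type in UAMDM_ONLY_PAYLOADS:
        return status["user_approved"]
    return True

def local_enrollment_status():
    """Run the real command on this Mac; returns None when not on macOS."""
    if sys.platform != "darwin":
        return None
    result = subprocess.run(["profiles", "status", "-type", "enrollment"],
                            capture_output=True, text=True, check=False)
    return parse_enrollment_status(result.stdout)

# Constructed samples in the command's output format.
SAMPLE_DEP = "Enrolled via DEP: Yes\nMDM enrollment: Yes (User Approved)\n"
SAMPLE_MANUAL_APPROVED = "Enrolled via DEP: No\nMDM enrollment: Yes (User Approved)\n"
SAMPLE_MANUAL_UNAPPROVED = "Enrolled via DEP: No\nMDM enrollment: Yes\n"
SAMPLE_NOT_ENROLLED = "Enrolled via DEP: No\nMDM enrollment: No\n"

if __name__ == "__main__":
    status = local_enrollment_status() or parse_enrollment_status(SAMPLE_MANUAL_UNAPPROVED)
    for ptype in sorted(UAMDM_ONLY_PAYLOADS):
        print(ptype, "->", "ok" if can_install_payload(status, ptype) else "needs User Approval")
```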


3. Automated Device Enrollment (DEP)

Apple’s Automated Device Enrollment feature (formerly DEP) in Apple Business Manager helps businesses speed along the setup process for new company-owned devices. Using Automated Device Enrollment with your MDM solution, you can control how your new devices will be configured so you can start using them sooner.

To take advantage of Automated Device Enrollment, you need to make sure that the devices you want to enroll are listed in Apple Business Manager. Upon startup, these devices will be configured according to the enrollment profile created on your MDM solution. This profile contains information about enrollment options and which setup screens are skipped or shown to the user.

This frees up time for IT teams (who would alternatively have to set devices up manually), and it lets users start working with their new devices with just a few taps, skipping screens like:

  • Signing into Apple ID and iCloud
  • Setting up a passcode
  • Managing location services
  • Restoring data from backup
  • Setting up Touch ID
  • And much more

On the other hand, Automated Device Enrollment isn’t an excellent fit for businesses that want to employ BYOD policies. While User Enrollment was packed with privacy features that minimized if not blocked IT’s interaction with personal data, Automated Enrollment still gives IT a high level of visibility, as we’ll see in the next section.

Using Device Supervision with Automated Device Enrollment

Apple’s Device Supervision feature gives IT administrators more management capabilities to do things like filter web content, blacklist applications, bypass activation locks, and lock a device in single-app mode.

As you can imagine, this is intended for company-owned devices – not for BYOD. The level of oversight that Apple Device Supervision gives IT isn’t appropriate for use with personal macOS, iOS, iPadOS, or tvOS devices. More than that, devices that have already been set up and used (such as a personal iPhone) cannot become supervised without being entirely reset – with all data and settings deleted.

It should be noted that Supervision for macOS was only recently introduced in Catalina 10.15, so its functionality isn’t as built-out as it is on iOS and iPadOS. As of right now, Supervision on the Mac just changed “DEP” enrolled status to mean Supervised.

Here are some of the options that are achievable with Apple device supervision on iOS and iPadOS. If you want to find more, you can visit Apple’s “Supervised Restrictions” list.

  • Disable the Safari web browser app
  • Disable the App Store
  • Bypass activation locks
  • “Silently” install applications
  • Set Home screen and Lock screen wallpaper
  • Filter web content
  • Force or hide iOS and iPadOS software updates
  • Blacklist applications
  • Set a global proxy
  • Lock device in single-app mode


How to Supervise Devices in Automated Device Enrollment

As of iOS 13 and macOS Catalina, devices enrolled via Automated Device Enrollment are supervised by default. Supervising devices can be achieved in the following two ways:

  1. Supervision with Apple Configurator: This mode requires a lot more hands-on work than using the second method (but if you’re only enrolling a few devices, that shouldn’t be a problem). To take this route, you need a USB cable and a Mac with the latest version of Apple Configurator installed.

    Once you have your devices linked up, you just have to select them in Apple Configurator, enroll them in your MDM Server, check the box for “Supervise Devices,” and then follow onscreen instructions to prepare them.

  2. Supervision with Automated Device Enrollment: Again, as of iOS 13 and macOS Catalina, devices enrolled via Automated Device Enrollment are supervised by default. We already talked about how businesses can use Automated Device Enrollment to configure devices right out of the box – this includes the ability to automatically supervise devices. If your business has a lot of devices to supervise, using Automated Device Enrollment is much less time consuming than manually configuring them with a Mac and Apple Configurator.

    The step-by-step process will depend on your MDM solution, but essentially, you’re going to configure supervision in the enrollment profile (after making sure that it’s paired with Apple Business Manager). As long as your new devices are associated with the MDM in Apple Business Manager, they will be configured and supervised upon startup.


There are plenty of paths to device enrollment. Which one is best for your business depends on the type of devices you’re using, who owns them, and how they’re enrolled in an MDM solution. Apple has cast a wide net with these three enrollment methods, each designed to meet the unique privacy and management needs of various business structures.

No matter what enrollment method you’re using, you can trust Kandji, our MDM solution, to manage all of your devices from deployment to retirement. With powerful features like zero-touch deployment, one-click compliance, and offline remediation, Kandji has everything you need to enroll, configure, and secure your devices.

Get started with Kandji today.