User-based Enrollment for iOS Devices

Use user-based enrollment for Bring Your Own Device (BYOD) scenarios, where users enroll their personal devices. After user enrollment, the device creates a cryptographically isolated managed volume that stores work data separately from personal data. When you unenroll the device, it destroys the managed volume and its associated cryptographic keys, so no enterprise data remains on the device.

Restriction: User-based enrollment requires iOS 13.1 or later and Managed Apple IDs. These devices are not supervised. As a result, you can only deploy iOS custom applications, and features like Send SMS, Clear Passcode, Roaming Restrictions, and Wi-Fi proxy configurations are not supported.
Important: To protect user privacy, devices enrolled with user-based enrollment report less information than those enrolled with device-based enrollment. Omitted information includes (but is not limited to) phone number, IMEI, and device ID.

You can create user-based federated enrollment policies using these account types:

Federated Accounts: Use a Microsoft Entra ID connection to federate your Managed Apple IDs.
Note: Managed Apple IDs are required for enrolling users via federated accounts. See Intro to Federated Authentication with Apple Business Manager for more details.
Local Accounts: Add Managed Apple ID accounts locally. You can add up to 1,000 accounts, which must be valid email addresses (for example, user@domain or user@domain.topleveldomain).
Tip: Select Import to upload a .csv file containing Managed Apple IDs. Include only Managed Apple IDs, one per line, with no header.
Note: Managed Apple IDs for local accounts must be manually generated. See About Managed Apple Accounts in Apple Business Manager for more details.

Account-driven User Enrollment

Important: This feature is only available in SOTI MobiControl versions 2025.0.1 or later. Apple devices running iOS 18 or later and iPadOS 18 or later require configuring Account-driven user enrollment.

Starting with iOS 17 and iPadOS 17, organizations can simplify device setup and management with account-driven user enrollment. Users no longer need to download and install enrollment profiles manually. Instead, they sign in directly on their device with a Managed Apple ID or a federated Apple Business Manager (ABM) account. For more information, see Using Account-driven User Enrollment.

During enrollment

  1. A discovery service on a well-known domain identifies the correct enrollment URL.
  2. The system authenticates users and delivers the enrollment profile to their devices.
  3. The device receives a session token that allows ongoing authorization.

After enrollment

  1. The device automatically configures Mobile Device Management (MDM) and prompts users to sign in with their Managed Apple ID.
  2. The Managed Apple ID or federated user account associated with the enrollment appears under the device details in SOTI MobiControl.
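The discovery step above depends on the well-known endpoint on the Managed Apple ID's domain pointing devices at the right enrollment URL. The following added example (not SOTI's code, and not on the original page) builds that discovery URL for a given account and validates a discovery response before it is published, rejecting entries that are not HTTPS or that point at a host other than the expected MDM server. The well-known path, the user-identifier query parameter, and the Servers/Version/BaseURL keys are assumed from Apple's published service-discovery format; the sample responses are constructed.

```python
import json
from urllib.parse import urlencode, urlsplit

# Assumption: path, query parameter and JSON keys follow Apple's published
# account-driven enrollment discovery format; they are not taken from this page.
WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
USER_ENROLLMENT_VERSION = "mdm-byod"  # version string a user-enrollment entry carries


def discovery_url(managed_apple_id: str) -> str:
    """Build the discovery URL a device would query for this Managed Apple ID.

    The domain part of the account selects the well-known host."""
    if managed_apple_id.count("@") != 1:
        raise ValueError("Managed Apple ID must be a single email address")
    domain = managed_apple_id.rsplit("@", 1)[1].lower()
    query = urlencode({"user-identifier": managed_apple_id})
    return f"https://{domain}{WELL_KNOWN_PATH}?{query}"


def validate_discovery_response(body: str, expected_host: str) -> list:
    """Return a list of problems with a discovery response; empty means acceptable.

    Acceptable: a JSON object with a non-empty 'Servers' list, at least one
    entry whose Version is 'mdm-byod', and every BaseURL using https on
    expected_host (so devices are never steered to another server)."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return ["missing or empty 'Servers' list"]
    problems, byod_found = [], False
    for i, entry in enumerate(servers):
        if not isinstance(entry, dict):
            problems.append(f"Servers[{i}]: entry is not an object")
            continue
        parts = urlsplit(str(entry.get("BaseURL", "")))
        if parts.scheme != "https":
            problems.append(f"Servers[{i}]: BaseURL must use https, got {parts.scheme!r}")
        if parts.hostname != expected_host:
            problems.append(f"Servers[{i}]: host {parts.hostname!r} is not {expected_host!r}")
        if entry.get("Version") == USER_ENROLLMENT_VERSION:
            byod_found = True
    if not byod_found:
        problems.append(f"no server entry with Version {USER_ENROLLMENT_VERSION!r}")
    return problems


# Constructed sample responses for a hypothetical tenant, not real data.
SAMPLE_OK = '{"Servers":[{"Version":"mdm-byod","BaseURL":"https://mdm.example.com/mc/enroll"}]}'
SAMPLE_BAD = '{"Servers":[{"Version":"mdm-byod","BaseURL":"http://mdm.example.net/enroll"}]}'
```

Run `validate_discovery_response` against the body your web server actually returns at the well-known path, with `expected_host` set to your SOTI MobiControl enrollment host, before rolling out account-driven enrollment.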