Account-Driven User Enrollment - Workspace ONE


Introduction Account-Driven User Enrollment

With the release of iOS 15 and iPadOS 15, Apple introduced Account-Driven User Enrollment, a more seamless way of enrolling personal (BYOD) devices. Instead of having users jump through hoops with an agent or a downloaded profile, they simply sign in with their work account through the integrated 'Work or School' option in Settings:

 https://support.apple.com/en-gb/guide/deployment/dep23db2037d/web




In Settings - General - VPN & Device Management, iOS and iPadOS offer an option to sign in with your company email address:

(Note that if the device is already enrolled or Device Management is already configured on it, the option to add an account is not shown.)




If everything is configured correctly, you are redirected to iCloud for Work and asked to authenticate with your Managed Apple ID:



Allow Remote Management:

This gives you a separate Managed Apple ID on the device to use for work, AND the device is enrolled with your company's MDM, in my case Workspace ONE UEM:





Configuration

To configure Account-Driven User Enrollment, a couple of requirements need to be in place:

  • Domain verification in Apple Business Manager
  • Discovery Service configured on that domain
  • A Managed Apple ID that matches the enrollment user in Workspace ONE UEM
  • An unsupervised device running iOS 15 or iPadOS 15 and later
VMware Documentation:



Domain verification Apple Business Manager

The enrollment domain (the domain part of the users' email addresses) needs to be verified in Apple Business Manager. Sign in to ABM at https://business.apple.com and make sure the domain is added and verified for Managed Apple IDs. See below:






Discovery Service

The domain must host a small JSON document that tells the device which MDM server to use. During enrollment the device derives the domain from the email address the user typed and sends a discovery request to https://<domain>/.well-known/com.apple.remotemanagement (with the user's email address in the user-identifier query parameter), expecting a JSON response. The endpoint has to be reachable from the internet over HTTPS with a certificate the device trusts, and it must be served with the application/json content type:

https://developer.apple.com/documentation/devicemanagement/user_enrollment/onboarding_users_with_account_sign-in/implementing_the_simple_authentication_user-enrollment_flow


To host the JSON file on the domain I have configured an IIS server that is reachable publicly on the domain:


  1. Create a directory for the .well-known path under inetpub
  2. Create a file named com.apple.remotemanagement (without a .json extension) with the following contents

    com.apple.remotemanagement
    {
        "Servers": [
            {
                "Version": "mdm-byod",
                "BaseURL": "{MDM Enrollment URL}/AccountDrivenUserEnroll"
            }
        ]
    }

    {MDM Enrollment URL} should be replaced with the Device Services URL of your environment, found in Settings -> System -> Advanced -> Site URLs, for example "BaseURL": "https://<your tenant>.awmdm.com/DeviceManagement/Enrollment/AccountDrivenUserEnroll". Double-check that the file is valid JSON (every key needs a colon, and the two entries are separated by a comma); a malformed document makes the device fail the discovery step silently.

  3. Create a file named web.config in the same directory with the following contents. Because com.apple.remotemanagement has no file extension, IIS would otherwise refuse to serve it or serve it as application/octet-stream; the mimeMap below maps extensionless files in this directory to application/json, which is what the device expects.

    web.config
    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <staticContent>
                <mimeMap fileExtension=".*" mimeType="application/json" />
            </staticContent>
        </system.webServer>
    </configuration>
  4. Verify that the directory for the .well-known path contains com.apple.remotemanagement and web.config


  5. Open Internet Information Services (IIS) Manager, right-click Default Web Site to show the context menu and click Add Virtual Directory.
  6. Create a virtual directory with the alias .well-known pointing at the directory created in step 1


  7. Click OK and verify that the .well-known virtual directory was created successfully. Finally, open https://<domain>/.well-known/com.apple.remotemanagement in a browser from outside your network and confirm that the JSON is returned with a valid certificate.
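Before pointing a device at the domain it is worth checking the discovery endpoint the same way the device consumes it. The following validator is an added example and not part of the original post or of any Apple or Workspace ONE tooling: it checks that the document is served over HTTPS at the .well-known path, has the application/json content type, parses as JSON, and that every entry in "Servers" carries Version "mdm-byod" and an HTTPS BaseURL ending in Workspace ONE's /AccountDrivenUserEnroll path. The sample documents and the hostnames example.com and ds123.awmdm.com are constructed for the example; fetch_and_validate performs the real request with the user-identifier parameter the device sends.

```python
"""Validate an Account-Driven User Enrollment discovery document.

Added example (not the post's or Apple's code). Sample documents below are
constructed; example.com and ds123.awmdm.com are placeholders.
"""
import json
import urllib.parse
import urllib.request
from typing import List

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
EXPECTED_VERSION = "mdm-byod"          # value for User Enrollment (BYOD)
EXPECTED_CONTENT_TYPE = "application/json"
WS1_ENROLL_SUFFIX = "/AccountDrivenUserEnroll"   # Workspace ONE UEM endpoint


def validate_discovery(body: bytes, content_type: str, url: str) -> List[str]:
    """Return the list of problems found; an empty list means the document is usable."""
    problems: List[str] = []

    parsed = urllib.parse.urlparse(url)
    if parsed.scheme != "https":
        problems.append("discovery URL must be served over HTTPS")
    if parsed.path != WELL_KNOWN_PATH:
        problems.append(f"unexpected path {parsed.path!r}, expected {WELL_KNOWN_PATH!r}")

    # IIS serves extensionless files as octet-stream unless a mimeMap is configured
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != EXPECTED_CONTENT_TYPE:
        problems.append(f"Content-Type is {media_type!r}, expected {EXPECTED_CONTENT_TYPE!r}")

    try:
        doc = json.loads(body)
    except ValueError as exc:            # JSONDecodeError is a ValueError
        problems.append(f"body is not valid JSON: {exc}")
        return problems

    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        problems.append('"Servers" must be a non-empty array')
        return problems

    for i, server in enumerate(servers):
        if not isinstance(server, dict):
            problems.append(f"Servers[{i}] is not an object")
            continue
        if server.get("Version") != EXPECTED_VERSION:
            problems.append(f"Servers[{i}].Version is {server.get('Version')!r}, "
                            f"expected {EXPECTED_VERSION!r}")
        base = server.get("BaseURL")
        base_parsed = urllib.parse.urlparse(base) if isinstance(base, str) else None
        if base_parsed is None or base_parsed.scheme != "https" or not base_parsed.netloc:
            problems.append(f"Servers[{i}].BaseURL must be an absolute HTTPS URL, got {base!r}")
        elif not base_parsed.path.endswith(WS1_ENROLL_SUFFIX):
            problems.append(f"Servers[{i}].BaseURL does not end in {WS1_ENROLL_SUFFIX}: {base!r}")

    return problems


def fetch_and_validate(domain: str, user_email: str) -> List[str]:
    """Issue the same GET the device issues and validate the live response."""
    query = urllib.parse.urlencode({"user-identifier": user_email})
    url = f"https://{domain}{WELL_KNOWN_PATH}?{query}"
    with urllib.request.urlopen(url, timeout=10) as resp:    # TLS is verified by default
        body = resp.read()
        content_type = resp.headers.get("Content-Type", "")
    # validate against the URL without the query string so the path check is exact
    return validate_discovery(body, content_type, url.split("?", 1)[0])


# Constructed sample documents
GOOD_DOC = b"""{
  "Servers": [
    { "Version": "mdm-byod",
      "BaseURL": "https://ds123.awmdm.com/DeviceManagement/Enrollment/AccountDrivenUserEnroll" }
  ]
}"""

# Missing colons and a missing comma: this is not JSON and the device will reject it
BROKEN_DOC = b"""{ "Servers": [ { "Version" "mdm-byod"
  "BaseURL" "https://ds123.awmdm.com/DeviceManagement/Enrollment/AccountDrivenUserEnroll" } ] }"""

# Wrong scheme in BaseURL
HTTP_DOC = b"""{ "Servers": [ { "Version": "mdm-byod",
  "BaseURL": "http://ds123.awmdm.com/DeviceManagement/Enrollment/AccountDrivenUserEnroll" } ] }"""

DISCOVERY_URL = "https://example.com" + WELL_KNOWN_PATH

if __name__ == "__main__":
    for name, doc, ctype in [("good", GOOD_DOC, "application/json"),
                             ("broken", BROKEN_DOC, "application/octet-stream"),
                             ("http", HTTP_DOC, "application/json")]:
        print(name, validate_discovery(doc, ctype, DISCOVERY_URL) or "OK")
```

The broken sample is the document exactly as it would look with the colons and comma left out; the content-type check catches the case where the web.config mimeMap was forgotten, since IIS then answers with application/octet-stream.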





App Management limitations

App Management

Applications installed by Workspace ONE UEM on User Enrolled devices are managed and associated with the Managed Apple ID used to enroll the device. Applications the user installs with their personal Apple ID cannot be managed.

App Licenses

Since User Enrollment must associate a managed application with a Managed Apple ID, only Apple Business Manager user-based licenses are supported. This means that neither 'normal' public App Store apps nor device-based Apple Business Manager licenses work on User Enrolled devices.



