Enroll personally owned BYOD iOS/iPadOS hosts using account-based (Apple) user enrollment
- customer-flavia: Slack thread: https://fleetdm.slack.com/archives/C0389SEPLR3/p1729001707646059
- customer-numa: Slack thread TODO
- customer-eponym: In person off site (quote: can't do BYOD without this feature as they move to managed apple id's in q1)
- customer-preston: Gong snippet TODO
- customer-reedtimmer: Gong snippet TODO
- customer-pingali: Gong snippet TODO
- community request: https://macadmins.slack.com/archives/C0214NELAE7/p1728670150649039
- @ddribeiro: There have been several Slack threads about Apple deprecating profile driven user enrollment in iOS 18. Folks are confusing this with profile driven device enrollment (not deprecated).
- @noahtalerman: I think let's add a sentence or two to clarify this in the guide here: https://fleetdm.com/guides/enroll-byod-ios-ipados-hosts
- @noahtalerman: We can say account-based is coming soon.
User stories
- #23233
- #27391
- #27390
related to https://github.com/fleetdm/fleet/issues/18119
Thanks for tracking this @ddribeiro.
enroll their personally owned devices (iOS/iPadOS) into Fleet using a Managed Apple ID
Do you know if customers attached to this issue provide Managed Apple IDs to their end users today?
I think customer-starchik is planning on rolling out Managed Apple IDs but hasn't started yet.
I think that's correct @noahtalerman these features can be aligned with the ability of customers to federate Apple IDs & reclaim domain-owned email addresses.
Hey @dherder, @ddribeiro, and @nonpunctual heads up, I'm closing this issue as a duplicate of #19448.
Apple ID enrolls, Data in harmony, peace. Fleet, the bridge, connects.
Reopening because this request did not end up getting covered in #19448. That ticket is still using profile driven device enrollment.
This ticket is to support account-driven user enrollment, which uses Managed Apple Accounts.
I would be very grateful if you could implement this feature promptly because we would like to switch from Intune and Jamf to you. However, there are over 350 Managed Apple IDs in our company, where the management has decided that they can now all use BYOD. Accordingly, this is currently a showstopper to switch to you. Let me know if you need anything as support or testing for the implementation
Support for account driven user enrollment would enable an organization to allow their employees to enroll their personally owned devices (iOS/iPadOS) into Fleet using a Managed Apple ID. User Enrollment provides several benefits to the employee and organization when enrolling personally owned devices:
- Organization data is cryptographically separated from personal data.
- Enrollment of personal devices is streamlined, as there is a standardized flow built into iOS in Settings > General.
- Some typical MDM capabilities for organization-owned devices are not available (e.g. Erase Device), offering an employee peace of mind that their personal information cannot be erased when they enroll.
- The organization can see only limited device details (e.g. it can only see a list of managed apps, not a full list of installed apps).
Links:
- Apple Platform Deployment: User Enrollment and MDM
- Apple Platform Deployment: User Enrollment MDM Information
- @noahtalerman: I think let's add a sentence or two to clarify this in the guide here: https://fleetdm.com/guides/enroll-byod-ios-ipados-hosts
- @noahtalerman: We can say account-based is coming soon.
Hey @spokanemac, can you please take this guide update? Thanks :)
@ambrusps @Patagonia121 we peeled a research story off of this request and brought it into the design sprint: #23233
This means that we think we won't ship a feature for it in 6 weeks. Instead, it might take an extra sprint (9 weeks).
latest from Apple on account-driven enrollment:
Potential blocker for prospect-quantz. The "why" behind needing this: https://us-65885.app.gong.io/call?id=6106796065079746590&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A762%2C%22to%22%3A783%7D%5D
Good write up on state of BYOD enrollment https://jonbrown.org/blog/byo-with-me-in-2025-for-mac-ios-andriod-and-windows/
Is macOS scoped into this? As it also supports account-driven device enrolment from 15.2 Monterey per Apple docs & the email above. Thanks!
Notes from #g-mdm design review doc:
Moving the old user stories list out of the issue description to below. User stories that contribute to this request now live in the "Sub-issues" section.
User stories
- #23233
- #27391
- #27390
Suggestion: Ensure conditional access via Entra ID works with account-driven user enrollment.
FYI @kc9wwh @Patagonia121 we shipped Account-driven User Enrollment for personal Apple devices (BYOD). A request for blondelet and pingali.
I think we can let the customer know that enrollment is ready to test but the management features aren't done yet. I'm leaving this request open.
What's left?
- Installing App Store (VPP) apps: https://github.com/fleetdm/fleet/issues/31138
- Default team: https://github.com/fleetdm/fleet/issues/30871
- Unenrolling (turning off MDM): https://github.com/fleetdm/fleet/issues/31584
cc @marko-lisica
Feedback from @allenhouchins:
- In addition to the gaps we've already identified, Allen noticed that Fleet isn't mapping the IdP info to hosts that enroll via account-driven user enrollment. @marko-lisica do we have a user story for the IdP mapping?
- To enable end user authentication via GitOps, we have to set `macos_setup.enable_end_user_authentication` to `true`. But, I'm doing this on the personal mobile devices team which only has iOS/iPadOS hosts.
  - @allenhouchins: I think having one `apple_setup` control works for this.
  - @noahtalerman: Captured this in a separate issue here: https://github.com/fleetdm/fleet/issues/33059
@noahtalerman I thought that we implemented this but seems that we didn't design it in first iteration (probably to make scope smaller). I just filed story: #33097.
@marko-lisica thanks! Added to 4.77 on the roadmap.