Supported editions for this feature: Frontline Starter, Frontline Standard, and Frontline Plus; Business Plus; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Enterprise Essentials and Enterprise Essentials Plus; G Suite Basic and G Suite Business; Cloud Identity Premium.
As an administrator, you can manage all data on a user’s personal iOS device, or only the work data. Apple User Enrollment separates work and personal data on iOS devices to give you full control of work data on the device while users retain privacy over their personal data.
Compare iOS device enrollment options
You can choose between device enrollment and user enrollment for BYOD (bring your own device) iOS devices. Each enrollment type gives you a different set of features.
- Use user enrollment if you want to secure work data on the device and give the user privacy over their personal data.
- Use device enrollment for more control of the device, including the ability to wipe the device.
[Comparison table (feature names lost in extraction): columns Mobile management feature, Device enrollment, User enrollment. Five rows are marked for both enrollment types; three rows are marked for device enrollment only.]
Before you begin
- User enrollment is supported on personal devices running iOS 15.5 and later. It is not available for company-owned devices.
- Account-driven user enrollment (users enroll the device from the iOS Settings app) is required on devices running iOS 18 and later.
- Prepare the sign-in details for both the Google Admin console and your organization's Apple Business Manager or Apple School Manager.
- Turn on advanced mobile management for the organizational unit that will use the devices.
- Set up Apple Volume Purchase Program (VPP) to distribute work apps to users.
Step 1: Link Apple Business Manager to Google Workspace
You link Apple Business Manager or Apple School Manager to Google Workspace so that users can use their Google Workspace usernames as Managed Apple IDs. They can use those details to sign in to their iOS device. You need licenses for the Google Device Policy app and any other apps that you want to distribute to user-enrolled devices. To link Apple Business Manager to Google Workspace:
- Open Apple Business Manager or Apple School Manager and sign in with your business Apple ID.
- At the bottom left, select your name > Preferences > Accounts.
- Next to Federated Authentication, click Edit.
- Select Google Workspace Connect, and sign in with your Google Workspace administrator account.
- Check the box next to each of the requested permissions, and click Continue, then Done.
- Next to Domains, click Edit.
- Next to your verified domain, click Federate.
- At the left, click Directory Sync and enable Google Workspace Sync.
Step 2: Get app licenses for Google Device Policy
You need licenses for the Device Policy app and any other apps that you want to distribute to user-enrolled devices. For details, go to Distribute iOS apps with Apple VPP.
Step 3: Select the enrollment type
- Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Devices > Mobile & endpoints > Settings > iOS.
Requires having the Services and devices administrator privilege.
- Click Enrollment.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
- Choose an option (one per organizational unit):
- (Default) To manage work and personal data on personal iOS devices, select Device Enrollment.
- To manage only the work data on personal devices, select User Enrollment.
  To apply the setting only to new devices, check the Allow Device Enrollment for existing users box.
- To let the user decide the enrollment type, select User's choice.
- If the user chooses Device Enrollment, they need to install the Google Device Policy app and configuration profile. For details, go to Install the Google Device Policy app.
- If they choose User Enrollment, go to Step 5 (later on this page) for steps to enroll the device.
- Click Save. Or, you might click Override for an organizational unit. To later restore the inherited value, click Inherit.
Step 4: Set up account-driven user enrollment
Required for iOS 18 and later devices. Optional for iOS 17 and earlier devices.
Set up account-driven user enrollment so users can enroll their personal devices in the iOS settings app. To set up account-driven enrollment, you need to configure service discovery by hosting enrollment information on your web server. This allows Apple to retrieve the information from Google endpoint management.
Configure service discovery
- Define the service discovery JSON document:

      {
        "Servers": [
          {
            "BaseURL": "https://ios-mdm.google.com/userenrollment/enroll",
            "Version": "mdm-byod"
          }
        ]
      }

- Configure your web hosting to serve the JSON document from the following location:
  https://yourdomain.com/.well-known/com.apple.remotemanagement
  Important:
  - Ensure that the Content-Type header in the HTTP response is set to application/json.
  - The SSL certificate for the web server must be issued by a trusted certificate authority and have the same fully qualified domain name (FQDN) as the verified domain set up in Step 1 (earlier on this page).
  - The service discovery configuration must be hosted on a server that supports HTTPS GET requests.
- Verify the service discovery configuration by executing the command:
  curl -I https://yourdomain.com/.well-known/com.apple.remotemanagement
Make sure the web server serving the JSON file can handle additional URL parameters. Certain iOS versions might attach the following parameters to the HTTP GET request:
- user-identifier—the user account identifier (for example, email@yourdomain.com)
- model-family—the device’s model family (for example, iPhone or iPad)
The command should print a response similar to:
HTTP/2 200
content-type: application/json
last-modified: Wed, 30 Oct 2024 19:14:12 GMT
accept-ranges: bytes
date: Fri, 27 Dec 2024 18:40:36 GMT
content-length: 138
This configuration lets the iOS device find the Google MDM enrollment servers during the account-driven enrollment process. After a user enters the email address of their managed Apple account, the following occurs:
- The device extracts the domain name from the managed Apple account.
- The device sends an HTTP request to the web server hosting the enrollment information.
Example
If the user Andy Jones signs in to a device with the Managed Apple ID andy.jones@yourdomain.com:
- The device extracts yourdomain.com and uses the service discovery process to make an HTTPS request for the enrollment information that's hosted at https://yourdomain.com/.well-known/com.apple.remotemanagement.
- The device identifies Google MDM from the service discovery configuration and initiates enrollment.
For more information about the service discovery process, see the Discover Authentication Servers documentation from the Apple Developer website.
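An added example (not Google's or Apple's code) that checks a service discovery response the way Step 4 describes: HTTP 200, Content-Type application/json, and a Servers entry carrying the Google BaseURL and Version mdm-byod. It also builds the request URL a device would send, including the optional user-identifier and model-family query parameters; the Managed Apple ID andy.jones@yourdomain.com is a constructed placeholder, and check_live needs network access to your own domain.

```python
# Added example: validate an Apple account-driven enrollment service discovery
# response against the expected Google values. Not Google's or Apple's code.
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

EXPECTED_BASE_URL = "https://ios-mdm.google.com/userenrollment/enroll"
EXPECTED_VERSION = "mdm-byod"
WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"


def discovery_url(managed_apple_id, model_family="iPhone"):
    """URL the device requests: domain from the Managed Apple ID plus the optional parameters."""
    domain = managed_apple_id.rsplit("@", 1)[1].lower()
    query = urlencode({"user-identifier": managed_apple_id, "model-family": model_family})
    return f"https://{domain}{WELL_KNOWN_PATH}?{query}"


def check_discovery_response(status, headers, body):
    """Return the list of problems with an HTTP response; an empty list means it passes."""
    problems = []
    if status != 200:
        problems.append(f"expected HTTP 200, got {status}")
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != "application/json":
        problems.append(f"Content-Type must be application/json, got {ctype!r}")
    try:
        doc = json.loads(body)
    except (json.JSONDecodeError, TypeError) as exc:
        return problems + [f"body is not valid JSON: {exc}"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return problems + ["missing non-empty 'Servers' array"]
    if not any(isinstance(s, dict) and s.get("BaseURL") == EXPECTED_BASE_URL
               and s.get("Version") == EXPECTED_VERSION for s in servers):
        problems.append("no entry with the Google BaseURL and Version 'mdm-byod'")
    return problems


def check_live(managed_apple_id):
    """Fetch over HTTPS; the default context verifies the chain and FQDN, so a
    certificate that is untrusted or does not match the domain surfaces as an error.
    Usage: check_live("andy.jones@yourdomain.com") -> [] when everything passes."""
    try:
        with urllib.request.urlopen(discovery_url(managed_apple_id), timeout=10) as resp:
            return check_discovery_response(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as exc:
        return [f"HTTP {exc.code} from {exc.url}"]
    except (urllib.error.URLError, OSError) as exc:  # includes TLS verification failures
        return [f"connection/TLS failure: {exc}"]
```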
Step 5: Have users enroll their device
To enroll iOS devices for management, have users do the following:
- If the user’s device was already enrolled for management, have them unregister their Google Workspace account from the Device Policy app and then uninstall the app. For details, go to Manage the Device Policy app.
- Choose an option:
- If you set up account-driven user enrollment (earlier in this article), have users tap Settings > General > VPN & Device Management > Sign In to Work or School Account and sign in with their Workspace account.
- Otherwise, have users sign in with their work account in the Gmail app installed from the Apple App Store.
- Follow the prompts to install the configuration profile. The user might need to go to the iOS settings app to install the downloaded profile. The Google Device Policy app is automatically installed.
- The user must sign in with the Device Policy app after it’s downloaded. For details, go to Set up a personal device.
- Install managed apps from the Device Policy app. If an app is marked as Required in the Device Policy app, the user must uninstall the app and then reinstall it from the Device Policy app. For details, go to Get approved work apps on iOS devices.
Note: For privacy reasons, Google endpoint management cannot read the list of installed apps on user-enrolled devices. If a user has not yet installed a managed app from the Device Policy app, we cannot tell if the app is already installed as unmanaged from the App Store. If the app is already on the device, the user needs to uninstall it before they install it from the Device Policy app. For more details on protecting the user's privacy, refer to your Apple documentation.