Enroll personally owned BYOD Apple devices using account-based user enrollment

[ddribeiro]

Support for account driven user enrollment would enable an organization to allow their employees to enroll their personally owned devices (iOS/iPadOS) into Fleet using a Managed Apple ID. User Enrollment provides several benefits to the employee and organization when enrolling personally owned devices:

1. Organization data is cryptographically separated from personal data.
2. Enrollment of personal devices is streamlined as there is a standardized flow built into iOS in Settings > General
3. Some typical MDM capabilities for organization owned devices is not available (i.e. Erase Device), offering an employee peace of mind that their personal information cannot be erased when they enroll.
4. Organization can see limited device details (i.e. Can only see a list of managed apps, not a full list).

Links: Apple Platform Deployment: User Enrollment and MDM Apple Platform Deployment: User Enrollment MDM Information

[nonpunctual]

related to https://github.com/fleetdm/fleet/issues/18119

[noahtalerman]

Thanks for tracking this @ddribeiro.

enroll their personally owned devices (iOS/iPadOS) into Fleet using a Managed Apple ID

Do you know if customers attached to this issue provide Managed Apple IDs to their end users today?

I think customer-starchik is planning on rolling out Managed Apple IDs but hasn't started yet.

[nonpunctual]

I think that's correct @noahtalerman these features can be aligned with the ability of customers to federate Apple IDs & reclaim domain-owned email addresses.

[noahtalerman]

Hey @dherder, @ddribeiro, and @nonpunctual heads up, I'm closing this issue as a duplicate of #19448.

[fleet-release]

Apple ID enrolls, Data in harmony, peace. Fleet, the bridge, connects.