Separate work and personal data on iOS devices

Supported editions for this feature: Frontline Starter and Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Enterprise Essentials and Enterprise Essentials Plus; G Suite Basic and G Suite Business; Cloud Identity Premium. Compare your edition

As an administrator, you can manage all data on a user’s personal iOS device, or only the work data. Apple User Enrollment separates work and personal data on iOS devices to give you full control of work data on the device while users retain privacy over their personal data.

Compare iOS device enrollment options

You can choose between device enrollment and user enrollment for BYOD (bring your own device) iOS devices. Each enrollment type gives you a different set of features.

  • Use user enrollment if you want to secure work data on the device and give the user privacy over their personal data.
  • Use device enrollment for more control of the device, including the ability to wipe the device. 
Mobile management feature Device enrollment User enrollment 
Configure accounts to access work data in built-in iOS apps
Install and configure apps
Require passwords for devices
See inventory of work apps
Require a strong password  
Access inventory of personal apps  
Remove work data only  
Remotely wipe entire device (including personal data)  

Before you begin

  • User enrollment is supported on personal devices running iOS 15.5 and later. It is not available for company-owned devices. 
  • Account-driven user enrollment (users enroll device using iOS settings app) is required on devices running iOS 18 and later. 
  • Prepare the sign-in details for both the Google Admin console and your organization's Apple Business Manager or Apple School Manager.
  • Turn on advanced mobile management for the organizational unit that will use the devices.
  • Set up Apple Volume Purchase Program (VPP) to distribute work apps to users. 

Step 1: Link Apple Business Manager to Google Workspace

You link Apple Business Manager or Apple School Manager to Google Workspace so that users can use their Google Workspace usernames as Managed Apple IDs. They can use those details to sign in to their iOS device. You need licenses for the Google Device Policy app and any other apps that you want to distribute to user-enrolled devices. To link Apple Business Manager to Google Workspace:

  1. Open Apple Business Manager or Apple School Manager and sign in with your business Apple ID.
  2. At the bottom left, select your nameand thenPreferencesand thenAccounts.
  3. Next to Federated Authentication, click Edit.
  4. Select Google Workspaceand thenConnect, and sign in with your Google Workspace administrator account.
  5. Check the box next to each of the requested permissions, and click Continueand thenDone.
  6. Next to Domains, click Edit.
  7. Next to your verified domain, click Federate.
  8. At the left, click Directory Sync and enable Google Workspace Sync.

Step 2: Get app licenses for Google Device Policy

You need licenses for the Google Device Policy app and any other apps that you want to distribute to user-enrolled devices. For details, go to Distribute iOS apps with Apple VPP.

Step 3: Turn on user enrollment

Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenMobile & endpointsand thenSettingsand theniOS.
  3. Click Enrollment
  4. (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
  5. Choose an option: 
    • (Default) To manage work and personal data on personal iOS devices, select Device Enrollment.  
    • To manage only the work data on devices, select User Enrollment.
    • To apply the setting only to new devices, check the Allow Device Enrollment for existing users box.
    • To let the user decide the enrollment type, select User's choice.
  6. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit

Step 4: Set up account-driven user enrollment

Required for iOS 18 and later devices

You can set up account-driven user enrollment so that users can enroll their device with the iOS settings app. This is an easier way for users to enroll their personal devices. To do this, you need to set up service discovery so that Apple can retrieve enrollment information from Google endpoint management. 

  1. Create a JSON file with this content: 

       "Servers": [
        { 
           "BaseURL":"https://ios-mdm.google.com/userenrollment/enroll", 
           "Version":"mdm-byod"
        } 
       ]
    }
  2. Save the file to your domain at the following location:
    https://yourdomain.com/.well-known/com.apple.remotemanagement

The response should have the following header:

Name: Content-Type
Value: application/json

Step 5: Have users enroll their device

To enroll iOS devices for management, have users do the following: 

  1. If the user’s device was already enrolled for management, have them unregister their Google Workspace account from the Device Policy app and then uninstall the app. For details, go to Manage the Device Policy app.
  2. Choose an option:
    • If you set up account-driven user enrollment (see Step 4), have users tap Settingsand thenGeneraland thenVPN & Device Managementand thenSign In to Work or School Account and sign in with their Google Workspace account.
    • To use Google apps (such as Gmail) for work, have users install the Google Device Policy app and sign in with their Google Workspace account. 
    • If you allow users to sync email, calendars, and contacts with the built-in iOS apps on their device, users can use those iOS apps (such as iOS Mail) for work. Have users tap Settingsand thenMailand thenAccountsand thenAdd Accountand thenGoogle and sign in with their Google Workspace account. For more information, go to Account Configurations.
  3. Follow the prompts to install the Google Device Policy app and a configuration profile on their device. For detailed instructions, go to Set up a personal device
  4. Install managed apps from the Google Device Policy app. If a managed app is already on the user's device, they might need to uninstall it first. For details, go to Get approved work apps on iOS devices

Related topic

Manage mobile apps for your organization

 

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
5954989596198589239
true
Search Help Center
true
true
true
true
true
73010
false
false