Separate work and personal data on iOS devices (beta)

This feature is available with Cloud Identity Premium edition. Compare editions 

As an administrator, you can manage all data on a user’s personal iOS device, or only the work data. Apple User Enrollment separates work and personal data on iOS devices to give you full control of work data on the device while users retain privacy over their personal data.

Compare iOS device enrollment options

You can choose between device enrollment and user enrollment for BYOD (bring your own device) iOS devices. Each enrollment type gives you a different set of features.

  • Use user enrollment if you want to secure work data on the device and give the user privacy over their personal data.
  • Use device enrollment for more control of the device, including the ability to wipe the device. 
Mobile management feature                              Device enrollment   User enrollment
Access work data in built-in iOS apps                  Yes                 Yes
Install and configure apps                             Yes                 Yes
Require passwords for devices                          Yes                 Yes
Require a strong passcode                              Yes                 No
See inventory of work apps                             Yes                 Yes
Access inventory of personal apps                      Yes                 No
Remove work data only                                  Yes                 Yes
Remotely wipe entire device (including personal data)  Yes                 No

With user enrollment, Apple exposes only the managed (work) side of the device to the management server and limits the passcode requirement to a simple, non-complex passcode. That is why a strong passcode policy, an inventory of personal apps, and a full device wipe are only available with device enrollment.

Before you begin

  • User enrollment is supported only on devices running iOS 15.5 and later.
  • Prepare the sign-in details for both the Google Admin console and your organization's Apple Business Manager or Apple School Manager.
  • Turn on advanced mobile management for the organizational unit that will use the devices.
  • Set up Apple Volume Purchase Program (VPP) to distribute work apps to users. 

Step 1: Link Apple Business Manager to Google Workspace

You link Apple Business Manager or Apple School Manager to Google Workspace so that users can use their Google Workspace usernames as Managed Apple IDs. They use those credentials to sign in to work on their iOS device. To link Apple Business Manager to Google Workspace:

  1. Open Apple Business Manager or Apple School Manager and sign in with your business Apple ID.
  2. At the bottom left, select your name > Preferences > Accounts.
  3. Next to Federated Authentication, click Edit.
  4. Select Google Workspace > Connect, and sign in with your Google Workspace administrator account.
  5. Check the box next to each of the requested permissions, and click Continue > Done.
  6. Next to Domains, click Edit.
  7. Next to your verified domain, click Federate.
  8. At the left, click Directory Sync and enable Google Workspace Sync.

Step 2: Get app licenses for Google Device Policy

You need licenses for the Google Device Policy app and any other apps that you want to distribute to user-enrolled devices. For details, go to Distribute iOS apps with Apple VPP (beta).

Step 3: Turn on user enrollment

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Devices > Mobile & endpoints > Settings > iOS.
  3. Click Enrollment.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Choose an option:
    • (Default) To manage work and personal data on personal iOS devices, select Device Enrollment.
    • To manage only the work data on devices, select User Enrollment. To apply user enrollment only to devices that enroll from now on, and leave devices that are already enrolled under device enrollment, check the Allow Device Enrollment for existing users box.
    • To let the user decide the enrollment type, select User's choice.
  6. Click Save.

Step 4: (Optional) Set up account-driven user enrollment

You can set up account-driven user enrollment so that users can enroll their device from the iOS Settings app, which is an easier way for users to enroll their personal devices. To do this, you publish a service discovery document on your domain so that a device signing in with a Managed Apple ID (the user's Google Workspace address) can retrieve the enrollment URL for Google endpoint management. The document must be hosted on the domain of the users' Google Workspace email addresses, because the device derives the lookup URL from the domain part of the Managed Apple ID, and it must be served over HTTPS with a certificate the device trusts.

  1. Create a JSON file with this content (the whole document is one JSON object):

       {
         "Servers": [
           {
             "BaseURL": "https://ios-mdm.google.com/userenrollment/enroll",
             "Version": "mdm-byod"
           }
         ]
       }
  2. Publish the file on your domain, over HTTPS, at the following location:
    https://yourdomain.com/.well-known/com.apple.remotemanagement

The server must return the document with HTTP status 200 and the following response header:

Name: Content-Type
Value: application/json
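The following script is an added example, not code from the Google Workspace help page or from Google endpoint management. It generates the discovery document from step 4 and checks a response against the requirements above (HTTP 200, Content-Type application/json, a "Servers" array whose entry uses Version "mdm-byod" and an https BaseURL), so you can confirm the well-known URL is served correctly before asking users to enroll. The BaseURL and Version values are the ones on this page; the domain you pass on the command line, the User-Agent string, and the validation messages are assumptions of this example.

```python
"""Generate and validate the Apple User Enrollment service discovery document.

Added example (not from the Google Workspace help page). Run with no
arguments to print the document to publish; run with a domain argument to
fetch https://<domain>/.well-known/com.apple.remotemanagement and report problems.
"""
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
# Values taken from the help page; everything else in this file is assumed.
EXPECTED_BASE_URL = "https://ios-mdm.google.com/userenrollment/enroll"
EXPECTED_VERSION = "mdm-byod"


def build_discovery_document(base_url=EXPECTED_BASE_URL):
    """Return the JSON text to publish at the well-known path."""
    doc = {"Servers": [{"BaseURL": base_url, "Version": EXPECTED_VERSION}]}
    return json.dumps(doc, indent=2) + "\n"


def validate_body(body):
    """Return a list of problems with the document body; an empty list means it is acceptable."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return [f"body is not valid JSON: {exc}"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return ['top-level object must contain a non-empty "Servers" array']
    problems = []
    for i, server in enumerate(servers):
        if not isinstance(server, dict):
            problems.append(f"Servers[{i}] is not an object")
            continue
        if server.get("Version") != EXPECTED_VERSION:
            problems.append(f"Servers[{i}].Version is {server.get('Version')!r}, expected {EXPECTED_VERSION!r}")
        base_url = server.get("BaseURL")
        parsed = urlparse(base_url) if isinstance(base_url, str) else None
        if parsed is None or parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"Servers[{i}].BaseURL must be an https URL, got {base_url!r}")
        elif base_url != EXPECTED_BASE_URL:
            problems.append(f"Servers[{i}].BaseURL is {base_url!r}; Google endpoint management expects {EXPECTED_BASE_URL!r}")
    return problems


def _header(headers, name):
    """Case-insensitive header lookup over a plain mapping."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def validate_response(status, headers, body):
    """Validate a complete HTTP response: status code, headers mapping, decoded body text."""
    problems = []
    if status != 200:
        problems.append(f"expected HTTP 200, got {status}")
    # Apple requires application/json; a charset parameter is tolerated here.
    media_type = _header(headers, "Content-Type").split(";")[0].strip().lower()
    if media_type != "application/json":
        problems.append(f"Content-Type must be application/json, got {media_type or '<missing>'!r}")
    problems.extend(validate_body(body))
    return problems


def check_domain(domain, timeout=10):
    """Fetch the well-known document over verified TLS and validate it (network call)."""
    url = f"https://{domain}{WELL_KNOWN_PATH}"
    request = urllib.request.Request(url, headers={"User-Agent": "user-enrollment-discovery-check"})
    try:
        # The default urlopen context verifies the certificate chain, so a
        # self-signed or expired certificate fails here as it would on the device.
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return validate_response(response.status, dict(response.headers.items()),
                                     response.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # A 404 or redirect-to-login page is the most common misconfiguration.
        return validate_response(err.code, dict(err.headers.items()),
                                 err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    if len(sys.argv) == 2:
        found = check_domain(sys.argv[1])
        print("OK" if not found else "\n".join(found))
        sys.exit(1 if found else 0)
    print(build_discovery_document(), end="")
```

Usage: `python3 discovery_check.py > com.apple.remotemanagement` writes the document, and `python3 discovery_check.py yourdomain.com` fetches and validates the published copy. The check uses a verifying TLS context on purpose: the device will not enroll against a discovery document served with an untrusted certificate, so a tool that skips verification would hide the most common failure.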

Step 5: Have users enroll their device

To enroll iOS devices for management, have users do the following: 

  1. If the user’s device was already enrolled for management, have them unregister their Google Workspace account from the Device Policy app and then uninstall the app. For details, go to Manage the Device Policy app.
  2. Choose an option:
    • If you set up account-driven user enrollment (see step 4), have users tap Settings > General > VPN & Device Management > Sign In to Work or School Account and sign in with their Google Workspace account.
    • To use Google apps (such as Gmail) for work, have users install the Google Device Policy app and sign in with their Google Workspace account. 
    • If you allow users to sync email, calendars, and contacts with the built-in iOS apps on their device, users can use those iOS apps (such as iOS Mail) for work. Have users tap Settings > Mail > Accounts > Add Account > Google and sign in with their Google Workspace account. For more information, go to Account Configurations.
  3. Follow the prompts to install the Google Device Policy app and a configuration profile on their device. For detailed instructions, go to Set up a personal device.
