BYOD Recommendations

Learn how to best support Bring Your Own Device (BYOD) workflows

Introduction

Kandji administrators often have questions about supporting BYOD scenarios. This document answers the most common ones.

Organization 

In most scenarios, admins find that the most effective way to organize employee-owned (BYOD) devices is to create a separate Blueprint for them. A dedicated BYOD Blueprint has the following advantages:

  • Distinct separation from corporate-owned devices through a dedicated group.
  • Separate, less restrictive management of employee-owned devices.
  • The Access Code of the BYOD Blueprint can be independently enabled for enrollment via the Enrollment Portal.

Management 

Generally speaking, most organizations impose fewer restrictions on BYOD devices. A common practice is to impose only the restrictions needed to maintain a minimum level of information security. Organizations may also want to deploy the corporate applications their end-users need, or device identity certificates for conditional access workflows.

Examples of items an organization may deploy to BYOD devices are:

  • Imposing a passcode/password requirement via a Passcode profile.
  • Enforcing FileVault on macOS devices via a FileVault profile.
  • Enforcing Screen Saver start intervals via a Screen Saver profile.
  • Ensuring the operating system and corporate applications are up to date using Managed OS and Custom Apps.
  • Deploying a device identity certificate for conditional access via a SCEP profile.

In certain circumstances, management options will be limited (especially on iOS), because manually enrolled devices are not supervised, which limits the restrictions that can be placed on them. One example of these limitations is that you cannot prevent use of the camera on iOS unless the device is supervised.
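A practical check that follows from the list above: before handing a BYOD Blueprint to end-users, confirm that its Passcode profile actually enforces the minimum you intend, since a payload that is present but weak (short code, long auto-lock) gives a false sense of coverage. The following Python script is an added example and is not Kandji's code or anything from this article. It parses an exported Passcode configuration profile (a .mobileconfig plist) and reports every setting that falls below a baseline, then produces a tightened copy. The payload type com.apple.mobiledevice.passwordpolicy and the keys forcePIN, allowSimple, minLength, maxInactivity and maxFailedAttempts are Apple's documented Passcode payload keys; the sample profile, its identifiers and the baseline numbers are this example's own assumptions, and an organization would substitute its own values.

```python
import plistlib

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Constructed sample: the shape of a Passcode profile as exported from an MDM.
# Identifiers and values are placeholders, not from any real tenant.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.byod.passcode",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadIdentifier": "com.example.byod.passcode.policy",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadVersion": 1,
        "forcePIN": True,          # a passcode is required...
        "allowSimple": True,       # ...but "1234" would be accepted
        "minLength": 4,            # four characters
        "maxInactivity": 30,       # minutes before auto-lock
        "maxFailedAttempts": 11,   # bad attempts before wipe/lockout
    }],
})

# Minimum baseline for the BYOD Blueprint (assumed values for this example).
# Each entry is (required value, how to compare): "equal" for booleans,
# "at_least" where larger is stricter, "at_most" where smaller is stricter.
BASELINE = {
    "forcePIN": (True, "equal"),
    "allowSimple": (False, "equal"),
    "minLength": (6, "at_least"),
    "maxInactivity": (15, "at_most"),
    "maxFailedAttempts": (10, "at_most"),
}


def _weaker(actual, required, direction):
    """True when the configured value is less strict than the baseline."""
    if direction == "equal":
        return actual != required
    if direction == "at_least":
        return actual < required
    return actual > required


def find_passcode_payloads(profile_bytes):
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]


def check_passcode_policy(profile_bytes, baseline=BASELINE):
    """Return a list of findings; an empty list means the profile meets the baseline."""
    payloads = find_passcode_payloads(profile_bytes)
    if not payloads:
        return [f"no {PASSCODE_PAYLOAD_TYPE} payload: this profile enforces no passcode"]
    findings = []
    for payload in payloads:
        for key, (required, direction) in baseline.items():
            actual = payload.get(key)
            if actual is None:
                # An unset key means the device default applies, which may be weaker.
                findings.append(f"{key} not set (device default applies); baseline is {required!r}")
            elif _weaker(actual, required, direction):
                findings.append(f"{key} is {actual!r}; baseline is {required!r}")
    return findings


def apply_baseline(profile_bytes, baseline=BASELINE):
    """Return a copy of the profile with every Passcode payload tightened to the baseline."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PASSCODE_PAYLOAD_TYPE:
            continue
        for key, (required, direction) in baseline.items():
            actual = payload.get(key)
            if actual is None or _weaker(actual, required, direction):
                payload[key] = required
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for finding in check_passcode_policy(SAMPLE_PROFILE):
        print("WEAK:", finding)
    print("after tightening:", check_passcode_policy(apply_baseline(SAMPLE_PROFILE)) or "meets baseline")
```

Running it against the constructed sample reports four weak settings (allowSimple, minLength, maxInactivity, maxFailedAttempts); forcePIN already matches. The same check can be pointed at a profile exported from the BYOD Blueprint to confirm the settings chosen in the console before rollout.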

Enrollment

Now that you've created a new Blueprint, set up a few restrictions, and added a few applications, it's time to enroll your organization's BYOD devices using the Kandji Enrollment Portal. If you typically use Automated Device Enrollment, you have the option of disabling non-BYOD Blueprints for the enrollment portal, allowing only the BYOD Blueprint to be enrolled via this method. We typically recommend giving end-users the full enrollment URL with the access code embedded in it (similar to the following).

https://accuhive.kandji.io/enroll/access-code/123456

Consent

Given the level of control and information that an MDM has over even a manually enrolled device, it is important for your end-users to understand how much control they are granting to an IT administrator when they enroll. Apple makes this very clear to the end-user during the profile installation process by listing the "rights" that the MDM server is requesting, with a brief outline of what actions each makes possible. It is always recommended that you communicate with your end-users when rolling out a BYOD enrollment initiative.
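The "rights" Apple lists at install time come from the AccessRights bitmask in the com.apple.mdm payload of the enrollment profile, so the same list can be read straight from the profile before it is ever sent to a user. The following Python script is an added example, not Kandji's code or part of this article: it decodes that bitmask into the documented rights, calls out the ones most visible to the owner of a personal device (lock, erase, device and network queries), and flags dependency errors that Apple's MDM protocol reference documents (bit 2 requires bit 1, bit 128 requires bit 64). The bit-to-right table is taken from that reference; the sample profile, its server URL, topic and identifiers are constructed placeholders, and the choice of which rights count as "high impact" is this example's own judgement.

```python
import plistlib

# AccessRights bit values for the com.apple.mdm payload, per Apple's MDM protocol reference.
ACCESS_RIGHTS = {
    1: "Allow inspection of installed configuration profiles",
    2: "Allow installation and removal of configuration profiles",
    4: "Allow device lock and passcode removal",
    8: "Allow device erase",
    16: "Allow query of Device Information (capacity, serial number, ...)",
    32: "Allow query of Network Information (phone/SIM numbers, MAC addresses)",
    64: "Allow inspection of installed provisioning profiles",
    128: "Allow installation and removal of provisioning profiles",
    256: "Allow inspection of installed applications",
    512: "Allow restriction-related queries",
    1024: "Allow security-related queries",
    2048: "Allow manipulation of settings",
    4096: "Allow app management",
}

# Rights worth spelling out in BYOD communications because their use is most
# visible to the device owner (selection is this example's judgement).
HIGH_IMPACT = {4, 8, 16, 32}

# Constructed sample enrollment profile; every identifier and URL is a placeholder.
SAMPLE_ENROLLMENT_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.mdm.enroll",
    "PayloadUUID": "00000000-0000-0000-0000-0000000000a1",
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": "com.apple.mdm",
        "PayloadIdentifier": "com.example.mdm.enroll.mdm",
        "PayloadUUID": "00000000-0000-0000-0000-0000000000a2",
        "PayloadVersion": 1,
        "ServerURL": "https://mdm.example.invalid/mdm",
        "CheckInURL": "https://mdm.example.invalid/checkin",
        "Topic": "com.apple.mgmt.PLACEHOLDER",
        "IdentityCertificateUUID": "00000000-0000-0000-0000-0000000000a3",
        "AccessRights": 8191,   # every documented bit set (0x1FFF)
    }],
})


def describe_access_rights(mask):
    """Expand an AccessRights bitmask into the human-readable rights it grants."""
    return [text for bit, text in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def unknown_bits(mask):
    """Bits set in the mask that are not in the documented table above."""
    return mask & ~sum(ACCESS_RIGHTS)


def access_rights_issues(mask):
    """Dependency and range problems a reviewer would want flagged."""
    issues = []
    if mask & 2 and not mask & 1:
        issues.append("bit 2 (install/remove profiles) requires bit 1 (inspect profiles)")
    if mask & 128 and not mask & 64:
        issues.append("bit 128 (install/remove provisioning profiles) requires bit 64 (inspect them)")
    if unknown_bits(mask):
        issues.append(f"bits outside the documented table are set: {unknown_bits(mask):#x}")
    return issues


def enrollment_summary(profile_bytes):
    """Summarize what an enrollment profile asks the user to consent to."""
    profile = plistlib.loads(profile_bytes)
    mdm = [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == "com.apple.mdm"]
    if not mdm:
        raise ValueError("no com.apple.mdm payload: not an MDM enrollment profile")
    payload = mdm[0]
    mask = int(payload.get("AccessRights", 0))
    return {
        "server": payload.get("ServerURL"),
        "mask": mask,
        "rights": describe_access_rights(mask),
        "high_impact": [ACCESS_RIGHTS[b] for b in sorted(HIGH_IMPACT) if mask & b],
        "issues": access_rights_issues(mask),
    }


if __name__ == "__main__":
    summary = enrollment_summary(SAMPLE_ENROLLMENT_PROFILE)
    print(f"Enrolling with {summary['server']} grants {len(summary['rights'])} rights:")
    for right in summary["rights"]:
        marker = "!" if right in summary["high_impact"] else " "
        print(f" {marker} {right}")
    for issue in summary["issues"]:
        print("ISSUE:", issue)
```

The printed list is the same set of statements the user sees on the device, which makes it a convenient source for the rollout communication this section recommends: the high-impact lines are the ones to explain explicitly to owners of personal devices.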

The Future of BYOD

Apple has introduced a new enrollment method to the MDM framework that is specifically designed for BYOD devices. This method, known as User Enrollment, is tailored for BYOD workflows, finding a middle ground between the scope of management capabilities that IT administrators want and the privacy that users expect. Under User Enrollment the end-user enjoys more privacy, but IT administrators will notice a few significant management restrictions, especially compared with the amount of management power that existing enrollment options provide (such as freely wiping, locking, and restricting enrolled and Apple-supervised devices).

User Enrollment works by combining a Managed Apple ID from Apple Business Manager (or Apple School Manager) with an MDM solution. The privacy of user data is protected through separate APFS volumes for work and personal use, and Managed Apple IDs are used to separate business apps (owned by the business) from personal apps (owned by the user). Device serial numbers and MAC addresses are also hidden from IT, replaced by an anonymized identifier created during enrollment.

Here at Kandji, we are extremely excited about the future of BYOD and Apple's new User Enrollment feature, and can't wait to support it in the future.