blog.dataJAR

Understanding BYOD and ADE enrolments in macOS – pros, cons and what to look out for 

Enrolling devices in a management system is an essential step for organisations to ensure the security and compliance of their data and applications. Depending on the technology and use requirements in each environment, there are different methods to enrol Apple devices.

Two commonly used methods are Bring Your Own Device (BYOD), previously known as User-Initiated Enrolment, and Automated Device Enrolment (ADE).

BYOD is a self-service enrolment process that enables employees to enrol their own devices in the organisation’s management system, without the need for IT intervention. This method is often used in scenarios where employees use their personal devices for work purposes. BYOD provides a flexible enrolment experience. However, it can be challenging to manage at scale and is not as secure as ADE.

By contrast, ADE is designed for company-owned devices and provides a secure and streamlined enrolment process that is managed by IT. ADE allows companies to enrol devices in bulk and automatically configure them with required settings, apps and security policies when linked to an MDM solution. One caveat with ADE is devices must be purchased through authorised resellers or carriers that support it, or by manually adding devices using the Apple Configurator app.

Why would you choose to enrol devices via ADE vs BYOD?
  1. Automatic Enrolment – ADE allows the automatic enrolment of devices into your mobile device management (MDM) solution without any user interaction. This means that as soon as a device is turned on, it can automatically enrol in your MDM and begin receiving configurations, apps and policies. BYOD requires users to manually initiate enrolment, which is less efficient and more time-consuming.
  2. MDM Profile Lock – ADE allows MDM profiles to be locked to a device, which prevents them from being removed or modified by the end user. BYOD (UIE) does not offer this feature, so end users can potentially remove or modify the MDM profile on their device, which could lead to security vulnerabilities.
  3. Firmware Passwords – ADE allows you to enforce a firmware password on devices, preventing users from booting the device from an external disk or entering target disk mode. BYOD does not offer this feature, so it is possible for users to bypass security measures by booting from an external disk.
    However, it should be noted that firmware passwords are no longer a factor for Apple Silicon-based Macs, which use the Volume Ownership model to protect data. Firmware password protection is only a benefit for Intel-based Macs.
  4. Device Supervision – ADE allows devices to be automatically placed under supervision, which provides additional management capabilities such as the ability to restrict app installation and usage. BYOD does not offer this feature, so you will have less control over the device.

I bought my company Mac from a non-ADE vendor but have not enrolled it yet. What should I do?
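The distinction in points 2 and 4 (a locked, supervised ADE enrolment versus a removable BYOD one) can be audited per Mac from the report printed by `profiles status -type enrollment`. The script below is an added example, not dataJAR's or Apple's code: it classifies that report as ADE, BYOD or unenrolled and flags company-owned Macs that should be rebuilt; the sample reports are constructed and the `needs_rebuild` policy is an assumption for illustration.

```shell
#!/bin/sh
# Added example (not the blog's code): classify a Mac's enrolment from the
# text of `profiles status -type enrollment` so a fleet report can flag
# company Macs that were enrolled via BYOD instead of ADE.

# Reads the enrolment report on stdin and prints one of:
#   ADE        - enrolled via Automated Device Enrolment (profile can be locked)
#   BYOD       - MDM enrolled but user-initiated (profile removable by the user)
#   UNENROLLED - no MDM enrolment at all
classify_enrolment() {
    report=$(cat)
    dep=$(printf '%s\n' "$report" | awk -F': ' '/^Enrolled via DEP:/ {print $2}')
    mdm=$(printf '%s\n' "$report" | awk -F': ' '/^MDM enrollment:/ {print $2}')
    case "$mdm" in
        Yes*) if [ "$dep" = "Yes" ]; then echo ADE; else echo BYOD; fi ;;
        *)    echo UNENROLLED ;;
    esac
}

# Assumed policy: a company-owned Mac that is not ADE-enrolled cannot have its
# MDM profile locked, so it is marked for a wipe and ADE rebuild.
# $1 = classification, $2 = ownership (company|personal). Prints OK or REBUILD.
needs_rebuild() {
    if [ "$2" = company ] && [ "$1" != ADE ]; then echo REBUILD; else echo OK; fi
}

# Constructed sample reports (same line shape as the real command, values invented).
ADE_REPORT='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
BYOD_REPORT='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
FRESH_REPORT='Enrolled via DEP: No
MDM enrollment: No'

# Stand-alone run: use the live report on macOS when running as root,
# otherwise walk the constructed samples.
if command -v profiles >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    c=$(profiles status -type enrollment | classify_enrolment)
    printf '%s -> %s\n' "$c" "$(needs_rebuild "$c" company)"
else
    for r in "$ADE_REPORT" "$BYOD_REPORT" "$FRESH_REPORT"; do
        c=$(printf '%s\n' "$r" | classify_enrolment)
        printf '%s -> %s\n' "$c" "$(needs_rebuild "$c" company)"
    done
fi
```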

Intel-based Macs with the T2 Security Chip and Apple Silicon-based Macs can be added to Apple Business/School Manager by utilising Apple’s Configurator app for iPhone.

I have already enrolled the company Macs using BYOD but they are capable of ADE enrolment.

Ideally, you should wipe these Macs and reinstall the latest macOS version. At that point, you will be offered a route to add the Mac to your Apple Business/School Manager by utilising Apple’s Configurator app for iPhone.

I have already enrolled the company Macs using BYOD but I bought them from an ADE-ready vendor. What should I do?

Contact the vendor or reseller you purchased from as they can often retroactively add your Macs to your Apple Business Manager. Apple maintains a list of preferred resellers here. You can then re-enrol the Mac without wiping by following Jamf’s documentation here.

Are there any alternatives?

Ideally, you will want to wipe and rebuild these Macs as ADE-enrolled at the earliest convenience, but things should be getting interesting for already deployed devices in the near future.

Apple recently created a framework which offers a GUI interface for organisations to add devices to Apple Business/School Manager on the fly. However, it first requires development integration into existing enrolment solutions by software vendors and service providers.

If you, instead, wanted to head into the weeds, the technique this industrious Reddit user tried can help you reach the goal.

However, it is always best to follow the Apple-approved methods of enrolling devices to avoid disappointment.

What if I do not enrol company Macs via ADE? BYOD seems fine.

With BYOD, the goal may be achieved in the short term. Your user has the Mac in hand and they are seemingly able to work; they have not come back to you with an issue… yet.
They continue to work, configure their settings, organise their filesystem, and they begin to love their set-up. And then…

  • The Mac gets lost or stolen, but you cannot send commands to lock it down because it has already been erased and macOS reinstalled; it is now a fresh-faced retail Mac again and is not associated with your company in any shape or form.
  • Enterprise security configurations will not work, as their settings cannot be installed or enforced. Leaving aside the risk of a potentially costly data breach, your staff member now has to wipe their device at an inconvenient time and have it re-enrolled to comply with company information security standards.

In summary

BYOD is an option that works best as an enrolment method for users who own their own devices, but need access to company resources. It is not as secure as ADE and does not tie the Mac to your organisation, which could become an issue for your finance and InfoSec departments.

If you are responsible for managing your company’s Apple devices, you should carefully evaluate your enrolment requirements and choose the method that best suits your environment’s needs. In this case, BYOD enrolment should only be used for people who bring in personally owned hardware to the organisation, or for devices that are physically incapable of ADE enrolment.