Create Apple User Enrollment Profile
  • 12 Feb 2024

Device Profiles are a great way to streamline your enrollment process. Like Device Profiles for Corporate devices, you can create BYOD Profiles for employee-owned iOS devices. BYOD Profiles are a great way to unify all your policies under one entity which then can be assigned to a QR Code configuration or a User Group.

At a high level, a BYOD profile offers the following policies on iOS devices:

  1. Application Policy: Select the applications that are to be installed in the secure work container.
  2. Browser Shortcuts: Select the browser shortcuts that will be shown in the Scalefusion workplace to provide your employees with quick bookmarks.
  3. Restrictions: Choose and control the finer security policies that should be applied on an employee-owned device.

The article below explains how to create a Device Profile for Apple User Enrollment and policies offered therein.

Before You Begin

  1. You must have a valid Scalefusion account.
  2. A VPP token should be configured under Apple Setup in the Scalefusion Dashboard.

Creating Apple User Enrollment Profile

  1. Sign In to Scalefusion Dashboard and navigate to Device Profiles & Policies ➞ Device Profiles.
  2. Click on Create New Profile in the upper right corner.
  3. From the iOS tab, select the Apple User Enrollment (BYOD) option under Choose Profile mode. Enter a name for your new Profile and click SUBMIT to see the profile creator window.
  4. The Profile creator mainly has the following sections:

Select Apps

  1. This helps you decide on the application policy. Only the apps purchased under Volume Purchase Program (VPP) will be listed here. Enable the applications that you would like to be installed and used in Work Apps, and click NEXT once done.

Select Browser Shortcuts

  1. The next section is the BROWSER SHORTCUTS section, where you can select the previously allowed websites. The visible shortcuts will appear in Scalefusion Workplace as bookmarks so that your users can easily navigate to them. Click NEXT once you are done.
    Note: Use Device Profiles & Policies > Allowed Websites section to create and allow websites.


  1. The last section is the RESTRICTIONS section, which gives you a wide range of policy controls. Configure the policies as per your requirements. The section is divided into sub-sections that let you define various policies:

General Settings

iCloud & Assistant Settings

  • Allow Managed Apps Sync to Personal iCloud: Allow/Restrict syncing of managed apps to personal iCloud.
  • Allow Siri: Allow/Restrict usage of Siri.
  • Allow Assistant while Locked: Allow Siri on Lock screen. Works only if Siri is Allowed in iCloud and Siri settings.

Lock Screen Settings

  • Allow Lock Screen Control Center: Allow/Restrict the Control Center on the Lock screen.
  • Allow Lock Screen Notification View: Allow/Restrict Notifications view on the Lock screen.
  • Allow Lock Screen Today View: Allow/Restrict Today View notifications when the device is locked.

Work Data Settings

These settings help you control the exchange of data between Managed (work) apps and non-Managed (personal) apps. They work on all iOS devices irrespective of whether they are Supervised or not (a minimum OS version is required), and help you secure corporate data by preventing Unmanaged applications from being used to view/open Managed data. The settings offered are:

  • Allow Open From Managed to Unmanaged: Allow Work documents/files to be opened via Unmanaged apps. Disabling this prevents the Unmanaged apps from being listed in the Share menu.
  • Allow UnManaged Apps to read contacts to Managed contact accounts: Allow Unmanaged applications to add/edit contacts to Work managed accounts. This setting will be forced to true if Allow Open From Managed to Unmanaged is true. Requires 12.0+ to work.
  • Allow Work Documents to be Shared via Airdrop: Allow Work documents/files from managed applications to be shared via Airdrop. This setting will be forced to true if Allow Open From Managed to Unmanaged is true.
  • Block Copy/Paste from Managed apps to Unmanaged apps: Blocks copy and paste actions done from managed to unmanaged apps. When this setting is enabled, and if you try to copy anything from a managed application onto an unmanaged one, a message will appear. This setting will not work if the Allow Open From Managed to Unmanaged setting is also enabled.
  • Allow Open Documents From Managed to Unmanaged: Allow non-Work documents/files to be opened via Managed applications. Enabling this will cause the managed apps to be shown in the Share menu of unmanaged apps.
  • Allow Screenshot: Allow/Restrict users to take screenshot.
  • Force Encrypted Backups: Allow/Restrict users to enforce encrypted backups where they can set a password for encrypted files while taking backup. This option is unchecked by default.
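
Several of the toggles above, and Allow Assistant while Locked earlier, have no effect while another setting is enabled, so a restrictive profile can look stricter than it is. The following added example (not Scalefusion's code) checks a Restrictions payload for such combinations; the mapping from the dashboard labels to Apple's Restrictions payload keys is an assumption, and the sample payload is constructed.

```python
import plistlib

# Constructed sample Restrictions payload (not exported from Scalefusion).
SAMPLE_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>allowOpenFromManagedToUnmanaged</key><true/>
    <key>requireManagedPasteboard</key><true/>
    <key>allowUnmanagedToReadManagedContacts</key><false/>
    <key>allowAssistant</key><false/>
    <key>allowAssistantWhileLocked</key><true/>
</dict>
</plist>"""

# (payload key, value that restricts, article label). Assumed mapping of the
# toggles the article says are overridden while
# "Allow Open From Managed to Unmanaged" is enabled.
OVERRIDDEN_BY_OPEN_IN = [
    ("requireManagedPasteboard", True,
     "Block Copy/Paste from Managed apps to Unmanaged apps"),
    ("allowUnmanagedToReadManagedContacts", False,
     "Allow UnManaged Apps to read contacts to Managed contact accounts"),
    ("forceAirDropUnmanaged", True,
     "Allow Work Documents to be Shared via Airdrop"),
]


def audit_restrictions(payload_bytes):
    """Return labels of restrictive toggles that are set but have no effect."""
    payload = plistlib.loads(payload_bytes)
    ineffective = []
    # A key missing from the payload falls back to the permissive default.
    open_in_allowed = payload.get("allowOpenFromManagedToUnmanaged", True)
    siri_allowed = payload.get("allowAssistant", True)
    if open_in_allowed:
        for key, restrictive_value, label in OVERRIDDEN_BY_OPEN_IN:
            if payload.get(key) is restrictive_value:
                ineffective.append(label)
    # Lock-screen Siri only applies when Siri itself is allowed.
    if not siri_allowed and payload.get("allowAssistantWhileLocked") is True:
        ineffective.append("Allow Assistant while Locked")
    return ineffective


if __name__ == "__main__":
    for label in audit_restrictions(SAMPLE_PAYLOAD):
        print("no effect with current profile:", label)
```

A payload that sets only the copy/paste block is also reported, because an absent allowOpenFromManagedToUnmanaged key is treated as allowed.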

Device Management

Application Management

In this section, admin can configure settings that give control to users over how Applications published from the Dashboard are installed on the managed devices. This can be done by enabling the application catalog. To know more about the app catalog, click here.


From here, you can select a Wifi configuration from the drop-down and enforce it on the iOS device. The drop-down shows the list of configurations created for iOS in the Wifi Configurations section.


Use this section to install and deploy certificates on your managed devices. The certificates uploaded via Enterprise > Certificate Management are listed here. To learn more about how certificates can be applied on managed devices, please refer to the document here.

Email & Exchange Settings

Use this section to select the Email or Exchange configurations that you want to publish to the devices in this Device Profile. You can select one or multiple configurations to be pushed on the devices. To learn how to create Exchange and Email configurations, please refer to our document here.

Custom Settings

By using the Custom Settings feature of a Scalefusion iOS Profile, IT Admins can use a top-notch XML editor and push a Custom Payload directly to the devices. This lets admins add iOS features that are not yet offered under Scalefusion. To learn more about the Custom Settings feature, click here.

  1. Once you have configured the various sections, click on CREATE PROFILE to create the profile. Once the profile is created, it starts appearing in the Device Profile listing view with a User badge next to it, indicating that this is a BYOD profile.
  2. Any future updates to the device profile are automatically pushed to the devices. Hence, please make sure to validate the changes before editing.
  3. Once you have created a Device Profile, you can apply it to devices in the following ways:
    1. Create Enrollment Configuration: This will make sure that any user using the enrollment configuration will get these policies by default.
    2. Assign to a User Group: This will apply this profile to all the iOS devices belonging to the users in that group.
