For those that manage Apple devices, do you generally enable/allow iCloud/iMessaging? Any policies/procedures that you enforce if you allow it? (full knowing that the staff typically use that platform for personal stuff).
We absolutely allow it, in fact when out comes to iDevices, we typically work to do all of our corporate work on the device level, and let people use their own personal AppleID/iCloud account on it as they would a personal device.
That is to say we push our corporate apps in via VPP, we push our policies in via MDM, and we lock the device to our ownership with DEP.
All three of these things work even if you don’t have an AppleID at all. In fact, our DEP/MDM profiles skip past everything to do with iCloud/AppleID out of the box, so a new iPad is ready to use out of the box with our organizational apps - even if you have no AppleID account logged in.
This way, if we are just using a device for a kiosk, or with a user who is just doing organization/corporate things with it, we don’t need an AppleID logged in at all.
If a user gets the device and wants to download their own apps, use their own iMessage, whatever - all they need to do is sign in and use it like they would their own. Anything they do just sits inside the framework we built, it doesn’t interfere.
When/If they leave, because we have DEP/MDM ownership and control, we can just wipe it and re-assign it, no sweat.
Users typically see mobile devices as “theirs” - even if it is organizationally issued. We typically lean into that world view and manage accordingly.
It has worked great.
Do you use MDM to pre-assign apple IDs?
We do not - we try to avoid assigning AppleID’s at all for organizational purposes.
We do not currently have an MDM in place, but we do use iCloud and AppleID (for keychain primarily, but disabling iCloud Drive). We only use them where the corresponding iPhone/iPad is tied to a particular role such as Manager, Finance, Reception where it is needed to support dual-factor authentication on an external system such as a cloud-based platform. As such all devices are entirely owned/controlled by the organisation. We do not generally allow BYOD as it causes too many issues.