VMware Workspace ONE Community
alextsa
Contributor

Data and Application Partition on iOS MDM device

Hi all

I am a newbie to Workspace ONE, so I would like to seek expert help here.

In Android MDM, both public and internal applications deployed are partitioned in the work profile, so data for those managed apps is in a separate space, and all applications (both internal and public) are removed after an Enterprise Wipe. So may I know whether iOS managed by Workspace ONE also performs like this? I tried to deploy a public application to iOS, but the application is still there after an Enterprise Wipe. Is the data partitioned from the personal data? Or must we use registered mode to achieve this?

Best regards

Alex Tsang

chengtmskcc
Expert

Hi Alex,

Welcome aboard. Be sure to enable 'Remove On Unenroll' under Restrictions. I would also enable the others for better security.


rterakedis
VMware Employee

alextsa - iOS and iPadOS work in two different ways:

  1. When enrolled with automated enrollment (via Apple Business Manager), web enrollment, or hub-based enrollment, there is a concept of "managed" versus "unmanaged" data and apps. You can control whether unmanaged apps can interact with managed apps and data (and vice versa) via two checkboxes in the iOS restrictions profile. This concept of "managed vs unmanaged" means that everything is on a shared APFS partition on the device, but the OS is tracking what was put there by MDM and then will remove it during an enterprise wipe. Examples include volume-purchased, managed apps (or public apps that are then "taken over" by MDM to become managed apps), books, and content such as managed email accounts.
  2. When enrolled via Apple's new "User Enrollment" flow, there is a separate APFS partition created to store enterprise data separately from personal data. This means UEM can only query and manage data and apps on the "work" partition related to User Enrollment. All physically identifying attributes of the device are obfuscated.

Now, as far as the behavior of the public app that you mentioned, this is expected behavior UNLESS you've added a location token from Apple Business Manager to your account and delivered that app to the device as a managed, volume-purchased app (or, if it was a public app installed by the user's personal Apple ID, you've delivered it as a managed VPP app with the flag to "Make App MDM Managed if User Installed"). Basically, if you send the app using the "Public" apps tab in Workspace ONE UEM, then it's more of a "suggestion" that the end-user installs the app. Apps sent using the "Purchased" or "Internal" apps tab in Workspace ONE UEM are considered fully managed.

The above behavior is a fundamental difference between how i[Pad]OS works compared to Android.

Hope that helps!

Rob
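As an added illustration (not code from either reply or from Workspace ONE), this shows what the two settings discussed above look like at the Apple MDM protocol level: the 'Remove On Unenroll' behaviour is the remove-on-unenroll bit of `ManagementFlags` in an `InstallApplication` command, the "take over a user-installed app" option is `ChangeManagementState`, and the two managed/unmanaged checkboxes are the `allowOpenFrom...` keys of a `com.apple.applicationaccess` restrictions payload. It is an assumption that the UEM console maps its checkboxes to exactly these keys; the command UUID and store ID are constructed sample values, and the audit helpers are hypothetical.

```python
import plistlib

# Restriction keys behind the managed/unmanaged checkboxes. Apple's default
# for each is True, i.e. data may flow across the boundary unless set to False.
DATA_BOUNDARY_KEYS = ("allowOpenFromManagedToUnmanaged",
                      "allowOpenFromUnmanagedToManaged")
REMOVE_ON_UNENROLL = 0x1  # ManagementFlags bit: app removed with the MDM profile
PREVENT_BACKUP = 0x4      # ManagementFlags bit: app data excluded from backups


def install_command(itunes_id, remove_on_unenroll=True, prevent_backup=True):
    """Build an InstallApplication command for a device-assigned VPP app."""
    flags = (REMOVE_ON_UNENROLL if remove_on_unenroll else 0) \
        | (PREVENT_BACKUP if prevent_backup else 0)
    return {
        "CommandUUID": "constructed-uuid-0001",  # constructed sample value
        "Command": {
            "RequestType": "InstallApplication",
            "iTunesStoreID": itunes_id,
            "ManagementFlags": flags,
            "Options": {"PurchaseMethod": 1},      # 1 = VPP app assignment
            # Convert an app the user already installed into a managed app
            # instead of leaving it user-owned (the "make managed" option).
            "ChangeManagementState": "Managed",
        },
    }


def audit_install_command(cmd):
    """Hypothetical audit: findings about whether the app survives an enterprise wipe."""
    findings = []
    c = cmd["Command"]
    if not c.get("ManagementFlags", 0) & REMOVE_ON_UNENROLL:
        findings.append("app will survive enterprise wipe: remove-on-unenroll flag not set")
    if c.get("Options", {}).get("PurchaseMethod") != 1:
        findings.append("not a device-assigned VPP install: app may stay unmanaged")
    if c.get("ChangeManagementState") != "Managed":
        findings.append("a user-installed copy will not be taken over as managed")
    return findings


def audit_restrictions(payload):
    """Return the data-boundary keys that are unset or True (data may leak across)."""
    return [k for k in DATA_BOUNDARY_KEYS if payload.get(k, True)]


if __name__ == "__main__":
    cmd = install_command(123456789)  # constructed store ID
    print(plistlib.dumps(cmd).decode())
    print(audit_install_command(cmd))
    weak = {"PayloadType": "com.apple.applicationaccess",
            "allowOpenFromManagedToUnmanaged": False}
    print(audit_restrictions(weak))
```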

alextsa
Contributor

Thank you very much.
