iOS User enrollment using Intune is currently still in preview. This feature was added by Apple in iOS 13.1 at around the same time in the end of september it was became available in preview in Intune. With User enrollment a user identity is created on the device using a Managed Apple ID. The Managed Apple ID can be used alongside the personal Apple ID that the user has already signed in with, and the two don’t interact with each other. During user enrollment a seperate volume is created on the device containing the
- Calendar attachments
- Mail attachments and body of the mail message
- Keychain items
Only organization’s accounts, settings, and information provisioned with MDM can be managed by the system administrators. Personal accounts, settings and information can not be managed. Corporate data is kept secure in organization-managed apps.
Enrollment type profile
To allow user enrollment an enrollment profile needs to be created in Intune. During the creation of the enrollment profile you can choose to let the user choose the type of enrollment or you can specify which type of enrollment will be used. When you preselect user enrollment the device will be enrolled as a personal device and only the work related apps and data will be secured. If you select device enrollment the device will be enrolled with personal ownership, but the entire device will be secured. Device enrollment will be used by default when you do not create an enrollment profile.
If you let the user choose, there is a third option called “owned by company”. When the user selects that option during enrollment, the device will be enrolled with corporate ownership. This is a new way to register an iOS/iPadOS device as a corporate owned. Previously, this was only possible by using Automated Device Enrollment.
Before you start with Apple User enrollment please keep in mind there are some some pre-requisites:
- Managed Apple ID (Apple Business Manager)
- Apple Business Manager with verified domain
- Apple MDM Push Certificate
- Devices with iOS/iPadOS 13 or later
Setup iOS User enrollment using Intune
To setup iOS User enrollment using Intune you first need to create an enrollment type profile. This profile is then assigned to a group of users. Let’s start by creating a group for the profile assignment.
1. Select “Groups” -> “+New group” or click here to create a new user group to assign the enrollment profile.
2. Use a recognizable name for the group and add a testuser. Press “Create” to proceed with the creation of the group.
3. Next step is to create the user enrollment profile. Select “Devices” -> “iOS/iPadOS” -> ” iOS/iPadOS enrollment” or click here. Select “Enrollment types (preview)”
4. Select “Create profile” -> “iOS/iPadOS” to create a new enrollment profile.
5. In the basics enter a recognizable name for the enrollment profile and press “Next”.
6. In settings select the enrollment type you would like to use. I will select “User enrollment” and press “Next”.
7. In the Assignment step add the group created in step 2 and press “Next”.
8. Review your settings and press “Create” to proceed.
9. (Optional) If your Apple Business Manager (ABM) is not federated with your Azure AD you will need to manually create a managed Apple ID for your testaccount. I will be using my test user Tim Philips. To create a managed apple id, you must log into your Apple Business Manager. Select “Accounts” and press the + sign to create a new account.
10. Before you can start you will first have to install Intune Company Portal. Launch the company portal app and press “sign in” to log in with your test user credentials.
11. Enter the Azure AD credentials of the test user.
12. The enrollment wizard will start. Press “Begin” to proceed.
13. The first step is to install the “Microsoft Authenticator”. During this step you only need to install the authenticator. It is not clearly indicated, but you do not need to configure the app. Once the installation is complete you can close the app and return to the Company Portal app to continue the enrollment.
14. Press “Continue” to review the privacy information page. Review the settings and press “Continue” to proceed.
15. Press “Continue” to start the download of the management profile. Press “Allow” in the pop-up to download the configuration profile and press “Continue” to proceed.
16. Press “Continue” to install the manament profile.
17. Go to the “Settings” app and select “General” -> “Profile”. Select the Management Profile to install the management profile. This must be done within 8 minutes of downloading, otherwise the profile will be deleted and you will have to download it again.
18. Press “Enrol My iPhone” and enter the Passcode of the device. Enter the password of the managed Apple ID and press “Sign in”. If your ABM is federated with the Azure AD you will be forwarded to https://login.microsoftonline.com/ for authentication.
19. The installation is now complete and the device is enrolled as a personal owned device with user enrollment.
I hope you liked this blog about iOS User enrollment in Intune. Just leave a reply if you have questions or remarks about this post.
I appreciate the way you shared such great information. I am happy to find such an informative post after so long. Hope more to come as I’m an avid reader. I tried to educate myself as much as possible.
I love your blog. I don’t normally comment but I really needed this one today – must be at the bottom dip of my roller coaster … sitting here with tears in my eyes. So just a thank you!
Hi there. Thank you so much for the clear language and step by step approach.
In Step 10, you move to the iOS device to install inTune Company Portal – my problem is that I can’t get that App onto the phone in the first place.
The AAD accounts are federated with SCIM but have not transferred over to ABM
I cannot purchase Apps in ABM
The apps assigned in intune do not transfer to the Phone.
Would you be able to do a short blog to trouble shoot some of these?
Either way, thanks again.
You need to manually install the company portal app from the app store. You need a personal apple id to do this (see my blog “Managed Apple ID“. Once you’ve installed the company portal and have enrolled the device in Intune the published apps will be installed.
If I do not want to use Device Enrollment Management (DEM) but I only have corporate iOS and no BYOD devices. I can select user choice for Intune to manage the whole device right?
Also if it is possible to skip Apple Business Manager (ABM) setup?
I’m not sure what you mean with Device Enrollment Management, do you mean a DEM account? A DEM acccount is not required. To use iOS User Enrollment in Intune a managed Apple ID is requirement, to get an managed Apple account you need Apple Business Manager.
hope this answers your question
Thanks for your post, it is very helpful, I was able to follow and complete all the steps, but I’m getting an issue with the apps, after the all process the apps are no installed automatically, and the apps are assigned as required for the user security group,
Any help will be appreciate,
Thanks in advance
Are you using VPP licenses? See this page
I can enroll private-owned iOS with all the apps and app protection policies that I have created on personal-owned devices.
For some reason it does not work the same for “company-owned” devices. I get enroll the apps but not the app protection policies (e.g. user is not prompted to change the PIN. It works only on personal-owned devices).
Is there any way to get it to fix it?
We have some security concerns with reagards of the ABM and Managed AppleID.
If we would like to “not” use ABM – how is it possible to create a managed Apple ID? Or what are our options?
It’s not possible to create Managed AppleIDs without Apple Business/School Manager. Have a look at my previous post about AppleIDs.
Account Driven User Enrollment for iOS devices will no longer depend on Company Portal and drastically reduces the number of Enrollment Screens for BYOD Nov 02 2021