How to start with iOS User Enrollment using Microsoft Intune

With the release of Apple's iOS 13.1 a new device management type became available: User Enrollment. This update brings iOS an equivalent of the Android Enterprise work profile, aimed specifically at managing personal (BYOD) devices. Like the Android work profile, it separates the user's personal and corporate apps and data: it creates an isolated managed volume that keeps work apps and data separate from, and protected against, personal apps and data.
To support User Enrollment, Microsoft rolled out new enrollment types (in Preview) in Intune. In this blog I will have a first look at iOS User Enrollment with Microsoft Intune.

Requirements

There are some requirements to start with iOS User Enrollment using Microsoft Intune:

  • Device with iOS 13.1 or later
  • Managed Apple IDs for the end-users (Apple Business Manager)
  • Apple enrollment enabled in Intune (MDM push certificate setup)
  • Apple Volume Purchase Program (VPP) tokens setup in Intune (to deploy apps)

Setup iOS User Enrollment in Microsoft Intune

To get started with iOS User Enrollment using Microsoft Intune, we first have to create a new Enrollment type profile.

  • Sign-in to the Device Management Portal
  • Browse to Device enrollment – Apple enrollment
  • Click Enrollment types (preview) under Enrollment targeting
  • Click Create profile
  • Click iOS
  • Give the enrollment type profile a Name
  • Enter a Description
  • Click Next

On the settings page we need to choose whether the user has to select a device (enrollment) type during enrollment.
When you leave it at Not configured, you need to choose the Default enrollment type: User enrollment or Device enrollment.

As I want to show the complete enrollment experience for an end-user, with the choice between a privately owned and a corporate-owned device, I choose Required.
Have a look at the Information message which is shown when you choose Required:
Deploy the Azure Authenticator app as required for Conditional Access to work.

  • Check Required
  • Click Next
  • Assign the policy by choosing All users or assign it to a user security group of your choice
  • Click Next
  • Review the settings
  • Click Create

The Enrollment type profile is created and ready to be used.

Because (at this moment) nothing has changed in the configuration and compliance policies in Intune, and your current policies also apply to User Enrolled devices, I will not cover that part in this article.

If you want to deploy apps to your device, keep in mind to deploy VPP apps!

End-user experience

Now let's have a look at the end-user experience when the device is a personal device and we perform a User enrollment.
Make sure your iPhone runs iOS 13.1 or later. First download the Intune Company Portal app from the App Store. As soon as the Company Portal app is installed, open the app and choose Sign in. Authenticate by entering your corporate (Azure AD) username and password and click Next.

  • Click Begin
  • Select I own this device
  • Select Secure work-related apps and data only
  • Click Continue
  • Click Continue
  • Review both pages to read what can and cannot be seen by the company (administrators)
  • Click Continue
  • Click Continue to start downloading the management profile
  • Click Allow when the pop-up shows up to allow the download of the profile
  • When the profile is downloaded, click Close
  • Click Continue now
  • Click Continue to Install the management profile
  • An informational page, How to install Management profile, is shown
  • Go to the Settings app of your device
  • Select Enroll Klapwijk (your corporate name)
  • You might be asked for your passcode if one is active
  • Review the information
  • Select Enroll My iPhone
  • Enter the password of your Managed Apple ID
  • A multi-factor challenge might be required
  • Click Sign in
  • The management profile is installed
  • Close the Settings app
  • Open the Intune Company Portal app
  • At this moment a popup might show up to notify about (required) App installations. The installation of required apps might start at this moment or later during or soon after the enrollment.
  • Click Install
  • You might also receive a pop-up about the Passcode requirement, if that is set as a requirement (or the current passcode doesn't meet the requirements)
  • Click Later, to first finish the enrollment
  • Or click Change now, to change the current passcode
  • Click Continue to update and confirm the device settings
  • The device settings are confirmed which might take a few minutes
  • Click Done
  • Click OK to acknowledge the message about notifications
  • Click Allow to allow the Company portal to send notifications

The iPhone is now successfully enrolled as a personal (BYOD) device using iOS User enrollment.
If you open the Devices tab and select the current device, you can find information about the device such as compliance status and Ownership type.

As the iPhone is successfully enrolled and compliant, you should now be able to access corporate data using this device.

How does that look in the Intune portal

If we take a look at the Intune portal we can see the device is enrolled as a personal device.

  • Open the Device Management Portal
  • Click Device – All devices
  • Search for your iOS device

If we open the properties of the device, we can see the ownership is Personal.

On the Hardware tab we see that, because the device is enrolled with User enrollment, hardware identifiers such as the serial number and IMEI are not shown.

Perform a retirement

The iOS device is enrolled as a BYOD device, so a retire action from Intune should only remove the corporate managed apps and not reset the entire device.

  • Open the Device Management Portal
  • Click Device – All devices
  • Search for your iOS device and select the device
  • On the Overview tab click Retire
  • Acknowledge the information and click Yes to start the retire action

On the end-user device a pop-up is shown when you open the Intune Company Portal app, confirming the removal of the device from Intune. The managed apps with corporate data are indeed removed from the device, without performing a factory reset or removing personal data.
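To put the two observations above (ownership shows as Personal with no serial number or IMEI, and retire is the right offboarding action for a BYOD device) into an admin's hands, here is an added Python example, not from the article or from Microsoft, that triages a constructed Microsoft Graph-style managedDevices response. Property names follow the Graph managedDevice resource; the "appleUserEnrollment" enrollment type value and the sample data are assumptions to verify against your tenant's API version.

```python
import json

# Constructed sample shaped like a Graph GET /deviceManagement/managedDevices
# response (no real tenant data). Property names follow the Graph managedDevice
# resource; "appleUserEnrollment" is an assumed enum value to verify per API version.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "dev-1", "operatingSystem": "iOS", "osVersion": "13.1.2",
     "managedDeviceOwnerType": "personal", "deviceEnrollmentType": "appleUserEnrollment",
     "serialNumber": "", "imei": "", "complianceState": "compliant",
     "userPrincipalName": "peter@example.com"},
    {"id": "dev-2", "operatingSystem": "iOS", "osVersion": "13.1.2",
     "managedDeviceOwnerType": "company", "deviceEnrollmentType": "appleBulkWithUser",
     "serialNumber": "SERIAL-PLACEHOLDER", "imei": "IMEI-PLACEHOLDER",
     "complianceState": "noncompliant", "userPrincipalName": "kiosk@example.com"},
    {"id": "dev-3", "operatingSystem": "Android", "osVersion": "10",
     "managedDeviceOwnerType": "personal", "deviceEnrollmentType": "userEnrollment",
     "serialNumber": "", "imei": "", "complianceState": "compliant",
     "userPrincipalName": "anna@example.com"},
]})

USER_ENROLLMENT_TYPES = {"userEnrollment", "appleUserEnrollment"}


def recommended_action(device: dict) -> str:
    """Retire (remove managed apps and corporate data only) for User Enrolled or
    personal devices; a full wipe is only acceptable on company-owned devices."""
    user_enrolled = device.get("deviceEnrollmentType") in USER_ENROLLMENT_TYPES
    personal = device.get("managedDeviceOwnerType") == "personal"
    return "retire" if (user_enrolled or personal) else "wipe-allowed"


def triage_ios_devices(payload: str) -> list:
    """Summarise the iOS devices in a managedDevices response for admin review."""
    rows = []
    for dev in json.loads(payload)["value"]:
        if dev.get("operatingSystem") != "iOS":
            continue
        # User Enrollment withholds serial number and IMEI from MDM, so inventory
        # matching must key on the Intune device id or the user, not hardware ids.
        rows.append({
            "id": dev["id"],
            "user": dev.get("userPrincipalName"),
            "ownership": dev.get("managedDeviceOwnerType"),
            "user_enrolled": dev.get("deviceEnrollmentType") in USER_ENROLLMENT_TYPES,
            "hardware_ids_present": bool(dev.get("serialNumber") or dev.get("imei")),
            "compliant": dev.get("complianceState") == "compliant",
            "offboarding_action": recommended_action(dev),
        })
    return rows
```

Feeding a real response into `triage_ios_devices` gives a per-device list that shows which iPhones must only ever be retired and which cannot be matched against a hardware asset inventory.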

Conclusion about the preview experience

At the time of writing this article, the User enrollment feature has only been in preview in Intune for a few days, and Microsoft might change or fix some things around iOS User enrollment.

As an end-user the enrollment went well without any issues, but there are some other things that don't work correctly (all the time).
Configuring Outlook, for example, worked without any issues the first time, but after I retired the iPhone and tried to set up Outlook again (after re-enrolling), it failed. Maybe I need to deploy an App Configuration Policy to get this working properly, but I need to test that later.

Deploying apps to the device with a required assignment works fine, as long as you choose a user license.
If I deploy the app as available, it fails over and over again when I try to install the app from the Company Portal app.
Another thing I noticed, which is related to app deployment: when I search in the Company Portal app for Outlook, for example, it shows two Outlook versions. Probably one version is the VPP app and the other one the store app. Pretty confusing, and I would expect only the VPP version to be shown.

Another small thing I would like to see (it probably requires Apple to do some work at the iOS level), which I do like about the Android work profile, is some sort of briefcase icon on the managed apps. At the moment nothing shows the end-user that an app is managed.

As an admin I would like to see Microsoft provide a separate set of configurations only for User Enrolled devices. At the moment, for example, there is one Device restrictions profile type for both fully enrolled and User Enrolled devices, but not all settings are applicable to User Enrolled devices.

And for a lot of (smaller) companies the required Managed Apple ID might be a hurdle. I personally prefer the solution Google uses for Android Enterprise, which uses random Android for work accounts that don't need to be created by the company.

That's it for now. I will update the article regularly when Microsoft or Apple bring out new updates around iOS User Enrollment.

Happy testing!


10 Comments

  1. Hi, does the user first need to complete the setup assistant and use a personal Apple ID? And when enrolling what Apple ID should then be used, a managed Apple ID that is created by Azure AD synced to DEP?

    • A Managed Apple ID is used, nothing personal.
      Federation with Azure AD is not publicly available to businesses yet, so at the moment you unfortunately need to create the users manually.

      • Can you elaborate a bit more on the managed apple id, please?
        The device/setup assistant the user needs to use the managed apple id , correct ?
        And in the 'dep' or 'business manager' we create a managed Apple ID manually?

        • As described in the article: Enter the password of your Managed Apple ID
          Here the user needs to use the Managed Apple ID to authenticate.

          At this moment you need to create these Managed Apple IDs in the Apple Business Manager portal (manually, unfortunately), that's correct.

  2. Peter,
    Default enrollment type: User enrollment or Device enrollment.

    What is the difference between the 2 options? Is it the choice when enrolling for a personal or corporate device?

  3. Not getting prompted to install the managed user id profile. Still getting a standard user profile like any old iOS enrollment. We are working with multiple domains and a few Azure tenants. Can you provide more detail what needs to be set up in Apple Business. Do email domains need to match between Azure and Apple, etc.

    • Hi Jak,

      That's a good one, I have only tested this with matching UPNs in Azure AD and Apple Business Manager.
      At the moment you need to manually create users in Apple Business Manager as long as there is no federation between both services for companies (I guess there is for education). So that is definitely a disadvantage.

  4. I’ve tried creating an account in apple business, assigned it the staff role, the account matched the tenant upn. Still I’m not seeing the section to sign in using the downloaded profile with any account. It only acts like a normal iOS enrollment. Not prompting for corporate managed account. Also called apple and they had no idea
