With the release of Apple's iOS 13.1 a new device management type became available: User Enrollment. It gives iOS an equivalent of the Android Enterprise work profile, intended specifically for managing personal (BYOD) devices. Like the Android work profile, it separates the user's personal and corporate apps and data: the device creates an isolated managed volume that keeps work apps and data separate from personal apps and data, and the MDM only gets the limited set of management rights and inventory that Apple allows for a personal device.
To support User Enrollment, Microsoft rolled out new enrollment types (in preview) in Intune. In this blog I will have a first look at iOS User Enrollment with Microsoft Intune.
There are some requirements to start with iOS User Enrollment using Microsoft Intune:
- Device with iOS 13.1 or later
- Managed Apple IDs for the end-users (created in Apple Business Manager)
- Apple enrollment enabled in Intune (MDM push certificate set up)
- Apple Volume Purchase Program (VPP) tokens setup in Intune (to deploy apps)
Setup iOS User Enrollment in Microsoft Intune
To get started with iOS User Enrollment using Microsoft Intune, we first have to create a new Enrollment type profile.
- Sign-in to the Device Management Portal
- Browse to Device enrollment – Apple enrollment
- Click Enrollment types (preview) under Enrollment targeting
- Click Create profile
- Click iOS
- Give the enrollment type profile a Name
- Enter a Description
- Click Next
On the Settings page we choose whether the user must select the device (enrollment) type during enrollment.
If you leave it at Not configured, you have to choose a Default enrollment type: User enrollment or Device enrollment.
As I want to show the complete enrollment experience for an end-user, with the choice between a privately owned and a corporate-owned device, I choose Required.
Have a look at the Information message which is shown when you choose Required:
Deploy the Azure Authenticator app as required for Conditional Access to work.
- Check Required
- Click Next
- Assign the profile by choosing All users or a user security group of your choice
- Click Next
- Review the settings
- Click Create
The Enrollment type profile is created and ready to be used.
Because (at this moment) nothing has changed in the configuration and compliance policies in Intune, and your current policies also apply to User Enrolled devices, I will not cover that part in this article.
If you want to deploy apps to the device, keep in mind that they must be VPP apps!
Now let's have a look at the end-user experience when the device is a personal device and we perform a User enrollment.
Make sure your iPhone runs iOS 13.1 or later. First download the Intune Company Portal app from the App Store. As soon as the Company Portal app is installed, open the app and choose Sign in. Authenticate by entering your corporate (Azure AD) username and password and click Next.
- Click Begin
- Select I own this device
- Select Secure work-related apps and data only
- Click Continue
- Click Continue
- Review both pages to read what can and cannot be seen by the company (administrators)
- Click Continue
- Click Continue to start downloading the management profile
- Click Allow when the pop-up shows up to allow the download of the profile
- When the profile is downloaded, click Close
- Click Continue now
- Click Continue to Install the management profile
- An informational page is shown How to install Management profile
- Go to the Settings app of your device
- Select Enroll Klapwijk (the name of your organization)
- You might be asked for your passcode if one is set
- Review the information
- Select Enrol My iPhone
- Enter the password of your Managed Apple ID
- A multi-factor challenge might be required
- Click Sign in
- The management profile is installed
- Close the Settings app
- Open the Intune Company Portal app
- At this point a pop-up might show up to notify you about (required) app installations. The installation of required apps might start now, or later during or soon after the enrollment.
- Click Install
- You might also receive a pop-up about the passcode requirement, if that is set as a requirement (or the current passcode doesn't meet the requirements)
- Click Later, to first finish the enrollment
- Or click Change now, to change the current passcode
- Click Continue to update and confirm the device settings
- The device settings are confirmed which might take a few minutes
- Click Done
- Click OK to acknowledge the message about notifications
- Click Allow to allow the Company portal to send notifications
The iPhone is now successfully enrolled as personal (BYOD) device using iOS User enrollment.
If you open the Devices tab and select the current device, you can find information about the device such as the compliance status and the Ownership type.
As the iPhone is successfully enrolled and compliant, you should now be able to access corporate data using this device.
What does that look like in the Intune portal
If we take a look at the Intune portal we can see the device is enrolled as personal device.
- Open the Device Management Portal
- Click Device – All devices
- Search for your iOS device
If we open the properties of the device, we see that the ownership is Personal.
On the Hardware tab we see the effect of User enrollment: for example, no serial number and no IMEI are shown, because Apple does not expose those hardware identifiers to the MDM for a user-enrolled device.
Perform a retirement
The iOS device is enrolled as a BYOD device, so a retire action from Intune should only remove the corporate managed apps and data, and not reset the entire device.
- Open the Device Management Portal
- Click Device – All devices
- Search for your iOS device and select the device
- On the Overview tab click Retire
- Acknowledge the information and click Yes to start the retire action
On the end-user device a pop-up is shown when you open the Intune Company Portal app, confirming the removal of the device from Intune. The managed apps with corporate data are indeed removed from the device, without a factory reset and without touching personal data.
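The two portal checks above (ownership Personal, no serial/IMEI on the Hardware tab) and the retire-instead-of-wipe rule can also be enforced from a script against the Microsoft Graph managedDevices resource. The following is an added example and not code from the original post or from Microsoft: it reads device records in the shape Graph v1.0 returns for GET /deviceManagement/managedDevices, flags user-enrolled devices whose record does not look like a BYOD device, and builds the POST for the retire action while refusing to build a wipe for a personal or user-enrolled device. The three device records are constructed for the example (the IDs and serial are not real), and the `appleUserEnrollment` / `managedDeviceOwnerType` values are the Graph enumeration values; the request is built but not sent, so it runs offline.

```python
"""Guard rails for remote actions on iOS User Enrollment devices (added example)."""
import json

GRAPH_DEVICES = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"

# Constructed sample shaped like a Graph managedDevices response; not real devices.
SAMPLE_RESPONSE = json.dumps({"value": [
    {   # personal iPhone enrolled through User Enrollment: no serial/IMEI exposed
        "id": "11111111-1111-4111-8111-111111111111", "deviceName": "iPhone",
        "operatingSystem": "iOS", "osVersion": "13.3",
        "managedDeviceOwnerType": "personal",
        "deviceEnrollmentType": "appleUserEnrollment",
        "serialNumber": "", "imei": "", "isSupervised": False},
    {   # corporate iPhone enrolled through ABM/DEP: full inventory, supervised
        "id": "22222222-2222-4222-8222-222222222222", "deviceName": "iPhone-ABM",
        "operatingSystem": "iOS", "osVersion": "13.3",
        "managedDeviceOwnerType": "company",
        "deviceEnrollmentType": "appleBulkWithUser",
        "serialNumber": "SAMPLE-SERIAL-0002", "imei": "000000000000002",
        "isSupervised": True},
    {   # user-enrolled but recorded as company owned: something to look at
        "id": "33333333-3333-4333-8333-333333333333", "deviceName": "iPhone-odd",
        "operatingSystem": "iOS", "osVersion": "13.3",
        "managedDeviceOwnerType": "company",
        "deviceEnrollmentType": "appleUserEnrollment",
        "serialNumber": "", "imei": "", "isSupervised": False},
]})

# Graph deviceEnrollmentType values that mean Apple User Enrollment.
USER_ENROLLMENT_TYPES = {"appleUserEnrollment", "appleUserEnrollmentWithServiceAccount"}


def parse_devices(raw):
    """Return the device records from a Graph managedDevices response body."""
    return json.loads(raw)["value"]


def is_user_enrolled(dev):
    return dev.get("deviceEnrollmentType") in USER_ENROLLMENT_TYPES


def user_enrolled_devices(raw):
    return [d for d in parse_devices(raw) if is_user_enrolled(d)]


def audit_device(dev):
    """Findings that should never occur for a User Enrollment device."""
    findings = []
    if not is_user_enrolled(dev):
        return findings
    if dev.get("managedDeviceOwnerType") != "personal":
        findings.append("user-enrolled device not recorded as personal")
    if dev.get("serialNumber") or dev.get("imei"):
        findings.append("user-enrolled device reports serial/IMEI")
    if dev.get("isSupervised"):
        findings.append("user-enrolled device claims supervision")
    return findings


def choose_remote_action(dev, requested):
    """Allow 'retire' anywhere; allow 'wipe' only on corporate, non-user-enrolled devices."""
    requested = requested.lower()
    if requested not in {"retire", "wipe"}:
        raise ValueError(f"unsupported action {requested!r}")
    personal = dev.get("managedDeviceOwnerType") == "personal"
    if requested == "wipe" and (personal or is_user_enrolled(dev)):
        raise ValueError(f"refusing to wipe personal/user-enrolled device {dev['id']}: use retire")
    return requested


def build_action_request(dev, action):
    """(method, url) for the Graph device action; send it with a Bearer token."""
    action = choose_remote_action(dev, action)
    return "POST", f"{GRAPH_DEVICES}/{dev['id']}/{action}"


if __name__ == "__main__":
    for dev in parse_devices(SAMPLE_RESPONSE):
        print(dev["deviceName"], audit_device(dev) or "ok")
        try:
            print("  ", *build_action_request(dev, "wipe"))
        except ValueError as err:
            print("  ", err)
        print("  ", *build_action_request(dev, "retire"))
```

The guard deliberately keys on both the owner type and the enrollment type: the owner type is an admin-editable attribute, while the enrollment type records how the device actually came in, so a mislabelled record still cannot receive a wipe.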
Conclusion about the preview experience
At the moment of writing this article, the User enrollment feature has been in preview in Intune for only a few days, and Microsoft might change or fix some things around iOS User enrollment.
As an end-user, the enrollment went fine without any issues, but there are some other things which don't work correctly (all the time).
Configuring Outlook, for example, worked without any issues the first time, but after I retired the iPhone and tried to set up Outlook again (after re-enrollment), it fails. Maybe I need to deploy an App Configuration Policy to get this working, but I need to test that later.
Deploying apps to the device with a required assignment runs fine, as long as you choose the user license type. If you use device licensing, the installation fails with the message "Error code: 0x87D13B69 Device VPP licensing is only applicable for iOS 9.0+ devices.".
If I deploy the app as available, it fails over and over again when I try to install the app from the Company Portal app.
Another thing I noticed, related to app deployment: when I search in the Company Portal app for, for example, Outlook, it shows two Outlook versions. Probably one is the VPP app and the other the store app. Pretty confusing; I expect only the VPP version to be shown.
Another small thing I would like to see (it probably requires Apple to do some work at the iOS level), which I do like about the Android work profile, is some sort of briefcase icon on the managed apps. At this moment there is nothing that shows the end-user that an app is managed. There is no visible separation between personal and corporate apps, like we see with the Android work profile. For example, you only have one Outlook app, which is used for both personal and corporate accounts.
As an admin I would like Microsoft to provide us with a separate set of configurations only for User enrolled devices. At this moment there is, for example, one Device restrictions profile type for both fully enrolled and User enrolled devices, but not all settings are applicable to User enrolled devices.
And for a lot of (smaller) companies the required Managed Apple ID might be an obstacle. I personally prefer the solution Google uses for Android Enterprise, which uses random Android for Work accounts that don't need to be created by the company.
Update February 13th 2020
Not much has changed since I did the first tests with iOS User Enrollment.
Application deployment still doesn't seem to work when you set the assignment to Required and the license type to Device. If you use license type User, the installation runs fine, but the reporting in the Intune portal shows different behavior, sometimes Succeeded and sometimes Failed (with different errors, like the one already mentioned, or "The app is already installed on the device, but is not managed by Intune. MDM cannot prompt management take over on devices with OS version lower than iOS 9. The user can manually uninstall the app and then install it via MDM.").
Installing applications which are assigned as Available does work fine now. The app is installed, but again the reporting in the portal shows different statuses.
That's it for now. I will update the article regularly when Microsoft or Apple brings out new updates around iOS User Enrollment.
Hi, does the user first need to complete the setup assistant and use a personal Apple ID? And when enrolling, what Apple ID should then be used? Is a managed Apple ID one that is created by Azure AD and synced to DEP?
A Managed Apple ID is used, nothing personal.
Federation with Azure AD is not publicly available to businesses yet, so at the moment you unfortunately need to create the users manually.
Can you elaborate a bit more on the Managed Apple ID, please?
In the device/setup assistant the user needs to use the Managed Apple ID, correct?
And in DEP or Business Manager we create a Managed Apple ID manually?
As described in the article: Enter the password of your Managed Apple ID.
Here the user needs to use the Managed Apple ID to authenticate.
At this moment you need to create these Managed Apple IDs in the Apple Business Manager portal (manually, unfortunately), that's correct.
Thanks Peter, all clear.
Default enrollment type: User enrollment or Device enrollment.
What is the difference between the two options? Is it the choice when enrolling between a personal and a corporate device?
Sorry for the late response!
But yes, User enrollment is meant for personal devices and Device enrollment for corporate owned devices.
Not getting prompted to install the managed user ID profile. Still getting a standard user profile like any old iOS enrollment. We are working with multiple domains and a few Azure tenants. Can you provide more detail on what needs to be set up in Apple Business Manager? Do email domains need to match between Azure and Apple, etc.?
The Managed Apple ID must match the UPN in Azure AD. When the screen shows up on the iPhone to sign in with the Apple ID, the Apple ID is pre-populated and cannot be changed.
At the moment you need to manually create users in Apple Business Manager as long as there is no federation between both services for companies (I guess there is for education). So that is definitely a disadvantage.
I've tried creating an account in Apple Business Manager, assigned it the staff role, and the account matched the tenant UPN. Still I'm not seeing the section to sign in using the downloaded profile with any account. It only acts like a normal iOS enrollment, not prompting for a corporate managed account. I also called Apple and they had no idea.
Question: is the device in supervised mode after enrollment? Because most device configuration policies require supervised or DEP.
No, they are only supervised when enrolled with DEP.
Do we need to create Managed Apple IDs in ABM after federation? Though the federation is done, the devices are going through the normal enrollment process. Only if the accounts are created in ABM manually do we get to see User Enrollment.
I have not used federation, but with federation the accounts should be created automatically in ABM.
User enrollment should be visible when federation is used, as far as I know. But as it is a preview, things might not work as expected.
We had to abandon User based enrollment back in November 2019 and go back to Device based enrollment because Apple did not allow us to have an ABM account. During the verification process, we were told ABM is for corporate owned devices only; since we have a BYOD environment, ABM is not for us.
It is a big disadvantage ABM (DEP) accounts need to be used for this. Google has done a better job with Work profile.
I totally understand "iOS User Enrollment".
The other way of creating an enrollment profile for a user is "iOS Device Enrollment".
As the name suggests, this registers the device as CORPORATE in Intune.
So if I install and sign in to Company Portal on my running iOS device, Intune will realize that this device has to be treated as CORPORATE.
So my understanding is that I will be asked to factory-reset the device.
If I factory-reset the device, I want to know what the next step is to enroll the device.
It's like a brand-new device which I want to enroll into Intune.
Do I have to again install Company Portal and sign in, and will Intune sense that this is a brand new installation?
Basically, if I clarify the above a little more step by step:
• I start my enrollment process in the same way as you showed in the demo, meaning I open the Company Portal app and sign in.
• I have been assigned a particular enrollment profile already created in Intune.
• This enrollment profile has enrollment type "Device Enrollment" (this is different from your blog).
• This is to enroll the device as CORPORATE in Intune.
• So although the device serial ID is NOT in Intune, from Intune's point of view this is a CO (corporate owned, fully managed) device.
• In general, when I am doing a CO type of enrollment, the MDM would ask to factory-reset the device.
• So the Company Portal app will show me a message to factory-reset the device and kick off enrollment.
• If it were Android, I could factory-reset and then scan the QR code or enter the token manually (pre-created in Intune) to kick-start the enrollment process from the brand new device.
• I do not know how to kick-start the enrollment process in the case of iOS once I factory-reset the device.
• Do I have to manually install Company Portal on the factory-reset device, and does it then kick off?
Will Intune sense that this is a brand new device and ready to be enrolled as CORPORATE?
If you enable User enrollment and the end-user chooses during enrollment that the iOS device is owned by the company, no factory reset is needed. The enrollment is not completely equal to the above, but a wizard-like enrollment is started as above. Some steps differ, and more info is visible for the IT admin in the Endpoint Manager portal.
If you want a zero-touch deployment of your iOS devices, you should use Apple Business Manager (formerly known as DEP). In that case, when a new device is started (or after a factory reset), enrollment starts.
Great article. Thank you for the info. Just a few questions about the deployment of apps. As you said, iOS devices do not have the work container. Currently we have deployed Defender ATP as well and made apps available in Company Portal. However, the apps installed are being downloaded from the App Store. How does this separate work and private data when using the same app? For example Word or Outlook, where you add a private account in the app. Can the company also manage or see this info?
Hi Peter, many thanks for the write-up on how to deploy iOS devices via Intune. I have configured the works (registered with ABM, set up the VPP token) so I do not need to create fake company Apple IDs but do it via ABM. I imported several apps via ABM into Intune and that worked fine. Now my biggest question is: I enroll a user (based on the ABM setup) and this user cannot install anything from the App Store (that is what we want, eh?), but how can I then let the user deploy the very first app needed to control the device? If I am not allowed to download Intune Company Portal as an app, then how can I deploy the device? My workaround now is to temporarily use my private Apple ID to sign in to the App Store, download the Intune app and then remove the account again, but this is a crude workaround. What am I doing wrong here?
This article describes the User enrollment management option. This is intended for personally owned devices, and yes, the user should use his personal Apple ID to install the Company Portal app.
Hi Peter, I'm a bit confused about signing in to Company Portal on the device, and then signing in with the Managed Apple ID on the device. I sign in to Company Portal fine, but when signing in with the Managed Apple ID, it displays the corporate email address that I log in to Company Portal with. The Managed Apple ID cannot be edited to change it to my @company.appleid.com address. Do I need to add my corporate email address domain in Apple Business Manager as a Managed Apple ID domain?