iOS management via Microsoft Intune allows organizations to securely manage and deploy iOS devices and applications. It provides tools for configuring settings, enforcing security policies, distributing apps, and ensuring compliance.
Devices can be enrolled through Automated Device Enrollment (ADE) via Apple Business Manager or manually (for Personal Devices – Bring your Own Device). Intune supports managing both App Store and in-house apps with configuration and protection policies. It enforces security measures like PINs, encryption, and remote wipe for lost devices, while real-time compliance checks ensure security standards are met. Intune simplifies iOS management, balancing security with user productivity.
Previously used SCEP Certificate
Until now, all MDM solutions used a SCEP certificate, issued by the MDM solution itself, to secure the communication between the MDM solution and the managed devices.
After Apple announced ACME (Automated Certificate Management Environment) certificates at WWDC 2022, every MDM solution should move to deploying ACME in place of the SCEP certificate. ACME gives the device better protection, reduces the risk of hijacking, and is also a mandatory prerequisite for the Apple Device Attestation feature.
The New ACME!
Intune supports the new certificate for iOS, iPadOS and macOS devices. The ACME certificate keeps the devices' connections to enterprise systems far more secure than the old SCEP certificate did: it makes the devices more resistant to hijacking and backdoors, giving a stronger defense against unauthorized access and potential threats.
Devices eligible for ACME Certificate:
1- Device Type: iOS and iPadOS devices (A11 Bionic and later chips) and macOS devices (Apple Silicon).
2- Enrollment Type: User Enrollment, Device Enrollment and Automated Device Enrollment.
What’s the difference between Device Attestation and ACME Certificate?!!
The ACME certificate replaces the SCEP certificate for all new enrollments, but it is NOT Device Attestation.
Apple Device Attestation is a security feature that verifies the authenticity and integrity of Apple devices during enrollment and ongoing management. It ensures that a device is genuine and running an unmodified, trusted version of Apple’s operating system. This process helps organizations prevent unauthorized or compromised devices from accessing corporate systems and data.
By ensuring only trusted devices can connect to enterprise resources, Apple Device Attestation strengthens overall security, especially in environments with strict compliance requirements.
Microsoft Intune announced support for Apple Device Attestation earlier in May; from the roadmap it seems it will be released in the first half of 2025.
Any changes for End-Users?!!
No. There are no changes at all on the end-user side; the enrollment steps (for whichever enrollment type) remain as they are.
The only difference is that in the Device Management Profile the user sees an ACME certificate instead of a SCEP one.
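The difference is also visible in the configuration profile itself, since Apple uses distinct payload types for the two mechanisms. The following Python script is an added example, not code from the original article, from Microsoft or from Apple: it reads a configuration-profile plist, distinguishes the ACME payload (`com.apple.security.acme`) from the legacy SCEP payload (`com.apple.security.scep`), and reports whether each ACME key is hardware-bound and requests attestation. The embedded profile, its URLs and its identifiers are constructed sample data; Intune's real management profile is not reproduced on this page, so run the audit against a profile you have exported yourself.

```python
import plistlib

# Apple payload type identifiers for the two certificate-enrollment mechanisms
# the article contrasts: the new ACME payload and the legacy SCEP payload.
ACME_PAYLOAD = "com.apple.security.acme"
SCEP_PAYLOAD = "com.apple.security.scep"

# Constructed sample profile (not an Intune-generated management profile).
# It deliberately carries one ACME payload and one legacy SCEP payload so both
# audit branches run; URLs and identifiers are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.mdm.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.acme</string>
      <key>PayloadIdentifier</key><string>example.mdm.acme</string>
      <key>DirectoryURL</key><string>https://mdm.example.invalid/acme/directory</string>
      <key>ClientIdentifier</key><string>constructed-client-id</string>
      <key>KeyType</key><string>ECSECPrimeRandom</string>
      <key>KeySize</key><integer>256</integer>
      <key>HardwareBound</key><true/>
      <key>Attest</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.scep</string>
      <key>PayloadIdentifier</key><string>example.mdm.scep</string>
      <key>PayloadContent</key>
      <dict>
        <key>URL</key><string>https://mdm.example.invalid/scep</string>
        <key>Key Type</key><string>RSA</string>
        <key>Keysize</key><integer>2048</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def audit_certificate_payloads(profile_bytes):
    """Return one finding per certificate payload in a configuration profile.

    For ACME payloads the finding records whether the private key is
    hardware-bound (Secure Enclave) and whether device attestation is
    requested; these are the properties that make ACME stronger than SCEP,
    whose keys carry neither.
    """
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == ACME_PAYLOAD:
            findings.append({
                "identifier": payload.get("PayloadIdentifier"),
                "mechanism": "ACME",
                "key": f'{payload.get("KeyType")}-{payload.get("KeySize")}',
                "hardware_bound": bool(payload.get("HardwareBound", False)),
                "attest": bool(payload.get("Attest", False)),
            })
        elif ptype == SCEP_PAYLOAD:
            # SCEP settings sit in a nested PayloadContent dictionary.
            scep = payload.get("PayloadContent", {})
            findings.append({
                "identifier": payload.get("PayloadIdentifier"),
                "mechanism": "SCEP",
                "key": f'{scep.get("Key Type", "RSA")}-{scep.get("Keysize")}',
                "hardware_bound": False,
                "attest": False,
            })
    return findings


def weaknesses(findings):
    """List the findings an administrator should act on, in profile order."""
    issues = []
    for f in findings:
        if f["mechanism"] == "SCEP":
            issues.append(f'{f["identifier"]}: legacy SCEP payload, key is neither hardware-bound nor attested')
        elif not f["hardware_bound"]:
            issues.append(f'{f["identifier"]}: ACME key is not HardwareBound')
        elif not f["attest"]:
            issues.append(f'{f["identifier"]}: ACME payload does not request attestation (Attest is false)')
    return issues


if __name__ == "__main__":
    results = audit_certificate_payloads(SAMPLE_PROFILE)
    for r in results:
        print(f'{r["identifier"]}: {r["mechanism"]} {r["key"]} '
              f'hardware_bound={r["hardware_bound"]} attest={r["attest"]}')
    for issue in weaknesses(results):
        print("WARNING", issue)
```

The function expects plain XML plist bytes, so a `.mobileconfig` exported from a device or a portal must be unwrapped first if it is CMS-signed (for instance with openssl's smime verify); after that, pass the file contents to `audit_certificate_payloads` and act on whatever `weaknesses` reports.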
ACME in MacOS
As mentioned before, every enrollment type for macOS should now generate and use an ACME certificate instead of SCEP.
The device below was recently enrolled through Device Enrollment (BYOD):
1- Go to Settings, General, then Device Management.
2- Click on Management Profile; you can see the ACME certificate with all its details as described in Apple's documentation.
ACME in iOS and iPadOS
For iOS and iPadOS enrollment, the steps to verify the ACME certificate are:
1- Complete the enrollment for the device (the enrollment type does not matter).
2- Navigate to Settings, General, VPN and Device Management to see the ACME certificate.
3- For more details of the certificate information and attributes, tap More Details and select ACME Certificate.
Once Microsoft Intune releases the Apple Device Attestation feature, you will also be able to see here whether the device hardware has been attested or not.
Conclusion
The integration of Microsoft Intune with Apple's ACME (Automated Certificate Management Environment) certificates is a vital step towards enhancing the security and efficiency of managed Apple devices. By following the enrollment process and navigating to the appropriate settings, users can easily access the ACME certificate and its detailed attributes. Furthermore, the upcoming Apple Device Attestation feature in Microsoft Intune will provide valuable insight into the hardware attestation status of the devices, further bolstering security measures in enterprise environments.