IntuneBytes-Apple-User-Enrollment

Apple User Enrollment Explained

Apple User Enrollment offers a privacy-focused way to enroll personal (BYOD) Apple devices into Mobile Device Management (MDM) systems like Microsoft Intune. This enrollment model provides a balance between enterprise security and user privacy, making it a perfect fit for companies supporting bring-your-own-device (BYOD) policies.

This IntuneBytes article explains Apple User Enrollment, its prerequisites from a Microsoft Intune perspective, and best practices for setup and management.

What Is Apple User Enrollment?

Apple User Enrollment is a streamlined MDM profile designed for personal devices. Unlike Device Enrollment, which gives the organization full control, User Enrollment maintains a clear divide between personal and corporate data.

Apple User Enrollment establishes a separate managed APFS volume to store all work-related data, with MDM controls confined within this managed APFS volume. MDM cannot access information outside this space, like the device’s serial number, or deploy a device-wide VPN.

MDM also cannot reach outside the managed APFS volume to install App Store apps tied to the user's personal Apple ID. Apps in this setup must stay within the managed volume and are delivered as VPP user-licensed apps through Apple Business Manager.

Setting Up Apple User Enrollment in Intune

To enable Apple User Enrollment in your tenant, you need the following:

1. Apple Business Manager (ABM) account

2. Apple MDM Push Certificate

3. Service discovery server

4. Just-in-Time (JIT) registration policy

5. Account Driven User Enrollment profile

6. Company Portal web version or Company Portal app

Apple User Enrollment In Depth:

1. Apple Business Manager:

Apple Business Manager is a simple, web-based portal for organizations using MDM solutions to automate device enrollment, manage app and book purchases, and create the Managed Apple IDs for users that Apple User Enrollment requires.

Best practice is to sync AD users to Apple Business Manager; see this Apple article for details: https://support.apple.com/en-eg/guide/apple-business-manager/axm3ec7b95ad/web

2. Enable Apple MDM Push Certificate in Intune:

Apple devices will only trust an MDM solution, install its apps, or apply its pushed policies if Apple recognizes that solution as trusted. Apple User Enrollment therefore requires an Apple MDM Push certificate to be created for the tenant.

Microsoft documents the steps to set up the MDM Push certificate here: https://learn.microsoft.com/en-us/mem/intune/enrollment/apple-mdm-push-certificate-get

3. Create a service discovery server to route all enrollment requests to the Intune tenant:

This server receives the enrollment lookups made with Managed Apple IDs and redirects them to your Intune tenant. Our separate article explains one method of easily deploying this service discovery server with all of Microsoft Intune's requirements.
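The discovery server in step 3 answers a fixed well-known lookup: the device takes the domain from the Managed Apple ID, requests https://<domain>/.well-known/com.apple.remotemanagement, and expects a JSON body listing an MDM "Servers" entry. As an added example that is not the article's or Microsoft's own code, this Python builds that document and validates a captured response the way you would when enrollment stalls at the Managed Apple ID step; the Intune BaseURL value is an assumption to confirm against Microsoft's documentation.

```python
import json
from urllib.parse import urlsplit

# Apple devices derive the domain from the Managed Apple ID and request this path.
WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
BYOD_VERSION = "mdm-byod"  # the value Apple uses for User Enrollment (BYOD)
# Assumed value: confirm the current enrollment URL in Microsoft's Intune docs.
INTUNE_BASE_URL = "https://manage.microsoft.com/EnrollmentServer/PostAccountDrivenUserEnrollment"


def build_discovery_document(base_url: str = INTUNE_BASE_URL) -> str:
    """Return the JSON body the discovery server must serve at WELL_KNOWN_PATH."""
    return json.dumps({"Servers": [{"Version": BYOD_VERSION, "BaseURL": base_url}]})


def validate_discovery_response(status: int, content_type: str, body: str) -> list:
    """Check a captured discovery response; returns a list of problems (empty = usable).
    Mirrors what the device needs: HTTP 200, a JSON content type, a non-empty
    "Servers" array, the mdm-byod version and an absolute https BaseURL."""
    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}, expected 200")
    if content_type.split(";")[0].strip().lower() != "application/json":
        problems.append(f"Content-Type {content_type!r}, expected application/json")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return problems + [f"body is not valid JSON: {exc}"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return problems + ['missing or empty "Servers" array']
    for i, entry in enumerate(servers):
        if not isinstance(entry, dict):
            problems.append(f"Servers[{i}] is not an object")
            continue
        version, base_url = entry.get("Version"), entry.get("BaseURL")
        if version != BYOD_VERSION:
            problems.append(f"Servers[{i}].Version is {version!r}, expected {BYOD_VERSION!r}")
        parts = urlsplit(base_url) if isinstance(base_url, str) else None
        if parts is None or parts.scheme != "https" or not parts.netloc:
            problems.append(f"Servers[{i}].BaseURL {base_url!r} must be an absolute https URL")
    return problems


if __name__ == "__main__":
    # Constructed samples: a well-formed document, then a misconfigured server
    # that answers with the wrong content type, version string and an http URL.
    print(validate_discovery_response(200, "application/json", build_discovery_document()))  # -> []
    bad = '{"Servers":[{"Version":"mdm","BaseURL":"http://mdm.example.com/enroll"}]}'
    print(validate_discovery_response(200, "text/plain", bad))
```

The server must also present a certificate the device trusts for the Managed Apple ID domain; a redirect or a captive-portal page at the well-known path shows up here as a non-JSON body.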

4. JIT Policy is mandatory:

With account-driven User Enrollment, enrollment is not finalized through the Company Portal, which normally handles the Azure registration step. The admin must instead deploy a JIT (Just-In-Time) registration policy so that Azure registration completes and enrollment finishes.

The admin should open the Microsoft Intune portal >> iOS >> Device Configuration Profile >> create a new policy >> select Device restrictions, and configure only the Single Sign-On Extension settings.


5. Create an Enrollment Profile for User Enrollment:

   – Go to Devices >> iOS/iPadOS >> Enrollment >> Enrollment Types >> Create profile.

   – Select Account Driven User Enrollment and assign it to the targeted user groups.

6. Deploy the Company Portal web version (https://portal.manage.microsoft.com) as a web app, or the Company Portal app as a VPP user-licensed app, and assign it to the user group.

This link describes how to add a web app to Intune: https://learn.microsoft.com/en-us/mem/intune/apps/web-app#add-a-web-app-to-intune

What Does Enrollment Look Like?

1- Users start enrollment on their iOS device by going to Settings > General > VPN and Device Management, then tapping Sign in to Work or School Account.

The user is asked to enter Microsoft credentials for an account that has an Intune license.


2- After authentication, the user is asked to sign in with a Managed Apple ID. When the user taps sign in, the Managed Apple ID must have the same UPN as the Microsoft account; the user cannot change it at this point.


3- The user must consent to installation of the Remote Management profile, which is installed inside the managed APFS volume and tied to the Managed Apple ID.


4- Opening any Microsoft app or the Company Portal web version completes Azure registration.


5- End users can sync device settings from either the Company Portal web version or the Company Portal app.
