Seamless & Secure: Effortless iOS and iPad Web Based Device Enrollment in Microsoft Intune

Microsoft Intune enables secure access to organizational resources on personal iOS and iPad devices through device enrollment, balancing security and user experience. IT admins can enforce policies, configure apps, and protect corporate data while allowing BYOD access to email and corporate apps. By managing only work data, Intune keeps personal information separate, ensuring security and productivity from anywhere.

In this article we’ll go through web based device enrollment: its requirements, the administrative tasks, and the end user experience.

Web Based Device Enrollment

Personal devices can be enrolled in Microsoft Intune through:

  • Device Enrollment:
    • Device enrollment through the Company Portal application: the end user installs the Company Portal application, signs in to it and goes through the usual steps (download the management profile, install it and complete device registration via the Company Portal app).
    • Web based device enrollment: a simplified enrollment that lets the user complete device enrollment from the web without installing the Company Portal application.
  • Apple User Enrollment: which needs a Managed Apple ID, a VPP token and a Service Directory Server. We’ve published two articles before explaining Apple User Enrollment and the easiest way to set up a Service Directory Server.

Web Based Device Enrollment Requirements

The Intune administrator needs to complete all of the requirements below to enable users for this enrollment type:

1- Enrollment Type

The administrator MUST allow this enrollment type and assign it to the eligible users as follows:

  • Access the Intune portal and navigate to Devices > iOS/iPadOS > Enrollment > Enrollment Types.
  • Click Create Profile, name it as you need and select the enrollment type “Web based device enrollment”.
  • Finally, assign the profile to the targeted users.
  • Ensure that the profile you created has the highest priority to avoid any issues.

If the assigned profile does not have the highest priority, click the three dots to the left of the profile’s priority number and drag the profile to the priority needed.

2- Just in Time (JIT) Registration Profile

Just in Time (JIT) registration is a newer registration method introduced by Microsoft Intune to simplify device registration in Azure, so that the device gets an Azure Device ID attached to its Intune Device ID.

Enrollment via the Company Portal application completes the device registration in Azure by itself; JIT is mandatory for web based device enrollment and Apple User Enrollment, because without it the device will not be registered in Azure (the Azure Device ID will be all zeros).

You need to create the JIT policy by following these steps:

  • Access the Intune portal and navigate to Devices > iOS/iPadOS > Configuration > Create new Policy.
  • Select Templates and the Device Features template.
  • You only need to configure “Single sign-on app extension”:
    • SSO app extension type > Microsoft Entra ID
    • Additional configuration:
      “device_registration” > String > {{DEVICEREGISTRATION}}
      “browser_sso_interaction_enabled” > Integer > 1
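The JIT profile settings above, as an added example that is not part of the original article: a small Python check over a profile exported from Microsoft Graph (assumed to be an iosDeviceFeaturesConfiguration carrying an iosSingleSignOnExtension) that flags the misconfiguration which leaves the Azure Device ID at zeros. The sample payload is constructed.

```python
# Added example (not from the article). Assumes the profile was exported from
# Microsoft Graph as an iosDeviceFeaturesConfiguration whose
# iosSingleSignOnExtension holds the Entra ID extension's key/value pairs.
ENTRA_EXTENSION = "#microsoft.graph.iosAzureAdSingleSignOnExtension"

# The two keys the article requires for Just in Time registration, with the
# Graph value type and the value each must carry.
REQUIRED = {
    "device_registration": ("#microsoft.graph.keyStringValuePair", "{{DEVICEREGISTRATION}}"),
    "browser_sso_interaction_enabled": ("#microsoft.graph.keyIntegerValuePair", 1),
}


def check_jit_profile(profile: dict) -> list[str]:
    """Return a list of problems; an empty list means the profile is ready for JIT."""
    ext = profile.get("iosSingleSignOnExtension") or {}
    if ext.get("@odata.type") != ENTRA_EXTENSION:
        return ["SSO app extension type is not Microsoft Entra ID"]
    # Index the extension's key/value pairs by key name.
    found = {c.get("key"): c for c in ext.get("configurations", [])}
    problems = []
    for key, (odata_type, value) in REQUIRED.items():
        pair = found.get(key)
        if pair is None:
            problems.append(f"missing key {key!r}")
        elif pair.get("@odata.type") != odata_type:
            problems.append(f"key {key!r} has wrong type {pair.get('@odata.type')}")
        elif pair.get("value") != value:
            problems.append(f"key {key!r} has value {pair.get('value')!r}, expected {value!r}")
    return problems


# Constructed sample: the extension type is right, but device_registration was
# mistyped, so JIT never runs and the Azure Device ID would stay all zeros.
SAMPLE_BROKEN = {
    "@odata.type": "#microsoft.graph.iosDeviceFeaturesConfiguration",
    "iosSingleSignOnExtension": {
        "@odata.type": ENTRA_EXTENSION,
        "configurations": [
            {"@odata.type": "#microsoft.graph.keyStringValuePair",
             "key": "device_registation", "value": "{{DEVICEREGISTRATION}}"},
            {"@odata.type": "#microsoft.graph.keyIntegerValuePair",
             "key": "browser_sso_interaction_enabled", "value": 1},
        ],
    },
}
```

Run `check_jit_profile` against the exported profile before assigning it; any non-empty result means web enrolled devices will register with an all-zero Azure Device ID.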

3- Microsoft Authenticator

Microsoft Authenticator (the App Store version is fine) MUST be assigned as Required to the targeted users: once the management profile is installed and the user tries to access organization data protected by an Azure Conditional Access policy, Microsoft Authenticator must be installed to collect the device information and send it to Azure Conditional Access for correct evaluation.

  • Access the Intune portal and navigate to Apps > iOS/iPadOS Apps.
  • Click Add and select Store App.
  • Search for Microsoft Authenticator and assign it as Required to the targeted user group.

How to trigger Enrollment

Users can enroll their personal devices with this enrollment type in one of the following ways:

1- Via Conditional Access Policy

You can create a Conditional Access policy and assign it to the needed services with the requirement “Require device to be marked as compliant”. Then, when users try to access a resource, they are redirected automatically to the Safari browser to start enrollment.

The Conditional Access policy needs to be as follows:

  • 1- Create the Conditional Access policy from the Azure portal.
  • 2- Users: select the targeted user group for this enrollment type.
  • 3- Target resources: Office 365 will be fine, and you can add any additional services needed.
  • 4- Conditions:
    • You need to select Device platforms > iOS
    • For Client apps you need to select Mobile apps and desktop clients, and Browser
  • 5- Grant: you MUST select Require device to be marked as compliant, plus any additional controls needed (e.g. MFA).
  • Ensure that the Conditional Access policy is in the “On” state and click Create.
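The policy recipe above as an added check that is not part of the original article: a Python validator over the Microsoft Graph conditionalAccessPolicy JSON shape (field names assumed from Graph) that reports which of the listed settings is missing. The sample policy, including its group id placeholder, is constructed.

```python
# Added example (not from the article). Checks a Conditional Access policy in
# the Microsoft Graph conditionalAccessPolicy JSON shape against the recipe
# above; the sample policy at the bottom is constructed.
REQUIRED_CLIENT_APPS = {"browser", "mobileAppsAndDesktopClients"}


def check_ca_policy(policy: dict) -> list[str]:
    """Return the settings that deviate from the recipe (empty list = policy OK)."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    platforms = cond.get("platforms") or {}
    grant = policy.get("grantControls") or {}
    problems = []
    # Report-only policies never redirect anyone to enrollment.
    if policy.get("state") != "enabled":
        problems.append(f"state is {policy.get('state')!r}, must be 'enabled' (ON)")
    if not (users.get("includeGroups") or users.get("includeUsers")):
        problems.append("no targeted users or groups")
    if "Office365" not in (apps.get("includeApplications") or []):
        problems.append("Office 365 is not among the targeted resources")
    if "iOS" not in (platforms.get("includePlatforms") or []):
        problems.append("device platform iOS is not included")
    # Both browser and mobile app sign-ins must be covered, or Office apps skip it.
    missing = REQUIRED_CLIENT_APPS - set(cond.get("clientAppTypes") or [])
    if missing:
        problems.append(f"client app types missing: {sorted(missing)}")
    if "compliantDevice" not in (grant.get("builtInControls") or []):
        problems.append("grant control 'Require device to be marked as compliant' is missing")
    return problems


# Constructed sample: left in report-only mode and scoped to browsers only, so
# the Office mobile apps would never redirect the user to Safari for enrollment.
# The group id is a placeholder, not a real object id.
SAMPLE_POLICY = {
    "displayName": "iOS web enrollment - require compliant device",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeGroups": ["<web-enrollment-users-group-id>"]},
        "applications": {"includeApplications": ["Office365"]},
        "platforms": {"includePlatforms": ["iOS"]},
        "clientAppTypes": ["browser"],
    },
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice", "mfa"]},
}
```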

2- Via Safari Browser

The user can initiate enrollment by opening this URL in the Safari browser: “https://portal.manage.microsoft.com/enrollment/webenrollment/ios”

Safari is mandatory because of an OS restriction: on Apple platforms, no browser other than Safari can install a configuration profile.

End User Experience

When the user opens an Office app (for example) and completes authentication, they’ll see the message below stating that the device needs to be secured.

Then, when the user clicks Continue, they’ll be redirected automatically to the Safari browser. Authentication MUST be completed again here.

After successful authentication, the user sees exactly the same screen as when opening the URL (https://portal.manage.microsoft.com/enrollment/webenrollment/ios) manually.

This screen explains all the steps needed to complete enrollment; no administrator customization of this guide is needed (it is provided automatically by Microsoft).

  • Download the management profile > by clicking Continue
  • Install the management profile
  • Confirm the device is compliant by installing the Microsoft Authenticator application.

When the user clicks Continue, the management profile is offered for download.

The guide to installing the management profile is also explained explicitly on the Microsoft web page, and below are the numbered steps as shown on an iPad.

As mentioned before, Microsoft Authenticator is mandatory for this enrollment type and for Conditional Access evaluation. The user receives this pop-up once the app is offered for installation.

The Just in Time policy is mandatory for Azure registration; the profile can be checked on the device as shown in the numbered snapshots below.

When the Authenticator app is installed, the user can return to the Office app (or any other Microsoft application) and open it; device registration in Azure then completes automatically through the JIT policy (the user might be prompted once or twice to complete MFA).

Finally, the device has an Azure Device ID instead of zeros.

Conclusion

Microsoft Intune’s web-based iOS device enrollment simplifies onboarding by allowing users to enroll directly through a web link, eliminating the need to download the Company Portal app. This streamlined process reduces setup time and minimizes user interaction, making it ideal for organizations seeking a faster, hassle-free enrollment experience. Unlike Company Portal enrollment, which requires multiple steps and app installations, the web-based method enhances efficiency while maintaining security and compliance. This approach ensures users can quickly access corporate resources with minimal effort, improving both IT management and user experience.
