top of page
Writer's pictureAnand P

How to Configure Enrollment Type in Intune based on User Choice

During the enrollment process, the user is given the flexibility to decide the extent of control the company will have over the device. The user can choose to either allow the company to manage the entire device or only the corporate data on the device.


To make this choice, the user is presented with two options: "I own this device" or "(Company) owns this device". If the user selects "My organization owns this device", the device enrollment process will begin, and the company will have full control over the device.


Alternatively, if the user selects "I own the device", they can then specify the level of security needed. The user can choose to either "secure the entire device" or just "secure work-related apps and data". This allows the user to maintain a certain level of autonomy while still ensuring that work-related data is secure.


Table of Content



Steps to Configure Determine based on user choice Enrollment Type


Step 1: Log in to Microsoft Intune admin center https://intune.microsoft.com navigate to Devices and select iOS/iPadOS



Step 2: Select iOS/iPadOS enrollment and select enrollment types.



Step 3: Tap on Create Profile and select iOS/iPadOS to create an enrollment-type profile.



Step 4: Enter the name for the enrollment type as required and the description if needed ( for demonstration purposes I had only entered a name for the profile as it is mandatory ) and tap on Next to continue


Step 5: Select Determine based on user choice enrollment and tap Next



Step 6: Select a group or all users as required, in this example, I will be using a group, tap Select to add the group or users and tap Next to continue



Step 7: Verify the settings and select Create to complete the profile creation.



Now the profile is created

Let's see the end-user experience


As the enrollment type is determined-based, users will be presented with two options initially, with the remaining options available based on user selection.

Note you will see your Tenant name instead of Organization 

The first two options under Who owns this device are


  1. Organization owns this device

  2. I own this device



If the user selects the first one Organization owns this device then there are no other options users will continue to enroll the device.


If the user selects the second option I own this device then the user will get two options to select under


How do you want the organization to secure your device after it's enrolled?


  1. Secure entire device

  2. Secure work-related apps and data only


What happens when the user selects Organization owns this device


Step 1: Download and open the Company Portal app, sign in with your work account and password, and complete MFA if needed.



Tap on Continue on the first page, If the user selects the first option "Secure entire device" the entire device will be protected, and the admin can manage the remote actions on the device level, tap on Continue, and install the management profile by following the prompts.



Administrators can manage the device remotely, giving them the ability to wipe, retire, and so on. These types of enrollment register the device as Corporate under ownership, but it won't enable additional remote management and restrictions under supervised device enrollment, despite the fact that it is registered as Corporate.



Let's see the enrollment experiance if the user selects I own this device and Secure entire device


Step 1: Download and open the Company Portal app, sign in with your work account and password, and complete MFA if needed.



Please tap on "Continue" on the first page. If you choose the "Secure entire device" option, the entire device will be protected and the admin will be able to manage remote actions at the device level. After selecting this option, tap on "Continue" and follow the prompts to install the management profile.



The admin has the ability to manage devices and execute remote commands such as wiping or retiring them. These types of enrollments provide the option to wipe the complete device including personal and corporate.


Let's see the enrollment experiance if the user selects I own this device and Secure work-related apps and data only


This process of enrollment typically involves creating separate partitions or containers for Work and Personal data, which helps administrators secure work-related information. Work-related data can only be managed within the work container or partition, while personal profiles are restricted to their respective partition. Only Organization accounts, settings, and information provisioned with Intune can be managed by the administrators. The information and settings related to a person's account cannot be managed.


This enrollment is similar to User-Enrollment with the Company portal to understand more about this enrollment please go through my post Configuring User Enrollment with Company Portal in Intune


Note: Apple Managed ID is required as prerequisite 

Step 1:Download Intune Company Portal and Microsoft Authenticator (this will be required at the time of enrollment) from the App Store, Tap on Sign in. Enter your work account and password, and complete MFA (if applicable)



To begin the enrollment process, simply tap on the "Begin" button. If you haven't downloaded Microsoft Authenticator yet, you will be prompted to download it. Once downloaded, return to the enrollment page and tap "Continue" to proceed. This will guide you through the installation of your profile and Apple-managed ID authentication. Once all of the necessary steps are completed, your device will be successfully enrolled in Intune.



Administrators can only manage organizational data remotely for enrolled devices, as options like wipe are grayed out. These devices can only be retired.



Conclusion

The purpose of this article is to provide a comprehensive guide on how to configure the determined based on user choice enrollment type in Intune, as well as to explain the end-user experience associated with the process.



455 views0 comments

Recent Posts

See All
2023-02-01_17-26-41.jpg
About Me

Thank you for taking the time to visit my website. My name is Anand P, and I work as a Senior Engineer in IT. This blog is dedicated to providing articles on various Microsoft technologies such as Intune, Azure AD, Microsoft Defender for Endpoint, Azure, EMS, M365, Security, and more. Most of the content on this blog is based on the solutions and issues I encounter in my everyday work, and I use this platform as a technical notebook to keep track of my findings. Please note that any views expressed in my posts on this site are solely my own. Also, any code, scripts, demos, or examples provided in the blog posts are only for illustration. I hope you find my blog posts informative and useful.

Never Miss a Post. Subscribe Now!

Thanks for submitting!

  • LinkedIn
  • YouTube

Copyright © 2024 by Cloud Tek Space.

bottom of page