During enrollment, the user decides how much control the organization will have over the device: the organization can manage the entire device, or only the corporate data on it.
To make this choice, the user is presented with two options: "Organization owns this device" (shown with the tenant name in place of "Organization") or "I own this device". If the user selects "Organization owns this device", device enrollment begins and the organization gets full control over the device.
If the user selects "I own this device", they then choose the level of management: "Secure entire device" or "Secure work-related apps and data only". This lets the user keep a degree of autonomy over a personal device while still keeping work-related data protected.
Steps to Configure Determine based on user choice Enrollment Type
Step 1: Sign in to the Microsoft Intune admin center (https://intune.microsoft.com), navigate to Devices and select iOS/iPadOS.
Step 2: Select iOS/iPadOS enrollment, then Enrollment types.
Step 3: Select Create profile and choose iOS/iPadOS to create an enrollment type profile.
Step 4: Enter a name for the enrollment type profile and, optionally, a description (for demonstration purposes I entered only a name, as it is the mandatory field), then select Next to continue.
Step 5: Select Determine based on user choice as the enrollment type and select Next.
Step 6: Assign the profile to all users or to a group as required (in this example I use a group): choose Select to add the group or users, then select Next to continue.
Step 7: Review the settings and select Create to complete the profile creation.
Now the profile is created
Let's see the end-user experience
Because the enrollment type is determined by user choice, users are first presented with two options; the remaining options depend on what they select.
Note: you will see your tenant name instead of Organization.
The first two options under Who owns this device are
Organization owns this device
I own this device
If the user selects the first option, Organization owns this device, there are no further options and the user simply continues to enroll the device.
If the user selects the second option, I own this device, the user gets two further options under
How do you want the organization to secure your device after it's enrolled?
Secure entire device
Secure work-related apps and data only
What happens when the user selects Organization owns this device
Step 1: Download and open the Company Portal app, sign in with your work account and password, and complete MFA if needed.
Tap Continue on the first page, then install the management profile by following the prompts. No ownership or scope question is asked on this path.
Administrators can manage the device remotely, including wipe and retire. This enrollment registers the device with Corporate ownership, but it does not enable the additional remote management and restrictions that only supervised enrollment provides, despite the device being registered as Corporate.
Let's see the enrollment experience if the user selects I own this device and Secure entire device
Step 1: Download and open the Company Portal app, sign in with your work account and password, and complete MFA if needed.
Tap Continue on the first page. When "Secure entire device" is chosen, the whole device is placed under management and the admin can run remote actions at the device level. After selecting this option, tap Continue and follow the prompts to install the management profile.
The admin can manage the device and run remote commands such as wipe or retire. Because this is full device enrollment on a device registered with Personal ownership, a wipe erases the complete device, personal data included, so users should understand what they are agreeing to when they pick this option.
Let's see the enrollment experience if the user selects I own this device and Secure work-related apps and data only
This enrollment path keeps work and personal data in separate containers on the device, which lets administrators secure work-related information without touching personal data. Work data can be managed only within the work container, and the personal side stays outside of management. Only organization accounts, settings and data provisioned through Intune can be managed by administrators; the information and settings belonging to the user's personal account cannot be.
This enrollment is similar to User Enrollment with the Company Portal; to understand more about that enrollment, please go through my post Configuring User Enrollment with Company Portal in Intune.
Note: a Managed Apple ID is required as a prerequisite.
Step 1: Download Intune Company Portal and Microsoft Authenticator (required at the time of enrollment) from the App Store, then tap Sign in. Enter your work account and password and complete MFA (if applicable).
To begin the enrollment process, tap Begin. If you haven't installed Microsoft Authenticator yet, you will be prompted to install it; once installed, return to the enrollment page and tap Continue to proceed. This guides you through installing the profile and authenticating with your Managed Apple ID. Once all of the steps are completed, the device is enrolled in Intune.
Administrators can only manage organizational data remotely on these devices: the Wipe action is grayed out, so the device can only be retired, which removes the work container and leaves personal data untouched.
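The three outcomes above leave different footprints in the Intune device inventory, and an admin will want to confirm that users landed on the path the organization expects (for example, that a device believed to be fully managed is not a User Enrollment record that cannot be wiped). The following PowerShell script is an added example, not code from the original post or from Microsoft: it classifies iOS/iPadOS managedDevice records by the three enrollment paths and reports which remote actions the post describes for each. By default it runs against a constructed sample set; with -FromGraph it queries the tenant through the Microsoft Graph PowerShell SDK (assumed installed, with consent to DeviceManagementManagedDevices.Read.All). The mapping of deviceEnrollmentType values to the three paths (userEnrollment for Company Portal device enrollment, appleUserEnrollment and appleUserEnrollmentWithServiceAccount for User Enrollment) is my assumption and should be checked against your own tenant's records.

```powershell
# Added example (not from the original post). Classifies enrolled iOS/iPadOS devices
# into the three "Determine based on user choice" outcomes and reports which remote
# actions the post describes for each. Runs on constructed sample data unless -FromGraph
# is given. Assumption: Microsoft Graph PowerShell SDK is installed and the caller can
# consent to DeviceManagementManagedDevices.Read.All.

function Get-EnrollmentOutcome {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Device   # object with the managedDevice fields used below
    )
    process {
        # Assumed mapping: these deviceEnrollmentType values mean Apple User Enrollment,
        # i.e. "Secure work-related apps and data only" (work container only, no full wipe).
        $userEnrollment = $Device.DeviceEnrollmentType -in @('appleUserEnrollment', 'appleUserEnrollmentWithServiceAccount')

        if ($userEnrollment) {
            $outcome = 'I own this device / Secure work-related apps and data only'
            $canWipe = $false
            $note    = 'Only organization data is managed; Wipe is grayed out, Retire only'
        }
        elseif ($Device.ManagedDeviceOwnerType -eq 'company') {
            $outcome = 'Organization owns this device'
            $canWipe = $true
            # Corporate ownership does not imply supervision; flag devices that lack it.
            $note    = if ($Device.IsSupervised) { 'Supervised' } else { 'Corporate ownership but NOT supervised: supervised-only restrictions do not apply' }
        }
        else {
            $outcome = 'I own this device / Secure entire device'
            $canWipe = $true
            $note    = 'Personal ownership; Wipe erases the whole device, personal data included'
        }

        [pscustomobject]@{
            DeviceName     = $Device.DeviceName
            Outcome        = $outcome
            OwnerType      = $Device.ManagedDeviceOwnerType
            EnrollmentType = $Device.DeviceEnrollmentType
            Supervised     = [bool]$Device.IsSupervised
            CanWipe        = $canWipe
            CanRetire      = $true      # Retire is available on every path described in the post
            Note           = $note
        }
    }
}

function Get-IosEnrollmentReport {
    param([switch] $FromGraph)

    if ($FromGraph) {
        Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' | Out-Null
        $devices = Get-MgDeviceManagementManagedDevice -All -Filter "operatingSystem eq 'iOS'" |
            Select-Object DeviceName, ManagedDeviceOwnerType, DeviceEnrollmentType, IsSupervised
    }
    else {
        # Constructed sample records mirroring the managedDevice fields read above; one per path.
        $devices = @(
            [pscustomobject]@{ DeviceName = 'iPad-Org-01';    ManagedDeviceOwnerType = 'company';  DeviceEnrollmentType = 'userEnrollment';      IsSupervised = $false }
            [pscustomobject]@{ DeviceName = 'iPhone-Pers-02'; ManagedDeviceOwnerType = 'personal'; DeviceEnrollmentType = 'userEnrollment';      IsSupervised = $false }
            [pscustomobject]@{ DeviceName = 'iPhone-UE-03';   ManagedDeviceOwnerType = 'personal'; DeviceEnrollmentType = 'appleUserEnrollment'; IsSupervised = $false }
        )
    }

    $devices | Get-EnrollmentOutcome
}

# Usage: run as-is for the sample set, or Get-IosEnrollmentReport -FromGraph for the tenant.
Get-IosEnrollmentReport | Format-Table DeviceName, Outcome, CanWipe, CanRetire, Supervised, Note -AutoSize
```

The useful column is Note on the "Organization owns this device" rows: an admin who expects supervised-only restrictions (for example blocking app removal or AirDrop) to apply because ownership shows Corporate will see that the device is not supervised and that those settings will be silently ignored. Filter the report on CanWipe to get the list of devices that can only be retired if a lost-device scenario comes up.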
Conclusion
The purpose of this article is to provide a step-by-step guide to configuring the Determine based on user choice enrollment type in Intune for iOS/iPadOS, and to explain the end-user experience and the resulting management capabilities for each of the three paths a user can take.