Intune provides multiple methods for enrolling iOS/iPad devices. Let's explore how these enrollment methods can enhance the security of corporate data on endpoints. The enrollment methods are categorized into Automated Device Enrollment Method, Apple Configurator, and BYOM (User and Device Based). I have organized them into two sections: one for Bring Your Own Device (BYOD) and the other for Corporate Owned Devices.
Bring Your Own Device (BYOD)Â
The BYOD enrollment guide includes two distinct methods: user-based enrollment and device-based enrollment. These iOS/iPadOS devices are primarily personal or BYOD devices owned by users, allowing access to organizational data and applications such as email, Teams, OneDrive, and more. This enrollment option does not necessitate resetting the devices. There are various options available for enrolling these types of devices.
Protection Policy or MAM (Mobile Application Management)
Web-based device enrollment
Account-driven user enrollment
Device Enrollment with Company portal
Determine based on user choice
App Protection Policies this is the lightest version of the BYOD experience, this will allow admin to manage at an app level only, you can deploy an app protection policy that defines how the application is to be managed using Intune, for example when a user sign to any application which is protected using app protection policy, using their work or school account the application will receive the app protection policy and this depends on business to business how they want to secure, I had written a blog on App Protection Policy (Intune) please go through the article to understand how app protection works and how to Create and assign an App protection Policy for iOS/iPadOS (Intune)
Web-based Device Enrollment Method Web-based device enrollment provides a faster and more convenient experience, removing the necessity for the Company Portal app. Employees and students can complete the process directly through Safari and their device settings. Additionally, this method supports JIT registration, utilizing Microsoft Authenticator for device registration and single sign-on to reduce repeated sign-ins during enrollment and while using work apps. This approach is almost like to to device enrollment with the company portal, with no data separation.
Account-driven User Enrollment This method offers a quicker and more user-friendly experience compared to user enrollment with Company Portal. The device user begins enrollment by logging into their work account in the Settings app. Once the user consents to device management, the enrollment profile is installed silently, and Intune policies are applied. Intune utilizes just-in-time (JIT) registration and the Microsoft Authenticator app for authentication to minimize the number of sign-ins required during enrollment and when accessing work apps. This process is similar to user enrollment with a company portal, but instead of using a company portal, the managed Apple ID is entered in Settings > General > VPN & Device Management, followed by selecting the Sign In to Work or School Account button.
For Account-driven user enrollment Apple separates user data from organisation data, Upon completion of user enrollment, the device automatically generates separate encryption keys. If the user unenrolls or if it's done remotely via MDM, the encryption keys are securely destroyed.
The admin can manage only Organization accounts, settings, and information provisioned with Intune. Personal accounts, settings, and information cannot be managed. In this way, the corporate data is kept secure in organization-managed apps.
Device Enrollment with company portal This is the typical BYOD enrollment which provides a wide range of management for the admin to manage the device, by deploying device restriction, compliance policy, and management capabilities. these devices are registered as corporate-owned devices in Intune, there is no data separation between user data and corporate data both the data are saved in the same location or container
Determined User Enrollment This enrollment lets the user decide whether the device is managed by Corporate completely or only the Corporate data on the device is managed, the user will get the option to choose between I own this device and (Company) owns this device. if the user selects My organization owns this device the enrollment will follow device enrollment. If the user selects I own the device, user can specify whether to secure the entire device or secure work-related apps and data
COD (Company-Owned Device) Enrollment Methods
These are typically the devices owned by the organization and the asset completely belongs to the organization, below are some of the enrollment methods supported by Intune.
Apple Automated Device Enrollment (ADE) lets you enroll many devices without ever touching them (similar to zero-touch deployment or something like autopilot in OOBE mode). Apple devices brought by the organization from an authorized reseller are shipped to users directly and let the user set up the devices with Setup Assistant which includes the typical out-of-the-box experience which runs with preconfigured settings and the devices enrolled into Intune management.
To enable ADE, you need Apple Business Manager (ABM) or Apple School Manager portal, The Reseller will assign the serial numbers of the devices to ABM, and ABM will sync the devices to Intune with an enrollment token (you can read my blog Setup Apple automated device enrollment (ADE) token in Intune for more details) and assign a profile contains the settings that are applied to devices during enrollment. We will talk more about different types of user affinity and authentication methods tagged to the ADE program in upcoming blogs
Apple Configurator is a tool that is available for enrolling or adding a device to ABM running on a MAC computer (the application requires a MAC Computer to run the application). To prepare a device the iOS/iPadOS need to be connected using a USB/Lightning cable to the Mac Computer running Apple Configurator and install an enrollment profile. Devices can be enrolled in two ways using Apple Configurator
a. Setup Assistant Enrollment will wipe the device and prepare it to run the setup assistant and install the policies for the devices
b. Direct Enrollment doesn’t wipe the device, but enrolls the device with a predefined policy, this method is used for no user affinity
The diagram represents a quick spectrum of Management
Conclusion
This blog provides a comprehensive overview of the various iOS device enrollment types in Microsoft Intune. Understanding these methods is crucial for effective mobile device management (MDM). Each type offers unique features and benefits based on organizational needs and device use cases. The blog covers User Enrollment, Device Enrollment, and Automated Device Enrollment, highlighting their functionalities, advantages, and best practices. Readers will gain insights to make informed decisions on the best enrollment method for their iOS devices within the Intune ecosystem.