Intune offers several ways to enroll iOS/iPadOS devices. This post walks through each of them and how they help secure corporate data on endpoints. Some of the methods are generally available and some are still in preview. I have split them into two sections: Bring Your Own Device (BYOD) and corporate-owned devices.
BYOD: User and Device enrollment
These are iOS/iPadOS devices that are personally owned (BYOD) but need access to organization data and applications such as email, Teams, OneDrive and other resources. None of these options require the device to be reset. There are several ways to enroll such devices:
App Protection Policies (MAM, Mobile Application Management)
User enrollment with the Company Portal
Account-driven user enrollment
Device enrollment with the Company Portal
Web-based device enrollment
Determine based on user choice
App Protection Policies are the lightest-touch BYOD option: the admin manages at the app level only, without enrolling the device. You deploy an app protection policy that defines how a managed app handles corporate data (for example, requiring an app PIN, or blocking copy/paste and save-as to unmanaged locations); when a user signs in to a protected app with their work or school account, the app receives the policy. How restrictive the policy is depends on each business's requirements. I have written a separate post on App Protection Policy (Intune); please go through that article to understand how app protection works and how to create and assign an App Protection Policy for iOS/iPadOS (Intune).
User enrollment with the Company Portal is a streamlined enrollment that gives the admin a subset of the device management options. With user enrollment a separate work identity is created on the device using a managed Apple ID (which can be federated with Microsoft Entra ID), and the managed Apple ID sits alongside the personal Apple ID the user is already signed in with. During user enrollment a separate volume is created on the device containing the:
a. Apps
b. Notes
c. Calendar attachments
d. Mail attachments and mail message bodies
e. Keychain items
The admin can manage only the organization accounts, settings and information provisioned through Intune; personal accounts, settings and information cannot be managed. In this way the corporate data stays inside organization-managed apps.
What can be managed by Intune for the devices enrolled under User enrollment?
Account-driven user enrollment is almost identical to user enrollment with the Company Portal, except that the Company Portal app is not used: the user enters their managed Apple ID under Settings > General > VPN & Device Management and taps the Sign In to Work or School Account button.
For both user enrollment with the Company Portal and account-driven user enrollment, Apple separates user data from organization data. On completion of user enrollment the device generates a separate set of encryption keys for the managed volume. If the user unenrolls, or the device is unenrolled remotely via MDM, those keys are securely destroyed, which removes the work data without touching the personal data.
Web-based device enrollment gives a quicker, more user-friendly experience that removes the need for the Company Portal app: employees and students complete everything in Safari and the Settings app. Web-based enrollment works with just-in-time (JIT) registration, which uses Microsoft Authenticator for device registration and single sign-on, so the user is not asked to sign in repeatedly during enrollment and when using work apps. In terms of management this method is equivalent to device enrollment with the Company Portal: there is no data separation.
Device enrollment with the Company Portal is the typical BYOD enrollment and gives the admin the widest range of management over a personal device: device restrictions, compliance policies and the other device management capabilities. These devices are registered as corporate-owned devices in Intune, and there is no data separation between user data and corporate data; both are saved in the same location or container.
Determine based on user choice lets the user decide whether the whole device is managed by the organization or only the corporate data on it. The user is asked to choose between "I own this device" and "(Company) owns this device". If the user selects "My organization owns this device", enrollment proceeds as device enrollment. If the user selects "I own this device", they can then choose whether to secure the entire device (device enrollment) or only work-related apps and data (user enrollment).
COD (Company-Owned Device) Enrollment Methods
These are devices purchased and owned by the organization; the asset belongs entirely to the company. Below are the enrollment methods Intune supports for them.
Apple Automated Device Enrollment (ADE) lets you enroll many devices without ever touching them (zero-touch deployment, comparable to Windows Autopilot during OOBE). Devices bought by the organization from an authorized reseller are shipped directly to users; the user runs Setup Assistant, the normal out-of-the-box experience, with the preconfigured settings applied, and the device is enrolled into Intune management as part of setup.
To enable ADE you need Apple Business Manager (ABM) or Apple School Manager. The reseller assigns the device serial numbers to ABM, ABM syncs the devices to Intune through an enrollment program token (you can read my post Setup Apple automated device enrollment (ADE) token in Intune for more details), and you assign an enrollment profile that contains the settings applied to devices during enrollment. I will cover the different user affinity and authentication options of the ADE program in upcoming posts.
Apple School Manager is the education counterpart of Apple Business Manager (ABM): devices purchased under the program are added to the Apple School Manager portal, and enrollment profiles are assigned from Intune in the same way.
Apple Configurator is a Mac application for enrolling devices, or for adding devices to ABM (it requires a Mac to run). To prepare a device, connect the iOS/iPadOS device to the Mac running Apple Configurator over a USB/Lightning cable and install an enrollment profile. Devices can be enrolled in two ways with Apple Configurator:
a. Setup Assistant enrollment wipes the device, then runs Setup Assistant and applies the device policies during setup.
b. Direct enrollment does not wipe the device; it enrolls the device with a predefined profile and without user affinity (no user is associated with the device).
The diagram gives a quick overview of the management spectrum across these enrollment methods.
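As an added example (not code from the original post), the script below turns that spectrum into an inventory check: it takes managedDevice records in the shape Microsoft Graph returns from deviceManagement/managedDevices, buckets each iOS/iPadOS device into one of the enrollment methods above using the deviceEnrollmentType value, and flags the combinations worth a second look, such as a personally owned device under full device management (no data separation) or a company-owned device that only went through user enrollment. The mapping from Graph enum values to the methods on this page is my reading of the enum, the GRAPH_TOKEN environment variable and its permission are assumptions, and the sample records are constructed; with no token set it runs entirely offline on those samples.

```python
"""Audit Intune-managed iOS/iPadOS devices by enrollment method and data separation.

Added example, not part of the original post. It takes managedDevice records in
the shape Microsoft Graph returns from deviceManagement/managedDevices, buckets
each device into one of the enrollment methods described on this page, and flags
the combinations worth a second look. Runs offline on the constructed sample
records below; export GRAPH_TOKEN (assumed to carry at least
DeviceManagementManagedDevices.Read.All) to query a real tenant instead.
"""
import json
import os
import urllib.parse
import urllib.request
from collections import Counter

GRAPH_DEVICES = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"

# Graph deviceEnrollmentType value -> (method as named on this page, Apple data separation?)
# This mapping is my reading of the enum values (assumption); check it against your tenant.
ENROLLMENT_METHODS = {
    "appleUserEnrollment": ("User enrollment (Company Portal)", True),
    "appleUserEnrollmentWithServiceAccount": ("Account-driven user enrollment", True),
    "userEnrollment": ("Device enrollment (Company Portal or web-based)", False),
    "deviceEnrollmentManager": ("Device enrollment (DEM account)", False),
    "appleBulkWithUser": ("Automated Device Enrollment, user affinity", False),
    "appleBulkWithoutUser": ("ADE or Apple Configurator, no user affinity", False),
}


def classify(device):
    """Map one managedDevice record to its enrollment method and list any findings."""
    etype = device.get("deviceEnrollmentType", "unknown")
    method, separated = ENROLLMENT_METHODS.get(etype, ("Unknown or other", False))
    owner = device.get("managedDeviceOwnerType", "unknown")
    findings = []
    # Full-device management of a personal device keeps work and personal data in the
    # same container; confirm that is what the organisation intended for BYOD.
    if owner == "personal" and not separated and etype in ENROLLMENT_METHODS:
        findings.append("personal device with no data separation (full-device management)")
    # A company asset under user enrollment gives the admin only the reduced
    # management set; a company-owned device would normally go through ADE.
    if owner == "company" and separated:
        findings.append("company-owned device enrolled via user enrollment (reduced management)")
    state = device.get("complianceState")
    if state is not None and state != "compliant":
        findings.append("complianceState=" + state)
    return {
        "id": device.get("id"),
        "name": device.get("deviceName"),
        "method": method,
        "owner": owner,
        "data_separation": separated,
        "findings": findings,
    }


def fetch_ios_devices(token):
    """Page through Graph and return every iOS/iPadOS managedDevice record."""
    query = {
        "$filter": "operatingSystem eq 'iOS'",
        "$select": "id,deviceName,deviceEnrollmentType,managedDeviceOwnerType,complianceState",
    }
    url = GRAPH_DEVICES + "?" + urllib.parse.urlencode(query, quote_via=urllib.parse.quote)
    devices = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        devices.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # Graph pages large result sets; follow until exhausted
    return devices


def summarize(devices):
    """Count devices per enrollment method and collect the ones with findings."""
    rows = [classify(d) for d in devices]
    return {
        "total": len(rows),
        "by_method": dict(Counter(r["method"] for r in rows)),
        "flagged": [r for r in rows if r["findings"]],
    }


# Constructed sample records (not real tenant data) in the Graph managedDevice shape.
SAMPLE_DEVICES = [
    {"id": "d1", "deviceName": "ipad-personal-01", "deviceEnrollmentType": "appleUserEnrollment",
     "managedDeviceOwnerType": "personal", "complianceState": "compliant"},
    {"id": "d2", "deviceName": "iphone-personal-02", "deviceEnrollmentType": "userEnrollment",
     "managedDeviceOwnerType": "personal", "complianceState": "noncompliant"},
    {"id": "d3", "deviceName": "ipad-kiosk-03", "deviceEnrollmentType": "appleBulkWithoutUser",
     "managedDeviceOwnerType": "company", "complianceState": "compliant"},
    {"id": "d4", "deviceName": "iphone-exec-04", "deviceEnrollmentType": "appleUserEnrollmentWithServiceAccount",
     "managedDeviceOwnerType": "company", "complianceState": "compliant"},
]

if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    devices = fetch_ios_devices(token) if token else SAMPLE_DEVICES
    print(json.dumps(summarize(devices), indent=2))
```

On the sample data the two flagged devices are the personally owned iPhone under device enrollment (no data separation, and non-compliant) and the company-owned iPhone that was enrolled through account-driven user enrollment. Against a real tenant the same output tells you at a glance how many BYOD devices are relying on app protection plus user enrollment versus full device management, which is the distinction the rest of this post is about.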
Conclusion
The purpose of this post was to explain the different types of enrollment available in Intune for iOS/iPadOS devices.