
Enroll iOS and iPadOS devices in Microsoft Intune with user-affinity

Writer: Anand P

Updated: Feb 27

Hello everyone, in this blog, I will discuss how to enroll an iOS/iPadOS device with user affinity, which entails assigning a primary user to the enrolled device. These enrollment methods are beneficial when an administrator wants personalized settings, apps, and configurations to be automatically applied based on the user’s profile. You can read the blog Enroll iOS/iPadOS devices in Intune through the ADE enrollment program to learn more about Automated Device Enrollment in Intune, which will provide insight into the methods available in ADE for enrolling iOS devices.


Requirements


  1. Mobile Device Management (Microsoft Intune)

  2. Apple Business Manager account

  3. APNS Certificate

  4. Supported OS: iOS/iPadOS 16+

  5. Automated Device Enrollment (ADE) Token


The Benefits of Enrolling with a User Affinity


Enrolling an iOS device with User Affinity in Microsoft Intune offers several key benefits, especially for organizations that assign devices to specific users. This approach tailors the device's configuration, apps, and settings to the individual user's needs, providing a personalized experience. For example, specific apps, email profiles, Wi-Fi settings, and security configurations can be automatically deployed based on the user's role or department.


User affinity also enhances security. It ensures the device complies with organizational security policies, such as requiring strong passwords, enforcing encryption, and protecting data. Administrators can apply customized device restrictions to align with the user's job function. If a device is lost or stolen, it can be remotely wiped or locked to safeguard sensitive data. Additionally, user-specific app management becomes easier, as apps can be automatically installed or updated based on the user's preferences and role.


Step 1: Log into the Microsoft Intune admin center and select "Devices" from the left panel. Choose "iOS/iPadOS," tap on "Enrollment" under "Device onboarding," and select "Enrollment program token." Choose the token for which you need to create a new profile.


Step 2: Choose profiles and tap on Create Profile, then select iOS/iPadOS. Enter a suitable name and description, and tap on next.


Step 3: Choose Enroll with User Affinity and select the authentication method you want users to use when enrolling the device.

Company Portal: Choose this method if you want to require MFA, prompt users to change their password on first sign-in, prompt users to reset an expired password during enrollment, register the device in Microsoft Entra ID, and use Entra ID features such as Conditional Access. The Company Portal app is installed automatically during enrollment. If your company uses the Volume Purchase Program (VPP), the Company Portal app can be installed during enrollment without requiring user Apple IDs, and you can lock the device until the Company Portal app installs.

Note: If a user is targeted with an account-driven Apple User Enrollment profile, Intune blocks enrollment via this method and shows an error message. Those users must enroll through the Company Portal website. For successful automated device enrollment, use the Setup Assistant with modern authentication option for these profile types.

Setup Assistant (Legacy): The legacy Setup Assistant is recommended for giving users the standard out-of-box experience for Apple products. It applies pre-configured settings when the device is enrolled in Intune, and can be used for authentication when administrators need to wipe a device. This approach avoids modern authentication features such as multifactor authentication and does not register devices with Microsoft Entra ID. Instead, Setup Assistant authenticates the user using the Apple .p7m token.


Setup Assistant with modern authentication: This option offers the same security as Company Portal authentication, but differs in letting device users access parts of the device even before the Company Portal is installed. Use this option when you need to wipe the device, require multifactor authentication, prompt users to change their password on first sign-in, prompt users to reset expired passwords during enrollment, register devices in Microsoft Entra ID and use Entra ID features like Conditional Access, automatically install the Company Portal app during enrollment (including when your company uses the Volume Purchase Program, without requiring user Apple IDs), or allow users to use the device while the Company Portal app isn't installed.

Note: Setup Assistant with modern authentication is supported on iOS/iPadOS 13.0 and later devices. Older iOS/iPadOS devices assigned this profile type will fall back to Setup Assistant authentication.

In my case, I opted for the Company Portal as the authentication method, since I need to secure the device until enrollment is finalized by setting "Run Company Portal in Single App Mode until authentication" to Yes.

Note: Single App Mode in Company Portal is supported only on iOS version 11.3.1 or later.

Step 4: Select the appropriate settings for your configuration and click Next.


Step 5: Choose the appropriate options under the Setup Assistant screens, which appear during device enrollment, and tap on Next.

This table describes the Setup Assistant screens shown during automated device enrollment for iOS/iPadOS. You can show or hide these screens on compatible devices during enrollment.

Setup Assistant screen and what happens when it is visible:

  • Passcode: Displays the passcode and password lock screen, prompting users to enter a passcode.

  • Location Services: Allows users to enable location services on their device. Supports iOS/iPadOS 7.0 and later.

  • Restore: The apps and data setup screen allows users to restore or transfer data from an iCloud Backup when setting up their device. For iOS/iPadOS 7.0 and later.

  • Apple ID: Shows the Apple ID setup pane, which gives users the option to sign in with their Apple ID and use iCloud. For iOS/iPadOS 7.0 and later.

  • Terms and conditions: Shows the Apple terms and conditions pane and requires users to accept them. For iOS/iPadOS 7.0 and later.

  • Touch ID and Face ID: The biometric setup pane allows users to set up fingerprint or facial recognition on their device. For iOS/iPadOS 8.1 and later, with some limitations; see the 'Limitations' section of the Microsoft documentation for details.

  • Apple Pay: Displays the Apple Pay setup screen, allowing users to set up Apple Pay on their device. For iOS/iPadOS 7.0 and later.

  • Zoom: Allows users to configure their zoom settings. Available in iOS/iPadOS 8.3 and later, but deprecated in iOS/iPadOS 17.

  • Siri: Shows the Siri setup pane. For iOS/iPadOS 7.0 and later.

  • Diagnostics Data: Shows the diagnostics pane where users can opt in to send diagnostic data to Apple. For iOS/iPadOS 7.0 and later.

  • Display Tone: Shows the display tone setup pane, where users can adjust the display's white balance settings. Available in iOS/iPadOS 9.3.2 and later, but deprecated in iOS/iPadOS 15.

  • Privacy: Shows the privacy setup pane. For iOS/iPadOS 11.3 and later.

  • Android Migration: Shows a setup pane meant for previous Android users, where they can migrate data from an Android device. For iOS/iPadOS 9.0 and later.

  • iMessage & FaceTime: Shows the setup pane for iMessage and FaceTime. For iOS/iPadOS 9.0 and later.

  • Onboarding: Shows onboarding informational screens for user education, such as Cover Sheet, Multitasking and Control Center. For iOS/iPadOS 11.0 and later.

  • Screen Time: Shows the Screen Time screen. For iOS/iPadOS 12.0 and later.

  • SIM Setup: Shows the cellular setup pane, where users can add a cellular plan. For iOS/iPadOS 12.0 and later.

  • Software Update: Shows the mandatory software update screen. For iOS/iPadOS 12.0 and later.

  • Watch Migration: Shows the Apple Watch migration pane, where users can migrate data from an Apple Watch. For iOS/iPadOS 11.0 and later.

  • Appearance: Shows the appearance setup pane. For iOS/iPadOS 13.0 and later.

  • Device to Device Migration: Lets users transfer data from an old device to their current one. This direct transfer option is not available for devices running iOS 13 or later.

  • Restore Completed: Shows the Restore Completed screen after a backup and restore is performed during Setup Assistant.

  • Software Update Completed: Shows all software updates that happen during Setup Assistant.

  • Get Started: Shows the Get Started welcome screen.

  • Terms of Address: Allows users to choose how they want to be addressed: feminine, masculine, or neutral. This Apple feature is available for select languages; see Apple's Key Features and Enhancements for details. Requires iOS/iPadOS 16.0 or later.

  • Emergency SOS: Shows the safety setup pane. For iOS/iPadOS 16.0 and later.

  • Action button: Shows the configuration pane for the Action button. For iOS/iPadOS 17.0 and later.

  • Intelligence: Shows the Apple Intelligence setup pane, where users can configure Apple Intelligence features. For iOS/iPadOS 18.0 and later.

Step 6: Review the configuration and tap 'Create' once completed.


If you have chosen Setup Assistant (Legacy) as your authentication method


If you have chosen Setup Assistant with modern authentication as your authentication method

In this case, you will notice an additional setting labeled "Await final configuration."

Enabling this ensures critical device policies are installed before the user gets access to the device. Just before the home screen loads, Setup Assistant pauses so that the device can check in with Intune, and users wait while the device receives its final configuration. The time users spend on the Awaiting final configuration screen depends on the number of policies and apps applied: more policies and apps mean a longer wait. Neither Setup Assistant nor Microsoft Intune imposes a time limit on this stage.

Note: Only device configuration policies begin installing during the final configuration stage; applications are not part of this process.

The locked experience works on devices enrolling with new and existing profiles. Supported devices include:


  • iOS/iPadOS 13+ devices enrolling with Setup Assistant using modern authentication

  • iOS/iPadOS 13+ devices enrolling without user affinity

  • iOS/iPadOS 13+ devices enrolling with Microsoft Entra ID shared mode


This setting is applied during the automated device enrollment in Setup Assistant. Users don't experience it again unless they re-enroll. Yes is the default for new profiles.


If this setting is not enabled or is set to No, the device is released to the home screen when Setup Assistant finishes, even if policies haven't been installed yet. Users can reach the home screen or change settings before all policies are in place. The default for existing enrollment profiles is No.
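As an added example (not part of the original post), here is a small Python audit over the enrollment-profile JSON that Microsoft Graph returns for an ADE token: it flags user-affinity profiles that use Company Portal authentication without Single App Mode, and any profile with Await final configuration turned off, the two settings that decide whether a device is handed over before enrollment is complete. The property names are assumed from the Graph beta depIOSEnrollmentProfile type and the sample response is constructed.

```python
import json

# Constructed example: imitates a Microsoft Graph beta response from
# GET /deviceManagement/depOnboardingSettings/{id}/enrollmentProfiles.
# Property names are assumed from the beta depIOSEnrollmentProfile type;
# verify them against your tenant before relying on this check.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"displayName": "Corp iPhone - Company Portal",
     "requiresUserAuthentication": True,
     "enableAuthenticationViaCompanyPortal": True,
     "enableSingleAppEnrollmentMode": False,
     "awaitDeviceConfiguredConfirmation": False},
    {"displayName": "Corp iPad - Modern auth",
     "requiresUserAuthentication": True,
     "enableAuthenticationViaCompanyPortal": False,
     "enableSingleAppEnrollmentMode": False,
     "awaitDeviceConfiguredConfirmation": True},
    {"displayName": "Kiosk - no affinity",
     "requiresUserAuthentication": False,
     "enableAuthenticationViaCompanyPortal": False,
     "enableSingleAppEnrollmentMode": False,
     "awaitDeviceConfiguredConfirmation": False},
]})


def audit_profiles(response_json: str) -> list[tuple[str, str]]:
    """Return (profile name, finding) pairs for ADE profiles that can hand
    the device to the user before enrollment is fully locked down."""
    findings = []
    for p in json.loads(response_json)["value"]:
        name = p.get("displayName", "<unnamed>")
        # Company Portal authentication without Single App Mode: the user
        # can leave Company Portal before signing in, so the device is not
        # held until enrollment completes.
        if (p.get("requiresUserAuthentication")
                and p.get("enableAuthenticationViaCompanyPortal")
                and not p.get("enableSingleAppEnrollmentMode")):
            findings.append((name, "Company Portal not in Single App Mode"))
        # Await final configuration off: Setup Assistant releases the home
        # screen before device configuration policies have installed.
        if not p.get("awaitDeviceConfiguredConfirmation"):
            findings.append((name, "Await final configuration disabled"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_profiles(SAMPLE_RESPONSE):
        print(f"{name}: {finding}")
```

Run it against a real response by pasting the JSON returned by Graph Explorer into SAMPLE_RESPONSE; a profile with no findings is one that holds the device until both authentication and policy installation have finished.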



Conclusion


Registering iOS and iPadOS devices in Microsoft Intune with user affinity offers an effective and secure way to manage devices tailored to individual user needs. By following the steps in this guide, administrators can ensure devices are configured with personalized settings, applications, and security protocols, enhancing both user experience and organizational security. Whether utilizing the Company Portal, Setup Assistant (Legacy), or Setup Assistant with Modern Authentication, each option provides unique benefits to meet your organization's requirements. Harness the power of user affinity in Intune to improve device management and effectively support your users. For more detailed information and additional resources, be sure to explore the links provided throughout this blog. Happy enrolling!
