Greetings everyone, in this blog I will describe how to enroll an iOS/iPadOS device without assigning a primary user. These enrollment methods are beneficial when an administrator does not need to permanently associate a user with a device. This approach provides flexibility, allowing businesses to efficiently manage resources by enabling shared access among employees.
Requirements
Mobile Device Management (Microsoft Intune)
Appel Business manager Account
APNS Certificate
Supported OS iOS/iPadOS 16+
Automated Device Enrollment (ADE) Token
Where can these types of profiles be used?
Managing a userless iOS device with Intune enhances security by blocking user access to sensitive data, simplifies management for shared devices like kiosks, eases policy application for multiple users, and allows remote erasure if lost or compromised, while maintaining standard iOS functionality. This is particularly useful in environments like hot-desking or industries with frequent location changes, streamlining operations and boosting productivity. It ensures secure use in digital signage, kiosks, point-of-sale systems, shared public access, automated testing, and tasks without user involvement.
Step 1: Log into the Microsoft Intune Admin center, navigate to and select "Devices" from the left panel. Choose "iOS/iPadOS," tap on "Enrollment" under "Device onboarding," and select "Enrollment program token." Choose the token for which you need to create a new profile.
Step 2: Choose profiles and tap on Create Profile, then select iOS/iPadOS. Enter a suitable name and description, and tap on next.
Step 3: Choose the User Affinity & Authentication Method, opting to enroll without user affinity. Select the remaining management options according to your requirements and specify any naming conventions if necessary and tap on next
Step 4: Choose the appropriate options under the Setup Assistance Screen, which will appear during the device enrollment and tap on Next.
This table describes the Setup Assistant screens shown during automated device enrollment for iOS/iPadOS. You can show or hide these screens on compatible devices during enrollment.
Setup Assistant Screen | What Happens When Visible |
Passcode | Displays the passcode and password lock screen to users, prompting them to enter a passcode. |
Location Services | The location services setup screen allows users to enable location services on their device. Supports iOS/iPadOS 7.0 and later. |
Restore | The apps and data setup screen allows users to restore or transfer data from iCloud Backup when setting up their devices. This feature is available for iOS/iPadOS 7.0 and later. |
Apple ID | Shows the Apple ID setup pane, which gives users to the option to sign in with their Apple ID and use iCloud. For iOS/iPadOS 7.0 and later. |
Terms and conditions | Shows the Apple terms and conditions pane, and requires users to accept them. For iOS/iPadOS 7.0 and later. |
Touch ID and Face ID | The biometric setup pane allows users to set up fingerprint or facial recognition on their devices. This feature is available for iOS/iPadOS 8.1 and later, but with some limitations. For more details, see the 'Limitations' section in this article. |
Apple Pay | Displays the Apple Pay setup screen, allowing users to set up Apple Pay on their devices. For iOS/iPadOS 7.0 and later. |
Zoom | The zoom setup pane allows users to configure their zoom settings. This feature was available in iOS/iPadOS 8.3 and later, but is now deprecated in iOS/iPadOS 17. |
Siri | Shows the Siri setup pane to users. For iOS/iPadOS 7.0 and later. |
Diagnostics Data | Shows the diagnostics pane where users can opt in to send diagnostic data to Apple. For iOS/iPadOS 7.0 and later. |
Display Tone | Displays the display tone setup pane, where users can adjust the display's white balance settings. This feature was available in iOS/iPadOS 9.3.2 and later, but has been deprecated in iOS/iPadOS 15. |
Privacy | Shows the privacy setup pane to the user. For iOS/iPadOS 11.3 and later. |
Android Migration | Shows a setup pane meant for previous Android users. On this screen, users can migrate data from an Android device. For iOS/iPadOS 9.0 and later. |
iMessage & FaceTime | Shows the setup pane for iMessage and FaceTime. For iOS/iPadOS 9.0 and later. |
Onboarding | Shows onboarding informational screens for user education, such as Cover Sheet and Multitasking and Control Center. For iOS/iPadOS 11.0 and later. |
Screen Time | Shows the Screen Time screen. For iOS/iPadOS 12.0 and later. |
SIM Setup | Shows the cellular setup pane, where users can add a cellular plan. For iOS/iPadOS 12.0 and later. |
Software Update | Shows the mandatory software update screen. For iOS/iPadOS 12.0 and later. |
Watch Migration | Shows the Apple Watch migration pane, where users can migrate data from an Apple Watch. For iOS/iPadOS 11.0 and later. |
Appearance | Shows the appearance setup pane. For iOS/iPadOS 13.0 and later. |
Device to Device Migration | The device-to-device migration screen lets users transfer data from an old device to their current one. However, this direct transfer option is not available for devices running iOS 13 or later. |
Restore Completed | Shows users the Restore Completed screen after a backup and restore is performed during Setup Assistant. |
Software Update Completed | Shows users all software updates that happen during Setup Assistant. |
Get Started | Shows users the Get Started welcome screen. |
Terms of Address | The terms of address pane allows users to choose how they want to be addressed: feminine, masculine, or neutral. This Apple feature is available for select languages. For more details, see the Key Features and Enhancements. Requires iOS/iPadOS 16.0 or later. |
Emergency SOS | Shows the safety setup pane. For iOS/iPadOS 16.0 and later. |
Action button | Shows the configuration pane for the action button. For iOS/iPadOS 17.0 and later. |
Intelligence | Shows the Apple Intelligence setup pane, where users can configure Apple Intelligence features. For iOS/iPadOS 18.0 and later. |
Step 5: Review the configuration and tap 'Create' once completed.
To enroll the device using the user-less device enrollment method, assign it to the profile. You can refer to this blog for instructions on how to assign a device to a profile How to Allocate a Device to the ADE Profile
Now let's explore the user experience on an end device.
Conclusion
Enrolling iOS and iPadOS devices in Microsoft Intune without user-affinity provides a streamlined and secure solution for businesses needing shared device access. By following the detailed instructions, organizations can ensure their devices are efficiently managed and protected without requiring permanent user association. This approach is especially advantageous in environments like kiosks, shared workspaces, and hot-desking scenarios, where flexibility and security are crucial. Implementing this enrollment process not only simplifies device management but also strengthens the organization's overall security posture. Adopt this method to optimize your device management strategy and ensure seamless operations across your enterprise.