With the release of iOS 13 there were a few major changes: not only did the iPad get its own iPadOS, there were also major changes to the Mobile Device Management (MDM) enrollment modes. The Device Enrollment Program (DEP) is renamed to “Automated Device Enrollment”, and all devices enrolled with “Automated Device Enrollment” are now automatically set to supervised mode. iOS 13 also introduces a new MDM enrollment mode: User Enrollment.
What is iOS “User Enrollment” mode?
You can see iOS “User Enrollment” mode as the BYOD mode for iOS; I find it very similar to Android Enterprise – Work Profile. It gives the end user more privacy (less information is collected) and his/her device is not fully managed by the company (for example, a full wipe is not possible). Applications can be pushed to and removed from the device, but the MDM solution only inventories the apps it manages.
This gives a better separation between private and work apps and data on the same device. The security focus is on the managed applications and the company data, just like with Mobile Application Management (MAM), but with a few extra possibilities such as pushing applications.
Managed Apple IDs
User Enrollment mode uses Managed Apple IDs. A Managed Apple ID represents the user's company workspace identity and is configured alongside the user's own Apple ID on the same device. With this configured, a Work/Company iCloud Drive and a Personal iCloud Drive exist on the same device, separating private and company data even further.
Managed Apple IDs will support Azure AD federation in Apple Business Manager, but at the time of writing this blog it is still in beta and not yet available in the Apple Business Manager tenant I use.
How to configure iOS “User Enrollment” in Microsoft Intune?
Let's start with the configuration of iOS “User Enrollment” within Microsoft Intune. For the following steps, log in to the Microsoft Azure Portal.
Navigate to Intune > Device enrollment and click Apple enrollment
Click Enrollment types (preview)
Click +Create profile and select iOS
Note: Keep in mind that User Enrollment is only available for iOS at the time of writing this blog, so it will not work on iPads that are upgraded to iPadOS! It will only work for iPhones that are running iOS 13 or higher.
Give this profile a Name and a Description and click Next
Now you can select the mode in which new devices must be enrolled (optionally for a selected group of users). For this demo/blog I select Required so users have the choice themselves. Click Next
Select the group you want to assign this profile to, or select All Users. Click Next.
Click Create
The profile is now created and assigned.
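The portal steps above can also be scripted. The following is an added example (not code from the original post or from Microsoft) that builds the same kind of "Enrollment types" profile and creates it through the Microsoft Graph beta API. The collection name `deviceManagement/appleUserInitiatedEnrollmentProfiles`, the OData type, the property names `platform` and `defaultEnrollmentType`, their values and the required permission are assumptions about the beta API; the validation enforces the note above that User Enrollment is only available for iOS, not iPadOS.

```python
"""Create an Intune "Enrollment types" profile for iOS User Enrollment
through Microsoft Graph (beta).  Added example: the collection, OData type,
property names, enum values and permission name are assumptions."""
import json
import os
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"
# Assumed beta collection and OData type for Apple enrollment type profiles.
PROFILE_COLLECTION = f"{GRAPH_BETA}/deviceManagement/appleUserInitiatedEnrollmentProfiles"
PROFILE_ODATA_TYPE = "#microsoft.graph.appleUserInitiatedEnrollmentProfile"

# The post's note: User Enrollment exists for iOS 13+ only; iPads that moved to
# iPadOS cannot use it, so only the (assumed) "ios" platform value is accepted.
SUPPORTED_PLATFORMS = {"ios"}
# Assumed defaultEnrollmentType values: "device" (full MDM) or "user" (User Enrollment).
ENROLLMENT_TYPES = {"device", "user"}


def build_profile(name, description, default_type="user", platform="ios"):
    """Return the request body for a new enrollment type profile, rejecting
    platforms the post says User Enrollment does not support."""
    if not name:
        raise ValueError("profile needs a display name")
    if platform not in SUPPORTED_PLATFORMS:
        raise ValueError(f"User Enrollment is not available for platform {platform!r}")
    if default_type not in ENROLLMENT_TYPES:
        raise ValueError(f"unknown defaultEnrollmentType {default_type!r}")
    return {
        "@odata.type": PROFILE_ODATA_TYPE,
        "displayName": name,
        "description": description,
        "platform": platform,
        "defaultEnrollmentType": default_type,
    }


def create_profile(access_token, body):
    """POST the profile to Graph beta and return the created object.
    The token is assumed to carry DeviceManagementServiceConfig.ReadWrite.All."""
    req = urllib.request.Request(
        PROFILE_COLLECTION,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Dry run prints the body; set GRAPH_TOKEN to actually create the profile.
    body = build_profile("iOS User Enrollment", "BYOD iPhones, work apps and data only")
    print(json.dumps(body, indent=2))
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        print("created profile", create_profile(token, body).get("id"))
```

Assignment to a group is still done in the portal (step "Select the group you want to assign this profile to"); the script only creates the profile object.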
Enroll an iOS device in User Enrollment Mode
Now that the User Enrollment profile is created, let's enroll an iOS 13 device with it.
Left : Open the App store and search for Intune Company Portal. Install the application
Right : Open the Intune Company Portal after the installation
Left : If you have already used a Microsoft account on this device it will be listed here; in my case I click Sign in with another account
Right : If the relevant account is listed in Microsoft Authenticator you can select it here, otherwise you can add it via the + button
Left : Tap Begin
Right : Select the device owner and how you want to enroll the device. Secure work-related apps and data only = User Enrollment
Left : Click Continue
Right : Click Continue
Left : Click Continue
Right : Click Allow
Left : Click Close
Right : Navigate to Settings > General > Profile and click the Managed Profile. Then click Enrol My iPhone
Left : Sign in with your Managed Apple ID
Right : Click Agree
Left : Click Agree
Right : Decide if you want to merge your iPhone contacts with iCloud
Left : Go back to the Intune Company Portal and click Continue now
Right : Click Done
What an iOS device in User Enrollment mode looks like in the Microsoft Intune Portal
Now that the device is enrolled in User Enrollment mode, let's take a look at how it appears in the Microsoft Intune portal.
As you can see, my phone is displayed and the ownership is already set to Personal.
When opening the device, notice that the Serial number and Phone number are not available.
And when opening the Hardware details of this device, a lot of other information is not available because the device is in User Enrollment mode.
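The reduced inventory shown above matters when you report on your fleet or target policies: a User Enrollment device is personal, unsupervised and reports no serial number or phone number. The following is an added example (not code from the original post) that runs a small inventory check over device records; the records are constructed samples shaped like the Graph `managedDevice` resource as it would be returned by `GET /deviceManagement/managedDevices`, and the field names and the `deviceEnrollmentType` value `appleUserEnrollment` are assumptions about that API.

```python
"""Summarise an Intune managed-device inventory with respect to iOS User
Enrollment.  Added example: field names follow the Graph managedDevice
resource as an assumption; the records below are constructed, not real."""
from collections import Counter

# Assumed Graph value reported for an iOS User Enrollment device.
USER_ENROLLMENT = "appleUserEnrollment"
# Identifiers the post shows as unavailable for a User Enrollment device.
REDACTED_FIELDS = ("serialNumber", "phoneNumber", "imei")

# Constructed sample inventory; serials/IMEIs are placeholders, not real values.
# "userEnrollment" is (assumed) the Graph value for a regular Company Portal
# device enrollment, distinct from Apple User Enrollment.
SAMPLE_DEVICES = [
    {"deviceName": "iPhone-Robin", "operatingSystem": "iOS", "osVersion": "13.1.2",
     "deviceEnrollmentType": USER_ENROLLMENT, "managedDeviceOwnerType": "personal",
     "isSupervised": False, "serialNumber": None, "phoneNumber": None, "imei": None},
    {"deviceName": "iPad-Sales-01", "operatingSystem": "iPadOS", "osVersion": "13.1",
     "deviceEnrollmentType": "appleBulkWithoutUser", "managedDeviceOwnerType": "company",
     "isSupervised": True, "serialNumber": "SERIAL-PLACEHOLDER-1",
     "phoneNumber": None, "imei": None},
    {"deviceName": "iPhone-Corp-07", "operatingSystem": "iOS", "osVersion": "13.2",
     "deviceEnrollmentType": "userEnrollment", "managedDeviceOwnerType": "company",
     "isSupervised": False, "serialNumber": "SERIAL-PLACEHOLDER-2",
     "phoneNumber": "+00-000-000000", "imei": "IMEI-PLACEHOLDER"},
]


def is_user_enrolled(device):
    """True when the record reports Apple User Enrollment."""
    return device.get("deviceEnrollmentType") == USER_ENROLLMENT


def supervised_only_policy_targets(devices):
    """Names of devices a supervised-only configuration policy can reach.
    User Enrollment devices are unsupervised, so they never appear here."""
    return [d["deviceName"] for d in devices if d.get("isSupervised")]


def summarize(devices):
    """Count devices by enrollment type and ownership, list the identifiers
    each User Enrollment device does not report, and flag records that claim
    User Enrollment but are not marked personal/unsupervised (data-quality check)."""
    by_type = Counter(d.get("deviceEnrollmentType", "unknown") for d in devices)
    by_owner = Counter(d.get("managedDeviceOwnerType", "unknown") for d in devices)
    missing = {d["deviceName"]: [f for f in REDACTED_FIELDS if not d.get(f)]
               for d in devices if is_user_enrolled(d)}
    anomalies = [d["deviceName"] for d in devices
                 if is_user_enrolled(d)
                 and (d.get("managedDeviceOwnerType") != "personal" or d.get("isSupervised"))]
    return {"by_type": dict(by_type), "by_owner": dict(by_owner),
            "user_enrolled_missing": missing, "anomalies": anomalies}


if __name__ == "__main__":
    report = summarize(SAMPLE_DEVICES)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("supervised-only policies reach:", supervised_only_policy_targets(SAMPLE_DEVICES))
```

Run against a real export, the `user_enrolled_missing` map tells you which devices can never be matched by serial number in other asset systems, and `supervised_only_policy_targets` shows why a supervised-only policy silently skips User Enrollment phones.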
So the user has to complete the setup assistant first and add his private Apple ID?
Then install the CP and enroll? Which Apple ID should then be used? And what happens if the device gets factory reset, do we need the private Apple ID?
Hi Rkast, it's how you configure authentication. In any case it is not a private Apple ID; User Enrollment mode works only with Managed Apple IDs.
Thanks Robin,
Question 2: is the device in supervised mode after enrollment? Because most device configuration policies require supervised or DEP.
No, and MDM policy options are limited since it is marked as a personally owned device.
Excellent write up Robin!
Thanks Bilgin!
Awesome explanation Robin!
Thanks Stephan!
Great article.
I have problem with Apple user enrollment. Maybe you will be able to help me.
I have a Managed Apple ID and I had set up the user enrollment in Intune like in your article. But enrollment stops when signing in with a Managed Apple ID. I can't get past installing the management profile. After signing in with the Managed Apple ID, it requires me to sign in twice. But this time it wants to log in in the Settings tab (iTunes Store and App Store). Once I sign in nothing happens. It leaves the Settings tab (iTunes Store and App Store) open. The installation of the profile starts from the beginning.
I don't know what is wrong. Do you have any idea?
Thanks
I have the same issue. Did you ever figure this out?
Hi Robin,
Thanks for being straight to the point, I always enjoy reading your blog… I have a question, if you don't mind me asking. Do you know of any iOS enrollment type that I can configure in MS Intune to enroll remote devices that it is not possible to add in DEP/Automated Device Enrollment or through Apple Configurator?
No, not with iOS. If you want devices to automatically enroll with Intune after activation, you need DEP.
Hi Robin,
Blog is great! I have a problem when I set up user enrollment. When I try to install the management profile it asks for a Managed Apple ID, but by default it takes my company ID as Apple ID and I am not able to edit it 🙁
Hi Selva
I have the same issue. Did you resolve it?
Paul
Hi Robin,
On creating the Apple ID, does the Intune admin have to send the user an Apple ID password? They can't use their domain / O365 password?
It will be integrated with Azure AD soon, but for now you manage this within the Apple Business Manager.