With the release of iOS 13 there were a few major changes. Not only did the iPads get their own iPadOS, there are also major changes to the Mobile Device Management (MDM) enrollment modes. The Device Enrollment Program (DEP) is renamed to “Automated Device Enrollment”, and all devices enrolled with “Automated Device Enrollment” are now automatically set to supervised mode. There is also a new MDM enrollment mode introduced with the release of iOS 13: the User Enrollment mode.
What is iOS “User Enrollment” mode?
You can see iOS “User Enrollment” mode as the BYOD mode for iOS; I find it very similar to Android Enterprise – Work Profile. It gives the end user more privacy (less information is collected), and his/her device is not fully managed by the company (for example, a full wipe is not possible). Applications can be pushed to and removed from the device, but the MDM solution only collects information about the apps it manages.
This gives a better separation between private and work apps and data on the same device. The security focus is on the managed applications and the company data, just like with Mobile Application Management (MAM), but with a few extra possibilities such as pushing applications.
Managed Apple IDs
User Enrollment mode uses Managed Apple IDs. The Managed Apple ID represents the user's company workspace identity and is configured alongside the user's own Apple ID on the same device. With this configured, a Work/Company iCloud Drive and a Personal iCloud Drive exist on the same device, separating private and company data even further.
Managed Apple IDs will support Azure AD federation in Apple Business Manager, but at the time of writing this blog it is still in beta and currently not available in the Apple Business Manager I use.
How to configure iOS “User Enrollment” in Microsoft Intune?
Let's start with the configuration of iOS “User Enrollment” within Microsoft Intune. For the following steps, log in to the Microsoft Azure Portal.
Navigate to Intune > Device enrollment and click Apple enrollment
Click Enrollment types (preview)
Click +Create profile and select iOS
Note: keep in mind that User Enrollment is only available for iOS at the time of writing this blog, so it will not work on iPads that are upgraded to iPadOS! It only works on iPhones running iOS 13 or higher.
Give this profile a Name and a Description and click Next
Now you can select in which mode new devices must be enrolled (or in which mode a selected group of users must enroll). I select Required so users have the choice themselves for this demo/blog. Click Next.
Select the group you want to assign this profile to, or select All Users. Click Next.
The profile is now created and assigned.
Enroll an iOS device in User Enrollment Mode
Now that the User Enrollment profile is created, let's enroll an iOS 13 device with it.
Left : Open the App store and search for Intune Company Portal. Install the application
Right : Open the Intune Company Portal after the installation
Left : If you have already used a Microsoft account on this device it will be listed here; in my case I click Sign in with another account
Right : If the relevant account is listed in the Microsoft Authenticator you can select it here; otherwise you can add it via the + button
Left : Tap Begin
Right : Select the device owner and how you want to enroll the device. Secure work-related apps and data only = User Enrollment
Left : Click Continue
Right : Click Continue
Left : Click Continue
Right : Click Allow
Left : Click Close
Right : Navigate to Settings > General > Profile and click the Managed Profile. Then click Enrol My iPhone
Left : Sign in with your Managed Apple ID
Right : Click Agree
Left : Click Agree
Right : Decide if you want to merge your iPhone contacts with iCloud
Left : Go back to the Intune Company Portal and click Continue now
Right : Click Done
What an iOS device in User Enrollment mode looks like in the Microsoft Intune Portal
Now that the device is enrolled in User Enrollment mode, let's take a look at how it looks in the Microsoft Intune portal.
As you can see, my phone is displayed and the ownership is already set to Personal.
When opening the device, notice that the Serial number and Phone number are not available.
And when opening the Hardware details of this device, a lot of other information is not available either, since this device is in User Enrollment mode.
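The reduced inventory has a practical consequence for anyone running compliance or asset reports over Intune data: a blank serial number or phone number is expected for a User Enrollment device, not an anomaly, while the same blank on a fully device-enrolled corporate phone is worth a look. The script below is an added example (not code from the original post, from Microsoft, or from Intune) that audits an exported device list with that distinction in mind. The column names ("Device name", "Ownership", "Enrollment type", "Serial number", "Phone number") and the sample rows are assumptions and constructed data; map them to the columns of your own export before use.

```python
"""Audit an exported Intune device inventory by enrollment mode.

Added example, not part of the original post. The CSV column names and
the sample rows below are assumptions/constructed data, not real devices
or a real Intune export.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (column names are assumed).
SAMPLE_EXPORT = """\
Device name,Ownership,Enrollment type,Serial number,Phone number
iPhone-user-01,Personal,User enrollment,,
iPhone-user-02,Personal,User enrollment,,
iPhone-corp-01,Corporate,Device enrollment,SERIAL-PLACEHOLDER-1,+15550000001
iPhone-corp-02,Corporate,Device enrollment,,
iPhone-user-03,Personal,User enrollment,SERIAL-PLACEHOLDER-2,
"""

USER_ENROLLMENT = "User enrollment"
IDENTIFIER_COLUMNS = ("Serial number", "Phone number")


def load_inventory(csv_text):
    """Parse the export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def summarize(rows):
    """Count devices per (enrollment type, ownership) pair."""
    summary = defaultdict(int)
    for row in rows:
        summary[(row["Enrollment type"], row["Ownership"])] += 1
    return dict(summary)


def missing_identifier_findings(rows):
    """Names of fully enrolled devices that report no serial number.

    User Enrollment devices never expose serial or phone number, so a
    blank there is expected and skipped. A blank serial on a device
    enrolled in the fully managed mode is the actual finding.
    """
    findings = []
    for row in rows:
        if row["Enrollment type"] == USER_ENROLLMENT:
            continue
        if not row["Serial number"].strip():
            findings.append(row["Device name"])
    return findings


def unexpected_identifier_findings(rows):
    """Names of User Enrollment devices that DO report an identifier.

    This contradicts what User Enrollment collects, so the row is worth
    reviewing (for example, a mislabeled enrollment type in the export).
    """
    findings = []
    for row in rows:
        if row["Enrollment type"] != USER_ENROLLMENT:
            continue
        if any(row[col].strip() for col in IDENTIFIER_COLUMNS):
            findings.append(row["Device name"])
    return findings


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_EXPORT)
    for (mode, owner), count in sorted(summarize(inventory).items()):
        print(f"{mode:>18} / {owner:<9}: {count}")
    print("Fully enrolled, missing serial:", missing_identifier_findings(inventory))
    print("User enrolled, unexpected identifier:", unexpected_identifier_findings(inventory))
```

Running the script on the constructed sample reports two User Enrollment and two Device Enrollment rows per ownership, flags iPhone-corp-02 as a fully managed device with no serial, and flags iPhone-user-03 because a User Enrollment device should not be reporting one.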