Hello everyone, in today’s article, let’s see how to enroll iOS/iPadOS devices in Intune and what the prerequisites are. We will cover the configuration required in Microsoft Intune before a device can enroll, and then the steps an end user follows to enroll a device.
Managing iOS/iPadOS devices with Microsoft Intune helps protect the organization’s data and enforces security policies such as passcode requirements, encryption, and app management. Both BYOD (personal) and corporate-owned devices can be enrolled.
This article lists the Intune-specific prerequisites and configurations needed to prepare your tenant for enrollment. Once personal or organization-owned devices are enrolled, they receive the policies and profiles you create.
Intune supports three types of enrollment for iOS/iPadOS devices. In this article, we will discuss the BYOD scenario; ADE and Apple Configurator enrollment will be the topic of another day.

| Type of device | Enrollment mode |
|---|---|
| Corporate-owned devices | Automated Device Enrollment (ADE) |
| Corporate-owned devices | Apple Configurator |
| Bring your own device (BYOD) | User-driven enrollment |
Prerequisites to Enroll iOS/iPadOS Devices in Intune
Let’s discuss the prerequisites for enrolling any iOS device in Intune.
- OS requirements
- Apple Push Notification certificate
- Device Platform Enrolment Restrictions
- Create Compliance policy for iOS/iPadOS devices
To enroll an iOS/iPadOS device in Intune, the device must be running one of the OS versions below.
- Apple iOS 14.0 and later
- Apple iPadOS 14.0 and later
Apple Push Notification certificate: The Apple Push Notification service (APNs) certificate, usually written APNS certificate, is what allows Intune to enroll and manage iOS, iPadOS, and macOS devices: Intune uses it to push a notification that tells the device to check in for policy. The certificate is valid for one year and must be renewed every year.
For creating the APNS certificate, please refer to the article Enroll macOS in Intune with Step-by-Step Guide.
Note: The APNS certificate is tied to the Apple ID (email address) used to create it. Use a shared corporate Apple ID that is not associated with any individual user, record it somewhere the team can find it, and always renew with that same Apple ID: a certificate created or renewed with a different Apple ID is a different certificate, and every enrolled Apple device would have to be re-enrolled. Once the certificate expires, we have a 30-day grace period to renew it. Until it is renewed, Intune cannot contact the Apple devices: already-enrolled devices stay enrolled but cannot be managed, and new enrollment is not possible.
The APNS certificate’s subject contains a unique UID of the form com.apple.mgmt.External.<GUID>; this value is the push topic. To check it, open the certificate details and look at the Subject, which shows the GUID portion of the UID. The same value can be validated on an enrolled device by navigating to Settings -> General -> Device Management -> Management Profile -> More Details -> Management Profile and looking for the Topic, which must match the GUID in the APNS certificate.
Intune notifies admins about the upcoming expiry of the APNS certificate a month in advance. The expiry date can be checked by navigating as shown in the screenshot below.
- Microsoft Intune -> Tenant administration -> Connector Status -> APNS expiry
As a best practice, always renew the APNS certificate at least a month before the expiry date, and do not rely on the portal notification alone; a scheduled check that alerts the team avoids last-minute mistakes.
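The following script is an added example, not code from the original article or from Microsoft: it reads the tenant’s APNS certificate record from Microsoft Graph, reports how many days remain, flags it when the 30-day renewal window (the one month the article recommends) has been entered, and extracts the topic GUID so it can be compared with the Topic shown in the device’s management profile. Assumptions on my part: the Graph v1.0 resource GET /deviceManagement/applePushNotificationCertificate returns the fields appleIdentifier, topicIdentifier and expirationDateTime; a token with DeviceManagementServiceConfig.Read.All is supplied in a GRAPH_TOKEN environment variable; without a token it runs against a constructed sample response.

```python
"""Check the tenant's APNs MDM push certificate for upcoming expiry via Microsoft Graph.

Added example, not code from the original article. Assumptions (mine, not the
article's): the Graph v1.0 resource
GET /deviceManagement/applePushNotificationCertificate returns the fields
'appleIdentifier', 'topicIdentifier' and 'expirationDateTime'; a bearer token
with DeviceManagementServiceConfig.Read.All is supplied in the GRAPH_TOKEN
environment variable when the script is run against a real tenant.
"""
import json
import os
import sys
import urllib.request
from datetime import datetime, timezone

GRAPH_URL = "https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate"
RENEW_WITHIN_DAYS = 30                      # the article's advice: renew at least a month before expiry
TOPIC_PREFIX = "com.apple.mgmt.External."   # UID form of an MDM push certificate's subject

# Constructed sample of the Graph response for offline use; every value is made up.
SAMPLE_RESPONSE = {
    "appleIdentifier": "intune-apns@contoso.example",
    "topicIdentifier": "com.apple.mgmt.External.11111111-2222-3333-4444-555555555555",
    "expirationDateTime": "2025-03-15T10:00:00Z",
    "certificateUploadStatus": "success",
}


def parse_iso(stamp: str) -> datetime:
    """Graph emits ISO 8601 with a trailing 'Z'; return an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def fetch_apns_certificate(token: str) -> dict:
    """Read the APNs certificate record from Graph (network call, needs a real token)."""
    req = urllib.request.Request(GRAPH_URL, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def days_until_expiry(record: dict, now: datetime) -> int:
    """Whole days left before 'expirationDateTime'; negative once the certificate has expired."""
    return (parse_iso(record["expirationDateTime"]) - now).days


def renewal_status(record: dict, now: datetime) -> str:
    """'expired', 'renew-now' (inside the 30-day window Intune warns about) or 'ok'."""
    days = days_until_expiry(record, now)
    if days < 0:
        return "expired"
    if days <= RENEW_WITHIN_DAYS:
        return "renew-now"
    return "ok"


def topic_guid(record: dict) -> str:
    """GUID part of the push topic; on an enrolled device it appears as 'Topic' in the management profile."""
    topic = record["topicIdentifier"]
    if not topic.startswith(TOPIC_PREFIX):
        raise ValueError(f"unexpected topic identifier: {topic}")
    return topic[len(TOPIC_PREFIX):]


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    record = fetch_apns_certificate(token) if token else SAMPLE_RESPONSE
    now = datetime.now(timezone.utc)
    status = renewal_status(record, now)
    print(f"Apple ID used: {record['appleIdentifier']}")
    print(f"Topic GUID:    {topic_guid(record)}")
    print(f"Expires:       {record['expirationDateTime']} ({days_until_expiry(record, now)} days) -> {status}")
    # Non-zero exit so a scheduled job or pipeline can raise an alert on it.
    sys.exit(0 if status == "ok" else 1)
```

Run it from a scheduled job with GRAPH_TOKEN set; the non-zero exit code when the status is anything other than ok is what turns it into an alert. The appleIdentifier printed first is the Apple ID that must be used for the renewal.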
Device platform enrollment restrictions: Intune’s device enrollment restrictions control which devices are allowed to enroll, based on device platform, OS version, manufacturer, or ownership type (personal or corporate). Restrictions are evaluated at enrollment time only; a device that is already enrolled is not affected by a restriction created afterwards.
To create a device platform restriction, follow the steps below.
- Sign in to the Microsoft Intune admin center at https://intune.microsoft.com/.
- Go to Devices -> Enroll devices -> Device platform restrictions -> iOS restrictions, and click Create restriction.
- Provide a name and description for the restriction and click Next. Set MDM to Allow.
- Define the minimum OS version allowed to enroll (a common rule is to allow n-1, where n is the current major iOS version) and, if required, a maximum OS version. Leaving the maximum blank allows all newer versions.
- Set Personally owned devices to Allow. This is the setting that permits BYOD enrollment; set it to Block if only corporate-owned devices should enroll.
- Click Next and assign scope tags if required.
- Click Next and assign the restriction to a specific group or to all users.
- Click Next, review the restriction, and click Create.
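The same restriction can be created through Microsoft Graph, which is how you would keep it in source control or roll it out to several tenants. The script below is an added example, not code from the original article or from Microsoft. It builds the iOS/iPadOS restriction payload (MDM allowed, personal devices allowed, minimum OS version set to n-1) and includes the version comparison Intune has to perform, because naive string comparison gets cases such as 16.10 versus 16.9 wrong. Assumptions on my part: the payload shape follows the Graph beta resource deviceEnrollmentPlatformRestrictionConfiguration posted to /beta/deviceManagement/deviceEnrollmentConfigurations with DeviceManagementServiceConfig.ReadWrite.All; the bearer token comes from a GRAPH_TOKEN environment variable; the inclusive treatment of the minimum and maximum bounds is my implementation, not a statement about Intune internals.

```python
"""Build an Intune iOS/iPadOS enrollment platform restriction and check a device version against it.

Added example, not code from the original article. Assumptions (mine): the
payload matches the Microsoft Graph beta resource
deviceEnrollmentPlatformRestrictionConfiguration, created with
POST https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations
(DeviceManagementServiceConfig.ReadWrite.All); when run for real the bearer
token is read from the GRAPH_TOKEN environment variable.
"""
import json
import os
import urllib.request
from typing import Tuple

GRAPH_CONFIGS_URL = "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations"


def parse_version(version: str) -> Tuple[int, ...]:
    """'16.7.2' -> (16, 7, 2). Integer tuples compare numerically, so 16.10 > 16.9 (strings would say otherwise)."""
    version = version.strip()
    if not version:
        raise ValueError("empty version string")
    return tuple(int(part) for part in version.split("."))


def _padded(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad with zeros so that '16.0' and '16.0.0' compare as equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_allowed(reported: str, minimum: str = "", maximum: str = "") -> bool:
    """True if the device's reported OS version lies inside the inclusive [minimum, maximum] window.
    An empty bound means 'no limit', like a blank field in the admin center."""
    rep = parse_version(reported)
    if minimum:
        r, m = _padded(rep, parse_version(minimum))
        if r < m:
            return False
    if maximum:
        r, m = _padded(rep, parse_version(maximum))
        if r > m:
            return False
    return True


def n_minus_one_minimum(current_major: int) -> str:
    """The article's rule of thumb: allow n-1, where n is the current major iOS version."""
    return f"{current_major - 1}.0"


def build_ios_restriction(name: str, description: str, os_minimum: str,
                          os_maximum: str = "", allow_personal: bool = True) -> dict:
    """Graph payload for an iOS/iPadOS platform restriction that allows MDM enrollment."""
    return {
        "@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration",
        "displayName": name,
        "description": description,
        "platformType": "ios",
        "platformRestriction": {
            "@odata.type": "microsoft.graph.deviceEnrollmentPlatformRestriction",
            "platformBlocked": False,                          # MDM: Allow
            "personalDeviceEnrollmentBlocked": not allow_personal,  # Personally owned: Allow/Block
            "osMinimumVersion": os_minimum,
            "osMaximumVersion": os_maximum,
            "blockedManufacturers": [],
        },
    }


def create_restriction(payload: dict, token: str) -> dict:
    """POST the restriction to Graph (network call; the created object still needs to be assigned)."""
    req = urllib.request.Request(
        GRAPH_CONFIGS_URL,
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    payload = build_ios_restriction("iOS BYOD restriction", "Allow personal iOS/iPadOS, n-1 and newer",
                                    os_minimum=n_minus_one_minimum(17))
    print(json.dumps(payload, indent=2))
    minimum = payload["platformRestriction"]["osMinimumVersion"]
    for v in ("15.8.3", "16.0", "16.10", "17.5"):   # constructed device-reported versions
        print(f"{v:>7}: {'allowed' if version_allowed(v, minimum) else 'blocked'}")
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        print("created", create_restriction(payload, token)["id"])
```

Creating the object through Graph corresponds to the wizard up to the review step; assigning it to a group (the admin center’s last step) is a separate action on the created configuration and is not shown here. The version check is also a quick way to sanity-test a restriction before rollout: feed it the versions you see in your device inventory and confirm nothing you rely on is blocked by accident.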
Create compliance policy for iOS/iPadOS devices: To protect corporate data, the user’s device must be compliant. A compliance policy defines checks such as blocking jailbroken devices, requiring a device passcode (which is also what enables data protection encryption on iOS), and a minimum OS version. Note that a compliance policy on its own only marks the device compliant or non-compliant; blocking access to corporate data until the device is compliant comes from a Conditional Access policy that requires a compliant device. For more on compliance policy, please refer to Create Intune Compliance Policy for iOS iPadOS Devices.
Enroll iOS/iPadOS Devices in Intune
With the Intune environment prepared from the administrator’s side, end users can enroll their devices. Before they start, communicate the minimum iOS/iPadOS requirements to users and make sure each user has an Intune license assigned.
Note: Before enrolling the device in Intune, make sure it is not already managed by another MDM. Verify this on the device under Settings -> General, scrolling to the bottom and looking for Device Management (labelled VPN & Device Management on newer iOS versions). If there is no such entry, the device is ready to enroll in Intune.
If a management profile is present, remove it: Settings -> General -> scroll to the bottom -> Device Management -> select the management profile -> Remove Management. Removing the profile also removes the apps, accounts, and data the previous MDM pushed, so the user should expect that; and a profile installed through ADE is normally non-removable from Settings, in which case the device must be released by the previous MDM first.
Please follow the steps below to enroll the device in Intune.
- Install the Company Portal app from the App Store.
- Once installed, open the Company Portal app and tap Sign in.
- Enter the user’s email address and password, then tap Begin.
- Review the privacy details and tap Continue to download the management profile. This step redirects to Safari; tap Allow to download the profile.
- Go to Settings -> General -> scroll to the bottom -> Device Management (the downloaded profile is listed there). Tap Install three times, entering the device passcode when prompted.
- Tap Trust. The profile is now installed; tap Done.
- Return to the browser and tap Continue, then Continue again. The device now checks compliance. If it is non-compliant, the user is shown the steps needed to make it compliant, as in the screenshot below.
Once the device is compliant, Intune grants access to corporate data.
So this is how a user enrolls a device in Intune. As an admin, we can publish LOB apps to users and install selected apps silently on the device to improve the user experience. We will discuss app deployment in Intune in another post. Till then, happy learning.