The first requirement for iOS and MAC OS device enrollment is the setup of Apple MDM push cert. You need to download unique certificate signing request (CSR) from Intune tenant and upload the same to the Apple portal. Once uploaded successfully, you will get an option to download the Apple MDM push cert from Apple portal. MDM push cert has to be uploaded to Intune portal so that you can enroll iOS and MAC OS devices via Intune. This process has been explained in the above video. I assumed that Intune MDM authority setting has already completed before setting up Apple MDM push cert and configuring Enrollment restriction policies.
Video about the setting up iOS/MAC OS MDM management via Intune here
Once Apple MDM push cert setup has completed then, we could proceed with the following configurations related to iOS and MacOS management. As next step, I would configure the Enrollment Restriction rules for iOS devices. If your organization has taken a decision not to allow (block) personal iOS devices from enrolling into Intune then, you need to setup enrollment restriction type based on the platform configurations. I have a detailed post about restricting personal iOS devices here.
Next step is to setup Conditional Access policies for iOS devices (while we are still waiting for Mac OS conditional Access policy). I would recommend doing this at the time of initial setup of Intune. As you can see in the following screen capture, you have a couple of options. Either you can select individual supported platforms for Conditional Access policy, or you can select “All platforms (including unsupported).” Somehow my recommendation is to use the later one “All platforms (including unsupported).”
Azure AD Conditional access policies can be deployed either combined with compliance policies or without compliance policies. I would recommend deploying conditional access policies with compliance policies. So, next step is to set compliance policies for iOS devices. Are you wondering why there is no encryption option/compliance policy for iOS devices? If so, there is no need of encryption policy for iOS devices because those devices will get encrypted once the password has enforced for devices.
After compliance policy settings, it’s time to setup configuration policies for iOS and MAC OS devices. Intune Configuration policies are there to deploy security settings for the devices. Also, these types of policies can be used to enable or disable features of devices. Details about different types of Intune configuration profiles are discussed here in my previous video blog post. Device restriction policies are nothing but security configuration policies in Intune Azure portal.
Above mentioned policies are very basic policies which you wanted to configure in case your organization has decided to manage iOS and MAC Os devices via Intune. There are loads of advanced kind of MDM policy management options available with Microsoft Intune. You can also create custom configuration policies for iOS devices if some of your security requirements are not available as out of box with Intune configuration policies. Apart from that, you can deploy Wi-Fi profile, VPN profile and Certs to iOS devices using Intune MDM.
Another option with Intune MAM WE (without enrollment) is to manage corporate applications via MAM policies and MAM WE Conditional Access policies. In this scenario, your users don’t need to enroll into Intune MDM management. So, this is another decision point for each organization whether they should use MAM WE or MDM channel of iOS management.