Hello everyone. Today, let’s talk about enable Web Based Enrollment for iOS Devices using Intune. In this article, we will discuss Web based enrollment for iOS devices, a user-friendly way to enrol iPhones and iPads, especially when dealing with personally owned devices.
Microsoft Intune offers various ways of enrolling iOS devices into Intune. One way is through Web-based Enrollment, and the other is to use the Company Portal app. Web-based Enrollment simplifies the BYOD enrollment process.
When you enable web-based enrollment, users can enrol their devices using a web portal and can access their corporate data. This ensures that the sensitive data is secured and protected. It also simplifies the entire enrollment process and allows admins to manage iOS/iPadOS devices in a secure way.
In this blog, let’s learn how to enable the Web-based enrollment for iOS /iPad OS devices and significantly improve the user experience. The number of steps to enroll the iOS/iPad OS devices will be reduced and with this mode of enrollment users can enrol the devices on the go.
Table of Contents
Pre-requistes
This enrollment eliminates users to download the company portal application from the App Store. Instead, they can enrol their devices directly from the Safari browser on their devices. Web-based enrollment is supported from iOS/iPadOS 15.0 or later.
- Microsoft Intune License
- APNS certificate to enable iOS devices to enrol
- iOS/iPadOS device with 15.0 or later
- Enable Just-in-Time Registration
Devices having older OS versions, when trying web-based enrollment, will be prompted to install the Company Portal app and complete the enrollment. The above listed are required to enrol the iOS device using Web-based Enrollment in Intune.
- Onboard iOS/iPadOS Devices to Microsoft Defender for Endpoint
- How to Block OS Updates on iOS Devices using Intune
Enable Just-in-Time Registration(JIT)
Just-In-Time Registration helps users to enrol their devices directly from work or school apps without the need to install the Company portal app. Essentially, it utilises Apple SSO extensions to register the device with Microsoft Entra ID and Perform Compliance checks. Let’s see how to enable JIT Registration in below steps
- Log in to the Microsoft Intune Admin Centre
- Click Devices > Configuration > Create > New Policy
- Click on Template and select the Device Features template
Now, provide a Name to identify the policy and a Description for the Policy, and click Next. The Description should be why we are creating the policy, and you can include the change number if your organisation uses a change management process to track the changes made in the production environment.
Now, under the Configuration Settings page, we can see various categories. Now, click on Single sign-on app extension, and configure the app extensions. Now, select the SSO app extension type as Microsoft Entra ID, and if you want to enrol the device in shared mode, click yes next to Enable shared device mode.
Under the App bundle ID section, add the application bundle ID to enable the single sign-in for the applications. I have added a few applications like Teams, Company Portal, Outlook, and Microsoft Edge. If you want these applications to be installed on their devices, we can deploy them as Required apps.
Now, add the required key value pair under the additional configuration as per the table below. These configurations will help users to enrol the device and sync the devices. You can deploy the Company portal app for users to install organisational apps.
| Key | Type | Value |
|---|---|---|
| device_registration | String | {{DEVICEREGISTRATION}} |
| browser_sso_interaction_enabled | integer | 1 |
Now, click on Next to the scope tags screen and assign the tags if you have any. Click Next on the Scope tags screen to the assignment screen. Now add user groups to which you want to assign the configurations and click Next. You can add an exclusion group in order to exclude users.
Click on Next to Review+Create screen. Review the settings and assignment groups and click on Create. This will create a policy for Just-in-Time Registration for iOS enrollment. We have completed the major step in enabling the Web based enrollment for iOS devices
Create Enrollment Types
Now, we have completed the prerequisite, let’s create the Enrol type. Here, you will define what kind of enrollment for users. Intune supports various types of enrollment like Web based device enrollment, Account-Driven user enrollment, Device enrollment based on Company portal, Determine based on user choice.
As we are discussing Web based enrollment, let’s see below how to create the Enrollment type for Web based enrollment iOS/iPad OS devices in steps below
- Log in to the Microsoft Intune Admin Centre
- Click Devices > iOS/iPadOS > Enrollment
- Click on Enrollment Types
On the Enrollment type page, click on Create profile and choose iOS/iPad OS. Here we will create the enrollment type and assign this configuration to users.
On the Basics page, provide a Name for the enrollment type and provide a Description for the enrollment type. The description can be anything that identifies why the policy has been created. Once added, click on Next to the Settings page.
On the Settings page, let’s choose Enrolment type as Web based Enrollment for Web based iOS enrollment. As mentioned above, Intune supports various other types of enrollment. Now, click on Next to move to the Assignment screens
On the Assignments page, click on Add groups to add the user groups. Search for the group you want to assign, add the group, and click on Next to the Review+Create screen. Let’s see how users can enrol their devices without the Company portal application installed on their devices.
User Experience
Now we have completed all the required settings to enable users to enrol their iOS devices using web based enrollment. Now let’s see the enrollment. Whenever a user joins or wants to enable the iOS device enrollment, please share the following enrollment URL with the users
The user should open the enrollment URL only on the Safari browser. If a user tries to enrol the devices on a different browser, they are prompted to use the Safari browser. As soon as they enter the Enrollment URL, they are prompted to enter user username and password. Once users authenticate successfully, users are prompted to start the Enrollment. Click on Get Started to begin the enrollment.
Once the user starts the enrollment, users are prompted to download the MDM profile, and click on Allow to download the profile. Once the profile is downloaded, follow the steps to install the profile. Open Settings > General > Scroll to the bottom and click on VPN and Mobile Device Management
Now, click on Install to install the MDM profile. Now the profile will give information about the MDM certificate and information collected, and what an admin can perform on the device. Once satisfied, click on Install again and click on Trust to trust the MDM profile.
Now, once you click on Trust, the MDM profile starts installing on the device. Once installation is completed, click on Done to complete the enrollment. Now users have completed the enrollment using web based enrollment method successfully. As I have pushed a few apps as Required, the apps started installing on the device.
As we have set up the Apple SSO extensions, apps will be automatically signed in without the user entering the credentials. Due to the Additional Configuration configured in the SSO extension, the device will sync with Intune and Entra ID for policies and Conditional Access policies.
Conclusion
With the Web based iOS enrollment, users will get the required access to devices, and as an Admin, you can protect the corporate data on their devices without affecting the users’ personal data and application usage. It is a more user-friendly enrollment method when compared to Company portal based enrollment. With this, we come to a closure of this post, and we will meet you with another interesting topic again.
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
About Author – Narendra Kumar Malepati (Naren) has 13+ years of experience in IT, working on different MDM tools. Over the last seven years, Naren has been working on various features of Intune, including migration from different MDMs to Intune. Naren mainly focuses on Android, iOS, and MacOS.