Enroll iOS devices with Apple Configurator
Intune supports the enrollment of iOS devices using Apple Configurator running on a Mac computer. Enrolling with Apple Configurator requires that you USB-connect each iOS device to a Mac computer to set up corporate enrollment. You can enroll devices into Intune with Apple Configurator in two ways:
- Setup Assistant enrollment - Factory resets the device and prepares it to enroll during Setup Assistant.
- Direct enrollment - Does not factory reset the device and enrolls the device through iOS settings. This method only supports devices with no user affinity.
Apple Configurator enrollment methods can't be used with the device enrollment manager.
- Physical access to iOS devices
- Set MDM authority
- An Apple MDM push certificate
- Device serial numbers (Setup Assistant enrollment only)
- USB connection cables
- macOS computer running Apple Configurator 2.0
Create an Apple Configurator profile for devices
A device enrollment profile defines the settings applied during enrollment. These settings are applied only once. Follow these steps to create an enrollment profile to enroll iOS devices with Apple Configurator.
In Intune, choose Device enrollment > Apple enrollment > Apple Configurator > Profiles > Create.
Under Create Enrollment Profile, type a Name and Description for the profile for administrative purposes. Users do not see these details. You can use this Name field to create a dynamic group in Azure Active Directory. Use the profile name to define the enrollmentProfileName parameter to assign devices with this enrollment profile. Learn more about Azure Active Directory dynamic groups.
For User Affinity, choose whether devices with this profile must enroll with or without an assigned user.
- Enroll with user affinity - Choose this option for devices that belong to users and that want to use the company portal for services like installing apps. The device must be affiliated with a user with Setup Assistant and can then access company data and email. Only supported for Setup Assistant enrollment. User affinity requires WS-Trust 1.3 Username/Mixed endpoint. Learn more.
Multifactor authentication (MFA) doesn't work during enrollment set up with user affinity. After enrollment, MFA works as expected on devices. Devices can't prompt users who need to change their password when they first sign in. Additionally, users with expired passwords aren't prompted to reset their password during enrollment. Users must use a different device to reset the password.
- Enroll without User Affinity - Choose this option for devices unaffiliated with a single user. Use this for devices that perform tasks without accessing local user data. Apps requiring user affiliation (including the Company Portal app used for installing line-of-business apps) won’t work. Required for direct enrollment.
If you chose Enroll with User Affinity, you have the option to let users authenticate with Company Portal instead of the Apple Setup Assistant.
Choose Create to save the profile.
Setup Assistant enrollment
Add Apple Configurator serial numbers
Create a two-column, comma-separated value (.csv) list without a header. Add the serial number in the left column, and the details in the right column. The current maximum for the list is 5,000 rows. In a text editor, the .csv list looks like this:
In Intune, choose Device enrollment > Apple enrollment > Apple Configurator > Devices > Add.
Select an Enrollment profile to apply to the serial numbers you're importing. If you want the new serial number details to overwrite any existing details, choose Overwrite details for existing identifiers.
Under Import Devices, browse to the csv file of serial numbers, and select Add.
Reassign a profile to device serial numbers
You can assign an enrollment profile when you import iOS serial numbers for Apple Configurator enrollment. You can also assign profiles from two places in the Azure portal:
- Apple Configurator devices
- AC profiles
Assign from Apple Configurator devices
- In Intune, choose Device enrollment > Apple enrollment > Apple Configurator > Devices > choose the serial numbers > Assign profile.
- Under Assign Profile, choose the New profile you want to assign, and then choose Assign.
Assign from profiles
- In Intune, choose Device enrollment > Apple enrollment > Apple Configurator > Profiles > choose a profile.
- In the profile, choose Devices assigned, and then choose Assign.
- Filter to find device serial numbers you want to assign to the profile, select the devices, and then choose Assign.
Export the profile
After you create the profile and assign serial numbers, you must export the profile from Intune as a URL. You then import it into Apple Configurator on a Mac for deployment to devices.
In Intune, choose Device enrollment > Apple enrollment > Apple Configurator > Profiles > choose the profile to export.
On the profile, select Export Profile.
Copy the Profile URL. You can then add it in Apple Configurator to define the Intune profile used by iOS devices.
Next you import this profile to Apple Configurator in the following procedure to define the Intune profile used by iOS devices.
Enroll devices with Setup Assistant
On a Mac computer, open Apple Configurator 2. In the menu bar, choose Apple Configurator 2, and then choose Preferences.
Devices are reset to factory configurations during the enrollment process. As a best practice, reset the device and turn it on. Devices should be at the Hello screen when you connect the device.
In the preferences pane, select Servers and choose the plus symbol (+) to launch the MDM Server wizard. Choose Next.
Enter the Host name or URL and enrollment URL for the MDM server under Setup Assistant enrollment for iOS devices with Microsoft Intune. For the Enrollment URL, enter the enrollment profile URL exported from Intune. Choose Next.
You can safely disregard a warning stating "server URL is not verified." To continue, choose Next until the wizard is finished.
Connect the iOS mobile devices to the Mac computer with a USB adapter.
Select the iOS devices you want to manage, and then choose Prepare. On the Prepare iOS Device pane, select Manual, and then choose Next.
On the Enroll in MDM Server pane, select the server name you created, and then choose Next.
On the Supervise Devices pane, select the level of supervision, and then choose Next.
On the Create an Organization pane, choose the Organization or create a new organization, and then choose Next.
On the Configure iOS Setup Assistant pane, choose the steps to be presented to the user, and then choose Prepare. If prompted, authenticate to update trust settings.
When the iOS device finishes preparing, disconnect the USB cable.
The devices are now ready for corporate enrollment. Turn off the devices and distribute them to users. When users turn on their devices, Setup Assistant starts.
After users receive their devices, they must complete Setup Assistant. Devices configured with user affinity can install and run the Company Portal app to download apps and manage devices.
When you directly enroll iOS devices with Apple Configurator, you can enroll a device without acquiring the device's serial number. You can also name the device for identification purposes before Intune captures the device name during enrollment. The Company Portal app is not supported for directly enrolled devices. This method does not do a factory reset of the device.
Apps requiring user affiliation, including the Company Portal app used for installing line-of-business apps, cannot be installed.
Export the profile as .mobileconfig to iOS devices
In Intune, choose Device enrollment > Apple enrollment > Apple Configurator > Profiles > choose the profile to export > Export Profile.
Under Direct enrollment, choose Download profile, and save the file. An enrollment profile file is only valid for two weeks at which time you must re-create it.
Transfer the file to a Mac computer running Apple Configurator to push directly as a management profile to iOS devices.
Prepare the device with Apple Configurator by using the following steps:
On a Mac computer, open Apple Configurator 2.0.
Connect the iOS device to the Mac computer with a USB cord. Close Photos, iTunes, and other apps that open for the device when the device is detected.
In Apple Configurator, choose the connected iOS device, and then choose the Add button. Options that can be added to the device appear in the drop-down list. Choose Profiles.
Use the file picker to select the .mobileconfig file that you exported from Intune, and then choose Add. The profile is added to the device. If the device is Unsupervised, the installation requires acceptance on the device.
Use the following steps to install the profile on the iOS device. The device must have already completed the Setup Assistant and be ready to use. If enrollment entails app deployments, the device should have an Apple ID set up because the app deployment requires that you have an Apple ID signed in for the App Store.
- Unlock the iOS device.
- In the Install profile dialog box for Management profile, choose Install.
- Provide the Device Passcode or Apple ID, if necessary.
- Accept the Warning, and choose Install.
- Accept the Remote Warning, and choose Trust.
- When the Profile Installed box confirms the profile as Installed, choose Done.
On the iOS device, open Settings and go to General > Device Management > Management Profile. Confirm that the profile installation is listed, and check the iOS policy restrictions and installed apps. Policy restrictions and apps might take up to 10 minutes to appear on the device.
Distribute devices. The iOS device is now enrolled in Intune and managed.