Enroll iOS devices in Intune
Intune enables mobile device management (MDM) of iPads and iPhones to give users secure access to company email, data, and apps.
As an Intune admin, you can set up enrollment for iOS and iPadOS devices to access company resources. You can let users enroll personally owned devices, known as "bring your own device" (BYOD) enrollment. You can also set up enrollment of company-owned devices.
Prerequisites for iOS enrollment
Before you can enable iOS devices, complete the following steps:
- Make sure your device is eligible for Apple device enrollment.
- Set up Intune - These steps set up your Intune infrastructure. In particular, device enrollment requires that you set your MDM authority.
- Get an Apple MDM Push certificate - Apple requires a certificate to enable management of iOS and macOS devices.
User-owned iOS and iPadOS devices (BYOD)
You can let users enroll their personal devices for Intune management, known as "bring your own device" or BYOD. There are three options for enrolling users:
- App Protection Policies give you the lightest BYOD experience, providing management at an app level only. However, if you want to also secure the device with a 6-digit complex PIN, you can use these policies along with User Enrollment.
- Device Enrollment is what you may think of as typical BYOD enrollment. It provides admins with a wide range of management options.
- User Enrollment is a more streamlined enrollment process that provides admins with a subset of device management options. This feature is currently in preview.
After you've completed the prerequisites and assigned user licenses, users can download the Intune Company Portal app from the App Store, and follow enrollment instructions in the app. You can customize the Company Portal privacy statement on iOS devices as explained in privacy statement customization.
Company-owned iOS devices
For organizations that buy devices for their users, Intune supports the following iOS company-owned device enrollment methods:
- Apple's Device Enrollment Program (DEP)
- Apple School Manager
- Apple Configurator Setup Assistant enrollment
- Apple Configurator direct enrollment
You can also enroll company-owned iOS devices with a device enrollment manager account.
Device Enrollment Program
Organizations can purchase iOS devices through Apple's Device Enrollment Program (DEP). DEP lets you deploy an enrollment profile “over the air” to bring devices into management. For more information, see Device Enrollment Program.
User Enrollment gives admins a subset of management options compared to other enrollment methods. For more information, see User Enrollment supported actions, passwords, and other options and Set up iOS and iPadOS User Enrollment.
Apple School Manager
Apple School Manager is a device purchase and enrollment program for schools. As with DEP, you can deploy a profile to enroll devices in management. Learn more about Apple School Manager.
Apple Configurator
You can enroll iOS devices with Apple Configurator running on a Mac computer. To prepare devices, you connect them by USB and install an enrollment profile. You can enroll devices with Apple Configurator in two ways:
- Setup Assistant enrollment - Wipes the device, prepares it to run Setup Assistant, and installs the company's policies for the device’s new user.
- Direct enrollment - Doesn't wipe the device and enrolls the device with a predefined policy. This method is for devices with no user affinity.
Learn more about Apple Configurator enrollment.
Use the Company Portal on DEP-enrolled or Apple Configurator-enrolled devices
Devices configured with user affinity can install and run the Company Portal app to download apps and manage devices. After users receive their devices, they must complete additional steps to finish the Setup Assistant and install the Company Portal app.
User affinity is required to support the following:
- Mobile application management (MAM) apps
- Conditional Access to email and company data
- Company Portal app
How users enroll corporate-owned iOS devices with user affinity
- When users turn on their device, they are prompted to complete the Setup Assistant.
- After completing setup, users are prompted for an Apple ID. They must provide an Apple ID to allow the device to install Company Portal.
- The iOS device automatically installs the Company Portal app from the App Store.
- Users should launch the Company Portal app and sign in using the credentials (like the user principal name or UPN) that are associated with their subscription in Intune.
- After logging in, enrollment is complete. Users can now use this device with the full set of capabilities.
About corporate-owned managed devices with no user affinity
Devices that are configured with no user affinity do not support the Company Portal and should not have the app installed. The Company Portal is designed for users who have corporate credentials and require access to personalized corporate resources (like email). Devices that are enrolled with no user affinity aren't intended to have a dedicated user sign in. Kiosk, point of sale (POS), or shared-utility devices are typical use cases for devices that are enrolled with no user affinity.
If user affinity is required, be sure that the device’s enrollment profile has User Affinity selected before enrolling the device. To change the affinity status on a device, you must retire the device and reenroll it.