Walkthrough: Workplace Join with an iOS Device
Applies To: Windows Server 2012 R2
This topic demonstrates Workplace Join on an iOS device. You must complete the steps in the Set up the lab environment for AD FS in Windows Server 2012 R2 section before you can try out this walkthrough. You can use the device to access the same company web application that you accessed in Walkthrough: Workplace Join with a Windows Device.
Join an iOS device with Workplace Join
When on-premises DRS is configured, the iOS device must trust the Secure Socket Layer (SSL) certificate that was used to configure Active Directory Federation Services (AD FS) in Step 2: Configure the federation server (ADFS1) by using Device Registration Service, for Workplace Join to succeed. If the AD FS SSL certificate was issued from a test certification authority (CA), you must install the certification authority certificate on your iOS device. If your certification authority certificate is published on a website, you can browse to the website from your iOS device and install the certificate.
In this demonstration, you join the device to the workplace.
To join an iOS device to a workplace
When Azure Active Directory Device Registration service is the configured DRS:
Open Apple Safari and navigate to Azure Active Directory Device Registration service Over-the-Air Profile endpoint for iOS devices, <https://enterpriseregistration.windows.net/enrollmentserver/otaprofile/<yourdomainname >
Where <yourdomainname> is the domain name that you have configured with Azure Active Directory. For example, if your domain name is contoso.com, the URL would be: https://enterpriseregistration.windows.net/enrollmentserver/otaprofile/contoso.com
When On-premises DRS is the configured DRS:
Open Apple Safari and navigate to the Device Registration Service (DRS) Over-the-Air Profile endpoint for iOS devices, https://adf1s.contoso.com/enrollmentserver/otaprofile
There are many ways to communicate this URL to your users. One recommended way is to publish this URL in a custom application access denied message in AD FS. This is covered in the upcoming section: [Create an application access policy and custom access denied message](http://msdn.microsoft.com/library/azure/dn788908.aspx)
Log on to the webpage by using a company domain account: firstname.lastname@example.org and password: P@ssword.
You are prompted to install a profile. On the Install Profile screen, click Install.
When prompted to confirm installation of the profile, click Install Now.
If your device requires a PIN to unlock the device, you are prompted to enter your PIN.
The profile installation is finished when you see the Profile Installed screen. Click Done.
Return to Safari. A message informs you that you can close or leave Safari.
To view or remove the Workplace Join profile, browse to Settings, click General, and then click Profiles on your iOS device.
Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications
Set up the lab environment for AD FS in Windows Server 2012 R2
Walkthrough: Workplace Join with a Windows Device