Setting Up Required iOS Enrollment in Intune
A comprehensive guide to configuring iOS devices through Microsoft Intune
Key Highlights
- Apple MDM Push Certificate: Crucial for secure iOS device management.
- Enrollment Profiles & Methods: User enrollment, automated device enrollment (ADE), or web enrollment options available.
- Compliance & Configuration: Creating policies and configuring the Company Portal ensure a secure, managed environment.
Introduction
In today’s mobile-first environment, organizations increasingly rely on mobile device management (MDM) solutions to ensure security and operational efficiency. Microsoft Intune offers robust tools to manage and secure iOS devices in your enterprise. Setting up required enrollment for iOS in Intune involves several critical steps, including validating prerequisites, integrating with Apple’s ecosystem through an MDM push certificate, creating enrollment profiles, and configuring compliance policies. This guide covers each step in detail, allowing you to smoothly implement enrollment for iOS devices in your organization.
Prerequisites and Preparations
Key Requirements
- User devices must run a version of iOS/iPadOS that Intune currently supports. The 14.0 floor given here is not fixed: Microsoft periodically drops older major versions, so confirm against the current Intune supported-OS list before planning a rollout, because devices below the floor cannot enroll.
- An active Microsoft Intune subscription with proper licensing for users.
- An active Apple MDM Push Certificate, created under a corporate-owned Apple ID, which you must renew annually.
- The Intune Company Portal app must be available from the App Store for installation on user devices.
- A stable network connection (Wi-Fi or cellular) during the enrollment process; automated enrollment in particular needs connectivity while the device is still in Setup Assistant.
These prerequisites ensure that your devices can authenticate securely and that necessary security and management controls are in place. In addition, it is essential to assign Intune licenses and prepare user accounts with corporate credentials; this will facilitate smooth authentication during enrollment.
Apple MDM Push Certificate
The Apple MDM Push Certificate is the linchpin in the integration of iOS devices with Intune. It lets Intune use the Apple Push Notification service (APNs) to wake an enrolled device and tell it to check in for management commands. To create the certificate:
- In the Intune admin center, go to Devices > iOS/iPadOS > iOS/iPadOS enrollment and open Apple MDM Push certificate.
- Download the Certificate Signing Request (CSR) that Intune generates.
- Go to the Apple Push Certificates Portal (identity.apple.com), sign in with a shared, corporate-owned Apple ID rather than an individual's personal account (the certificate is bound to that Apple ID, and every renewal must be done with the same account), and upload the CSR to generate the certificate.
- Download the certificate (a .pem file) and upload it back into the Intune portal, recording which Apple ID was used.
The certificate must be renewed annually, with the same Apple ID, to avoid disruptions in service: if it expires, devices stop receiving commands until it is renewed, and if it is replaced by a certificate created under a different Apple ID, devices must be re-enrolled. Note that APNs only carries the wake-up signal; the commands and policies themselves travel over the device's TLS connection to Intune's MDM endpoint.
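Because an expired or personally-owned push certificate is the most common way an Intune tenant silently loses control of its iOS fleet, it is worth checking the certificate from a script rather than waiting for the portal banner. The following is an added example, not Microsoft's code: it evaluates the JSON that `GET https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate` returns (field names follow the Graph `applePushNotificationCertificate` resource), reporting days left, whether the Apple ID belongs to the expected corporate domain, and whether it looks like a consumer account. The sample response, the `contoso.com` domain, the consumer-domain list and the 30-day warning window are this example's own assumptions.

```python
"""Check the Apple MDM push certificate that Intune holds.

Added example, not Microsoft code. Field names follow the Graph
applePushNotificationCertificate resource; the sample response below is
constructed, and the expected domain, consumer-domain list and 30-day
warning window are this example's own choices.
"""
from datetime import datetime, timezone

# Constructed sample of a Graph response. A live call needs a bearer token
# with DeviceManagementServiceConfig.Read.All (not shown; the check is the point).
SAMPLE_RESPONSE = {
    "id": "9c6c1b0a-1111-4f2a-9d3e-000000000001",
    "appleIdentifier": "mdm-push@contoso.com",
    "topicIdentifier": "com.apple.mgmt.External.9c6c1b0a-2222-4f2a-9d3e-000000000002",
    "lastModifiedDateTime": "2024-03-01T09:12:44Z",
    "expirationDateTime": "2025-03-01T09:12:44Z",
    "certificateUploadStatus": "Success",
}

# Heuristic list of consumer mail domains that indicate a personal Apple ID.
CONSUMER_DOMAINS = {"icloud.com", "me.com", "mac.com", "gmail.com",
                    "outlook.com", "hotmail.com", "yahoo.com"}


def parse_graph_time(value: str) -> datetime:
    """Graph returns UTC timestamps with a trailing Z; make them timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_push_certificate(payload: dict, now, expected_domain: str,
                            warn_days: int = 30) -> dict:
    """Return days left, a status (ok / renew-soon / expired) and warnings.

    `now` may be a timezone-aware datetime or a Graph-style ISO string."""
    if isinstance(now, str):
        now = parse_graph_time(now)
    expires = parse_graph_time(payload["expirationDateTime"])
    days_left = (expires - now).days
    apple_id = payload.get("appleIdentifier", "")
    domain = apple_id.rpartition("@")[2].lower()
    warnings = []

    if expires <= now:
        status = "expired"
        warnings.append("certificate expired; devices stop receiving push notifications until it is renewed")
    elif days_left < warn_days:
        status = "renew-soon"
        warnings.append(f"certificate expires in {days_left} days; renew with the same Apple ID")
    else:
        status = "ok"

    if domain != expected_domain.lower():
        warnings.append(f"certificate was issued under {apple_id}, not a {expected_domain} account")
    if domain in CONSUMER_DOMAINS:
        warnings.append("Apple ID looks personal; renewal depends on that individual's account")
    if payload.get("certificateUploadStatus") != "Success":
        warnings.append(f"upload status is {payload.get('certificateUploadStatus')!r}")

    return {"apple_id": apple_id, "expires": expires, "days_left": days_left,
            "status": status, "warnings": warnings}


if __name__ == "__main__":
    result = assess_push_certificate(
        SAMPLE_RESPONSE,
        now=datetime(2025, 2, 10, 9, 12, 44, tzinfo=timezone.utc),
        expected_domain="contoso.com",
    )
    print(result["status"], result["days_left"], "days left")
    for warning in result["warnings"]:
        print("WARNING:", warning)
```

Run it from a scheduled job that fetches the live response and page the on-call engineer on anything other than `ok`; the Apple ID check catches the case where an administrator created the certificate with a personal account and has since left.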
Enrollment Profiles and Methods
Enrollment Options
There are several methods to enroll iOS devices in Intune. The selection depends primarily on how devices are owned and managed by your organization:
- BYOD enrollment through the Company Portal: This approach is for personal devices. Users install the Intune Company Portal app from the App Store and sign in with their corporate credentials. Intune can run this as full device enrollment or as Apple User Enrollment, which uses a Managed Apple ID, keeps corporate data in a separate managed volume on the device, and deliberately limits what the administrator can see and do; the latter is the better fit for genuinely personal phones.
- Automated Device Enrollment (ADE): Devices purchased through Apple Business Manager or Apple School Manager enroll during Setup Assistant with no action on the device beyond signing in. Enrollment can be made mandatory and non-removable (locked enrollment) and the device is supervised, so this is the preferred method for corporate-owned devices.
- Apple Configurator Enrollment: Used for corporate devices that were not purchased through Apple Business Manager. The device is connected to a Mac and prepared with Apple Configurator, which can also add it to Apple Business Manager so that future resets use ADE.
- Web Enrollment: Users can enroll from Safari without first installing the Company Portal app. This requires web-based device enrollment to be turned on in the Intune admin center and the Microsoft Enterprise SSO plug-in to be deployed to the devices through a configuration profile.
Creating Enrollment Profiles
Enrollment profiles in Intune define the settings that are applied to devices during the enrollment process. These profiles allow you to specify which functionalities are enforced and which settings are pushed automatically.
To create an enrollment profile:
- In the Intune portal, navigate to Devices > iOS/iPadOS Enrollment.
- Select "Create Enrollment Profile," then assign this profile to the specific group of users or devices.
- For corporate-owned devices, consider enabling settings like forced installation of the Company Portal app.
- Ensure that the profile settings include device configuration requirements such as Wi-Fi, VPN, and email settings if needed.
It is crucial to set up and test enrollment profiles in a controlled environment before full deployment. This confirms that the profile, compliance policies, and app assignments work together and meet your organization's compliance standards.
Distributing the Company Portal App
The Company Portal app facilitates the enrollment process by guiding users through authentication and providing self-service management for their devices. To ensure that it is deployed universally:
- In the Intune admin center, go to Apps > All Apps and confirm that the Company Portal app is added.
- Set the app as a required installation, ensuring it is pushed automatically to enrolled devices.
- Educate users on how to retrieve the app from the App Store for BYOD scenarios if it is not pre-installed automatically.
Enrollment Process and Steps
Step-by-Step Guide
We now detail the step-by-step process to enroll iOS devices in Microsoft Intune. These steps combine the setup of essential prerequisites, configuring your enrollment method, and ensuring that policies and compliance standards are met.
Step 1: Configure the Apple MDM Push Certificate
Begin with the Apple MDM Push Certificate creation. Log into the Intune portal and navigate to Devices > iOS/iPadOS Enrollment. Download the CSR file and then log in to the Apple Push Certificate Portal. Here, upload the CSR file with your Apple ID credentials, generate the certificate, download it, and finally, return to the Intune portal to upload your new certificate. This process ensures secure communication between Intune and the iOS devices.
Step 2: Create and Configure the Enrollment Profile
Once the certificate is in place, create an enrollment profile:
- Navigate to Devices > iOS/iPadOS Enrollment in the Intune admin center.
- Select “Create Enrollment Profile,” where you can set enrollment type options such as enforcing the installation of the Company Portal app, defining network configurations, and applying necessary restrictions.
- For devices enrolled through ADE, set up configurations to automate the enrollment process during setup.
- Designate whether the profile should allow BYOD or if it is strictly for corporate devices.
Step 3: Distribute the Company Portal App
The Intune Company Portal app is essential for user enrollment. Ensure that:
- The app is added to the Intune portal under Apps > All Apps.
- It is configured as a required application either through automatic push or through explicit user download instructions.
- You provide clear instructions on installing and launching the app to initiate the enrollment process.
Step 4: Initiate the Enrollment on iOS Devices
With configurations set, instruct users to follow these steps:
- Download the Intune Company Portal app from the App Store.
- Launch the app and sign in using their corporate credentials.
- Follow the on-screen instructions to grant permissions and complete profile installation. Users will be prompted to allow notifications and other essential permissions.
- Once the process completes, the device will automatically download and enforce necessary security policies and configurations.
Step 5: Web Enrollment Option
For environments that require a browser-based alternative, web enrollment is available:
- Turn on web-based device enrollment in the Intune admin center under the iOS/iPadOS enrollment settings.
- Ensure that the Microsoft Enterprise SSO plug-in is deployed and Single Sign-On works, since web enrollment depends on it.
- Direct users to the designated web URL, such as https://portal.manage.microsoft.com/enrollment/web/enrollment/ios, where they can authenticate and complete the enrollment process.
Implementing Compliance and Configuration Policies
Managing Security and Settings
After enrollment, enforcing compliance policies is critical to maintaining device security. Microsoft Intune allows you to define and deploy various policies ensuring devices adhere to company standards. These include:
- Device compliance policies (for instance, requiring a passcode, which is also what turns on iOS data protection for the device's storage, blocking jailbroken devices, and setting a minimum OS version).
- Conditional access to control which devices have access to corporate resources based on compliance status.
- Configuration profiles that manage Wi-Fi, VPN, email settings, and other device configurations necessary for secure operation.
Administrators can monitor and update these policies centrally through the Intune portal to ensure a consistent security baseline across the enterprise. A compliance policy by itself only marks a device compliant or noncompliant; it is Conditional Access that turns that state into an access decision. Policy changes take effect at the device's next check-in: Intune sends a push notification asking the device to sync, which usually happens within minutes if the device is online, but a device that has not checked in for days is still running the old policy and should be treated as unknown rather than compliant.
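Compliance policies are usually clicked together in the portal, but expressing the baseline as the Graph request body makes it reviewable and diffable, and a small lint step stops a weakened policy from being deployed. The following is an added example, not Microsoft's code: it builds an iOS compliance policy body for `POST https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies` using the property names of the Graph `iosCompliancePolicy` and `deviceComplianceScheduledActionForRule` resources, then checks it against a baseline. The baseline values, the lint rules, and the rule name `PasswordRequired` (taken from Microsoft's published samples) are this example's own assumptions; no request is sent.

```python
"""Build an iOS compliance policy body for Microsoft Graph and lint it.

Added example, not Microsoft code. Property names follow the Graph
iosCompliancePolicy and deviceComplianceScheduledActionForRule resources;
the baseline values and lint rules are this example's own choices, and the
rule name "PasswordRequired" is taken from Microsoft's published samples.
"""
import json

BASELINE_MIN_PASSCODE = 6
BASELINE_MAX_INACTIVITY_MIN = 15


def ios_compliance_policy(display_name: str, os_minimum: str,
                          block_after_hours: int = 24) -> dict:
    """Return a policy body requiring a passcode, a minimum OS and no jailbreak,
    with a scheduled action that marks the device noncompliant after a grace
    period (Graph actionType "block" is the portal's "Mark device noncompliant")."""
    return {
        "@odata.type": "#microsoft.graph.iosCompliancePolicy",
        "displayName": display_name,
        "description": "Baseline for corporate iOS devices",
        "passcodeRequired": True,
        "passcodeBlockSimple": True,                 # rejects 1234, 0000 and the like
        "passcodeMinimumLength": BASELINE_MIN_PASSCODE,
        "passcodeRequiredType": "numeric",
        "passcodeMinutesOfInactivityBeforeLock": BASELINE_MAX_INACTIVITY_MIN,
        "osMinimumVersion": os_minimum,
        "securityBlockJailbrokenDevices": True,
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",          # assumption: name used in Microsoft samples
            "scheduledActionConfigurations": [{
                "actionType": "block",
                "gracePeriodHours": block_after_hours,
                "notificationTemplateId": "",
                "notificationMessageCCList": [],
            }],
        }],
    }


def lint_policy(policy: dict) -> list[str]:
    """Return findings for settings weaker than the baseline (empty list = passes)."""
    findings = []
    if not policy.get("passcodeRequired"):
        findings.append("passcodeRequired is off: iOS data protection is not guaranteed")
    elif policy.get("passcodeMinimumLength", 0) < BASELINE_MIN_PASSCODE:
        findings.append(f"passcodeMinimumLength below {BASELINE_MIN_PASSCODE}")
    if not policy.get("passcodeBlockSimple"):
        findings.append("passcodeBlockSimple is off: trivial passcodes allowed")
    lock = policy.get("passcodeMinutesOfInactivityBeforeLock")
    if lock is None or lock > BASELINE_MAX_INACTIVITY_MIN:
        findings.append("auto-lock timeout missing or longer than baseline")
    if not policy.get("osMinimumVersion"):
        findings.append("osMinimumVersion not set: unpatched devices count as compliant")
    if not policy.get("securityBlockJailbrokenDevices"):
        findings.append("jailbroken devices are not blocked")
    actions = [cfg.get("actionType")
               for rule in policy.get("scheduledActionsForRule", [])
               for cfg in rule.get("scheduledActionConfigurations", [])]
    if "block" not in actions:
        findings.append("no 'block' action: device is never marked noncompliant, "
                        "so Conditional Access has nothing to enforce")
    return findings


if __name__ == "__main__":
    policy = ios_compliance_policy("iOS baseline", os_minimum="17.0")
    print(json.dumps(policy, indent=2))
    print("lint:", lint_policy(policy) or "passes")
```

Keep the policy body in version control and run `lint_policy` in CI before the body is posted; the same function can be run against policies exported from the tenant to catch drift introduced through the portal.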
Sample Table of iOS Enrollment Steps and Policies
| Step | Description | Implementation |
| --- | --- | --- |
| 1. Apple MDM Push Certificate | Generate and upload the certificate to Intune. | Download CSR from Intune, generate via Apple Portal, upload certificate back to Intune. |
| 2. Enrollment Profile | Create profiles defining device settings and restrictions. | Assign profiles via Intune portal for BYOD or corporate devices. |
| 3. Company Portal App | Deploy the portal app for managing enrollment. | Add app in Intune and enforce installation policy. |
| 4. Device Enrollment | Enroll devices using the app or web enrollment. | User sign-in through the Company Portal or browser-based enrollment. |
| 5. Compliance Policies | Ensure security settings are applied. | Deploy device compliance and configuration profiles via Intune. |
Post Enrollment Monitoring and Ongoing Management
Ensuring Continued Compliance
After devices have been successfully enrolled, continuous monitoring is paramount to ensure ongoing compliance and detect potential issues. Microsoft Intune provides administrators with dashboards to view device status, compliance levels, and policy application. Regular audits and support structures help maintain secure configurations.
Key areas to focus on include:
- Issue Resolution: Promptly address any enrollment issues or compliance alerts that appear on the dashboard.
- Automation & Updates: Automate the deployment of updates and new policies as corporate requirements evolve.
- User Support: Prepare help guides and resources to assist users during troubleshooting and re-enrollment scenarios.
Maintaining a proactive stance through regular review sessions of the Intune dashboard helps ensure device security and compliance, while also adapting to any emerging requirements or threats.
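The dashboard shows the compliance count, but the devices that matter most for ongoing management are the ones that have stopped checking in, because they never receive policy updates and their "compliant" state is stale. The following is an added example, not Microsoft's code: it triages rows from `GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices` (field names and enum values follow the Graph `managedDevice` resource) into iOS devices needing attention, stale devices, unsupervised devices, and a per-enrollment-type breakdown. The device rows are constructed, and the 7-day staleness window is this example's own choice.

```python
"""Triage enrolled iOS/iPadOS devices from Intune's managedDevices collection.

Added example, not Microsoft code. Field names and enum values follow the
Graph managedDevice resource (permission DeviceManagementManagedDevices.Read.All);
the device rows are constructed and the 7-day staleness window is this
example's own choice.
"""
from datetime import datetime

# Constructed sample rows; a live call pages through the managedDevices collection.
SAMPLE_DEVICES = [
    {"deviceName": "iPhone-Alice", "operatingSystem": "iOS", "osVersion": "17.4",
     "complianceState": "compliant", "deviceEnrollmentType": "appleBulkWithUser",
     "lastSyncDateTime": "2025-02-09T07:30:00Z", "isSupervised": True},
    {"deviceName": "iPhone-Bob", "operatingSystem": "iOS", "osVersion": "16.2",
     "complianceState": "noncompliant", "deviceEnrollmentType": "userEnrollment",
     "lastSyncDateTime": "2025-02-08T18:05:00Z", "isSupervised": False},
    {"deviceName": "iPad-Lab-03", "operatingSystem": "iPadOS", "osVersion": "17.1",
     "complianceState": "compliant", "deviceEnrollmentType": "appleBulkWithoutUser",
     "lastSyncDateTime": "2025-01-20T11:00:00Z", "isSupervised": True},
    {"deviceName": "iPhone-Carol", "operatingSystem": "iOS", "osVersion": "17.4",
     "complianceState": "inGracePeriod", "deviceEnrollmentType": "userEnrollment",
     "lastSyncDateTime": "2025-02-10T06:00:00Z", "isSupervised": False},
    {"deviceName": "DESKTOP-42", "operatingSystem": "Windows", "osVersion": "10.0.22631",
     "complianceState": "compliant", "deviceEnrollmentType": "windowsAzureADJoin",
     "lastSyncDateTime": "2025-02-10T05:00:00Z", "isSupervised": False},
]

APPLE_MOBILE = {"iOS", "iPadOS"}   # Intune reports either string for iPads


def parse_graph_time(value: str) -> datetime:
    """Graph returns UTC timestamps with a trailing Z; make them timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(devices: list, now, stale_days: int = 7) -> dict:
    """Summarise iOS/iPadOS devices: compliance states, enrollment types,
    devices needing attention, devices that have not synced recently, and
    unsupervised devices (which cannot receive supervised-only restrictions)."""
    if isinstance(now, str):
        now = parse_graph_time(now)
    report = {"total": 0, "by_state": {}, "by_enrollment": {},
              "needs_attention": [], "stale": [], "unsupervised": []}
    for dev in devices:
        if dev.get("operatingSystem") not in APPLE_MOBILE:
            continue
        name = dev.get("deviceName", "?")
        state = dev.get("complianceState", "unknown")
        enrollment = dev.get("deviceEnrollmentType", "unknown")
        report["total"] += 1
        report["by_state"][state] = report["by_state"].get(state, 0) + 1
        report["by_enrollment"][enrollment] = report["by_enrollment"].get(enrollment, 0) + 1
        if state != "compliant":          # noncompliant, inGracePeriod, error, unknown...
            report["needs_attention"].append(name)
        age_days = (now - parse_graph_time(dev["lastSyncDateTime"])).days
        if age_days >= stale_days:        # stale devices still run the old policy
            report["stale"].append((name, age_days))
        if not dev.get("isSupervised"):
            report["unsupervised"].append(name)
    return report


if __name__ == "__main__":
    summary = triage(SAMPLE_DEVICES, now="2025-02-10T09:00:00Z")
    print(f"{summary['total']} iOS/iPadOS devices, states: {summary['by_state']}")
    print("needs attention:", summary["needs_attention"])
    print("stale (days since last sync):", summary["stale"])
    print("unsupervised:", summary["unsupervised"])
```

Feed the stale list into the offboarding procedure discussed below: a device that has not synced in weeks is either lost, wiped, or has had the management profile removed, and each of those outcomes needs a different response.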
Additional Considerations
Strategic Insights for Successful Deployment
Before rolling out enrollment to the entire organization, consider these additional factors for a smooth implementation:
- BYOD vs. Corporate-Owned Devices: Clearly delineate policies for personal devices compared to corporate-owned devices. Ensure that the enrollment profiles and compliance requirements are tailored to each scenario.
- User Training: Educate end-users on the enrollment process, explaining the importance of device security and the benefits of management through Intune. Well-informed users are less likely to experience enrollment issues.
- Testing: Implement a pilot phase with a select group of users to validate all configurations. Feedback during this phase allows adjustments before broader deployment.
- Device Lifecycle Management: Establish procedures for offboarding devices, handling lost or stolen devices, and recurring compliance checks to keep device management current.
Integrating these strategic insights into your deployment plan helps anticipate challenges and ensures that your enrollment process remains effective throughout its lifecycle.