Tuesday, March 3, 2026

Apple Account-Driven User Enrollment Guide

Set Up Account-Driven Apple User Enrollment for Microsoft Intune.


This guide explains how to configure account-driven Apple User Enrollment for personal devices enrolling in Microsoft Intune. Account-driven enrollment offers a smoother, faster, and more user-friendly process compared to user enrollment with the Company Portal. Enrollment begins when the device user signs into their work account via the Settings app. After approving device management, the enrollment profile installs automatically, and Intune policies are applied. By using Just-in-Time (JIT) registration and the Microsoft Authenticator app for authentication, the enrollment process minimizes the number of sign-ins required during enrollment and while accessing work apps.


What You'll Learn


In this article, you'll learn how to:


Set up JIT registration

Create an enrollment profile

Prepare employees and students for enrollment

Prerequisites


Microsoft Intune supports account-driven Apple User Enrollment on devices running iOS/iPadOS 15 or later. If your devices are running iOS/iPadOS 14.9 or earlier, Intune will automatically enroll them through user enrollment with the Company Portal.


Before you begin setup, ensure the following steps are complete:


Set mobile device management (MDM) authority

Get Apple MDM Push certificate

Create Managed Apple IDs for device users (refer to Apple Support)

Additionally, you'll need to set up service discovery to enable Apple devices to reach the Intune service and retrieve enrollment information. To do this, set up and publish an HTTP well-known resource file on the same domain where employees sign in. Apple will retrieve the file via an HTTP GET request to:


https://contoso.com/.well-known/com.apple.remotemanagement


Microsoft Intune environments:


{"Servers":[{"Version":"mdm-byod", "BaseURL":"https://manage.microsoft.com/EnrollmentServer/PostReportDeviceInfoForUEV2?aadTenantId=YourAADTenantID"}]}


Microsoft Intune for US Government environments:


{"Servers":[{"Version":"mdm-byod", "BaseURL":"https://manage.microsoft.us/EnrollmentServer/PostReportDeviceInfoForUEV2?aadTenantId=YourAADTenantID"}]}


Microsoft Intune operated by 21 Vianet in China environments:


{"Servers":[{"Version":"mdm-byod", "BaseURL":"https://manage.microsoft.cn/EnrollmentServer/PostReportDeviceInfoForUEV2?aadTenantId=YourAADTenantID"}]}


JSON Configuration Details


The provided JSON sample includes all the necessary information to configure your environment:


Version: This specifies the server version, which is mdm-byod.


BaseURL: This is the URL where the Intune service is located.


Tip: For additional details about the technical requirements for service discovery, refer to the Implementing the Simple Authentication User-Enrollment Flow in the Apple Developer documentation.
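Before publishing the well-known file, it is worth checking that it is valid JSON, that the BaseURL points at the Intune endpoint for your environment over HTTPS, and that the YourAADTenantID placeholder has actually been replaced, since Apple fetches the file with a plain GET and a typo here silently stops enrollment. The following Python checker is an added example for this guide, not Microsoft or Apple code. It assumes the document shape shown above (a Servers array of objects with Version and BaseURL), takes the three Intune hostnames from the environments listed, treats aadTenantId as a Microsoft Entra tenant GUID, and uses a constructed tenant id (11111111-2222-3333-4444-555555555555) in its passing sample.

```python
"""Check a com.apple.remotemanagement service-discovery document before publishing it.

Added example for this guide; not Microsoft or Apple code. It assumes the
document shape shown in the guide (a "Servers" array of {"Version", "BaseURL"}
objects) and that aadTenantId must be a real Entra tenant GUID rather than the
YourAADTenantID placeholder.
"""
import json
import re
import urllib.request
from urllib.parse import urlparse, parse_qs

# Intune enrollment hosts named in the guide, by environment.
INTUNE_HOSTS = {
    "manage.microsoft.com": "Microsoft Intune",
    "manage.microsoft.us": "Microsoft Intune for US Government",
    "manage.microsoft.cn": "Microsoft Intune operated by 21Vianet",
}
EXPECTED_PATH = "/EnrollmentServer/PostReportDeviceInfoForUEV2"
WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def validate_service_discovery(document: str) -> list:
    """Return a list of problems; an empty list means the document is ready to publish."""
    problems = []
    try:
        data = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    servers = data.get("Servers") if isinstance(data, dict) else None
    if not isinstance(servers, list) or not servers:
        return ["top-level object must contain a non-empty 'Servers' array"]
    for index, server in enumerate(servers):
        where = f"Servers[{index}]"
        if not isinstance(server, dict):
            problems.append(f"{where}: entry must be a JSON object")
            continue
        if server.get("Version") != "mdm-byod":
            problems.append(f"{where}: Version must be 'mdm-byod', got {server.get('Version')!r}")
        base_url = server.get("BaseURL")
        if not isinstance(base_url, str):
            problems.append(f"{where}: BaseURL is missing")
            continue
        parsed = urlparse(base_url)
        if parsed.scheme != "https":
            problems.append(f"{where}: BaseURL must use https, got {parsed.scheme!r}")
        if parsed.hostname not in INTUNE_HOSTS:
            problems.append(f"{where}: host {parsed.hostname!r} is not a known Intune enrollment endpoint")
        if parsed.path != EXPECTED_PATH:
            problems.append(f"{where}: unexpected path {parsed.path!r}")
        # parse_qs drops blank values, so a missing or empty aadTenantId both end up as "".
        tenant = parse_qs(parsed.query).get("aadTenantId", [""])[0]
        if not GUID_RE.match(tenant):
            problems.append(f"{where}: aadTenantId {tenant!r} is not a tenant GUID (placeholder still present?)")
    return problems


def fetch_and_validate(domain: str, timeout: float = 10.0) -> list:
    """GET the well-known file the way Apple does and validate the body (needs network access)."""
    url = f"https://{domain}{WELL_KNOWN_PATH}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as response:
            if response.status != 200:
                return [f"{url}: HTTP {response.status}"]
            body = response.read().decode("utf-8")
    except Exception as exc:  # DNS, TLS, timeout and HTTP error responses all land here
        return [f"{url}: {exc}"]
    return validate_service_discovery(body)


# The guide's own sample, with the placeholder tenant id left in (should be rejected).
PAGE_SAMPLE = ('{"Servers":[{"Version":"mdm-byod", "BaseURL":"https://manage.microsoft.com'
               '/EnrollmentServer/PostReportDeviceInfoForUEV2?aadTenantId=YourAADTenantID"}]}')

# Constructed sample with a made-up tenant GUID (should pass).
GOOD_SAMPLE = ('{"Servers":[{"Version":"mdm-byod", "BaseURL":"https://manage.microsoft.com'
               '/EnrollmentServer/PostReportDeviceInfoForUEV2'
               '?aadTenantId=11111111-2222-3333-4444-555555555555"}]}')

if __name__ == "__main__":
    for label, doc in (("page sample", PAGE_SAMPLE), ("constructed sample", GOOD_SAMPLE)):
        issues = validate_service_discovery(doc)
        print(label, "->", "OK" if not issues else issues)
```

Run validate_service_discovery on the file contents before you upload it; once it is published, fetch_and_validate("contoso.com") retrieves it over the same URL Apple uses and runs the same checks on what the web server actually returns, which also catches redirects to a login page or a stale cached copy.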


Best Practices


Here are some additional configurations that can enhance the enrollment experience for device users:


1. Deploy Company Portal Web App

Deploying the web app version of the Intune Company Portal allows users quick access to their device’s status, device actions, and compliance information. The web app appears on the home screen as a link to the Company Portal website, making it easier to access. Without the web app, users must manually open the browser and type in the address. For more information, see Add web apps to Microsoft Intune.


2. Enable Federated Authentication

Apple User Enrollment requires that you create Managed Apple IDs for users. By enabling federated authentication, which links Apple Business Manager with Microsoft Entra ID, you eliminate the need to manually create unique Apple IDs for each user. Instead, users can sign in using their existing work account credentials. For more details, see Introduction to Federated Authentication with Apple Business Manager in the Apple Business Manager User Guide.


Setup Steps


Step 1:


Set Up Just-in-Time Registration and Assign Microsoft Authenticator

First, configure Just-in-Time (JIT) registration and assign Microsoft Authenticator as a required app. You can follow the steps in Set up JIT registration in Intune. Once this is done, return to this guide to continue with the next steps.


Step 2: Create Enrollment Profile


Create an enrollment profile for devices that will use account-driven user enrollment. This profile defines the device user's enrollment process and allows them to start the enrollment from the Settings app.

In the Microsoft Intune admin center, navigate to Devices > Enrollment.

Select the Apple tab.

Under Enrollment options, click Enrollment types.

Choose Create profile > iOS/iPadOS.

On the Basics page, provide a name and description for the profile so you can easily identify it. Device users won’t see these details.

Click Next.


On the Settings page, select the enrollment type:

Account driven user enrollment: This is for users who initiate enrollment themselves.

Determine based on user choice: Users can choose their preferred enrollment method. Available options:

I own this device: Users can secure either the entire device or just work-related apps and data.

(Company) owns this device: The device enrolls through Apple Device Enrollment.

Click Next.

On the Assignments page, assign the profile to all users or specific groups. (Note: Device groups aren't supported for user enrollment since it requires user identities.)

Click Next.

On the Review + Create page, verify your choices, then click Create to finalize the profile.


Step 3: Prepare Employees for Enrollment


To start the enrollment process, users need to sign in to the Settings app with their work or school account. If they attempt to sign into a work-related app, they’ll receive a prompt to begin the enrollment process.


Here are the steps for device users:


Open the Settings app.

Select General.

Select VPN & Device Management.

Sign in with your work or school account (or the Apple ID provided by your organization).

Select Sign In to iCloud.

Enter the password for your username and select Continue.

Select Allow Remote Management.

Wait a few minutes for the device configuration and management profile installation.


To confirm enrollment, go to VPN & Device Management and check that your work account is listed under MANAGED ACCOUNT.

Note: Microsoft Authenticator is required for accessing work apps. After enrollment, wait for the app to install. You'll get an error if you try to sign in without it.


Profile Priority


Intune applies enrollment profiles in order of priority. To change the priority:

Go to Enrollment types in the admin center.

Drag and drop profiles to reorder them.

If multiple profiles conflict, Intune will apply the profile with the highest priority.

Removing Device from Management

When a device unenrolls from Intune, the volume and cryptographic keys used to manage work data on the device are erased.


Known Issues


Enrollment Fails Due to SSO Application

If the Microsoft Authenticator app is already installed on the device before enrollment, the process will fail when the user attempts to sign in with their work account. The error message will state:

Title: Sign In Failed

Description: The Enrollment SSO application has been installed on the device.

To resolve this, the user must uninstall Microsoft Authenticator and restart the enrollment process.


Next Steps


For an overview of supported Apple User Enrollment features and management actions in Microsoft Intune, see the Overview of Apple User Enrollment in Microsoft Intune.


For troubleshooting, check the Troubleshooting iOS/iPadOS Device Enrollment Errors in Microsoft Intune guide.


For supported settings in Intune device configuration profiles, refer to:

iOS and iPadOS device restrictions

iOS and iPadOS device features

Setting up per-app Virtual Private Network (VPN)

Thursday, January 1, 2026

Retirement of Exchange Online Admin Audit Log

The Exchange Online Admin Audit Log feature is scheduled for deprecation by the end of 2025.

To continue accessing administrative audit information for Exchange Online, users must transition to using the Microsoft Purview Audit logs. When searching within the Purview Audit log tool, the correct filter to apply for Exchange admin activities is to select Exchange Admin as the Record Type.




Windows Autopilot: A Transformative Tool for IT Device Management

Traditionally, device deployment has been a major drain on IT resources, involving time-intensive tasks like operating system imaging, manual configuration, application installation, and policy application.

Windows Autopilot fundamentally alters this process. It is a robust, cloud-based deployment solution enabling organizations to automatically configure brand-new Windows devices with virtually no manual intervention.

How Windows Autopilot Functions

Autopilot streamlines the entire employee device setup into an easy, automated workflow:

  1. Registration: The device is registered using its unique hardware identifier.

  2. Profile Assignment: An appropriate Autopilot profile (for Azure AD Join or Hybrid Join) is assigned to the device.

  3. User Initiation: The end-user powers on the new laptop and connects it to the internet.

  4. Automated Setup: Autopilot then automatically executes the following steps:

    • Joins the device to Azure Active Directory (Azure AD).

    • Enrolls the device into Intune (Microsoft Endpoint Manager).

    • Installs all necessary business applications.

    • Applies all required configuration policies and security baselines.

The outcome is a device that is fully configured, secured, and immediately ready for use, all without any handling by the IT department.

The Value of Windows Autopilot

  • Speed: Accelerates the onboarding experience for new personnel.

  • Efficiency: Eliminates the need for manual imaging or custom builds via USB.

  • Security & Consistency: Guarantees a standardized, secure, and policy-compliant configuration every time.

  • Flexibility: Ideal for supporting remote or hybrid work environments.

  • Productivity: Significantly lowers the IT workload and reduces configuration errors.

In essence, Windows Autopilot reduces the process to: Unbox > Sign In > Begin Work.




Troubleshooting When Windows Explorer is Not Responding

Solutions for an Unresponsive Application

1. Wait Momentarily (Recommended First Step)

An application might simply be occupied with a process.

  • Wait for approximately 30 to 60 seconds.

  • If the application resumes operation, no further action is necessary.

2. Attempt Normal Application Closure

If the program is partially responsive:

  1. Click the standard Close (X) button.

  2. If a dialogue box appears, choose the option to Close program.

3. Force Close Using Task Manager (Most Frequent Resolution)

  1. Press the keyboard combination Ctrl + Shift + Esc.

  2. Locate the application identified as Not Responding.

  3. Select the application and click End task.

  • This action immediately terminates the frozen application.

4. Utilize the Keyboard Shortcut for Quick Termination

  1. With the frozen application in focus, press Alt + F4.

  2. Confirm the closure if prompted by the system.

5. Restart Windows Explorer (If the User Interface is Frozen)

If elements like the taskbar or desktop are unresponsive:

  1. Press Ctrl + Shift + Esc.

  2. Find Windows Explorer in the list.

  3. Right-click it and select Restart.

  • This refreshes the desktop environment without requiring a complete system reboot.

6. Terminate the Application via Command Line (Advanced Technique)

Using Command Prompt:

  1. Press Win + R, type cmd, and press Enter.

  2. Run the following commands:

    • tasklist (to view all running processes)

    • taskkill /IM appname.exe /F (to forcefully terminate a specific process)

    • Example: taskkill /IM chrome.exe /F

7. System Restart (Final Option)

If multiple applications are failing to respond:

  • Save any work you can.

  • Initiate a Windows restart.


Preventing Future "Not Responding" Errors

  • Ensure Windows is kept up to date.

  • Avoid simultaneously running an excessive number of applications.

  • Consider a RAM upgrade if freezing is a frequent issue.

  • Monitor Task Manager > Performance for sudden spikes in CPU or RAM usage.

  • Conduct a malware scan.

Professional Insight

If a single application repeatedly freezes, the cause is typically one of the following:

  • A corrupted installation.

  • An incompatible update.

  • Insufficient system resources dedicated to the application.

Action: Reinstall or update the problematic application.




Preventing Users from Installing Unauthorized Applications (Intune Policy)

(A Practical Administrator Solution)

This common helpdesk issue often arises:

"A user installed unapproved software, and now their device is compromised and slow."

This is a frequent security gap in Microsoft Intune deployments.

Here is the proper method for securing devices:


Step-by-Step: Restrict Application Installation via Intune

1. Device Restriction Policy (Recommended for Standard Users)

  • Path: Intune Admin Center > Devices > Configuration Profiles > Create Profile

  • Settings:

    • Platform: Windows 10/11

    • Profile Type: Device Restrictions

    • Set "Allow App Installation" = Block

2. Endpoint Security Policy (Best Practice)

  • Path: Endpoint Security > Attack Surface Reduction

  • Action: Configure App Control / Smart App Control to prevent:

    • Unrecognized installers

    • Untrusted executable files

    • Applications not sourced from the Microsoft Store

  • Benefit: Provides robust security and aids regulatory compliance.

3. Microsoft Store Control

  • Action:

    • Block Win32 installers.

    • Permit installation only of applications approved through the Microsoft Store.

    • Distribute approved applications via the Company Portal.

  • Outcome: Users are restricted to installing only what the IT department has sanctioned.


Significance of This Control

  • Mitigates:

    • Risk of malware

    • "Shadow IT" (unmanaged software)

    • Device performance degradation

    • Compliance failures

  • Ensures:

    • A regulated computing environment

    • Secure endpoints

    • Adherence to Zero-Trust principles


Expert Tip

Always pilot-test new policies with a small group before implementing them across the entire organization.


Important Note

Configuration details may vary depending on your tenant setup and specific business requirements. Always test thoroughly in a non-production or pilot group before deployment.


For more real-world IT admin tips on Intune, Azure, and M365 security, follow Ryan Adams.

#MicrosoftIntune

#EndpointManagement

#Windows11

#M365

#CyberSecurity

#ITAdmin

#ZeroTrust

#CloudSecurity

#SysAdmin

#TechTips

#DeviceManagement

Microsoft Teams: Enhanced Messaging Safety Features Activated by Default


Microsoft is boosting the security of messaging within Microsoft Teams by automatically activating key safety safeguards. This enhancement is designed to shield users from harmful content and includes a mechanism for users to report incorrect blocks, thereby improving the overall security of collaboration.

Rollout Schedule

This update is slated to begin deployment on January 12, 2026.

Affected Groups

Organizations whose Teams messaging safety settings are currently at the factory default and have not been previously modified.

Key Changes

The following options within the Teams admin center under Messaging settings > Messaging safety will be enabled by default:

  • Protection against file types that can be exploited for malicious purposes.

  • Identification and alerting for malicious URLs.

  • The function allowing users to report security detections that are incorrect.

User Experience Implications

End users may observe the following:

  • Notification banners appearing on messages that contain questionable or malicious links.

  • An option provided to submit a report for any messages wrongly flagged as suspicious.

  • Messages being prevented from sending if they incorporate file types categorized as weaponizable.


Organizations that have already customized and saved specific configurations for these settings will not see any change.

Administrator Recommendations

Admins are advised to:

  • Examine their existing setup in the Teams admin center under Messaging > Messaging settings > Messaging safety.

  • If you choose not to utilize these new default protections, modify and save your preferred settings prior to January 12, 2026.

  • Brief internal helpdesk teams and update relevant organizational documentation as required.

#MicrosoftTeams #Microsoft365 #M365Security #CyberSecurity #CloudSecurity #TeamsAdmin #ITAdmins #SecurityAwareness #MicrosoftUpdates #EnterpriseIT





Wednesday, December 31, 2025

10 Useful Windows Run Commands (Win + R)

Pressing Windows + R opens the Run dialog box, which lets you quickly launch applications, system tools, and configuration settings. This shortcut is an efficient way to navigate Windows without relying on the Start menu or File Explorer.

Below is a collection of commonly used Run commands and their functions.


System and Administrative Tools

  • cmd – Launches Command Prompt

  • powershell – Opens Windows PowerShell

  • services.msc – Opens the Services console

  • taskmgr – Launches Task Manager

  • msconfig – Opens System Configuration

  • eventvwr – Opens Event Viewer

  • compmgmt.msc – Opens Computer Management

  • regedit – Launches the Registry Editor

  • perfmon – Opens Performance Monitor

  • gpedit.msc – Opens Group Policy Editor (if available)

  • dxdiag – Opens the DirectX Diagnostic Tool

  • cleanmgr – Launches Disk Cleanup

  • diskmgmt.msc – Opens Disk Management

  • sysdm.cpl – Opens System Properties


Networking and Connectivity

  • ncpa.cpl – Opens Network Connections

  • inetcpl.cpl – Opens Internet Options

  • mstsc – Launches Remote Desktop Connection

  • control /name Microsoft.NetworkAndSharingCenter – Opens Network and Sharing Center

  • wf.msc – Opens Windows Defender Firewall with Advanced Security


Control Panel Applets

  • control – Opens the Control Panel

  • appwiz.cpl – Opens Programs and Features

  • powercfg.cpl – Opens Power Options

  • timedate.cpl – Opens Date and Time settings

  • desk.cpl – Opens Display Settings

  • hdwwiz.cpl – Opens Device Manager

  • sysdm.cpl – Opens System Properties


File System and Folder Shortcuts

  • . – Opens the current user’s home directory

  • .. – Opens the parent directory

  • control folders – Opens Folder Options

  • %temp% – Opens the Temporary Files directory

  • shell:startup – Opens the Startup folder

  • shell:sendto – Opens the SendTo folder


System Utilities

  • notepad – Opens Notepad

  • calc – Launches Calculator

  • charmap – Opens Character Map

  • mspaint – Opens Paint

  • snippingtool – Opens the Snipping Tool

  • osk – Opens the On-Screen Keyboard

  • write – Opens WordPad


Other Helpful Commands

  • explorer – Opens File Explorer

  • control printers – Opens Devices and Printers

  • control keyboard – Opens Keyboard settings

  • control mouse – Opens Mouse settings


#Windows
#CommandPrompt

