Government Control
I share practical tech guides and tips from my own experience - covering IT, networking, cloud tools, device security, and AI-powered automation - broken down so anyone can understand and apply them.
Thursday, April 2, 2026
April 2026 Microsoft 365 Changes
Tuesday, March 3, 2026
Apple Account-Driven User Enrollment Guide
Set Up Account-Driven Apple User Enrollment for Microsoft Intune.
This guide explains how to configure account-driven Apple User Enrollment for personal devices enrolling in Microsoft Intune. Account-driven enrollment offers a smoother, faster, and more user-friendly process compared to user enrollment with the Company Portal. Enrollment begins when the device user signs into their work account via the Settings app. After approving device management, the enrollment profile installs automatically, and Intune policies are applied. By using Just-in-Time (JIT) registration and the Microsoft Authenticator app for authentication, the enrollment process minimizes the number of sign-ins required during enrollment and while accessing work apps.
What You'll Learn
In this article, you'll learn how to:
Set up JIT registration
Create an enrollment profile
Prepare employees and students for enrollment
Prerequisites
Microsoft Intune supports account-driven Apple User Enrollment on devices running iOS/iPadOS 15 or later. If your devices are running iOS/iPadOS 14.9 or earlier, Intune will automatically enroll them through user enrollment with the Company Portal.
Before you begin setup, ensure the following steps are complete:
Set mobile device management (MDM) authority
Get Apple MDM Push certificate
Create Managed Apple IDs for device users (refer to Apple Support)
Additionally, you'll need to set up service discovery to enable Apple devices to reach the Intune service and retrieve enrollment information. To do this, set up and publish an HTTP well-known resource file on the same domain where employees sign in. Apple will retrieve the file via an HTTP GET request to:
https://contoso.com/.well-known/com.apple.remotemanagement
Microsoft Intune environments:
{"Servers":[{"Version":"mdm-byod", "BaseURL":"https://manage.microsoft.com/EnrollmentServer/PostReportDeviceInfoForUEV2?aadTenantId=YourAADTenantID"}]}
Microsoft Intune for US Government environments:
{"Servers":[{"Version":"mdm-byod", "BaseURL":"https://manage.microsoft.us/EnrollmentServer/PostReportDeviceInfoForUEV2?aadTenantId=YourAADTenantID"}]}
Microsoft Intune operated by 21 Vianet in China environments:
{"Servers":[{"Version":"mdm-byod", "BaseURL":"https://manage.microsoft.cn/EnrollmentServer/PostReportDeviceInfoForUEV2?aadTenantId=YourAADTenantID"}]}
JSON Configuration Details
The provided JSON sample includes all the necessary information to configure your environment:
Version: This specifies the server version, which is mdm-byod.
BaseURL: This is the URL where the Intune service is located.
Tip: For additional details about the technical requirements for service discovery, refer to the Implementing the Simple Authentication User-Enrollment Flow in the Apple Developer documentation.
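Added example (not part of the original guide): a small Python checker for the service-discovery file described above. It fetches or parses the JSON served at /.well-known/com.apple.remotemanagement and verifies the two fields the guide lists, that Version is mdm-byod and that BaseURL points at the Intune enrollment endpoint for the intended cloud with a real tenant GUID in place of the YourAADTenantID placeholder. The cloud names and sample tenant GUID are assumptions for the example.

```python
"""Check an Apple account-driven User Enrollment service-discovery file."""
import json
import re
import urllib.request
from urllib.parse import urlparse, parse_qs

# Expected Intune host per cloud, exactly as listed in the guide.
INTUNE_HOSTS = {
    "commercial": "manage.microsoft.com",
    "usgov": "manage.microsoft.us",
    "china": "manage.microsoft.cn",
}
ENROLL_PATH = "/EnrollmentServer/PostReportDeviceInfoForUEV2"
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def fetch_discovery(domain: str, timeout: float = 10) -> str:
    """Plain HTTPS GET of the well-known file, as Apple performs it."""
    url = f"https://{domain}/.well-known/com.apple.remotemanagement"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def validate_discovery(body: str, cloud: str = "commercial") -> list[str]:
    """Return the problems found; an empty list means the file is usable."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    servers = doc.get("Servers")
    if not isinstance(servers, list) or not servers:
        return ["'Servers' must be a non-empty array"]
    problems = []
    for i, srv in enumerate(servers):
        if srv.get("Version") != "mdm-byod":
            problems.append(f"server {i}: Version must be 'mdm-byod'")
        url = urlparse(srv.get("BaseURL", ""))
        if url.scheme != "https":
            problems.append(f"server {i}: BaseURL must use https")
        if url.hostname != INTUNE_HOSTS[cloud]:
            problems.append(f"server {i}: host {url.hostname!r} is not the {cloud} Intune endpoint")
        if url.path != ENROLL_PATH:
            problems.append(f"server {i}: unexpected path {url.path!r}")
        tenant = parse_qs(url.query).get("aadTenantId", [""])[0]
        if not GUID_RE.match(tenant):
            problems.append(f"server {i}: aadTenantId {tenant!r} is not a tenant GUID (placeholder left in?)")
    return problems


# Constructed samples: the guide's template as published, and a copy with a made-up tenant GUID.
TEMPLATE = ('{"Servers":[{"Version":"mdm-byod", "BaseURL":"https://manage.microsoft.com'
            '/EnrollmentServer/PostReportDeviceInfoForUEV2?aadTenantId=YourAADTenantID"}]}')
FILLED = TEMPLATE.replace("YourAADTenantID", "12345678-1234-1234-1234-123456789abc")

if __name__ == "__main__":
    for name, body in (("template", TEMPLATE), ("filled", FILLED)):
        print(name, validate_discovery(body) or "OK")
```

Run validate_discovery(fetch_discovery("contoso.com")) against your own sign-in domain before asking users to enroll; the placeholder check catches the most common copy-and-paste mistake.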
Best Practices
Here are some additional configurations that can enhance the enrollment experience for device users:
1. Deploy Company Portal Web App
Deploying the web app version of the Intune Company Portal allows users quick access to their device’s status, device actions, and compliance information. The web app appears on the home screen as a link to the Company Portal website, making it easier to access. Without the web app, users must manually open the browser and type in the address. For more information, see Add web apps to Microsoft Intune.
2. Enable Federated Authentication
Apple User Enrollment requires that you create Managed Apple IDs for users. By enabling federated authentication, which links Apple Business Manager with Microsoft Entra ID, you eliminate the need to manually create unique Apple IDs for each user. Instead, users can sign in using their existing work account credentials. For more details, see Introduction to Federated Authentication with Apple Business Manager in the Apple Business Manager User Guide.
Setup Steps
Step 1:
Set Up Just-in-Time Registration and Assign Microsoft Authenticator
First, configure Just-in-Time (JIT) registration and assign Microsoft Authenticator as a required app. You can follow the steps in Set up JIT registration in Intune. Once this is done, return to this guide to continue with the next steps.
Step 2: Create Enrollment Profile
Create an enrollment profile for devices that will use account-driven user enrollment. This profile defines the device user's enrollment process and allows them to start the enrollment from the Settings app.
In the Microsoft Intune admin center, navigate to Devices > Enrollment.
Select the Apple tab.
Under Enrollment options, click Enrollment types.
Choose Create profile > iOS/iPadOS.
On the Basics page, provide a name and description for the profile so you can easily identify it. Device users won’t see these details.
Click Next.
On the Settings page, select the enrollment type:
Account driven user enrollment: This is for users who initiate enrollment themselves.
Determine based on user choice: Users can choose their preferred enrollment method. Available options:
I own this device: Users can secure either the entire device or just work-related apps and data.
(Company) owns this device: The device enrolls through Apple Device Enrollment.
Click Next.
On the Assignments page, assign the profile to all users or specific groups. (Note: Device groups aren't supported for user enrollment since it requires user identities.)
Click Next.
On the Review + Create page, verify your choices, then click Create to finalize the profile.
Step 3: Prepare Employees for Enrollment
To start the enrollment process, users need to sign in to the Settings app with their work or school account. If they attempt to sign into a work-related app, they’ll receive a prompt to begin the enrollment process.
Here are the steps for device users:
Open the Settings app.
Select General.
Select VPN & Device Management.
Sign in with your work or school account (or the Apple ID provided by your organization).
Select Sign In to iCloud.
Enter the password for your username and select Continue.
Select Allow Remote Management.
Wait a few minutes for the device configuration and management profile installation.
To confirm enrollment, go to VPN & Device Management and check that your work account is listed under MANAGED ACCOUNT.
Note: Microsoft Authenticator is required for accessing work apps. After enrollment, wait for the app to install. You’ll get an error if you try to sign in without it.
Profile Priority
Intune applies enrollment profiles in order of priority. To change the priority:
Go to Enrollment types in the admin center.
Drag and drop profiles to reorder them.
If multiple profiles conflict, Intune will apply the profile with the highest priority.
Removing Device from Management
When a device unenrolls from Intune, the volume and cryptographic keys used to manage work data on the device are erased.
Known Issues
Enrollment Fails Due to SSO Application
If the Microsoft Authenticator app is already installed on the device before enrollment, the process will fail when the user attempts to sign in with their work account. The error message will state:
Title: Sign In Failed
Description: The Enrollment SSO application has been installed on the device.
To resolve this, the user must uninstall Microsoft Authenticator and restart the enrollment process.
Next Steps
For an overview of supported Apple User Enrollment features and management actions in Microsoft Intune, see the Overview of Apple User Enrollment in Microsoft Intune.
For troubleshooting, check the Troubleshooting iOS/iPadOS Device Enrollment Errors in Microsoft Intune guide.
For supported settings in Intune device configuration profiles, refer to:
iOS and iPadOS device restrictions
iOS and iPadOS device features
Setting up per-app Virtual Private Network (VPN)
Thursday, January 1, 2026
Retirement of Exchange Online Admin Audit Log
The Exchange Online Admin Audit Log feature is scheduled for deprecation by the end of 2025.
To continue accessing administrative audit information for Exchange Online, users must transition to using the Microsoft Purview Audit logs. When searching within the Purview Audit log tool, the correct filter to apply for Exchange admin activities is to select Exchange Admin as the Record Type.
Windows Autopilot: A Transformative Tool for IT Device Management
Traditionally, device deployment has been a major drain on IT resources, involving time-intensive tasks like operating system imaging, manual configuration, application installation, and policy application.
Windows Autopilot fundamentally alters this process. It is a robust, cloud-based deployment solution enabling organizations to automatically configure brand-new Windows devices with virtually no manual intervention.
How Windows Autopilot Functions
Autopilot streamlines the entire employee device setup into an easy, automated workflow:
Registration: The device is registered using its unique hardware identifier.
Profile Assignment: An appropriate Autopilot profile (for Azure AD Join or Hybrid Join) is assigned to the device.
User Initiation: The end-user powers on the new laptop and connects it to the internet.
Automated Setup: Autopilot then automatically executes the following steps:
Joins the device to Azure Active Directory (Azure AD).
Enrolls the device into Intune (Microsoft Endpoint Manager).
Installs all necessary business applications.
Applies all required configuration policies and security baselines.
The outcome is a device that is fully configured, secured, and immediately ready for use, all without any handling by the IT department.
The Value of Windows Autopilot
Speed: Accelerates the onboarding experience for new personnel.
Efficiency: Eliminates the need for manual imaging or custom builds via USB.
Security & Consistency: Guarantees a standardized, secure, and policy-compliant configuration every time.
Flexibility: Ideal for supporting remote or hybrid work environments.
Productivity: Significantly lowers the IT workload and reduces configuration errors.
In essence, Windows Autopilot allows the process to be summarized as: Unbox $\rightarrow$ Sign In $\rightarrow$ Begin Work.
Troubleshooting When Windows Explorer is Not Responding
Solutions for an Unresponsive Application
1. Wait Momentarily (Recommended First Step)
An application might simply be occupied with a process.
Wait for approximately 30 to 60 seconds.
If the application resumes operation, no further action is necessary.
2. Attempt Normal Application Closure
If the program is partially responsive:
Click the standard Close (X) button.
If a dialogue box appears, choose the option to Close program.
3. Force Close Using Task Manager (Most Frequent Resolution)
Press the keyboard combination Ctrl + Shift + Esc.
Locate the application identified as Not Responding.
Select the application and click End task.
This action immediately terminates the frozen application.
4. Utilize the Keyboard Shortcut for Quick Termination
With the frozen application in focus, press Alt + F4.
Confirm the closure if prompted by the system.
5. Restart Windows Explorer (If the User Interface is Frozen)
If elements like the taskbar or desktop are unresponsive:
Press Ctrl + Shift + Esc.
Find Windows Explorer in the list.
Right-click it and select Restart.
This refreshes the desktop environment without requiring a complete system reboot.
6. Terminate the Application via Command Line (Advanced Technique)
Using Command Prompt:
Press Win + R, type cmd, and press Enter.
Run the following commands:
tasklist (to view all running processes)
taskkill /IM appname.exe /F (to forcefully terminate a specific process)
Example:
taskkill /IM chrome.exe /F
7. System Restart (Final Option)
If multiple applications are failing to respond:
Save any work you can.
Initiate a Windows restart.
Preventing Future "Not Responding" Errors
Ensure Windows is kept up to date.
Avoid simultaneously running an excessive number of applications.
Consider a RAM upgrade if freezing is a frequent issue.
Monitor Task Manager $\rightarrow$ Performance for sudden spikes in CPU or RAM usage.
Conduct a malware scan.
Professional Insight
If a single application repeatedly freezes, the cause is typically one of the following:
A corrupted installation.
An incompatible update.
Insufficient system resources dedicated to the application.
Action: Reinstall or update the problematic application.
Preventing Users from Installing Unauthorized Applications (Intune Policy)
(A Practical Administrator Solution)
This common helpdesk issue often arises:
"A user installed unapproved software, and now their device is compromised and slow."
This represents a frequent security vulnerability encountered in Microsoft Intune deployments.
Here is the proper method for securing devices:
Step-by-Step: Restrict Application Installation via Intune
1. Device Restriction Policy (Recommended for Standard Users)
Path: Intune Admin Center $\rightarrow$ Devices $\rightarrow$ Configuration Profiles $\rightarrow$ Create Profile
Settings:
Platform: Windows 10/11
Profile Type: Device Restrictions
Set "Allow App Installation" = Block
2. Endpoint Security Policy (Best Practice)
Path: Endpoint Security $\rightarrow$ Attack Surface Reduction
Action: Configure App Control / Smart App Control to prevent:
Unrecognized installers
Untrusted executable files
Applications not sourced from the Microsoft Store
Benefit: Provides robust security and aids regulatory compliance.
3. Microsoft Store Control
Action:
Block Win32 installers.
Permit installation only of applications approved through the Microsoft Store.
Distribute approved applications via the Company Portal.
Outcome: Users are restricted to installing only what the IT department has sanctioned.
Significance of This Control
Mitigates:
Risk of malware
"Shadow IT" (unmanaged software)
Device performance degradation
Compliance failures
Ensures:
A regulated computing environment
Secure endpoints
Adherence to Zero-Trust principles
Expert Tip
Always pilot-test new policies with a small group before implementing them across the entire organization.
Important Note
Configuration details may vary depending on your tenant setup and specific business requirements. Always test thoroughly in a non-production or pilot group before deployment.
For more real-world IT admin tips on Intune, Azure, and M365 security, follow Ryan Adams.
Microsoft Teams: Enhanced Messaging Safety Features Activated by Default
Microsoft is boosting the security of messaging within Microsoft Teams by automatically activating key safety safeguards. This enhancement is designed to shield users from harmful content and includes a mechanism for users to report incorrect blocks, thereby improving the overall security of collaboration.
Rollout Schedule
This update is slated to begin deployment on January 12, 2026.
Affected Groups
Organizations whose Teams messaging safety settings are currently at the factory default and have not been previously modified.
Key Changes
The following options within the Teams admin center under Messaging settings > Messaging safety will be enabled by default:
Protection against file types that can be exploited for malicious purposes.
Identification and alerting for malicious URLs.
The function allowing users to report security detections that are incorrect.
User Experience Implications
End users may observe the following:
Notification banners appearing on messages that contain questionable or malicious links.
An option provided to submit a report for any messages wrongly flagged as suspicious.
Messages being prevented from sending if they incorporate file types categorized as weaponizable.
Organizations that have already customized and saved specific configurations for these settings will not see any change.
Administrator Recommendations
Admins are advised to:
Examine their existing setup in the Teams admin center under Messaging > Messaging settings > Messaging safety.
If you choose not to utilize these new default protections, modify and save your preferred settings prior to January 12, 2026.
Brief internal helpdesk teams and update relevant organizational documentation as required.