Anand P
Mar 12 · 4 min
Updated: Mar 14
In a previous blog post, I covered the various types of enrollment available for iOS/iPadOS devices in Intune. If you haven't read that post yet, I recommend checking it out to gain a better understanding: Different types of iOS/iPadOS Enrollment In Intune. The purpose of this blog is to explain how to configure web-based device enrollment and what the user enrollment experience looks like.
I have also written a blog that explains how to enroll iOS/iPadOS devices with the Company Portal. Both enrollment types are almost the same; they differ only in the enrollment method.
Personal iOS/iPadOS devices can be enrolled either through web-based device enrollment or through the Company Portal app. Web-based device enrollment stands out by offering a faster and more user-friendly experience, as it eliminates the need to download the Company Portal app. Users can initiate the new enrollment process directly from their favorite browser or start via an app that requires a compliant device, making it easily accessible. Additionally, integrating web-based device enrollment with Just-In-Time registration reduces the frequency of sign-ins during both initial enrollment and when accessing apps.
Web-based device enrollment works with Just-In-Time registration, which enables Intune to use the Microsoft Authenticator app for registering the device and implementing single sign-on. This reduces the frequency of user sign-ins during both enrollment and when accessing work apps.
Table of Contents
Why Just In Time Registration?
Steps to Configure Web-Based Device Enrollment
Now let's prepare employees for enrollment
Let's take a look at end-user experiences
How to Remove the Management Profile
iOS/iPadOS version 15 or later
Why Just In Time Registration?
The optimal web-based device enrollment experience begins with JIT configuration. Following device enrollment, it minimizes authentication prompts during sessions and enables single sign-on across all supported and configured applications.
Additionally, it offers the technical capability to integrate compliance checks within both Microsoft and non-Microsoft apps. JIT makes this possible by using the Apple SSO extension.
I wrote a blog post on setting up Just In Time Registration in Intune for smooth device management. Please refer to the blog for configuration details.
Steps to Configure Web-Based Device Enrollment
Step 1: Log in to the Microsoft Intune admin center at https://intune.microsoft.com, navigate to Devices, and select iOS/iPadOS.
Step 2: Select iOS/iPadOS enrollment and select Enrollment types.
Step 3: Tap on Create Profile and select iOS/iPadOS to create an enrollment-type profile.
Step 4: Enter a name for the enrollment type and, if needed, a description (for demonstration purposes I entered only a name for the profile, as it is mandatory), then tap Next to continue.
Step 5: Select Web-based device enrollment and tap Next.
Step 6: Select a group or all users as required. In this example I will be using a group. Tap Select to add the group or users, then tap Next to continue.
Step 7: Verify the settings and select Create to complete the profile creation.
Now let's prepare employees for enrollment
It is a best practice to deploy the web app version of Intune Company Portal to provide device users with quick access to device status, actions, and compliance information. The web app will appear on the home screen and serve as a link to the Company Portal website. Please go through my blog post on how to create and deploy a web clip to iOS/iPadOS.
When a user attempts to access the work application from their personal device, they receive a notification stating that enrollment is required and are directed to visit the Company Portal website for further instructions.
If you are not using conditional access, it's crucial to give device users the enrollment link so they understand how to start the enrollment process. The link that needs to be shared is portal.manage.microsoft.com/conditionalaccess/enrollment
We have now completed the profile creation and prepared the employees with communication channels to facilitate the new enrollment.
Let's take a look at end-user experiences
Step 1: Open Safari or any other browser and sign in to the Company Portal website with your work account using one of the links below:
https://portal.manage.microsoft.com/conditionalaccess/enrollment
https://portal.manage.microsoft.com/enrollment/webenrollment/ios
This opens the sign-in page. Enter your work account and password, and complete MFA if required.
Step 2: Once signed in successfully, the page redirects the user to start enrolling the device. Tap on Get Started to begin downloading the profile, then tap on Allow. The profile is now downloaded and needs to be reviewed in the Settings app. Tap on Close to continue to the next step.
Step 3: Navigate to the Settings app and select Profile Download. Tap Install on the Install Profile screen, input your device passcode, and tap on Done. Tap Install on the next two options, tap on Trust to start the profile installation, and tap Done once the profile installation has completed.
You can verify the profile installation status by navigating to General, selecting VPN & Device Management, and tapping on Management Profile.
This shows the enrollment profile, where the user can see the single sign-on configuration and the web clip deployed to the device.
On the admin end, the admin can only manage the device, which allows remote commands such as Wipe, Retire, etc. This type of enrollment gives the ability to wipe the personal device (which can be considered a potential risk), but it is up to the organization to decide how the device and data need to be managed.
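An added example, not part of the original post: a read-only inventory of the personally owned iOS/iPadOS devices that Intune manages, so the set of devices exposed to the Wipe and Retire commands described above can be reviewed. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.DeviceManagement module) and an account permitted to read managed devices; the CSV file name is arbitrary.

```powershell
# Read-only audit: lists devices, sends no remote commands.
# Assumes the Microsoft.Graph.DeviceManagement module is installed.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

$minMajor = 15   # the post lists iOS/iPadOS version 15 or later

# Personally owned Apple mobile devices currently under management.
$personal = Get-MgDeviceManagementManagedDevice -All |
    Where-Object {
        $_.OperatingSystem -in 'iOS', 'iPadOS' -and
        "$($_.ManagedDeviceOwnerType)" -eq 'personal'
    }

$report = $personal | ForEach-Object {
    # OSVersion is a string such as "17.3.1"; compare on the major part only.
    $major = ($_.OSVersion -split '\.')[0] -as [int]
    [pscustomobject]@{
        DeviceName     = $_.DeviceName
        User           = $_.UserPrincipalName
        OSVersion      = $_.OSVersion
        BelowMinimum   = ($null -eq $major) -or ($major -lt $minMajor)
        EnrollmentType = "$($_.DeviceEnrollmentType)"
        Enrolled       = $_.EnrolledDateTime
    }
}

$report | Sort-Object User, DeviceName | Format-Table -AutoSize
$report | Export-Csv -Path .\personal-ios-devices.csv -NoTypeInformation
```

Reviewing this list alongside the roles allowed to issue Wipe helps an organization decide whether the exposure on personal devices is acceptable.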
How to Remove the Management Profile
Users can remove the management profile by tapping the Remove Management option. The user needs to provide the device passcode, tap on Done, and tap on Remove. All the associated applications and data are removed, which is almost the same as the Retire option.
Conclusion
This blog post provides a clear and concise set of instructions on how to enroll iOS/iPadOS devices using the web-based device enrollment type.