Anand P

Choose which BYOD Device Enrollment is suitable for you. (iOS/iPadOS)

Are you having trouble deciding which Bring Your Own Device (BYOD) enrollment option to choose? Let me help! I'll guide you through the process of selecting the best option for you, so you can get all the benefits and features you need without any difficulties. To make things easier, I'll keep things simple. I believe that by following these guidelines, you'll be able to make an informed decision about which BYOD enrollment option is right for you. Just remember that different audiences have different needs. In this post, I will provide a comprehensive explanation of the various BYOD enrollment types that are available in Intune.



BYOD: User and Device enrollment


User-owned iOS/iPadOS devices are mostly referred to as BYOD (Bring Your Own Device) devices. These devices can access organizational data and applications such as email, Teams, OneDrive, and other data. Users can enroll these devices without resetting them. Several options are available for enrolling these types of devices.


App Protection Policies


App Protection Policies offer a streamlined approach to the BYOD experience, allowing administrators to manage at an app level. With this policy in place, you can deploy specific rules through Intune that dictate how applications are managed. For example, when a user signs in to a protected application using their work or school account, the app will adhere to the protection policy set by your organization. The specifics of these policies depend on individual business security preferences. If you'd like more information on App Protection Policy, I have written a blog post outlining how it works and providing guidance on creating and assigning App Protection Policies for iOS/iPadOS.



User enrollment with the company portal


This enrollment is a more streamlined process that gives admins a subset of device management options. With user enrollment, a user identity is created on the device using a managed Apple ID (federated), and the managed Apple ID can be used alongside the personal Apple ID that the user had already signed in with. During user enrollment, a separate volume is created on the device. The data separation is established when enrollment completes: Apple creates separate encryption keys for user and work data, and the encryption keys are securely destroyed once the device is unenrolled by the user or retired by the admin. To understand more about how this enrollment works, read my blog How to Configure User Enrollment with Company Portal in Intune and end-user experience.


Account-driven user enrollment


The procedure for enrolling a BYOD device using Account-driven user enrollment bears some resemblance to User enrollment with the company portal. In this enrollment, users are not required to download the Company Portal app from the App Store. Instead, they can enroll their device by selecting the "Sign In to Work or School Account" option in the Settings app. This removes the need to download the Company Portal, which simplifies the enrollment process. Note, however, that additional settings are necessary to complete this type of enrollment. To understand more about how this enrollment works, read my blog How to Configure Account-driven User Enrollment in Intune.



Device Enrollment with Company portal


This refers to the standard Bring Your Own Device (BYOD) enrollment process, which offers administrators a broad range of options for managing the device, including deploying device restrictions, compliance policies, and management capabilities. There is no separation between user data and corporate data: both types of data are saved in the same location or container. To understand more about how this enrollment works, read my blog on How to Configure Device Enrollment with the Company Portal in Intune.


Web-based device enrollment


Personal iOS/iPadOS devices can be enrolled through web-based device enrollment; the other method remains the Company Portal app. Web-based device enrollment stands out by offering a faster and more user-friendly experience, as it eliminates the need to download the Company Portal app. Users can initiate the enrollment process directly from their favorite browser, or start it from an app that requires a compliant device, making it easily accessible. Additionally, integrating web-based device enrollment with Just-In-Time registration reduces the frequency of sign-ins during both initial enrollment and when accessing apps. To understand more about how this enrollment works, read my blog on How to Configure Web-based Device Enrollment in Intune.


Determine based on user choice


During the registration process, users choose the level of control that the company will exercise over their device. They can grant the company full management access or limit it to corporate data only. Users are presented with two options: "I own this device" or "My organization owns this device". If they choose "My organization owns this device", the enrollment process begins and grants complete control to the company. If they select "I own this device", they can then specify their security preference: securing all data on the device, or only work-related apps and data. This gives users a certain level of independence while still keeping work-related information secure. To understand more about how this enrollment works, read my blog on How to Configure Determine based on user choice Enrollment Type in Intune.



Decide through the Tree



An easy-to-understand chart

| Enrollment Type | Microsoft Company Portal App | Microsoft Authenticator App | Apple Managed ID | Intune Registration Type |
| --- | --- | --- | --- | --- |
| User Enrollment with Company Portal | Yes | Yes | Yes | Personal |
| Account Driven User Enrollment | No | No | Yes | Personal |
| Device Enrollment with Company Portal | Yes | No | No | Personal |
| Web-based Device Enrollment | No | No | No | Personal |
| "My organization owns this device" in Determined based on user choice | Yes | No | No | Corporate |
| "Secure entire device" under "I own this device" in Determined based on user choice | Yes | No | No | Personal |
| "Secure work-related apps and data only" under "I own this device" in Determined based on user choice | Yes | Yes | Yes | Personal |

Conclusion

This blog explains the different options for managing iOS/iPadOS BYOD devices using Intune, to help you determine which one is the most suitable for you.

