Configure Account-driven User Enrollment in Intune

In a previous blog post, I covered the various types of enrollment available for iOS/ipadOS devices in Intune. If you haven't read that post yet, I recommend checking it out to gain a better understanding of Different types of iOS/iPadOS Enrollment In Intune. The main aim of this blog is to provide a step-by-step guide on how to create an account-driven user enrollment type, along with the end-user experience.

I have written a blog that explains User Enrollment with the company portal both enrollment types are almost similar but only differ in the enrollment method.

This enrollment process creates separate areas, also known as containers or partitions, for Work and Personal data. These containers help admins secure work-related information by ensuring that data related to work can only be managed in a work container. At the same time, personal profiles can only be accessed through a personal container. Admins can only manage Organization accounts, settings, and information provisioned with Intune. The information and settings related to a person's account cannot be managed by admins, which is important for protecting corporate data in apps managed by the organization and keeping user personal data untouched by the admin.

Important

This feature is currently in public preview.

1. Here are some additional steps you need to take to enroll

2. Steps to Configure Account-driven User Enrollment

3. Let's take a look at end-user experiences

4. How to Remove the Management Profile
   

Prerequisites for Account-driven User Enrollment.

• Set mobile device management (MDM) authority

• Get an Apple MDM Push certificate

• Create Managed Apple IDs for device users

• iOS/iPadOS version 15 or newer

Here are some additional steps you need to take to enroll

You must verify the domain in your Apple Business Manager. To use Apple User Enrollment, you need to generate and give managed Apple IDs to the enrolling users. If federated authentication is enabled by linking Apple Business Manager with Microsoft Entra ID, there is no need to create and provide individual Apple IDs for each user. Instead, a device user can access their apps using the same login credentials as their work account.

To ensure that Apple can access the Intune service and obtain enrollment information, you must set up service discovery. This can be done by creating and publishing an HTTP well-known resource file on the same domain that employees use to sign in. Apple will retrieve the file via an HTTP GET request, for example, “https://cloudtekspace.com/.well-known/com.apple.remotemanagement”, you need to replace your web server FQDN instead of the one I used in the example "cloudteskspace.com"

Create a JSON file with the content type set to application/JSON, you can see the JASON file example provided in the Microsoft website Link, replace the Tenant ID with your Tenant ID for example

Steps to Configure Account-driven User Enrollment

Step1: Login to Microsoft Intune admin center https://intune.microsoft.com navigate to Devices and select iOS/iPadOS

Step 2: Select iOS/iPadOS enrollment and select enrollment types.

Step 3: Tap on Create Profile and select iOS/iPadOS to create an enrollment-type profile.

Step 4: Enter the name for the enrollment type as required and the description if needed ( for demonstration purposes I had only entered a name for the profile as it is mandatory ) and tap on Next to continue

Step 5: Select Account Driven user enrollment and tap Next

Step 6: Select a group or all users as required, in this example, I will be using a group, tap Select to add the group or users and tap Next to continue

Step 7: Verify the settings and select Create to complete the profile creation.

Let's take a look at end-user experiences

Step 1: Open the Settings app on your iOS/iPadOS navigate to General and select VPN & Device Management

Step 2: Tap on Sign in to Work or School account... enter your work account and tap on Continue and this will look for the enrollment URL

Step 3: Tap on Sign in to iCloud ( this is managed iCloud, not personal one) tap on Continue, and complete multi-factor authentication, once completed you can see the Remote Management profile tap on Allow Remote Management enter the iPad passcode to complete the enrollment

Step 4: Now you can see the profile tap on the enrollment profile to see more details

On the admin end, they can only manage organizational data remotely as options like wipe are grayed out. These types of enrolled devices can only be retired.

How to Remove the Management Profile

Users can remove the management profile by tapping the Remove Management Option, the user needs to provide the device passcode tap on Done, and tap on Remove all the applications and data associated which is almost the Retire option.

This blog post will provide you with a clear and concise set of instructions on how to enroll iOS/iPad OS devices using the Account-Driven User Enrollment type