
Configure Web-based Device Enrollment in Intune

Updated: Mar 14

In a previous blog post, I covered the various types of enrollment available for iOS/iPadOS devices in Intune. If you haven't read that post yet, I recommend checking it out to gain a better understanding: Different types of iOS/iPadOS Enrollment In Intune. The purpose of this blog post is to explain how to configure web-based device enrollment and to walk through the user enrollment experience.

I have also written a blog post that explains how to enroll iOS/iPadOS devices with the Company Portal. The two enrollment types are almost the same and differ only in the enrollment method.

Personal iOS/iPadOS devices can be enrolled either through web-based device enrollment or by using the Company Portal app. Web-based device enrollment stands out by offering a faster and more user-friendly experience, as it eliminates the need to download the Company Portal app. Users can initiate the new enrollment process directly from their favorite browser or start it from an app that requires a compliant device, making it easily accessible. Additionally, integrating web-based device enrollment with Just-In-Time registration reduces the frequency of sign-ins during both initial enrollment and when accessing apps.

Web-based device enrollment works with Just-In-Time registration, which enables Intune to use the Microsoft Authenticator app for registering the device and implementing single sign-on. This reduces the frequency of user sign-ins during both enrollment and when accessing work apps.


Prerequisites for Web-based Device Enrollment.

Why Just In Time Registration?

The best user experience in web-based device enrollment starts with configuring Just-In-Time (JIT) registration. After device enrollment, it minimizes authentication prompts during sessions and enables single sign-on across all supported and configured applications.

Additionally, because JIT uses the Apple SSO extension, it provides the technical capability to integrate compliance checks within both Microsoft and non-Microsoft apps.

I wrote a blog post on setting up Just In Time Registration in Intune for smooth device management. Please refer to the blog for configuration details.

Steps to Configure Web-Based Device Enrollment

Step 1: Log in to the Microsoft Intune admin center, navigate to Devices, and select iOS/iPadOS.

Step 2: Select iOS/iPadOS enrollment and select Enrollment types.

Step 3: Tap Create Profile and select iOS/iPadOS to create an enrollment-type profile.

Step 4: Enter a name for the enrollment type and, if needed, a description (for demonstration purposes I entered only a name for the profile, as it is mandatory), and tap Next to continue.

Step 5: Select Web-based device enrollment and tap Next.

Step 6: Select a group or all users as required. In this example, I will be using a group. Tap Select to add the group or users, and tap Next to continue.

Step 7: Verify the settings and select Create to complete the profile creation.

It is a best practice to deploy the web app version of Intune Company Portal to provide device users with quick access to device status, actions, and compliance information. The web app will appear on the home screen and serve as a link to the Company Portal website. Please go through my blog post on how to create and deploy a web app clip to iOS/iPadOS.

Now let's prepare employees for enrollment

When a user attempts to access the work application from their personal device, they receive a notification stating that enrollment is required and are directed to visit the Company Portal website for further instructions.

If you are not using conditional access, it's crucial to give device users the enrollment link so they understand how to start the enrollment process. The link that needs to be shared is

We have now completed the profile creation and prepared the employees with communication channels to facilitate the new enrollment.

Let's take a look at end-user experiences

Step 1: Open Safari or any other browser and sign in to the Company Portal website with your work account using one of the below links

This will open the sign-in page. Enter your work account and password, and complete MFA if required.

Step 2: Once signed in successfully, the page redirects the user to start enrolling the device. Tap Get Started to begin downloading the profile, then tap Allow. The profile is now downloaded, and the user needs to review it in the Settings app. Tap Close to continue to the next step.

Step 3: Navigate to the Settings app and select Profile Download. Tap Install on the Install Profile screen, input your device passcode, and tap Done. Tap Install on the next two prompts, tap Trust to start the profile installation, and tap Done once the profile installation has completed.

You can verify the profile installation status by navigating to General, selecting VPN & Device Management, and tapping Management Profile.

This shows the enrollment profile, where the user can see the single sign-on configuration and the web clip deployed to the device.

On the admin end, the admin can only manage the device, which allows remote commands such as Wipe, Retire, etc. This type of enrollment gives the ability to wipe the personal device (which can be considered a potential risk), but it is up to the organization to decide how the device and data need to be managed.
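To size the wipe exposure described above, an administrator can list, per user, which personally owned iOS/iPadOS devices are under management. The PowerShell below is an added example, not part of the original post: the sample records are constructed, the function name Get-PersonalAppleDeviceExposure is hypothetical, and the property names follow the Microsoft Graph managedDevice resource.

```powershell
# Constructed sample records shaped like Microsoft Graph managedDevice objects.
# With live data, replace $devices with the output of the Microsoft Graph
# PowerShell SDK (requires the Microsoft.Graph.DeviceManagement module):
#   Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'
#   $devices = Get-MgDeviceManagementManagedDevice -All
$devices = @(
    [pscustomobject]@{ DeviceName = 'iPhone-A';  UserPrincipalName = 'user1@contoso.example'
                       OperatingSystem = 'iOS';     ManagedDeviceOwnerType = 'personal'; ComplianceState = 'compliant' }
    [pscustomobject]@{ DeviceName = 'iPad-A';    UserPrincipalName = 'user1@contoso.example'
                       OperatingSystem = 'iPadOS';  ManagedDeviceOwnerType = 'personal'; ComplianceState = 'noncompliant' }
    [pscustomobject]@{ DeviceName = 'iPhone-B';  UserPrincipalName = 'user2@contoso.example'
                       OperatingSystem = 'iOS';     ManagedDeviceOwnerType = 'company';  ComplianceState = 'compliant' }
    [pscustomobject]@{ DeviceName = 'Laptop-C';  UserPrincipalName = 'user3@contoso.example'
                       OperatingSystem = 'Windows'; ManagedDeviceOwnerType = 'personal'; ComplianceState = 'compliant' }
)

function Get-PersonalAppleDeviceExposure {
    # Returns one row per user who has personally owned iOS/iPadOS devices
    # enrolled, i.e. devices on which the Wipe and Retire actions are available.
    param([Parameter(Mandatory)][object[]]$Device)

    $Device |
        Where-Object {
            # Assumption: iPads may be reported as 'iOS' or 'iPadOS'; match both.
            $_.OperatingSystem -in 'iOS', 'iPadOS' -and
            "$($_.ManagedDeviceOwnerType)" -eq 'personal'
        } |
        Group-Object -Property UserPrincipalName |
        ForEach-Object {
            [pscustomobject]@{
                User            = $_.Name
                PersonalDevices = $_.Count
                Devices         = ($_.Group.DeviceName -join ', ')
                NonCompliant    = @($_.Group |
                    Where-Object { "$($_.ComplianceState)" -ne 'compliant' }).Count
            }
        }
}

# For the sample data this yields a single row for user1@contoso.example
# covering iPhone-A and iPad-A, one of which is noncompliant.
Get-PersonalAppleDeviceExposure -Device $devices | Format-Table -AutoSize
```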

How to Remove the Management Profile

Users can remove the management profile by tapping the Remove Management option. The user needs to provide the device passcode, tap Done, and tap Remove. This removes all the associated applications and data, which is almost the same as the Retire option.


This blog post will provide you with a clear and concise set of instructions on how to enroll iOS/iPadOS devices using the Web-based Device Enrollment type.

