In a previous blog post, I covered the various types of enrollment available for iOS/iPadOS devices in Intune. If you haven't read that post yet, I recommend checking it out to better understand the different types of iOS/iPadOS enrollment in Intune. The purpose of this blog is to explain how to configure web-based device enrollment and the user enrollment experience.
I have also written a blog post that explains how to enroll iOS/iPadOS devices with the Company Portal. The two enrollment types are almost identical and differ only in the enrollment method.
Personal iOS/iPadOS devices can be enrolled through web-based device enrollment or through the Company Portal app. Web-based device enrollment stands out by offering a faster and more user-friendly experience, as it eliminates the need to download the Company Portal app. Users can initiate the new enrollment process directly from their favorite browser or start from an app that requires a compliant device, making it easily accessible. Additionally, integrating web-based device enrollment with Just-In-Time registration reduces the frequency of sign-ins during both initial enrollment and when accessing apps.
Web-based device enrollment works with Just-In-Time registration, which enables Intune to use the Microsoft Authenticator app for registering the device and implementing single sign-on. This reduces the frequency of user sign-ins during both enrollment and when accessing work apps.
Prerequisites for Web-based Device Enrollment
iOS/iPadOS version 15 or later
Why Just In Time Registration?
The best user experience in web-based device enrollment begins with JIT configuration. Following device enrollment, it minimizes authentication prompts during sessions and enables single sign-on across all supported and configured applications.
Additionally, it offers the technical capability to integrate compliance checks within both Microsoft and non-Microsoft apps. JIT makes this possible by using the Apple SSO extension.
I wrote a blog post on setting up Just In Time Registration in Intune for smooth device management. Please refer to the blog for configuration details.
Steps to Configure Web-Based Device Enrollment
Step 1: Log in to the Microsoft Intune admin center (https://intune.microsoft.com), navigate to Devices, and select iOS/iPadOS.
Step 2: Select iOS/iPadOS enrollment and select enrollment types.
Step 3: Tap on Create Profile and select iOS/iPadOS to create an enrollment-type profile.
Step 4: Enter a name for the enrollment type and, if needed, a description (for demonstration purposes I entered only a name for the profile, as it is mandatory), then tap Next to continue.
Step 5: Select Web-based device enrollment and tap Next.
Step 6: Select a group or all users as required. In this example, I will be using a group. Tap Select to add the group or users, and tap Next to continue.
Step 7: Verify the settings and select Create to complete the profile creation.
It is a best practice to deploy the web app version of Intune Company Portal to provide device users with quick access to device status, actions, and compliance information. The web app will appear on the home screen and serve as a link to the Company Portal website. Please go through my blog post on how to create and deploy a web clip to iOS/iPadOS.
Now let's prepare employees for enrollment
When a user attempts to access the work application from their personal device, they receive a notification stating that enrollment is required and are directed to visit the Company Portal website for further instructions.
If you are not using conditional access, it's crucial to give device users the enrollment link so they understand how to start the enrollment process. The link that needs to be shared is portal.manage.microsoft.com/conditionalaccess/enrollment
We have now completed the profile creation and prepared the employees with communication channels to facilitate the new enrollment.
Let's take a look at end-user experiences
Step 1: Open Safari or any other browser and sign in to the Company Portal website with your work account using one of the below links
This will open the sign-in page. Enter your work account and password, and complete MFA if required.
Step 2: Once signed in successfully, the page redirects the user to start enrolling the device. Tap Get Started to begin downloading the profile, then tap Allow. Once the profile is downloaded, the user needs to review it in the Settings app. Tap Close to continue to the next step.
Step 3: Navigate to the Settings app and select Profile Download. Tap Install on the Install Profile screen, input your device passcode, and tap Done. Tap Install on the next two prompts, then tap Trust to start the profile installation. Tap Done once the profile installation has completed.
You can verify the profile installation status by navigating to General, selecting VPN & Device Management, and tapping Management Profile.
This shows the enrollment profile, where the user can see the single sign-on configuration and the web clip deployed to the device.
On the administrative side, the admin is limited to managing the device, with remote commands such as Wipe, Retire, etc. available. This type of enrollment allows the personal device to be wiped (which may pose a potential risk), but it is up to the organization to determine how the device and data should be managed.
How to Remove the Management Profile
Users can remove the management profile by tapping the Remove Management option. The user needs to provide the device passcode, tap Done, and tap Remove. This removes all the associated applications and data, which is almost the same as the Retire option.
Conclusion
This blog post offers a straightforward and brief guide on enrolling iOS/iPadOS devices through the Web-based Device Enrollment method.