Updated: Jun 8, 2022
Intune provides several ways to enroll iOS/iPadOS devices. Let's explore how each enrollment method helps secure corporate data on the endpoint. The enrollment methods available in Intune are listed below; some are generally available and some are still in preview.
BYOD (Bring your own device)
BYOD covers user-owned iOS/iPadOS devices: users enroll their personal device for Intune management in order to access corporate data. There are three options for enrolling these users.
App Protection Policies are the lightest version of the BYOD experience. They let the admin manage at the app level only: you deploy an app protection policy that defines how the application and its data are to be managed by Intune, without enrolling the device itself.
Enrollment Types: this feature is in preview. There are two enrollment types, Device enrollment and User enrollment, plus an option where the enrollment type is determined by the user's choice. I will explain these enrollments briefly here and will write about them in depth in upcoming blogs.
User Enrollment is a more streamlined enrollment process that gives the admin a subset of the device management options. With user enrollment, a separate user identity is created on the device using a managed Apple ID (federated), and this managed Apple ID sits alongside the personal Apple ID the user had already signed in with. During user enrollment, a separate volume is created on the device containing the
c. Calendar attachments
d. Mail Attachments and body of the mail message
e. Keychain items
The admin can manage only the organization accounts, settings, and information provisioned through Intune. Personal accounts, settings, and information cannot be managed. In this way, corporate data is kept secure inside the organization-managed apps while the user's personal data stays out of the admin's reach.
What can be managed by Intune for the devices enrolled under User enrollment
Device Enrollment is the typical BYOD enrollment. It gives the admin a wide range of management over the device through device restriction profiles, compliance policies, and the other management capabilities. These devices are registered as corporate-owned devices in Intune.
Determined User Enrollment lets the user decide whether the device is managed completely by the corporation or only the corporate data on the device is managed. The user is given the choice between "I own this device" and "(Company) owns this device". If the user selects "My organization owns this device", the enrollment follows device enrollment. If the user selects "I own this device", the user can then specify whether to secure the entire device or only the work-related apps and data.
COD (Company-Owned Device)
These are devices owned by the organization, where the asset belongs completely to the organization. Below are some of the enrollment methods supported by Intune for them.
Apple Automated Device Enrollment (ADE) lets you enroll a large number of devices without ever touching them (similar to zero-touch deployment, or to Autopilot in OOBE mode). Apple devices purchased by the organization from an authorized reseller are shipped directly to users, and the user sets the device up with Setup Assistant, the typical out-of-the-box experience. Setup Assistant runs with the preconfigured settings and the device enrolls into Intune management as part of it.
To enable ADE, you need an Apple Business Manager (ABM) or Apple School Manager portal. The reseller assigns the serial numbers of the devices to ABM, ABM syncs the devices to Intune using an enrollment token (I will be explaining these in depth in my upcoming blogs), and you assign a profile containing the settings that are applied to the devices during enrollment.
Apple School Manager works like Apple Business Manager (ABM): devices purchased under the program are added to the Apple School Manager portal and profiles are assigned from Intune for enrolling the devices.
Apple Configurator is a tool for enrolling a device, or adding it to ABM, that runs on a Mac computer (the application requires a Mac to run). To prepare a device, the iOS/iPadOS device is connected with a USB/Lightning cable to the Mac running Apple Configurator and an enrollment profile is installed. Devices can be enrolled in two ways using Apple Configurator:
a. Setup Assistant Enrollment wipes the device, prepares it to run Setup Assistant, and installs the policies on the device
b. Direct Enrollment doesn't wipe the device but enrolls it with a predefined policy; this method is used for enrollment without user affinity
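Since each enrollment method above (user enrollment, device enrollment, ADE and Apple Configurator with or without user affinity) leaves a different management footprint, an admin will want to see which method each iOS/iPadOS device in the tenant actually used. The following is an added example, not code from the original post, that reports this using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and the signed-in account holds the DeviceManagementManagedDevices.Read.All permission; the mapping from Graph's deviceEnrollmentType values to the post's method names is my own assumption for readability.

```powershell
# Added example (not from the original post): audit iOS/iPadOS enrollments in Intune
# by enrollment type and ownership, using the Microsoft Graph PowerShell SDK.
# Assumes: Microsoft.Graph module installed, DeviceManagementManagedDevices.Read.All granted.

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# Pull every managed device whose operating system is reported as iOS.
# Assumption: Intune reports iPadOS devices under 'iOS' as well, so this catches both.
$devices = Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'iOS'" -All

# Map Graph's deviceEnrollmentType values onto the enrollment methods described in the post.
# The enum names come from the managedDevice resource; the labels are my assumption.
$methodMap = @{
    'userEnrollment'                        = 'BYOD - Device enrollment (Company Portal)'
    'appleUserEnrollment'                   = 'BYOD - User enrollment (managed Apple ID)'
    'appleUserEnrollmentWithServiceAccount' = 'BYOD - User enrollment (account-driven)'
    'appleBulkWithUser'                     = 'Corporate - ADE / Configurator with user affinity'
    'appleBulkWithoutUser'                  = 'Corporate - ADE / Configurator without user affinity'
    'deviceEnrollmentManager'               = 'Corporate - Device Enrollment Manager account'
}

$report = $devices | ForEach-Object {
    $type = [string]$_.DeviceEnrollmentType
    [pscustomobject]@{
        DeviceName     = $_.DeviceName
        Ownership      = $_.ManagedDeviceOwnerType   # company / personal / unknown
        EnrollmentType = $type
        Method         = if ($methodMap.ContainsKey($type)) { $methodMap[$type] } else { 'Other / unknown' }
        Supervised     = $_.IsSupervised
        Compliance     = $_.ComplianceState
    }
}

# Summary: how many devices arrived via each enrollment method, and how many are personal.
$report | Group-Object Method | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Personal'; e = { ($_.Group | Where-Object Ownership -eq 'personal').Count } } |
    Format-Table -AutoSize

# Review list: user-enrolled devices expose only the organization-managed volume to Intune,
# so full-device restrictions or compliance checks you expect elsewhere will not apply here.
$report |
    Where-Object { $_.EnrollmentType -in 'appleUserEnrollment', 'appleUserEnrollmentWithServiceAccount' } |
    Format-Table DeviceName, Ownership, Supervised, Compliance -AutoSize
```

The second table is the one worth checking against your compliance design: a device that enrolled through user enrollment will never satisfy a policy that relies on supervised-only or whole-device settings, so such devices should be covered by app protection policies rather than device restrictions.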
The diagram represents a quick spectrum of Management