Microsoft is delighted to announce support for iOS User Enrollment with the release of Apple iOS 13.1 and iPadOS. This feature is currently available in public preview with Microsoft Endpoint Manager, including Microsoft Intune.
At Microsoft, we take end user privacy seriously and have long offered the choice of using managed apps or managing the entire device for bring-your-own-device (BYOD) users. Microsoft is delighted to enhance our best-in-class spectrum of BYOD offerings on iOS and iPadOS with User Enrollment. Apple introduced User Enrollment as a new type of lightweight enrollment in iOS 13.1 and iPadOS designed to meet a couple of goals -- namely, how to help IT keep corporate data safe with critical device enrollment features and protect end user privacy on their personal devices. We’re excited to extend Apple’s User Enrollment with the data protection afforded by Intune App Protection Policies to enable IT to use the most crucial device management features while maintaining trust and privacy for end users. Microsoft Endpoint Manager pairs the platform’s lightweight management experience with the intuitive enrollment experience that people love in the Microsoft Company Portal app (thank you for our 4.5 star rating in the App Store!), to create an easy on-boarding experience.
Every organization is unique, and they generally have end users with a variety of different expectations and use cases. Microsoft supports the full spectrum of device management and data protection choices to support these needs – from managed apps, User Enrollment, and Device Enrollment for personally-owned devices to Automated Device Enrollment for supervised, corporate-owned devices. On personally-owned devices, Microsoft Intune app protection policies provide IT the ability to prevent data leaks from protected apps while leveraging support for multiple identities to provide end users with complete trust that their privacy is protected. We believe our customers can get the best of both worlds when we pair the proven capabilities of Intune app protection policies with the platform capabilities of User Enrollment. Together, the two provide significant granular control over Intune protected apps such as Office 365 and other mobile apps, whether downloaded by end users or provided by IT, paired with the ability to use crucial device management features like a 6-digit non-simple device PIN, required app deployment with VPN to corporate resources on end user devices, and provisioning Wi-Fi access on personal devices.
Placing the user in control of their enrollment experience
Intune has taken an innovative approach to User Enrollment by putting the user in control of their device enrollment experience. When targeted by their IT admin, the user is asked whether the device belongs to them or their organization. If the device belongs to the user, they are provided with the option of securing the entire device (Device Enrollment) or securing work-related apps and data (User Enrollment). This is a distinct evolution in the enrollment experience which provides end users with the agency to determine the level of control their organization has over their personally-owned devices.
Our user studies have indicated that the ability to determine the level of protection applied to their device is important or very important to end users. 100% of users who participated in our study reported that the Microsoft end user experience for User Enrollment made it clear to them that their company cannot access personal data on their devices.
This is a common hesitation among end users, as one respondent put it best: “Every person within the company should only have access to specific information, they shouldn’t have everything. Security (team) is primarily making sure that what you, as an employee, are responsible for is secure within your profile. The enrollment thing is just raising your hand to say, ‘Yes I volunteer to do this’. This (enrollment) is just you validating and choosing what data. “
Particularly in today’s environment, users care deeply about their privacy. By enabling end users to choose the type of enrollment that makes sense to them, IT can continue to build trust with users, while maintaining secure control over organizational data.
Enrollment targeting– simple and flexible configuration
You will find the process to get started with User Enrollment is quite simple and provides you with significant flexibility in how you provide choice of enrollment types to your iOS and iPadOS users. First, you will need to ensure you have a valid Apple Push Notification Service (APNS) certificate to manage Apple devices.
After that, you will set up managed Apple IDs in Apple Business Manager using federation with your instance of Microsoft Azure Active Directory. Microsoft Azure Active Directory is the only federation partner within Apple Business Manager for all management solutions. The Managed Apple ID provides access to Apple services associated with the organization, separate from the personal Apple ID the user may already use. User Enrollment creates a separate Apple File System (APFS) volume using this ID for managed accounts, apps and data on the device. This managed volume is cryptographically separated from the rest of the device. Managed Apple IDs are created automatically during enrollment when users sign in on a device with their corporate email address. You can find more guidance from Apple on this topic here
User Enrollment is designed for securely using personally owned devices for work apps, without giving up management of the entire device to organizations. IT can apply necessary configuration and policies such as requiring a passcode or deploying mandatory apps, but not have the ability to control the camera or access personal information. For company owned devices or particularly sensitive data access on personally owned devices, full device enrollment may still be the preferred management method. Within the Microsoft admin console, you can set up so end users can choose between User enrollment or Device enrollment at the time of enrollment. You can also specify the enrollment type if you wish, or have a mixed approach depending on user groups. Visit the documentation to learn more.
Protect corporate data in apps using Intune app protection policies
User Enrollment and App Protection Policies are a great example of two management features that are better together for your user‘s personal devices accessing data in your organization. Both management options were designed to protect user privacy, and each solves unique management problems. User Enrollment allows IT to have control over a curated set of device management features. For instance, admins can set policies to enforce a 6 digit non-simplePIN on the device, deploy Wi-Fi profiles, and distribute secured apps such as Microsoft Edge to the device. They can also push configuration for VPN access to on-premises corporate resources. In the past, these specific capabilities drove organizations that were considering App Protection Policies towards heavier-weight Device Management - including features like Device Wipe that end users were not always comfortable with. With the introduction of User Enrollment, admins can pair both management options together to provide a deeper and more robust BYOD solution. App Protection Policies allow users to continue to use the Office apps exactly as they do today and now. They download the apps directly from the App Store and can use them across all aspects of their lives- whether for work or personal use. At Microsoft, we think it is crucial to enable this dual-use case and App Protection Policies provide your organization the ability to offer this best-in-class experience while also protecting your corporate data against leaks.
App Protection Policies target only the corporate account in protected apps, and the data is kept secure and separate from the personal account. In case the device is lost or the user leaves the organization, only the data in corporate account is wiped leaving the personal data in the same app on the personal partition of the device untouched.
Considerations for deploying User Enrollment with Microsoft
There are certain recommendations and alternatives that are good to know as you plan the roll-out of User Enrollment within your Microsoft managed device estate.
Conditional Access
Conditional Access policies can be applied when users are targeted for User Enrollment and provide the most seamless experience for ensuring users are prompted to begin the enrollment process. These policies can be configured exactly the same way you configure policies for device enrollments today. Turning on Conditional Access will ensure your users are properly forced to enroll in whatever form of management you have defined before they can get access to online resources like Exchange and SharePoint Online. To enable these scenarios, your end users will be prompted to install the Microsoft Authenticator app to their device if it is not already present during User Enrollment. Learn more about conditional access
Compliance
Many of the compliance policies you set for iOS and iPadOS devices using Device Enrollment will apply to User Enrolled devices as well. However, there are a subset of these policies that will work differently on User Enrolled devices. The biggest difference between Compliance policies for Device Enrollment and User Enrollment is the password policy. User Enrollment will only enforce a 6-digit, non-simple PIN after a one hour grace period. This is enforced at the OS level regardless of what is configured and the OS will report back the password is compliant as long as the policy is installed on the device.
There are a few differences in how other compliance settings are handled as well, detailed below.
Email: Managed email profiles will work for User Enrolled devices the same as they do for Device Enrollments today.
Device Heath: The Intune Company portal will check for a jailbroken device regardless of enrollment type. Microsoft is working with our MTD partner ecosystem to validate scenarios r reporting Device Threat Level on User Enrolled devices.
Restricted App: On a user enrolled device, Intune only receives information regarding applications deployed to the device in the managed APFS volume. As a result, the restricted app functionality is not valid for User Enrolled devices.
All actions for noncompliance are supported. These include sending emails to end users and remotely locking noncompliant devices. Conditional Access policies applied to devices targeted for User Enrollment are the best way to ensure your users are prompted to begin the enrollment process and become compliant.
Configuration
User Enrollment supports a subset of available device configuration options, which is indicated within the admin console upon creation or editing of a device configuration profile. If a pre-existing configuration profile is applied to a User Enrollment device, only settings supported by User Enrollment will be applied to that device. More details can be found here
App Distribution
App Distribution for devices with User Enrollment will use the same methods as Device Enrollment, as described within Intune documentation. All applications targeted to users that are supported by User Enrollment will be delivered to these devices and displayed within the Company Portal.
User Enrollment supports the following app types:
- Line-of-business
- Web link
- VPP apps with User licensing
Administrator Remote Actions
You can perform the following actions on User Enrolled iOS devices:
- Retire
- Delete
- Remote Lock
- Sync
User Enrollment does not support Device Wipe, Passcode Reset, or other remote actions not listed above, so you will not have the ability to deploy those actions from the Azure console.
Known issues and limitations during public preview
For the latest information on known issues and platform feature availability, see Intune documentation
Next Steps
We’re excited to release this public preview to our Microsoft Intune customers so that you can test out your management scenarios and determine if User Enrollment is a correct fit for some or all of your users on iOS devices. As we continue to iterate on User Enrollment, we look forward to you and your users’ usage and feedback. We believe this is just the first step in allowing you to put your users into the driver’s seat and choose what type of enrollment makes sense for them. Stay tuned in upcoming months.
Resources to learn more
Supported actions with User Enrollment
End user privacy with Microsoft Intune
As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.
Follow @MSIntune on Twitter
(Authored in collaboration with Tiffany Silverstein, Product Manager, Microsoft Endpoint Manager)