Forum Discussion
CNAME records
My IT person had used his personal Apple ID to set up my company MDM. He explained it was an oversight - he should have asked me first and he should not have used his personal Apple ID. I accept that explanation but I wondered why he set it up in the first place. I did not want my devices controlled. There was no need. Especially given I had been complaining that I found Google device management policies deployed across my domain. He told me he set up MDM to allow Microsoft and my Apple phones to create a handshake. He argued it was necessary to "harden" my environment. He said my phone was not being controlled as there was no Intune set up. Given I was not using emails on my phone I queried this reasoning. I never understood why my phone and Microsoft needed to handshake.
I have just read that the CNAME records below are only needed for MDM:
enterpriseregistration.windows.net
enterpriseenrollment.manage.microsoft.com
Is there any reason other than MDM for the above CNAME records? Do the above CNAME records allow apps other than Intune to control my iPhone?
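As an added example (not part of this thread and not Microsoft's own tooling), the shell script below checks whether a domain carries the two records asked about above and whether they point at the hosts Microsoft documents for Intune's Windows auto-enrollment: enterpriseregistration.<domain> should be a CNAME for enterpriseregistration.windows.net, and enterpriseenrollment.<domain> a CNAME for enterpriseenrollment-s.manage.microsoft.com (the plain enterpriseenrollment.manage.microsoft.com target appears in older guidance and is accepted here too). It assumes dig is installed; the domain on the command line and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example for this thread, not code from the forum or from Microsoft.
# Reports whether a domain has the Intune/Windows auto-enrollment CNAME records
# and whether they point where Microsoft's Intune DNS guidance says they should.
# Assumes `dig` (bind-utils / dnsutils) is available.

# Expected CNAME targets for each enrollment label, per Intune's DNS guidance.
# The "-s" enrollment host is the currently documented one; the plain host
# appears in older guidance, so both are accepted.
expected_target() {
  case "$1" in
    enterpriseregistration) echo "enterpriseregistration.windows.net." ;;
    enterpriseenrollment)   echo "enterpriseenrollment-s.manage.microsoft.com. enterpriseenrollment.manage.microsoft.com." ;;
  esac
}

# classify_cname LABEL TARGET
# Prints: intune-windows-autoenroll | unexpected-target | absent
# Comparison is case-insensitive and tolerates a missing trailing dot.
classify_cname() {
  local label="$1" target="$2" t
  [ -z "$target" ] && { echo "absent"; return; }
  target="$(printf '%s' "$target" | tr 'A-Z' 'a-z')"
  case "$target" in *.) ;; *) target="$target." ;; esac
  for t in $(expected_target "$label"); do
    [ "$target" = "$t" ] && { echo "intune-windows-autoenroll"; return; }
  done
  echo "unexpected-target"
}

# lookup_cname LABEL DOMAIN -> first CNAME target for LABEL.DOMAIN (empty if none)
lookup_cname() {
  dig +short CNAME "$1.$2" 2>/dev/null | head -n 1
}

# check_domain DOMAIN -> one line per enrollment record: name, target, verdict
check_domain() {
  local domain="$1" label target verdict
  for label in enterpriseregistration enterpriseenrollment; do
    target="$(lookup_cname "$label" "$domain")"
    verdict="$(classify_cname "$label" "$target")"
    printf '%-40s %-48s %s\n' "$label.$domain" "${target:-<none>}" "$verdict"
  done
}

# Usage: ./check_enroll_cnames.sh example.com   (domain is a placeholder)
if [ -n "${1:-}" ]; then check_domain "$1"; fi
```

The script only reports what the zone points to. An "unexpected-target" verdict means the label exists but aliases something other than Microsoft's enrollment hosts, which is worth a closer look; "absent" means no CNAME at that name. Whether a particular iPhone is enrolled is a question about the device, not the DNS zone, and is answered by the Settings check described in the replies.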
- Intune_Support_Team (Microsoft)
Hi 20passist, an Apple MDM Push certificate is required for Intune to manage iOS/iPadOS and macOS devices. After you add the certificate to Intune, your users can enroll their devices using either the Intune Company Portal, or Apple's bulk enrollment methods. More information can be found here: Get an Apple MDM push certificate.
If there are BYOD iOS devices, they can be enrolled in the Intune service by installing the Intune Company Portal, following through the prompts, and installing a Management profile. Have a look over our iOS enrollment docs on what this process looks like.
Whether a device has been enrolled can be confirmed by the Intune Company Portal being installed and signed in on the device, or by a Management profile having been installed. Steps to manually validate whether a device is managed:
Settings App > General > If a "Device Management" profile exists, then the device is managed by an MDM.
Hope this helps!
- Moe_Kinani (Bronze Contributor)
Answer is NO.
You need these CNAME records in Intune for MDM and auto-enrollment for Windows devices only, not for iPhone & Android.
Hope this helps!
Moe

- 20passist (Copper Contributor)
Ok thank you all.
Can I please clarify three points?
1. If MDM was not being enabled, why would you go to the trouble of creating an Apple Certificate?
2. Does the Apple Certificate create a "handshake" between Apple and Microsoft?
3. Does Microsoft recommend an Apple Certificate to improve security when using Microsoft on Apple devices?
- Moe_Kinani (Bronze Contributor)
1. The admin might not have finished the config for MDM.
2. The certificate allows Intune to manage Apple phones; this goes for all MDM tools, not just Intune.
3. As mentioned, Apple forces the certificate for all MDM tools to manage Apple devices; the certificate lasts for one year.
Hope this helps!
Moe