Forum Discussion

Guilherme1020
Copper Contributor
Mar 20, 2024

Enrollment iOS - BYOD

Hello everyone,


Currently, I'm deeply immersed in learning about Intune and its functionalities. As an intern, my project involves implementing Intune to manage enterprise devices and personal devices brought in by employees (BYOD). I'm encountering some difficulties dealing with BYOD on iOS, unlike Android, which seemed to be more straightforward.


Unlike Android, where a separate work profile is created from the personal one, this doesn't occur on iOS. It seems to require a different approach to secure and manage devices. Previously, all restrictions applied on Android only affected the work profile, whereas on iOS, they affect the entire device.


I would like to ask for your assistance with tips and guides on the best way to ensure that company data and applications are used securely on iOS devices. Any guidance would be greatly appreciated.

  • Guilherme1020 

    This is a very general question. But indeed the normal iOS management, that is commonly called Personal, is just an MDM enrollment. The different approaches for iOS management are as follows (starting from full management 'downward' to BYOD):

    - Intune enrollment using DEP (Apple Business Manager), which through the Enrollment Profile makes the device Supervised. Supervised means the device is completely Company Owned and you have a lot of settings available that are normally not available to a 'normal' device. It is even possible to restrict the device to the point that it is a Kiosk. For Intune and ABM see the following: https://learn.microsoft.com/en-us/mem/intune/enrollment/tutorial-use-device-enrollment-program-enroll-ios

    - Intune Enrollment without DEP. The device is not supervised and not all settings are available from MDM (see here a list of settings only for supervised devices: https://support.apple.com/en-gb/guide/deployment/dep6b5ae23e9/1/web/1.0). You register the device with the Company Portal that you download from the App Store on the device. This is a full MDM enrollment and you are able to wipe the devices from MDM, for example. This is the enrollment you were referring to, but this is not BYOD!

    - Apple's User Enrollment. This is Apple's own solution for BYOD (this is real BYOD enrollment, comparable to Android Enterprise Work Profile). Basically this is accomplished on the device by creating a second (company) APFS volume. You are unable to wipe the device from MDM, only able to remove the work partition. This method has downsides: you need ABM and users need a Managed Apple ID, created in ABM. See here for getting started: https://learn.microsoft.com/en-us/mem/intune/enrollment/ios-user-enrollment-supported-actions

    - Application Protection Policies (MAM-WE). This is not accomplished by any device enrollment and this is not an Apple method but Microsoft's. With the App Protection Policies (APP) only the company apps are managed (works out-of-the-box only for Microsoft apps and some partner apps) and all security policies are applied to the apps, like an app PIN code. This is a much-used method of providing company data to private devices (hence a BYOD solution). You can start here: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policies

    Besides this breakdown there are a lot of other details. For example, we discussed the APP to create a sort of 'company container' where company data can flow but, for example, is not allowed to be shared outside of the container. Within iOS there is a similar feature (it is not as feature-rich and sophisticated as APP) called Managed Open-in. You can read about it here, and this is a good document to read in general for this topic: https://www.apple.com/business/docs/resources/Managing_Devices_and_Corporate_Data.pdf
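As an added example (not from the thread), a small Python audit of the 'company container' settings of an App Protection Policy as described above: app PIN required and company data confined to managed apps. The property names and enum values follow the Microsoft Graph iosManagedAppProtection resource as an assumption, and both sample policies are constructed.

```python
"""Audit an Intune iOS App Protection Policy (MAM-WE) as a 'company container'."""

# Constructed sample policies shaped like the Microsoft Graph
# iosManagedAppProtection resource (property names and enum values are
# assumptions based on that API; the policies themselves are made up).
WEAK_POLICY = {
    "displayName": "BYOD iOS - draft",
    "pinRequired": False,
    "allowedOutboundDataTransferDestinations": "allApps",
    "allowedInboundDataTransferSources": "allApps",
    "allowedOutboundClipboardSharingLevel": "allApps",
    "saveAsBlocked": False,
    "dataBackupBlocked": False,
}

HARDENED_POLICY = {
    "displayName": "BYOD iOS - container",
    "pinRequired": True,
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedInboundDataTransferSources": "managedApps",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "saveAsBlocked": True,
    "dataBackupBlocked": True,
    "deviceComplianceRequired": True,
}

# (property, predicate that the value must satisfy, finding if it does not)
CHECKS = [
    ("pinRequired", lambda v: v is True, "app PIN not required"),
    ("allowedOutboundDataTransferDestinations", lambda v: v in ("managedApps", "none"),
     "company data may be sent to unmanaged (personal) apps"),
    ("allowedInboundDataTransferSources", lambda v: v in ("managedApps", "none"),
     "unmanaged apps may push data into company apps"),
    ("allowedOutboundClipboardSharingLevel",
     lambda v: v in ("blocked", "managedApps", "managedAppsWithPasteIn"),
     "clipboard can carry company data to personal apps"),
    ("saveAsBlocked", lambda v: v is True, "Save As to personal storage allowed"),
    ("dataBackupBlocked", lambda v: v is True, "company data may end up in device backups"),
    ("deviceComplianceRequired", lambda v: v is True, "access not tied to device compliance"),
]

def audit_app_policy(policy: dict) -> list[str]:
    """Return one finding per setting that breaks the container; [] means OK."""
    findings = []
    for prop, ok, message in CHECKS:
        value = policy.get(prop)  # an absent property counts as not configured
        if not ok(value):
            findings.append(f"{prop}={value!r}: {message}")
    return findings
```

Running `audit_app_policy` over an exported policy before assignment catches the settings that would let data leave the container, which is the gap the APP approach is meant to close.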
