Understanding Apple enrollment methods in Microsoft Intune

By: Rishita Sarin – Product Manager | Microsoft Intune

Microsoft Intune, together with Microsoft Entra ID, facilitates a secure, streamlined process for registering and enrolling devices to access your organization’s resources. Once users and devices are registered within your Microsoft Entra ID (also called a tenant), then you can utilize Intune for its endpoint management capabilities. The process that enables device management for a device is called device enrollment.

During enrollment, Intune installs a mobile device management (MDM) certificate on the enrolling device. The MDM certificate communicates with the Intune service, and enables Intune to start enforcing your organization's policies, like:

• Enrollment policies that limit the number or type of devices someone can enroll.
• Compliance policies that help users and devices meet your organization’s requirements.
• Configuration profiles that configure work-appropriate features and settings on devices.

This blog aims to provide an overview of Microsoft Intune’s enrollment methods for Apple devices to help you make informed decisions about device management.

Enrollment methods

Personal owned devices (BYOD)

To get started with enrolling personally owned devices navigate to the Intune admin center, Devices > Enrollment > Apple > Enrollment types > Create.

Corporate owned devices

Devices > Enrollment > Apple > Enrollment program tokens > select a token > Enrollment policies > Create

💡 Tip: If you’re enrolling Apple devices for frontline worker scenarios, make sure to check out this detailed guide: Get started with iOS/iPadOS frontline worker devices.

Improvements

Based on customer feedback, Intune introduced a faster and more intuitive version of device enrollment with the Intune Company Portal called web enrollment in 2023. Web enrollment retains all the benefits of device enrollment with added benefits of reduced latency and without requiring installation of the Company Portal app. We strongly encourage you to take advantage of web enrollment for a faster and more efficient enrollment process for your users.

Additionally, turning on just-in-time (JIT) registration and compliance remediation (automatically set up as part of JIT registration setup) for all iOS/iPadOS enrollments can significantly improve the registration and compliance remediation experience. By bringing the enrollment experience to where the user is, we help them get productive faster and ensure a smoother transition.

This applies to both iOS/iPadOS bring-your-own-device (BYOD) web enrollment and corporate Automated Device Enrollment (ADE), specifically for Setup Assistant with modern authentication within ADE. For more information on JIT registration and compliance remediation, check out this blog post: Use JIT registration and JIT compliance remediation for all your iOS/iPadOS enrollments.

As a result of recent enhancements to our enrollment workflows, the Company Portal app is no longer required for some enrollment methods. However, we recognize the use cases for the Company Portal go beyond enrollment, and we’ll continue to support and invest in improvements for the app.

One example of upcoming improvements to the Company Portal is the addition of the user-less app catalog. This enhancement opens the doors for future frontline worker (FLW) scenarios, allowing for more flexible and efficient device management without the need for user-specific configurations. Stay tuned to What’s new in Intune for the release and more!

If you have any questions or want to share how you’re using Apple enrollment across your organization in Intune, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn: aka.ms/IntuneLinked.