The evolution of modern work sparked widespread adoption of bring-your-own device (BYOD) policies in organizations. This trend added complexity to mobile security deployments by challenging security and IT teams to protect work data without accessing personal data on those devices. With deployment options like Apple’s “User Enrollment”, work data and personal data on user-enrolled iOS devices are containerized on separate volumes on the same phone. This separation of work and personal data makes it easier than ever for security and IT teams to protect the most critical work data and applications on BYODs, while upholding end-user privacy.
Today we are excited to announce the Public Preview of Apple User Enrollment support for Microsoft Defender for Endpoint on iOS. This new feature offers security and IT teams the flexibility to deploy Defender for Endpoint to user-enrolled devices so that work data and applications are protected, while end-user privacy is upheld on those devices.
What is User Enrollment?
Apple User Enrollment is an enrollment solution specifically for BYOD scenarios. This enrollment type balances security and privacy for user-owned devices, by storing work and personal data in separate containers on the device. This containerized method only permits security and IT teams to have access to the data and managed applications found in the work container. As the admin, you get access to a limited but appropriate subset of Intune management options and restrictions to ensure that your organization's data stays safe.
Note: Admins cannot push a device-wide VPN profile with User Enrollment. Therefore, zero touch (silent) deployment and auto-onboarding of VPN is not supported with this feature.
Getting started
- Set up a User Enrollment Profile in Microsoft Intune. Intune supports account driven Apple User Enrollment and Apple User Enrollment with Company Portal. Read more about each method to determine which best fits your organization.
- Set up user enrollment with Company Portal
- Set up account driven user enrollment
- Set up Single Sign On (SSO) plugin. Microsoft Authenticator app with SSO extension is a pre-requisite for user enrollment in an iOS device.
- Learn how to create a device configuration profile in Intune
- Be sure to add these two keys to the above configuration:
- App bundle ID: Include the Defender App bundle ID in this list “com.microsoft.scmx”
- Additional configuration: Key: device_registration ; Type: String ; Value: {{DEVICEREGISTRATION}}
- Set up the Mobile Device Management (MDM) key for User Enrollment.
- In Intune, go to Go to Apps > App configuration policies > Add > Managed devices
- Give the policy a name, select Platform > iOS/iPadOS
- Select Microsoft Defender for Endpoint as the targeted app.
- In the Settings page, select Use configuration designer and add UserEnrolmentEnabled as the key, value type as String, value as True.
- Admin can push Defender as a required VPP app from Intune.
Learn more
Looking to learn more about User Enrollment support for Microsoft Defender for Endpoint?
Read our Apple User Enrollment support documentation on Microsoft Learn
Compare Apple User Enrollment methods
Review limitations and capabilities not supported
Let us know what you think!
We are excited to share Apple User Enrollment support for Microsoft Defender for Endpoint with you. Let us know what you think in the comments below. We take all feedback into consideration as we work to enhance your security experience with Microsoft Defender for Endpoint.
