
Enrollment iOS - BYOD


Hello everyone,

 

Currently, I'm deeply immersed in learning about Intune and its functionalities. As an intern, my project involves implementing Intune to manage enterprise devices and personal devices brought in by employees (BYOD). I'm encountering some difficulties dealing with BYOD on iOS, unlike Android, which seemed to be more straightforward.

 

Unlike Android, where a separate work profile is created from the personal one, this doesn't occur on iOS. It seems to require a different approach to secure and manage devices. Previously, all restrictions applied on Android only affected the work profile, whereas on iOS, they affect the entire device.

 

I would like to ask for your assistance with tips and guides on the best way to ensure that company data and applications are used securely on iOS devices. Any guidance would be greatly appreciated.

best response confirmed by Guilherme1020 (Copper Contributor)
Solution

@Guilherme1020 

 

This is a very general question. But indeed the normal iOS management, which is commonly called Personal, is just an MDM enrollment. The different approaches for iOS management are as follows (starting from full management 'downward' to BYOD):

 

- Intune enrollment using DEP (Apple Business Manager), which through the Enrollment Profile makes the device Supervised. Supervised means the device is completely Company Owned and you have a lot of settings available that are normally not available to a 'normal' device. It is even possible to restrict the device to the point that it is a Kiosk. For Intune and ABM see the following: https://learn.microsoft.com/en-us/mem/intune/enrollment/tutorial-use-device-enrollment-program-enrol...

 

- Intune Enrollment without DEP. The device is not supervised and not all settings are available from MDM (see here for a list of settings only available for supervised devices: https://support.apple.com/en-gb/guide/deployment/dep6b5ae23e9/1/web/1.0). You register the device with the Company Portal that you download from the App Store on the device. This is a full MDM enrollment and you are able to wipe the device from MDM, for example. This is the enrollment you were referring to, but this is not BYOD!

 

- Apple's User Enrollment. This is Apple's own solution for BYOD (this is real BYOD enrollment, comparable to the Android Enterprise Work Profile). Basically this is accomplished on the device by creating a second (company) APFS volume. You are unable to wipe the device from MDM, only able to remove the work partition. This method has downsides: you need ABM and the user needs a Managed Apple ID, created in ABM. See here for getting started: https://learn.microsoft.com/en-us/mem/intune/enrollment/ios-user-enrollment-supported-actions

 

- Application Protection policies (MAM-WE). This is not accomplished by any device enrollment, and this is not an Apple method but Microsoft's. With the App Protection Policies (APP) only the company apps are managed (works out-of-the-box only for Microsoft apps and some partner apps) and all security policies are applied to the apps, like an app PIN code. This is a much-used method of providing company data to private devices (hence a BYOD solution). You can start here: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policies

 

Besides this breakdown there are a lot of other details. For example, we discussed APP to create a sort of 'company container' where company data can flow but, for example, is not allowed to be shared outside of the container. Within iOS there is a similar feature (it is not as feature-rich and sophisticated as APP) called Managed Open-in. You can read about it here, and this is a good document to read in general for this topic: https://www.apple.com/business/docs/resources/Managing_Devices_and_Corporate_Data.pdf
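
The 'company container' behaviour of an App Protection Policy described in the answer above, as an added example that is not part of the original thread: a Python script that builds an iOS APP body using the property names of the Microsoft Graph v1.0 `iosManagedAppProtection` resource (which is what the Intune portal writes when you create the policy) and audits it for settings that would let company data flow out of the managed apps. The chosen values, the audit rules and the helper names are this example's own assumptions, not Intune defaults.

```python
import json

# Graph endpoint the body below would be POSTed to (with an admin token).
GRAPH_ENDPOINT = "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"


def build_ios_app_policy(name: str) -> dict:
    """Return an APP body that keeps company data inside the managed-app container."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": name,
        "description": "BYOD iOS: data may only flow between managed apps (example)",
        # Data-flow controls: this is the 'container' the answer describes.
        "allowedInboundDataTransferSources": "managedApps",
        "allowedOutboundDataTransferDestinations": "managedApps",
        "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
        "saveAsBlocked": True,
        "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
        "dataBackupBlocked": True,
        "printBlocked": True,
        "contactSyncBlocked": True,
        "managedBrowserToOpenLinksRequired": True,
        # Access controls: app PIN on top of the device passcode, periodic re-check.
        "pinRequired": True,
        "pinCharacterSet": "numeric",
        "minimumPinLength": 6,
        "simplePinBlocked": True,
        "maximumPinRetries": 5,
        "disableAppPinIfDevicePinIsSet": False,
        "periodOfflineBeforeAccessCheck": "PT12H",   # ISO 8601 durations
        "periodOnlineBeforeAccessCheck": "PT30M",
        "periodOfflineBeforeWipeIsEnforced": "P90D",
        "deviceComplianceRequired": True,
        "appDataEncryptionType": "whenDeviceLocked",
    }


# (property, predicate that must hold, finding when it does not); a missing property fails.
CONTAINER_CHECKS = [
    ("allowedOutboundDataTransferDestinations", lambda v: v == "managedApps", "company data may leave the container"),
    ("allowedOutboundClipboardSharingLevel", lambda v: v is not None and v != "allApps", "clipboard can paste into personal apps"),
    ("saveAsBlocked", lambda v: v is True, "Save As copies data outside managed storage"),
    ("pinRequired", lambda v: v is True, "no app PIN protects the company apps"),
    ("deviceComplianceRequired", lambda v: v is True, "non-compliant devices keep access"),
]


def audit_policy(policy: dict) -> list:
    """Return one finding per setting that would let data escape the managed apps."""
    return [f"{prop}: {msg}" for prop, ok, msg in CONTAINER_CHECKS if not ok(policy.get(prop))]


if __name__ == "__main__":
    policy = build_ios_app_policy("BYOD iOS - company container")
    print(json.dumps(policy, indent=2))
    print(audit_policy(policy) or "no container findings")
```

Run `audit_policy` against a policy exported from Graph to see which of these boundaries an existing BYOD policy actually enforces.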

@SebastiaanSmits 

 

I want to thank you for helping me.
