Intune Enrollment and App mgt for company iOS devices even if user is not in Active Directory


We are migrating from one MDM, which was device based, to Endpoint/Intune. Everything seems to be going okay for all users who have an Azure AD account, but we have many users who are not in AD. Is there a way to manage the devices AND push apps out to the iPhones / iPads by Serial number ONLY? So the user never actually needs to sign in?

 

Also, in our previous MDM, we pushed apps using tags and were able to differentiate between iPhones (only got two required apps) and iPads (two required and eight default apps) to automatically push when the device enrolled. Everything I'm seeing just says iOS/iPad and we'd like different things to happen for iPhones than for iPads.

 

Thank you, in advance.

~ H

3 Replies
Hi, you can absolutely manage devices without user affinity. How are you currently enrolling devices? I would suggest using Apple Business (or School) Manager, combined with ADE (DEP) and device-assigned VPP apps.

Depending on your Azure AD licensing level, you can also configure dynamic groups for devices so all iPads fall into one group and all iPhones fall into another.

Let me know if this sounds like something that would be of interest and we can chat further.

Thank you, @robunger, for the reply. We are using ABM + ADE + device assigned VPP (well, we are using VPP...and I choose 'license type = device' when I add groups to them in Intune). Setting up AD groups specifically for iPad and iPhone was a thought I had, as well, but wasn't sure if that was the only way to go.

 

I've tried to set up 'dynamic' security groups for the purpose of pushing apps to devices for users who are unable to use the portal due to not having an AD account, but wasn't able to get it going. I am unable to figure out how to put devices into the group.


Hi @Hollis255 

 

To use dynamic groups you need Azure AD P1 (or a qualifying license such as M365 Business Premium, M365 E3 or EMS E3 - best to check https://github.com/AaronDinnage/Licensing as this will give you a great idea of where licenses sit).

 

MS documentation on rules for devices is here: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership#r...

 

This is what my dynamic device group (Azure AD, Groups, New Group) looks like:

[image: dynamic device group settings]

and the query would be:

[image: membership rule query]

iPhones would simply be (device.deviceOSType -eq "iPhone")

 

Hope this helps?
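As an added example (not from any poster in this thread), here is the Microsoft Graph PowerShell equivalent of the portal steps described in the last reply: a P1 licence check, then one dynamic device group per OS type using the same rule syntax quoted above. The group display names and the Graph scopes are assumptions; the iPad rule uses the documented `deviceOSType` value "iPad" alongside the "iPhone" rule quoted in the reply.

```powershell
# Added example: create the iPad / iPhone dynamic device groups from this thread
# with Microsoft Graph PowerShell instead of the portal. Assumed: the Microsoft.Graph
# module is installed, you can consent to the scopes below, and the display names fit.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Organization.Read.All"

# Dynamic groups need Azure AD Premium P1; check the tenant actually has the service
# plan before creating rules that would otherwise never be processed.
$hasP1 = Get-MgSubscribedSku |
    ForEach-Object { $_.ServicePlans } |
    Where-Object { $_.ServicePlanName -like "AAD_PREMIUM*" -and $_.ProvisioningStatus -eq "Success" }
if (-not $hasP1) { throw "No Azure AD Premium service plan found; dynamic membership will not work." }

# Rule strings use the same syntax as the portal's rule editor. The iPhone rule is the one
# quoted in the reply; the iPad rule uses the documented deviceOSType value "iPad".
$rules = @{
    "MDM-iPhones-Dynamic" = '(device.deviceOSType -eq "iPhone")'   # assumed group name
    "MDM-iPads-Dynamic"   = '(device.deviceOSType -eq "iPad")'     # assumed group name
}

foreach ($name in $rules.Keys) {
    $group = New-MgGroup -DisplayName $name `
        -MailEnabled:$false -MailNickname ($name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled `
        -GroupTypes "DynamicMembership" `
        -MembershipRule $rules[$name] `
        -MembershipRuleProcessingState "On"
    Write-Host "Created $($group.DisplayName) ($($group.Id)) with rule $($rules[$name])"
}

# Membership is evaluated asynchronously; re-check after a few minutes and confirm the
# group holds device objects (not users) before assigning device-licensed VPP apps to it.
foreach ($name in $rules.Keys) {
    $g = Get-MgGroup -Filter "displayName eq '$name'"
    $members = Get-MgGroupMember -GroupId $g.Id -All
    $types = ($members.AdditionalProperties.'@odata.type' | Sort-Object -Unique) -join ','
    "$name : $($members.Count) member(s), object types: $types"
}
```

Once the groups populate, assign the required apps to both groups and the eight default apps to the iPad group only, using the device licence type the second post already describes.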