Forum Discussion
iOS 18 release and support for Device enrolment with company portal?
As per the MS message center post below, User enrolment with company portal will not be supported. We use device enrolment with company portal as an enrolment type for all our users; will device enrolment with company portal also stop being supported post iOS 18?
Of the 2 enrolment types below, we only use DEVICE ENROLMENT WITH COMPANY PORTAL:
1 - User enrolment with company portal
2 - Device enrolment with company portal
2 Replies
- SebastiaanSmits (Iron Contributor)
There is a lot of confusion surrounding this topic. It is a pretty small and rather insignificant change from Microsoft. The only enrollment type that is affected is User Enrollment. This is Apple's BYOD solution (it is not widely used, by the way). You need Managed Apple IDs. With this management type the device creates an extra APFS volume and dedicates this to a sort of work profile. There are some BYOD-specific features for this User Enrollment type of device. For example, as IT you are unable to wipe the devices and you have limited capabilities for setting device-wide settings, with some exceptions (enforcing device PIN complexity, for example). You can find some more detail here: https://support.apple.com/en-vn/guide/deployment/dep23db2037d/web
For User Enrollment, so this native iOS management type, only the Company Portal enrollment option will go away. So this one: https://learn.microsoft.com/en-us/mem/intune/enrollment/apple-user-enrollment-with-company-portal . The newer ‘User Enrollment’ enrollment type called ‘Account driven’ is the replacement and is also a much nicer enrollment flow that is built into the Settings app. You can see a nice visual of the enrollment steps here: https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Account-Driven_User_Enrollment_Experience_for_Personally_Owned_Mobile_Devices.html
Device Enrollment is not affected at all, this is a complete device MDM registration that is mostly used if you are unable to use Apple Business Manager (DEP) and Automated Device Enrollment (ADE). Device Enrollment with Company portal is a widely used enrollment method and would mean a big change if this was deprecated, but this won’t happen (not anytime soon at least).
- ibuRaNkL (Copper Contributor)
SebastiaanSmits - Thank you for the overview of the recent changes regarding User Enrollment and the introduction of the 'Account driven' enrollment method. The resources and explanations you've provided do help clarify a lot of the confusion surrounding this topic.
However, there's a specific aspect of the enrollment process that still raises some concerns, especially for larger organizations like ours that are navigating these changes. The requirement to uninstall the authenticator app before proceeding with the new enrollment process presents a significant challenge. This step, particularly in scenarios involving an employee's departure or transition, leads to the removal of not only the corporate credentials but also any personal multi-factor authentication (MFA) settings the employee may have configured on their device.
This requirement seems to be at odds with the smooth and user-friendly enrollment flow you've described. For organizations in the midst of rolling out or already utilizing Microsoft Authenticator extensively, this creates a practical dilemma. Balancing the need for security with the practicality and personal security needs of our staff is paramount.
Could you share any insights or suggestions on how organizations can better manage this transition? Are there potential workarounds or best practices that might mitigate the impact of this requirement on both the organization's security posture and the user's convenience and personal settings?
https://learn.microsoft.com/en-us/mem/intune/enrollment/apple-account-driven-user-enrollment