SOLVED

iOS Enrollment Profile for BYOD devices

New Contributor

So, I set up an enrollment profile that is set to "Determine based on user choice" (we are still in testing). All fine and good there. When I test enrolling a BYOD iOS device into Intune, we download the Company Portal app, set up access, and on the dialog for "Select device and enrollment type" we choose "I own this device" and "Secure work-related apps and data only". Download MS Authenticator and install, trust the profile, install the root cert, allow the configuration profile, install the management profile. But when I try to enroll the device, it asks for "User Enrollment" sign-in; what Apple ID do I use there? I assumed it was a Managed Apple ID that I would get from an Apple Business Manager account, but the tech at Apple is telling me that they only allow ABM accounts for corporate-owned devices. My question is, how do I get a corporate Apple ID to use in Intune for this?

3 Replies
I was testing the same thing in a test tenant some weeks ago. I also ended up on the Apple ID question. I assumed I needed to set up ABM and set up federation with my domain with Intune to get it working... but never tried it.
best response confirmed by cesoup (New Contributor)
Solution

Hi,

You need Apple Business Manager (ABM) to create a Managed Apple ID, which you need for this scenario. It is also listed on this page under prerequisites (Enroll iOS/iPadOS devices with user enrollment in Microsoft Intune - Microsoft Intune | Microsoft D...). You can create these accounts manually in ABM, or you can set up federation with Azure using JIT or SCIM (https://vmlabblog.com/2020/11/federated-authentication-with-apple-business-manager/).

Just let me know if you want to know more about this topic.

Best regards,

Aad Lutgert


Thank you for confirming, Aad. I will yell at the Apple guys now.