This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 31%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Hello,
Would like to know how intune pushes the policy configuration down to iOS device ?? I want to know exact flow and components involved in cloud and on device who catches the policy push.
Basically when Intune admin modifies or creates a new policy that is applicable to the iPhone, does intune uses apple-push-notification service and sends the whole payload on it OR is it some other means ?
And who enforces it on the on the device. In case Android we have "Android Device Policy" app. What is on Apple devices ??
Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@testuser7, Thanks for posting in Q&A. In General, Intune uses the Apple Push Notification service to communicate securely to your enrolled iOS devices, and Apple requires that each MDM service utilize their own certificate to establish a secure mechanism for devices to use when communicating on Apple’s push notification messaging network.
Your understanding is correct. When an Intune policy is created or modified, the relevant information is sent to APNs, which then pushes it to the device. Unlike Android, there isn’t a specific “Intune Device Policy” app on iOS, the enforcement of policies happens directly within the managed apps themselves.
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Crystal-MSFT So the whole policy-payload is sent out on the push-notification. OK so that part is understood.
You said that , unlike Android, there isn’t a specific “Intune Device Policy” app on iOS, the enforcement of policies happens directly within the managed apps themselves. However some SPECIFIC app has to be designated to receive the messages from APNs Which is that app ??
Besides, some configurations are not for any specific app. It is for whole device ? So how does it happen ??
@testuser7, Thanks for the reply. For app configuration policy, it is target to specific app. The app receives messages from APN is the one you set in app configuration policy.
For device configuration policy like some device system setting, based on my understanding, when the device checks in, it receives the push notification from APN, prompting it to retrieve the profile from Intune. The device processes the configuration profile and the native Settings app applies the specified settings . if there's any update on the configuration profile, the changes are pushed to the device via APN. The device receives the change setting and the native Settings app change the specified settings.
Thanks @Crystal-MSFT So there is NO role of company-portal app to play here in Apple platform.
@testuser7, Not exactly, the device checks in will use company portal.
not really. you can run the show without company portal if you are doing latest enrollment method. NO NEED of CP in the device atall.
@testuser7, For the enrollment method without company portal, I think yes.