How i OS devices enrolled in Intune can be moved to iOS Web enrollment?

Question

Hi,

We currently have iOS BYOD device enrollment in our tenant, and we must move to iOS BYOD web enrollment. But I would like to know If we have implemented web enrollment in the correct way.

A web enrollment profile was created, JIT registration was created, CA rules that require MFA were already created, Company portal web clip and Authenticator app are added as required VPP apps. All those configurations are assigned to a test user group.

Our company requires MFA to be already installed and working on the iOS devices, so the app will only be administrated after the enrollment.

This is the result of my tests:

1. Test 1. Unenrolled device/new device. If I removed the device in the company portal app (unenroll the device) and then uninstall the app, I can start a web enrollment downloading Teams who triggers the web enrollment. The MFA works ok, the Authenticator gets administrated, all apps are installed and working.
2. Test 2. A new user is added to the test user group. His device is already enrolled. When the user gets the new profile, the company portal web clip is automatically installed, and the authenticator gets administrated. The device has both Company portal app (from previous enrollment) and Company portal web clip. All apps work, and no app will trigger a web enrollment until the device is unenrolled (Test 1). This is confusing. The user may not start web enrollment.
3. Test 3. If I execute Test 2, But I uninstall the Company portal app without unenrolling the device. The web enrollment did not start, but the work apps installed in the previous enrollment worked fine. An administrator cannot see on Intune if the device is web enrolled or not. The enrollment date has not changed. The user may not start web enrollment.
4. Test 4. If I execute test 3 and I remove the device from the company portal web clip (unenroll the device). The work apps that were installed form before are removed.  It seems the company portal web clip to over after the company portal app was uninstalled. This is confusing.  

The perfect situation is test 1, but I know some users do not follow instructions, so they can have the 4 scenarios described above.

·         I would like to know if this is the normal behavior for web enrollment.  

·         Does exist best practices to move the users from device enrollment to web enrollment without many steps and confusion.

·         Shall we use small groups or assign the profile to all users at once?

·         Shall we retire devices in Intune to ensure users would reenroll their devices?

 

I hope someone can help me with this issue.

 

Answer 1

@Veronica Rodriguez Stormo, Thanks for posting in Q&A. Yes, the behavior you're observing is generally expected for web enrollment. The key points are:

• Test 1: This is the ideal scenario where a new or unenrolled device triggers web enrollment correctly.
• Test 2: If a device is already enrolled, the web clip and Authenticator app get installed, but web enrollment won't trigger until the device is unenrolled.
• Test 3: Uninstalling the Company Portal app without unenrolling the device won't trigger web enrollment, and the device retains its previous enrollment status.
• Test 4: Unenrolling via the web clip removes work apps, indicating the web clip takes over after the Company Portal app is uninstalled.

To move users from device enrollment to web enrollment, it's generally recommended to start with small groups. And yes, retiring devices in Intune can help ensure users reenroll their devices correctly: It is a good option.

Hope the above information can address your questions.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.