Set up user enrollment with Company Portal
Set up user enrollment with Company Portal for iOS/iPadOS personal devices enrolling in Microsoft Intune. This Apple User Enrollment method gives you access to a limited but appropriate set of device management settings and actions, so you can protect work data without affecting the device user's personal data or apps.
When the device owner attempts to sign into an app with their work or school account, Intune prompts them to enroll their device and provides instructions for next steps. The device user authenticates and initiates enrollment by signing into the Intune Company Portal app. From there, they're redirected to Safari and the device settings app, where they download and install the enrollment profile.
This article describes how to set up an enrollment profile in the Microsoft Intune admin center for Apple User Enrollment with Company Portal.
User enrollment with Company Portal is supported on devices running iOS version 13 or later, and iPadOS version 13.1 or later. Before beginning setup, complete the following tasks:
- Set mobile device management (MDM) authority
- Get Apple MDM Push certificate
- Create Managed Apple IDs for device users (Opens Apple Support website)
Additionally, review the following information:
Apple User Enrollment requires you to create and provide managed Apple IDs to enrolling users. If you enable federated authentication, which consists of linking Apple Business Manager with Microsoft Entra ID, you don't have to create and provide unique Apple IDs to each user. Instead, a device user can sign in to their apps with the same credentials they use for their work account. For more information, see Intro to federated authentication with Apple Business Manager in the Apple Business Manager User Guide.
Apple released iPadOS in September 2019, which introduced a change that can affect Microsoft Entra ID and Intune customers who use Conditional Access policies in their organization. For more information about how this affects your policies and what actions to take, see Evaluate and update Conditional Access policies after new iPadOS release.
Create enrollment profile
A user enrollment profile overrides an Intune enrollment restriction policy.
Complete these steps to create an enrollment profile for devices enrolling via user enrollment with Company Portal.
Sign in to the Microsoft Intune admin center.
Go to Devices > iOS/iPadOS > iOS/iPadOS enrollment.
Under Enrollment Options, choose Enrollment types.
Select Create profile > iOS/iPadOS.
On the Basics page, enter a name and description for the profile so that you can distinguish it from other profiles in the admin center. Device users don't see these details.
You can use the name field to create a dynamic group in Microsoft Entra ID, and assign devices to the enrollment profile automatically. Use the profile name to define the enrollmentProfileName parameter. For more information, see Microsoft Entra dynamic groups.
On the Settings page, select User enrollment with Company Portal.
Alternatively, you can select Determine based on user choice, which lets assigned users select the enrollment type during enrollment. Their options:
- I own this device: As a follow-up, the user must select whether they want to secure the entire device or only secure work-related apps and data.
- (Company) owns this device: The device enrolls via Apple Device Enrollment. For more information about this enrollment method, see Device Enrollment and MDM on the Apple Support website.
The device user's selection determines which enrollment process is carried out. Their choice is also reflected in the device ownership attribute shown in Intune. To learn more about the user experience and what they see onscreen during enrollment, see Set up iOS/iPadOS device access to your company resources.
On the Assignments page, assign the profile to all users, or select specific groups. Device groups aren't supported in user enrollment scenarios because user enrollment requires user identities.
On the Review + create page, review your choices, and then select Create to finish creating the profile.
Intune applies enrollment profiles in the order you prioritize them. To change the order in which they're applied:
- Go back to Enrollment types to view your profiles.
- Drag and drop the profiles in the list to reorder their priority.
If a conflict occurs because a user is assigned more than one profile, Intune applies the profile with the higher priority.
Removing device from management
The volume and cryptographic keys created to manage the work data on the device are erased when the device unenrolls from Intune.
For an overview of supported user enrollment methods and management actions, see Overview of Apple User Enrollment in Microsoft Intune .
For more details about Apple User Enrollment features and functionality, see User Enrollment and MDM on the Apple support website.
For troubleshooting, see Troubleshooting iOS/iPadOS device enrollment errors in Microsoft Intune.
For supported settings in Intune device configurations profiles, see: