Set up iOS/iPadOS and iPadOS User Enrollment (preview)
You can set up Intune to enroll iOS/iPadOS and iPadOS devices using Apple's User Enrollment process. User Enrollment gives admins a streamlined subset of management options compared to other enrollment methods.
For more information about the options available with User Enrollment, see User Enrollment supported actions, passwords, and other options.
Support for Apple's User Enrollment in Intune is currently in preview.
- Mobile Device Management (MDM) Authority
- Apple MDM Push certificate
- Managed Apple ID
- iOS 13 or later
Apple released iPadOS in September 2019, which introduced a change that can affect Microsoft Azure Active Directory (Azure AD) and Intune customers who use Conditional Access policies in their organization. For more information about how this affects your policies and what actions to take, see Evaluate and update Conditional Access policies after new iPadOS release.
User enrollment requires managed Apple IDs. These can be created manually, but we strongly recommend federating with Apple Business Manager. For more information about federation, see Federated Authentication with Apple Business Manager
Create a User Enrollment profile in Intune
An iOS User Enrollment profile overrides an enrollment restriction policy.
An enrollment profile defines the settings applied to a group of devices during enrollment.
In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS enrollment > Enrollment types (preview) > Create profile > iOS/iPadOS. This profile is where you'll indicate what enrollment experience your iOS/iPadOS and iPadOS end users will have on devices not enrolled through a corporate Apple method. If you'd like to make changes, you can edit this profile after you've created it.
On the Basics page, enter a Name and Description for the profile for administrative purposes. Users don't see these details. You can use this Name field to create a dynamic group in Azure Active Directory. Use the profile name to define the enrollmentProfileName parameter to assign devices with this enrollment profile. Learn more about Azure Active Directory dynamic groups.
On the Settings page, select one of the following options for Enrollment type:
- Device enrollment: All the users in this profile will use Device Enrollment.
- User enrollment: All the users in this profile will use User Enrollment.
- Determine based on user choice: All users in this group will be given the choice of which enrollment type to use. When users enroll their devices, they'll see an option to choose between I own this device and (Company) owns this device. If they choose the latter, the device will be enrolled by using Device Enrollment. If the user chooses I own this device, they'll get another option to secure the entire device or only secure work-related apps and data. The end user's selection of whether they own the device determines which enrollment type is implemented on their device. This user choice is also reflected in the Device Ownership attribute in Intune. To learn more about the user experience, see Set up iOS/iPadOS device access to your company resources.
On the Assignments page, choose the user groups containing the users to which you want this profile assigned. You can choose to assign the profile to all users or specific groups. All users in the selected groups will use the enrollment type chosen above. Device groups aren't supported for User Enrollment scenarios because the feature is based on user identities, rather than devices. You can choose to assign the profile to all users or specific groups.
On the Review and Create page, review your choices, and then select Create to assign the profile to the users.
After you've created more than one enrollment type profile, you can change the priority order in which they're applied.
- In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS enrollment > Enrollment types (preview).
- Drag and drop the profiles in the list in the order you want them applied.
In case of conflicts between profiles for any user, the higher priority profile is applied for the user.
Submit and view feedback for