Enroll iOS and iPadOS devices

  • 7 minutes

You can let users enroll their personal devices for Intune management (BYOD) or enroll the devices as corporate-owned devices.

Once you've completed the prerequisites and assigned users licenses, they can download the Intune Company Portal app from the App Store, and follow enrollment instructions in the app.

Company-owned iOS devices

For organizations that buy devices for their users, Intune supports the following iOS company-owned device enrollment methods:

  • Apple Business Manager (ABM)
  • Apple’s Automated Device Enrollment (ADE)
  • Apple School Manager
  • Apple Configurator

Automated Device Enrollment: Organizations can purchase iOS devices through Apple's Automated Device Enrollment (ADE) program (formerly known as the Device Enrollment Program, or DEP). ADE lets you deploy an enrollment profile “over the air” to bring devices into management seamlessly.

Apple Automated Device Enrollment (ADE) is an online service that automates the enrollment and configuration of Apple iOS devices to MDM. Apple ADE is only available for devices that an organization purchases through either Apple or authorized resellers to provide to employees.

Choose an authentication method: When you create an ADE enrollment profile in Intune, you must choose an authentication method. This choice affects the user experience during Setup Assistant and whether the device can meet requirements like MFA and Microsoft Entra registration for Conditional Access.

  • Setup Assistant with modern authentication (recommended): Uses Microsoft Entra credentials during Setup Assistant and supports MFA, Entra registration, and Conditional Access. Users can start using the device after Setup Assistant, even if Company Portal installs later.
  • Company Portal app: The device is locked until Company Portal is installed and the user completes enrollment. Use this when you want to enforce enrollment (and MFA) before any device use. If you want to install Company Portal without prompting for an Apple ID, use VPP to deploy it.
  • Setup Assistant (legacy): Doesn’t support MFA or Entra registration, so it isn’t recommended for new deployments.

To enable ADE enrollment, you use both Intune and Apple Business Manager (ABM) or Apple School Manager (ASM). A list of serial numbers or a purchase order number is required so you can assign devices to Intune for management. On the ABM/ASM website, an administrator can preconfigure device settings, including what applications and company services each device can access, and set devices to automatically enroll to MDM. iOS devices enrolled in ADE don't require manual configuration, and users never have to select on MDM links or install the Company Portal app to enroll the device initially.

If an organization allows its users to bring their own devices, the users should perform the regular iOS enrollment. But if the company provides employees with iOS devices that are part of Automated Device Enrollment, users can enroll those devices to MDM by performing the following steps:

  1. Turn on your iOS device.

  2. After you select your Language, connect your device to Wi-Fi.

  3. On the Set up iOS device screen, choose whether you want to:

    • Set up as new device
    • Restore from iCloud backup
    • Restore from iTunes backup

  4. Once you’ve connected to Wi-Fi, the Remote Management (Configuration) screen will appear. This will say:

    • [Your Company] will automatically configure your device.
    • Configuration allows [Your Company] to manage this device over the air. An administrator can help you set up email and network accounts, install and configure apps, and manage settings remotely. An administrator may disable features, install and remove apps, monitor and restrict your Internet traffic and remotely erase this device.
    • Configuration is provided by: [Your Company's] iOS Team [Address]

  5. Log in with your Apple ID (or Managed Apple ID, depending on setup). Logging in lets Intune install the management profile that will let your company give you access to its resources, such as email and apps, and can push the Company Portal app automatically.

  6. Agree to the Terms and Conditions and decide whether you want to send diagnostic information to Apple.

  7. Once you complete your enrollment, your device may prompt you to take more actions. Some of these steps might be entering your password for email access or setting up a passcode.

You can enable ADE enrollment for large numbers of devices without ever touching them. You can ship devices like iPhones and iPads directly to users. When the user turns on the device, Setup Assistant runs with preconfigured settings and the device enrolls into management.

For more information, refer to Automatically enroll iOS devices with Apple's Automated Device Enrollment.

Supervised mode

An iOS device in supervised mode can be managed with more controls. As such, it’s especially useful for corporate-owned devices. Intune supports configuring devices for supervised mode as part of ADE. We recommend that you use supervised mode even though it requires more configuration compared to other iOS enrollment methods. It gives you access to many policy settings in Intune that are otherwise unavailable (such as single-app kiosk mode or silent app installations).

ADE-enrolled devices are supervised by default. Supervised mode is absolutely required for full policy management on modern iOS versions, as Apple has deprecated unsupervised management features for corporate devices.

Enroll your personal iOS device for work

You can securely connect your personal iPhone or iPad to corporate resources (like Outlook and Teams) using either the Company Portal app or your device's native settings.

Enroll using the Company Portal app

  1. Download: Install the Intune Company Portal app from the Apple App Store.
  2. Sign In: Open the app, tap Sign In, and enter your work email and password.
  3. Review Privacy: The app will show you exactly what your company can and can't see. Review this and tap Continue.
  4. Download Profile: The app will prompt you to download a configuration profile. Tap Allow, then close the popup.
  5. Install in Settings: Leave the Company Portal and open your iPhone's native Settings app. Tap Profile Downloaded (near the top), tap Install, and enter your device passcode.
  6. Finish: Go back to the Company Portal app and tap Continue to finalize your setup.

Set up web based device enrollment for iOS

  1. Download the profile: Open Safari, go to https://portal.manage.microsoft.com/enrollment/webenrollment/ios, and sign in with your work account. When prompted, tap Allow to download the management profile.
  2. Install the profile: Open your device's native Settings app. Tap Profile Downloaded (near the top) and tap Install. Follow the prompts to finish the installation.
  3. Wait for Authenticator: Wait a few minutes for the Microsoft Authenticator app to automatically install in the background. (To check if it's ready, go to Settings > General > VPN & Device Management > Management Profile > More Details, and look for Authenticator under the SSO extension).
  4. Sign in and verify: Open a work app like Microsoft Teams and sign in. The app will check if your device meets company security rules. Complete any required actions (like updating your iOS), then select Recheck to access your work data.

Account driven user enrollment is a faster, more user-friendly BYOD enrollment method that users start directly from the Settings app (no Company Portal download required). It uses just-in-time (JIT) registration with Microsoft Authenticator to reduce sign-in prompts during enrollment and when accessing work apps.

Admin setup

  1. Configure JIT registration and assign Microsoft Authenticator as a required app.
  2. In the Microsoft Intune admin center, go to Devices > Enrollment.
  3. Select the Apple tab.
  4. Under Enrollment options, select Enrollment types.
  5. Select Create profile > iOS/iPadOS.
  6. Provide a name and description and select Account driven user enrollment in the Settings tab.

User enrollment steps

  1. On the device, open Settings > General > VPN & Device Management.
  2. Sign in with your work or school account, then select Allow Remote Management.
  3. Wait while the enrollment profile installs and policies apply.
  4. Wait a few minutes for Microsoft Authenticator to install (it’s required to access work apps).

Use account driven user enrollment as the preferred option for personal (BYOD) devices where user privacy is a priority. It applies a limited but appropriate set of management controls and keeps work data separated from personal data.