Getting started with User Enrollment for iOS/iPadOS devices

This week is all about the User Enrollment option that was introduced with iOS 13 and iPadOS 13.1 and that is currently available as preview functionality in Microsoft Intune. User Enrollment feels similar to what can already be achieved on Android devices with Work Profiles: a separation between personal data and company data. In this post I’ll start with a short introduction to User Enrollment, followed by the steps to create an enrollment profile that will facilitate User Enrollment. I’ll end this post by showing the end-user experience during and after the enrollment.

Introduction to User Enrollment

User Enrollment is created and designed by Apple to facilitate an enrollment and management scenario for Bring Your Own Device (BYOD). That enrollment and management scenario requires Managed Apple IDs. Those Managed Apple IDs are used to create an additional user identity on the device and can coexist with a personal Apple ID on the same device. Actually, that coexistence is the main idea. User Enrollment can be compared to the Work Profile for Android devices. It creates a clear separation between personal and company data. During the enrollment a separate volume is created on the device that contains managed versions of Apps, Notes, Calendar attachments, Mail attachments and Keychain.

User Enrollment also impacts the apps that can be deployed to users. The managed parts on the device are related to the Managed Apple ID and not to the personal Apple ID that is connected to the store. That means that an IT administrator must rely on Apple Volume Purchase Program (VPP) with user licenses for the distribution and licensing of store apps when working with User Enrollment. Besides that, by using Microsoft Intune it’s also possible to assign weblinks and line-of-business apps.

When looking from a management perspective, Microsoft Intune can be used to manage everything related to the Managed Apple ID and nothing related to the personal Apple ID. Also, after enrollment, an administrator can only use Microsoft Intune to retire the device and not to wipe the device. When looking from an enrollment perspective, Microsoft Intune contains a new enrollment type that can be used to facilitate User Enrollment. That profile provides the following options:

  • User enrollment: This option will use User Enrollment for all the assigned users. That means that only work-related apps and data will be secured and that the device will be marked as personally-owned.
  • Device enrollment: This option will use Device Enrollment for all the assigned users. That means that the whole device will be managed and that the device will be marked as company-owned.
  • Determine based on user choice: This option will provide the assigned users with a choice. Users must choose between I own this device and {company} owns this device. When they choose the latter option, the device will be enrolled using device enrollment, and when they choose the first option they’re provided another choice. Users must then choose between Secure entire device and Secure work-related apps and data only. With both options, the device will still be marked as personal, but the level of management will differ. For an overview of these choices, see also Figure 3.
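The management boundaries described above (a User Enrollment device is marked as personally-owned, and an administrator can retire it but not wipe it) can be turned into a small inventory audit. The following Python script is an added example and is not code from the original post or from Microsoft. It works on a constructed, fictitious device inventory whose record shape imitates the Microsoft Graph managedDevice resource (the deviceEnrollmentType, ownerType and operatingSystem fields and the appleUserEnrollment value); treat those field names and enum values as assumptions to verify against the Graph reference before using the script against a real tenant export.

```python
"""Audit an Intune device inventory for Apple User Enrollment devices.

Added example; not code from the original post or from Microsoft. The
record shape imitates the Microsoft Graph managedDevice resource
(deviceEnrollmentType, ownerType, operatingSystem) as I understand it;
treat those field names and enum values as assumptions to verify against
the Graph reference, not as confirmed API facts.
"""

# Enum value that, in this example, marks an Apple User Enrollment device
# (assumed to match the Graph deviceEnrollmentType value of the same name).
APPLE_USER_ENROLLMENT = "appleUserEnrollment"
# Graph historically reports iPads as "iOS"; both spellings are accepted here.
APPLE_PLATFORMS = {"iOS", "iPadOS"}

# Constructed sample inventory (fictitious devices, no real identifiers).
SAMPLE_INVENTORY = [
    {"id": "dev-1", "deviceName": "iPhone 8", "operatingSystem": "iOS",
     "deviceEnrollmentType": "appleUserEnrollment", "ownerType": "personal"},
    {"id": "dev-2", "deviceName": "iPad Pro", "operatingSystem": "iPadOS",
     "deviceEnrollmentType": "appleUserEnrollment", "ownerType": "company"},
    {"id": "dev-3", "deviceName": "iPhone 11", "operatingSystem": "iOS",
     "deviceEnrollmentType": "userEnrollment", "ownerType": "company"},
    {"id": "dev-4", "deviceName": "Pixel 4", "operatingSystem": "Android",
     "deviceEnrollmentType": "userEnrollment", "ownerType": "personal"},
]


def is_apple_user_enrollment(device):
    """True for an iOS/iPadOS device enrolled through User Enrollment."""
    return (device.get("operatingSystem") in APPLE_PLATFORMS
            and device.get("deviceEnrollmentType") == APPLE_USER_ENROLLMENT)


def allowed_remote_actions(device):
    """Remote actions an admin can expect to work on this device.

    The post states that a User Enrollment device can only be retired
    (work data removed) and not wiped; every other device keeps both.
    """
    if is_apple_user_enrollment(device):
        return {"retire"}
    return {"retire", "wipe"}


def offboarding_action(device):
    """Pick the remote action to run when the device's user leaves."""
    if is_apple_user_enrollment(device) or device.get("ownerType") == "personal":
        return "retire"     # personal data stays untouched
    return "wipe"           # company-owned, fully managed device


def audit(inventory):
    """Flag User Enrollment devices whose ownership is not 'personal'.

    The post says a device enrolled through User Enrollment is marked as
    personally-owned, so any other ownerType deserves a review.
    """
    findings = []
    for device in inventory:
        if is_apple_user_enrollment(device) and device.get("ownerType") != "personal":
            findings.append({
                "id": device["id"],
                "deviceName": device.get("deviceName", "?"),
                "issue": "User Enrollment device not marked personal "
                         f"(ownerType={device.get('ownerType')!r})",
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(f"{finding['id']} {finding['deviceName']}: {finding['issue']}")
    for device in SAMPLE_INVENTORY:
        print(device["id"], "offboarding ->", offboarding_action(device),
              "allowed:", sorted(allowed_remote_actions(device)))
```

Run as-is it prints one finding (the constructed iPad that is User Enrolled but marked company-owned) and the offboarding action per device; to use it on a real export, replace SAMPLE_INVENTORY with the device list returned by your tenant and confirm the field names first.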

Create an enrollment type profile for iOS/iPadOS

The User Enrollment can be facilitated by using an enrollment type profile. That enrollment type profile contains the configuration of the enrollment type for the assigned users. The following six steps walk through the process of creating and assigning an enrollment type profile for iOS and iPadOS devices.

Important: Keep in mind that User Enrollment requires the use of Managed Apple IDs.

Note: The best user experience is provided by using provisioning and federated authentication for Managed Apple IDs, by using Azure AD. More information regarding that subject can be found in my previous post.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment types to open the Enrollment type profiles blade
  2. On the Enrollment type profiles blade, click Create profile > iOS/iPadOS to open the Create enrollment type profile wizard
  3. On the Basics page, provide the following information and click Next
  • Name: Provide a valid name for the enrollment type profile
  • Description: (Optional) Provide a description for the enrollment type profile
  4. On the Settings page, select one of the earlier explained enrollment types (for an overview see Figure 1 below) and click Next

Note: For showing the end-user experience options, I’m using Determine based on user choice.

  5. On the Assignments page, configure the assignment of the profile and click Next

Important: The assignment must be a user group, as this feature is based on user identities.

  6. On the Review + create page, verify the configuration and click Create (for the result see Figure 2 below)

Note: Enrollment type profiles are created with a priority. The administrator can adjust the priority and the profile with the highest priority will be applicable to the enrollment.

End-user experience when enrolling a personal iOS device

The best method to have a look at the end-user experience is by enrolling a personal iOS device. In the following example that will be an iPhone 8. The 15 steps below walk through enrolling that iPhone 8 by relying on User Enrollment. Those steps also include a few useful notes and some screenshots from where the enrollment differs from the “normal” device enrollment for personal iOS devices.

  1. Download and install the Company Portal app
  2. Open the Company Portal app and sign in using a work or school account
  3. On the Set up {company} access page, tap Begin
  4. On the Select device and enrollment type page, select I own this device and select Secure work-related apps and data only (as shown in Figure 3) and tap Continue

Note: Selecting {company} owns this device will result in a company-owned device and selecting I own this device will result in a personally-owned device.

  5. Back on the Set up {company} access page, tap Continue
  6. On the Device management and your privacy page, review the information and tap Continue
  7. Back on the Set up {company} access page, tap Continue
  8. On the This website is trying to download a configuration profile. Do you want to continue? dialog box, tap Allow
  9. On the Profile Download dialog box, tap Close
  10. Open the Settings app (as shown in Figure 4) and tap on Enrol in {company}
  11. On the User Enrollment page, review the information (as shown in Figure 5) and tap Enrol My iPhone
  12. On the Enter iPhone Passcode To Install Profile page, provide the passcode of your iPhone
  13. On the Apple ID for {company} page, tap Continue and sign in with your Managed Apple ID
  14. Back in the Company Portal app, tap Continue now
  15. Back on the Set up {company} access (now renamed to You’re all set!) page, tap Done

Once the enrollment is successfully completed, there are still a few interesting places to look to verify that the enrollment succeeded. The first place to look is of course the Company Portal app. That app shows information regarding the enrollment and the ownership of the device. The ownership is set to Personal (as shown in Figure 6). Besides that, this enrollment model also separates personal and business data. That separation is clearly shown in apps like Reminders (see Figure 7) and Notes (see Figure 8).

More information

For more information about the user enrollment for iPhone and iPad devices, refer to the following docs.

26 thoughts on “Getting started with User Enrollment for iOS/iPadOS devices”

  1. Hi Peter,

    Thanks for sharing this! I have a question regarding Figure 3. If I were to apply the exact same configuration as you did and would set up a brand new ADE device, would that automatically be excluded from this process? Since it is clearly a company device, the user shouldn’t be getting the option to choose, right?

    Kind regards, Julio

    • Hi Julio,
      User Enrollment is mainly for personally-owned devices, which is what I’ve shown in this post. The device management option that you see in Figure 3 is – in my opinion – only for company-owned devices that require a manual enrollment. That means devices that are not enrolling via ADE. When using ADE, this is not applicable.
      Regards, Peter

  2. Other than the need to use Managed Apple IDs, how does managing personal devices with User Enrollment compare with managing them through MAM policies? Why would I choose one over the other?

  3. Hi Peter, interesting presentation yesterday!

    What’s the difference between “Secure entire device” and “Secure work-related apps and data only” when it comes to pushing apps, does that even work in both scenarios? And what about Configuration Policies, do they work in either one of the scenarios?

    Last one, in this blog, you picked “Determine based on user choice”, does the user still see “Secure entire device” and “Secure work-related apps and data only” during enrollment?

    • Thank you Jordi!
      You should still be able to push apps, and the policy describes which settings are available for which scenario. In my blog I deliberately chose that the user can pick. That provides the user with the choice. Either other option would force a specific enrollment and would take the choice away from the UI.
      Regards, Peter

  4. So if I understand correctly, only Apple services get data separation. We cannot have a work Outlook and a personal Outlook like Android for Work?

  5. Thank you for this article. It was very helpful. I’m looking at deploying User Enrollment with Intune for MDM and using MAM policies. Has anyone else deployed this configuration? We have 100% BYOD iOS devices.

    We just completed Apple Business Manager enrollment. Apple support will ask who owns the devices. I told them all devices are BYOD. They gave me a hard time, saying ABM was for company-owned devices. They must not be up to date on User Enrollment. I guess they haven’t seen this Apple documentation. They did finally approve our ABM account.

  6. Hi Peter,

    Thank you so much for the valuable information about this. I can’t find decent documentation from Microsoft about this.

    We are trying to implement BYOD in our company and I followed the steps, but I have some doubts.

    I understand that we need Managed Apple IDs for User Enrolment, but do they need to be created with ABM Federation?

    I ask this because I followed your other post about how to configure the ABM federation with Azure, but I found a big issue … a lot of users (54 at least) are already using our enterprise domain for personal Apple IDs.

    Is it possible to do some tests with User Enrolment without having the Federation between ABM and Azure working?

    Thank you so much

    Best regards

  7. Hi, I managed to move forward without the federation between ABM and Azure, but in the end I don’t see any data separation between personal and corporate?

    Any ideas on what it could be?

    Thank you so much

  8. Wiping a device … a little off topic, but a device is company-owned and is assigned directly to certain users; they pick up and quit, so how do we wipe the unit? I sent a wipe and it doesn’t wipe the device. The device is on LTE currently and therefore I thought this would work.

  9. Great article. Coming from a school environment where our younger students never had to use the App Store and therefore have not needed Apple IDs in order to enroll their BYOD devices, is this the only way for a BYOD device to be user enrolled? (By downloading the Company Portal app and then logging in and enrolling.)

  10. Hi Peter,
    I followed the instructions in the article as I have about 10 personal iPhones that need to be enrolled in Intune, but when I try to sign in to the Company Portal on the iPhone, it just logs in successfully and doesn’t show the setup page.
    I tried different iPhones and different users; the issue is still the same.
    iPhone version is iOS 15.0.
    Any clue to resolve this issue?

  11. Hi Peter,

    I am not able to see my device information such as serial number in the Microsoft Endpoint Manager portal. However, after device enrollment, I can see it.
    Is it something related to this user enrollment?
