Getting started with User Enrollment for iOS/iPadOS devices

This week is all about the User Enrollment option that was introduced with iOS 13 and iPadOS 13.1 and that is currently available as preview functionality in Microsoft Intune. User Enrollment feels similar to what can already be achieved on Android devices with Work Profiles: a separation between personal data and company data. In this post I’ll start with a short introduction about User Enrollment, followed by the steps to create an enrollment profile that will facilitate the User Enrollment. I’ll end this post by showing the end-user experience during the enrollment and after the enrollment.

Introduction to User Enrollment

User Enrollment is created and designed by Apple to facilitate an enrollment and management scenario for Bring Your Own Devices (BYOD). That enrollment and management scenario requires Managed Apple IDs. Those Managed Apple IDs are used to create an additional user identity on the device and can live perfectly alongside personal Apple IDs. Actually that’s the main idea. User Enrollment can be compared to the Work Profile for Android devices. It creates a clear separation between personal and company data. During the enrollment a separate volume is created on the device that contains managed versions of Apps, Notes, Calendar attachments, Mail attachments and Keychain.

User Enrollment also impacts the apps that can be deployed to users. The managed parts on the device are related to the Managed Apple ID and not to the personal Apple ID that is connected to the store. That means that an IT administrator must rely on Apple Volume Purchase Program (VPP) with user licenses for the distribution and licensing of store apps when working with User Enrollment. Besides that, by using Microsoft Intune it’s also possible to assign weblinks and line-of-business apps.

When looking from a management perspective, Microsoft Intune can be used to manage everything related to the Managed Apple ID and nothing related to the personal Apple ID. Also, after enrollment, an administrator can only use Microsoft Intune to retire the device and not to wipe the device. When looking from an enrollment perspective, Microsoft Intune contains a new enrollment type that can be used to facilitate User Enrollment. That profile provides the following options:

  • User enrollment: This option will use User Enrollment for all the assigned users. That means that only work-related apps and data will be secured and that the device will be marked as personally-owned.
  • Device enrollment: This option will use Device Enrollment for all the assigned users. That means that the whole device will be managed and that the device will be marked as company-owned.
  • Determine based on user choice: This option will provide the assigned users with a choice. Users must choose between I own this device and {company} owns this device. When they choose the latter option, the device will be enrolled using device enrollment, and when they choose the first option they’re provided with another choice. Users must then choose between Secure entire device and Secure work-related apps and data only. With both options, the device will still be marked as personal, but the level of management will differ. For an overview of these choices, see also Figure 3.

Create an enrollment type profile for iOS/iPadOS

The User Enrollment can be facilitated by using an enrollment type profile. That enrollment type profile contains the configuration of the enrollment type for the assigned users. The following six steps walk through the process of creating and assigning an enrollment type profile for iOS and iPadOS devices.

Important: Keep in mind that User Enrollment requires the use of Managed Apple IDs.

Note: The best user experience is provided by using provisioning and federated authentication for Managed Apple IDs, by using Azure AD. More information regarding that subject can be found in my previous post.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment types to open the Enrollment type profiles blade
  2. On the Enrollment type profiles blade, click Create profile > iOS/iPadOS to open the Create enrollment type profile wizard
  3. On the Basics page, provide the following information and click Next
  • Name: Provide a valid name for the enrollment type profile
  • Description: (Optional) Provide a description for the enrollment type profile
  4. On the Settings page, select one of the earlier explained enrollment types (for an overview see Figure 1 below) and click Next

Note: For showing the end-user experience options, I’m using Determine based on user choice.

  5. On the Assignments page, configure the assignment of the profile and click Next

Important: The assignment must be a user group, as this feature is based on user identities.

  6. On the Review + create page, verify the configuration and click Create (for the result see Figure 2 below)

Note: Enrollment type profiles are created with a priority. The administrator can adjust the priority, and the profile with the highest priority will be applied to the enrollment.

End-user experience when enrolling a personal iOS device

The best method to have a look at the end-user experience is by enrolling a personal iOS device. In the following example that will be an iPhone 8. The 15 steps below walk through enrolling that iPhone 8 by relying on User Enrollment. Those steps also include a few useful notes and some screenshots from where the enrollment differs from the “normal” device enrollment for personal iOS devices.

  1. Download and install the Company Portal app
  2. Open the Company Portal app and sign in using a work or school account
  3. On the Set up {company} access page, tap Begin
  4. On the Select device and enrollment type page, select I own this device and select Secure work-related apps and data only (as shown in Figure 3) and tap Continue

Note: Selecting {company} owns this device will result in a company-owned device and selecting I own this device will result in a personally-owned device.

  5. Back on the Set up {company} access page, tap Continue
  6. On the Device management and your privacy page, review the information and tap Continue
  7. Back on the Set up {company} access page, tap Continue
  8. On the This website is trying to download a configuration profile. Do you want to continue? dialog box, tap Allow
  9. On the Profile Download dialog box, tap Close
  10. Open the Settings app (as shown in Figure 4) and tap on Enrol in {company}
  11. On the User Enrollment page, review the information (as shown in Figure 5) and tap Enrol My iPhone
  12. On the Enter iPhone Passcode To Install Profile page, provide the passcode of your iPhone
  13. On the Apple ID for {company} page, tap Continue and sign in with your Managed Apple ID
  14. Back in the Company Portal app, tap Continue now
  15. Back on the Set up {company} access (now renamed to You’re all set!) page, tap Done

Once the enrollment is successfully completed, there are still some interesting places to look to verify a successful enrollment. The first place to look is, of course, the Company Portal app. That app shows information regarding the enrollment and the ownership of the device. The ownership is set to Personal (as shown in Figure 6). Besides that, this enrollment model also separates personal and business data. That separation is clearly shown in apps like Reminders (see Figure 7) and Notes (see Figure 8).

More information

For more information about the user enrollment for iPhone and iPad devices, refer to the following docs.

48 thoughts on “Getting started with User Enrollment for iOS/iPadOS devices”

  1. Hi Peter,

    Thanks for sharing this! I have a question regarding Figure 3: if I were to apply the exact same configuration as you did and would set up a brand new ADE device, would that automatically be excluded from this process? Since it is clearly a company device, the user shouldn’t be getting the option to choose, right?

    Kind regards, Julio
    • Hi Julio,
      User Enrollment is mainly for personally-owned devices, which is what I’ve shown in this post. The device management option that you see in Figure 3 is – in my opinion – only for company-owned devices that require a manual enrollment. That means devices that are not enrolling via ADE. When using ADE, this is not applicable.
      Regards, Peter
  2. Other than the need to use Managed Apple IDs, how does managing personal devices with User Enrollment compare with managing them through MAM policies? Why would I choose one over the other?
  3. Hi Peter, interesting presentation yesterday!

    What’s the difference between “Secure entire device” and “Secure work-related apps and data only” when it comes to pushing apps, does that even work in both scenarios? And what about Configuration Policies, do they work in either one of the scenarios?

    Last one, in this blog, you picked “Determine based on user choice”, does the user still see “Secure entire device” and “Secure work-related apps and data only” during enrollment?
    • Thank you Jordi!
      You should still be able to push apps, and the policy describes which settings are available for which scenario. In my blog I deliberately chose that the user can pick. That provides the user with the choice. Either of the other options would force a specific enrollment and would take the choice away from the UI.
      Regards, Peter
  4. So if I understand correctly, only Apple services get data separation. We cannot have a work Outlook and a personal Outlook like Android for Work?
  5. Thank you for this article. It was very helpful. I’m looking at deploying User Enrollment with Intune for MDM and using MAM policies. Has anyone else deployed this configuration? We have 100% BYOD iOS devices.

    We just completed Apple Business Manager enrollment. Apple support will ask who owns the devices. I told them all devices are BYOD. They gave me a hard time, saying ABM was for company-owned devices. They must not be up to date on User Enrollment. I guess they haven’t seen this Apple documentation. They did finally approve our ABM account.

    https://support.apple.com/guide/deployment-reference-ios/user-enrollment-apdeb00576b2/web
  6. Hi Peter,

    Thank you so much for the valuable information about this. I can’t find decent documentation from Microsoft about this.

    We are trying to implement BYOD in our company and I followed the steps, but I have some doubts.

    I understand that we need Managed Apple IDs for User Enrolment, but do they need to be created with ABM Federation?

    I ask this because I followed your other post about how to configure the ABM federation with Azure, but I found a big issue … a lot of users (54 at least) are already using our enterprise domain for personal Apple IDs.

    Is it possible to make some tests with User Enrolment without having the Federation between ABM and Azure working?

    Thank you so much

    Best regards
  7. Hi, I managed to move forward without the federation between ABM and Azure, but in the end I don’t see any data separation between personal and corporate?

    Any ideas on what it could be?

    Thank you so much
  8. Wiping a device … a little off topic, but a device is company-owned and assigned directly to certain users; they pick up and quit, how do we wipe the unit? I sent a wipe and it doesn’t wipe the device. The device is on LTE currently and therefore I thought this would work.
  9. Great article. Coming from a school environment where our younger students never had to use the App Store and therefore have not needed Apple IDs in order to enroll their BYOD devices, is this the only way for a BYOD device to be user enrolled? (By downloading the Company Portal app and then logging in and enrolling.)
  10. Hi Peter,
    I followed the instructions in the article, as I have about 10 personal iPhones that I need to enroll in Intune, but when I try to sign in to the Company Portal on the iPhone, it just logs in successfully and doesn’t show the setup page.
    I tried different iPhones and different users; the issue is still the same.
    The iPhone version is iOS 15.0.
    Any clue to resolve this issue?
  11. Hi Peter,

    I am not able to see my device information, such as the serial number, in the Microsoft Endpoint Manager portal. However, after device enrollment, I can see it.
    Is it something related to this user enrollment?
  12. Hello,
    Thank you for taking the time to share all this information, it is really difficult to find useful help for iOS devices.

    In terms of the “user experience”, I tried reading your scenario as if I were a user and I stumbled upon this:
    “sign in with your Managed Apple ID”

    What does that mean? As a user, I do not recall having a “managed Apple ID”, even less having a password for it…
    How would I successfully pass that step? Will the company administrator give me a password for this account to enter during the enrollment?

    Thank you for your time again,
  13. Do we believe MDM User Enrollment can totally replace MAM? I have created a restriction policy to be used in the MDM User Enrollment scenario and blocked the “Copy and paste…” from a managed to an unmanaged app, however that restriction didn’t apply. It works fine in the MAM scenario. Regards, Cata
  14. Hi Peter,

    Great work as usual.

    In terms of assigning apps and device configuration policies, would you target these at the device or the user in this instance? Normally we would use a dynamic device group to target apps and policies based on the enrolment profile used. User-enrolled devices just seem to use the default enrolment profile and not the “user enrolment” profile type.
  15. Hi Peter… this article helped me a lot, thanks for sharing!

    If I may, two questions: right now we’re already using Android Enterprise and the Work Profile for BYOD devices; of course we want to allow iOS devices as well, hence reading this article. Am I correct in understanding that with User Enrollment on a private iPad there’s separation in storage but not in apps, like in Android where we have, for example, two versions of Outlook running side by side: one personal and one from the Work Profile container? I’m testing this with my personal iPad, which is now “AAD registered”, and I could set up my work e-mail in the Outlook app. So basically User Enrollment allows access (if blocked by Conditional Access) and that’s it. Or am I missing something here?

    Second question: trying to present or even push apps to personally owned, user-enrolled devices, like my iPad in this example, I made MS Teams available for my groups. When I open Company Portal, for a split second I see an overview of those recently added apps (search bar on top, recently published apps, categories), but in the blink of an eye that page is gone and it only shows “Hello… no apps available.” and how many devices I have registered. And there is no way for me to return to the page I saw. What’s going on there? We have ABM set up with all the things, federated domain accounts, VPP tokens, and all this is synced and working fine apparently. Is it even possible on a personal, user-enrolled device to push an app after AAD registration is completed?

    Any hint much appreciated, if not no worries we’ll figure it out. Apple stuff just new to us.
    • Hi Andreas,
      You’re correct. You can’t compare managing Android with iOS. Android has the separation on a profile-level, which creates the experience of two separate apps. iOS, however, has the separation on a data-level. That allows the user to use a single app with a separate location for the data (see also the example screenshots).
      Regards, Peter
      • Hmkay, yes, it’s just a knot in my head to get the concept right, like how the feature looks in the end. Thanks. Bummer though, I really enjoy the Android profile-container feature.
  16. Personally owned device selected during enrollment and Secure work-related apps and data only does NOT allow automated install of apps (doesn’t matter if VPP or iOS App Store, i.e. Outlook, Office, Edge, Teams). However, if personally owned device and Secure entire device are selected, then apps are successfully pushed to the device.
    The issue with this: a company or org should not have the ability to wipe the entire phone for BYOD devices. This ability appears when personally owned and Secure entire device are selected. But this is the only way to get apps auto-deployed to iOS devices.
    Do you see this as “by design” or a “bug”? Have you tested this scenario?
      • Deploying apps via VPP licensing is possible, but if the user has the app already installed via the Apple App Store, that app stays unmanaged; there is no “converting” to managed.

        Sample: A user installs Outlook mobile on a private device; a CA rule blocks the connection, so the user has to register the device. The user registers the device with user enrollment and, voilà, the already installed (unmanaged) Outlook is able to use the corporate account (no CA blocking, the device is registered now). In this case the planned VPP-based installation of Outlook via Intune is waiting and will not be finished.

        This is a huge problem, mailbox-content can be shared with any app. Is there a solution for this behavior?
          • With app protection only a limited set of restrictions is available; we want to establish a “real” management of BYOD devices. As far as I can see, I cannot block the usage of a personally installed app with app protection policies (right?); the management of company apps and data needs to be done via MDM inside the “corporate” area.
