Getting started with web-based device enrollment for iOS devices

This week is all about a new enrollment feature for iOS/iPadOS devices: web-based device enrollment. Web-based device enrollment is now one of the two device enrollment methods available for personal iOS/iPadOS devices. The other method is the already existing device enrollment with the Company Portal app. The main differentiator of web-based device enrollment is that it provides a faster and more user-friendly enrollment experience. It is no longer required to first download the Company Portal app. Instead, the user can simply go to the Company Portal website, or start the new enrollment experience via an app that requires a compliant device. That is more user-friendly and accessible via the user's favorite browser. Besides that, web-based device enrollment can be used in combination with Just-In-Time (JIT) registration, to reduce the number of times users have to sign in, both during the enrollment and when accessing apps. This post walks through the advised configurations to fully utilize the potential of web-based device enrollment for iOS devices. That starts with the configuration of JIT, followed by the configuration of web-based device enrollment and the distribution of the Company Portal website. It all ends with the user experience.

Note: It’s strongly advised to at least distribute the Company Portal app as a web clip, to provide the user with easy access to the device (compliance) status and company status.

Configuring just-in-time registration

When looking at the best user experience, the configuration of web-based device enrollment starts with JIT. JIT greatly enhances the user experience, especially after the enrollment of the device, as it reduces the authentication prompts during the session and establishes single sign-on (SSO) across all supported (and configured) apps. Besides that, it also provides the technical functionality to fully integrate compliance checks within Microsoft apps (and non-Microsoft apps configured with the Apple SSO extension). To provide all that functionality, JIT utilizes the Apple SSO extension. To configure JIT registration, a Device features profile can be used. The following eight steps walk through the minimal required configuration.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > iOS/iPadOS > Configuration profiles
  2. On the iOS/iPadOS | Configuration profiles blade, click Create profile
  3. On the Create a profile blade, provide the following information and click Create
  • Platform: Select iOS/iPadOS to create a profile for iOS and iPadOS devices
  • Profile type: Select Templates > Device features to configure the required setting
  4. On the Basics page, provide the following information and click Next
  • Name: Provide a name for the profile to distinguish it from other similar profiles
  • Description: (Optional) Provide a description for the profile to further differentiate profiles
  • Platform: (Greyed out) iOS/iPadOS
  • Profile type: (Greyed out) Device features
  5. On the Configuration settings page, as shown below in Figure 1, perform at least the following actions and click Next
  • Navigate to Single sign-on app extension and configure the following settings
    • With SSO app extension type select Microsoft Entra ID as type
    • With Additional configuration add at least the following key-value pairs
      • Configure browser_sso_interaction_enabled as key, of the Integer type, with the value 1, to enable SSO within Safari
      • Configure device_registration as key, of the String type, with the value {{DEVICEREGISTRATION}}, to facilitate JIT
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the assignment and click Next
  8. On the Review + create page, verify the configuration and click Create

Note: This is the same configuration that can also be used for the Account driven user enrollment for personal devices and the Setup Assistant with modern authentication enrollment for company devices.
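The two key-value pairs in step 5 are easy to get wrong (the Integer/String type matters as much as the value), and a tenant often ends up with several Device features profiles over time. The script below is an added example, not code from the original post or from Microsoft: it builds the minimal SSO app extension configuration with those two pairs and audits an exported profile for them. The required keys, types and values are the ones from the post; the Graph @odata.type names (iosDeviceFeaturesConfiguration, iosAzureAdSingleSignOnExtension, keyIntegerValuePair, keyStringValuePair) are an assumption about the beta Microsoft Graph schema used when profiles are exported, and the exported profile shown is a constructed sample with deliberate mistakes.

```python
"""Build and audit the JIT registration keys of an Intune Device features profile.

Added example, not from the original post. Required pairs come from the post;
the Graph @odata.type names are an assumption about the beta Graph schema.
"""
import json

# Minimal "Additional configuration" from the post: key -> (type, expected value)
REQUIRED_JIT_PAIRS = {
    "browser_sso_interaction_enabled": ("integer", 1),
    "device_registration": ("string", "{{DEVICEREGISTRATION}}"),
}

# Assumed Graph type per value type (keyTypedValuePair subtypes)
ODATA_TYPE_FOR = {
    "integer": "#microsoft.graph.keyIntegerValuePair",
    "string": "#microsoft.graph.keyStringValuePair",
}
ENTRA_SSO_EXTENSION = "#microsoft.graph.iosAzureAdSingleSignOnExtension"  # assumed


def build_sso_extension():
    """Return the singleSignOnExtension object carrying the minimal JIT pairs."""
    return {
        "@odata.type": ENTRA_SSO_EXTENSION,
        "configurations": [
            {"@odata.type": ODATA_TYPE_FOR[kind], "key": key, "value": value}
            for key, (kind, value) in REQUIRED_JIT_PAIRS.items()
        ],
    }


def audit_sso_extension(extension):
    """Return a list of findings; an empty list means both JIT pairs are correct."""
    findings = []
    if extension.get("@odata.type") != ENTRA_SSO_EXTENSION:
        findings.append("SSO app extension type is not Microsoft Entra ID")
    pairs = {p.get("key"): p for p in extension.get("configurations", [])}
    for key, (kind, expected) in REQUIRED_JIT_PAIRS.items():
        pair = pairs.get(key)
        if pair is None:
            findings.append(f"missing key {key}")
            continue
        if pair.get("@odata.type") != ODATA_TYPE_FOR[kind]:
            findings.append(f"{key} has the wrong type; expected {kind}")
        if pair.get("value") != expected:
            findings.append(f"{key} has value {pair.get('value')!r}; expected {expected!r}")
    return findings


def audit_profile(profile):
    """Audit a whole exported Device features profile (dict) for the JIT pairs."""
    return audit_sso_extension(profile.get("singleSignOnExtension", {}))


# Constructed sample of an exported profile with two mistakes: the Safari SSO key
# was added as a String instead of an Integer, and device_registration is missing.
SAMPLE_EXPORTED_PROFILE = json.loads("""{
  "@odata.type": "#microsoft.graph.iosDeviceFeaturesConfiguration",
  "displayName": "iOS - SSO extension (constructed sample)",
  "singleSignOnExtension": {
    "@odata.type": "#microsoft.graph.iosAzureAdSingleSignOnExtension",
    "configurations": [
      {"@odata.type": "#microsoft.graph.keyStringValuePair",
       "key": "browser_sso_interaction_enabled", "value": "1"}
    ]
  }
}""")


if __name__ == "__main__":
    print(json.dumps(build_sso_extension(), indent=2))
    for finding in audit_profile(SAMPLE_EXPORTED_PROFILE):
        print("finding:", finding)
```

Running the audit against the constructed sample reports three findings (wrong type and wrong value for browser_sso_interaction_enabled, and the missing device_registration key), while the object returned by build_sso_extension passes cleanly. In practice the profile dict would come from an export of the tenant's Device features profiles rather than the embedded sample.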

Configuring web-based device enrollment profile

When looking at the web-based device enrollment functionality itself, it all starts with the enrollment profile. That enrollment profile triggers the right enrollment experience on the device and allows the usage of Safari for the enrollment. The following six steps walk through the creation of that enrollment profile.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment types
  2. On the Enrollment type profiles blade, click Create profile > iOS/iPadOS
  3. On the Basics page, provide a valid name to distinguish it from other similar profiles and click Next
  4. On the Settings page, as shown below in Figure 2, select Web based device enrollment as enrollment type and click Next
  5. On the Assignments page, configure the assignment and click Next
  6. On the Review + create page, verify the configuration and click Create

Note: When multiple enrollment profiles are available, use the priority to determine the order of those profiles.

Distributing Company Portal website

As users no longer need to have the Company Portal app, it is strongly advised to at least provide them with a link to the Company Portal website. That gives those users a relatively easy method for accessing available apps and for looking at the device status. The easiest method to achieve that is by pushing a web clip to those users, using the following six steps.

  1. Open the Microsoft Intune admin center portal and navigate to Apps > iOS/iPadOS
  2. On the iOS/iPadOS | iOS/iPadOS apps blade, click Add > iOS/iPadOS web clip
  3. On the App information page, as shown below in Figure 3, provide at least the following information and click Next
  • Name: Provide a unique name for the web clip to distinguish it from other apps
  • Description: Provide a description for the app to describe the purpose of the web clip
  • Publisher: Provide the publisher of the web clip
  • App URL: Specify https://portal.manage.microsoft.com/ as the address for the web clip
  4. On the Scope tags page, configure the required scope tags and click Next
  5. On the Assignments page, configure the assignment and click Next
  6. On the Review + create page, verify the configuration and click Create

Note: For better visibility, and fewer support calls, it is also strongly advised to configure an icon for the web clip.

Experiencing web-based device enrollment

When the different configurations are in place, it is relatively easy to experience the web-based device enrollment. Before starting, however, it is strongly advised to first install the Microsoft Authenticator app. The web-based device enrollment experience can be triggered by directly navigating to the URL, or by signing in to an app that requires device management. Either way, the user will end up in the browser with the steps to set up the device (as shown below in Figure 4). Scroll down a bit and click Get started. That brings the user to the next page, explaining the management profile installation (as shown below in Figure 5). The user can simply click Allow and go to the Settings app to install the management profile. Once the management profile is installed, the device will eventually show up in the Company Portal website as a managed and compliant device. Also, when now starting the Teams app, for example, for the first time, it will show an additional screen about checking the device.

Note: At the moment of writing, the enrollment flow in the Company Portal website still redirects to the Company Portal app. To trigger the web-based device enrollment flow, the direct URL can be used.

More information

For more information about web-based device enrollment for iOS devices, refer to the following docs.

6 thoughts on “Getting started with web-based device enrollment for iOS devices”

  1. Where does the Microsoft Authenticator app come into play with this enrollment method? Is it required for web-based enrollment to work?

