When it comes to managing iOS and iPadOS devices within the organization, Microsoft Intune (aka Microsoft Endpoint Manager) has the capability to manage these devices via Mobile Device Management (MDM). This allows the operating system (OS) to be managed, fully customizing the device to the organization’s requirements.
For Apple iOS/iPadOS devices specifically (excluding Mac and Apple TV, although those can be managed too), there are two methods that can be used to manage them:
- Intune MDM. Through device configuration profiles, Intune can manage settings within the OS, push apps, ensure device compliance is met, remote wipe all data or just business data, etc. The device is typically enrolled by downloading the Company Portal app and the user self-enrolls.
- The device can be managed through Apple’s deployment programs (formerly known as the Device Enrollment Program (DEP)): Apple School Manager or Apple Business Manager, which allows it to be “supervised“. This enables additional functionality like GPS tracking when the device is entered into “lost mode”, among other (really cool) managed features. For more information see Deployment Reference for iPhone and iPad
IMPORTANT: MDM and Apple Deployment Programs can be combined to provide even greater management of a device, and even to fully automate the provisioning of a device in a “Zero Touch” approach. For more information see Deployment Models. However, I need to stress that the majority of scenarios can be accomplished through just normal MDM enrollment. Review your business requirements to determine which path to go down.
Note: For purposes of this blog, we will only be discussing Intune MDM enrollment for iOS/iPadOS. As much as I would love to show you DEP and Supervision – and even Zero Touch, I don’t have the means necessary to lab this up (it requires a company’s DUN, TaxID and Purchase Order to complete the process with Apple to obtain a business account).
See my blog Intune: How to MDM Enroll Android Devices (Personal w/ Work Profile) for how to MDM manage Android devices.
Setup Intune for Apple Device Enrollment & Management
To allow for Apple devices to be enrolled, we need to configure Intune so that it can properly manage an Apple device. Before we begin I recommend you review this documentation so you have a good understanding of what this entails. Let’s walk through it together.
Configure Apple MDM Push Certificate
This starts with setting up the Apple MDM Push Certificate. Within MEM navigate to Devices -> Enroll Devices -> Apple Enrollment and click on Apple MDM Push Certificate:
I have already performed this step in my lab. Simply follow the 5 steps in the wizard to set up the certificate.
IMPORTANT: You do not need a Certificate Authority or worry about creating a certificate. This is a special certificate that Apple will generate for you. Simply download the Certificate Signing Request from the portal, upload it to the Apple tool and then download the certificate.
Once the certificate has been uploaded, you are ready to start managing Apple devices! Note, the other methods we called out using Apple Device Enrollment Program and Apple Configurator can also be set up on this screen – but for purposes of this blog we will not go into those.
MDM Enroll the Device using Company Portal
Now it’s time to start the MDM enrollment process. For this blog, we will use the Company Portal app to “self enroll”, meaning the end-user will download the Company Portal app from the Apple App Store and will manually enroll the device into Intune MDM.
1. From the Home Screen, launch the App Store app:
2. Download the Company Portal app from the App Store:
3. Launch the Company Portal app:
4. Sign in with your Azure AD credentials
5. Once signed in, you will be presented with the steps required to complete enrollment, tap Begin.
6. At the Device management and your privacy screen, carefully review what the employer can see and not see on a device, and tap Continue
7. Tap Continue on the Setup Contoso Access screen:
8. Tap Allow on the dialog box This website is trying to download a configuration profile. Do you want to allow this?
9. Tap Close on the dialog box Profile Downloaded: Review the profile in Settings app if you want to install it.
Note: This downloaded the MDM profile from Intune; the following steps install that profile on the device.
10. Tap Continue Now on the Download management profile screen
11. On the Setup Contoso access screen, tap Continue
12. On the How to install Management Profile screen, go to the Home Screen on the device.
13. On the home screen, tap Settings
14. Within Settings tap General
15. Tap Profile
16. Tap Management Profile
17. Tap Install
18. Enter your device’s passcode
19. Tap Install to install the profile
20. On Warning tap Install
21. On Remote Management dialog box tap Trust
22. On Profile Installed tap Done
23. Go back to the Company Portal app and on the Allow “Comp Portal” to use your location? dialog box tap Allow while using app
24. At this point the device is now enrolled into Intune MDM, and if there are any apps that are required to be installed – they will start to be pushed down. (note, we have not configured those yet in this blog)
25. On Set up Contoso access tap Continue
26. Intune will now check to see if the device adheres to any compliance policies (note, we have not configured those yet in this blog)
27. From here you can navigate the Company Portal app and see apps that are available for download:
28. Tapping on Devices at the bottom of the screen shows all devices under MDM management for the user:
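Two things an administrator will want to verify from the server side after the walkthrough above: that the Apple MDM Push Certificate configured earlier is not close to expiring (if it lapses, Intune loses contact with every enrolled Apple device and they must be re-enrolled), and that the device that just went through Company Portal shows up as enrolled with the expected compliance state. The script below is an added example, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and assumes you hold an Intune administrator role that can consent to the two read-only scopes named in the code. The 30-day thresholds are assumptions you can tune.

```powershell
# Added example (not from the original post): audit the Apple MDM push certificate
# and the iOS/iPadOS devices enrolled in Intune MDM, via Microsoft Graph v1.0.
# Assumes: Microsoft.Graph module installed, an account with an Intune admin role.
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All", "DeviceManagementManagedDevices.Read.All"

# 1. Apple MDM Push (APNs) certificate: issued by Apple for one year.
$apns = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate"
$expires  = [datetime]$apns.expirationDateTime
$daysLeft = [int]($expires - (Get-Date)).TotalDays
Write-Host ("APNs certificate for {0} (topic {1}) expires {2:yyyy-MM-dd}, {3} days left" -f `
    $apns.appleIdentifier, $apns.topicIdentifier, $expires, $daysLeft)
if ($daysLeft -lt 30) {
    # Renewing with a different Apple ID produces a new topic and breaks existing enrollments.
    Write-Warning "Renew the Apple MDM push certificate soon, using the same Apple ID it was created with."
}

# 2. Enumerate iOS/iPadOS devices (iPadOS devices are reported with operatingSystem 'iOS' too),
#    following @odata.nextLink so large tenants are fully paged.
$devices = @()
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=operatingSystem eq 'iOS'"
do {
    $page     = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri      = $page.'@odata.nextLink'
} while ($uri)

$report = $devices | ForEach-Object {
    [pscustomobject]@{
        DeviceName     = $_.deviceName
        User           = $_.userPrincipalName
        OSVersion      = $_.osVersion
        EnrollmentType = $_.deviceEnrollmentType   # userEnrollment = Company Portal self-enroll; appleBulkWithUser = DEP
        Supervised     = $_.isSupervised           # only DEP / Configurator-enrolled devices are supervised
        Compliance     = $_.complianceState        # compliant, noncompliant, inGracePeriod, unknown, ...
        LastSync       = [datetime]$_.lastSyncDateTime
        Enrolled       = [datetime]$_.enrolledDateTime
    }
}
$report | Sort-Object LastSync | Format-Table -AutoSize

# 3. Devices that have stopped checking in, or are not compliant, are the ones to follow up on:
#    a stale device still holds company data but no longer receives policy or wipe commands.
$followUp = $report | Where-Object { $_.LastSync -lt (Get-Date).AddDays(-30) -or $_.Compliance -ne 'compliant' }
if ($followUp) {
    Write-Warning ("{0} device(s) stale or non-compliant:" -f @($followUp).Count)
    $followUp | Format-Table DeviceName, User, Compliance, LastSync -AutoSize
}
```

Run it right after completing the enrollment steps and the new device should appear with EnrollmentType userEnrollment and Supervised false, which is exactly what self-enrollment through Company Portal gives you; the Supervised column is the quickest way to tell DEP-enrolled devices apart from MDM-only ones when you later decide which path your organization needs.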
Here is a PowerPoint or “Click Thru” deck of these screenshots, feel free to download and reuse.