Getting started with User Enrollment for iOS/iPadOS devices

Source: https://www.petervanderwoude.nl/post/getting-started-with-user-enrollment-for-ios-ipados-devices/?shared=email&msg=fail

February 8, 2021 by Peter van der Woude

This week is all about the User Enrollment option that was introduced with iOS 13 and iPadOS 13.1 and that is currently available as preview functionality in Microsoft Intune. User Enrollment feels similar to what can already be achieved on Android devices with Work Profiles: a separation between personal data and company data. In this post I’ll start with a short introduction to User Enrollment, followed by the steps to create an enrollment profile that will facilitate the User Enrollment. I’ll end this post by showing the end-user experience during the enrollment and after the enrollment.

Introduction to User Enrollment

User Enrollment is created and designed by Apple to facilitate an enrollment and management scenario for Bring Your Own Devices (BYOD). That enrollment and management scenario requires Managed Apple IDs. Those Managed Apple IDs are used to create an additional user identity on the device and can live perfectly alongside personal Apple IDs. Actually that’s the main idea. User Enrollment can be compared to the Work Profile for Android devices. It creates a clear separation between personal and company data. During the enrollment a separate volume is created on the device that contains managed versions of Apps, Notes, Calendar attachments, Mail attachments and Keychain.

User Enrollment also impacts the apps that can be deployed to users. The managed parts on the device are related to the Managed Apple ID and not to the personal Apple ID that is connected to the store. That means that an IT administrator must rely on Apple Volume Purchase Program (VPP) with user licenses for the distribution and licensing of store apps when working with User Enrollment. Besides that, by using Microsoft Intune it’s also possible to assign weblinks and line-of-business apps.

When looking from a management perspective, Microsoft Intune can be used to manage everything related to the Managed Apple ID and nothing related to the personal Apple ID. Also, after enrollment, an administrator can only use Microsoft Intune to retire the device and not to wipe the device. When looking from an enrollment perspective, Microsoft Intune contains a new enrollment type profile that can be used to facilitate User Enrollment. That profile provides the following options:

  • User enrollment: This option will use User Enrollment for all the assigned users. That means that only work-related apps and data will be secured and that the device will be marked as personally-owned.
  • Device enrollment: This option will use Device Enrollment for all the assigned users. That means that the whole device will be managed and that the device will be marked as company-owned.
  • Determine based on user choice: This option will provide the assigned users with a choice. Users must choose between I own this device and {company} owns this device. When they choose the latter option, the device will be enrolled using device enrollment, and when they choose the first option they’re provided another choice. Users must then choose between Secure entire device and Secure work-related apps and data only. With both options, the device will still be marked as personal, but the level of management will differ. For an overview of these choices, see also Figure 3.

Create an enrollment type profile for iOS/iPadOS

The User Enrollment can be facilitated by using an enrollment type profile. That enrollment type profile contains the configuration of the enrollment type for the assigned users. The following six steps walk through the process of creating and assigning an enrollment type profile for iOS and iPadOS devices.

Important: Keep in mind that User Enrollment requires the use of Managed Apple IDs.

Note: The best user experience is provided by using provisioning and federated authentication for Managed Apple IDs, by using Azure AD. More information regarding that subject can be found in my previous post.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment types to open the Enrollment type profiles blade
  2. On the Enrollment type profiles blade, click Create profile > iOS/iPadOS to open the Create enrollment type profile wizard
  3. On the Basics page, provide the following information and click Next
  • Name: Provide a valid name for the enrollment type profile
  • Description: (Optional) Provide a description for the enrollment type profile
  4. On the Settings page, select one of the earlier explained enrollment types (for an overview see Figure 1 below) and click Next
  • Figure 1: Enrollment type options

Note: For showing the end-user experience options, I’m using Determine based on user choice.

  5. On the Assignments page, configure the assignment of the profile and click Next

Important: The assignment must be a user group, as this feature is based on user identities.

  6. On the Review + create page, verify the configuration and click Create (for the result see Figure 2 below)
  • Figure 2: Enrollment type profiles overview

Note: Enrollment type profiles are created with a priority. The administrator can adjust the priority and the profile with the highest priority will be applicable to the enrollment.
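To make the selection rules from the two sections above concrete (profiles are assigned to user groups, the highest-priority applicable profile wins, the three enrollment type options and the user choices map to an enrollment mode and an ownership flag, and User Enrollment needs a Managed Apple ID), here is a small Python model of that decision logic. It is an added illustration, not Microsoft Intune's own code or API; the profile names, group names and users are constructed, and it assumes, as the admin center displays it, that priority 1 is the highest priority.

```python
"""Model of how an iOS/iPadOS enrollment type profile is resolved for a user.

Constructed illustration of the rules described in the post; not Intune code.
Assumptions: profiles are assigned to user groups, a lower priority number is
a higher priority (1 wins), and "Secure entire device" on a personal device
results in device enrollment with personal ownership.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EnrollmentTypeProfile:
    name: str
    enrollment_type: str          # "user", "device" or "user_choice"
    priority: int                 # assumption: 1 = highest priority
    assigned_user_groups: frozenset


@dataclass(frozen=True)
class User:
    upn: str
    groups: frozenset             # Azure AD group memberships (constructed)
    has_managed_apple_id: bool    # User Enrollment requires a Managed Apple ID


@dataclass(frozen=True)
class EnrollmentOutcome:
    enrollment: str               # "User Enrollment" or "Device Enrollment"
    ownership: str                # "Personal" or "Corporate"
    scope: str                    # what Intune ends up managing


USER_ENROLLMENT = EnrollmentOutcome("User Enrollment", "Personal", "work-related apps and data only")
DEVICE_ENROLLMENT_CORPORATE = EnrollmentOutcome("Device Enrollment", "Corporate", "entire device")
DEVICE_ENROLLMENT_PERSONAL = EnrollmentOutcome("Device Enrollment", "Personal", "entire device")


def applicable_profile(user, profiles):
    """Return the highest-priority profile assigned to one of the user's groups, or None."""
    candidates = [p for p in profiles if p.assigned_user_groups & user.groups]
    if not candidates:
        return None
    return min(candidates, key=lambda p: p.priority)


def resolve_outcome(profile, owns_device=None, secure_entire_device=None):
    """Map the profile's enrollment type (and the user's answers, if asked) to an outcome."""
    if profile.enrollment_type == "user":
        return USER_ENROLLMENT
    if profile.enrollment_type == "device":
        return DEVICE_ENROLLMENT_CORPORATE
    if profile.enrollment_type == "user_choice":
        if owns_device is None:
            raise ValueError("user must choose 'I own this device' or '{company} owns this device'")
        if not owns_device:
            return DEVICE_ENROLLMENT_CORPORATE
        if secure_entire_device is None:
            raise ValueError("user must choose 'Secure entire device' or 'Secure work-related apps and data only'")
        return DEVICE_ENROLLMENT_PERSONAL if secure_entire_device else USER_ENROLLMENT
    raise ValueError(f"unknown enrollment type {profile.enrollment_type!r}")


def enroll(user, profiles, owns_device=None, secure_entire_device=None):
    """Full flow: pick the profile, apply the user's choices, check the Managed Apple ID prerequisite."""
    profile = applicable_profile(user, profiles)
    if profile is None:
        raise LookupError(f"{user.upn}: no enrollment type profile assigned")
    outcome = resolve_outcome(profile, owns_device, secure_entire_device)
    if outcome.enrollment == "User Enrollment" and not user.has_managed_apple_id:
        raise PermissionError(f"{user.upn}: User Enrollment requires a Managed Apple ID")
    return outcome


# Constructed sample profiles: a catch-all device enrollment profile and a
# higher-priority BYOD profile that lets the user choose.
PROFILES = (
    EnrollmentTypeProfile("Default - device enrollment", "device", 2, frozenset({"All Users"})),
    EnrollmentTypeProfile("BYOD - user choice", "user_choice", 1, frozenset({"BYOD Users"})),
)

if __name__ == "__main__":
    alice = User("alice@contoso.example", frozenset({"All Users", "BYOD Users"}), True)
    print(applicable_profile(alice, PROFILES).name)
    print(enroll(alice, PROFILES, owns_device=True, secure_entire_device=False))
```

Running the block shows that a user in both groups gets the BYOD profile because of its higher priority, and that choosing I own this device plus Secure work-related apps and data only results in User Enrollment on a personally-owned device; a user without a Managed Apple ID is refused that path.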

End-user experience when enrolling a personal iOS device

The best method to have a look at the end-user experience is by enrolling a personal iOS device. In the following example that will be an iPhone 8. The 15 steps below walk through enrolling that iPhone 8 by relying on User Enrollment. Those steps also include a few useful notes and some screenshots from where the enrollment differs from the “normal” device enrollment for personal iOS devices.

  1. Download and install the Company Portal app
  2. Open the Company Portal app and sign in using a work or school account
  3. On the Set up {company} access page, tap Begin
  4. On the Select device and enrollment type page, select I own this device and select Secure work-related apps and data only (as shown in Figure 3) and tap Continue

Note: Selecting {company} owns this device will result in a company-owned device and selecting I own this device will result in a personally-owned device.

  5. Back on the Set up {company} access page, tap Continue
  6. On the Device management and your privacy page, review the information and tap Continue
  7. Back on the Set up {company} access page, tap Continue
  8. On the This website is trying to download a configuration profile. Do you want to continue? dialog box, tap Allow
  9. On the Profile Download dialog box, tap Close
  10. Open the Settings app (as shown in Figure 4) and tap on Enrol in {company}
  11. On the User Enrollment page, review the information (as shown in Figure 5) and tap Enrol My iPhone
  • Figure 3: Select device and enrollment type
  • Figure 4: Select the enrollment profile in Settings
  • Figure 5: Select the start of the User Enrollment
  12. On the Enter iPhone Passcode To Install Profile page, provide the passcode of your iPhone
  13. On the Apple ID for {company} page, tap Continue and sign in with your Managed Apple ID
  14. Back in the Company Portal app, tap Continue now
  15. Back on the Set up {company} access (now renamed to You’re all set!) page, tap Done

Once the enrollment is successfully completed, there are still some interesting places to look and to verify a successful enrollment. The first place to look, is of course the Company Portal app. That app shows information regarding the enrollment and the ownership of the device. The ownership is set to Personal (as shown in Figure 6). Besides that, this enrollment model also separates personal and business data. That separation is clearly shown in apps like Reminders (see Figure 7) and Notes (see Figure 8).

  • Figure 6: Overview of the device ownership
  • Figure 7: Example of the data separation in Reminders
  • Figure 8: Example of the data separation in Notes

More information

For more information about the user enrollment for iPhone and iPad devices, refer to the following docs.
