source link: https://docs.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-platform-ios-ipados
Deployment guide: Manage iOS/iPadOS devices in Microsoft Intune
- 05/11/2021
Intune supports mobile device management (MDM) of iPads and iPhones to give users secure access to work email, data, and apps. This guide provides iOS-specific guidance to help you set up enrollment and deploy apps and policies to users and devices.
Prerequisites
Before you begin, complete these prerequisites to enable iOS/iPadOS device management in Intune. For more detailed information about how to set up, onboard, or move to Intune, see the Intune setup deployment guide.
Plan for your deployment
The Microsoft Intune planning guide provides guidance and advice to help you determine goals, use-case scenarios, and requirements. It also describes how to create plans for rollout, communication, support, testing, and validation.
Leverage the iOS/iPadOS security configuration framework
The iOS/iPadOS security configuration framework is a series of recommendations for device compliance and configuration policy settings. These recommendations help you tailor your organization's mobile device security protection to your specific needs.
Microsoft Intune uses a taxonomy for this framework that's similar to the one used for security configurations in Windows 10. It applies to both personally owned and supervised devices, and includes the recommended settings for basic, enhanced, and high-level security. Each security level builds off the previous one and offers more protection than the last.
The security levels for personally owned devices are:
- Basic security (Level 1) – This configuration is recommended as the minimum security configuration for personal devices from which users access work or school data. This configuration enforces password policies, defines device lock characteristics, and disables certain device functions (such as untrusted certificates).
- Enhanced security (Level 2) – This configuration is recommended for devices from which users access sensitive or confidential information. This configuration enacts data sharing controls. It's applicable to most mobile users accessing work or school data on a device.
- High security (Level 3) – This configuration is recommended for devices used by specific users or groups who are uniquely high risk. For example, users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization. This configuration enacts stronger password policies than the previous levels, disables more device functions, and enforces additional data transfer restrictions.
The security levels for supervised devices are:
- Basic security (Level 1) – This configuration is recommended as the minimum security configuration for supervised devices where users access work or school data. This level is achieved by enforcing password policies, defining device lock characteristics, and disabling certain device functions (such as untrusted certificates).
- Enhanced security (Level 2) – This configuration is recommended for devices from which users access sensitive or confidential information. This configuration enacts data sharing controls and blocks access to USB devices. It's applicable to most mobile users accessing work or school data on a device.
- High security (Level 3) – This configuration is recommended for devices used by specific users or groups who are uniquely high risk. For example, users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization. This configuration enacts stronger password policies, disables more device functions, enforces additional data transfer restrictions, and requires apps to be installed through the Apple volume purchase program (VPP).
For more information about the security framework, including specific recommendations and the minimum apps that must be protected, see the articles listed in the following table.
Create compliance rules
Use compliance policies to define the rules and conditions that users and devices should meet to access your protected resources. If you use Conditional Access, your Conditional Access policies can use your device compliance results to block access to resources from noncompliant devices. For a detailed explanation about compliance policies and how to get started, see Use compliance policies to set rules for devices you manage with Intune.
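As an added example that is not part of this guide, the following PowerShell creates an iOS/iPadOS compliance policy of the kind described above through Microsoft Graph (Microsoft.Graph SDK). The display name, passcode values, minimum OS version and the 24-hour grace period are illustrative assumptions, not the framework's published recommendations, and assigning the policy to groups is a separate step.

```powershell
# Added example: create an iOS/iPadOS device compliance policy via Microsoft Graph.
# Requires the Microsoft.Graph PowerShell SDK and an account permitted to manage Intune.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Illustrative policy body. The property names are those of the Graph
# iosCompliancePolicy resource; the values are assumptions for this example.
$policy = @{
    "@odata.type"                         = "#microsoft.graph.iosCompliancePolicy"
    displayName                           = "iOS - Example basic compliance"   # assumed name
    description                           = "Passcode, OS version and jailbreak checks"
    passcodeRequired                      = $true
    passcodeBlockSimple                   = $true          # reject 1234, 1111 and similar
    passcodeMinimumLength                 = 6              # assumed value
    passcodeMinutesOfInactivityBeforeLock = 5              # assumed value
    passcodeRequiredType                  = "numeric"
    osMinimumVersion                      = "15.0"         # assumed value
    securityBlockJailbrokenDevices        = $true
    # Actions taken when a device is evaluated as noncompliant. Marking the
    # device noncompliant is what Conditional Access policies act on.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType       = "block"
                    gracePeriodHours = 24   # assumed: mark noncompliant after one day
                }
            )
        }
    )
}

# POST the policy; the response contains the new policy's id for later assignment.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

Write-Output "Created compliance policy $($created.displayName) with id $($created.id)"
```

Until the policy is assigned to a group and devices report in, it has no effect; review the result in the Intune admin center before attaching it to a Conditional Access policy.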
Configure endpoint security
Use the Intune endpoint security features to configure device security and to manage security tasks for devices at risk.
Configure device settings
Use Microsoft Intune to enable or disable settings and features on iOS/iPadOS devices. To configure and enforce these settings, create a device configuration profile and then assign the profile to groups in your organization. Devices receive the profile once they enroll.
Set up secure authentication methods
Set up authentication methods in Intune to ensure that only authorized people access your internal resources. Intune supports multi-factor authentication, certificates, and derived credentials. Certificates can also be used for signing and encryption of email using S/MIME.
Deploy apps
As you set up apps and app policies, think about your organization's requirements, such as the platforms you'll support, the tasks people need to do, the type of apps they need to complete those tasks, and finally, the groups who need those apps. You can use Intune to manage the whole device (including apps) or use Intune to manage the apps only.
Enroll devices
Enrolling devices allows them to receive the policies you create, so have your Azure AD user groups and device groups ready.
For information about each enrollment method and how to choose one that's right for your organization, see the iOS/iPadOS device enrollment guide for Microsoft Intune.
Run remote actions
After devices are set up, you can use remote actions in Intune to manage and troubleshoot devices from a distance. Availability varies by device platform. If an action is absent or disabled in the portal, then it isn't supported on the device.
Next steps
Check out these enrollment tutorials to learn how to do some of the top tasks in Intune. Tutorials are 100 – 200 level content for people new to Intune or a specific scenario.
For the Android version of this guide, see Deployment guide: Manage Android devices in Microsoft Intune.