Set up Microsoft Intune for iOS/iPadOS

In this tutorial I will show you how to set up Microsoft Intune for iOS/iPadOS. In short, we ensure that devices are configured and secured to your standards. Let’s jump right in and set up Microsoft Intune.

For this post I will be solely focussing on manual enrollment. In addition to that, I will provide some information about the Automatic Device Enrollment from Apple.

Configure Microsoft Intune for iOS/iPadOS

Grant access to Microsoft to transfer information to Apple.

Intune MDM Setup Portal - Grant Permission

Download the Intune certificate signing request (CSR). We need that to create a new Apple Push Certificate.

Intune MDM Setup Portal - Download CSR

Now it is time to let Apple generate a new Apple MDM push certificate for us. This certificate will give you the ability to manage iOS/iPadOS devices.

You need to have an Apple ID. This can be a personal or business account. For production environments, it is best practice to use a company mail address.

Click on the button to start the process or click the link in the Endpoint Manager portal.

Apple Push Certificates Portal - Create Certificate

Apple Push Certificates are valid for one year, so you will have to renew this certificate in time. For the renewal you must use the same Apple ID that you initially created the certificate with.

Grab the CSR file from Microsoft Endpoint Manager. Upload it into the portal.

Apple Push Certificates Portal - Upload CSR

Download the certificate on the confirmation page. Please make note of the expiration date and renew the certificate in time.

Apple Push Certificates Portal - Download Certificate

Go back to the Endpoint Manager portal. Enter the Apple ID that you have used to create the new certificate.

Intune MDM Setup Portal - Enter Apple ID

Upload the certificate and click Upload.

Intune MDM Setup Portal - Upload new certificate

Microsoft Intune is now ready to enroll iOS/iPadOS devices. Download the Company Portal on a test device to verify the configuration. Do this before anything else to make sure that the configuration works.
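A way to keep an eye on the two renewal points above (the one-year validity and the Apple ID used to create the certificate), as an added example that is not part of the original post. It assumes you have fetched the `applePushNotificationCertificate` record from Microsoft Graph; the sample JSON is constructed, and the function names and the 30-day warning threshold are hypothetical.

```python
import json
from datetime import datetime, timezone

# Constructed sample of the JSON returned by
# GET https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate
# (placeholder values, not taken from a real tenant).
SAMPLE_RESPONSE = """
{
  "appleIdentifier": "mdm-admin@example.com",
  "topicIdentifier": "com.apple.mgmt.External.00000000-0000-0000-0000-000000000000",
  "lastModifiedDateTime": "2024-03-01T09:00:00Z",
  "expirationDateTime": "2025-03-01T09:00:00Z"
}
"""

def parse_graph_time(value):
    """Parse a Graph UTC timestamp into a timezone-aware datetime."""
    # Drop the trailing 'Z' and any fractional seconds.
    value = value.rstrip("Z").split(".")[0]
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)

def check_push_certificate(response_json, documented_apple_id,
                           now=None, warn_days=30):
    """Return a dict with the status, days left and findings for the record.

    documented_apple_id is the Apple ID your team has on file for renewals
    (hypothetical parameter); warn_days is an assumed threshold.
    """
    cert = json.loads(response_json)
    now = now or datetime.now(timezone.utc)
    expires = parse_graph_time(cert["expirationDateTime"])
    days_left = (expires - now).days
    findings = []
    if expires <= now:
        status = "expired"
        findings.append("certificate expired on %s" % expires.date())
    elif days_left < warn_days:
        status = "renew_soon"
        findings.append("certificate expires in %d days" % days_left)
    else:
        status = "ok"
    recorded = cert.get("appleIdentifier", "")
    if recorded.lower() != documented_apple_id.lower():
        findings.append("renew with %s, not %s" % (recorded, documented_apple_id))
    return {"status": status, "days_left": days_left, "findings": findings}
```
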

Manual Device Enrollment

Users enroll the device with the Company Portal app. It is available for download in the Apple App Store, meaning that every user can start right away. The app is the central place for applications and synchronizes the device with Microsoft Intune. To enroll a device, follow the steps below.

Download the Intune Company Portal app from the App Store. Open the app and sign in with your Azure Active Directory credentials.

Company Portal App - Install App Store
Company Portal App - Sign in

The app will now display the steps for the user to complete. Because privacy on a private device is such a huge topic, the app shows you what Microsoft Intune cannot read or do on the device.

Company Portal App - Set up screen
Company Portal App - Privacy Info

Error: Couldn’t add your device
This means that your Microsoft Intune environment is not fully set up for iOS/iPadOS enrollment. Make sure that you have completed the steps described above in this post.

Allow the policy download and install the profile on the device. As a result, Microsoft Intune is capable of configuring the device.

Company Portal App - Allow profile download
Company Portal App - Install Profile
Company Portal App - Confirm install

The Company Portal should now report that the device is set up. After that, we can access the application store and manage the device details from the app. Deleting the app afterwards won't make any difference, though, since the management profile remains present on the device.

Company Portal App - Done
Company Portal App - Overview

To conclude the steps above: this is how you set up a device within Microsoft Intune.

Device details in Endpoint Manager

Now we verify the device in Microsoft Endpoint Manager:

  • Search for the device in the portal.
  • Check device details and enrollment details.

Open the Endpoint Manager portal and go to Devices. After that, click on iOS/iPadOS. You will be presented with an overview similar to the one for Windows devices.

Endpoint Manager portal iOS/iPadOS section

Next, we click on the device. It takes a while for the device to appear in the list. The portal presents us with an overview of hardware information and installed apps. The ownership in this case is Personal. In other words, the device is privately owned and enrolled by the user.

Endpoint Manager portal device ownership
Endpoint Manager portal hardware details

Automatic Device Enrollment

Note: You must have a managed Apple ID for Automatic Device Enrollment. Visit this link to check the requirements.

A lot has changed for Mobile Device Management since iOS 13. User Enrollment mode is now available, which is a Bring Your Own Device (BYOD) model. This feature is now in preview in Microsoft Intune.

Users can enroll their personal devices just fine as long as they are willing to become compliant. Click the button below for a full list of supported capabilities.

In conclusion

To sum it all up: it is not complicated to set up Microsoft Intune for iOS/iPadOS devices. Create an Apple Push Certificate and renew it in time. The Company Portal provides access to resources and syncs information from and to Microsoft Intune. Personal devices are enrolled with just a few taps. However, automatic enrollment of company-owned devices is a bit more complicated. It involves Automatic Device Enrollment from Apple and Apple Business Manager.