Thursday, 16 April 2015

Corporate Device Enrollment of iOS devices in Microsoft Intune


Corporate Device Enrollment is an Intune feature that I've wanted to investigate for quite some time. Have a look in the Intune Console and you will see Policy > Corporate Device Enrollment. What is this all about?

I recently carried out some research and testing of the feature and I've documented what I learned in this blog. I made a few mistakes on the way (one more serious than the others) but we'll get to that. Note that you can read all about Corporate Device Enrollment in the TechNet Library:

Enroll corporate-owned iOS devices in Microsoft Intune

This is an extract from that document.

Intune supports the enrollment of corporate-owned iOS devices using the Apple Device Enrollment Program (DEP) or the Apple Configurator tool running on a Mac computer. Devices enrolled through DEP cannot be un-enrolled by users.

You can enroll corporate-enrolled iOS devices in two ways:

  • Setup Assistant Enrollment – Factory resets the device and prepares it for setup by the device’s new user. This method supports DEP or Apple Configurator enrollments.
  • Direct Enrollment – Creates an Apple Configurator-compliant file for use during device preparation. The enrolled device isn’t factory reset but has no user affiliation. This method cannot be used for DEP enrollment.
So what is the Apple Device Enrollment Program (DEP)? It provides a fast, streamlined way to deploy your corporate-owned Mac or iOS devices, whether purchased directly from Apple or through participating Apple Authorized Resellers. It is available only in the following countries and you must register directly with Apple to participate in the program:
Australia, Belgium, Canada, Denmark, Finland, France, Germany, Greece, Hong Kong, Ireland, Italy, Japan, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Singapore, Spain, Sweden, Switzerland, Taiwan, Turkey, United Arab Emirates, United Kingdom, and United States.

DEP was not available to me so I decided on the Apple Configurator method with Direct Enrollment. Did I tell you that I was testing with my wife's iPhone?

Features of Apple Configurator

The process is very simple and takes only a few steps:

  1. Create Intune Device Enrollment Profile
  2. Export the Profile 
  3. Copy the Profile to the management computer and install the Apple Configurator
  4. Prepare the iOS device

1. Create Intune Device Enrollment Profile

First create an empty Group.

We can apply compliance policies to this Group and will use it when configuring the Profile.

Navigate to Policy > Corporate Device Enrollment and click Add a Profile.

Enter a name for the Profile and select the Group created earlier.

Save the Profile.

2. Export the Profile

The Profile has now been created. Click Export.

This was my first mistake. I had forgotten to configure Intune with an Apple APN Certificate.

That was easy to solve. I downloaded an APN Certificate Request and subsequently uploaded the APN (you can read about this process here). Then I tried the export again.

Better success this time. See the section for "Setup Assistant enrollment". We're not interested in this at this time. Click to "Download Profile" in the Direct Enrollment section.

This is the Intune profile ready to be used in the Apple Configurator.

3. Copy the Profile to the management computer and install the Apple Configurator

This is the Apple Mac that I borrowed for my testing. I had to upgrade to Yosemite 10.10.3 in order to support the Apple Configurator.

I copied the Intune Profile to the Mac and then it was time to install the Apple Configurator.

Apple Configurator is available from the Apple Store.


4. Prepare the iOS device

The Wrong way (for me)

Great. I had done a lot and was ready to "Prepare my iOS device". Did I tell you that I was testing with my wife's iPhone? Unfortunately I chose the wrong option for me.

I saw "Supervision" and thought - yes, that's what I need. I also imported the previously created Intune profile and started to prepare the device.........

......and performed a Factory Reset on my wife's iPhone. OUCH. She wasn't very happy and wouldn't let me use it again after that (I don't know why, I tried to explain that the damage was already done).

To make matters worse the process didn't even work and the Intune profile was not installed. The device was never enrolled - more on that later.

The Right Way (for me)

OK. So I got myself organised with a new test device (or rather an old iPhone with a broken screen - hence the quality of some of the pictures below).

I carried out the process differently this time and it was really simple. 

I entered a device name and chose to number sequentially. I did NOT choose supervision.

Configured some Organization details.

Now I was ready to add a Profile - "Install Profiles".

I was asked to connect my iPhone via USB. See the blue symbol above Prepare.

My device was detected - see the blue "1" above Prepare > Next.

I chose my Management Profile. I only had one - the Intune Profile.......

.....and I was off.

I was prompted immediately on the iPhone to install the Management Profile. I did.

The Profile installed and verified. Looked pretty good.

Almost immediately (less than a minute) the device could be seen in the Intune console......

.....and it was in the required Group to get its compliance policy.

The Right Way to do the Wrong Way (if that makes sense)

My original approach would have been perfectly valid if I hadn't been using a device that was already in use and held personal data. For a new device it's perfectly OK, and sometimes preferred, to perform a Factory Reset. However, we want to be able to install the Intune Profile in the same operation so that the device can be enrolled immediately. I found that my problem occurred because the Factory Reset removed the wireless settings and an Internet connection is required to activate the device.

This is solved by adding a second profile to the Apple Configurator which configures the wireless networking on the device during the installation.

This blog post pointed me in the right direction.
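As an added example (not part of the original post or of Intune or Apple Configurator), the Python sketch below builds a wireless configuration profile of the kind described above and audits its Wi-Fi payload before the file is shared. The `com.example.*` identifiers, the SSID and the passphrase are constructed placeholders; the payload keys are the standard `com.apple.wifi.managed` ones.

```python
import plistlib
import uuid

WEAK_ENCRYPTION = {"None", "WEP", "Any"}  # "Any" leaves the cipher unpinned


def _payload(ptype, identifier, name, **extra):
    """Common keys every configuration-profile payload carries."""
    base = {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": identifier,  # placeholder reverse-DNS name
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": name}
    base.update(extra)
    return base


def build_wifi_profile(ssid, passphrase, encryption="WPA2"):
    """Return .mobileconfig bytes holding one Wi-Fi payload."""
    if encryption.startswith("WPA") and not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA/WPA2 passphrase must be 8-63 characters")
    wifi = _payload("com.apple.wifi.managed", "com.example.prep.wifi",
                    f"Wi-Fi ({ssid})", SSID_STR=ssid, HIDDEN_NETWORK=False,
                    AutoJoin=True, EncryptionType=encryption,
                    Password=passphrase)
    profile = _payload("Configuration", "com.example.prep",
                       "Provisioning Wi-Fi", PayloadContent=[wifi])
    return plistlib.dumps(profile)  # XML plist, importable as a profile


def audit_wifi_payloads(profile_bytes):
    """List what a reviewer should know before the file leaves the prep Mac."""
    findings = []
    for p in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = p.get("SSID_STR", "<no SSID>")
        if p.get("EncryptionType", "Any") in WEAK_ENCRYPTION:
            findings.append(f"{ssid}: EncryptionType is weak or unpinned")
        if "Password" in p:
            findings.append(f"{ssid}: passphrase is stored in clear text")
    return findings


if __name__ == "__main__":
    # Constructed sample values; use a provisioning-only SSID in practice.
    data = build_wifi_profile("Prep-Only", "constructed-sample-passphrase")
    print(data.decode())
    print(audit_wifi_payloads(data))
```

Because the passphrase sits unencrypted in the file, a dedicated provisioning SSID with a key that is rotated after the enrollment run limits what a copied profile exposes.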


The combination of the Apple Configurator and the Intune Management Profile produces a very slick process. The device can be configured in a few minutes. It's really great for bulk enrollment of iOS devices. 30 devices can be prepared simultaneously.

The following points should be noted:

  • This process is only for iOS devices.
  • An Apple Mac management device is required.
  • Operating System must be Yosemite 10.10.3 to support the Apple Configurator.
  • The process simply enrols the device (by deploying a management profile) so that it can be managed and receive policies.
  • Intune Company Portal is not installed as part of the process. If you wish to deploy apps to users this must be done separately.
  • An Intune enrollment profile file is only valid for 2 weeks (I don't quite understand the point of that).
  • A SIM card has to be installed in the device so that it can be automatically activated.
  • Only choose "Supervision" if you want to perform a Factory Reset of the device.
  • If you do want to perform a Factory Reset and enrol the device you must add a wireless profile to the Apple Configurator.

