BYOD Reimagined: A Web-Based Enrollment Journey for iOS

Streamlining the device enrollment process is crucial for administrators and enterprises implementing BYOD policies. With Microsoft Intune's web-based device enrollment for iOS/iPadOS, personal devices are enrolled from Safari, so users do not have to install the Company Portal app before they can enroll. As an MDM admin, you can enroll personal devices in Microsoft Intune with fewer steps for the user, which shortens the enrollment and reduces the support load. The following sections cover the benefits of web-based device enrollment and give step-by-step instructions for setting it up.


What is Just-in-Time Registration?

Just-in-Time (JIT) Registration registers the device with Microsoft Entra ID during enrollment itself: the user signs in once with corporate credentials in Safari, and the device is registered and enrolled in a single flow, with no separate Company Portal sign-in to finish registration. The registration is performed by the Microsoft Enterprise SSO plug-in, which you deploy through a device features configuration profile, so the SSO extension settings described below are what make JIT registration work.

For steps, see Set up JIT registration in Intune. Return to this article when you're done so you can continue to the next step.


During enrollment, users are prompted to sign in with their corporate credentials. Entra ID authenticates them, and the device is registered and enrolled in Intune in the same flow. The following settings must be in place for just-in-time registration to work:

  • Deploy the Microsoft Enterprise SSO plug-in through a device features configuration profile (single sign-on app extension of the Microsoft Entra ID type). JIT registration depends on two keys in that extension's configuration: device_registration set to {{DEVICEREGISTRATION}} and browser_sso_interaction_enabled set to 1.
  • Ensure that your organization has an active Apple Business Manager or Apple School Manager account.
  • Verify that devices run an iOS/iPadOS version supported for just-in-time registration, as listed in the Intune documentation.
  • Allow the network traffic enrolled devices need to reach the Intune and Entra ID endpoints; a device that cannot reach them fails at the sign-in step.
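Because the two SSO extension keys are the part of the JIT setup that is easiest to get wrong, the following added example (not code from the article or from Microsoft) builds the single sign-on extension payload as it would be sent to, or read back from, the Microsoft Graph device configuration API and checks that a given profile carries the required keys. The Graph type names iosDeviceFeaturesConfiguration, iosAzureAdSingleSignOnExtension, keyStringValuePair and keyIntegerValuePair are assumptions from the Graph reference; verify them against the current documentation before relying on them.

```python
"""Build and validate the device-features payload that enables JIT registration:
an iOS single sign-on app extension of the Microsoft Entra ID type carrying the
two keys JIT registration depends on.

Assumptions (not from the article): the Graph resource and item type names used
below (iosDeviceFeaturesConfiguration, iosAzureAdSingleSignOnExtension,
keyStringValuePair, keyIntegerValuePair).
"""
import json
from typing import Any

# The two keys JIT registration requires and the values they must have.
REQUIRED_KEYS: dict[str, Any] = {
    "device_registration": "{{DEVICEREGISTRATION}}",  # token Intune expands per device
    "browser_sso_interaction_enabled": 1,             # lets Safari complete the sign-in
}


def jit_sso_extension_profile(name: str) -> dict[str, Any]:
    """Device features configuration carrying the Entra SSO extension for JIT."""
    return {
        "@odata.type": "#microsoft.graph.iosDeviceFeaturesConfiguration",
        "displayName": name,
        "singleSignOnExtension": {
            "@odata.type": "#microsoft.graph.iosAzureAdSingleSignOnExtension",
            "enableSharedDeviceMode": False,
            "configurations": [
                {
                    "@odata.type": "#microsoft.graph.keyStringValuePair",
                    "key": "device_registration",
                    "value": "{{DEVICEREGISTRATION}}",
                },
                {
                    "@odata.type": "#microsoft.graph.keyIntegerValuePair",
                    "key": "browser_sso_interaction_enabled",
                    "value": 1,
                },
            ],
        },
    }


def sso_extension_problems(profile: dict[str, Any]) -> list[str]:
    """Return the reasons a profile would NOT satisfy JIT registration (empty list = OK).

    Intended for profiles exported from Graph as well as ones built here, so it
    only relies on the keys and values, not on the order of the configurations.
    """
    problems: list[str] = []
    ext = profile.get("singleSignOnExtension") or {}
    if ext.get("@odata.type") != "#microsoft.graph.iosAzureAdSingleSignOnExtension":
        problems.append("single sign-on extension is missing or not the Microsoft Entra ID type")
        return problems
    found = {c.get("key"): c.get("value") for c in ext.get("configurations", [])}
    for key, expected in REQUIRED_KEYS.items():
        if key not in found:
            problems.append(f"missing key {key}")
        elif found[key] != expected:
            problems.append(f"{key} is {found[key]!r}, expected {expected!r}")
    return problems


if __name__ == "__main__":
    profile = jit_sso_extension_profile("iOS JIT registration SSO extension")
    print(json.dumps(profile, indent=2))
    print("problems:", sso_extension_problems(profile))
```

Run sso_extension_problems() over the JSON of an existing device features profile (GET from Graph) to confirm the JIT prerequisites are met before rolling out the web-based enrollment profile; an integer key entered as the string "1" in the admin center is caught because the comparison is type-sensitive.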

Creating an Enrollment Profile

Create an enrollment profile for devices enrolling via web-based device enrollment. The profile determines which enrollment experience the user gets and lets them start enrollment from Safari.

  • In the Microsoft Intune admin center, go to Devices > iOS/iPadOS > iOS/iPadOS enrolment.
  • Select Enrollment types.
  • Select Create profile > iOS/iPadOS.
  • On the Basics page, enter a name and description for the profile so that you can distinguish it from other profiles in the admin center. Device users don't see these details.
  • Select Next.
  • On the Settings page, for Enrollment type, select Web based device enrolment.
  • Select Next.
  • On the Assignments page, assign the profile to all users, or select specific groups. Enrollment type profiles are targeted at users rather than devices, since the device is not known to Intune until enrollment completes.
  • Select Next.
  • On the Review + create page, review your choices, and then select Create to finish creating the profile.

Distributing the Company Portal Website as a Web Clip

Since the Company Portal app is no longer required for enrollment, give users a link to the Company Portal website instead. From there they can install available apps and check their device's status. The easiest way to put that link in front of users is to deploy it as a web clip (a home-screen shortcut) to their devices.

  • Sign in to the Microsoft Intune admin center.
  • Navigate to Apps > iOS/iPadOS and select Add.
  • In Select app type, select iOS/iPadOS web clip.
  • Click Select.
  • On the App information page, add the following information:
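Both of the admin center procedures above (the web-based enrollment profile and the Company Portal web clip) can be automated against Microsoft Graph. The following added example, which is not code from the article or from Microsoft, builds the two payloads, assigns them to all users or to one group, and posts them with an access token you supply. The endpoint deviceManagement/appleUserInitiatedEnrollmentProfiles, the enrollment type value webDeviceEnrollment, the assignment type appleEnrollmentProfileAssignment, the app type iosiPadOSWebClip and the permission names are assumptions taken from the beta Graph reference; check them against the current documentation, since beta resources change.

```python
"""Create the web-based enrollment profile and the Company Portal web clip through
Microsoft Graph instead of clicking through the admin center.

Assumptions (not from the article): the beta resource
deviceManagement/appleUserInitiatedEnrollmentProfiles with defaultEnrollmentType
"webDeviceEnrollment", the appleEnrollmentProfileAssignment assignment type, the
iosiPadOSWebClip app type and its assign action. The token is expected to carry
DeviceManagementServiceConfig.ReadWrite.All and DeviceManagementApps.ReadWrite.All.
"""
import json
import urllib.request
from typing import Any, Optional

GRAPH = "https://graph.microsoft.com/beta"  # assumption: beta is needed for the enrollment profile resource
COMPANY_PORTAL_WEB = "https://portal.manage.microsoft.com"

ALL_USERS = {"@odata.type": "#microsoft.graph.allLicensedUsersAssignmentTarget"}


def group_target(group_id: str) -> dict[str, str]:
    """Assignment target for one Entra ID group."""
    return {"@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": group_id}


def web_enrollment_profile(name: str, description: str = "") -> dict[str, Any]:
    """Enrollment type profile whose default type is web-based device enrollment."""
    return {
        "@odata.type": "#microsoft.graph.appleUserInitiatedEnrollmentProfile",
        "displayName": name,
        "description": description,  # admin-only text; device users never see it
        "platform": "iOS",
        "defaultEnrollmentType": "webDeviceEnrollment",
    }


def enrollment_assignment(target: dict[str, str]) -> dict[str, Any]:
    """Body for the enrollment profile's assign action."""
    return {"assignments": [
        {"@odata.type": "#microsoft.graph.appleEnrollmentProfileAssignment", "target": target}
    ]}


def company_portal_web_clip(name: str = "Company Portal") -> dict[str, Any]:
    """Home-screen shortcut to the Company Portal website (no app install required)."""
    return {
        "@odata.type": "#microsoft.graph.iosiPadOSWebClip",
        "displayName": name,
        "description": "Check device status and install available apps",
        "publisher": "Microsoft",
        "appUrl": COMPANY_PORTAL_WEB,
        "useManagedBrowser": False,   # open in Safari, where web enrollment happened
        "fullScreenEnabled": False,
    }


def app_assignment(target: dict[str, str]) -> dict[str, Any]:
    """Body for the mobile app assign action; 'required' pushes the clip automatically."""
    return {"mobileAppAssignments": [
        {"@odata.type": "#microsoft.graph.mobileAppAssignment", "intent": "required", "target": target}
    ]}


def graph_post(token: str, path: str, body: dict[str, Any]) -> dict[str, Any]:
    """POST a JSON body to Graph and return the decoded response (empty dict for 204)."""
    req = urllib.request.Request(
        f"{GRAPH}{path}",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def deploy(token: str, group_id: Optional[str] = None) -> tuple[str, str]:
    """Create both objects, assign them, and return (profile id, web clip id)."""
    target = group_target(group_id) if group_id else ALL_USERS
    profile = graph_post(token, "/deviceManagement/appleUserInitiatedEnrollmentProfiles",
                         web_enrollment_profile("BYOD web enrollment", "Personal iOS/iPadOS devices"))
    graph_post(token, f"/deviceManagement/appleUserInitiatedEnrollmentProfiles/{profile['id']}/assign",
               enrollment_assignment(target))
    clip = graph_post(token, "/deviceAppManagement/mobileApps", company_portal_web_clip())
    graph_post(token, f"/deviceAppManagement/mobileApps/{clip['id']}/assign", app_assignment(target))
    return profile["id"], clip["id"]


if __name__ == "__main__":
    import os
    print(deploy(os.environ["GRAPH_TOKEN"], os.environ.get("ENROLL_GROUP_ID")))
```

Scope the assignment to a pilot group first (pass group_id) and only switch to ALL_USERS once the JIT SSO extension profile is confirmed on the same users; a web enrollment profile assigned to users whose devices lack the SSO extension simply fails at registration.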

Preparing Employees for Enrollment

Before initiating the device enrollment process, it's crucial to effectively communicate with employees and provide them with the necessary support and resources. This ensures a smooth and successful enrolment experience.

To inform employees about the enrolment process, consider the following effective ways:

  • Email Communication: Send out a detailed email explaining the purpose of device enrolment, its benefits, and step-by-step instructions on how to proceed. Clearly outline any prerequisites or requirements, such as having an active corporate account or network connectivity.
  • Intranet or Internal Portal: Utilise your organization's intranet or internal portal to create a dedicated page that provides comprehensive information about device enrolment. Include FAQs, video tutorials, and any relevant documentation to assist employees in understanding and completing the process.
  • Training Sessions: Conduct training sessions where employees can learn about the enrollment process firsthand, and brief IT support beforehand so they can answer the questions that come in. This allows for interactive discussions, addressing questions, and providing real-time guidance.

End User Experience

When a Conditional Access policy requires a compliant device, an employee who signs in to a work app on an unenrolled personal device is told that enrollment is required and is redirected to the Company Portal website to enroll.

Alternatively, you can give employees and students a URL that opens the Company Portal website directly. If you are not using Conditional Access, nothing redirects users to enrollment, so you must share the enrollment link with device users so they know how to start. The link to share is:

portal.manage.microsoft.com/conditionalaccess/enrollment

This section provides the high-level enrollment steps for device users.


How It Works at the Device Level

To see what happens on the device, look at its logs (for example a Console stream or a sysdiagnose capture taken during enrollment). The events of interest are profile installations, communication with the MDM server, security policy updates, and compliance checks.

MDM Profile Installation Events
  • Initiation of Installation: The device's MDM client takes a power assertion so the device stays awake while the management profile installs; the log shows this as entries tagged "Starting MDM power assertion" and "InstallProfile".
  • Profile Installation Attempt: Next the log shows "Attempting to perform MDM request: InstallProfile", meaning the device has started installing the MDM profile.
  • Completion of Installation: "Ending MDM power assertion" marks the end of the profile installation. A "Starting" entry with no matching "Ending" entry is the sign of an install that stalled or failed.
MDM Server Communication Events
  • Job Block Enqueueing: The logs show job blocks being enqueued, which is the device queuing work to send data to, or fetch data from, Intune.
  • Job Block Execution: Executing job blocks is the active exchange with Intune, in which commands and policies are transmitted.
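The log milestones listed above are easy to turn into a small triage script. The following added example (not code from the article) parses device log lines for the strings quoted above, reconstructs each InstallProfile cycle from its power assertion start, request attempt and power assertion end, and reports cycles that never ended. The layout of SAMPLE_LOG is constructed for the example and only carries the message strings the article quotes; real unified-log exports have more columns, so adapt LINE_RE to the export you actually have.

```python
"""Reconstruct MDM enrollment milestones from device log lines and flag stalled
profile installs.

Added example, not from the article. SAMPLE_LOG is constructed: the timestamp and
process columns are simplified, only the message text follows the article.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

SAMPLE_LOG = """\
2024-05-02 09:14:01.120 mdmd: Starting MDM power assertion: InstallProfile
2024-05-02 09:14:01.130 mdmd: Attempting to perform MDM request: InstallProfile
2024-05-02 09:14:03.410 mdmd: Ending MDM power assertion: InstallProfile
2024-05-02 09:14:05.002 mdmd: Enqueueing job block
2024-05-02 09:14:05.020 mdmd: Executing job block
2024-05-02 09:14:07.500 mdmd: Starting MDM power assertion: InstallProfile
2024-05-02 09:14:07.510 mdmd: Attempting to perform MDM request: InstallProfile
"""

# Constructed line layout: "<timestamp> <process>: <message>". Adjust for real exports.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<proc>\S+): (?P<msg>.*)$")

# Message patterns from the article, mapped to an event kind; "req" captures the MDM request name.
PATTERNS = [
    (re.compile(r"^Starting MDM power assertion: (?P<req>\w+)"), "assertion_start"),
    (re.compile(r"^Attempting to perform MDM request: (?P<req>\w+)"), "request_attempt"),
    (re.compile(r"^Ending MDM power assertion: (?P<req>\w+)"), "assertion_end"),
    (re.compile(r"^Enqueueing job block"), "job_enqueued"),
    (re.compile(r"^Executing job block"), "job_executed"),
]


@dataclass
class Event:
    ts: datetime
    kind: str
    request: Optional[str]


@dataclass
class Cycle:
    request: str
    started: datetime
    attempted: Optional[datetime] = None
    ended: Optional[datetime] = None

    @property
    def complete(self) -> bool:
        return self.attempted is not None and self.ended is not None

    @property
    def seconds(self) -> Optional[float]:
        return (self.ended - self.started).total_seconds() if self.ended else None


def parse(log: str) -> list[Event]:
    """Keep only lines that match one of the article's milestone messages."""
    events: list[Event] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        for pat, kind in PATTERNS:
            pm = pat.match(m["msg"])
            if pm:
                ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
                events.append(Event(ts, kind, pm.groupdict().get("req")))
                break
    return events


def request_cycles(events: list[Event]) -> list[Cycle]:
    """Group start / attempt / end per request name into cycles, in log order."""
    cycles: list[Cycle] = []
    open_by_request: dict[str, Cycle] = {}
    for ev in events:
        if ev.kind == "assertion_start":
            cycle = Cycle(ev.request or "?", ev.ts)
            cycles.append(cycle)
            open_by_request[cycle.request] = cycle
        elif ev.kind == "request_attempt" and ev.request in open_by_request:
            open_by_request[ev.request].attempted = ev.ts
        elif ev.kind == "assertion_end" and ev.request in open_by_request:
            open_by_request.pop(ev.request).ended = ev.ts
    return cycles


def stalled(cycles: list[Cycle]) -> list[Cycle]:
    """Cycles that started but never reached 'Ending MDM power assertion'."""
    return [c for c in cycles if not c.complete]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for c in request_cycles(evs):
        state = f"completed in {c.seconds:.2f}s" if c.complete else "STALLED"
        print(f"{c.request} started {c.started.time()} -> {state}")
    print("job blocks enqueued:", sum(e.kind == "job_enqueued" for e in evs),
          "executed:", sum(e.kind == "job_executed" for e in evs))
```

On the constructed sample the first InstallProfile cycle completes in about 2.3 seconds and the second never ends, which is the pattern to look for when a user reports that enrollment "hung" in Safari; a cycle with an attempt but no end usually points at the device losing connectivity to Intune mid-install.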

Conclusion

Implementing web-based device enrollment not only shortens onboarding but also makes Bring Your Own Device (BYOD) policies easier to enforce. It gives you as an administrator control over device configuration while keeping the user's experience to a single sign-in in Safari. With fewer steps for users and fewer support tickets, web-based device enrollment in Microsoft Intune is a valuable tool for organizations looking to simplify and optimize their iOS device onboarding process.