Around two years ago, I wrote an article titled "Managing iOS Devices with Microsoft Intune," and a lot has happened since then. The transition from legacy authentication to modern authentication by both Apple and Microsoft has completely changed the way devices are enrolled in MDM, in both corporate-owned device (COD) and bring-your-own-device (BYOD) scenarios. So, here is an all-in-one (AIO) guide to help you plan, prepare, manage, and secure your Apple platform using Microsoft Intune.
What we will cover in this series:
- The need to manage devices and data
- Getting started: Apple device enrollment types & MDM
- ABM, ASM, or ASE?
- Onboarding to ABM
- What is Apple Configurator & when to use it?
- Apple Identity Services & SSO
- Setup Assistant, configurations & restrictions
- The magic of Declarative Device Management
- Manage software update policies for iOS & macOS devices
- Distribute content
- Device management security
- Enroll an iOS/iPadOS & macOS device as COD in Intune
- Enroll an iOS/iPadOS & macOS device as BYOD in Intune
- App Protection Policies (MAM)
- Code signing & app wrapping
Before you begin
Before you begin enrolling Apple devices in Intune, it is essential to review & understand the requirements and use cases so that you can define your approach:
The below table should give you a fair idea about the different approaches:
For all Intune-specific prerequisites and configurations needed to prepare your tenant for enrollment, see the Enrollment guide: Microsoft Intune enrollment.
Managing Devices and Corporate Data
In today's world, for any organization, its most valuable asset is "data". Whether accessed from the end user's own devices or the devices given by the organization, keeping corporate data safe is one of the most challenging yet critical measures. When talking about Apple devices, Apple has made it simple for IT to accommodate various device management checks without impacting end users' productivity or privacy.
Apple gives IT teams the tools to be successful and have the control they need without compromising usability. This is achieved through the tight integration of Apple’s management framework and your mobile device management (MDM) solution.
In iOS, iPadOS, tvOS, and macOS, Apple includes a management framework that allows IT to configure and update settings, deploy apps, monitor compliance, query devices, and remotely wipe or lock devices. This framework supports corporate-owned and personally-owned devices and is the foundation for deployment and management. MDM solutions are available from a wide range of vendors who offer a choice of features and prices for maximum flexibility, regardless of whether an enterprise deploys a cloud-based or an on-premises server.
No matter what deployment strategy you choose, the MDM framework will never have access to your email, messages, or browsing history.
Device Ownership Model
Management of these devices can take many forms, depending on company needs and security concerns. The main device ownership models cover a wide spectrum of business requirements:
- Corporate-Owned Devices
- User-Owned Devices, also known as BYOD (bring your own device)
Device management must be a critical element of any organization's security strategy. It ensures that devices are secure, up to date, and compliant with organizational policies, which in turn prevents unwanted access to the corporate network and data. A sound device management strategy is more crucial than ever as businesses accommodate remote and hybrid workforces, and organizations are required to safeguard all of their data and resources.
Microsoft Intune helps you to secure proprietary data that users access from their company-owned and personally-owned devices. Intune includes device and app policies, software update policies, and installation statuses (charts, tables, and reports).
In general, there are two methods for managing devices.
- The first is to manage many features of the devices themselves using Intune's built-in capabilities. This method is referred to as Mobile Device Management (MDM). Users "enroll" their devices, and as an IT administrator you can require a specific operating system version, block personally-owned devices from enrolling, and much more. You can also securely wipe all data from a device if it is lost or stolen.
- The second method is to manage the apps on the devices rather than the devices themselves. This approach is called Mobile Application Management (MAM). Users can access company resources from their own personal devices and may be asked to authenticate when they launch an app such as Outlook or another enterprise app. If a device is ever lost or stolen, you can erase all company data from the Intune-managed applications without touching the user's personal data.
- You can also combine MDM and MAM on the same device.
While you design your device management infrastructure, don't forget to consider these two critical points:
- Corporate-owned devices give the most control and protection over corporate data.
- User-owned devices managed through User Enrollment protect corporate data without accessing personal data, thereby protecting user privacy.
I'll end this section right here, so let's get started on part 2 of the series.