Contact Us Get Free Products
Search icon Contact Us Get Free Products
Intune

How to use Intune Web-based Enrollment for iOS devices

Jonathan LefebvreMay 08 20243 Min Read

Contributor of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM consultant, working in the industry for more than 10 years. He developed a strong knowledge of SCCM and MDT to build automated OS deployment solution for clients, managed large and complexe environment, including Point of Sale (POS) related projects.

Jonathan Lefebvre

Table of Content
SCD Collaborators

Intune constantly evolves month to month with new ways to manage devices. One of the fairly recent additions is the ability to do Web-based device enrollment for iOS devices. This is for Bring Your Own Device (BYOD) scenario. User enrollment and device enrollment have been around for a long time, with a known process that essentially consists of the user installing the Company portal, sign-in and following on-screen instructions to achieve enrollment.

The Web-based device enrollment eases the process for the end-user to simply access a dedicated web-page, and sign-in. Everything else, including the Company Portal, will be pushed later from Intune after the enrollment is completed. This enrollment method will set the device in the same state as a Device enrollment, which means the device is fully managed, compared to User enrollment which splits the device into personal/corporate sections.

In this post, we’ll detail how to configure Intune to support web-based device enrollment and demonstrate the enrollment behaviour with an iPad.

Intune Web-based Enrollment Prerequisites

Create Web-based device enrollment profile for iOS in Intune

Intune Web-based Enrollment
  • Select Create Profile/iOS/iPadOS
Intune Web-based Enrollment
  • Provide a name of the enrollment profile
Intune Web-based Enrollment
  • Select Web-based device enrollment
Intune Web-based Enrollment
  • Like other enrollment profiles, select a target group of users allowed to use it.
Intune Web-based Enrollment
  • Use the left section to change the priority order of the various profiles in case the user is targeted by multiple enrollment profiles.
Intune Web-based Enrollment

Create a Just-in-time registration device configuration profile

Why JIT configuration?

Just-in-time registration is required to use the Apple Single sign-on(SSO) extension to complete the Microsoft Entra registration of the device. Just in time will limit the number of authentication prompts by establishing the SSO across the whole device for Microsoft products.

  • Select iOS, Templates and Device Features. Click Create.
  • Provide the name
  • Under Single sign-on app extension, select Microsoft EntraID
  • Additional configurations are needed.
    • App Bundle ID isn’t required for our current need.
    • 2 keys are needed
      • Key: device_registration
      • Type: String
      • Value: {{DEVICEREGISTRATION}}
      • Key: browser_sso_interaction_enabled
      • Type: Integer
      • Value: 1

Avoid additional space before/after those values, otherwise Just-in-Time won’t work!!

  • Assign the device configuration to the same group as the Enrollment profile for convenience.
Intune Web-based Enrollment

For more details about the Just-in-time registration, see Microsoft Docs.

Enroll iOS using Web-based device enrollment

Intune Web-based Enrollment

This enrollment method is only supported from Safari browser!

  • Sign-in with Microsoft Entra ID credentials.
  • Click on Get Started
Intune Web-based Enrollment
  • Allow this website to download a configuration profile.
  • Go to Settings / General / VPN & device management
  • A prompt will ask to install the Microsoft Intune root certification authority, click on Install and Trust
  • Once the profile is installed, the enrollment is completed and the device will begin to process policies and applications!

A few additional notes

  • The Company portal isn’t required to be installed at all.
    • Microsoft recommends at least providing a web app pointing to https://portal.manage.microsoft.com/
  • Microsoft Authenticator is required for work/school access. It is recommended to share instructions accordingly.

For more details about Web-based device enrollment, see Microsoft docs.

Enrollment Intune Ipad iPhone just in time Web based device enrollment
SCD Collaborators
Comments (0)
Related posts
Benoit LecoursMarch 27 20242 Min Read
Block USB Drive using Intune

Personnal USB drives connected to work computers is a bit risky. Anyone could copy important stuff...

Intune
Benoit LecoursMarch 19 20243 Min Read
How to use Intune Remediation script

A feature that was somewhat hidden under the wrong location is finally rising. Intune remediation...

Intune
Benoit LecoursMarch 02 20242 Min Read
Uninstall Intune app on Windows devices

Since Intune 2307, Intune administrator has the new capability to uninstall applications directly...

Intune
Request a Quote

Please fill out the form, and one of our representatives will contact you in Less Than 24 Hours. We are open from Monday to Friday.

Consulting Services

Subscription

PatchMyPC

Reports and Guides

I'm interested in working with you

Consulting services and time banks are used for generic requests. All others are fixed-price plans.

Never share sensitive information (credit card numbers, social security numbers, passwords) through this form.
Request Sent

Thank you for your request. You will receive an email with more details. Take note that we normally work from Monday to Friday. We will get in touch with you as soon as possible.

Comment Sent

Thank for your reply!

Error

Something went wrong!