Enroll iPhones and iPads with Microsoft Intune

Home Blog Enroll iPhones and iPads with Microsoft Intune

4sysops - The online community for SysAdmins and DevOps

    , ,   0
Before you can manage mobile devices with Intune, you need to enroll them with Microsoft's cloud-based mobile device management (MDM) service. In addition to Android and Windows 10, it also supports iPhones and iPads. First you have to apply for a certificate from Apple, and then you can download the required Intune app onto the device.
Latest posts by Roland Eich (see all)
Contents of this article

To register an iOS device with Intune, at the Manage section of the console, go to Device enrollment > Apple enrollment. Once there, follow the link Apple MDM Push certificate to apply for one.

Start screen for Apple device enrollment in Microsoft Intune

Start screen for Apple device enrollment in Microsoft Intune

This is because Intune communicates with the iOS devices via push messages to manage them.

Requesting certificate from Apple ^

The certificate is free of charge, and you can apply it for using an Apple account. After executing the above command, a dialog with five sections opens. Under point 1, you must give Microsoft permission to send information to Apple.

Apple MDM Push certificate request form

Apple MDM Push certificate request form

The second step is to download the .csr file, which you will then use to request the Apple certificate. This occurs under point 3, where the corresponding link leads you to Apple's website. If necessary, you can create a new (free) account at this point or authenticate yourself with an existing account.

Log in to Apple's certificate portal

Log in to Apple's certificate portal

The page for creating a certificate should now display.

Start page for requesting a certificate from Apple

Start page for requesting a certificate from Apple

After clicking on Create a Certificate, you will confirm the Terms of Use next. Then you upload the request file, which you have downloaded under point 2.

Upload .csr file to request a certificate

Upload .csr file to request a certificate

Finally, the certificate is ready for download. It is important to make sure it is valid andto note the expiry date so you can renew it on time. Otherwise you can't manage the iOS devices any more.

Download Apple's push certificate as a .pem file

Download Apple's push certificate as a .pem file

Importing the certificate to Intune ^

After returning to the Intune console, enter the Apple ID used to request the certificate under point 4 and upload the certificate, available in .pem format, to Intune. This completes the initial setup.

Import Apple's push certificate as a .pem file into Intune

Import Apple's push certificate as a .pem file into Intune

Enroll devices via app ^

Now you can start enrolling iOS devices. There are several ways to do this: Apple's Device Enrollment Program (DEP), Apple School Manager, Apple Configurator, and finally the App Intune Enterprise Portal.

In our example, I use the app you have to download from the App Store to the iOS device.

Installation of the Intune company portal from the App Store

Installation of the Intune company portal from the App Store

You now log on to it with the company data.

Signing in at the Intune company portal

Signing in at the Intune company portal

The app then displays a series of dialogs you will need to confirm. These include, for example, information for transmitting data and how to set up access to the network.

The last step is to install the management profile on the smartphone. It will later serve to grant access to company apps and to resources.

You've now registered the smartphone and can view and manage it as a device in the Intune portal.

Subscribe to 4sysops newsletter!

List of managed iOS devices in Intune

List of managed iOS devices in Intune

If you have created policies before enrolling, they will now be applied to the device.

+1
avatar
Related Articles
0 Comments

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

Follow 4sysops

Twitter Facebook Linkedin RSS

Subscribe to email updates

4sysops Leaderboards

Member Leaderboard – Month

Member Leaderboard – Year

Author Leaderboard – 30 Days

Author Leaderboard – Year

Site Wide Activities [RSS]

Viewing 1 - 7 of 7 items

  • Jason Sandys commented on Block or force upgrade to Windows 11 with Group Policy 22 minutes ago

    The above is not correct with respect to WUfB. Devices will never be offered the upgrade to Win 11 until or unless you (the admin) explicitly opt them into getting the upgrade using one of the targeting mechanisms. Thus, doing nothing will not opt-in any devices and will prevent them from being offered Win 11 -- users cannot work around this (unless they use media). This is explicitly called out in the official docs at https://docs.microsoft.com/en-us/windows/whats-new/windows-11-prepare#cloud-based-solutions.

    0
  • Profile picture of ioannis

    ioannis commented on Patch management tips: Updating IT systems in large and small networks 4 hours, 20 minutes ago

    I guess it all comes to our experiences so far. I still find it impossible to automate user tasks on a server. Maybe it has to do with the diversity of the applications that they are already installed. Keep in mind that if an administrator takes that road he must also test/reconfigure/update the automation processes that he already created. Yes some simple login tests can be automated but still you add up extra workload....multiply that by 1000+ ...

    Concerning the pre-prod environment (when one is present) , the key users also dont want to spend extra time testing the updates on your test environment. For them it is your test environment, not theirs. "Their" pre-prod is valuable even more than the live one....and you should treat it like the production one as well :-/ I would also like to mention that sometimes the pre-prod environment does not exist in the corporate Network.More than 50% of the applications that run on our Servers come directly from external partners that just install them and update them without even sometimes letting you know.Imagine how difficult it is to keep track of the documentation, changes and the automated users tasks you mentioned before.

    With the backups themselves it depends on the administrator and how far is he willing to go.My approach to that is the following(considering that i am the sole responsible if something goes wrong):

    Every backup system has a database.All that an administrator needs is a read-only account on that database.Then with a simple SQL query you can see if there is a succesfull backup for your servers. Simple and fast (i am already doing that with Sesam, Veeam and Netbackup). Another solution would be to ask for a daily report.It is not that big deal to receive the backup report as well. Still doing the SQL thing though because i automate it with PS.

    thank you for your reply. It is always nice to have a solid conversation.

    0
  • Profile picture of Wolfgang Sommergut

    Wolfgang Sommergut wrote a new post, Block or force upgrade to Windows 11 with Group Policy 4 hours, 49 minutes ago

    Microsoft has already started rolling out Windows 11 via Windows Update and WSUS. It is not entirely clear when individual PCs will receive the upgrade, but most companies currently do not want it anyway. This upgrade can be blocked or specifically requested using a GPO setting.

    0
  • Profile picture of Leos Marek

    Leos Marek commented on Patch management tips: Updating IT systems in large and small networks 5 hours, 20 minutes ago

    BUT having a test environment similar to your production one is simply impossible.

    Can't agree on this one. Its very easy to have identical servers/applications. What differs is the load. You can have automated tests which simulate standard user behavior. With LOB applications its common to have key users that do the tests in the test/pre-prod environment. Thats the only way how an functional update can be validated.
    When we patched business critical application (not only from OS point of view, but also the application itself) we always had a Key user who did the app test and a Local IT support guy who did OS related tests.
    Yes, system admins do not always know the app itself, thats why I said its responsibility of system AND app owners 🙂

    With the backups its not that easy. Its the same like the system/app owner relation... In large organizations, Windows admins have no access to backup systems (Tivoli, etc etc). You cant ask backup team if your 3000 servers that you are going to patch were backed up successfully.
    Cheers

    0
  • Profile picture of ioannis

    ioannis commented on Patch management tips: Updating IT systems in large and small networks 6 hours, 13 minutes ago

    Very usefull piece of Information. Thank you.
    Since it is mentioned in various articles , guides etc i have to comment on the existence of a test environment. Yes having a test environment is a must and it should be used exactly like mentioned above , BUT having a test environment similar to your production one is simply impossible. A server in the test environment will never be even close to a "live" one. Even if you clone the server and make the copie available in the test environment , the administrator cannot make sure that the server is used like the live one or even test the server himself.
    We are unaware of the specific details of the applications that run on a server and only a real user or an App Admin can really tell the impact (if there was) that an update had. Real users don't connect to our test environment. They connect to the production one.
    What are we testing then? Mostly Server stability (BSOD, reboots etc) or known issues. What kind of precautions do we take? We take snapshots or make sure that a snapshot exists. We also make sure that we take backups (or check if they exist) of crucial Applications (such as databases ) that are not covered from a snapshot.
    I also believe that no matter how big is an organisation, the administrator who performs the patch management should always be aware of the backup procedures and be always in contact with the backup team.

    0
  • Profile picture of Paolo Maffezzoli

    Paolo Maffezzoli posted an update 10 hours, 38 minutes ago

    Microsoft Defender ATP adds live response for Linux and macOS
    Microsoft Defender ATP adds live response for Linux and macOS
    Microsoft has announced the addition of new live macOS and Linux response capabilities to Defender for Endpoint,, the enterprise version of Redmond's Windows 10 Defender antivirus.
    +1
  • Profile picture of Paolo Maffezzoli

    Paolo Maffezzoli posted an update 10 hours, 38 minutes ago

    Were Excited to Announce the Launch of Comms Hub! Microsoft Security Response Center
    We are excited to announce the launch of Comms Hub to the Researcher Portal submission experience! With this launch, security researchers will be able to streamline communication with MSRC case SPMs (case managers), attach additional files, track case and bug bounty status all in the Researcher Portal.
    +1
© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account