How to Enrol iOS and iPadOS Devices in Intune

iOS enrolment types

• User enrolment (BYOD) - the user installs Company Portal and enrols themselves. Intune manages work data only. Personal content is not visible to IT.
• Device enrolment (supervised) - full management of the device. Used for corporate-owned iPhones and iPads. Provides the most control.
• Automated Device Enrolment (ADE) - uses Apple Business Manager. Devices enrol automatically when powered on. Zero-touch setup for corporate devices.

Set up Apple Push Notification Service (APNs)

APNs is required for Intune to communicate with iOS devices. This is a one-time setup and must be renewed annually.

1. Go to Devices → iOS/iPadOS → iOS/iPadOS enrolment → Apple MDM Push Certificate
2. Click Download your CSR and save the file
3. Go to Apple Push Certificates Portal (identity.apple.com) and sign in with an Apple ID
4. Click Create a Certificate, upload the CSR file, and download the certificate
5. Back in Intune, upload the certificate file
6. The status shows the expiry date - renew this every year before it expires

BYOD user enrolment (personal devices)

For personal iPhones and iPads, users follow these steps:

1. On the iPhone or iPad, open the App Store
2. Search for and install Microsoft Intune Company Portal
3. Open Company Portal and sign in with their Microsoft 365 work account
4. Tap Begin and follow the prompts to install the management profile
5. When prompted, go to Settings → General → VPN and Device Management and tap Install on the Intune profile
6. Return to Company Portal and complete enrolment

The device appears in Intune within a few minutes. For BYOD, Intune can enforce a PIN, encrypt the device, and wipe corporate data, but cannot see personal photos, messages, or apps.

Apple Business Manager and Automated Device Enrolment

For corporate-owned iPhones and iPads, Automated Device Enrolment (ADE) is the recommended approach. Devices enrol into Intune automatically during initial setup - no user action required.

Step 1 - Set up Apple Business Manager

Go to business.apple.com and register your organisation. You need a DUNS number for this. Apple verifies the organisation within a few days.

Step 2 - Link Apple Business Manager to Intune

1. In Intune, go to Enrolment program tokens → + Add
2. Download the public key from Intune
3. In Apple Business Manager → Settings → MDM Servers → + Add, upload the public key and download the server token
4. Back in Intune, upload the server token

Step 3 - Create an enrolment profile

Go to Enrolment profiles → + Create profile → iOS/iPadOS. Key settings:

Step 4 - Assign devices to the enrolment profile

In Apple Business Manager, go to Devices, select the devices (or all devices from a specific order), and assign them to your Intune MDM server. Back in Intune, sync the token to pull in the new devices, then assign your enrolment profile to them.

When a device is powered on for the first time, it contacts Apple, gets redirected to Intune, and enrols automatically.

Deploy apps to iOS devices

To push apps to iOS devices without requiring users to pay or sign into the App Store, use Volume Purchase Program (VPP) through Apple Business Manager.

1. In Apple Business Manager, purchase app licences (free apps are available too)
2. In Intune, go to Tenant admin → Connectors and tokens → Apple VPP tokens and sync
3. Apps from VPP appear in Apps → iOS/iPadOS and can be assigned as Required or Available

Troubleshooting

Company Portal cannot connect during enrolment

Check the APNs certificate has not expired. Go to Devices → iOS/iPadOS → iOS/iPadOS enrolment → Apple MDM Push Certificate and check the expiry date.

Device not appearing after ADE enrolment

Sync the enrolment program token in Intune. Also confirm the device serial number appears in Apple Business Manager and is assigned to your MDM server. New purchases can take 24-48 hours to appear in ABM.

User cannot complete Company Portal setup

Check the user has an Intune licence and that the iOS enrolment restriction allows personal devices. Also confirm the APNs certificate was created with the correct Apple ID.