Getting started with web-based device enrollment for iOS devices

This week is all about a new enrollment feature for iOS/iPadOS devices: web-based device enrollment. Web-based device enrollment is now one of the two device enrollment methods available for personal iOS/iPadOS devices. The other method is the already existing device enrollment with the Company Portal app. The main differentiator of web-based device enrollment is that it provides a faster and more user-friendly enrollment experience. It’s no longer required to first download the Company Portal app. Instead, the user can simply go to the Company Portal website, or start the new enrollment experience via an app that requires a compliant device. That is more user-friendly and accessible via the favorite browser of the user. Besides that, web-based device enrollment can be used in combination with Just-In-Time (JIT) registration, to reduce the number of times users have to sign in, both during the enrollment and when accessing apps. This post walks through the advised configurations to fully utilize the potential of web-based device enrollment for iOS devices. That starts with the configuration of JIT, followed by the configuration of web-based device enrollment and the distribution of the Company Portal website. It all ends with the user experience.

Note: It’s strongly advised to at least distribute the Company Portal app as a web clip, to provide the user with easy access to the device (compliance) status and company status.

Configuring just-in-time registration

When looking at the best user experience, the configuration of web-based device enrollment starts with JIT. JIT greatly enhances the user experience, especially after the enrollment of the device, as it reduces the authentication prompts during the session and establishes single sign-on (SSO) across all supported (and configured) apps. Besides that, it also provides the technical functionality to fully integrate compliance checks within Microsoft apps (and non-Microsoft apps configured with the Apple SSO extension). To provide all that functionality, JIT utilizes the Apple SSO extension. To configure JIT registration, a Device features profile can be used. The following eight steps walk through the minimal required configuration.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > iOS/iPadOS > Configuration profiles
  2. On the iOS/iPadOS | Configuration profiles blade, click Create profile
  3. On the Create a profile blade, provide the following information and click Create
  • Platform: Select iOS/iPadOS to create a profile for iOS and iPadOS devices
  • Profile type: Select Templates > Device features to configure the required setting
  4. On the Basics page, provide the following information and click Next
  • Name: Provide a name for the profile to distinguish it from other similar profiles
  • Description: (Optional) Provide a description for the profile to further differentiate profiles
  • Platform: (Greyed out) iOS/iPadOS
  • Profile type: (Greyed out) Device features
  5. On the Configuration settings page, as shown below in Figure 1, perform at least the following actions and click Next
  • Navigate to Single sign-on app extension and configure the following settings
    • With SSO app extension type select Microsoft Entra ID as type
    • With Additional configuration add at least the following key-value pairs
      • Configure browser_sso_interaction_enabled as key, of the Integer type, with the value 1, to enable SSO within Safari
      • Configure device_registration as key, of the String type, with the value {{DEVICEREGISTRATION}}, to facilitate JIT
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the assignment and click Next
  8. On the Review + create page, verify the configuration and click Create

Note: This is the same configuration that can also be used for the Account driven user enrollment for personal devices and the Setup Assistant with modern authentication enrollment for company devices.
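As an added example (not code from this post and not Microsoft’s own tooling), the following Python script checks whether a saved Device features profile contains the two key-value pairs from the Additional configuration step, each with the right value type. It assumes the Microsoft Graph beta representation of such a profile (an iosDeviceFeaturesConfiguration whose iosSingleSignOnExtension is an iosAzureAdSingleSignOnExtension, with keyIntegerValuePair and keyStringValuePair entries under configurations); the two sample profiles embedded in the script are constructed for the example, not exported from a real tenant. Entering browser_sso_interaction_enabled as a String "1" instead of an Integer 1 is an easy slip when typing the pairs by hand, and the check flags exactly that.

```python
"""Minimal check that an Intune iOS/iPadOS Device features profile carries the
JIT registration settings from the post. Added example, not code from the post
or from Microsoft. Assumes the Microsoft Graph beta representation of such a
profile (microsoft.graph.iosDeviceFeaturesConfiguration with an
iosAzureAdSingleSignOnExtension under iosSingleSignOnExtension and
keyIntegerValuePair / keyStringValuePair entries under configurations).
The two sample profiles below are constructed for this example."""
import json

PROFILE_TYPE = "#microsoft.graph.iosDeviceFeaturesConfiguration"
ENTRA_SSO_EXTENSION = "#microsoft.graph.iosAzureAdSingleSignOnExtension"
INTEGER_PAIR = "#microsoft.graph.keyIntegerValuePair"
STRING_PAIR = "#microsoft.graph.keyStringValuePair"

# The minimal Additional configuration from the post:
# key -> (expected value type, expected value)
REQUIRED_PAIRS = {
    "browser_sso_interaction_enabled": (INTEGER_PAIR, 1),
    "device_registration": (STRING_PAIR, "{{DEVICEREGISTRATION}}"),
}


def check_jit_profile(profile: dict) -> list:
    """Return a list of findings; an empty list means the minimum for JIT is met."""
    findings = []
    if profile.get("@odata.type") != PROFILE_TYPE:
        return ["not an iOS/iPadOS Device features profile"]
    sso = profile.get("iosSingleSignOnExtension")
    if not sso:
        return ["no Single sign-on app extension configured"]
    if sso.get("@odata.type") != ENTRA_SSO_EXTENSION:
        return [f"SSO app extension type is {sso.get('@odata.type')}, expected Microsoft Entra ID"]
    # Index the key-value pairs by key so each required key is looked up once.
    pairs = {p.get("key"): p for p in sso.get("configurations", [])}
    for key, (expected_type, expected_value) in REQUIRED_PAIRS.items():
        pair = pairs.get(key)
        if pair is None:
            findings.append(f"missing key {key}")
        elif pair.get("@odata.type") != expected_type:
            findings.append(f"{key} has type {pair.get('@odata.type')}, expected {expected_type}")
        elif pair.get("value") != expected_value:
            findings.append(f"{key} has value {pair.get('value')!r}, expected {expected_value!r}")
    return findings


def check_profile_text(text: str) -> list:
    """Same check on the JSON text of a profile, e.g. saved from a Graph GET."""
    return check_jit_profile(json.loads(text))


# Constructed sample: matches the configuration described in the post.
GOOD_PROFILE_JSON = """{
  "@odata.type": "#microsoft.graph.iosDeviceFeaturesConfiguration",
  "displayName": "iOS - JIT registration (constructed sample)",
  "iosSingleSignOnExtension": {
    "@odata.type": "#microsoft.graph.iosAzureAdSingleSignOnExtension",
    "enableSharedDeviceMode": false,
    "bundleIdentifiersEnablingAzureAdSso": [],
    "configurations": [
      {"@odata.type": "#microsoft.graph.keyIntegerValuePair",
       "key": "browser_sso_interaction_enabled", "value": 1},
      {"@odata.type": "#microsoft.graph.keyStringValuePair",
       "key": "device_registration", "value": "{{DEVICEREGISTRATION}}"}
    ]
  }
}"""

# Constructed sample with two slips: the integer key entered as a String,
# and the device_registration key left out entirely.
BAD_PROFILE_JSON = """{
  "@odata.type": "#microsoft.graph.iosDeviceFeaturesConfiguration",
  "displayName": "iOS - JIT registration, incomplete (constructed sample)",
  "iosSingleSignOnExtension": {
    "@odata.type": "#microsoft.graph.iosAzureAdSingleSignOnExtension",
    "configurations": [
      {"@odata.type": "#microsoft.graph.keyStringValuePair",
       "key": "browser_sso_interaction_enabled", "value": "1"}
    ]
  }
}"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_PROFILE_JSON), ("bad", BAD_PROFILE_JSON)):
        findings = check_profile_text(text)
        print(f"{name}: {'OK' if not findings else findings}")
```

Run as-is, the script reports the good sample as OK and lists two findings for the bad one. To use it on a real profile, save the JSON of the profile from the Graph deviceConfigurations endpoint to a file and pass its contents to check_profile_text; the Intune token {{DEVICEREGISTRATION}} is stored literally in the profile, which is why the check compares against that exact string.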

Configuring web-based device enrollment profile

When looking at the web-based device enrollment functionality itself, it all starts with the enrollment profile. That enrollment profile triggers the right enrollment experience on the device and allows the usage of Safari for the enrollment. The following six steps walk through the creation of that enrollment profile.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment types
  2. On the Enrollment type profiles blade, click Create profile > iOS/iPadOS
  3. On the Basics page, provide a valid name to distinguish it from other similar profiles and click Next
  4. On the Settings page, as shown below in Figure 2, select Web based device enrollment as enrollment type and click Next
  5. On the Assignments page, configure the assignment and click Next
  6. On the Review + create page, verify the configuration and click Create

Note: When multiple enrollment profiles are available, use the priority to determine the order of those profiles.

Distributing Company Portal website

As users no longer need to have the Company Portal app, it is strongly advised to at least provide them with a link to the Company Portal website. That gives those users a relatively easy method for accessing the available apps and for looking at the device status. The easiest method to achieve that is by pushing a web clip to those users.

  1. Open the Microsoft Intune admin center portal and navigate to Apps > iOS/iPadOS
  2. On the iOS/iPadOS | iOS/iPadOS apps blade, click Add > iOS/iPadOS web clip
  3. On the App information page, as shown below in Figure 3, provide at least the following information and click Next
  • Name: Provide a unique name for the web clip to distinguish it from other apps
  • Description: Provide a description for the app to describe the purpose of the web clip
  • Publisher: Provide the publisher of the web clip
  • App URL: Specify https://portal.manage.microsoft.com/ as the address for the web clip
  4. On the Scope tags page, configure the required scope tags and click Next
  5. On the Assignments page, configure the assignment and click Next
  6. On the Review + create page, verify the configuration and click Create

Note: For better visibility, and fewer support calls, it’s also strongly advised to configure an icon with the web clip.

Experiencing web-based device enrollment

When the different configurations are in place, it’s relatively easy to experience the web-based device enrollment. Before starting, however, it is strongly advised to first install the Microsoft Authenticator app. The web-based device enrollment experience can be triggered by directly navigating to the URL, or by signing in to an app that requires device management. Either way, the user will end up in the browser with the steps to set up the device (as shown below in Figure 4). Scroll a bit down and click Get started. That will bring the user to the next page explaining the management profile installation (as shown below in Figure 5). The user can simply click Allow and go to the Settings app to install the management profile. Once the management profile is installed, the device will eventually show up in the Company Portal website as a managed and compliant device. Also, when now starting the Teams app, for example, for the first time, it will show an additional screen about checking the device.

Note: At the moment of writing, the enrollment flow in the Company Portal website would still redirect to the Company Portal app. To trigger the web-based device enrollment flow, the direct URL can be used.

More information

For more information about web-based device enrollment for iOS devices, refer to the following docs.



53 thoughts on “Getting started with web-based device enrollment for iOS devices”

  1. Where does the Microsoft Authenticator app come into play with this enrollment method? Is it required for web-based enrollment to work?

  2. I don’t understand the purpose of this web based enrollment method if we still need to have the company portal app pushed as web-clip for compliance checks!

  3. Hi Peter,

    I wonder if this is closer to user enrollment or device enrollment.
    I can’t find it in the doc, since user enrollment kind of splits the device in 2, while device enrollment is full-on management.

    Where would web enrollment fall?
    thanks
    Jonathan

  4. Hi Peter,

    is it possible that the login for SSO, as described by you, is always asking when accessing Outlook / Teams etc.?
    When I’m accessing Outlook or Teams, are you redirected automatically to the web enrollment?

    At the moment I can login but is not redirected to the configured URL.

    Thank you.

    Regards,
    Matthew

  5. Hi Peter,

    did you have the confusing situation that an iOS device with the web-based device enrollment profile would enroll as a company device instead of a personal one? I did and I have no idea why, because the ownership should always be personal with that profile. We don’t have CI.

      • Hi Peter,

        no unfortunately not. That’s actually the problem. Some devices have, after they are enrolled in Intune with the web-based device enrollment profile, the ownership set to company, and some of them to personal. But shouldn’t all the devices be set to personal?

        • Hi Christian,
          I see that I formulated my question a bit weird. Yes, all should be enrolled as personal devices when using web-based device enrollment. If you’re not seeing that, you might want to contact Microsoft to see what’s happening there. One last thing to double check is that you haven’t configured any corporate device identifiers.
          Regards, Peter

  6. Hi Peter,

    thank you for your message.

    As mentioned in the first Comment no CI has been added in Intune.

    At least I can rule out that this is an expected behaviour.

    Ok, I will contact MS to solve the issue.

    Best regards

  7. Peter, What is your opinion on this from MS?

    Plan for Change: Microsoft Intune ending support for User Enrollment with Company Portal for iOS/iPadOS

    With the upcoming release of iOS/iPadOS 18, Apple will no longer support profile based User Enrollment. Due to these changes, Intune will end support for Apple User Enrollment with Company Portal shortly after the release of iOS/iPadOS 18. We recommend enrolling devices with account driven User Enrollment for similar functionality and an improved user experience.
    How this will affect your organization:
    After Intune ends support for User Enrollment with Company Portal:
    1. Existing enrolled devices are not impacted.
    2. Users will not be able to enroll devices if they are targeted with this enrollment type profile.
    3. Intune technical support will only be provided for existing devices enrolled with this method. We will not provide technical support for any new enrollments.
    What you need to do to prepare:
    Use an alternate management method for enrolling devices. We recommend account driven User Enrollment for similar functionality and an improved user experience. For those looking for a simpler enrollment experience, try the new web based device enrollment for iOS/iPadOS.
    Additional information:
    Overview of Apple User Enrollment in Microsoft Intune

    • Hi Mat,
      It’s a change by Apple that Microsoft basically has to follow. Besides that, account-driven Apple User Enrollment is the more evolved version of User Enrollment. So, I would say that it’s a good response on the moves by Apple.
      Regards, Peter

  8. Hello Peter

    We have been testing this already a few months ago and we did it still like the old way: download the Company Portal app, log in and get redirected to the web-based enrollment automatically. This is working well for us and is much better than entering the very long URL into a browser to start the rollout.
    My question is, will this still work like that and can we still use the Company Portal app to get apps etc., or do we need to provide the web link as an app?
    2nd question, if I want to enroll e.g. by opening Teams or Outlook, what do we need to configure? At the moment when we sign in to e.g. Outlook, the device is acting as a personal device (BYOD), which we also want to keep, because not every user has a fully managed device in our company, so how can we provide both scenarios? Like enrolling with e.g. Outlook but also keeping the possibility to sign in and use it as BYOD?

    Thanks and regards
    Kaya

    If I understand it correctly, you can no longer register the device via the Company Portal app, so we have to switch to web-based, and the Microsoft recommended procedure of providing the link that you then have to enter in the browser is simply not user-friendly because it is so long.
    Therefore, we want to continue to provide the registration of new devices via Company Portal, where you are redirected to the web-based enrollment after registration.

    Or, as previously asked, if we can use Outlook as a possible app to start the enrollment instead of Company Portal, for example, that would be even better, but how do you configure this without disrupting the use of BYOD devices?

    • Hi Kaya,
      When you are using Conditional Access, you can use that to enforce the enrollment. That will make sure that apps like Outlook and Teams will automatically start the enrollment flow.
      Regards, Peter

  10. Hi Peter

    I’m sure this situation isn’t unique to my environment. I have users who have supervised devices that are synced over from Apple Business Manager and set up using the enrolment profile configured under Devices > iOS > Enrolment > Enrolment Program Tokens > Profiles.

    This works great and once devices are enrolled they go into Intune as corporate devices. Occasionally the Intune cleanup policies remove a device and the user has to sign into the Company Portal app to get it re-enrolled.

    As Microsoft will soon be blocking enrolment for personal devices using the Company Portal app, I have set up web-based enrolment because we have users who also need to enrol personal devices. However, I noticed that if a user re-enrols a corporate device it now uses the web-based Company Portal and lists the device as personal.

    How can I allow users to enrol BYOD devices whilst still making sure that re-enrolment of corporate devices does not list them as personal?

    Thank you for any guidance you might be able to offer.

    Regards

    Lee

  11. Hi Peter

    Thanks for your article, I have set up Web based enrollment exactly as you described here and all works as expected. Compliance policy and JIT configuration are correctly applied because user is in the assigned group. Two questions:

    – device is still marked as Personal, so I have to manually change it. Would there be a way to make it Enroll as Corporate?

    – in the Intune Device > Hardware tab, Enrollment Profile remains empty (unlike iPhones enrolled via ABM token, which show the correct profile name). Is this normal or is there some issue/bug? (https://postimg.cc/ctN6X03C)

    For context: we don’t use ABM, our iPhones are bought by the org from regular stores so it’s as if they are BYOD, and I want to use web-based enrollment to avoid the need for the user’s Apple ID during the configuration (which is necessary to download the Company Portal app from the App Store) as we also do not manage Apple IDs.

    Cheers
    nick

    • Hi Nick,
      This configuration example is indeed focused on personal devices. That also causes the device to be automatically tagged as a personal device. And if I’m not mistaken that will not register the enrollment profile property (seeing the same with my test device).
      Regards, Peter

  12. I saw the message ID MC810406 – Plan for Change: Microsoft Intune ending support for User Enrollment with Company Portal for iOS/iPadOS

    Saw your article and set up and tested web based device enrollment based on your instructions which were brilliant. Thanks Peter.

    My only comment, which I found when setting up the Web Clip shortcut to Company Portal, is this.
    Ensure you have uploaded a picture file for the logo, as I could not get it to update post auto install, even after a sync.

    The only way was to remove the Management Profile and re-onboard which delivered the updated web clip complete with associated image. Perhaps I was just impatient.

    In either case very relieved with a working solution, ready for the change coming down the line.

  13. Hi Peter,

    I’m a bit confused with the latest note from Apple mentioning they will no longer support profile-based User Enrollment. Does this also apply to Automated Device Enrollment? I know that we can switch to web-based device enrollment and I plan to test it eventually, but if there is no rush, I would wait a bit more and keep using the Intune portal app.

    Thank you.

  14. Hi Peter,

    if I register an iOS device through the Company Portal and I have no enrollment profile assigned (either User or Device Enrollment), in which state is the device registered then?

    Is it user or device enrolled then?

    Thanks in advance!

    Greetings,
    Aaron

  15. Hi Peter,

    With the web-based device enrollment, I’m getting a “device action” in Intune to “Wipe” the device. Is it normal to have the wipe option available when using this enrollment method? I’d prefer to have that option greyed out entirely to avoid any accidents with personal phones.

    Thanks

  16. Hello Peter-

    Quick question regarding iOS enrollment profiles. We have an existing iOS device enrollment profile based on enrollment type: Device enrollment with Company Portal, and all users enrolling iOS devices should use this default profile. But we wanted to test other enrollment types as well, for example JIT & account driven enrollment types. The issue is, if a testing user exists in the assignment group for the iOS device enrollment profile and they try web or account driven enrollment, they get an error: device can’t be added during enrollment. Wanted to check and reconfirm if creating an assignment group for JIT & account driven users and adding them as an exclusion group in the Device enrollment with Company Portal profile is the only option to give these users the ability to use other enrollment profiles, or if there is another way to assign testing users other enrollment policies. Not sure how the priority feature for enrollment type works. Please advise.

  17. Hi Peter
    how are you guys handling the enrollment type priorities? I used to use ‘user choice’ for all users and that would send them down the correct enrollment path based on what they chose. But now that is broken down I am debating on the best way to do this, so that the users can decide whether to go the device enrollment route or the account-driven user enrollment route.
    What I’ve seen in my testing: if I assign the same group to all the policies and I prioritize device enrollment, then account driven stops working, but if I prioritize account driven, when users download the Company Portal for device enrollment it forces account driven.
    Am I going to have to create groups and keep adding users to each group as requested? I liked the method of user choice since it was less management on the IT side. In our company the all users worked well.

    • Hi Andres,
      Yes, it now indeed gets more priority-based. Personally, I don’t think that it’s a bad thing, as I like to be in control of the management that is required on the device. Mainly because the capabilities differ per enrollment type.
      Regards, Peter

  18. Hi Peter,
    Like someone else here, https://portal.manage.microsoft.com/enrollment/webenrollment/ios works. But after clicking on “get started” I get an error: “Couldn’t add your device, your Admin has not enabled Web Desive Enrollment for this account. Contact your admin….”
    My enrollment profile and JIT profile are both assigned to All Users and my test user is registered in my azure AD, no problem there. I’m at a loss as to where the issue could be…
    regards,

      • Hi,
        It was 18.1 and I was using Safari. But it’s working now !
        The issue was that the guy who had my job before me tried to set it up multiple times, going through half the needed configuration and left bits and pieces everywhere. I did a clean house, set it up from scratch and waited 24h to be sure. It worked like a charm.
        So, PSA, please guys, don’t leave half finished configuration in a production space, be kind to your fellow Adminsys.
        And thanks for the great blog Peter.
        regards,

  19. Hi, I created the web-based Intune enrollment type and it works, but the device is not registered in Entra, although I also created the JIT registration as instructed.
    The old company portal user enrollment registers the device in Entra also
    What could be the issue?

  20. @peter I have configured the web-based enrollment but I have one confusion.
    Earlier the user was able to download the apps from the Company Portal app.
    But now after web-based enrollment, from where will they install the apps?
    Or do we need to use MAM for web-based enrollment?
