With the new Intune on Azure portal released, you can add iOS devices that are configured as supervised devices via Apple Configurator 2. Configuring an iOS device via Apple Configurator requires the iOS device to be connected over USB to a macOS device that is running Apple Configurator.
What is Supervised Mode?
Supervised mode was introduced by Apple in iOS 5 and lets you distinguish company-owned devices from personally owned ones. When an iOS device is in supervised mode we can fully control it, including the restrictions and settings that cannot be configured on an unsupervised device. You often see supervised devices in schools, retail environments and healthcare, where the devices are used for one or a few specific purposes and are usually locked down.
So how do we put a device into supervised mode? This can be done in two ways: via the Apple Device Enrollment Program (Apple DEP) or via Apple Configurator. In this blog I will focus on Apple Configurator and how it can help you fully control iOS devices.
Apple Configurator
Apple Configurator can be used to create .mobileconfig files that you then deploy via Microsoft Intune, but it can also place the device in supervised mode and set it up so that the device automatically enrolls in Microsoft Intune during setup. Before we can configure an iOS device with Apple Configurator we need to prepare the Intune service.
Configure Apple Configurator Profile
In the Intune on Azure portal, go to Intune >> Device Enrollment >> Apple Enrollment and click AC Profiles. In AC Profiles, click Create. Supply a name and choose whether you want to enroll the device with or without user affinity.
If the device has a dedicated user, you probably want to enroll with user affinity; if it is a kiosk device shared by many people, you probably want to enroll without user affinity. For this blog I have chosen to enroll without user affinity.
Click Create to create the AC Profile.
Import and assign iOS devices
Next we need to import the devices that you want to enroll via the Apple Configurator profile, using a comma-separated values (CSV) file with the serial numbers and names of the devices.
In the Intune on Azure portal, go to Intune >> Device Enrollment >> Apple Enrollment and click Apple Configurator Devices. In Apple Configurator Devices, click Add and select the CSV file with the iOS devices. (The CSV file must contain one device per line, the serial number followed by a description, with no header row, e.g. XXXXXXXXXXXXX,iOS Test device Peter Daalmans. Only devices whose serial numbers have been imported here can enroll through the profile.)
Click Add.
Export AC Profile
In the Intune on Azure portal, go to Intune >> Device Enrollment >> Apple Enrollment and click AC Profiles. In AC Profiles, click the profile you have just created and click Export Profile.
Copy the URL and save it for later; you will paste it into Apple Configurator when preparing the device.
( https://appleconfigurator2.manage.microsoft.com/MDMServiceConfig?id=XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX&AADTenantId=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX )
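Two things in the steps above are easy to get wrong by hand: the device CSV (a stray header row, a lowercase or duplicated serial, a comma inside a description) and the exported profile URL (pasting a URL that belongs to a different profile or tenant). The script below is an added example, not code from the original post or from Microsoft; it normalises a raw inventory list into the two-column CSV Intune expects and sanity-checks an exported AC profile URL against your own tenant ID. The serial-number length check (10 to 12 uppercase alphanumerics) is an assumption used only to catch obviously malformed rows, and the sample inventory and URLs are constructed.

```python
import csv
import io
import re
from urllib.parse import urlparse, parse_qs

# Assumption: Apple serial numbers are 10-12 uppercase alphanumerics.
# This is a plausibility check to catch typos, not an Apple specification.
SERIAL_RE = re.compile(r"^[A-Z0-9]{10,12}$")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
# Host seen in the exported AC profile URL in the post.
INTUNE_AC_HOST = "appleconfigurator2.manage.microsoft.com"


def build_intune_csv(raw_rows):
    """Turn a raw (serial, description) inventory into the CSV text Intune
    accepts for Apple Configurator devices: one device per line, serial
    first, no header row. Returns (csv_text, rejected) where rejected is a
    list of (serial, reason) tuples for rows that were dropped."""
    seen = set()
    good, rejected = [], []
    for serial, desc in raw_rows:
        s = serial.strip().upper()          # Intune matches on the exact serial
        d = " ".join(desc.split())          # collapse stray whitespace
        if not SERIAL_RE.match(s):
            rejected.append((s, "malformed serial"))
        elif s in seen:
            rejected.append((s, "duplicate"))
        elif not d or "," in d:
            # A comma would add a third column; keep the file strictly two columns.
            rejected.append((s, "comma in description"))
        else:
            seen.add(s)
            good.append((s, d))
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(good)
    return buf.getvalue(), rejected


def check_enrollment_url(url, expected_tenant_id):
    """Check an exported AC profile URL before pasting it into Apple
    Configurator: it must be HTTPS, point at the Intune Apple Configurator
    host, carry a GUID profile id, and name *your* AAD tenant. The tenant
    check is what stops you enrolling devices into the wrong directory.
    Returns (ok, reason)."""
    p = urlparse(url.strip())
    if p.scheme != "https":
        return False, "not https"
    if p.hostname != INTUNE_AC_HOST:
        return False, "unexpected host %r" % p.hostname
    q = parse_qs(p.query)
    profile_id = q.get("id", [""])[0]
    tenant_id = q.get("AADTenantId", [""])[0]
    if not GUID_RE.match(profile_id):
        return False, "profile id is not a GUID"
    if tenant_id.lower() != expected_tenant_id.strip().lower():
        return False, "tenant mismatch: %r" % tenant_id
    return True, "ok"


# Constructed sample inventory (fake serials) to show each rejection path.
SAMPLE_INVENTORY = [
    ("F9FXK1AAAA01", "iPad Reception 01"),
    (" f9fxk1aaaa02 ", "iPad  Reception 02"),   # whitespace and case fixed
    ("F9FXK1AAAA01", "Duplicate of first"),     # dropped as duplicate
    ("SERIAL", "Too short"),                    # dropped as malformed
    ("F9FXK1AAAA03", "Kiosk, lobby"),           # dropped: comma in description
]

# Constructed URL with placeholder GUIDs in the shape the post shows.
SAMPLE_URL = ("https://appleconfigurator2.manage.microsoft.com/MDMServiceConfig"
              "?id=11111111-2222-3333-4444-555555555555"
              "&AADTenantId=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")

if __name__ == "__main__":
    text, dropped = build_intune_csv(SAMPLE_INVENTORY)
    print(text, end="")
    for serial, reason in dropped:
        print("rejected %s: %s" % (serial, reason))
    print(check_enrollment_url(SAMPLE_URL, "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"))
```

Run it once against your real inventory export and the real URL before the import; the rejected rows tell you what to fix, and a tenant mismatch means you copied the URL from the wrong Intune tenant.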
Prepare device in Apple Configurator
To prepare a device for supervised mode you must first disable Find My iPhone (Activation Lock), otherwise Apple Configurator cannot erase and prepare the device. On the iOS device:
- Go to Settings
- Tap your name
- Tap iCloud
- Tap Find My iPhone
- Disable Find My iPhone
Next, connect the device to a macOS device and start the Apple Configurator 2 application. The connected iOS device appears in the device list.
Select the device and click Prepare; this starts a wizard that puts the device into supervised mode.
Next we need to configure MDM enrollment. Choose Manual, since we are supplying the enrollment URL ourselves rather than using DEP.
Click Next and select New Server. Click Next.
Supply a name and paste the URL we saved from the Intune portal earlier.
Click Next.
Review the certificates presented for the MDM server (Intune) and check that they are the ones you expect before trusting them, then click Next.
Leave Supervise devices enabled. Allow devices to pair with other devices is optional: if you leave it disabled, the prepared device will only pair over USB with a Mac that holds the supervision identity, which is usually what you want for a locked-down device. Click Next.
Configure the company information and choose Generate a new supervision identity. Keep (export and back up) this supervision identity: it is stored in the keychain of this Mac, and without it you will not be able to manage the device over USB later.
Click Next and configure the screens you would like to show to the user while setting up the device.
Click Prepare.
Apple Configurator will now prepare the iOS device, which must stay connected over USB to the Mac; the device will be erased.
Note: make sure there is a SIM in the device so that Apple Configurator can complete the activation process.
While the device is being wiped it is activated automatically and configured in supervised mode.
Device experience
After the device has been erased and rebooted, it is ready for the user.
Select the Wi-Fi network or connect via 4G to get Internet access.
Tap Apply configuration and Tap Next.
The configuration is applied to the device and it is enrolled automatically. If you enabled user affinity, the user must authenticate with their user account.
After authenticating, the management profile is downloaded and installed on the device.
Next the user needs to accept the terms and conditions.
After the user has accepted the terms and conditions, the iOS device is ready for use and can be managed via Microsoft Intune. If you enabled user affinity, you can deploy policies and profiles to both the device and the enrolled user. If you did not, you can only deploy policies to devices via an (AAD) device group.
Note: The last figure is taken from a device enrolled without user affinity
If we look at the figure of an iPad that was enrolled with user affinity, you can see that besides, for instance, the home screen layout, other profiles are deployed as well.
Till next time!
Hello Peter
Thank you for a useful guide on enforcing Intune on Apple devices. I was just wondering, have you come across a method to force MDM enrolment (so that the device stays enrolled, stopping a user from being able to un-enrol it from Intune)?
I want to deploy a large group of iPads, but really need to know that once enrolled they will not be unenrolled by a user.
Thanks
Richard
Hi Richard, what you can do is use the Apple Device Enrollment Program to enforce management. Is that something you already looked into?
https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Known-Issue-Profile-error-enrolling-iOS-devices-with-Apple/ba-p/294412
The scenario: When following the steps in this document (Enroll iOS devices with Apple Configurator) for Setup Assistant enrollment, you get “Invalid Profile: The configuration for your iPad/iPhone could not be downloaded from [Your Organization Name]” error after accepting “Apply configuration” on the device.
I created a MacOS profile in Intune without user affinity even though I actually want to have user affinity. But the issue is that if user affinity is switched on, the Apple MacOS device is prompting for a "kind of" random login credentials during the setup phase. Admin account is not working, UPN name / email address is not working ... So unless I know what I have to use or to do with this prompt I can't activate user affinity. Any ideas? The devices are corporate owned and registered on our tenant from the get-go.