1. Home
  2. Training Library
  3. Microsoft 365
  4. Microsoft 365 Courses
  5. Enrolling Apple Devices in Microsoft 365 via Intune

iPad and iOS Enrollment Options

Start course

In this course, we review the enrollment options available and processes to follow for enrolling Apple devices such as iPhones, iPads, and Macs in Microsoft 365. We look at some prerequisites and the options available for enrolling each type of device. We also work through a few hands-on demonstrations.

Learning Objectives

Understand the enrollment options and procedures for enrolling different Apple devices in Microsoft 365.

Intended Audience

  • Anyone who wants to earn a Microsoft 365 certification
  • Anyone who needs to enroll devices in Intune and Mobile Device Manager within Microsoft 365


You will require a basic understanding of Mobile Device Management in Microsoft 365.


Welcome to iOS and iPadOS Enrollment Options! In this lesson, I’m going to introduce you to the options that are available when enrolling iOS and iPadOS devices in Intune. We’re gonna look at supervised Automated Device Enrollment, Apple Configurator, BYOD User and Device enrollment, and MAM-WE. Automated device enrollment used to be called the Apple Device Enrollment Program, or DEP. This option can be used on devices that are owned by the organization. It’s not recommended for user-owned devices. ADE allows you to enroll large numbers of devices without requiring you to ever touch a device. 

You can use ADE to set up automated Intune enrollment for iOS and iPadOS devices that have been purchased through Apple Business Manager or through Apple School Manager, because ADE configures settings, using those services. After purchasing your devices from Apple, they can be shipped directly to your users or organization with your pre-configured settings already configured on them. You then create an enrollment profile in the Endpoint Manager admin center to push your profile to the devices. 

Before attempting to use ADE to enroll iOS and iPadOS devices, you need to ensure that your devices are supported and that you have access to either the Apple Business Manager portal or the Apple School Manager portal, depending on your environment. You also need to ensure that you have an Apple ADE token and that it is active. You should also make sure that you’ve added your Apple MDM push certificate to Endpoint Manager, and that it’s active. 

Before creating your enrollment profile, you’ll need to decide how you want your users to authenticate on their devices. You can use the Company Portal app, the legacy Setup Assistant, or Setup Assistant with modern authentication. Using the Setup Assistant with modern authentication provides the benefits that you see on your screen:

  • You can wipe devices
  • You can use multi-factor authentication
  • you can ensure Users are prompted to update expired passwords when they first sign in
  • They can be prompted to reset expired passwords during enrollment
  • Devices can be registered in Azure AD
  • And those registered devices can use Azure AD features, like conditional access

Setup Assistant with modern authentication should also be used if you want to automatically install the Company Portal app during enrollment, OR if you want to allow users to use their devices, even when the Company Portal app isn't installed.

It’s important to note that Microsoft recommends using either the Company Portal app or the Setup Assistant with modern authentication options for authentication. Intune also supports iOS and iPadOS device enrollment via Apple Configurator, running on a Mac computer. In other words, when using Apple Configurator to enroll iOS and iPadOS devices, you need to connect each device to a Mac computer via USB in order to set up corporate enrollment. 

Apple Configurator offers two ways to enroll devices. It offers Setup Assistant enrollment and Direct enrollment. Setup Assistant enrollment wipes the device and prepares it to enroll during Setup Assistant. When using Setup Assistant, you need the serial number of each device you are enrolling. Direct enrollment enrolls devices through their iOS and iPadOS settings without wiping the devices. I do need to point out, however, that direct enrollment only supports devices with no user affinity. I should also mention that when using direct enrollment to enroll iOS or iPadOS devices with Apple Configurator, you can enroll them without the device serial numbers.

To enroll iOS and iPadOS devices with Apple Configurator, you need physical access to the devices, you need to set your MDM authority, you need to configure your Apple MDM push certificate, and you need USB connection cables to connect your devices to a macOS computer running the Apple Configurator software. As I mentioned a moment ago, you also need device serial numbers if you plan to use Setup Assistant enrollment.

For step-by-step enrollment instructions when using Apple Configurator, visit the URL that you see on your screen. When users have their own BYOD devices, you can allow them to enroll their devices for Intune management. There are three options for enrolling users with their own devices. You can use App Protection Policies, Device Enrollment, and User Enrollment.

App Protection Policies allow for management of BYOD devices only at the app level. They don’t offer management of the devices themselves. However, that said, you CAN secure the devices with a 6-digit complex PIN and use these policies in conjunction with User Enrollment. While App Protection Policies don’t really offer enrollment in the strictest sense, Device Enrollment, however, is the more typical BYOD enrollment option. When using Device Enrollment, you get a range of management options that become available for the enrolled devices.

User Enrollment, at the time of this video recording, is in preview. This option offers a more streamlined enrollment process that provides admins with a subset of device management options. Before we wrap up this introduction to the various iOS and iPadOS enrollment options, I do want to mention MAM-WE.

While MAM-WE isn't a traditional "enrollment" method, it can be used to protect data within apps on devices via app configuration profiles. This method uses app configuration profiles to deploy and configure apps on devices. The devices aren't actually enrolled. Combining this with app protection policies allows you to protect data within the apps on the protected devices.

Organizations typically use MAM-WE to protect BYOD devices or managed devices that require additional security. I should mention that MAM-WE isn’t just for iOS and iPadOS devices. It also works with Android devices and with Windows devices. MAM-WE is a good enrollment option when you need to configure specific apps like Outlook and Teams on BYOD devices, or when you need to control access to these apps on those devices. You shouldn’t use MAM-WE with devices that are owned by your organization.

To read more about MAM-WE, visit the URL that you see on your screen. So, that about wraps it up. I know we covered quite a bit of info, so let’s summarize a bit here. Before you can enroll iOS and iPadOS devices, you need to ensure your devices are supported. You need to set up your Intune infrastructure, including your MDM authority, and you need to get an Apple MDM Push certificate and set it up.

To allow enrollment of user-owned iOS and iPadOS devices, you can use App Protection Policies, Device Enrollment, and User Enrollment. Once you’ve assigned user licenses, your users can download and install the Intune Company Portal app from the App Store, and then follow the enrollment instructions it provides. To enroll organization-owned devices, you can use Automated Device Enrollment, Apple School Manager, Apple Configurator with Setup Assistant, or you can use Apple Configurator direct enrollment.

MAM-WE is also an option in some cases. In the upcoming demonstrations, I’ll show you how to obtain and configure the MDM push certificate, how to create an iOS enrollment profile, and how users can enroll iPhones via the Company Portal.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.