Microsoft Intune: Set Up iOS Web-Based Device Enrollment
Learn how to streamlining iOS device management with Intune's web-based enrollment
Published: Feb 10, 2025
The introduction of iOS web-based device enrollment marked a significant step forward in simplifying how personal devices are managed by Microsoft Intune. As one of two methods now available for enrolling personal iOS devices, the other being the traditional Intune Company Portal app that is obtained from the Apple app store, web-based enrollment offers a faster, more user-friendly experience.
Web-based enrollment is a streamlined entry point, allowing users to enroll their devices directly through a browser, bypassing the need to download the Company Portal app to kick things off. Combined with Just-In-Time (JIT) registration, web-based enrollment minimizes sign-ins during setup through the use of Single Sign-On (SSO).
Here’s a guide to configuring and implementing web-based enrollment for your organization.
Note: I’m not typically an advocate for enrolling personal devices, as Intune App Protection policies often provide a more secure and less intrusive alternative, after all – this is a user’s own device! By managing only the app and its data, App Protection offers a good level of security without requiring full device enrollment. That said, for scenarios where device management is necessary, web-based enrollment provides a much-improved experience.
Configuring Just-In-Time (JIT) Registration
JIT registration improves the overall user experience by reducing authentication prompts and enabling seamless SSO across supported apps. It leverages the Apple SSO extension for tighter compliance integration with Microsoft and non-Microsoft apps.
Follow these steps to configure JIT registration:
- Navigate to Configuration Profiles
- Open the Microsoft Intune admin center and go to Devices > iOS/iPadOS > Configuration profiles.
- Create a New Profile
- Select Create profile and set the platform to iOS/iPadOS.
- Choose Templates > Device features for the profile type.
- Define Profile Basics
- Provide a clear name and optional description for the profile.
- Configure SSO App Extension
- Under Single sign-on app extension, set the type to Microsoft Entra ID.
- Add the following key-value pairs:
browser_sso_interaction_enabled(Integer): Value: “1”device_registration(String): Value:{{DEVICEREGISTRATION}}
- Assign and Deploy
- Add scope tags, configure assignments, and click Create.
Setting up iOS web-based device enrollment in Microsoft Intune
The heart of web-based enrollment is the enrollment profile, which dictates the enrollment experience and enables Safari-based setup. Here’s how to create a web-based enrollment profile:
- From the Intune admin center:
- Go to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment types
- Create a New Profile
- Click Create profile > iOS/iPadOS.
- Name the profile for easy identification.
- Select Web-Based Enrollment
- On the Settings page, choose Web-based device enrollment as the enrollment type.
- Assign and Deploy
- Configure assignments and click Create.
User experience: Enroll an iOS device to Microsoft Intune
With the configurations in place, users can start the web-based enrollment process via their browser or by signing into an app requiring device management. The process includes:
- From the target iOS / iPadOS device, open a web browser and:
- Navigate to the enrollment url: https://portal.manage.microsoft.com/enrollment/webenrollment/ios
- Click Get started to begin.
- Install the Management Profile
- Follow the prompts to allow and install the management profile through the device’s Settings app.
- Complete Setup
- Once the profile is installed, the device appears as managed and compliant in the Company Portal.
Conclusion
Web-based device enrollment simplifies and accelerates the enrollment process for personal iOS devices, offering a streamlined alternative to traditional methods. By leveraging Just-In-Time (JIT) registration, users experience a reduced number of sign-ins and a seamless Single Sign-On (SSO) experience. Optionally, Intune admins can choose to deploy the Company Portal website as a web-clip to devices, so that user’s can see the compliance of their device.
While Intune’s App Protection policies remain my preferred choice for securing corporate data on personal devices, I can fully appreciate where web-based enrollment fills a critical need for scenarios where full device management is unavoidable.