-->
Enroll iOS/iPadOS devices in Intune.; 4 minutes to read; In this article. Intune enables mobile device management (MDM) of iPads and iPhones to give users secure access to company email, data, and apps. As an Intune admin, you can set up enrollment for iOS/iPadOS and iPadOS devices to access company resources.
Enroll your macOS device with the Intune Company Portal app to gain secure access to your work or school email, files, and apps.
Organizations typically require you to enroll your device before you can access proprietary data. After your device is enrolled, it becomes managed. Your organization can assign policies and apps to the device through a mobile device management (MDM) provider, such as Intune. To get continuous access to work or school information on your device, you must configure your device to match your organization’s policy settings.
This article describes how to use the Company Portal app for macOS to enroll, configure, and maintain your device so that you meet your organization's requirements.
What to expect from the Company Portal app
During initial setup, the Company Portal app requires you to sign in and authenticate yourself with your organization. Company Portal then informs you of any device settings you need to configure to meet your organization's requirements. For example, organizations often set minimum or maximum character password requirements that you'll be required to meet.
After you enroll your device, Company Portal will always make sure that your device is protected according to your organization's requirements. For example, if you install an app from an untrusted source, Company Portal will alert you and might restrict access to your organization's resources. App protection policies like this one are common. To regain access, you'll likely need uninstall the untrusted app.
If after enrollment your organization enforces a new security requirement, such as multi-factor authentication, Company Portal will notify you. You'll have the chance to adjust your settings so that you can continue to work from your device.
To learn more about enrollment, see What happens when I install the Company Portal app and enroll my device?.
Get your macOS device managed
Use the following steps to enroll your macOS device with your organization. Your device must be running macOS 10.12 or later.
Note
Throughout this process, you might be prompted to allow Company Portal to use confidential information that's stored in your keychain. These prompts are part of Apple security. When you get the prompt, type in your login keychain password and select Always Allow. If you press Enter or Return on your keyboard, the prompt will instead select Allow, which may result in additional prompts.
Install Company Portal app
- Go to Enroll My Mac.
- The Company Portal installer .pkg file will download. Open the installer and continue through the steps.
- Agree to the software license agreement.
- Enter your device password or registered fingerprint to install the software.
- Open Company Portal.
Important
Microsoft AutoUpdate might open to update your Microsoft software. After all updates are installed, open the Company Portal app. For the best setup experience, install the latest versions of Microsoft AutoUpdate and Company Portal.
Enroll your Mac
Mac Management Apartments
Sign in to Company Portal with your work or school account.
When the app opens, select Begin.
Review what your organization can and can't see on your enrolled device. Then select Continue.
If prompted to, enter your device password on the Install management profile screen.
On the Confirm device management screen, select Open System Preferences.
Your device's system preferences will open. Select Management Profile from the device profiles list and then select Approve > Approve.
Return to Company Portal and select Continue.
Your organization might require you to update your device settings. When you're done updating settings, select Check settings.
When setup is complete, select Done.
Troubleshooting and feedback
If you run into issues during enrollment, go to Help > Send Diagnostic Report to report the issue to Microsoft app developers. This information is used to help improve the app. They'll also use this information to help resolve the problem if your IT support person reaches out to them for help.
After you report the problem to Microsoft, you can send the details of your experience to your IT support person. Select Email Details. Type in what you experienced in the body of the email. To find your support person's email address, go to the Company Portal app > Contact. Or check the Company Portal website.
Additionally, the Microsoft Intune Company Portal team would love to hear your feedback. Go to Help > Send Feedback to share your thoughts and ideas.
Unverified profiles
When you view the installed mobile device management (MDM) profiles in System Preferences > Profiles, some profiles might show an unverified status. As long as the management profile shows a verified status, you don’t need to be concerned.
The management profile is what defines the MDM channel connection. As long as the management profile is verified, any other profiles delivered to the machine via that channel inherit the security traits of the management profile.
Updating the Company Portal app
Updating the Company Portal app is done the same way as any other Office app, through Microsoft AutoUpdate for macOS. Find out more about updating Microsoft apps for macOS.
Next Steps
Still need help? Contact your company support. For contact information, check the Company Portal website.
| title | titleSuffix | description | keywords | author | ms.author | manager | ms.date | ms.topic | ms.service | ms.subservice | ms.localizationpriority | ms.technology | ms.assetid | ms.reviewer | ms.suite | search.appverid | ms.custom | ms.collection |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Microsoft Intune | Set up enrollment of iOS/iPadOS devices in Microsoft Intune. | ErikjeMS | dougeby | conceptual | enrollment | tisilver | MET150 | M365-identity-device-management |
Intune enables mobile device management (MDM) of iPads and iPhones to give users secure access to company email, data, and apps.
As an Intune admin, you can set up enrollment for iOS/iPadOS and iPadOS devices to access company resources. You can let users enroll personally-owned devices, known as 'bring your own device' (BYOD) enrollment. You can also set up enrollment of company-owned devices.
Prerequisites for iOS/iPadOS enrollment
Before you can enable iOS/iPadOS devices, complete the following steps:
- Make sure your device is eligible for Apple device enrollment.
- Set up Intune - These steps set up your Intune infrastructure. In particular, device enrollment requires that you set your MDM authority.
- Get an Apple MDM Push certificate - Apple requires a certificate to enable management of iOiOS/iPadOS and macOS devices.
User-owned iOS/iPadOS and iPadOS devices (BYOD)
You can let users enroll their personal devices for Intune management, know as 'bring your own device' or BYOD. There are three options for enrolling users:
- App Protection Policies give you the lightest BYOD experience, providing management at an app level only. However, if you want to also secure the device with a 6-digit complex PIN, you can use these policies along with User Enrollment.
- Device Enrollment is what you may think of as typical BYOD enrollment. It provides admins with a wide range of management options.
- User Enrollment is a more streamlined enrollment process that provides admins with a subset of device management options. This feature is currently in preview.
After you've completed the prerequisites and assigned user licenses, users can download the Intune Company Portal app from the App Store, and follow enrollment instructions in the app. You can customize the Company Portal privacy statement on iOS/iPadOS devices as explained in privacy statement customization.
Company-owned iOS/iPadOS devices
Set Up Ios And Mac Management With Microsoft Intune Download
For organizations that buy devices for their users, Intune supports the following iOS/iPadOS company-owned device enrollment methods:
- Apple's Device Enrollment Program (DEP)
- Apple School Manager
- Apple Configurator Setup Assistant enrollment
- Apple Configurator direct enrollment
You can also enroll company-owned iOS/iPadOS devices with a device enrollment manager account.
Device Enrollment Program
Organizations can purchase iOS/iPadOS devices through Apple's Device Enrollment Program (DEP). DEP lets you deploy an enrollment profile “over the air” to bring devices into management. For more information, see Device Enrollment Program.
User enrollment
Intune For Mac Management
User Enrollment gives admins a subset of management options compared to other enrollment methods. For more information, see User Enrollment supported actions, passwords, and other options and Set up iOS/iPadOS and iPadOS User Enrollment.
Apple School Manager
Set Up Ios And Mac Management With Microsoft Intune Software
Apple School Manager is a device purchase and enrollment program for schools. Like DEP, you can deploy a profile to enroll devices in management. Learn more about Apple School Manager.
Mac Management Ventura
Apple Configurator
You can enroll iOS/iPadOS devices with Apple Configurator running on a Mac computer. To prepare devices, you USB-connect them and install an enrollment profile. You can enroll devices with Apple Configurator in two ways:
- Setup Assistant enrollment - Wipes the device, prepares it to run Setup Assistant, and installs the company's policies for the device’s new user.
- Direct enrollment - Doesn't wipe the device and enrolls the device with a predefined policy. This method is for devices with no user affinity.
Learn more about Apple Configurator enrollment.
Use the Company Portal on DEP-enrolled or Apple Configurator-enrolled devices
Mac Management With Intune
Devices configured with user affinity can install and run the Company Portal app to download apps and manage devices. After users receive their devices, they must complete a number of additional steps to complete the Setup Assistant and install the Company Portal app.
User affinity is required to support the following:
- Mobile application management (MAM) apps
- Conditional Access to email and company data
- Company Portal app
How users enroll corporate-owned iOS/iPadOS devices with user affinity
- When users turn on their device, they are prompted to complete the Setup Assistant.
- After completing setup, users are prompted for an Apple ID. They must provide an Apple ID to allow the device to install Company Portal.
- The iOS/iPadOS device automatically installs the Company Portal app from the App Store.
- Users should launch the Company Portal app and sign in using the credentials (like the unique personal name or UPN) that are associated with their subscription in Intune.
- After logging in, enrollment is complete. Users can now use this device with the full set of capabilities.
About corporate-owned managed devices with no user affinity
Devices that are configured with no user affinity do not support the Company Portal and should not have the app installed. The Company Portal is designed for users who have corporate credentials and require access to personalized corporate resources (like email). Devices that are enrolled with no user affinity aren't intended to have a dedicated user sign in. Kiosk, point of sale (POS), or shared-utility devices are typical use cases for devices that are enrolled with no user affinity.
If user affinity is required, be sure that the device’s enrollment profile has User Affinity selected before enrolling the device. To change the affinity status on a device, you must retire the device and reenroll it.