Set up iOS/iPadOS device enrollment with Apple Configurator

Microsoft Intune 4 Minutes

Scenario

Setting up device enrollment with Apple Configurator, organizations can ensure that their company owned devices can be managed with additional features (Supervised Mode) and will also avoid activation lock of these devices when reallocated.

What is Supervised mode? Apple iOS/iPadOS supervised mode gives administrators more options when managing Apple devices, making it useful for corporate-owned devices deployed at scale. For a list of settings which require supervised mode, see iOS device restriction settings in Intune.

Before we continue, we need to ensure that we have the following requirements in place.

  • macOS computer running Apple Configurator 2.0
  • iOS Device and USB connection cables
  • Set MDM authority
  • An Apple MDM push certificate

In this blog I will focus on Setup Assistant enrollment using Apple Configurator 2. This method wipes the device and prepares it to enroll during Setup Assistant. These steps are required for each corporate device.

Create an Apple Configurator Profile

We first need to create an Apple Configurator Profile that we will use during the enrollment using Apple Configurator 2.0.

  1. In the Microsoft Endpoint Manager admin center, Click Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple Configurator.
  1. Click Profiles > Create.
  2. Under Create Enrollment Profile, type a Name and Description for the profile for administrative purposes.
  3. ForĀ User Affinity, choose Enroll with user affinity.
    • Enroll with user affinity – Choose this option for devices that will be given to a user to use the company portal for services like installing apps. The device must be affiliated with a user with Setup Assistant and can then access company data and email.
    • Enroll without User Affinity – Choose this option for devices unaffiliated with a single user. Use this for devices that perform tasks without accessing local user data. Apps requiring user affiliation (including the Company Portal app used for installing line-of-business apps) won’t work. Required for direct enrollment.
      Note
      When Enroll with user affinity is selected, make sure that the device is affiliated with a user with Setup Assistant within the first 24 hours of the device being enrolled. Otherwise enrollment might fail, and a factory reset will be needed to enroll the device.
  4. For Select where users must authenticate, choose Company Portal
  5. Click Next
  6. Click Create to save the profile.

Setup Assistant enrolment

Before we start enrolling devices, we need to add their serial number in Intune.

  1. Create a two-column, comma-separated value (.csv) list without a header. Add the serial number in the left column, and the details in the right column. The current maximum for the list is 5,000 rows. In a text editor, the .csv list looks like this:

F7TLWCLBX196,device details
DLXQPCWVGHMJ,device details

  • In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple Configurator > Devices > Add.
  • Select an Enrollment profile to apply to the serial numbers you’re importing. If you want the new serial number details to overwrite any existing details, choose Overwrite details for existing identifiers.
  • Under Import Devices, browse to the csv file of serial numbers, and select Add.

Export the profile

Now that we have created the profile we will need to export the profile from Intune as a URL to be imported in Apple Configurator.

  1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple Configurator > Profiles > choose the profile to export.
  2. On the profile, select Export Profile.
  3. Copy the Profile URL. You can then add it in Apple Configurator to define the Intune profile used by iOS/iPadOS devices.

Enroll devices with Setup Assistant

  1. On a Mac computer, openĀ Apple Configurator 2.
    •  Warning
      Devices are reset to factory configurations during the enrollment process. As a best practice, reset the device and turn it on. Devices should be at the Hello screen when you connect the device. If the device was already registered with the Apple ID account, the device must be deleted from the Apple iCloud before starting the enrollment process. The prompt error appears as “Unable to activate [Device name]”.
  1. In the menu bar, choose Apple Configurator 2, and then select Preferences.
  1. In the preferences pane, select Servers and choose the plus symbol (+) to launch the MDM Server wizard.
  1. Enter the a Name and for the Host name or URL, enter the enrollment profile URL exported from Intune in Step 3 above. Click Next.
  1. Connect the iOS/iPadOS mobile devices to the Mac computer with a USB adapter.
  2. Select the iOS/iPadOS devices you want to manage, and then click Prepare.
  1. On the Prepare iOS/iPadOS Device pane, select Manual Configuration and Supervise devices, and then click Next.
  1. On the Enroll in MDM Server pane, select the server name you created, and then click Next.
  1. On the Assign to Organization pane, choose the Organization or create a new organization, and then click Next.
  1. On the Configure iOS/iPadOS Setup Assistant pane, select the steps to be presented to the user, and then click Prepare. If prompted, authenticate to update trust settings.
  1. When the iOS/iPadOS device finishes preparing, disconnect the USB cable.

Distribute devices

The devices are now ready for corporate enrollment. Turn off the devices and distribute them to users. When users turn on their devices, Setup Assistant starts.

Setup Assistant User Experience

After users receive their devices, they must complete the Setup Assistant. Depending on the settings configured Step 9 above the user experience will differ.

  1. Powering on the device the user will be prompted to connect to a Wi-Fi network and then tap Next
  1. Next the user will select to apply the configuration and tap Next
  1. The user will enter their corporate credentials and tap Next
  1. User might be prompted to enter an Apple ID and the Company Portal application will be installed.
  2. Users will be required to open the Company Portal application to complete the setup and any configuration will be applied ie. Passcode

Author

Published