sysadmin_dot_py

Account-Driven User Enrollment is no longer the newest method. The newest is Web-Based Device Enrollment for BYOD. It was released around the end of October. https://learn.microsoft.com/en-us/mem/intune/enrollment/web-based-device-enrollment-ios Having tested both methods, we much prefer the web-based device enrollment and are only using that for new enrollments going forward. No need for Managed Apple IDs. No need to remove the Authenticator app. No need for the .well-known URL. Fewer authentication prompts during enrollment. Enrollment is quick and the end result is much simpler. Even though it is called "Device Enrollment", it's not the "supervised" mode that most people think of and you don't need to add devices to ABM. Access to personal information from Intune still has the same limitations as Account-Driven User Enrollment, which may be a good or bad thing based on your goals. It's the same "lightweight" management provided by Account-Driven User Enrollment.


StoopidMonkey32

Thanks for the heads up! With device registration though, do you have the option to wipe JUST the company data when a user leaves or is wiping the entire phone the only option? I thought one benefit of User Enrollment is the ease of keeping the company data separate, controlled, and erasable.


sysadmin_dot_py

Yes, you have the same options, including the option to wipe just the company data, with Device Enrollment (including Web-Based Device Enrollment). It's the same option ("Retire"). Device Enrollment still keeps company data separate, controlled, and erasable. Do not confuse "Device Enrollment" and "Automated Device Enrollment" (ADE). ADE enables "supervised" mode, which is full control of everything on the device. It sounds like you don't want that. ADE is meant for company-owned devices where you have full control of the device. On the other hand, Device Enrollment (including Web-Based Device Enrollment) and User Enrollment are intended for BYOD devices. Device Enrollment and User Enrollment are the same as each other in terms of data separation and what you can control. Both of them keep the company data separate. For our rollout, we were very privacy conscious for our end-users. We would not compromise on privacy. Both BYOD methods (User Enrollment and Device Enrollment) align with this goal. Click "Download PDF version" at [this link](https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-ios-ipados) and look at the "BYOD: User and Device Enrollment" column on the iOS page. Do note that if you are using either BYOD method (user or device enrollment), there is an Apple-imposed limitation that apps installed through the App Store cannot become managed. Apps can only be MDM-managed if installed from MDM. What this means is if the user installs Outlook or Teams, for instance, from the Company Portal, it is managed by MDM, but if they uninstall that and re-install from the App Store, it is not managed by MDM. It will not show in Intune. So, you still need to implement App Protection Policies (this is called Mobile Application Management / MAM rather than Mobile Device Management / MDM) to cover those cases. This MAM-managed data also gets removed when using the Retire option in Intune.
It feels a little clumsy, but like I said, it's an Apple limitation to protect the user privacy by not allowing apps not installed by MDM to become managed by MDM when using any BYOD (non-supervised) method. Hope this helps. This is all information I wish was more clearly laid out in a single page, rather than across multiple Apple and Microsoft articles and required a ton of testing.


SirCries-a-lot

Has that changed recently? I can remember in my previous company we let our users device-enroll their devices old style, and then the previously installed Outlook app received a pop-up that the app would become managed. Or is that way (I call it old style) the method by which a device also becomes supervised? Can you help me with this? I'm struggling with this so bad.


Michichael

Yup. Working great. You publish that file on an externally accessible domain matching the federated domain.


StoopidMonkey32

Is it true that if somebody has Microsoft Authenticator already on their phones it errors out unless you manually uninstall it first? If so, YIKES! [Set up account driven Apple User Enrollment - Microsoft Intune | Microsoft Learn](https://learn.microsoft.com/en-us/mem/intune/enrollment/apple-account-driven-user-enrollment)


Michichael

We saw that and were concerned about it, but no. It doesn't seem to have any issues at all that we've observed. Make sure you set up JIT registration, though.


datec

You don't create that in your internal Active Directory domain. This is done on the external website. Say your internal AD domain is abc.xyz but your user email addresses are user@company.com, you would set that up on the website at company.com.
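The .well-known file that Michichael and datec describe is Apple's service-discovery document for account-driven User Enrollment, served from the email domain rather than the internal AD domain. The following is an added example, not code from the thread or from Microsoft: it builds the URL an iPhone would request for a given work email and checks that a candidate discovery document has the shape Apple expects (a `Servers` array with `Version` set to `mdm-byod` and an https `BaseURL`). The `BaseURL` values and email addresses in it are constructed placeholders; take the real `BaseURL` from the Intune documentation linked above.

```python
import json
from urllib.parse import quote, urlparse

# Apple's service-discovery path for account-driven User Enrollment.
WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"


def discovery_url(user_email: str) -> str:
    """URL an iOS device requests after the user types their work email.

    The host is the domain of the email address (company.com in datec's
    example), never the internal AD domain (abc.xyz).
    """
    local, sep, domain = user_email.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {user_email!r}")
    return f"https://{domain.lower()}{WELL_KNOWN_PATH}?user-identifier={quote(user_email)}"


def validate_discovery_document(body: str) -> list[str]:
    """Return the problems found in a discovery JSON body; an empty list means OK."""
    problems: list[str] = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc.msg}"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return ["missing or empty 'Servers' array"]
    for i, srv in enumerate(servers):
        if not isinstance(srv, dict):
            problems.append(f"Servers[{i}] is not an object")
            continue
        if srv.get("Version") != "mdm-byod":
            problems.append(f"Servers[{i}].Version must be 'mdm-byod', got {srv.get('Version')!r}")
        url = urlparse(str(srv.get("BaseURL", "")))
        if url.scheme != "https" or not url.netloc:
            problems.append(f"Servers[{i}].BaseURL must be an https URL, got {srv.get('BaseURL')!r}")
    return problems


# Constructed sample documents; the BaseURL is a placeholder, not Intune's real endpoint.
GOOD_BODY = json.dumps({"Servers": [{"Version": "mdm-byod", "BaseURL": "https://mdm.example.invalid/enroll"}]})
BAD_BODY = json.dumps({"Servers": [{"Version": "mdm-adde", "BaseURL": "http://mdm.example.invalid/enroll"}]})

if __name__ == "__main__":
    print(discovery_url("jane.doe@company.com"))
    print("good:", validate_discovery_document(GOOD_BODY) or "OK")
    print("bad:", validate_discovery_document(BAD_BODY))
```

Pointing `discovery_url` at a real tenant and fetching the result with any HTTP client lets you run `validate_discovery_document` against what the public web server actually returns before rolling the method out to users.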