Tag: Enrollment

Comprehensive Android Device Onboarding Checklist for M365 Business Premium

bp1

Onboarding an Android phone into Microsoft 365 Business Premium (which includes Microsoft Intune for device management) ensures the device is fully managed and protected. This detailed checklist covers every step – from preparation to post-deployment – including security configurations, policies, and ongoing management. Follow the sequence below to set up the Android device securely and keep it compliant with your organisation’s standards.

Step-by-Step Onboarding Process

  1. Prepare the M365 Environment for Android Management

    • Verify Licensing & Access: Ensure the user is assigned a Microsoft 365 Business Premium license (this license includes Intune for Mobile Device Management). Also, have administrator access to the Microsoft 365 admin center and Endpoint Manager (Intune) portal.

    • Intune Tenant Preparation: Confirm Intune is set as the MDM authority (in modern tenants Intune is already the default). If not done previously, set up Intune by signing in to the Endpoint Manager admin center and reviewing enrollment preparation steps. For example, verify your tenant’s enrollment restrictions and device limit settings to allow Android enrollments.

    • Link Intune to Managed Google Play: Configure Android Enterprise integration by connecting Intune to a Managed Google Play account[1][2]. This is required for managing Android devices. In the Endpoint Manager portal, navigate to Devices > Android > Android Enrollment and connect your Intune account to Managed Google Play. Follow the on-screen steps to sign in with a corporate Google account and grant permissions[1]. Result: Intune is linked with Google Play, and the Company Portal app (and other Android Enterprise system apps) will be made available to devices automatically[2].

    • Choose Android Management Mode: Decide on the management mode. For corporate-owned devices that will be fully controlled by IT, use Android Enterprise Fully Managed (formerly COBO – Corporate Owned, Business Only)[1]. (For BYOD personal devices, you’d use Work Profile mode, but this guide focuses on fully managed corporate devices for maximum control and protection.) Ensure the Android OS version on the phone is supported by Intune and Android Enterprise (generally Android 9.0 or above for fully managed)[3]. If the device was previously enrolled in another MDM or used personally, factory reset it now – fully managed enrollment requires a fresh start[2].

    • Configure Initial Device Settings (Optional): If your organisation uses zero-touch enrollment or Samsung Knox Mobile Enrollment for bulk provisioning, set those up in advance. For Zero-Touch or Knox, you’d upload device IDs to those portals and link to Intune enrollment profiles. Otherwise, plan to enroll via QR code or the Company Portal app. Ensure you have a stable Wi-Fi network available for the device’s enrollment.

  2. Define Security Policies in Intune (Compliance & Configuration)
    Before enrolling the device, set up the security policies that will apply upon enrollment. This ensures that as soon as the phone is onboarded, it will receive the required configurations to be secure.

    • Create Compliance Policy: In Endpoint Manager (Devices > Compliance policies), create a new Android compliance policy to enforce your security requirements. Configure rules such as: require a password/PIN on the device (e.g. minimum 6-digit PIN, alphanumeric or complex as needed)[3][3], require device encryption to be enabled[3], set a minimum OS version (e.g. disallow Android versions lower than a certain release)[3], and block jailbroken/rooted devices by enabling Google Play Integrity or SafetyNet checks[3]. You can also mandate that the device is not on a blocked manufacturer/model list if relevant. Define an action for non-compliance (e.g. send user notification or block access after a grace period) – by default, marking the device non-compliant immediately is recommended[3].

    • Create Configuration Profiles: Next, create an Android device configuration profile (specifically an “Device Restrictions” profile for fully managed Android Enterprise). In Endpoint Manager (Devices > Configuration profiles), set restrictions to harden the device. Recommended settings include: disable USB file transfers and external media access to prevent data leaks[3]; block screen capture and screen recording; disable installation from unknown sources (to stop unapproved apps); enforce Google Play Protect app scanning (Threat Scan on apps: Require to ensure malware scanning is active)[3]; require device encryption if not already enforced via compliance; and enable other desired restrictions (e.g. block Bluetooth file sharing, block factory reset by the end-user[3], and force automatic system updates installation on a schedule). Also consider enabling biometric unlock (fingerprint/face) if available for user convenience on top of PIN – Intune can require biometrics for unlock via policy[1].

    • Email and App Configuration (Policy): If you plan to use the native email app (Gmail) for work email, create an “Email profile” configuration profile (with Exchange Online details) to push to the device. However, the recommended approach is to deploy Outlook (covered in the next step) instead of using native email. You can also prepare App Configuration policies for certain apps if needed (for example, pre-configure Outlook’s settings or require a PIN within Outlook app using an App Protection Policy).

    • Conditional Access (Integration with Azure AD): Set up a conditional access policy in Azure AD (if not already) to require device compliance for accessing corporate resources. For example, enforce that only devices marked Compliant by Intune (meaning they meet the above policy conditions) can access Exchange Online, SharePoint, Teams, etc.[4]. This ties the Intune compliance policy to actual access control, ensuring unmanaged or non-compliant devices are blocked from M365 data. (Note: Conditional Access requires Azure AD Premium, which is included in Business Premium.)
    • Review and Save Policies: Save and deploy these policies to the target user or device groups (e.g. to “All corporate devices” or specific user groups). Result: With compliance and configuration profiles in place, any enrolled device must adhere to these security requirements to be deemed compliant and maintain access[4].

  3. Enroll the Android Device into Intune (M365 Management)
    Now that the backend is prepared, proceed to enroll the phone. There are a few enrollment methods for a fully managed device – here we use the QR code method (suitable for Android Enterprise fully managed) or the Company Portal app method:

    • Generate Enrollment QR Code/Token: In Endpoint Manager, go to Devices > Android > Android Enrollment > Enrollment Profiles. Create a “Corporate-owned, fully managed user device” enrollment profile if you haven’t already[1]. Intune will provide an enrollment token (string code) and an option to get a QR code. This QR code or token will be used on the device during setup. (If using Android’s Zero-Touch enrollment or Samsung Knox, you would assign this profile to the device in those portals instead.) For a streamlined experience, the QR code is very convenient – it embeds the enrollment token and Intune’s info.

    • Factory Reset & Initial Setup: Ensure the Android phone is factory reset. Turn on the device (or if just reset, start the setup wizard). Follow the initial prompts (select language, connect to Wi-Fi, etc.). When prompted to sign in or when you reach a screen for device management, use the enrollment method:
      • QR Code enrollment: Tap multiple times on the welcome screen (or in setup, choose “Perform QR code enrollment” if available). Scan the QR code from Intune using the device’s camera. This will automatically configure the device to enroll in Intune.

      • Token entry enrollment: Alternatively, in the Wi-Fi selection screen, you can enter the code afw#setup in the Wi-Fi SSID field (this triggers Android Enterprise setup) and then you will be prompted to enter the enrollment token manually (or sign in to Google to retrieve it). Enter the enrollment token from Intune to proceed.

      • Company Portal app (for BYOD or if already set up): If the device was not factory reset (for example, if doing a personal device with work profile), the user could simply install the Intune Company Portal app from Google Play, launch it, and sign in with work credentials to enroll. In our fully managed scenario, the QR code method is more automated and ensures full control.
    • Intune Enrollment Process: After scanning the QR code or entering the token, the device will automatically download and install the Intune Company Portal and related management apps. It will prompt for the user’s Azure AD (M365) credentials. Sign in with the company (work) account when prompted (this binds the device to the user in Azure AD). The device will then enroll into Intune – you’ll see screens indicating the device is being managed by your organization.

    • Apply Corporate Profile: The enrollment profile will apply, marking the device as corporate-owned. The device may also set up a work Google account silently to manage Managed Play apps. The phone will likely enforce a PIN code setup at this point if your compliance policy requires one. Follow any on-screen instructions (e.g. “create a work profile” or “set a PIN to secure your device”). For fully managed devices, the entire device is now under management (not just a work profile).

    • Network & Sync: Ensure the phone stays connected to the internet during this process. Intune will start pushing down the configurations and apps assigned to this device/user. This can take a few minutes.

    • Verification: In the Endpoint Manager portal, you can check Devices > All Devices, and you should see the new Android phone appear in the list once enrollment is complete. It will show as “Compliant” or “Not compliant” depending on whether it has finished applying policies. (At first, it might be non-compliant until all policies are applied – this is normal. The device will continuously sync until it meets the compliance criteria.)

  4. Deploy and Configure Microsoft 365 Apps (Email, Teams, etc.)
    To ensure productivity and security, install the required Office/M365 applications on the device through Intune and configure them properly:

    • App Deployment via Managed Play: Using Intune’s integration with Managed Google Play, you should have added key apps in advance. If not done yet, go to Apps > Android Apps in Intune, and Add apps from the Managed Google Play store. Search and add apps like Microsoft Outlook, Microsoft Teams, OneDrive, Office (Mobile), Microsoft Authenticator, and any other required apps (such as Line of Business apps)[1]. Assign these apps to the device or user group (as “Required” for corporate devices so they install automatically)[1]. Intune will then push these apps to the enrolled phone.

    • Email Configuration: Outlook Mobile is the recommended email client. Once Intune pushes Outlook and it installs on the phone, the user should launch Outlook. The app may auto-detect the user’s account (through single sign-on with the managed device) or prompt the user to add their Office 365 email account. The user should sign in with their work credentials. Because the device is marked compliant (and conditional access is in place), the email account will successfully configure and start syncing mail. If you instead use the native email app, ensure an email profile policy was sent or instruct the user to add the account via system settings (and expect a prompt to enforce Device Administrator if Office 365 MDM was not already in effect – but since Intune MDM is handling it, Outlook is simpler).

    • Other App Sign-ins: Have the user open other apps like Teams and OneDrive – these should similarly either SSO sign-in or prompt for login with the work account. Verify that each app works and that policies like App Protection (if configured) are applied (for instance, if you set an App Protection Policy, it might require a PIN when opening Outlook or prevent copying data from Outlook to personal apps).

    • Policy Enforcement on Apps: Thanks to the earlier Managed Google Play setup, all apps deployed are the approved versions. Intune can manage permissions for certain apps if configured (for example, you can pre-grant or deny permissions to apps through the Device Restrictions profile). Ensure that Microsoft Defender (if your organisation uses it for mobile threat defense) is also deployed (see next step for more on Defender).

  5. Verify Device Compliance and Security Settings
    At this stage, the phone is enrolled and apps installed. Now verify that all security configurations are in effect and the device is compliant:

    • Compliance Check: On the device, open the Company Portal app. It should show the device status as compliant (green check) or list any actions needed. If any compliance item is missing, the Company Portal will typically prompt the user (for example, “Set a device PIN of at least 6 digits” if the user hadn’t done so, or “Encrypt your device” if encryption wasn’t automatic). Follow any prompts to resolve outstanding issues. Modern Android devices usually encrypt by default when a PIN/password is set, satisfying the encryption requirement automatically[3].

    • Intune Portal Status: In the Endpoint Manager admin center, check the device’s Compliance status. It should be Compliant if all policies are met. If it shows Not Compliant, review which setting is not met. Common causes: the user hasn’t set a required PIN or the device is still installing a required update or app. You can select the device in Intune and view Device Compliance to see a per-setting report. Resolve any outstanding compliance issues by either adjusting the device settings or updating the policies if necessary.

    • Security Policy Enforcement: Verify specific configurations: try taking a screenshot on the device – if you set “block screen capture,” it should be disabled by policy[1]. Attempt to plug the phone into a PC via USB – with USB data transfer blocked, the phone’s storage should not be accessible[3]. These tests confirm that the device restrictions profile is active. Also check that the required PIN complexity is enforced (e.g., try setting a too-simple PIN to see if it gets rejected as per policy).

    • Defender for Endpoint (Optional): If Microsoft Defender for Endpoint (part of Defender for Business in M365 Business Premium) is being used, ensure the Defender app is installed and onboarded. (Intune can deploy the Defender app just like other apps[1][1]. After installation, the user should open the Defender app and sign in to activate it[1][1]. Once onboarded, the device will show up in the Defender portal with its threat status.) This adds an extra layer of protection by scanning for malicious apps, phishing SMS, unsafe network connections, etc.

    • Encryption Status: Confirm the device storage is encrypted. On the phone, you can usually see this under Settings > Security > Encryption (it might say “Encrypted” if all is well). Intune can also report encryption status as part of compliance. This ensures data on the phone is protected if the device is lost.

    • Corporate Data Separation: Although this is a fully managed device (all data is corporate-managed), if any work/personal profile distinction exists (in COPE scenarios), verify that policies for data separation are applied (e.g. copying data from work apps to personal apps is restricted). In our fully managed case, all apps are corporate, so all data is under management and protected by policies like App Protection or the device encryption.

    • Compliance Reports: Intune provides compliance reports and dashboards. Use Devices > Monitor > Compliance in the portal to see an overview of device compliance across your organisation. Ensure this newly onboarded device appears with green status. Monitoring these reports regularly is important for ongoing compliance[5].

  6. Enable and Test Device Management Features
    With the device now managed, you have various remote management capabilities to secure and support it throughout its lifecycle:

    • Remote Wipe / Reset: In Intune, locate the device and test a Retire or Wipe command (caution: do this only for testing if you have no real data on the device, or just be aware of the capability). A Retire action removes the company’s data and management profiles but leaves personal data intact[6]. A Wipe fully resets the device to factory settings, erasing all data[6]. Use Retire for employee personal devices when they leave the company, and use Wipe if a device is lost/stolen or being reissued to someone else. Verify: If possible, simulate a Retire on a test device – the Company Portal and managed apps should get removed, and the device will lose access to corporate email (this demonstrates your ability to protect data if needed). Cancel or avoid a full wipe unless you are ready to reset the device.

    • Remote Lock and Passcode Reset: Intune supports remote locking of a device and resetting the passcode. These actions can be initiated from the device’s page in Endpoint Manager. This is useful if a device is misplaced or the user forgets their PIN. (Fully managed Android devices may support these commands – verify on a test device.)

    • Device Encryption Enforcement: We already required encryption via compliance. If the device for some reason wasn’t encrypted, Intune would mark it non-compliant. There isn’t usually a separate action needed, as modern Android will encrypt upon setting a PIN. However, it’s worth noting for older devices: you might instruct the user through Company Portal to enable encryption if it didn’t happen automatically. Ensure no one turns encryption off (some devices might allow decrypting via settings – which should also flip compliance to non-compliant).

    • Policy Updates & Sync: Know that you can push policy updates or new configurations anytime. For example, if you want to enable a new Wi-Fi profile or VPN configuration on the phone, you can create a profile in Intune and assign it; the device will receive it on next check-in (devices check in with Intune periodically, or the user can open Company Portal and tap “Check Device Settings” to force a sync).

    • Defender and Threat Management: If using Defender, you can view device risk in the Defender Security portal. Intune can also take action based on device risk (via compliance policies integrating with Defender threat level). Make sure Defender is actively protecting the device (run a test EICAR virus file if you want to see if Defender catches it, for example).

    • User Support Abilities: In the Company Portal, the user can see company contacts or support info (you can customise the Company Portal branding and contact details in Intune). It’s good practice to configure Help Desk information there so users know how to get assistance. Also, the user can use the Company Portal to see which policies are applied, which apps are available, and initiate a sync or check compliance. Encourage users to familiarize themselves with the Company Portal app.

  7. Manage Operating System and App Updates
    Keeping the device up-to-date is critical for security. Microsoft Intune provides mechanisms to manage Android OS updates for corporate devices:

    • Configure System Update Policy: In your Device Restrictions configuration profile (created earlier), use the System update settings to control how updates are applied[7]. Options include: using the device default (updates auto-install when idle, charging, on Wi-Fi), forcing automatic install ASAP (no user delay)[7], or postponing updates for a defined period (e.g. postpone up to 30 days)[7]. You can also set a maintenance window for updates (so updates install during off-hours)[7]. For example, you might allow automatic nightly updates or weekend updates to minimise disruption.

    • Enforce Updates (Don’t Rely on Users): It’s best practice not to rely on end users to install OS patches[7]. Intune policies ensure updates happen so that users cannot indefinitely defer important patches[7]. For instance, if an update is deferred 30 days, Intune will prompt or force installation after that. Make sure devices are set to a schedule that balances security with usability (and communicate this to users so they know their device may reboot for updates at designated times).

    • App Updates via Managed Play: Apps deployed through Managed Google Play will be updated automatically via the Play Store (according to Play Store policies). Intune itself doesn’t directly schedule app updates, but by using Managed Play, you ensure the user cannot disable auto-updates for those apps. Periodically check in the Managed Play store if critical apps (e.g. Outlook, Teams) have updates that might require admin approval (for apps in Managed Play, you might need to approve new versions depending on your Play enterprise settings – the default is usually automatic approval).

    • Monitor Update Compliance: Use Intune’s Reports (under Devices > Monitor > Software update status for Android) to see the OS update status of devices. Ensure all devices, including this one, are not running significantly outdated patch levels. You can also enforce compliance by setting a Minimum Android security patch level in the compliance policy if desired (for example, require that the device’s security patch date is no older than 2 or 3 months)[3]. This will mark devices non-compliant if they fall behind on security updates, adding pressure to get them updated.

    • Plan for Upgrade Cycles: When Android releases major new versions, test them with your policies. Intune allows setting a minimum or maximum OS version in compliance, so update those rules over time as you

References

[1] Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune

[2] Android device enrollment guide for Microsoft Intune

[3] Android Enterprise security configurations for corporate-owned fully …

[4] How Conditional Access Works in M365 Business Premium

[5] iPhone Onboarding into M365 Business Premium Step-by-Step Guide

[6] Administrative Intune Offboarding

[7] Admin checklist for Android software updates in Microsoft Intune

iPhone Onboarding into M365 Business Premium: Step-by-Step Guide

bp1

Overview:
This guide provides a comprehensive checklist for onboarding an iPhone into Microsoft 365 Business Premium (which includes Microsoft Intune) so that the device is fully managed and protected. It covers initial setup, detailed step-by-step enrollment procedures, specific security configurations, ongoing management tasks, and compliance considerations. By following this checklist, your organisation can ensure iPhones are enrolled in Mobile Device Management (MDM), secured with best-practice policies, and compliant with relevant standards.

Prerequisites and Preparation

Before enrolling an iPhone in M365 Business Premium/Intune, make sure the following prerequisites are in place:

  • Licenses and Accounts:

    • The user must have a valid Microsoft 365 Business Premium license (which includes Intune). Ensure the user’s account has an Intune license assigned[1].

    • You must have appropriate admin roles in Intune (e.g. Intune Administrator or Policy and Profile Manager) to perform the setup.

  • Device Requirements:

    • The iPhone should be running a supported iOS version (iOS 14.0 or later is required for Intune enrollment)[1][2]. Newer iOS versions are recommended.

    • The device should be factory reset or not previously MDM-enrolled. Remove any existing management profiles or accounts from the iPhone. (On the device, check Settings > General > Device Management; if a management profile is listed, remove it before proceeding[2].)

  • Network and Apps:

    • The iPhone has a reliable Wi-Fi or mobile data connection (maintain connectivity throughout the enrollment)[1].

    • The Safari browser (built-in) should be available for profile installation during enrollment[1].

    • Install the Intune Company Portal app from the Apple App Store on the iPhone[1]. This app is used for user-driven enrollment and device compliance checks.

  • MDM Setup in Microsoft 365:

    • Set MDM Authority: Verify that Intune is enabled as the Mobile Device Management authority in your tenant (for new M365 tenants this is usually already the case).

    • Apple MDM Push Certificate (APNs): Set up an Apple Push Notification Service certificate in Intune before any iOS device enrollment[2]. This certificate allows Intune to manage Apple devices.

    • In the Intune admin center, navigate to Devices > Enroll devices > Apple enrollment > Apple MDM Push certificate. Follow the steps to create and download a Certificate Signing Request (CSR), then upload it to Apple’s Push Certificates Portal to obtain the APNs certificate, and finally upload that certificate to Intune[1][1].

    • Note: The APNs certificate must be renewed annually. It’s tied to an Apple ID (use a company Apple ID email account for this). Intune will warn you as the expiration approaches; renew the certificate before it expires to avoid losing the ability to manage iOS devices[2].

  • Apple Business Manager (for Corporate Devices):
    If your organisation uses Apple Business Manager (ABM) or Apple School Manager for corporate-owned iPhones, integrate it with Intune for Automated Device Enrollment (formerly DEP). This allows zero-touch setup of devices that are purchased through Apple and makes them supervised (giving greater management control).

    • Ensure devices are added to your ABM account (either by purchasing through ABM or via Apple Configurator for existing devices).

    • In Intune, go to Devices > iOS/iPadOS > Enrollment Program Tokens and create an ABM token by uploading the key from Intune to Apple and vice versa[3][3].

    • Create an enrollment profile in Intune and assign it to the ABM devices (specify supervision, MDM user affinity, etc.)[3][3].

    • Outcome: When a new or erased iPhone is turned on, it will automatically enroll into Intune during setup with the defined management profile[3]. (If you are not using ABM, or for BYOD scenarios, you will use the Company Portal method described below.)

  • Intune Groups and Policies Preparation:

    • Set up Azure AD groups for device or user targeting (for example, a group for “Managed iPhone Users”). This will help in assigning policies and apps.

    • Draft your Compliance Policy and Configuration Profiles for iOS in Intune ahead of time (detailed in the security configuration section). Having these in place ensures that once the device enrolls, it will automatically receive the required settings and be evaluated for compliance[4].

    • Optionally, prepare Company Portal branding and Terms of Use in Intune to show a corporate welcome or usage policy to users during enrollment (this can include an acceptable use policy for mobile devices).

  • User Communication:

    • Plan a communication to the end user (if user-assisted enrollment) explaining the enrollment steps and why device management is needed. End-user guides or an enrollment workshop can improve success rates. Make sure users are aware of what data IT can and cannot see on managed personal devices (privacy notice).

    • Training: Be ready to provide help or training on using the Company Portal app, accessing work resources, and any changes in device behavior after enrollment (such as needing a stronger passcode) – this helps user adoption.

With these prerequisites complete, you are ready to onboard the iPhone into Intune (M365 Business Premium) with full management and security.

Initial Onboarding Steps

Follow these steps to enroll the iPhone in Microsoft 365 Business Premium’s management (Intune):

1. Configure Intune for iOS Management (Admin Task)

  • Intune Portal Access: Sign in to the https://endpoint.microsoft.com with an administrator account.

  • Verify Prerequisites: Double-check that the Apple MDM Push Certificate is configured in Intune[1] and that the user account is properly licensed for Intune (M365 Business Premium assigned)[1].

  • Device Enrollment Restrictions: Optionally, review enrollment restrictions under Devices > Enroll devices > Enrollment restrictions. You can restrict which platforms can enroll (ensure iOS is allowed) or limit enrollment to certain OS versions, device ownership types, etc[2][2]. For example, you might block very old iOS versions or limit personal device enrollments if desired.

2. Create Compliance and Configuration Policies (Admin Task)
Before or immediately after enrollment, apply security configurations by creating policies in Intune. This ensures the device will be fully protected as soon as it’s managed. Key policies include:

  • Device Compliance Policy for iOS: Define the minimum requirements the iPhone must meet to be considered compliant[2]. For instance: require a device passcode, block jailbroken devices, require encryption (on iOS, setting a passcode automatically enables encryption)[2], enforce a minimum OS version, and set other security rules (detailed in the next section). Once created, assign this policy to the relevant user/device group. This policy will evaluate the iPhone after enrollment and mark it as Compliant or Non-compliant according to your rules.

  • Configuration Profiles: Set up any device configuration profiles needed. Examples:

    • Device Restrictions profile: to enforce specific settings (like disallowing backup to iCloud for corporate data, blocking installation of untrusted apps, or preventing removal of the management profile for supervised corporate devices).

    • Wi-Fi or Email profiles: to automatically configure company Wi-Fi networks or email accounts on the device[5] (note: for email, Intune can deploy a managed email profile; requiring the device to use that ensures email is accessed securely[5]).

    • App Deployment: Prepare required app deployments (e.g., Outlook, Teams, OneDrive) or app protections. In Intune, you can assign Managed Apps to the device or user group so they install during or after enrollment.

  • App Protection Policies (MAM): (Optional, mostly for BYOD scenarios) If some users won’t fully enroll devices, you could use App Protection Policies to protect company data at the application level[6][6]. However, since this scenario is for fully managed devices, we assume full enrollment. Still, Intune MAM policies can add an extra layer of data protection for corporate apps (e.g. requiring a PIN in Outlook, blocking data transfer to personal apps)[6][6].

    By setting these policies now, you ensure that as soon as the device is enrolled, Intune will apply all the security requirements automatically.

3. Initiate iPhone Enrollment
Now it’s time to enroll the device. There are two primary enrollment methods depending on ownership:

  • (A) Corporate-Owned Device – Automated Enrollment via Apple Business Manager:
    If the iPhone is company-owned and has been added to Apple Business Manager (ABM):

    • Turn on or reset the iPhone. During the initial setup wizard, after choosing language/region and network, the device will contact Apple’s deployment service and recognize that it is assigned to your organisation’s MDM (Intune).

    • You will see a screen indicating the device will be automatically configured by your organisation. Continue with the prompts. The device will enroll itself over the air into Intune with the settings from the enrollment profile you assigned (no need to manually download a profile)[3][3].

    • Sign in with the user’s work or school (Microsoft Entra/Azure AD) account when prompted. This will register the device to that user in Intune (user affinity) and complete the enrollment.

    • Once finished, the iPhone will be in supervised mode (granting enhanced control) and the Company Portal app may be pre-installed as part of the process. The user might still need to open Company Portal to finalize compliance checks.

      ABM enrollment streamlines the process – it’s largely automatic after initial setup, and the device is fully managed from the start.

  • (B) BYOD or Non-ABM Device – User-Driven Enrollment via Company Portal:
    For personal or non-ABM devices, use the Intune Company Portal app:

    1. On the iPhone, launch the Company Portal app (which was installed earlier).

    2. Sign in with the user’s work Microsoft 365 credentials (email and password). The app will identify that the device is not managed and will begin the enrollment process.

    3. Follow the on-screen prompts in Company Portal. The user will typically tap Begin or Enroll to start. Privacy information is shown; the user should review what the company can and cannot see.

    4. Download Management Profile: The Company Portal will redirect to the Safari browser to download a management configuration profile. When prompted “This website is trying to download a configuration profile”, the user should tap Allow. A message will confirm the profile is downloaded. [2]

    5. Install Management Profile: After the profile is downloaded, the user must go to the iPhone Settings app to install it (Apple requires manual installation for profiles on user-enrolled devices). In Settings, a new item “Profile Downloaded” will appear near the top – tap this, or navigate to General > VPN & Device Management, then under “Downloaded Profile” select the Intune management profile.

    6. Tap Install. The device may prompt for the phone’s passcode to authorize profile installation. A warning about device management will be shown – the user should confirm by tapping Install again, and then Trust when asked to trust the remote management. Now the Intune MDM profile is installed on the iPhone[2]. Tap Done when finished.

    7. Return to the Company Portal app (or the Safari page) to continue any final steps. The Company Portal will complete the enrollment and register the device with Intune.

      The device is now enrolled in Intune as a managed device (in a state often called “MDM enrolled”). The Company Portal app will show the device status and any compliance requirements.

    (Choose the method above that fits the scenario. Both achieve an enrolled, managed iPhone in Intune, but the user experience differs.)

4. Verify Enrollment and Compliance
After enrollment, verify that the iPhone appears in Intune and meets compliance:

  • In the Intune Admin Center, go to Devices > iOS/iPadOS > All devices (or Devices > All devices) and confirm the iPhone is listed, assigned to the correct user, and shows as “Compliant” or “Not compliant”. Initial status might be not compliant until policies apply.

  • Intune will automatically deploy the compliance policy and evaluate the device. If any compliance requirement is not met, the Company Portal will notify the user of what needs to be done. For example, if your policy requires a PIN/passcode or a stronger password, the user will be prompted to set a device passcode to meet the policy[2]. The Company Portal app can guide the user through resolving issues (e.g., setting a new PIN, removing a jailbreak, updating iOS to a required version).

  • Once all conditions are satisfied, the device status in Intune will update to Compliant, meaning it adheres to your organisation’s security rules and can access resources. The user now has access to corporate email, Teams, OneDrive, etc. on the device (or will shortly, once those apps are installed and the device syncs policies).

    Tip: In Intune, you can check Device Compliance > Reports for a compliance overview and drill down into the specific device to see any settings that are not met. Ensure that the device has checked in recently (an initial check-in happens during enrollment).

5. Apply Security Configurations and Policies
Many security settings should already be active thanks to the compliance and configuration profiles applied in Step 2. However, ensure the following configurations are in place (some of these are automatically enforced via the compliance policy, but it’s good to review):

  • Passcode Policy: The iPhone must have a lock screen passcode that meets your requirements. Intune compliance can require a password to unlock the device[5]. Typically, enforce a strong passcode (e.g. at least 6 digits or an alphanumeric code, no simple sequences). You can block simple PINs like “1234” or “111111”[5] and require a mix of characters if using alphanumeric.

  • Device Encryption: iOS devices encrypt all data when a passcode is set. By requiring a passcode, you are also ensuring the device storage is encrypted[5]. No additional action is needed for encryption beyond the passcode requirement (there’s no separate encryption setting on iPhone; it’s automatic).

  • Jailbreak Detection: The compliance policy should mark jailbroken (rooted) devices as noncompliant, effectively blocking them[5][6]. This protects against devices that might be compromised. Intune can’t run on a jailbroken device without being detected – if a device is jailbroken, the user should remove the jailbreak or use a different device.

  • OS Version Requirements: Enforce a minimum OS version (and optionally block specific older OS builds). For example, if you require at least iOS 16.0 for security features, set that in the compliance policy; any device below that will be noncompliant until updated[2][5]. You can also specify a maximum OS version if needed (usually leave this unset unless a future iOS update is known incompatible with some app).

  • Threat Level / Defender Integration: If using Microsoft Defender for Endpoint (MDE), integrate it with Intune compliance. In Intune’s compliance policy for iOS, you can require the device to be at or below a certain threat level as reported by a Mobile Threat Defense solution. With Defender for Endpoint on iOS, you could set “Require the device to be at or under the machine risk score” to, say, Low or Medium[5]. Devices with higher risk (malware detected, etc.) would become noncompliant automatically. (This requires Defender for Endpoint to be deployed on the device – see step 6.)

  • App Configuration: Verify that any necessary managed apps (such as Outlook, Teams, OneDrive, or custom apps) have been installed or are available for the user to install via Company Portal. For email, if you deployed a managed email profile, ensure it’s functioning (the user should see the work email account in Mail app or Outlook configured).

  • Device Restrictions: If you created a device restrictions profile (for supervised devices), ensure settings like prohibiting USB data transfers when locked (USB restricted mode), disabling the ability to factory reset or enroll in other MDM, etc., are applied according to your needs. These settings help lock down corporate devices further. BYOD devices typically wouldn’t have heavy restrictions beyond compliance requirements, to respect user privacy.

    The security configurations above collectively harden the iPhone and align it with corporate policy and compliance standards. Intune will continuously enforce these settings; if the user tries to disable them (for example, removing their passcode), Intune will mark the device noncompliant and can take action.

6. Enable Conditional Access (Enforce Compliance)
To protect company data, set up Conditional Access policies in Azure AD (Entra ID) that require device compliance for accessing cloud resources (like Exchange Online email, SharePoint, Teams, etc.)[6][7]. This step ensures that only managed and compliant iPhones can actually use company apps/data:

  • Go to the Azure AD or Microsoft Entra admin center (Azure AD > Security > Conditional Access). Create a policy named, for example, “Require compliant device for mobile access.”

  • Assignments: Target all users or a group of users (e.g., all staff using mobile devices). For cloud apps, select the key services (or “All cloud apps” for a broad policy) that should be protected – typically include Exchange Online, SharePoint Online, Microsoft Teams, etc.[7].

  • Conditions: Scope the policy to apply to mobile platforms (iOS and Android) if you only want to enforce on mobiles[6][6]. You can also include or exclude device states as needed.

  • Controls (Grant): Select “Require device to be marked as compliant” as a requirement for access[6]. You might combine this with “Require multi-factor authentication” or other controls for additional security, but requiring compliance means the device must be Intune-enrolled and meeting all policy rules to get a token to cloud services.

  • Enable the policy. Now, if a user tries to sign into, say, Outlook on an iPhone that is not enrolled or not compliant, they will be blocked and told their device does not meet requirements. This effectively forces users to enroll and adhere to policies to use company data.

  • Note: M365 Business Premium includes Azure AD Premium P1, so Conditional Access is available with this license level. Make sure to exclude any emergency/break-glass admin accounts from CA policies[7] to avoid locking out all admins inadvertently.

    With Conditional Access in place, you have closed the loop: device compliance status (from Intune) is now gating access to company resources. This significantly strengthens security.

7. Deploy Defender for Endpoint on iOS (Optional but Recommended)
Microsoft 365 Business Premium includes Microsoft Defender for Business, which covers Defender for Endpoint (Plan 1) for devices including iOS. Installing Microsoft Defender for Endpoint (MDE) on the iPhone can provide additional threat protection:

  • In Intune (Endpoint Manager), navigate to Apps > iOS/iPadOS and add the Microsoft Defender for Endpoint app (available in the App Store) as a managed app. Assign it to the iPhones/user group for deployment. Alternatively, instruct the user to install Microsoft Defender from the App Store.

  • Once installed, the user should open the Defender app and sign in with their work account to onboard the device. Intune can also deploy a device configuration for Defender if needed (or use an App Configuration policy) to streamline onboarding.

  • Defender for Endpoint on iOS provides anti-phishing, malicious website blocking, and even some MTD capabilities[8]. All threats or alerts from the device will be visible in the Microsoft 365 Defender Security portal alongside other endpoints[8][8].

  • Ensure that in the Defender portal (security.microsoft.com), the device shows up as onboarded. You can also integrate Defender risk signals with Intune compliance (as noted in step 5 for device threat level).

  • This extra layer helps catch things like unsafe network connections or malicious apps/websites on the iPhone, complementing Intune’s device controls[8].

    Caution: Don’t run multiple endpoint protection agents on iOS concurrently (e.g., two MTD apps), as it may cause conflicts[8]. Defender for Endpoint acts as a local VPN on the device to monitor traffic (it’s an on-device VPN, not sending data through an external server)[8]. This is normal and by design for it to function.

8. Finishing Up and User Guidance

  • Make sure the user can access all needed resources and apps on the iPhone now. They should be able to open Outlook for email (or the iOS Mail app if that’s managed), Teams for chat, etc., with no Conditional Access blocks.

  • Educate the user on Company Portal: The Company Portal app will show device compliance status and any pending actions. Encourage users to periodically open it or pay attention to its notifications. For example, if their device falls out of compliance (maybe their OS is outdated), Company Portal will alert them and instruct how to fix it.

  • Advise the user on how to get support if they encounter issues – e.g., whom to contact in IT for device problems or questions.

  • Document that the device has been onboarded (update your asset inventory or MDM device list if you maintain a separate register outside Intune). Especially for corporate-owned devices, record serial numbers and who the device is issued to.

At this stage, the iPhone is successfully onboarded into Microsoft 365 Business Premium’s management. It is receiving policies from Intune, is protected by compliance and conditional access, and (if configured) has additional threat protection. The next section covers ongoing management to keep the device secure and compliant over time.

Security Configurations and Compliance Policies for iPhone

(This section details the key security settings that should be implemented as part of the onboarding, many of which we applied via compliance policy in the steps above. Use it as a reference checklist to ensure nothing is missed.)

Device Compliance Policy – Key Settings: When creating the iOS compliance policy in Intune, consider including these settings to enforce security baselines (in addition to any organisational requirements):

  • Require a Passcode: Ensure “Require a password to unlock mobile devices” is set to Require[5]. This forces the user to have a lock screen passcode. As noted, this also enables device encryption on iPhones. Configure related passcode settings:

    • Block Simple Passwords: Set to Block to disallow easy PINs like 1234[5].

    • Minimum Password Length: Recommend at least 6 digits (or more if using alphanumeric).

    • Password Type: Consider Numeric (which allows numeric or stronger) or Alphanumeric if you want to require letters too[5]. Alphanumeric passwords are more secure but less convenient on phones – many orgs choose Numeric with a length of 6+ as a balance.

    • Password Expiration: You can set passwords to expire after e.g. 90 days to prompt users to change them periodically[5]. (Some organisations skip this on mobile devices, relying on device biometric unlocks and compliance rules.)

    • Auto-Lock: Use “Maximum minutes of inactivity until screen locks” to something like 5 minutes or less[5], so devices auto-lock quickly when not in use. And “Maximum minutes after screen lock before password is required” to Immediately or a few minutes[5]. This ensures the passcode is needed promptly after lock.

  • Device Health:

    • Jailbreak (Rooted) Device Detection: Set “Mark noncompliant if Jailbroken” to Block such devices[5]. This will flag any jailbroken iPhone as noncompliant and Intune/Conditional Access can then prevent it from accessing corporate data[5].

    • Require Device to be Free of Threats: If using a Mobile Threat Defense like Defender, set Maximum Allowed Device Threat Level to Low (or Secured) to only allow devices with no detected threats[5]. This ties into the threat assessment from Defender for Endpoint.

  • Operating System Requirements:

    • Minimum OS Version: Set the least allowed iOS version. For example, if your org supports iOS 16 and above, put 16.0 here[5]. Devices running older iOS will then show as noncompliant until updated. This helps enforce that users apply iOS updates.

    • Maximum OS Version: Generally leave this blank unless you have a specific reason (e.g., a new iOS version is known to break a critical app – then you could temporarily block it by setting max version to one below). If used, be sure to update this when the new OS is vetted, otherwise devices will become noncompliant after upgrading past the max[5].

    • Minimum OS Build: Rarely used, but you could specify a minimum build number if a particular security patch is required.

  • Device Encryption:

    • On iOS, encryption is automatically tied to having a passcode (data at rest is encrypted with hardware AES). Intune doesn’t have a separate “require encryption” toggle for iOS because of this. Just ensure the passcode requirement is in place. (For reference, the compliance policy setting “Encryption of data storage on device” is applicable to Android/Windows; on iOS it’s not separately configurable – it’s fulfilled by having a passcode).

  • System Security and Other Settings:

    • Device Security Compliance: Consider enabling “Microsoft Defender for Endpoint device risk” in compliance if you deploy Defender. For instance, Require the device risk score to be at most Low[5]. This integrates threat evaluation.

    • Block Cloud Backup of Org Data: While not a compliance setting per se, you might enforce via App Protection or device config that certain app data (like Office 365 data) isn’t backed up to iCloud. This can be configured in an App Protection Policy (MAM) by blocking “backup to iCloud”[6] for managed apps. On supervised devices, a Device Restrictions profile can disable iCloud backup entirely, but that may be too restrictive for BYOD.

    • Disable Jailbreak Detection Evasion: (Supervised only) There are settings to prevent the user from turning off features like USB Restricted Mode (which blocks accessory connections if device is locked for an hour) – ensure those are enabled by default on iOS 12+ so that if someone tries to jailbreak via a USB exploit, it’s harder. Intune doesn’t expose every one of these as separate toggles, but keeping device up-to-date and supervised mode helps.

Conditional Access Policy: (As covered in step 6) After configuring compliance, create Conditional Access rules to enforce that devices must be compliant to access corporate cloud apps[6]. This connects the device’s compliance state with real-time access control and is crucial for security. Also consider requiring MFA on new devices or for sensitive apps, even if compliant.

Information Protection Policies: Beyond device config, ensure the rest of M365 security baseline is addressed (though out of scope of device onboarding, it’s worth mentioning): Enable MFA for all users[9], use data loss prevention (DLP) policies for sensitive data in emails/SharePoint, and use sensitivity labels if needed. These complement device security by protecting data at other levels.

Compliance Standards and Regulatory Policies: Intune’s device compliance features help organizations adhere to regulations like HIPAA, GDPR, ISO 27001, etc., by enforcing encryption, access control, and monitoring of devices[10]. For example, HIPAA requires safeguarding of ePHI – by mandating passcodes, encryption, and the ability to wipe a lost device, you are implementing required safeguards. If your organisation has specific regulatory needs, review those and adjust compliance policies accordingly (e.g., shorter device lock times for highly sensitive environments, or specific audit logging requirements). Intune itself is compliant with many standards, and it provides you tools (reports, logs, enforcement) to maintain compliance. Always document your policies and how they map to any regulatory requirement for audit purposes.

Ongoing Management and Maintenance

Onboarding is just the first step. To keep the iPhone managed and protected over time, perform these ongoing tasks and checks:

  • Monitor Device Compliance: Regularly review the device’s compliance status in Intune. Intune provides compliance reports and dashboards – for example, see if any devices are listed as not compliant and why. Common issues might be an expired OS version, or a user who removed their passcode. Use Intune > Devices > Monitor > Compliance status to get an overview. If a device is noncompliant, Intune can be configured with automatic actions (like send the user a notification, or even retire the device after X days of non-compliance). Take appropriate action: contact the user to resolve the issue or remediate from the admin side. Maintaining compliance is an ongoing process, not a one-time set-and-forget[6][6].

  • Update Management: Keep the iPhone’s OS up to date. New iOS releases often contain important security fixes. Intune can manage iOS updates for supervised devices using iOS Update Policies[11]. You can schedule updates to install during off-hours or at next check-in, and even defer or push specific versions[11][11]. For unsupervised BYOD devices, Intune can’t force-install OS updates, but you should encourage users to update promptly. Consider setting “mark device noncompliant if OS is older than X” to prompt them. In Company Portal, users can see if their OS is out of compliance and update. Also update required apps via Intune app deployments (Intune can push app updates for VPP or line-of-business apps; App Store apps update through the App Store automatically unless restricted).

  • Renew Certificates and Tokens: Mark your calendar for important renewals. The Apple MDM Push (APNs) certificate needs renewal every year[2]. Do this in the Intune portal > Tenant Administration > Connectors and Tokens > Apple MDM Push certificate, and also renew the token with Apple. If you integrated Apple Business Manager, the ABM token in Intune (Enrollment Program token) expires every 1–3 years (as set when you created it, up to 5 years max). Ensure it’s renewed via Devices > iOS/iPadOS > Enrollment program tokens before expiry, or devices will fail to enroll. Similarly, if using the Volume Purchase Program (VPP) for deploying apps or Apple Volume Content, renew those tokens annually.

  • Policy and Profile Maintenance: Periodically re-evaluate your Intune compliance and configuration profiles. You might strengthen policies over time (for instance, raising minimum iOS version as older ones become unsupported, or adjusting password length requirements). Intune will automatically prompt devices to comply with any new settings. Remove or update profiles that are no longer needed. Keep an eye on new Intune features or iOS capabilities that you can take advantage of (for example, new settings in Apple’s iOS Security Configuration Framework updates).

  • Conditional Access and Azure AD Monitoring: Check Azure AD sign-in logs for blocked sign-in attempts due to device non-compliance or other conditions. This can reveal if users are attempting to bypass policy (e.g., using an unmanaged device). Adjust conditional access policies if needed (for example, if you onboard additional cloud apps or if certain scenarios require exceptions). Azure AD’s Sign-in logs and Policy failures can be filtered to show failures due to CA, which is useful for troubleshooting.

  • Incident Response – Lost or Stolen Device: Have a process in place for lost or stolen iPhones. In Intune, you can issue a Remote Wipe (factory reset) or a Selective Wipe (corporate data removal) for a managed device. For corporate-owned devices, usually a full wipe (erase) is appropriate to protect data[12]. For BYOD, you might do a selective wipe which removes the Intune management profile and all company data/apps but leaves personal data intact[12]. Train your helpdesk or IT staff how to execute a wipe from the Intune portal (Devices > [select device] > Wipe). Also consider enabling Activation Lock bypass for supervised devices (Intune can display the bypass code if needed to reactivate a wiped device). Ensure users know to report lost devices immediately.

  • Device Lifecycle Management: If the device is replaced or the user leaves the organisation, you should retire the device from Intune. Intune’s Retire action will remove managed apps and data and the management profile. For corporate devices that will be reassigned, you may then wipe and re-enroll them for the new user. Always keep your Intune device inventory up to date—remove or retire devices that are no longer in use or haven’t checked in for a long time, to maintain security hygiene (Intune can have an auto-cleanup rule for devices inactive for X days).

  • Audit and Compliance Reporting: Periodically audit the Intune settings against your compliance requirements. Intune supports logging and reports for changes and device events. The Microsoft 365 compliance center can also show device compliance as part of broader compliance posture. If your organisation needs to demonstrate compliance (for example, for a certification or audit), maintain documentation of your Intune compliance policy settings and results. Intune aligns with data protection and regulatory compliance commitments by offering these controls[10], but you should verify and record that devices are indeed compliant. Use Intune’s compliance reports, or export device compliance data, to have evidence that all devices have encryption, passwords, etc., as required by policy.

  • User Support and Training: Continue to educate users about security best practices on their iPhone. For example, remind them not to install untrusted apps, to beware of phishing texts or emails (which Defender for Endpoint can help mitigate), and to keep their device in their possession. Provide an updated user guide if things change (e.g., if you roll out a new VPN solution or a new required app). Empower users via the Company Portal app to manage certain aspects: they can use it to check compliance, initiate a manual check-in, or even remotely locate or lock their device if you enable those features. Well-informed users are partners in security, not just endpoints to manage.

  • Stay Updated on Intune and iOS Features: Microsoft Intune and iOS both release frequent updates with new capabilities. For instance, Apple might introduce new MDM controls in a future iOS version (like enhanced VPN controls, or new restrictions) – keep an eye on Intune release notes and plan to implement new beneficial settings. Likewise, Apple’s hardware changes (e.g., eSIM management, new authentication methods) could be relevant. Keeping your device management practices current ensures you maintain a strong security posture.

By following this step-by-step checklist, your organisation will have a fully managed iPhone that is protected by Microsoft 365 Business Premium’s security features and compliant with your policies. The device will be under robust management: from initial enrollment with Intune, through enforced security configurations (passcode, encryption, jailbreak protection, etc.), to continuous compliance monitoring and conditional access enforcement.

In summary, M365 Business Premium provides the tools (Intune, Azure AD Conditional Access, Defender for Endpoint) to manage iPhones in a holistic way. Implementing these steps enables you to: protect corporate data on mobile devices, prevent unauthorized access with conditional compliance requirements, and simplify user onboarding while respecting user privacy on personal devices. Regular maintenance and user communication ensure that the iPhone remains secure throughout its lifecycle in your environment.

References

[1] Enroll iOS iPadOS devices in Intune: Complete Guide – Prajwal Desai

[2] Enroll iOS/iPadOS Devices in Intune Step by Step Guide

[3] Tutorial – Use Apple Business Manager to enroll iOS/iPadOS devices in …

[4] Microsoft 365 Device Management / Intune best practices checklist

[5] iOS/iPadOS device compliance settings in Microsoft Intune

[6] Enforce device compliance and app protection policies on BYOD with M365 …

[7] Enforce device compliance with Conditional Access – Microsoft Entra ID

[8] Microsoft Defender for Endpoint on iOS

[9] Microsoft 365 for business security best practices

[10] memdocs/memdocs/intune/fundamentals/compliance-in-intune.md at main …

[11] Use Microsoft Intune to manage software updates for supervised iOS …

[12] Manage devices enrolled in Mobile Device Management in Microsoft 365

Joined devices not appearing in Intune

image

If you have correctly joined your devices to EntraID and you have an Intune license, then these devices should appear in the Intune Management console, as shown above.

image

If they don’t, then go into the Azure Portal and select EntraID. Select the Mobility (MDM and WIP) as shown above. Then select Microsoft Intune.

image

Ensure that both settings are set to All. If they have been set to None, then this will be the issue as EntraID is not handing off device management to Intune.

Once you have set both of these settings to All as shown, ensure you save these settings before exiting the page.

Any device that is now joined to the tenant should appear in Intune, however existing devices that were added prior to this update being made won’t automatically enrol in Intune. They will need to be unjoined and re-joined to EntraID or re-enrolled via a script.