BYOD iPhone Onboarding Checklist – Microsoft 365 Business Premium

Introduction
Bring Your Own Device (BYOD) policies allow employees to use personal devices (like iPhones) for work, offering flexibility and productivity benefits. However, every personal device connecting to company data is a potential attack avenue if not properly secured[1]. It’s crucial to onboard iPhones with robust security measures so that company information remains protected. Microsoft 365 Business Premium provides advanced tools (Microsoft Intune for device/app management, Azure AD for identity and Conditional Access, information protection and more) to secure BYOD devices[2][3]. This checklist outlines detailed steps for initial setup of a BYOD iPhone and ongoing management practices to maintain security over time.

Key Terms and Concepts

Term	Definition
BYOD (Bring Your Own Device)	When employees use their personal devices (phones, tablets, laptops) for work purposes. The device is not company-owned, but is granted access to company resources.
Microsoft 365 Business Premium	A subscription service that includes Office 365 apps, cloud services (email, OneDrive, Teams, etc.), and advanced security features (like Intune MDM/MAM, Azure AD Premium P1 for Conditional Access, Defender for Business, information protection with DLP and encryption). Tailored for small-to-midsize organisations, it helps protect user accounts, data, and devices.
Initial Setup	The one-time configuration process during onboarding of a device. For BYOD iPhones, this includes registering the device, applying security settings, and installing required apps so it meets company security requirements from the start.
Ongoing Management	Continuous practices after initial setup to ensure the device remains secure and compliant. This includes regular updates, policy enforcement, monitoring, user training, and incident response over the device’s lifetime in the organisation.

Why Secure BYOD iPhones?
Using personal iPhones for work introduces certain security risks that must be mitigated:

Data Leakage – Personal and business data coexist on BYOD devices, which can lead to accidental sharing or unauthorized access to sensitive company information[4]. For example, a user might inadvertently back up work files to a personal cloud or send corporate data via a personal app.
Lost or Stolen Device – If a BYOD iPhone is lost or stolen, company data on it could be exposed. Without proper controls (like remote wipe), confidential data might fall into the wrong hands[4].
Malware/Phishing Threats – Personal devices may lack the stringent safeguards of managed corporate devices, making them more susceptible to malware or phishing attacks that can compromise corporate data[4]. Users could unknowingly download malicious apps or click phishing links, endangering both personal and work data.
Compliance and Privacy – Regulated industries face challenges ensuring BYOD devices meet data protection standards. Blurred personal/work use can complicate compliance (e.g. with GDPR, HIPAA) and raise privacy concerns if devices are not handled correctly[4].
Human Error – Without adequate training, employees might use their personal iPhones in insecure ways (weak passcodes, connecting to unsafe Wi-Fi, etc.), inadvertently exposing company data[4]. A strong BYOD policy and user awareness are needed to minimize mistakes.

Given these risks, a zero-trust approach should be applied: assume no personal device is secure by default and layer multiple protections (strong authentication, device compliance enforcement, data protection policies, and user education)[1][2]. Microsoft 365 Business Premium equips organisations with the needed capabilities to implement this, such as enforcing multi-factor authentication, using Intune to manage or contain corporate data on the device, and applying data loss prevention. The following checklist is divided into two parts – initial setup and ongoing management – to ensure a BYOD iPhone is onboarded and maintained securely.

Initial Setup Checklist (BYOD iPhone Onboarding)

Preparation – IT Administration (before user enrolls device):

Enable Multi-Factor Authentication (MFA) for User Accounts: Ensure the user’s Office 365/Azure AD account is protected with MFA. Enforce company-wide MFA as a policy so that even if an iPhone is compromised, an attacker cannot access the account without a second factor[1]. Have users install the Microsoft Authenticator app and register it for MFA on their account[5]. This significantly reduces the risk of account compromise.
Configure Mobile Device Management (MDM) and App Management: Set up Microsoft Intune (part of Business Premium) to handle BYOD iPhone enrollments. This involves adding an Apple MDM push certificate to Intune (a prerequisite for managing iOS devices) and defining an enrollment policy for BYOD scenarios. Intune supports Apple User Enrollment (a privacy-friendly mode for BYOD) which creates a managed work partition on the device, or standard device enrollment for full MDM control[6]. Choose the approach that fits your organisation’s BYOD policy (User Enrollment or full MDM). If full device enrollment is not desired, plan to rely on App Protection Policies (MAM) without device enrollment[2].
Set Compliance Policies in Intune: Define compliance requirements that the iPhone must meet to be considered secure. For example, require the device to have a passcode, block jailbroken devices, and enforce a minimum iOS version[7][7]. In Intune’s compliance settings for iOS, you can mark a device as non-compliant if it’s jailbroken[7], require encryption (which is automatic when a passcode is set on iOS)[7], and require the latest iOS updates (you can set a minimum allowed OS or build version)[7]. These policies ensure that only healthy, secure devices can access corporate data.
Configure App Protection Policies (MAM): In Intune, create App Protection Policies for iOS targeting company apps (especially if you allow access without full device enrollment). These policies protect corporate data at the app level even on unmanaged devices[2]. Key settings include preventing backup of work data to iCloud, restricting copy-paste of data from work apps to personal apps, requiring app data to be encrypted, and requiring a PIN or biometric to open company apps[2][2]. For example, you might block saving corporate files to personal storage and only allow saving to OneDrive for Business or SharePoint[2]. Such controls ensure that even on a personal iPhone, company information stays within approved apps and cannot be easily leaked.
Set up Conditional Access Policies: Use Azure AD Conditional Access to tie everything together. Create policies that apply to all BYOD mobile access – for instance, require that users accessing Exchange Online, SharePoint, Teams, etc., from an iOS device must use approved apps with app protection in place[2]. In Conditional Access rules, you can grant access only if the device/app meets conditions: e.g. Require app protection policy and Require approved client app (so that users must use Outlook mobile rather than any mail app)[2]. You can also require device compliance for certain sensitive apps if you choose to mandate full enrollment for those. These controls ensure that even if a user tries to use a personal app or an unsecured device, they will be blocked from company data – only the secured route is allowed.
Communicate BYOD Policies to the User: Before onboarding, inform the employee of the BYOD usage policy. This should include what data the company can manage on their device, their responsibilities (e.g. maintaining a passcode, not disabling security), and privacy assurances. Make sure they consent to any management profiles to be installed and understand the consequences (for example, IT’s right to wipe corporate data if the device is lost or on separation). Clear communication and user buy-in will make the onboarding smoother[4][4].

Onboarding – End User Device Steps (actual device setup process for the user):

Update iPhone to Latest iOS: Before connecting to corporate services, the user should update their iPhone to the latest iOS version. Current iOS updates include important security patches that help protect the device. (Intune’s compliance policy will require a minimum OS or show the device as non-compliant if it’s outdated[7].) Encourage enabling automatic iOS updates to keep the device up to date going forward. Also verify the device is not jailbroken or tampered (jailbroken devices will be blocked as non-compliant by policy[7]).
Set a Strong Device Passcode (and Enable Touch ID/Face ID): The user must secure their iPhone with a strong passcode if not already done. A passcode (or biometric lock) is the first line of defense if the phone is lost. Not only does a passcode prevent unauthorized access, it also encrypts the device storage on modern iPhones – iOS automatically enables full-device encryption when a passcode is set[7]. Company policy may enforce complexity (e.g. no simple “1234”, minimum length, etc.)[7]. Advise the user to set a 6-digit or alphanumeric passcode and configure auto-lock (e.g. 1-5 minutes of inactivity) to reduce exposure.[7].
Install Microsoft 365 Apps: Next, the employee should install the necessary work applications from the Apple App Store. At a minimum, this usually includes Microsoft Outlook (for corporate email/calendar), Teams, OneDrive/SharePoint, Office (Word/Excel/PowerPoint), and possibly Microsoft Edge for a secure browsing experience. Microsoft 365 Business Premium allows the user to sign into these Office mobile apps with their work account. Installing the official Microsoft apps is important – Conditional Access will likely require “approved client apps” for accessing company data[2]. (The organisation may also use Apple’s managed app deployment, but for BYOD it’s common to let users grab apps themselves from the App Store.)[1] Ensure the user has the latest versions of these apps.
Enroll in Intune via Company Portal: The user must register the device with the company’s Intune MDM if required by policy. Have them download the Microsoft Intune Company Portal app from the App Store and sign in with their work Office 365 credentials[6]. The Company Portal will guide them through the enrollment process. This typically involves: granting the app the necessary permissions, downloading an MDM profile from Intune, and going to iOS Settings to install that profile (the user will see a prompt to install a management profile). Once done, the device is marked as enrolled and will show up in the company’s Intune console. At this point, any compliance policies (from step 3 of Preparation) are enforced on the device via Intune. For example, if the policy requires a passcode or certain OS level, the user might be prompted to set those to comply. Note: In some BYOD setups, full device enrollment might be optional – if the organisation is doing app-level management only (MAM), the user may skip full device enrollment. In such cases, simply logging into Outlook or another managed app will trigger application protection policies without installing a device profile. (For instance, upon first run of Outlook, the user might be asked to set a PIN for the app or enable Authenticator as a broker app for policy enforcement.) Ensure the user follows whichever flow your IT has defined.
Sign In and Configure Work Apps: After enrollment, the user should sign into the Microsoft 365 apps using their work account (if they haven’t already during the Company Portal step). Upon login, the device will be evaluated by Conditional Access. If everything is in order (MFA done, device compliant or app protected), the sign-in will succeed and data will start syncing (emails, files, etc.). The user might see a few additional prompts as final configuration: for example, Outlook for iOS might prompt “Your organisation is now protecting its data in this app” and enforce a policy like requiring a separate app PIN or enabling encryption — these stem from the App Protection Policy applied[2]. The user should accept all prompts for permissions and policy enforcement (these are there to protect company info). At this stage, verify that email is working in Outlook (or the native Mail app if your policy allowed a managed email profile). If native Mail is allowed, Intune would have installed a managed email profile during enrollment; otherwise, the user will use Outlook.
Verify Device Compliance and Security Settings: Once setup is complete, both the user and IT admin should double-check that the device is properly secured. On the iPhone, the user can open Company Portal app to see device status – it will show if the device is compliant or if any action is needed. The user should see that all requirements (like having a passcode, encryption, etc.) are met. The IT admin, on the Intune/Endpoint Manager portal, should also see the device listed under the user with a compliant status. This ensures that the iPhone is successfully onboarded under management. Additionally, test that security controls are in effect: e.g., try copy-pasting from a corporate app to a personal app – it should be blocked if App Protection is correctly applied, per policy[2]. Or confirm that if the user tries to use an unapproved email app, access to email is denied[2]. These validations confirm that company data on the BYOD iPhone is fenced off and protected as intended.
Educate the User on Secure Usage: Finally, spend a moment to highlight to the employee how to use their newly set up device securely. Remind them of key points: Only use the approved apps (e.g. Outlook, Teams) for work data[2]; do not save work files to personal apps or personal cloud storage; be cautious of phishing messages or suspicious apps; and never remove the management profile or jailbreak the device. Also let them know what to do if something goes wrong – for instance, if they forget their app PIN or if the device falls out of compliance (Company Portal can show remediation steps – e.g., “update your OS to regain access”). User awareness at onboarding will reduce risky behavior later[4].

With these steps, the iPhone should now be securely integrated into the company’s ecosystem with appropriate protections. The device has MFA on the account, is registered or monitored by Intune, has all necessary apps under policy, and the user is informed of their role. Company data is now confined to secure applications and can be remotely wiped if needed, and the device’s integrity is continuously checked.

Ongoing Management Checklist (Maintaining Security Over Time)

Once a BYOD iPhone is onboarded, security is not a one-time set-and-forget task. Ongoing vigilance is required from both the user and IT to ensure the device continues to protect company information. The following are best practices and actions for ongoing management:

Regular Software Updates: Keep the iPhone OS and apps up to date at all times. New iOS versions often patch security vulnerabilities, so timely updates are critical. Encourage users to enable automatic iOS updates and periodically verify they are on the latest version. The IT team can make OS version part of compliance: Intune can flag devices that fall behind on updates as non-compliant (e.g. if below a minimum iOS or if an important security patch isn’t applied)[7]. Likewise, Microsoft apps (Outlook, Teams, etc.) should be updated via the App Store. Outdated apps or OS could become entry points for attacks. Maintaining up-to-date software ensures the device has the latest defenses.
Device Compliance Monitoring: Continuously monitor device compliance and health status. In the Intune/Endpoint Manager admin center, IT administrators should regularly check reports of device compliance, and remediate issues promptly. For example, if a device becomes non-compliant (perhaps the user disabled their passcode or the OS fell out of date), Intune can be set to send the user a notification or email. IT should follow up on these alerts to help the user fix the issue or to block access until it’s resolved. Microsoft 365 Business Premium also includes Microsoft Defender for Business, which can provide mobile threat detection. Admins can view device risk levels in the security portal – if a BYOD iPhone is flagged with a threat (say malware is detected, or it’s jailbroken), take immediate action (like locking the device from company data)[7][5]. Regular compliance audits ensure no device drifts into an insecure state unnoticed.
Enforce App Protection and Data Loss Prevention: The organisation should maintain and update its data protection policies over time. App Protection Policies (MAM) and Data Loss Prevention (DLP) rules need to stay aligned with evolving business needs. For instance, if new cloud apps are introduced, ensure your Intune app policies cover them or block them appropriately. Microsoft 365 Business Premium includes DLP capabilities to prevent sharing of sensitive info (like credit card numbers, client data) via email or cloud[3] – make sure these policies are enabled in Microsoft Purview Compliance Center. Over time, tune the policies based on incidents: e.g., if users are frequently tripping a policy erroneously, adjust it; if data leaks are observed in a channel not covered, extend the DLP coverage. Also, periodically review which apps are approved for corporate data. Remove any that are no longer needed and add new trusted apps as required, updating your Conditional Access “approved apps” list accordingly[2]. These ongoing adjustments keep your data protection current and effective.
User Training and Awareness: Continue to educate BYOD users about security. Initial training at onboarding isn’t enough; threats evolve and users might forget policies. Conduct periodic security refresher trainings or send out tips for mobile security. Emphasize practices like avoiding public Wi-Fi or using a VPN, not clicking suspicious links on the phone, and maintaining a strong device passcode. Reinforce the importance of not circumventing controls – for example, explain why copying data out of managed apps is restricted, so users don’t try risky workarounds. Keep an open channel for users to ask questions or report concerns about their BYOD device. Cultivating a security-aware culture helps counter the human error factor that is often the weakest link[4].
Periodic Access Review: IT should perform periodic reviews of enrolled BYOD devices and their access. Retire any devices that have not checked in for a long time or belong to users who have since left the company. Azure AD and Intune logs can indicate when a device last successfully met policy. If a device is inactive or the user no longer needs corporate access on it, it’s safer to remove organizational data from it. Also, confirm that only approved users/devices are accessing sensitive apps – use Conditional Access reports to see if any unknown or non-compliant devices attempted access. This regular housekeeping ensures only intended, managed devices retain access.
Lost or Stolen Device Response: Plan and practice an incident response for lost devices. If an employee’s iPhone is lost or stolen, act immediately: the user (or their manager) should notify IT at once as per policy. Using Intune, the administrator should perform a Selective Wipe on the device to remotely remove all corporate data from it. In a BYOD scenario, a selective wipe will delete company app data (email, files, Teams chats, etc.) but leave personal data intact. This ensures that sensitive information doesn’t remain on a device that could be in someone else’s hands. In some cases, if the risk is very high, a full device wipe might be warranted (with user consent as per policy). Additionally, the admin may choose to block or reset the user’s Office 365 sign-in sessions, and require password change, in case the device access could have been compromised. Users should also use Apple’s “Find My iPhone” to put the device in Lost Mode or erase it if possible. The BYOD policy should clearly state the steps for reporting and what actions will be taken[4]. Time is critical in these situations – having a predefined process helps protect data quickly.
Employee Offboarding (Device Separation): When an employee leaves the organisation or no longer needs to use a personal device for work, ensure their device is cleanly offboarded. This means removing corporate access and data: Intune’s Retire or wipe action should be used to remove all company apps, profiles, and data from the BYOD iPhone when the employment or BYOD usage ends. Azure AD device objects for that phone should be disabled/removed as well. The offboarding checklist should be part of HR’s exit process so it isn’t overlooked. Having clear protocols for data retrieval at employee departure is vital to prevent any lingering access to sensitive info[4]. Likewise, if a user replaces their phone or decides to opt out of BYOD, perform the same cleanup. Proper offboarding ensures that company information doesn’t remain on personal hardware indefinitely.
Policy Updates and Continuous Improvement: Finally, treat BYOD security as an ongoing program. Regularly revisit your BYOD policy and technical controls. As new iOS features or M365 features become available (for example, improved device compliance checks or new types of data encryption), consider adopting them. Stay informed on updates in Microsoft 365 Business Premium – Microsoft frequently enhances Intune, Conditional Access, and Defender capabilities. Also review any security incidents or near-misses involving BYOD devices to learn lessons: if, say, a user found a loophole to save corporate data to an unmanaged app, address it through tighter policy or user guidance. Aim to refine the onboarding checklist itself over time. Continuous improvement will keep the organisation one step ahead of threats.

By following this comprehensive checklist, an organisation can confidently allow iPhone BYOD usage while minimizing security risks. The initial setup establishes a secure baseline – enforcing strong authentication, isolating corporate data in managed apps, and ensuring the device meets security standards. The ongoing management then sustains that security posture through updates, monitoring, user awareness, and swift incident handling. This two-phase approach – onboarding + maintenance – is essential for a robust BYOD program. Microsoft 365 Business Premium’s toolset (Intune, Azure AD, Defender, and information protection features) plays a central role in implementing these steps, making it possible to protect company information on personal devices without unduly interfering in the users’ personal data and privacy. With the right configurations and practices in place, employees like those at Your Organisation can enjoy the convenience of using their iPhones for work, and the company’s data remains safe and under control. [2][2]

References

[1] Set up unmanaged devices with Microsoft 365 Business Premium …

[2] Enforce device compliance and app protection policies on BYOD with M365 …

[3] Set up information protection capabilities – Microsoft 365 Business …

[4] BYOD security risks: mitigation strategies for organizations

[5] Secure managed and unmanaged devices – Microsoft 365 Business Premium

[6] iOS/iPadOS device enrollment guide for Microsoft Intune

[7] iOS/iPadOS device compliance settings in Microsoft Intune

iPhone Onboarding into M365 Business Premium: Step-by-Step Guide

Overview:
This guide provides a comprehensive checklist for onboarding an iPhone into Microsoft 365 Business Premium (which includes Microsoft Intune) so that the device is fully managed and protected. It covers initial setup, detailed step-by-step enrollment procedures, specific security configurations, ongoing management tasks, and compliance considerations. By following this checklist, your organisation can ensure iPhones are enrolled in Mobile Device Management (MDM), secured with best-practice policies, and compliant with relevant standards.

Prerequisites and Preparation

Before enrolling an iPhone in M365 Business Premium/Intune, make sure the following prerequisites are in place:

Licenses and Accounts:
- The user must have a valid Microsoft 365 Business Premium license (which includes Intune). Ensure the user’s account has an Intune license assigned[1].
- You must have appropriate admin roles in Intune (e.g. Intune Administrator or Policy and Profile Manager) to perform the setup.
Device Requirements:
- The iPhone should be running a supported iOS version (iOS 14.0 or later is required for Intune enrollment)[1][2]. Newer iOS versions are recommended.
- The device should be factory reset or not previously MDM-enrolled. Remove any existing management profiles or accounts from the iPhone. (On the device, check Settings > General > Device Management; if a management profile is listed, remove it before proceeding[2].)
Network and Apps:
- The iPhone has a reliable Wi-Fi or mobile data connection (maintain connectivity throughout the enrollment)[1].
- The Safari browser (built-in) should be available for profile installation during enrollment[1].
- Install the Intune Company Portal app from the Apple App Store on the iPhone[1]. This app is used for user-driven enrollment and device compliance checks.
MDM Setup in Microsoft 365:
- Set MDM Authority: Verify that Intune is enabled as the Mobile Device Management authority in your tenant (for new M365 tenants this is usually already the case).
- Apple MDM Push Certificate (APNs): Set up an Apple Push Notification Service certificate in Intune before any iOS device enrollment[2]. This certificate allows Intune to manage Apple devices.
- In the Intune admin center, navigate to Devices > Enroll devices > Apple enrollment > Apple MDM Push certificate. Follow the steps to create and download a Certificate Signing Request (CSR), then upload it to Apple’s Push Certificates Portal to obtain the APNs certificate, and finally upload that certificate to Intune[1][1].
- Note: The APNs certificate must be renewed annually. It’s tied to an Apple ID (use a company Apple ID email account for this). Intune will warn you as the expiration approaches; renew the certificate before it expires to avoid losing the ability to manage iOS devices[2].
Apple Business Manager (for Corporate Devices):
If your organisation uses Apple Business Manager (ABM) or Apple School Manager for corporate-owned iPhones, integrate it with Intune for Automated Device Enrollment (formerly DEP). This allows zero-touch setup of devices that are purchased through Apple and makes them supervised (giving greater management control).
- Ensure devices are added to your ABM account (either by purchasing through ABM or via Apple Configurator for existing devices).
- In Intune, go to Devices > iOS/iPadOS > Enrollment Program Tokens and create an ABM token by uploading the key from Intune to Apple and vice versa[3][3].
- Create an enrollment profile in Intune and assign it to the ABM devices (specify supervision, MDM user affinity, etc.)[3][3].
- Outcome: When a new or erased iPhone is turned on, it will automatically enroll into Intune during setup with the defined management profile[3]. (If you are not using ABM, or for BYOD scenarios, you will use the Company Portal method described below.)
Intune Groups and Policies Preparation:
- Set up Azure AD groups for device or user targeting (for example, a group for “Managed iPhone Users”). This will help in assigning policies and apps.
- Draft your Compliance Policy and Configuration Profiles for iOS in Intune ahead of time (detailed in the security configuration section). Having these in place ensures that once the device enrolls, it will automatically receive the required settings and be evaluated for compliance[4].
- Optionally, prepare Company Portal branding and Terms of Use in Intune to show a corporate welcome or usage policy to users during enrollment (this can include an acceptable use policy for mobile devices).
User Communication:
- Plan a communication to the end user (if user-assisted enrollment) explaining the enrollment steps and why device management is needed. End-user guides or an enrollment workshop can improve success rates. Make sure users are aware of what data IT can and cannot see on managed personal devices (privacy notice).
- Training: Be ready to provide help or training on using the Company Portal app, accessing work resources, and any changes in device behavior after enrollment (such as needing a stronger passcode) – this helps user adoption.

With these prerequisites complete, you are ready to onboard the iPhone into Intune (M365 Business Premium) with full management and security.

Initial Onboarding Steps

Follow these steps to enroll the iPhone in Microsoft 365 Business Premium’s management (Intune):

1. Configure Intune for iOS Management (Admin Task)

Intune Portal Access: Sign in to the https://endpoint.microsoft.com with an administrator account.
Verify Prerequisites: Double-check that the Apple MDM Push Certificate is configured in Intune[1] and that the user account is properly licensed for Intune (M365 Business Premium assigned)[1].
Device Enrollment Restrictions: Optionally, review enrollment restrictions under Devices > Enroll devices > Enrollment restrictions. You can restrict which platforms can enroll (ensure iOS is allowed) or limit enrollment to certain OS versions, device ownership types, etc[2][2]. For example, you might block very old iOS versions or limit personal device enrollments if desired.

2. Create Compliance and Configuration Policies (Admin Task)
Before or immediately after enrollment, apply security configurations by creating policies in Intune. This ensures the device will be fully protected as soon as it’s managed. Key policies include:

Device Compliance Policy for iOS: Define the minimum requirements the iPhone must meet to be considered compliant[2]. For instance: require a device passcode, block jailbroken devices, require encryption (on iOS, setting a passcode automatically enables encryption)[2], enforce a minimum OS version, and set other security rules (detailed in the next section). Once created, assign this policy to the relevant user/device group. This policy will evaluate the iPhone after enrollment and mark it as Compliant or Non-compliant according to your rules.
Configuration Profiles: Set up any device configuration profiles needed. Examples:
- Device Restrictions profile: to enforce specific settings (like disallowing backup to iCloud for corporate data, blocking installation of untrusted apps, or preventing removal of the management profile for supervised corporate devices).
- Wi-Fi or Email profiles: to automatically configure company Wi-Fi networks or email accounts on the device[5] (note: for email, Intune can deploy a managed email profile; requiring the device to use that ensures email is accessed securely[5]).
- App Deployment: Prepare required app deployments (e.g., Outlook, Teams, OneDrive) or app protections. In Intune, you can assign Managed Apps to the device or user group so they install during or after enrollment.
App Protection Policies (MAM): (Optional, mostly for BYOD scenarios) If some users won’t fully enroll devices, you could use App Protection Policies to protect company data at the application level[6][6]. However, since this scenario is for fully managed devices, we assume full enrollment. Still, Intune MAM policies can add an extra layer of data protection for corporate apps (e.g. requiring a PIN in Outlook, blocking data transfer to personal apps)[6][6].

By setting these policies now, you ensure that as soon as the device is enrolled, Intune will apply all the security requirements automatically. ✅

3. Initiate iPhone Enrollment
Now it’s time to enroll the device. There are two primary enrollment methods depending on ownership:

(A) Corporate-Owned Device – Automated Enrollment via Apple Business Manager:
If the iPhone is company-owned and has been added to Apple Business Manager (ABM):
- Turn on or reset the iPhone. During the initial setup wizard, after choosing language/region and network, the device will contact Apple’s deployment service and recognize that it is assigned to your organisation’s MDM (Intune).
- You will see a screen indicating the device will be automatically configured by your organisation. Continue with the prompts. The device will enroll itself over the air into Intune with the settings from the enrollment profile you assigned (no need to manually download a profile)[3][3].
- Sign in with the user’s work or school (Microsoft Entra/Azure AD) account when prompted. This will register the device to that user in Intune (user affinity) and complete the enrollment.
- Once finished, the iPhone will be in supervised mode (granting enhanced control) and the Company Portal app may be pre-installed as part of the process. The user might still need to open Company Portal to finalize compliance checks.
  
  ABM enrollment streamlines the process – it’s largely automatic after initial setup, and the device is fully managed from the start.
(B) BYOD or Non-ABM Device – User-Driven Enrollment via Company Portal:
For personal or non-ABM devices, use the Intune Company Portal app:
1. On the iPhone, launch the Company Portal app (which was installed earlier).
2. Sign in with the user’s work Microsoft 365 credentials (email and password). The app will identify that the device is not managed and will begin the enrollment process.
3. Follow the on-screen prompts in Company Portal. The user will typically tap Begin or Enroll to start. Privacy information is shown; the user should review what the company can and cannot see.
4. Download Management Profile: The Company Portal will redirect to the Safari browser to download a management configuration profile. When prompted “This website is trying to download a configuration profile”, the user should tap Allow. A message will confirm the profile is downloaded. [2]
5. Install Management Profile: After the profile is downloaded, the user must go to the iPhone Settings app to install it (Apple requires manual installation for profiles on user-enrolled devices). In Settings, a new item “Profile Downloaded” will appear near the top – tap this, or navigate to General > VPN & Device Management, then under “Downloaded Profile” select the Intune management profile.
6. Tap Install. The device may prompt for the phone’s passcode to authorize profile installation. A warning about device management will be shown – the user should confirm by tapping Install again, and then Trust when asked to trust the remote management. Now the Intune MDM profile is installed on the iPhone[2]. Tap Done when finished.
7. Return to the Company Portal app (or the Safari page) to continue any final steps. The Company Portal will complete the enrollment and register the device with Intune.
  
  The device is now enrolled in Intune as a managed device (in a state often called “MDM enrolled”). The Company Portal app will show the device status and any compliance requirements.
(Choose the method above that fits the scenario. Both achieve an enrolled, managed iPhone in Intune, but the user experience differs.) ✅

4. Verify Enrollment and Compliance
After enrollment, verify that the iPhone appears in Intune and meets compliance:

In the Intune Admin Center, go to Devices > iOS/iPadOS > All devices (or Devices > All devices) and confirm the iPhone is listed, assigned to the correct user, and shows as “Compliant” or “Not compliant”. Initial status might be not compliant until policies apply.
Intune will automatically deploy the compliance policy and evaluate the device. If any compliance requirement is not met, the Company Portal will notify the user of what needs to be done. For example, if your policy requires a PIN/passcode or a stronger password, the user will be prompted to set a device passcode to meet the policy[2]. The Company Portal app can guide the user through resolving issues (e.g., setting a new PIN, removing a jailbreak, updating iOS to a required version).
Once all conditions are satisfied, the device status in Intune will update to Compliant, meaning it adheres to your organisation’s security rules and can access resources. The user now has access to corporate email, Teams, OneDrive, etc. on the device (or will shortly, once those apps are installed and the device syncs policies).

Tip: In Intune, you can check Device Compliance > Reports for a compliance overview and drill down into the specific device to see any settings that are not met. Ensure that the device has checked in recently (an initial check-in happens during enrollment).

5. Apply Security Configurations and Policies
Many security settings should already be active thanks to the compliance and configuration profiles applied in Step 2. However, ensure the following configurations are in place (some of these are automatically enforced via the compliance policy, but it’s good to review):

Passcode Policy: The iPhone must have a lock screen passcode that meets your requirements. Intune compliance can require a password to unlock the device[5]. Typically, enforce a strong passcode (e.g. at least 6 digits or an alphanumeric code, no simple sequences). You can block simple PINs like “1234” or “111111”[5] and require a mix of characters if using alphanumeric.
Device Encryption: iOS devices encrypt all data when a passcode is set. By requiring a passcode, you are also ensuring the device storage is encrypted[5]. No additional action is needed for encryption beyond the passcode requirement (there’s no separate encryption setting on iPhone; it’s automatic).
Jailbreak Detection: The compliance policy should mark jailbroken (rooted) devices as noncompliant, effectively blocking them[5][6]. This protects against devices that might be compromised. Intune can’t run on a jailbroken device without being detected – if a device is jailbroken, the user should remove the jailbreak or use a different device.
OS Version Requirements: Enforce a minimum OS version (and optionally block specific older OS builds). For example, if you require at least iOS 16.0 for security features, set that in the compliance policy; any device below that will be noncompliant until updated[2][5]. You can also specify a maximum OS version if needed (usually leave this unset unless a future iOS update is known incompatible with some app).
Threat Level / Defender Integration: If using Microsoft Defender for Endpoint (MDE), integrate it with Intune compliance. In Intune’s compliance policy for iOS, you can require the device to be at or below a certain threat level as reported by a Mobile Threat Defense solution. With Defender for Endpoint on iOS, you could set “Require the device to be at or under the machine risk score” to, say, Low or Medium[5]. Devices with higher risk (malware detected, etc.) would become noncompliant automatically. (This requires Defender for Endpoint to be deployed on the device – see step 6.)
App Configuration: Verify that any necessary managed apps (such as Outlook, Teams, OneDrive, or custom apps) have been installed or are available for the user to install via Company Portal. For email, if you deployed a managed email profile, ensure it’s functioning (the user should see the work email account in Mail app or Outlook configured).
Device Restrictions: If you created a device restrictions profile (for supervised devices), ensure settings like prohibiting USB data transfers when locked (USB restricted mode), disabling the ability to factory reset or enroll in other MDM, etc., are applied according to your needs. These settings help lock down corporate devices further. BYOD devices typically wouldn’t have heavy restrictions beyond compliance requirements, to respect user privacy.

The security configurations above collectively harden the iPhone and align it with corporate policy and compliance standards. Intune will continuously enforce these settings; if the user tries to disable them (for example, removing their passcode), Intune will mark the device noncompliant and can take action.

6. Enable Conditional Access (Enforce Compliance)
To protect company data, set up Conditional Access policies in Azure AD (Entra ID) that require device compliance for accessing cloud resources (like Exchange Online email, SharePoint, Teams, etc.)[6][7]. This step ensures that only managed and compliant iPhones can actually use company apps/data:

Go to the Azure AD or Microsoft Entra admin center (Azure AD > Security > Conditional Access). Create a policy named, for example, “Require compliant device for mobile access.”
Assignments: Target all users or a group of users (e.g., all staff using mobile devices). For cloud apps, select the key services (or “All cloud apps” for a broad policy) that should be protected – typically include Exchange Online, SharePoint Online, Microsoft Teams, etc.[7].
Conditions: Scope the policy to apply to mobile platforms (iOS and Android) if you only want to enforce on mobiles[6][6]. You can also include or exclude device states as needed.
Controls (Grant): Select “Require device to be marked as compliant” as a requirement for access[6]. You might combine this with “Require multi-factor authentication” or other controls for additional security, but requiring compliance means the device must be Intune-enrolled and meeting all policy rules to get a token to cloud services.
Enable the policy. Now, if a user tries to sign into, say, Outlook on an iPhone that is not enrolled or not compliant, they will be blocked and told their device does not meet requirements. This effectively forces users to enroll and adhere to policies to use company data.
Note: M365 Business Premium includes Azure AD Premium P1, so Conditional Access is available with this license level. Make sure to exclude any emergency/break-glass admin accounts from CA policies[7] to avoid locking out all admins inadvertently.

With Conditional Access in place, you have closed the loop: device compliance status (from Intune) is now gating access to company resources. This significantly strengthens security.

7. Deploy Defender for Endpoint on iOS (Optional but Recommended)
Microsoft 365 Business Premium includes Microsoft Defender for Business, which covers Defender for Endpoint (Plan 1) for devices including iOS. Installing Microsoft Defender for Endpoint (MDE) on the iPhone can provide additional threat protection:

In Intune (Endpoint Manager), navigate to Apps > iOS/iPadOS and add the Microsoft Defender for Endpoint app (available in the App Store) as a managed app. Assign it to the iPhones/user group for deployment. Alternatively, instruct the user to install Microsoft Defender from the App Store.
Once installed, the user should open the Defender app and sign in with their work account to onboard the device. Intune can also deploy a device configuration for Defender if needed (or use an App Configuration policy) to streamline onboarding.
Defender for Endpoint on iOS provides anti-phishing, malicious website blocking, and even some MTD capabilities[8]. All threats or alerts from the device will be visible in the Microsoft 365 Defender Security portal alongside other endpoints[8][8].
Ensure that in the Defender portal (security.microsoft.com), the device shows up as onboarded. You can also integrate Defender risk signals with Intune compliance (as noted in step 5 for device threat level).
This extra layer helps catch things like unsafe network connections or malicious apps/websites on the iPhone, complementing Intune’s device controls[8].

Caution: Don’t run multiple endpoint protection agents on iOS concurrently (e.g., two MTD apps), as it may cause conflicts[8]. Defender for Endpoint acts as a local VPN on the device to monitor traffic (it’s an on-device VPN, not sending data through an external server)[8]. This is normal and by design for it to function.

8. Finishing Up and User Guidance

Make sure the user can access all needed resources and apps on the iPhone now. They should be able to open Outlook for email (or the iOS Mail app if that’s managed), Teams for chat, etc., with no Conditional Access blocks.
Educate the user on Company Portal: The Company Portal app will show device compliance status and any pending actions. Encourage users to periodically open it or pay attention to its notifications. For example, if their device falls out of compliance (maybe their OS is outdated), Company Portal will alert them and instruct how to fix it.
Advise the user on how to get support if they encounter issues – e.g., whom to contact in IT for device problems or questions.
Document that the device has been onboarded (update your asset inventory or MDM device list if you maintain a separate register outside Intune). Especially for corporate-owned devices, record serial numbers and who the device is issued to.

At this stage, the iPhone is successfully onboarded into Microsoft 365 Business Premium’s management. It is receiving policies from Intune, is protected by compliance and conditional access, and (if configured) has additional threat protection. The next section covers ongoing management to keep the device secure and compliant over time.

Security Configurations and Compliance Policies for iPhone

(This section details the key security settings that should be implemented as part of the onboarding, many of which we applied via compliance policy in the steps above. Use it as a reference checklist to ensure nothing is missed.)

Device Compliance Policy – Key Settings: When creating the iOS compliance policy in Intune, consider including these settings to enforce security baselines (in addition to any organisational requirements):

Require a Passcode: Ensure “Require a password to unlock mobile devices” is set to Require[5]. This forces the user to have a lock screen passcode. As noted, this also enables device encryption on iPhones. Configure related passcode settings:
- Block Simple Passwords: Set to Block to disallow easy PINs like 1234[5].
- Minimum Password Length: Recommend at least 6 digits (or more if using alphanumeric).
- Password Type: Consider Numeric (which allows numeric or stronger) or Alphanumeric if you want to require letters too[5]. Alphanumeric passwords are more secure but less convenient on phones – many orgs choose Numeric with a length of 6+ as a balance.
- Password Expiration: You can set passwords to expire after e.g. 90 days to prompt users to change them periodically[5]. (Some organisations skip this on mobile devices, relying on device biometric unlocks and compliance rules.)
- Auto-Lock: Use “Maximum minutes of inactivity until screen locks” to something like 5 minutes or less[5], so devices auto-lock quickly when not in use. And “Maximum minutes after screen lock before password is required” to Immediately or a few minutes[5]. This ensures the passcode is needed promptly after lock.
Device Health:
- Jailbreak (Rooted) Device Detection: Set “Mark noncompliant if Jailbroken” to Block such devices[5]. This will flag any jailbroken iPhone as noncompliant and Intune/Conditional Access can then prevent it from accessing corporate data[5].
- Require Device to be Free of Threats: If using a Mobile Threat Defense like Defender, set Maximum Allowed Device Threat Level to Low (or Secured) to only allow devices with no detected threats[5]. This ties into the threat assessment from Defender for Endpoint.
Operating System Requirements:
- Minimum OS Version: Set the least allowed iOS version. For example, if your org supports iOS 16 and above, put 16.0 here[5]. Devices running older iOS will then show as noncompliant until updated. This helps enforce that users apply iOS updates.
- Maximum OS Version: Generally leave this blank unless you have a specific reason (e.g., a new iOS version is known to break a critical app – then you could temporarily block it by setting max version to one below). If used, be sure to update this when the new OS is vetted, otherwise devices will become noncompliant after upgrading past the max[5].
- Minimum OS Build: Rarely used, but you could specify a minimum build number if a particular security patch is required.
Device Encryption:
- On iOS, encryption is automatically tied to having a passcode (data at rest is encrypted with hardware AES). Intune doesn’t have a separate “require encryption” toggle for iOS because of this. Just ensure the passcode requirement is in place. (For reference, the compliance policy setting “Encryption of data storage on device” is applicable to Android/Windows; on iOS it’s not separately configurable – it’s fulfilled by having a passcode).
System Security and Other Settings:
- Device Security Compliance: Consider enabling “Microsoft Defender for Endpoint device risk” in compliance if you deploy Defender. For instance, Require the device risk score to be at most Low[5]. This integrates threat evaluation.
- Block Cloud Backup of Org Data: While not a compliance setting per se, you might enforce via App Protection or device config that certain app data (like Office 365 data) isn’t backed up to iCloud. This can be configured in an App Protection Policy (MAM) by blocking “backup to iCloud”[6] for managed apps. On supervised devices, a Device Restrictions profile can disable iCloud backup entirely, but that may be too restrictive for BYOD.
- Disable Jailbreak Detection Evasion: (Supervised only) There are settings to prevent the user from turning off features like USB Restricted Mode (which blocks accessory connections if device is locked for an hour) – ensure those are enabled by default on iOS 12+ so that if someone tries to jailbreak via a USB exploit, it’s harder. Intune doesn’t expose every one of these as separate toggles, but keeping device up-to-date and supervised mode helps.

Conditional Access Policy: (As covered in step 6) After configuring compliance, create Conditional Access rules to enforce that devices must be compliant to access corporate cloud apps[6]. This connects the device’s compliance state with real-time access control and is crucial for security. Also consider requiring MFA on new devices or for sensitive apps, even if compliant.

Information Protection Policies: Beyond device config, ensure the rest of M365 security baseline is addressed (though out of scope of device onboarding, it’s worth mentioning): Enable MFA for all users[9], use data loss prevention (DLP) policies for sensitive data in emails/SharePoint, and use sensitivity labels if needed. These complement device security by protecting data at other levels.

Compliance Standards and Regulatory Policies: Intune’s device compliance features help organizations adhere to regulations like HIPAA, GDPR, ISO 27001, etc., by enforcing encryption, access control, and monitoring of devices[10]. For example, HIPAA requires safeguarding of ePHI – by mandating passcodes, encryption, and the ability to wipe a lost device, you are implementing required safeguards. If your organisation has specific regulatory needs, review those and adjust compliance policies accordingly (e.g., shorter device lock times for highly sensitive environments, or specific audit logging requirements). Intune itself is compliant with many standards, and it provides you tools (reports, logs, enforcement) to maintain compliance. Always document your policies and how they map to any regulatory requirement for audit purposes.

Ongoing Management and Maintenance

Onboarding is just the first step. To keep the iPhone managed and protected over time, perform these ongoing tasks and checks:

Monitor Device Compliance: Regularly review the device’s compliance status in Intune. Intune provides compliance reports and dashboards – for example, see if any devices are listed as not compliant and why. Common issues might be an expired OS version, or a user who removed their passcode. Use Intune > Devices > Monitor > Compliance status to get an overview. If a device is noncompliant, Intune can be configured with automatic actions (like send the user a notification, or even retire the device after X days of non-compliance). Take appropriate action: contact the user to resolve the issue or remediate from the admin side. Maintaining compliance is an ongoing process, not a one-time set-and-forget[6][6].
Update Management: Keep the iPhone’s OS up to date. New iOS releases often contain important security fixes. Intune can manage iOS updates for supervised devices using iOS Update Policies[11]. You can schedule updates to install during off-hours or at next check-in, and even defer or push specific versions[11][11]. For unsupervised BYOD devices, Intune can’t force-install OS updates, but you should encourage users to update promptly. Consider setting “mark device noncompliant if OS is older than X” to prompt them. In Company Portal, users can see if their OS is out of compliance and update. Also update required apps via Intune app deployments (Intune can push app updates for VPP or line-of-business apps; App Store apps update through the App Store automatically unless restricted).
Renew Certificates and Tokens: Mark your calendar for important renewals. The Apple MDM Push (APNs) certificate needs renewal every year[2]. Do this in the Intune portal > Tenant Administration > Connectors and Tokens > Apple MDM Push certificate, and also renew the token with Apple. If you integrated Apple Business Manager, the ABM token in Intune (Enrollment Program token) expires every 1–3 years (as set when you created it, up to 5 years max). Ensure it’s renewed via Devices > iOS/iPadOS > Enrollment program tokens before expiry, or devices will fail to enroll. Similarly, if using the Volume Purchase Program (VPP) for deploying apps or Apple Volume Content, renew those tokens annually.
Policy and Profile Maintenance: Periodically re-evaluate your Intune compliance and configuration profiles. You might strengthen policies over time (for instance, raising minimum iOS version as older ones become unsupported, or adjusting password length requirements). Intune will automatically prompt devices to comply with any new settings. Remove or update profiles that are no longer needed. Keep an eye on new Intune features or iOS capabilities that you can take advantage of (for example, new settings in Apple’s iOS Security Configuration Framework updates).
Conditional Access and Azure AD Monitoring: Check Azure AD sign-in logs for blocked sign-in attempts due to device non-compliance or other conditions. This can reveal if users are attempting to bypass policy (e.g., using an unmanaged device). Adjust conditional access policies if needed (for example, if you onboard additional cloud apps or if certain scenarios require exceptions). Azure AD’s Sign-in logs and Policy failures can be filtered to show failures due to CA, which is useful for troubleshooting.
Incident Response – Lost or Stolen Device: Have a process in place for lost or stolen iPhones. In Intune, you can issue a Remote Wipe (factory reset) or a Selective Wipe (corporate data removal) for a managed device. For corporate-owned devices, usually a full wipe (erase) is appropriate to protect data[12]. For BYOD, you might do a selective wipe which removes the Intune management profile and all company data/apps but leaves personal data intact[12]. Train your helpdesk or IT staff how to execute a wipe from the Intune portal (Devices > [select device] > Wipe). Also consider enabling Activation Lock bypass for supervised devices (Intune can display the bypass code if needed to reactivate a wiped device). Ensure users know to report lost devices immediately.
Device Lifecycle Management: If the device is replaced or the user leaves the organisation, you should retire the device from Intune. Intune’s Retire action will remove managed apps and data and the management profile. For corporate devices that will be reassigned, you may then wipe and re-enroll them for the new user. Always keep your Intune device inventory up to date—remove or retire devices that are no longer in use or haven’t checked in for a long time, to maintain security hygiene (Intune can have an auto-cleanup rule for devices inactive for X days).
Audit and Compliance Reporting: Periodically audit the Intune settings against your compliance requirements. Intune supports logging and reports for changes and device events. The Microsoft 365 compliance center can also show device compliance as part of broader compliance posture. If your organisation needs to demonstrate compliance (for example, for a certification or audit), maintain documentation of your Intune compliance policy settings and results. Intune aligns with data protection and regulatory compliance commitments by offering these controls[10], but you should verify and record that devices are indeed compliant. Use Intune’s compliance reports, or export device compliance data, to have evidence that all devices have encryption, passwords, etc., as required by policy.
User Support and Training: Continue to educate users about security best practices on their iPhone. For example, remind them not to install untrusted apps, to beware of phishing texts or emails (which Defender for Endpoint can help mitigate), and to keep their device in their possession. Provide an updated user guide if things change (e.g., if you roll out a new VPN solution or a new required app). Empower users via the Company Portal app to manage certain aspects: they can use it to check compliance, initiate a manual check-in, or even remotely locate or lock their device if you enable those features. Well-informed users are partners in security, not just endpoints to manage.
Stay Updated on Intune and iOS Features: Microsoft Intune and iOS both release frequent updates with new capabilities. For instance, Apple might introduce new MDM controls in a future iOS version (like enhanced VPN controls, or new restrictions) – keep an eye on Intune release notes and plan to implement new beneficial settings. Likewise, Apple’s hardware changes (e.g., eSIM management, new authentication methods) could be relevant. Keeping your device management practices current ensures you maintain a strong security posture.

By following this step-by-step checklist, your organisation will have a fully managed iPhone that is protected by Microsoft 365 Business Premium’s security features and compliant with your policies. The device will be under robust management: from initial enrollment with Intune, through enforced security configurations (passcode, encryption, jailbreak protection, etc.), to continuous compliance monitoring and conditional access enforcement.

In summary, M365 Business Premium provides the tools (Intune, Azure AD Conditional Access, Defender for Endpoint) to manage iPhones in a holistic way. Implementing these steps enables you to: protect corporate data on mobile devices, prevent unauthorized access with conditional compliance requirements, and simplify user onboarding while respecting user privacy on personal devices. Regular maintenance and user communication ensure that the iPhone remains secure throughout its lifecycle in your environment.

References

[1] Enroll iOS iPadOS devices in Intune: Complete Guide – Prajwal Desai

[2] Enroll iOS/iPadOS Devices in Intune Step by Step Guide

[3] Tutorial – Use Apple Business Manager to enroll iOS/iPadOS devices in …

[4] Microsoft 365 Device Management / Intune best practices checklist

[5] iOS/iPadOS device compliance settings in Microsoft Intune

[6] Enforce device compliance and app protection policies on BYOD with M365 …

[7] Enforce device compliance with Conditional Access – Microsoft Entra ID

[8] Microsoft Defender for Endpoint on iOS

[9] Microsoft 365 for business security best practices

[10] memdocs/memdocs/intune/fundamentals/compliance-in-intune.md at main …

[11] Use Microsoft Intune to manage software updates for supervised iOS …

[12] Manage devices enrolled in Mobile Device Management in Microsoft 365

Issues with Microsoft Defender on iOS

I’m having issues with Microsoft Defender for iOS that I’m sharing here in case this may benefit others.

I think the root cause of the issue is that I have an EntraID account (production) and a Microsoft account (consumer) that are identical. One suggested solution is simply to rename the consumer account but I’d prefer not to do that if it can be avoided.

Here’s what typically happens:

My iOS device has Intune Company Portal App installed and I install Microsoft Defender manually from the iOS store. When I run Microsoft Defender I’m greeted by the screen above, which in this case only shows my consumer account.

The only option available is to sign up for a trial. This indicates that it doesn’t accept my production account which includes a license of Defender for Endpoint.

In other cases, I’ve see both my production and consumer account listed but it never seems to accept my production account when my consumer account is also present.

Interestingly, I get different results depending on whether I use an iPad or a iPhone.

On my iPad, I noted that I had both my production and consumer credentials in the Microsoft Authenticator app. I removed all the credentials so there was none. I reboot device, added ONLY my production credentials to the Microsoft Authenticator and then I was able to login to Microsoft Defender with my production account. Interestingly, this worked for a few days and then I had to repeat the process to get Microsoft Defender on my iPad logged back into my production credentials again.

The story is a little different on my iPhone. I didn’t want to remove my Microsoft Authenticator app but I did remove my consumer credentials from the Authenticator app, leaving just my production credential there. Even after a few reboots, I still wasn’t able to login to Microsoft Defender with my production account. Instead I logged into Microsoft Defender using a demo M365 E5 account I had. That allowed access and Defender was working.

A few days later, on my iPhone, Defender was asking for a login. I was now able to login with my production account and enable Defender correctly. However, I do notice that when I run Defender on the iPhone I see it switch out to Microsoft Authenticator and then switch back, as though it is checking my account. Since I have just managed to get Defender logged in on my iPhone with my production account I’ll need to see whether it ‘sticks’ or whether it prompts me to login again in the future.

In summary, as I said initially, the root of these issue come down to the fact that I have the same consumer and production identity and it seems Defender on iOS can’t differentiate. It also seems that Defender on iOS also interacts with Microsoft Authenticator in some way, also in different ways on an iPhone and iPad.

I’ll post more when I have done further testing.

Enabling Play my emails on iOS

Play your emails on iOS has been with us for a while now. My experience is however that most documentation doesn’t tell you how to actually enable this if it is not already on.

To do so, ensure you have a Bluetooth connection to your iOS device. That could be a wireless headset or in your car.

Click the icon in the very top right of you Outlook app once it is open as shown above.

That should display the ‘back stage’ as shown above. Select the Play button on the left hand side towards the bottom as shown.

If the setting is Off then switch it On.

You can now make any adjustments to your configuration.

If you return to ‘back stage’ of the app and press the same Play button Cortana will appear and you’ll be able to have your emails read to you.

You can get back to the Play My Email configuration at anytime now via the app settings as shown above.

For more details on Play My Email in Outlook see:

Need to Know podcast–Episode 211

Where’s Brenton? Share your thoughts here – http://bit.ly/whereisbj

Microsoft has rolled back it’s recent planned partner changes. we have some new Intune security baseline policies to try (and troubleshoot) and Teams leads Slack in user numbers. I speak with Marc Kean to get the low down on what Azure storage is all about. All this and a lot more on this episode.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-211-azure-storage/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@marckean

@directorcia