Introduction

This post started as a revamp of our Apple certificate for use with Intune devices. But, with all things Microsoft, the more you look into it, the more you get sucked in. The simple "redo the certificate" (don't ask why that's security's job) morphed into a complete overhaul of the MAM and MDM policies. I took some notes, pulled together an internal user guide, and boom: the basic makings of a blog post.

For the majority of this guide, I'll be working exclusively with MAM as MDM is a lot more involved. I plan on making another post about MDM and other OSes at a later date. Before we dive into it, a quick note about MDM and MAM:

  • MDM (Mobile Device Management) - A service/tool that remotely manages devices. This includes phones, workstations, and desktops. Intune is just one of many MDM solutions and happens to be Microsoft's. MDMs work by protecting the entire device and making decisions about how it should be configured, because the device is owned by a company.
  • MAM (Mobile Application Management) - Similar to MDM, but this service/tool only manages specific applications deployed to devices. This is most commonly used for BYOD scenarios where the entire device doesn't need to be protected, but corporate resources do. It creates a protected container that houses data from the protected applications, letting administrators manage access and what happens within those applications only.
  • MEM (Microsoft Endpoint Manager) - Microsoft's dashboard to house all things Intune. This is the place to push both MDM and MAM, along with configuration baselines, compliance policies, and more. The dashboard can be found here.

This is a quick and dirty guide, with some insights I found helpful to pushing enrollment policies for iOS devices (Android and Windows coming soon). Just as you can push one enrollment policy driven by user choice, you can also push separate policies for BYOD and corporate-owned devices. If pushing corporate-owned, the best-practice approach is to use Apple Business Manager to allocate devices by serial number to your organisation. This allows IT to manage a large number of devices using Automated Device Enrollment, for example pushing applications before a user signs in with an Apple ID (pending configurations). For the processes below, all access to the protected apps starts with the Company Portal provided by Microsoft, which acts as the gateway and communications mechanism between the device and Intune.


Starting Point

Being such a closed ecosystem, iOS requires additional steps for BYOD. The first step is to create an MDM certificate that gets applied once a user logs into the Company Portal app after downloading it. There's no way to "force" downloads to a BYOD iOS device without Company Portal because of the way Apple works, so installing the MDM certificate adds it as a "trusted source" that can push downloads without the user having to go to the App Store and download against their Apple ID.

Before we get started, there are a couple of caveats provided by Microsoft when applying User Enrollment. Here's a quick summary:

  • User enrollment creates a "work partition" on the devices.
  • If users primarily use Microsoft apps, or use apps created with the Intune App SDK, then users should download these apps from the Apple app store.
  • Application management (MAM) doesn't support LOB apps, so if you need LOB apps, use User Enrollment. LOB apps are defined as apps added to Intune from an IPA app installation file; essentially, any app developed in-house.
  • Assign the enrollment profile to user groups only.
  • Once enrolled, you can't go from User Enrollment to Device Enrollment. You also can't force an app from unmanaged to managed. This is important, because the next point is, like, super key:
  • If you install apps before the User Enrollment profile is applied, those apps are not protected or managed by the user enrollment profile.

For example: Let's say a user downloads Outlook from the App Store for use with their personal account. The app automatically installs to a sort of "user partition" on the device. If their organisation has conditional access policies in place, they'll be blocked by conditional access, and asked to enroll. They enroll, and a user enrollment profile deploys.

In the example above, Outlook was installed before the User Enrollment profile was applied, so naturally it fails. Outlook can't be managed because it's installed and configured inside the user partition, not the work partition. Users must manually uninstall the Outlook app. Once it's uninstalled, users can either:

  1. Sync the device manually and reapply the user enrollment profile.
  2. Create an app configuration policy for Outlook. Any apps with configuration policies will show within the Company Portal app. There are different ways to configure apps for deployment to users, but more on that later.

Enrollment Type Creation

Create a deployment profile first by going to Endpoint Manager > Devices > Enroll Devices > Apple enrollment > Enrollment Types. You can create an overarching policy that pushes the appropriate policies based on user input (whether to apply protections to the user account (MAM) or to the device (MDM)). For this post, I'm pushing an Enrollment Policy based on user choice, and had to create a "walkthrough guide" for users who may not be as technically savvy, to explain what's protected, how to perform enrollment, and the like.

Best practice is to apply this to a group of test users first to iron any kinks that may come up along the way. But you know what? It's your life, you live it the way you want to - just say I didn't warn you.

Application Assignment Profiles

Once you've got the policy created, navigate to Endpoint Manager > Apps > iOS to define which apps you want to push to devices owned by users enrolled in the Enrollment Policy. These apps will populate within the Company Portal app (as noted before) and can be pushed without needing to navigate to the App Store. Which apps to deploy depends on your organisation's requirements, but there's an option to deploy apps with three different scenarios:

  1. Required. As soon as the user completes the steps to enroll in the Company Portal app, these apps will be force-downloaded for all users within the assigned group.
  2. Available for enrolled devices. These apps are available for download, but seen as "optional".
  3. Available with or without enrollment. I'm not really sure when you would use this because this kind of defeats the purpose of MAM, but Microsoft says this about it:
Available with or without enrollment: Assign this app to groups of users whose devices are not enrolled with Intune. Users must be assigned an Intune license, see Intune Licenses.

User View

Device Enrollment (or Company-Owned)

As stated earlier, users must download the Company Portal to receive the MAM policies we've put into place. After installation, the user will be prompted to sign into their Microsoft account and be greeted with the screen seen in the first picture below. Company Portal will automatically download the MDM certificate we created earlier in the process to the device (second picture), along with the steps to install it onto the phone (third picture).

Once the Management Profile is installed, users are returned to the Company Portal app and receive notifications about applications that will be installed (based on the assignment type created for each app), as shown in the fifth picture. The last picture shows all applications that are installed and available as defined by the app configuration policies.

User Enrollment (or BYOD)

The steps for User Enrollment are almost exactly the same, with some minor differences: in the first picture below, users are prompted to choose who owns the device, followed by installation of MS Authenticator (dependent on the MFA requirements of the organisation), seen in the second picture. Lastly, users are given an overview of what IT can and can't see on their device (third picture).

And that's it! Now would be a good time to revoke the previous MDM certificate and force all users with iOS BYOD devices to re-authenticate with Company Portal. The Company Portal can also be customised to fit specific needs.


Troubleshooting

I did have an issue with a user not seeing any applications available within the Company Portal after downloading, regardless of their group membership in the test group. Evidently this can occur when Company Portal can't determine what device is being used and can't route applications accordingly. The official fix for this from Microsoft is to have users access https://portal.manage.microsoft.com/ from the affected device and select the device they're using, and it should be resolved. You can also check that they have a valid Intune license and that the device limit hasn't been reached for that user.
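The licence and device-limit checks above, plus the app assignment intents from the Application Assignment Profiles section (required, available, available with or without enrollment), can be verified from the admin side before asking the user to try anything. The script below is an added example written for this post, not code from Microsoft or the original author. It uses the Microsoft.Graph PowerShell SDK cmdlets (Get-MgUserLicenseDetail, Get-MgDeviceManagementManagedDevice, Get-MgUserMemberOf, Get-MgDeviceAppManagementMobileApp). Assumptions: the INTUNE_A service plan name identifies an Intune licence, the enrollment limit of 5 is a placeholder you should replace with your own enrollment restriction, and the account running it has read access to users, groups, managed devices and apps.

```powershell
# Added example, not part of the original post: triage "user sees no apps in
# Company Portal" from the Intune side. Requires: Install-Module Microsoft.Graph
param(
    [Parameter(Mandatory = $true)][string]$UserPrincipalName,
    [int]$DeviceLimit = 5   # ASSUMPTION: placeholder, set to your tenant's enrollment limit
)

Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All',
    'DeviceManagementManagedDevices.Read.All', 'DeviceManagementApps.Read.All' | Out-Null

# 1. Intune licence: an enabled INTUNE_A service plan must be present.
$plans = Get-MgUserLicenseDetail -UserId $UserPrincipalName |
    Select-Object -ExpandProperty ServicePlans
$intunePlan = $plans | Where-Object {
    $_.ServicePlanName -eq 'INTUNE_A' -and $_.ProvisioningStatus -eq 'Success'
}
if ($intunePlan) { Write-Host '[OK]   Intune service plan is enabled for this user' }
else             { Write-Host '[FAIL] No enabled INTUNE_A service plan; Company Portal will not populate apps' }

# 2. Device count against the enrollment limit (MDM-enrolled devices only).
$devices = @(Get-MgDeviceManagementManagedDevice -All -Filter "userPrincipalName eq '$UserPrincipalName'")
Write-Host ('[INFO] {0} managed device(s), limit {1}' -f $devices.Count, $DeviceLimit)
foreach ($d in $devices) {
    # ManagedDeviceOwnerType: 'company' (Device Enrollment) or 'personal' (BYOD / User Enrollment)
    Write-Host ('       {0,-25} {1,-8} owner={2} enrolled={3:yyyy-MM-dd}' -f
        $d.DeviceName, $d.OperatingSystem, $d.ManagedDeviceOwnerType, $d.EnrolledDateTime)
}
if ($devices.Count -ge $DeviceLimit) { Write-Host '[FAIL] Device limit reached; new enrollments will be refused' }

# 3. iOS app assignments that target one of the user's groups, with the intent
#    that decides whether Company Portal shows the app as required or optional.
$groupIds = @(Get-MgUserMemberOf -UserId $UserPrincipalName -All | Select-Object -ExpandProperty Id)
$apps = Get-MgDeviceAppManagementMobileApp -All -ExpandProperty assignments
$matched = 0
foreach ($app in $apps) {
    # Keep only iOS app types (iosStoreApp, iosLobApp, iosVppApp, ...)
    if ($app.AdditionalProperties['@odata.type'] -notlike '#microsoft.graph.ios*') { continue }
    foreach ($a in $app.Assignments) {
        $targetGroup = $a.Target.AdditionalProperties['groupId']
        if ($targetGroup -and ($groupIds -contains $targetGroup)) {
            # Intent is 'required', 'available' or 'availableWithoutEnrollment'
            Write-Host ('[APP]  {0,-40} intent={1}' -f $app.DisplayName, $a.Intent)
            $matched++
        }
    }
}
if ($matched -eq 0) {
    Write-Host '[FAIL] No iOS app assignment targets a group this user is in; check group membership and assignments'
}
```

Run it as `.\Check-IntuneUser.ps1 -UserPrincipalName user@contoso.example` (the file name and address are placeholders). If step 1 and 2 pass and step 3 lists the expected apps with the expected intent, the problem is on the device side (Company Portal not knowing which device it is on), which is when the portal.manage.microsoft.com fix applies.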

The user wasn't able to access the link, but I was able to find a workaround. I assigned an app to another group the user was a member of and navigated to AAD > Devices > All Devices > AFFECTED DEVICE. Once there, I clicked the Manage option and went to Managed Apps. I was able to see applications populated that matched what they were expected to see, and confirmed they worked within Company Portal. Boom goes the dynamite.