iOS/iPad OS: Enrolling Devices

This article will explain how to enrol Single and Shared iOS devices onto NHSmail Intune.

The enrolment process consists of 2 phases:

  • Phase 1 – This is completed by LAs and the steps are outlined in this article
  • Phase 2 – This is completed by end users (or LAs on behalf of end users) once Phase 1 is successfully completed. Please see the Quick Start End User Guide for step-by-step instructions on how to do this.

Please note:

Both phases will need to be completed to enrol devices

1. Creating User Enrolment Profiles

Once the ABM link has been established, enrolment profiles can then be created. These enrolment profiles define the experience and settings applied to a group of devices during the enrolment phase.

Please note:

Each new enrolment profile will require an AAD Dynamic group to be created, in order to pull devices into their relevant groups. This is required to ensure devices can be managed within the Intune Portal.

If you require a dynamic group to be created or amended, please raise a service request via Helpdesk Self-Service.

1. Navigate to: Devices > Apple > iOS/iPadOS > iOS/iPadOS enrolment > Enrolment program tokens to connect your ABM instance to Intune.

 

 

2. Select Profiles.

 

 

 

3. Select Create Profile.

 

 

 

4. Enter the relevant Profile Name.

 

 

 

Please note:

When entering a new profile name please follow the correct standard – ‘Trust ODS Code -Device Type Enrolment Profile’

e.g., <ODS>-Shared Device-iOSEnrolment-Profile (Shared User Devices)

<ODS>-iOS-Enrolment-Profile (Single User Devices)

This is important as the naming standards need to be adhered to so that devices get populated to the correct dynamic AAD groups.

2. User Enrolment Affinity Options

Intune provides two different enrolment methods for Apple devices. The key differences between the two options are highlighted as follows:

  • Enrol with User Affinity:
    • This option allows users to enrol using their Azure AD nhs.net credentials and is designed for a single user use case.
  • Enrol Without User Affinity:
    • This option is for shared/kiosk mode devices and does not require the Company Portal app.

3. iOS Single User Device Enrolment

The following section details the steps to enrol devices with User Affinity.

Please note:

The settings configured in this profile will determine end users’ experience after their device is reset and they progress through the enrolment process.

1. Select Enrol with User Affinity for single user devices and ensure all details are completed as shown on the screenshot below, and then select Review + save.

 

 

Please note:

End users will be required to authenticate via the ‘Company Portal App’ when they are enrolling their devices. It is therefore important that Company Portal VPP licences are assigned to Intune.

Please note:

For the ‘Device Name Template’, please use the following naming standard:

<ODSCode>-{{DEVICETYPE}}-{{SERIAL}}

2. Configure the Apple Setup Assistant.

 

 

 

Critical Note:

The NHSmail Intune team recommends that the ‘Apple ID’ page be set to ‘Hidden’ in the Apple Setup Assistant. This prevents users from being prompted to enter Apple IDs during the enrolment process. As the primary method of authentication to AAD is via Company Portal, users are expected to sign in with their nhs.net credentials in the Company Portal app.

Users can choose to connect their Apple ID after their enrolment.

3. Next, open the ABM Tenant and select ‘Devices’. Search for the devices you’d like to move.

 

 

4. Once the device has been selected, click ‘Assign to the following MDM’ (your MDM token).

 

 

5. Once the device has been assigned, a completion notification should appear.

 

 

6. Once the device has been assigned to Intune, this should update on the MDM Servers page in ABM.

 

 

7. Once you have confirmed that the device has updated (and is showing) on the MDM Servers page, open the Intune Enrolment Program Token page and Sync the devices.

 

 

8. Assign the devices to the profile you have created to complete the link.

 

 

Please note:

iOS devices cannot be assigned to specific users only; however, when the user logs in, their UPN will be added to the device, which will be visible to LAs in Intune.

4. iOS Shared Devices Enrolment

The process for setting up ‘shared mode’ for iOS and iPadOS is similar to that of a user affinity profile. Whilst the same device enrolment process is followed, it is necessary to create a separate Enrolment Profile for Shared Devices.

The process below describes the steps required to enrol a shared iOS/iPadOS device via an Intune Enrolment profile:

1. Select the Enrol without User Affinity option, then enter your device name template: ‘<ODS>-SharedDevice-{{DEVICETYPE}}-{{SERIAL}}’.

 

 

Please note:

It is important to follow the correct naming standard – ‘ODS CodeSharedDevice-{{DEVICETYPE}}-{{SERIAL}}’.

Example: Trust1SharedDevice-{{DEVICETYPE}}-{{SERIAL}}

2. Please change Passcode, Apple ID, Touch ID, Apple Pay and Device to Device Migration to ‘Hide’; you can choose to disable more settings if required.

 

 

Please visit the IOS Enrolment and Management document for more details.
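
The following is an added example, not part of the original article or of any NHSmail tooling: a Python check of enrolment profile records against the naming standards and Setup Assistant settings given in sections 1, 3 and 4. The record fields (`name`, `user_affinity`, `device_name_template`, `hidden_panes`) and the sample data are constructed for illustration and are not an Intune export format.

```python
# Standards quoted from this article; "<ODS>" stands for the trust's ODS code.
TOKENS = "{{DEVICETYPE}}-{{SERIAL}}"
PROFILE_NAME = {
    "single": "<ODS>-iOS-Enrolment-Profile",
    "shared": "<ODS>-Shared Device-iOSEnrolment-Profile",
}
# The article writes the shared template both with and without a hyphen
# after the ODS code, so both spellings are accepted here.
DEVICE_TEMPLATE = {
    "single": ["<ODS>-" + TOKENS],
    "shared": ["<ODS>-SharedDevice-" + TOKENS, "<ODS>SharedDevice-" + TOKENS],
}
# Setup Assistant panes the article says to hide for each profile type
# (for single-user profiles, hiding Apple ID is the team's recommendation).
MUST_HIDE = {
    "single": {"Apple ID"},
    "shared": {"Passcode", "Apple ID", "Touch ID", "Apple Pay",
               "Device to Device Migration"},
}

def lint_profile(profile, ods):
    """Return a list of findings for one enrolment profile record."""
    kind = "single" if profile["user_affinity"] else "shared"
    findings = []
    expected = PROFILE_NAME[kind].replace("<ODS>", ods)
    # Exact match: dynamic group population depends on the profile name.
    if profile["name"] != expected:
        findings.append(f"profile name should be '{expected}'")
    allowed = [t.replace("<ODS>", ods) for t in DEVICE_TEMPLATE[kind]]
    if profile["device_name_template"] not in allowed:
        findings.append(f"device name template should be '{allowed[0]}'")
    for pane in sorted(MUST_HIDE[kind] - set(profile["hidden_panes"])):
        findings.append(f"Setup Assistant pane '{pane}' should be hidden")
    return findings

# Constructed sample records (hypothetical fields, not an Intune export).
SAMPLE_PROFILES = [
    {"name": "Trust1-iOS-Enrolment-Profile", "user_affinity": True,
     "device_name_template": "Trust1-{{DEVICETYPE}}-{{SERIAL}}",
     "hidden_panes": ["Apple ID"]},
    {"name": "Trust1-Shared-Device-iOS-Enrolment-Profile", "user_affinity": False,
     "device_name_template": "Trust1SharedDevice-{{DEVICETYPE}}-{{SERIAL}}",
     "hidden_panes": ["Passcode", "Apple ID", "Touch ID"]},
]

if __name__ == "__main__":
    for p in SAMPLE_PROFILES:
        for finding in lint_profile(p, "Trust1") or ["OK"]:
            print(f"{p['name']}: {finding}")
```

The second sample record is flagged for a profile name that differs from the standard by a single hyphen and a space, which is the kind of mismatch that would keep devices out of the expected dynamic group.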

Last Reviewed Date 14/03/2024
Updated on 12/08/2024