Get a list of devices based on iOS enrolment type – dynamic groups in Azure Active Directory

A year ago, Apple announced a new method of iOS/iPad device enrolment which is called User Enrollment. This enrolment method is available in iOS 13 and macOS 10.15 Catalina and later OS.

with user enrollment, we can use federated authentication to link Apple Business Manager to your instance of Microsoft Azure Active Directory (Azure AD). As a result, your users can leverage their Azure AD usernames (User Principal Name) and passwords as Managed Apple IDs. They can then use their Azure AD credentials to sign in to their assigned iPad or Mac and even to iCloud on the web. Users can also use it to sign in on Shared iPad.

For more information, please refer https://support.apple.com/en-gb/guide/apple-business-manager/apdb19317543/web

With the availability of user enrolment from Apple, we can use Intune to enroll iOS and iPadOS devices using Apple's User Enrolment process.

Following are the 3 device enrolment types available.

image

For more information about user enrollment in Intune, please refer to https://docs.microsoft.com/en-us/mem/intune/enrollment/ios-user-enrollment?

After you create an enrolment profile, assign to a user group and enroll the devices, you may need to identify the list of devices that use a specific enrolment profile for reporting purpose.

In my tenant, I have created 3 different enrollment types and assigned them to various user groups based on the requirement.

image

Now how do we know devices that are are enrolled using particular enrollment type?

We can use Azure Active Directory dynamic membership group with an enrollment profile name.

Azure Active Directory (Azure AD) helps you to create complex attribute-based rules to enable dynamic memberships for groups.

To create dynamic Azure AD group for specific enrollment profile, follow the steps below.

  1. Login to https://aad.portal.azure.com/ or https://endpoint.microsoft.com/
  2. Click on Azure Active Directory, click on Groups
  3. Click on create a new group, give it a name, description and for membership rule, choose Dynamic Device, click on add dynamic query

image

4. Configure the values as per below.

Value should be the enrollment type name that you created above.

image

5. Click on save and create

The group will now start processing the changes and fetch the devices that match the specific enrollment type.

Like wise, you can create several azure AD dynamic groups based on the attributes available and used in intune.

For a list of pre-defined rules and device attributes that can be used in dynamic groups, please refer

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership#rules-for-devices

Leave a Reply