A year ago, Apple announced a new method of iOS/iPad device enrolment which is called User Enrollment. This enrolment method is available in iOS 13 and macOS 10.15 Catalina and later OS.
with user enrollment, we can use federated authentication to link Apple Business Manager to your instance of Microsoft Azure Active Directory (Azure AD). As a result, your users can leverage their Azure AD usernames (User Principal Name) and passwords as Managed Apple IDs. They can then use their Azure AD credentials to sign in to their assigned iPad or Mac and even to iCloud on the web. Users can also use it to sign in on Shared iPad.
For more information, please refer https://support.apple.com/en-gb/guide/apple-business-manager/apdb19317543/web
With the availability of user enrolment from Apple, we can use Intune to enroll iOS and iPadOS devices using Apple's User Enrolment process.
Following are the 3 device enrolment types available.
For more information about user enrollment in Intune, please refer to https://docs.microsoft.com/en-us/mem/intune/enrollment/ios-user-enrollment?
After you create an enrolment profile, assign to a user group and enroll the devices, you may need to identify the list of devices that use a specific enrolment profile for reporting purpose.
In my tenant, I have created 3 different enrollment types and assigned them to various user groups based on the requirement.
Now how do we know devices that are are enrolled using particular enrollment type?
We can use Azure Active Directory dynamic membership group with an enrollment profile name.
Azure Active Directory (Azure AD) helps you to create complex attribute-based rules to enable dynamic memberships for groups.
To create dynamic Azure AD group for specific enrollment profile, follow the steps below.
- Login to https://aad.portal.azure.com/ or https://endpoint.microsoft.com/
- Click on Azure Active Directory, click on Groups
- Click on create a new group, give it a name, description and for membership rule, choose Dynamic Device, click on add dynamic query
4. Configure the values as per below.
Value should be the enrollment type name that you created above.
5. Click on save and create
The group will now start processing the changes and fetch the devices that match the specific enrollment type.
Like wise, you can create several azure AD dynamic groups based on the attributes available and used in intune.
For a list of pre-defined rules and device attributes that can be used in dynamic groups, please refer
3 Comments
I believe i am hacked with the hacker using a Microsoft cloud based MDM program. This is my personal device. I’m retired and do not work. But my device is telling me that my email is enrolled in this program. it was also telling me my computer is enrolled in Windows hello for business. Can you please check my email address on these programs. I have already check with apple. Please help i have been hacked for 3 years. Have 5 police reports have lost thousands. Every file i find on phone relates to azure and on computer relates to windows hello for business. I been through hell. I know who is targeting me.
Hello Easwar,
This is a generic query on group creation
Would it be possible to create dynamic device group in Intune based on iOS serial numbers ?
Hi,
Serial number is not listed as an attribute in the dynamic group creation. You will have to use powershell to query the data to create the group based on the devices.
Thanks,
Eswar