Note – A manually enroled iOS/iPadOS device will automatically be assigned a ‘Personal’ ownership designation. For this reason, Corporate Device Identifiers are used for pre-declaring known Corporate Owned devices, prior to enrolment.

Configure Corporate Device Identifiers

Note – Corporate Identifiers support both IMEI and Serial Numbers as a form of unqiue identifier. Endpoint Manager also provide the function to bulk upload identifiers using a CSV file.

From the home dashboard, navigate to Devices > Enrol Devices > Corporate Device Indentifiers.

Select ‘Add’ button.

Select ‘Enter Manually’.

In this example, Serial Number will be used as the chosen unique identifier.

Select ‘Serial Number’ from the Select identifier type drop down box.

It is possble to locate the serial number for an iOS/iPadOS device from the Settings app:

1. Open the Settings app
2. Select General > About
3. Scroll down to find ‘Serial Number’

Once the serial number has been obatined, input this alphanumeric numerber into the text field in the column designated ‘Identifier’.

Next, provide details about the device, for example:

John Doe – iPhone SE 1st Gen

Select ‘Add’ button to finish.

You will see the Corporate Identifier ready for use.

Add Outlook for iOS

Note – Apps deployed straight from the public app store require an Apple ID account signed in on the device. If an Apple ID account isn’t present, the operating system will prompt the user to sign in before apps can be installed.

Sign in to your Endpoint Manager portal by browsing to https://endpoint.microsoft.com

From the home dashboard, navigate to Apps > iOS/iPadOS > iOS/iPadOS apps.

Select the ‘Add’ button.

Select ‘iOS store app’ from the App Type drop-down and then press ‘Select’.

Select ‘Search the App Store’.

Ensure the correct locale is selected before search for an app. (United States is the default)

Enter Outlook into the search field.

Select ‘Microsoft Outlook’ from the list and then press ‘Select’.

In the App Information section, observe that Endpoint Manager will conveniently pull all information about the app from the app store.

Select ‘Next’.

Choose the correct type of assignment relevant to your organisation requirements.

For the purpose of this training course, we assign Outlook as ‘Required’.

Select ‘Add Group’.

In this example, the ‘Corporate Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Save’.

Once created, you will see Outlook app appear in the list ready for use.

See in Action

After assigning your chosen application as ‘Required’, Endpoint Manager will automatically prompt the user to install the application. Should the user select, ‘Cancel’, Endpoint Manager will prompt again upon the next scheduled device check-in.

Within the Endpoint Manager portal, we can validate the email profile has been successfully installed on the device by navigating to Devices > All Devices.

Selecting the device entry, under Managed App on the left side menu, we can see the application successfully installed.

Create an iOS Email Profile

Note – The email profile uses the native or built-in email app on the device, and allows users to connect to their work email. This profile will not apply settings for Outlook mobile app.

From the home dashboard, navigate to Devices > Configuration Profiles.

Select the ‘Create Profile’ button.

Select ‘iOS/iPadOS’ as the platform.

Select ‘Email’ as the Profile Type and then select ‘Create’.

Set a Name and Description.
**Example**
Name: iOS – Email Profile
Description: Email profile for iOS devices.

Select ‘Next’

For the purposes of this training course, the following example email profile settings will be set:
**Example**
Exchange ActiveSync account settings

• Email server: outlook.office365.com
• Account name: Work Email
• Username attribute from AAD: User Principal Name
• Email address attribute from AAD: Primary SMTP Address
• Authentication method: Username and password
• SSL: Enable

Exchange ActiveSync profile configuration

• Exchange data to sync: All data

Select ‘Next’.

Under Assignments, select ‘Add Groups’.

In this example, the ‘Corporate Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Create’.

Once created, you will see the email profile appear in the list ready for use.

See in Action

Note – Device prompts and their wording may change and present slightly different between iOS versions.

Once the email profile has been successfully installed, the device will automatically prompt the user to complete Exchange ActiveSync authentication by asking for a password.

After authentication is complete, within the settings app under Mail > Accounts, we can see our account listed. Drilling down further into detail by selecting the email profile, we can validate the details match the Endpoint Manager deployed email profile.

Moving over to the native mail app, a test email has been received successfully.

Within the Endpoint Manager portal, we can validate the email profile has been successfully installed on the device by navigating to Devices > All Devices.

Selecting the device entry, under Device Configuration on the left side menu, we can see the email profile we created successfully installed.

Create an iOS Configuration Profile

Note – Apple iOS/iPadOS supervised mode gives administrators more options when managing Apple devices, making it useful for corporate-owned devices deployed at scale. For example, you can restrict AirDrop or prevent users from changing the name of the device. For a list of settings that require supervised mode, see iOS device restriction settings in Intune.

From the home dashboard, navigate to Devices > Configuration Profiles.

Select the ‘Create Profile’ button.

Select ‘iOS/iPadOS’ as the platform.

Select ‘Device Restrictions’ as the Profile Type and then select ‘Create’.

Set a Name and Description.
**Example**
Name: iOS – Device Restrictions Profile
Description: Device Restrictions profile for iOS devices.

Select ‘Next’

For the purposes of this training course, the following example baseline configuration profile settings will be tailored to an Unsupervised device:
**Example**
App Store, Doc Viewing, Gaming

• Treat AirDrop as an unmanaged destination: Yes

Cloud and Storage

• Force encrypted backup: Yes

Password

• Require password: Yes
• Block simple passwords: Yes
• Required password type: Numeric
• Number of non-alphanumeric characters in password: 1
• Minimum password length: 6
• Maximum minutes after screen lock before the password is required: Immediately
• Maximum minutes of inactivity until screen locks: 5 minutes

Show or Hide Apps

• Type of apps list: Hidden apps
• Apps list: (Microsoft kindly provide a list of known Apple native app bundle ID’s)
  • App bundle ID: com.apple.gamecenter
  • App Name: Game Center

Wireless

• Block data roaming: Yes

Select ‘Next’.

Under Assignments, select ‘Add Groups’.

In this example, the ‘Corporate Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Create’.

Once created, you will see the configuration profile appear in the list ready for use.

See in Action

Installed configuration can be validated on the device by the user. Observing our enrolled device with the setting app, under General > Device Management > Management Profile, we can see “2 Restrictions” and “Password Policy” listed in the Contains list.

Selecting Restrictions, we can further validate device restriction settings match the Endpoint Manager deployed configuration profile we created.

Drilling down into more detail by selecting the password policy, again, we can validate the password policy being enforced on the device matches the Endpoint Manager deployed configuration profile.

Within the Endpoint Manager portal, we can validate the configuration profile has been successfully installed on the device by navigating to Devices > All Devices.

Selecting the device entry, under Device Configuration on the left side menu, we can see the configuration profile we created successfully installed.