How to enroll an iOS device in SCCM

Download and own all parts of the blog series in a single PDF file. Use our products page or use the download button below. This blog post won’t be updated, only the document will be.

In Part 1 of this series, we prepared the Intune environment for mobile device management. We also make sure we got the Intune subscription account.

In Part 2, we configured Active Directory and create users in Intune.

In Part 3, we prepared our Configuration Manager server in order to link it to Intune using the SCCM connector.

In Part 4, we will begin device enrollment starting with Apple iOS devices.

Here’s the main steps to enroll an iOS device :

• You need an Apple certificate to establish communication between Apple and Intune
• SCCM must be enabled for iOS enrollment
• Your iOS devices need to download the Company Portal App from the App store.

Create APN Certificate Request

iOS devices needs to be contacted by the Apple Push Notification service (APNs) in order to check for policy. To do so, your company needs an APNs certificate to allow Windows Intune to contact Apple when device ask for new policies. Here’s how to obtain this certificate.

• Go to Administration / Overview / Cloud Services / Windows Intune Subscriptions
• Click the Create APN Certificate Request in the top ribbon

• Enter the path where you want the file to be created and click Download

• You will be prompt with the Intune login page, enter your Intune credential. See part 1 of this blog series if you don’t have an Intune account.

• Confirm that the download is completed
• In the same window, click the Apple Push Certificate Portal link and click Close

• Sign in with your Apple ID on the Apple Push Certificate Portal

• In the Get Started section, click Create a Certificate

• Check the I have read and agree to these terms and conditions check box and click Accept

• Click Browse and select the .CSR file you created previously, click Upload

Your certificate is now created and available for download. The certificate is valid for 1 year. You will need to repeat the process of creating a new certificate each year to continue managing iOS devices.

• Click on Download
• Ensure that the file is a .PEM and save it to a location on your server. If the downloadable file is a .JSON file, use a alternate browser (not IE) to download the file.

On you have saved the file locally, sign out of the Apple Push Certificate Portal. You now have your APN Certificate (.PEM) and we’re ready for the next step.

Enable iOS enrollment

We will now enable iOS enrollment on the SCCM side.

• Open the SCCM Console
• Go to Administration / Overview / Cloud Services / Windows Intune Subscriptions
• Right click Windows Intune Subscriptions
• Click Properties
• Select the iOS tab
• Check Enable iOS enrollment
• Enter your APNs certificate path at the bottom (the file we just downloaded)
• Click OK

Enroll an iOS device

In order to enroll an iOS device, you must install the Microsoft Intune Company Portal App. It can be installed on any iOS device having iOS 6 and later. (Iphone and Ipad)

The Microsoft Intune Company Portal app will allows to perform the following actions:

• Monitor mobile devices with Microsoft Intune
• Enable access to company resources with Microsoft Intune
• Deploy software to mobile devices in Microsoft Intune
• Configure security policy for mobile devices in Microsoft Intune
• Help protect your data with remote wipe, remote lock, or passcode reset using Microsoft Intune

To download the App :

• Open the App Store on your device and search for Microsoft Intune Company Portal. (Or use this direct link)

•  Install the App and open it

• Enter your Intune credentials

• On the Device Enrollment screen select Enroll at the bottom. If you select Cancel, your device won’t be enrolled but you could do it later. (See Troubleshooting section)

• Wait for Intune to be contacted

• You’ll get prompted to install the Management Profile, click on Install. You will be prompt to enter your Iphone passcode.

• Then select Install

• Wait until the process gets completed

• On the Warning page, select Install

• On the Remote Management warning, select Trust

• Once completed, your device will be enrolled. Select Done

• The company Portal will load and you’ll receive the confirmation that the device is enrolled

Verification

In the Company Portal :

• Verify that there’s no I sign beside your device at the bottom of the company portal. The first screenshot is an enrolled device, the second one is a non enrolled device.

In SCCM :

• Open the SCCM Console and browse to Assets and Compliance / Device Collections
• Open the All Mobile Devices collection  and verify that your device is listed

Troubleshooting

At the beginning of the enrollment process, if you click on Cancel you can start it again manually.

• Open the Company Portal, you’ll notice that there’s a I sign beside your device at the bottom. Select your device and the enrollment process will restart. Refer to the above procedure.

If you have any problem with enrollment, you can shake the device to enter diagnostic mode.

You can select to View log file or send it by Email to read it on your computer.

That’s it, you’ve completed the fourth step to manage mobile device with SCCM 2012.

Overview | Mobile Device Management with Intune and SCCM 2012

Next Part | How to enroll an Android device in SCCM

SCCM ios device enrollment