Account-Driven Enrollment for iPhones in Microsoft Intune

Creation date: 11/22/2024 10:21 AM    Updated: 1/3/2025 12:53 PM
Tags: apple, byod, enrollment, ios, iphone, mobile device, phone

Prerequisites

Before you begin the enrollment process, make sure you have the following:
  • A compatible iPhone running iOS 10.0 or later.
  • A stable internet connection (Wi-Fi is recommended).
  • Note: If Microsoft Authenticator is already installed, the enrollment process may fail. If this happens, follow the troubleshooting steps at the bottom of this document to back up Authenticator, then uninstall the app before attempting enrollment again.

Step 1: Enroll the Device Via Settings

You should be prompted to sign in to a work or school account when attempting to log in to applications using your CESA 6 email. To complete the enrollment process:

  1. Go to the Settings app.
  2. Select General.
  3. Select VPN & Device Management to add your work profile.
  4. Tap Sign in to Work or School Account…

    Your phone may prompt you to wait one hour prior to enrolling your device. This is because your phone requires you to be in a "known location" (often your home) to verify that it is you setting up the profile. After the hour expires or you return to the known location, the setup process can continue.

  5. You will be prompted to sign in. Enter your CESA 6 email address and tap Next.
  6. You will be redirected to the CESA 6 sign in portal. Re-enter your CESA 6 email and tap Next.
  7. You will be prompted to sign in using a password or MFA, typically with a 2-digit code to be entered into the Microsoft Authenticator.

    If you are redirected to the Authenticator app after the MFA check, tap "< Settings" in the top left corner to return to the 2-digit code screen, then wait for the prompt to update. DO NOT HIT CANCEL, as that will stop the enrollment process.

  8. After signing in to CESA 6, you will be prompted to sign into your iCloud account. Tap Sign in to iCloud.
  9. This should redirect you to sign in to your CESA 6 account.
  10. After signing in, you will be prompted to set up device remote management. This page will detail the permissions and capabilities for CESA 6 that will be installed on your device. Tap Allow Remote Management.
  11. You will be prompted to enter your iPhone passcode to confirm the installation of the management profile. Enter your iPhone passcode.

Step 2: Configuring the Microsoft Authenticator

The Microsoft Authenticator acts as a broker for all SSO (single sign-on) to applications on the iPhone. It must be installed and synced to your CESA 6 account in order for the company profile to be fully set up. If you already have the Microsoft Authenticator installed, no further action is needed, and you may skip to Step 3.

Set up the Microsoft Authenticator
  1. Open the App Store on your device.
  2. In the search bar, type Microsoft Authenticator.
  3. Tap Install to download and install the app.
  4. Open Authenticator and select the plus icon on the top menu bar.
  5. Tap Work or school account. Select Sign in.
  6. Enter your CESA 6 email and password and follow the prompts.

Step 3: Complete Device Setup

  1. Once the MDM profile and VPN settings are applied, the device will be ready for use.
  2. If prompted, set up additional features such as Face ID or Touch ID for enhanced security.
  3. Complete the setup process, which may include setting a device passcode if your organization requires it.
  4. Your device will now be compliant with your organization's security policies, and you will be able to access corporate resources securely.

Step 4: Verify Device Enrollment

You can verify the enrollment status of your device at any time to ensure it is fully enrolled and compliant with your organization’s policies.

  1. Open the Settings app.
  2. Tap General > VPN & Device Management.
  3. Under Mobile Device Management, you should see your organization’s name listed.
  4. If you see the profile listed, your device is successfully enrolled in Intune.

Step 5: Access Corporate Resources

Once your iPhone is enrolled and configured, you can now access corporate resources such as:
  • Corporate email.
  • Company apps (available for installation from the App Store or automatically deployed).
  • Wi-Fi settings (if configured by your organization).

Troubleshooting 

If you encounter any issues during the enrollment process, here are some troubleshooting steps:
  • Device Compatibility: Ensure your device is running iOS 11.0 or later.
  • Network Connection: Make sure you have a stable Wi-Fi or cellular data connection during the enrollment process.
  • Profile Installation: If the MDM profile doesn’t install properly, check Settings > General > VPN & Device Management to ensure the profile is listed. If not, restart your device and try again.
  • Compliance Issues: If your device is flagged as non-compliant, follow the on-screen instructions to resolve any policy requirements (e.g., setting a passcode or enabling encryption).
  • Enrollment Issues: If the device fails to enroll, ensure that your work or school account is correctly linked to your organization’s Azure AD. Contact IT support for troubleshooting.

Backing up the Microsoft Authenticator

Before you can back up your credentials, you must:

  • Have a Microsoft account to act as your recovery account.
  • Sign in to your iCloud account. This is where the credentials are stored.

On your iOS device:

  1. Tap Settings.
  2. Under "Backup", enable the iCloud backup toggle.

"Something went wrong" message when trying to back up

If you see the message "Something went wrong" when trying to back up your credentials, it's because you are not signed in.

  1. On your mobile device, open Authenticator, and select the more options ellipsis, then Settings.
  2. Under Backup, turn on the Cloud Backup toggle and select Continue or Change account to sign in and create a backup.