Working with public sector customers, i'm seeing more requirements to enrol BYOD devices to meet the requirements of e.g. Cyber Essentials. Whilst full mobile device management of Bring Your Own Devices (BYOD) is still uncommon, given the capabilities of App Protection (MAM) and Defender for Cloud Apps etc, it's important to think about what it actually means from a organisation and end user perspective if you indeed require enrolment.
It's easy with Android
Since the birth of Android Enterprise Work Profiles, Google have done a pretty good job with it's "minimum" management capabilities, allowing an organisation to manage just a work profile on a personally-owned device without interfering with a users personal area. Additionally, the capabilities of making apps Available from the Managed Google Play Store and installing those apps in the work profile makes everything seem nicely disconnected. When a device is retired from Intune, these managed apps are removed.
Not so easy with iOS/iPadOS
Currently, the only generally available BYOD MDM option for iOS/iPadOS devices is Device Enrolment (i know i'm getting to User Enrolment which is in Public Preview don't worry).
EDIT 16/02/2023: User Enrolment looks to be generally available now
Which provides admins with a wide range of management options including Compliance, App Configuration, Device Restrictions and application deployment either via the Apple Store or an Apple VVP. Any Supervised settings is not supported for iOS/iPadOS Device Enrolment.
The concern with Device Enrolment, is that an admin can wipe said device from Intune, unlike an Android Enterprise Work Profile device. Which of course, from an end user perspective is quite alarming.
Also, if an admin deploys an app to a Device Enrolment device e.g. Outlook. Microsoft Intune takes authority of the management of that app. An admin then has the permission to remove the app using device removal settings. Which again from an end user perspective may not be applicable if they already installed Outlook prior to enrolling their device.
What is right for you
With the introduction of User Enrolment in Microsoft Intune for iOS/iPadOS devices (which is still technically in Public Preview), we now have a choice of BYOD management, so understanding what both do and can't do is crucial before proceeding.
User Enrolment
Sounds a lot like a Android Enterprise Work Profile no??
One prerequisite for the use of User Enrolment is Managed Apple IDs. Which is quite frustrating because for customers who have not federated between Apple Business Manager and Azure AD, this piece of work will likely need to be done to catch username conflicts before rolling out to production. You could of course, manually create managed Apple IDs in Apple Business Manager but it's not recommended for large organisations due to the overhead of managing these accounts, especially if a user leaves the organisation.
Note: for Education customers, Managed Apple IDs do come with some restrictions, which again needs to be thought about before using a Managed Apple ID.
So you want User Enrolment?
Let's assume you have Managed Apple IDs and require enrolment of BYOD iOS/iPadOS devices.
The real benefits of using User Enrolment is the minimum management options an admin has particularly around device commands in Intune.
Admins can perform the following actions and options on User Enrolment devices:
Retire
Delete
Remote Lock
Sync
All other actions aren't supported including Wiping the device.
For application deployment, Intune does not take authority of existing apps that may have been installed e.g. Outlook because there is a separate "work profile" now on the device. Meaning, there is a clear separation between App Store (personal) apps and managed apps via an Apple VPP.
Note: You must use your Apple VPP to deploy managed apps to User Enrolment devices. If you've not configured an Apple VPP Connector in Microsoft Intune, please do this.
MDM control of applications outside of the managed APFS volume.
Application Protection Policies will still apply to these apps. However, you won't be able to take over management or deploy a managed version of these apps unless the user deletes them from their device.
So essentially what this means is you can deploy managed apps (if the user doesn't have them installed e.g. Outlook which is annoying) to the APFS volume (work profile) and control device removal settings without having to worry about unintentionally affecting the device on device removal. Perfect!
User Enrolment considerations
There are some actions/restrictions that are not supported with User Enrolment which should be considered before using this profile as you may require this for legal/security reasons:
Collect app inventory for apps outside of the managed APFS volume.
Collect inventory of certificates and provisioning profiles outside of the managed APFS volume.
Collect UDID and other persistent device identifiers, such as phone number, serial number, and IMEI
User Enrolment supports a unique enrolment ID for each device enrolled, but this ID doesn't persist after unenrolment.
SCEP User profiles with Subject Name Format of Serial Number.
Device-level VPN.
Device-licensed VPP app deployment.
Install App Store apps as managed apps.
Actions, configurations, settings, and commands requiring supervision.
Customised privacy text in the Company Portal. If the admin has customized the text indicating what organizations can/can't see, then users will see the same text indicating what organizations can/can't see for User and Device Enrolment in the Company Portal.
Devices running iOS 15.5 cannot enrol with User Enrolment if MFA text or call is needed on the same device during enrolment.
Devices running iOS 15.7 through iOS 16.3 cannot enrol with User Enrolment with MFA text. MFA call must be used in order to enrol with User Enrolment if MFA is needed on the same device during enrolment.
Application reporting for app types unsupported with User Enrolment.
ref - Intune actions and options supported with Apple User Enrollment - Microsoft Intune | Microsoft Learn
Create a User Enrolment profile
To create a User Enrolment profile you can follow Microsoft's guide here: Enable Apple User Enrollment for iOS/iPadOS in Microsoft Intune - Microsoft Intune | Microsoft Learn
From an user end user perspective, the enrolment experience is very similar to Device Enrolment. You still use the Company Portal app to enrol a iOS/iPadOS device into Microsoft Intune.
My experience
One issue i noticed when rolling out User Enrolment was Outlook does not have the option to select User licenses in the app deployment settings. Which meant i couldn't make Outlook available in the company portal app.
EDIT 16/02/2023: Assigning a Dynamic User Group allows User Based licensing instead of All Users which I originally tested with.
For data security, i created an unmanaged App Protection for only Outlook to support my Conditional Access policies requiring App Protection and Approved Client Apps and allow users to install Outlook for the native app store.
Migrate from Device Enrolment to User Enrolment
If you are planning on migrating away from Device Enrolment to User Enrolment, it's likely the existing device in Microsoft Intune will need to be retired and Available or Required Apps from Microsoft Intune should use your Apple VPP using user-based licensing.
Disclaimer: It's worth mentioning I've not had any experience migrating from device enrolment to user enrolment yet.
Wrap Up
I hope this blog helps you decide what enrolment method to go with for your iOS/iPadOS BYOD devices. Again, BYOD enrolment is uncommon, but not impossible.