Merge pull request #17493 from MicrosoftDocs/main
Published main to live, Wednesday 10:30 AM PST, 03/05
padmagit77 authored Mar 5, 2025
2 parents 4c9953c + 16f3110 commit affa308
Showing 2 changed files with 50 additions and 47 deletions.
Expand Up @@ -8,7 +8,7 @@ keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
ms.date: 01/09/2023
ms.date: 03/05/2025
ms.topic: tutorial
ms.service: microsoft-intune
ms.subservice: enrollment
Expand Down Expand Up @@ -53,12 +53,13 @@ If you don't have an Intune subscription, [sign up for a free trial account](../
Create an MDM server profile for Microsoft Intune in Apple Business Manager. The token you download in this step will enable the connection between Microsoft Intune and Apple Business Manager in a later step.

1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Go to **Devices** > **By platform** > **iOS/iPadOS** > **Device onboarding** > **Enrollment**.
3. Select **Enrollment program tokens**.
4. Select **Add**.
5. Select **I agree** to grant permission to Microsoft to send user and device information to Apple.
6. Select **Download your public key** to download the server's public key certificate (a .pem file) to your local drive.
7. Select **Create a token via Apple Business Manager** and sign in to Apple Business Manager with your company Apple ID.
2. Go to **Devices** and expand **By platform**. Select **iOS/iPadOS**.
3. Expand **Device onboarding**, and then select **Enrollment**.
4. Select **Enrollment program tokens**.
5. Select **Create**.
6. Select **I agree** to grant permission to Microsoft to send user and device information to Apple.
7. Select **Download your public key** to download the server's public key certificate (a .pem file) to your local drive.
8. Select **Create a token via Apple Business Manager** and sign in to Apple Business Manager with your company Apple ID.

>[!IMPORTANT]
> While you're in Apple Business Manager, don't close the browser tab with Microsoft Intune. You'll return to it later.
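Review bot: The rewritten step list in this hunk keeps explicit numbers (1 through 8), while the Step 4 list later in the same file is converted to repeated `1.` markers. Pick one convention for the file; splitting the old step 2 into two steps here forced every following line to be renumbered, which repeated `1.` markers would have avoided. Separately, the button label changes from **Add** to **Create** in the new step 5; confirm it matches the current admin center, because the following steps (agreeing to the data-sharing prompt and downloading the public key) only appear after that button.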
Expand All @@ -73,7 +74,7 @@ While you're in Apple Business Manager, assign devices to your new MDM server (*
Return to the Microsoft Intune admin center to upload the MDM server token to Intune. After you upload the token, Microsoft Intune can sync and enroll iOS/iPadOS devices assigned to *TestMDMServer*.

1. For **Apple ID**, enter the Apple ID you used to create the token.
2. Under **Apple token**, upload the server token you saved earlier. The file must be in P7M format.
2. For **Apple token**, upload the server token you saved earlier. The file must be in P7M format.
3. Select **Next**.
4. Optionally, apply scope tags to the enrollment token to limit other admins from accessing or making changes to it. For more information about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](../fundamentals/scope-tags.md).
5. Select **Next**.
Expand All @@ -84,51 +85,53 @@ Microsoft Intune automatically syncs with Apple Business Manager. Devices can ta
## Step 4: Create an Apple enrollment profile
Create an enrollment profile for corporate-owned iOS/iPadOS devices. A device enrollment profile defines the settings applied to a group of devices during enrollment.

1. Select your token in the admin center, and then choose **Profiles** > **Create profile** > **iOS/iPadOS**.
1. Select your token in the admin center, and then choose **Profiles**.

1. Select **Create profile** > **iOS/iPadOS**.

2. On the **Basics** page, enter *TestProfile* for **Name** and *Testing ADE for iOS/iPadOS devices* for **Description**. Users don't see these details.
1. On the **Basics** page, enter *TestProfile* for **Name** and *Testing ADE for iOS/iPadOS devices* for **Description**. Users don't see these details.

3. Select **Next**.
1. Select **Next**.

4. On the **Management Settings** page, decide if you want your devices to enroll with or without **User Affinity**. User Affinity is designed for devices that will be used by particular users. If your users will want to use the Company Portal for services like installing apps, choose **Enroll with User Affinity**. If your users don't need the Company Portal or you want to provision the device for many users, choose **Enroll without User Affinity**.
1. Decide if you want your devices to enroll with or without **User Affinity**. User Affinity is designed for devices that will be used by particular users. If your users will want to use the Company Portal for services like installing apps, choose **Enroll with User Affinity**. If your users don't need the Company Portal or you want to provision the device for many users, choose **Enroll without User Affinity**.

5. If you chose to enroll with User Affinity, the **Select where users must authenticate** option appears. Decide if you want to Authenticate with Company Portal or Apple Setup Assistant.
- **Company Portal**: Select this option to use Multi-Factor Authentication, allow users to change passwords upon first sign-in, or prompt users to reset their expired passwords during enrollment. If you want the Company Portal application to update automatically on end users' devices, separately deploy the Company Portal as a required app to these users through Apple's Volume Purchasing Program (VPP).
- **Setup Assistant**: Select this option to use Apple's provided basic HTTP authentication through Apple Setup Assistant

6. If you chose to enroll with User Affinity and Authenticate with Company Portal, the **Install Company Portal with VPP** option appears. If you install the Company Portal with a VPP token, your user won't have to enter an Apple ID and Password to download the Company Portal from the app store during enrollment. Choose **Use Token:** under **Install Company Portal with VPP** to select a VPP token that has free licenses of the Company Portal available. If you don't want to use VPP to deploy the Company Portal, choose **Don't use VPP**.
* If you chose to enroll with User Affinity, the **Select where users must authenticate** option appears. Decide if you want to Authenticate with Company Portal or Apple Setup Assistant (legacy), or Setup Assistant with modern authentication. For more information about authentication methods, see [Authentication methods for automated device enrollment in Intune](../enrollment/automated-device-enrollment-authentication.md).

1. If you chose to enroll with User Affinity and Authenticate with Company Portal, the **Install Company Portal with VPP** option appears. If you install the Company Portal with a VPP token, your user won't have to enter an Apple ID and Password to download the Company Portal from the app store during enrollment. Choose **Use Token:** under **Install Company Portal with VPP** to select a VPP token that has free licenses of the Company Portal available. If you don't want to use VPP to deploy the Company Portal, choose **Don't use VPP**.

7. If you chose to enroll with User Affinity, Authenticate with Company Portal, and Install Company Portal with VPP, decide if you want to run the Company Portal in Single App Mode until Authentication. With this setting, you can ensure the user doesn't have access to other apps until they finish the corporate enrollment. If you want to restrict the user to this flow until enrollment is completed, choose **Yes** under **Run Company Portal in Single App Mode until authentication**.
* If you chose to enroll with User Affinity, Authenticate with Company Portal, and Install Company Portal with VPP, decide if you want to run the Company Portal in Single App Mode until Authentication. With this setting, you can ensure the user doesn't have access to other apps until they finish the corporate enrollment. If you want to restrict the user to this flow until enrollment is completed, choose **Yes** under **Run Company Portal in Single App Mode until authentication**.

8. Under **Device Management Settings**, choose **Yes** under **Supervised** (if you chose **Enroll with User Affinity**, this is automatically set to **Yes**). Supervised devices give you the most management options for your corporate iOS/iPadOS devices.
1. Under **Device Management Settings**, choose **Yes** for **Supervised**. Supervision gives you more management options and disables Apple Activation Lock by default. Microsoft recommends using automated device enrollment as the mechanism for enabling Intune's supervised mode, especially for organizations that are deploying large numbers of iOS/iPadOS devices.

9. Choose **Yes** under **Locked enrollment** to ensure your users can't remove management of the corporate device.
1. Choose **Yes** under **Locked enrollment** to ensure your users can't remove device management from their corporate device.

10. Choose an option under **Sync with Computers** to determine if the iOS/iPadOS devices will be able to sync with computers.
1. Choose an option under **Sync with Computers** to determine if the iOS/iPadOS devices can sync with computers. **Deny All** means that devices using this profile can't sync with any data on any computer.

11. By default, Apple names the device with the device type, such as *iPad*. If you want to provide a different name template, choose **Yes** under **Apply device name template**. Enter the name you want to apply to the devices, where the strings *{{SERIAL}}* and *{{DEVICETYPE}}* will substitute each device's serial number and device type. Otherwise, choose **No** under **Apply device name template**.
1. By default, Apple names the device with the device type, such as *iPad*. If you want to provide a different name template, choose **Yes** under **Apply device name template**. Enter the name you want to apply to the devices, where the strings *{{SERIAL}}* and *{{DEVICETYPE}}* will substitute each device's serial number and device type. Otherwise, choose **No** under **Apply device name template**.

12. Choose **Next**.
1. Choose **Next**.

13. On the **Setup Assistant** page, *Tutorial department* for **Department Name**. This string is what users see when they tap **About configuration** during device activation.
1. On the **Setup Assistant** page, enter *Tutorial department* for **Department Name**. This string is what users see when they tap **About configuration** during device activation.

14. Under **Department Phone**, enter a phone number. This number appears when users tap the **Need help** button during activation.
1. Under **Department Phone**, enter a phone number. This number appears when users tap the **Need help** button during activation.

15. You can **Show** or **Hide** various screens during device activation. For the most seamless enrollment experience, set all screens to **Hide**.
1. You can **Show** or **Hide** various screens during device activation. For the most seamless enrollment experience, set all screens to **Hide**.

16. Choose **Next** to go to the **Review + Create** page. Select **Create**.
1. Choose **Next**.

1. Review the profile settings. To save the profile, select **Create**

## Step 5: Assign an enrollment profile to iOS/iPadOS devices

You must assign an enrollment program profile to devices before they can enroll. These devices are synced to Intune from Apple, and must be assigned to the proper MDM server token in the ABM, ASM, or ADE portal.

1. In the admin center, choose your token from the list.
2. Select **Devices** and choose the devices you want to assign.
3. Select **Assign profile**.
4. Under **Assign profile**, choose a profile for the devices > **Assign**.
1. In the admin center, return to **Enrollment program tokens**. Choose your token from the list.
2. Select **Devices**, and then choose the devices you want to assign.
3. Select **Assign profile**. Then select a profile for the devices.
4. Select **Assign**.

> [!NOTE]
> Ensure that **Device Type Restrictions** under **Enrollment Restrictions** does not have the default **All Users** policy set to block the iOS/iPadOS platform. This setting will cause automated enrollment to fail and your device will show as Invalid Profile, regardless of user attestation. To permit enrollment only by company-managed devices, block only personally owned devices, which will permit corporate devices to enroll. Microsoft defines a corporate device as a device that's enrolled via a Device Enrollment Program or a device that's manually entered under **Corporate device identifiers**.
> Ensure that **Device Type Restrictions**, found within your tenant's **Enrollment Restrictions**, does not have the default **All Users** policy set to block the iOS/iPadOS platform. This setting will cause automated enrollment to fail and your device will show as an *invalid profile*, regardless of user attestation. To permit enrollment only by company-managed devices, block only personally owned devices, which will permit corporate devices to enroll. Microsoft defines a corporate device as a device that's enrolled via a device enrollment program or a device that's manually entered in the admin center under **Corporate device identifiers**.

## Step 6: Distribute devices to users

Expand Down
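Review bot: In the new bullet for **Select where users must authenticate**, the per-option descriptions are dropped (Company Portal for multifactor authentication and password change or reset during enrollment; Setup Assistant as Apple's basic HTTP authentication) and only a link remains. That difference is what an admin needs in order to choose on this screen, so keep a one-line summary for each of the three options next to the link, and reword the sentence, which now reads "Company Portal or Apple Setup Assistant (legacy), or Setup Assistant with modern authentication". Two smaller points: the user-affinity step no longer names the **Management Settings** page it sits on, and the final step "To save the profile, select **Create**" is missing its closing period.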
30 changes: 15 additions & 15 deletions memdocs/intune-service/user-help/retrieve-ios-app-logs.md
Expand Up @@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
ms.date: 12/01/2020
ms.date: 03/05/2025
ms.topic: end-user-help
ms.service: microsoft-intune
ms.subservice: end-user
Expand All @@ -31,24 +31,24 @@ ms.collection:

# Retrieve iOS app logs from device

Whenever you experience a problem in Company Portal, the details of that problem are recorded and stored on your device in a _diagnostic log_. This article describes how to upload those logs from your device to your computer. This process is useful for when you need troubleshooting help, because you can save the logs in a file and email it to your IT support person.
Whenever you experience a problem in Company Portal, the details of that problem are recorded and stored on your device in a _diagnostic log_. This article describes how to upload those logs from your device to your computer. This process is useful for when you need to troubleshoot, because you can save the logs in a file and email it to your IT support person.

## Retrieve logs via Console app

To retrieve logs via the native Console app, you'll need your iOS device, a USB cable, and a Mac running macOS 10.12 or later.
To retrieve logs via the native Console app, you need your iOS device, a Mac running macOS 10.12 or later, and a cable to connect both devices.

1. Connect your iOS device to your Mac with the USB cable.
2. On your Mac, press **command + Space** and search for Console. You can also find it in **Applications** > **Utilities** > **Console**.
3. On your iOS device, you'll be prompted to trust the computer. Select **Trust**.
3. In Console, select your iOS device from the **Devices** list. Console begins to gather your logs.
4. From the menu, select **Action** > **Include Info Messages** and **Include Debug Messages**.
6. Select **Clear** and remove any search queries you may have in Console.
7. Open Company Portal on your iOS device and try to reproduce the problem by repeating the steps or actions you took leading up to the problem.
8. In the Console toolbar, select **Edit** > **Select All**, and then select **Edit** > **Copy**.
9. Paste the log contents in a text editor.
10. From the menu, select **Format** > **Make Plain Text**.
11. Save the file as a .log file (Example: Contosologs.log)
1. Connect your iOS device to your Mac with the cable.
1. On your Mac, press **command + Space** and search for Console. Open Console.
1. On your iOS device, you'll be prompted to trust the computer. Select **Trust**.
1. In Console, select your iOS device from the **Devices** list > **Start**. Console begins to gather your logs.
1. From the Console menu, select **Action** > **Include Info Messages** and **Include Debug Messages**.
1. Select **Clear** and remove any search queries you may have in Console.
1. Open Company Portal on your iOS device and try to reproduce the problem by repeating the steps or actions you took leading up to the problem.
1. From the Console menu, select **Edit** > **Select All**, and then select **Edit** > **Copy**.
1. Paste the log contents in TextEdit.
1. From the TextEdit menu, select **Format** > **Make Plain Text**.
1. Save the file as a .log file. Example: Contosologs.log

## Next steps

After you save your file, you can send it to your IT support person as an email attachment. For contact information, check the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980).
After you save your file, you can send it to your IT support person as an email attachment. For contact information, check for helpdesk information on the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980) or app.
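Review bot: The **Include Info Messages** / **Include Debug Messages** step and the **Edit** > **Select All** step together capture everything Console shows for the device, and the closing paragraph tells the user to email that file. Console streams messages from the whole device, not only Company Portal, so the saved file can include entries from unrelated apps and system processes. The **Clear** step already limits the capture to the reproduction window; add a sentence saying so, and tell users to send the file only to their IT support contact. In the device-selection step, "from the **Devices** list > **Start**" uses the menu-path ">" for what is a second action; "and then select **Start**" reads more clearly. The removed hint **Applications** > **Utilities** > **Console** was also the only fallback when the search does not find the app, so consider keeping it.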
