Enrolling iOS Devices Using Federated Enrollment

Before you begin

Federated enrollment requires Microsoft Entra ID for federation. Only Managed Apple IDs federated through the integrated Microsoft Entra ID can enroll.

Part 1: Creating a Federated Enrollment Policy

About this task

Create an enrollment policy to enroll Apple Bring Your Own Device (BYOD) users whose Managed Apple IDs are federated through Microsoft Entra ID.

Procedure

  1. From the main menu, select Policies > Enrollment. The Enrollment Policies view appears.
  2. Select Add Enrollment Policy. The Enrollment Policy wizard opens.
  3. Under the Apple icon, select iOS / iPadOS. The General view appears.
  4. In the General view, enter a brief, descriptive name for the enrollment policy and optionally add a description. Then select Next.
  5. In the Enrollment Type window, select User as the enrollment type.
  6. Optional: Toggle on Enable Account-driven enrollment. See Using Account-driven User Enrollment for more information.
  7. Under User Enrollment, select Federated Account.
  8. Select the Microsoft Entra ID that federates your Managed Apple IDs.
    Important: The selected Microsoft Entra ID must match the Entra ID configured in your Apple Business Manager.

Part 2: Enrolling an iOS Device

About this task

After creating a federated enrollment policy, follow these steps to enroll an iOS device.

Important: These steps do not apply to devices running iOS 18 or later and iPadOS 18 or later. For those devices, you must configure account-driven user enrollment. See Using Account-driven User Enrollment for more details.

  1. Part One: Downloading the Trust Profile
  2. Part Two: Installing the Trust Profile
  3. Part Three: Enabling Full Trust for the Root Certificate
  4. Part Four: Performing SOTI MobiControl Device Enrollment