Microsoft Intune 11 – Enrol and configure iOS and iPadOS – Part 2

In the previous guide we created our Apple MDM certificate, and our enrolment profile. Next we need to create our compliance and configuration profiles.

When creating our configuration profiles we need to pay attention to which ones apply to our enrolment method, as some settings are only available when using Apple School Manager or Apple Business Manager with automated device enrolment (formerly DEP). This includes devices supervised through Apple Configurator.

As with all Intune configuration policies we can either use a template which contains a group of settings related to a specific area as shown below.

Or we can use the settings catalogue to create our own profile by picking only the settings we want.

For this guide we are going to be using a template based around device restrictions. To get started we head over to the Intune portal at https://intune.microsoft.com > “Devices” > “iOS/iPadOS” > “Configuration profiles” > “Create” > “New Policy”.

Select “Templates” > “Device restrictions”.

Provide a name and a description.

The next page contains the configuration settings, and you can see the items list below.

We can see this template covers settings for passwords, wireless, and locked screen experience to mention a few.

We configure our template as per the screen shots below. Don’t forget these are just suggestions and may not be suitable for your environment. As we have mentioned in previous guides, it’s better to implement small changes immediately that won’t break or impact business operations, then gradually increment towards tighter controls, rather than try to fix everything in one go and get bogged down in an endless testing phase which results in no changes being made after an extended period of time.

Restricted app lists can be a powerful security control, we will not be setting anything in this guide, however this is something that should definitely be investigated as we mature our security posture.