
This guide explains the differences between MDM and MAM, what IT teams can expect when supporting them, and the types of issues end users are most likely to experience.


Enrolling iOS/iPadOS Devices with Intune

iPhones and iPads can be managed through Microsoft Intune in two different ways: Mobile Device Management (MDM) or Mobile Application Management (MAM). Both protect company data, but the experience for users is very different.

This guide explains what users will see in each scenario and what IT should check to confirm the device is working as expected.

User Experience: MDM vs MAM

| | MDM (Device Enrollment) | MAM (App Protection Policies) |
|---|---|---|
| Scope | Whole device is enrolled and managed. | Only corporate apps are managed. |
| Setup | Requires installing Company Portal and a management profile. | No profile needed — just sign into Microsoft apps. |
| Controls | Passcode, encryption, OS compliance, Wi-Fi/VPN profiles, app deployment. | In-app restrictions like copy/paste controls, app PIN, corporate data wipe. |
| What users notice | Prompts to install profile, set passcode, possible restrictions on device features. | Microsoft apps ask for extra sign-in, PIN or biometrics; corporate data stays inside apps. |

Enrollment Process – MDM

Steps users complete:

  1. Install Company Portal from the App Store.

  2. Sign in with corporate account (MFA may be required).

  3. Approve installation of the management profile in:
    Settings > General > VPN & Device Management > Install Profile.

  4. Set or update device passcode if prompted.

  5. Enable device encryption (usually automatic once passcode is set).

  6. Wait for apps to appear, or open Company Portal to force a sync.

What users will see:

  • Notification that the device is now managed.

  • Prompts to secure the device (passcode, Face ID/Touch ID).

  • Corporate apps pushed to the device, sometimes with restrictions (e.g. App Store or Safari limits).

IT checkpoints:

  • Device shows in Intune under the user’s account.

  • Compliance status updates within a few minutes.

  • Apps assigned to the user appear on the device.
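
The first two MDM checkpoints above (device present under the user, compliance and sync state) can be scripted. The PowerShell below is an added example, not part of the original guide or of Microsoft's tooling; the function name Test-IosEnrollment, the 24-hour sync threshold and the sample records are assumptions made for illustration, and timestamps are assumed to be UTC.

```powershell
# Added example. Live data would come from the Microsoft Graph PowerShell SDK:
#   Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'
#   $devices = Get-MgDeviceManagementManagedDevice -All
function Test-IosEnrollment {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [object[]] $Devices = @(),
        [int] $MaxSyncAgeHours = 24,   # assumption: threshold is not from the guide
        [datetime] $Now = [datetime]::UtcNow
    )
    # Checkpoint: an iOS/iPadOS device shows in Intune under the user's account.
    $ios = @($Devices | Where-Object {
        $_.UserPrincipalName -eq $UserPrincipalName -and
        $_.OperatingSystem -in 'iOS', 'iPadOS'
    })
    if ($ios.Count -eq 0) {
        return [pscustomobject]@{
            Device = '(none)'; Status = 'NotEnrolled'
            Hint   = 'No managed device found; check the profile install was approved.'
        }
    }
    foreach ($d in $ios) {
        $ageHours = [math]::Round(($Now - $d.LastSyncDateTime).TotalHours, 1)
        if ($ageHours -gt $MaxSyncAgeHours) {
            $status = 'StaleSync'; $hint = "Last sync ${ageHours}h ago; sync from Company Portal."
        } elseif ($d.ComplianceState -ne 'compliant') {
            $status = 'NotCompliant'; $hint = "State '$($d.ComplianceState)'; access may be blocked."
        } else {
            $status = 'OK'; $hint = 'Enrolled, compliant and syncing.'
        }
        [pscustomobject]@{ Device = $d.DeviceName; Status = $status; Hint = $hint }
    }
}

# Constructed sample records, shaped like managedDevice objects (not real data).
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alex@example.com'; DeviceName = 'Alex iPhone'
        OperatingSystem = 'iOS'; ComplianceState = 'compliant'; LastSyncDateTime = $now.AddHours(-2) }
    [pscustomobject]@{ UserPrincipalName = 'alex@example.com'; DeviceName = 'Alex iPad'
        OperatingSystem = 'iPadOS'; ComplianceState = 'noncompliant'; LastSyncDateTime = $now.AddHours(-1) }
    [pscustomobject]@{ UserPrincipalName = 'alex@example.com'; DeviceName = 'Alex old iPhone'
        OperatingSystem = 'iOS'; ComplianceState = 'compliant'; LastSyncDateTime = $now.AddHours(-72) }
)
'alex@example.com', 'sam@example.com' | ForEach-Object {
    Test-IosEnrollment -UserPrincipalName $_ -Devices $sample -Now $now
} | Format-Table -AutoSize
```

Each status maps to one of the MDM failure points this guide lists: NotEnrolled to an unapproved profile install, NotCompliant to compliance blocking access, and StaleSync to a device that needs a manual sync.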

Setup Process – MAM

Steps users complete:

  1. Install required Microsoft apps (Outlook, Teams, OneDrive, etc.) from the App Store.

  2. Sign in with corporate account.

  3. Accept prompts for app PIN/biometric setup.

  4. Use apps normally, with protections applied in the background.

What users will see:

  • Apps asking for PIN or Face ID/Touch ID to open.

  • Data movement restricted (e.g. copy/paste blocked into Notes).

  • Company data wiped from apps if access is removed.

IT checkpoints:

  • Confirm App Protection Policy is assigned to the user.

  • Verify user is signed into supported Microsoft apps.

  • Check Conditional Access rules if user is blocked.

Common Failure Points

  • MDM:

    • User doesn’t approve profile install.

    • Compliance not syncing quickly, blocking access.

    • Apps not appearing until a manual sync is done.

  • MAM:

    • User thinks their personal data was wiped (only corporate data removed).

    • PIN reset prompts causing confusion.

    • User trying to use Apple Mail/Calendar instead of Outlook.

IT Support Focus

  • For MDM, confirm device is enrolled, compliant, and syncing.

  • For MAM, confirm app protection policies are in place and user is on supported apps.

  • Reassure users about what data IT can and can’t see or wipe.
