
Commit daf05bd

Merge pull request #6900 from MicrosoftDocs/main
Friday 10:30 merge main to live
2 parents 0179c62 + 4a8e4b1 commit daf05bd

3 files changed

Lines changed: 64 additions & 18 deletions


memdocs/intune/configuration/vpn-settings-ios.md

Lines changed: 13 additions & 11 deletions
@@ -284,17 +284,19 @@ These settings apply when you choose **Connection type** > **IKEv2**.
284284

285285
- **When users try to access these domains**: Enter one or more DNS domains, like `contoso.com`. If users try to connect to a domain in this list, then the device uses DNS to resolve the domains you enter. If the domain doesn't resolve, meaning it doesn't have access to internal resources, then it connects to the VPN on-demand. If the domain does resolve, meaning it already has access to internal resources, then it doesn't connect to the VPN.
286286

287-
- If the **When users try to access these domains** setting is empty, then the device uses the DNS servers configured on the network connection service (Wi-Fi/ethernet) to resolve the domain. The idea is that these DNS servers are public servers.
288-
289-
The domains in the **When users try to access these domains** list are internal resources. Internal resources aren’t on public DNS servers and can't be resolved. So, the device connects to the VPN. Now, the domain is resolved using the VPN connection’s DNS servers and the internal resource is available.
290-
291-
If the device is on the internal network, then the domain resolves, and a VPN connection isn't created because the internal domain is already available. You don't want to waste VPN resources on devices already on the internal network.
292-
293-
- If the **When users try to access these domains** setting is populated, then the DNS servers on this list are used to resolve the domains in the list.
294-
295-
The idea is the opposite of the first bullet (**When users try to access these domains** setting is empty). For instance, the **When users try to access these domains** list has internal DNS servers. A device on an external network can't route to the internal DNS servers. The name resolution times out, and the device connects to the VPN on-demand. Now the internal resources are available.
296-
297-
Remember this only applies to domains in the **When users try to access these domains** list. All other domains are resolved with public DNS servers. When the device is connected to the internal network, the DNS servers in the list are accessible, and there's no need to create a VPN connection.
287+
> [!NOTE]
288+
>
289+
> - If the **When users try to access these domains** setting is empty, then the device uses the DNS servers configured on the network connection service (Wi-Fi/ethernet) to resolve the domain. The idea is that these DNS servers are public servers.
290+
>
291+
> The domains in the **When users try to access these domains** list are internal resources. Internal resources aren’t on public DNS servers and can't be resolved. So, the device connects to the VPN. Now, the domain is resolved using the VPN connection’s DNS servers and the internal resource is available.
292+
>
293+
> If the device is on the internal network, then the domain resolves, and a VPN connection isn't created because the internal domain is already available. You don't want to waste VPN resources on devices already on the internal network.
294+
>
295+
> - If the **When users try to access these domains** setting is populated, then the DNS servers on this list are used to resolve the domains in the list.
296+
>
297+
> The idea is the opposite of the first bullet (**When users try to access these domains** setting is empty). For instance, the **When users try to access these domains** list has internal DNS servers. A device on an external network can't route to the internal DNS servers. The name resolution times out, and the device connects to the VPN on-demand. Now the internal resources are available.
298+
>
299+
> Remember this information only applies to domains in the **When users try to access these domains** list. All other domains are resolved with public DNS servers. When the device is connected to the internal network, the DNS servers in the list are accessible, and there's no need to connect to the VPN.
298300
299301
- **Use the following DNS servers to resolve these domains (optional)**: Enter one or more DNS server IP addresses, like `10.0.0.22`. The DNS servers you enter are used to resolve the domains in the **When users try to access these domains** setting.
300302
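Review bot: The two bullets inside the new `> [!NOTE]` block are keyed on the wrong setting: they say "If the **When users try to access these domains** setting is empty/populated" and then talk about "the DNS servers on this list" and a list that "has internal DNS servers", but that setting holds DNS domains like `contoso.com` (the bullet just above the note), while DNS server IP addresses are entered in **Use the following DNS servers to resolve these domains (optional)** (the bullet just below it). The empty/populated distinction only makes sense for the DNS-servers setting, so both bullets and the "The idea is the opposite of the first bullet" paragraph should name that setting; as written, the note contradicts the domain-list description above it. Also, the continuation paragraphs under each bullet (`> The domains in ...`, `> If the device is ...`, `> The idea is ...`, `> Remember ...`) aren't indented under their bullet, so they render as standalone paragraphs rather than as part of the list item; indent them two spaces after the `>`.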

memdocs/intune/fundamentals/deployment-guide-enrollment-ios-ipados.md

Lines changed: 3 additions & 3 deletions
@@ -7,7 +7,7 @@ keywords:
77
author: MandiOhlinger
88
ms.author: mandia
99
manager: dougeby
10-
ms.date: 01/25/2022
10+
ms.date: 02/24/2022
1111
ms.topic: conceptual
1212
ms.service: microsoft-intune
1313
ms.subservice: enrollment
@@ -36,7 +36,7 @@ Personal and organization-owned devices can be enrolled in Intune. Once they're
3636
- [Apple Configurator](#apple-configurator-enrollment)
3737
- [BYOD: User and Device enrollment](#byod-user-and-device-enrollment)
3838

39-
This article provides recommendations on the iOS/iPadOS enrollment method to use. It also includes an overview of the administrator and user tasks for each enrollment type. For more specific information, see [Enroll macOS devices](../enrollment/ios-enroll.md).
39+
This article provides recommendations on the iOS/iPadOS enrollment method to use. It also includes an overview of the administrator and user tasks for each enrollment type. For more specific information, see [Enroll iOS/iPadOS devices](../enrollment/ios-enroll.md).
4040

4141
> [!TIP]
4242
> [!INCLUDE [tips-guidance-plan-deploy-guides](../includes/tips-guidance-plan-deploy-guides.md)]
@@ -223,7 +223,7 @@ When you create an enrollment profile in the [Endpoint Manager admin center](htt
223223

224224
## Apple Configurator enrollment
225225

226-
Use on devices owned by your organization, and includes [Direct Enrollment](../enrollment/device-enrollment-direct-enroll-macos.md). This option requires you to physically connect macOS devices to a Mac computer using the USB port.
226+
Use on devices owned by your organization, and includes [Direct Enrollment](../enrollment/apple-configurator-enroll-ios.md#direct-enrollment). This option requires you to physically connect iOS/iPadOS devices to a Mac computer using the USB port.
227227

228228
For more specific information on this enrollment type, see [Apple Configurator enrollment](../enrollment/apple-configurator-enroll-ios.md).
229229
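Review bot: The corrected link targets the `#direct-enrollment` anchor in `apple-configurator-enroll-ios.md`; please confirm a heading with that id exists in the target article, since a missing anchor fails silently and the page just opens at the top. The sentence "Use on devices owned by your organization, and includes [Direct Enrollment](...)" carried over from the removed line is still a fragment with no subject; consider "Use this option on devices owned by your organization. It includes [Direct Enrollment](...)."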

memdocs/intune/fundamentals/deployment-guide-enrollment-macos.md

Lines changed: 48 additions & 4 deletions
@@ -7,7 +7,7 @@ keywords:
77
author: MandiOhlinger
88
ms.author: mandia
99
manager: dougeby
10-
ms.date: 04/22/2021
10+
ms.date: 02/24/2022
1111
ms.topic: conceptual
1212
ms.service: microsoft-intune
1313
ms.subservice: enrollment
@@ -36,9 +36,7 @@ You have the following options when enrolling macOS devices:
3636

3737
- [BYOD: Device enrollment](#byod-device-enrollment)
3838
- [Automated device enrollment (ADE)](#automated-device-enrollment-ade-supervised)
39-
40-
> [!NOTE]
41-
> Enrollment through Apple Configurator is available for iOS/iPadOS devices. It's not available for macOS devices. When you create a macOS enrollment profile, it appears that Apple Configurator is an option. This behavior is a known issue, and will be fixed in a future release (no ETA). Do not create a macOS enrollment profile with Apple Configurator. It doesn't work.
39+
- [Direct enrollment](#direct-enrollment)
4240

4341
This article:
4442

@@ -195,6 +193,52 @@ For more specific information on the end user steps, see [Enroll your macOS devi
195193

196194
[!INCLUDE [users-dont-like-enroll](../includes/users-dont-like-enroll.md)]
197195

196+
## Direct enrollment
197+
198+
Use on devices owned by your organization that don't need user device affinity.
199+
200+
These devices are organization-owned, and use Apple Configurator. The only purpose is to be a kiosk-style device. They aren't associated with a single or specific user. These devices are commonly used to scan items, print tickets, get digital signatures, manage inventory, and more.
201+
202+
For more specific information on this enrollment type, see [Use Direct Enrollment for macOS devices](../enrollment/device-enrollment-direct-enroll-macos.md).
203+
204+
---
205+
| Feature | Use this enrollment option when |
206+
| --- | --- |
207+
| You need a wired connection, or are having a network issue. | ✔️ |
208+
| Your organization doesn't want administrators to use the ABM or ASM portals, or doesn't want to set up all the requirements. | ✔️ <br/><br/> The idea of *not* using the ABM or ASM portals is to give administrators less control.|
209+
| A country doesn't support Apple Business Manager (ABM) or Apple School Manager (ASM). | ✔️ <br/><br/> If your country supports ABS or ASM, then devices should be enrolled using [Automated Device Enrollment](#automated-device-enrollment-ade-supervised) (in this article). |
210+
| Devices are owned by the organization or school. | ✔️ |
211+
| You have new or existing devices. | ✔️ |
212+
| Need to enroll a few devices, or a large number of devices (bulk enrollment). | ✔️ <br/><br/> If you have a large number of devices, then this method will take some time. |
213+
| Devices are associated with a single user. | ❌ <br/><br/> Not recommended. Devices that need user affinity should be enrolled using [Automated device enrollment (ADE)](#automated-device-enrollment-ade-supervised). |
214+
| Devices are user-less, such as kiosk or dedicated device. | ✔️ |
215+
| Devices are personal or BYOD. | ❌ <br/><br/> Not recommended. BYOD or personal devices should be enrolled using [MAM-WE](deployment-guide-enrollment-mamwe.md) (opens another Microsoft article), or [BYOD: Device enrollment](#byod-device-enrollment) (in this article). |
216+
| Devices are managed by another MDM provider. | ❌ <br/><br/> To be fully managed by Intune, users need to unenroll from the current MDM provider, and then enroll in Intune. Or, you can use MAM-WE to manage specifics apps on the device. Since these devices are organization-owned, we recommend enrolling in Intune. |
217+
| You use the device enrollment manager (DEM) account. | ❌ <br/><br/> The DEM account isn't supported. |
218+
219+
---
220+
221+
### Direct enrollment administrator tasks
222+
223+
This task list provides an overview. For more specific information, see [macOS Direct Enrollment](../enrollment/device-enrollment-direct-enroll-macos.md).
224+
225+
- Be sure your devices are [supported](supported-devices-browsers.md).
226+
- Be sure the [Apple MDM push certificate](../enrollment/apple-mdm-push-certificate-get.md) is added to Endpoint Manager, and is active. This certificate is required to enroll macOS devices. For more information, see [Get an Apple MDM push certificate](../enrollment/apple-mdm-push-certificate-get.md).
227+
- In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), create an enrollment profile. Select **Enroll without user affinity** (user-less devices or shared devices). With user-less devices:
228+
229+
- Users can't use apps that require a user, including the Company Portal app. The Company Portal app isn't used, needed, or supported on enrollments without user affinity. Be sure users don't install the Company Portal app from the Apple app store.
230+
- **Enroll with user affinity** is available in the UI, but it won't work. Don't select this option. If you need user affinity, then use [Automated Device Enrollment](#automated-device-enrollment-ade-supervised) (in this article).
231+
232+
- When the enrollment profile is ready, export the policy, and copy the file to the macOS device. Double-click the file to install the enrollment policy.
233+
234+
For more information on this enrollment option, and its prerequisites, see [macOS Direct Enrollment](../enrollment/device-enrollment-direct-enroll-macos.md).
235+
236+
### Direct enrollment end user tasks
237+
238+
- **Enroll without user affinity**: No actions. Be sure they don't install the Company Portal app from the Apple app store.
239+
240+
:::image type="content" source="./media/deployment-guide-enrollment-ios-ipados/configurator-enroll-without-user-affinity.png" alt-text="In the Endpoint Manager admin center and Microsoft Intune, enroll macOS devices using Direct enrollment. Select enroll without user affinity.":::
241+
198242
## Next steps
199243

200244
- [MAM-WE](deployment-guide-enrollment-mamwe.md)
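Review bot: "If your country supports ABS or ASM" in the Apple Business Manager row should read "ABM or ASM". The image reference points to `./media/deployment-guide-enrollment-ios-ipados/configurator-enroll-without-user-affinity.png` from the macOS guide; confirm that path resolves relative to `deployment-guide-enrollment-macos.md` (it is the other article's media folder) and that an iOS screenshot is the intended illustration under a macOS alt text. The explanation in the ABM/ASM portal row is unclear: the condition is that administrators don't want to use the portals or meet their requirements, but the explanation says the purpose is "to give administrators less control", which reads as the opposite of a benefit; please state what skipping the portals avoids. Minor: "manage specifics apps" should be "manage specific apps", and "such as kiosk or dedicated device" reads better as "such as a kiosk or dedicated device".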
