If you've ever watched a user try to enroll their personal iPhone into Intune and completely freeze at the sign-in screen, you're not alone. Account-Driven User Enrollment trips people up more than almost any other Intune feature, and most of the time it comes down to a few very fixable issues.
Let's break it down.
What Even Is Account-Driven User Enrollment?
Starting with iOS/iPadOS 15, Apple introduced a more privacy-focused way for personal devices to enroll in MDM. Instead of downloading a management profile through Safari (the old way), everything now happens inside the Settings app itself.
When a user opens the Company Portal and taps to enroll (or goes straight to Settings), they end up here:
Settings > General > VPN & Device Management > Sign In to Work or School Account
Sounds simple enough, but that's where the confusion starts.
The #1 Thing That Trips Users Up
That sign-in screen looks exactly like an Apple ID login. So what do users do? They try their personal Apple ID. Or they think they need a separate Managed Apple ID from Apple Business Manager.
They don't need a separate credential.
All they need is their work email address (UPN). If Apple Business Manager is federated with Entra ID, that same address is also their Managed Apple ID, so there is nothing else to remember. Once entered, the device does a background lookup against the domain of that address to find your Intune enrollment endpoint and then sends them to your organization's Entra ID sign-in page automatically.
The Discovery URL: Don't Skip This
Here's the part most admins miss on first setup: for that background lookup to work, your domain needs to host a JSON file at a specific path, served over HTTPS with a publicly trusted certificate and a Content-Type of application/json:
https://<your-domain>/.well-known/com.apple.remotemanagement
No discovery URL = no enrollment. The Settings app just returns a vague "Profile Not Found" or "Connection Failed" error and leaves the user completely stuck.
Quick Admin Checklist
Before you go further, verify these in the Intune admin center under Devices > iOS/iPadOS > Enrollment types:
- Your enrollment type profile is set to Account-Driven User Enrollment (not Web Enrollment)
- The .well-known discovery URL is live and returning a valid JSON response over HTTPS
- Just-in-Time (JIT) Registration is enabled. This uses the Apple SSO extension (the Microsoft Enterprise SSO plug-in) to register the device in Entra ID during enrollment, cutting down on repeated sign-in prompts
- The Microsoft Authenticator app is deployed to the device (required for JIT)
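The discovery lookup described above, and the "discovery URL is live" item in the checklist, are easy to check before a single user tries to enroll. The script below is an added example and is not code from the original post, Microsoft or Apple. It builds the URL the Settings app requests from a UPN, validates a response against the JSON shape Apple publishes for account-driven enrollment (a Servers array whose entries carry a Version of mdm-byod for user enrollment and an https BaseURL), and can optionally fetch the real endpoint. The domain contoso.com, the BaseURL values and the sample bodies are constructed placeholders; the check deliberately does not hard-code Intune's real BaseURL, since that value comes from Microsoft's setup documentation.

```python
"""Pre-flight check for the Apple account-driven enrollment discovery endpoint.

Added example, not from the original post or from Microsoft/Apple.
Assumptions: the UPN, domain and BaseURL values used below are placeholders.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import quote

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"


def discovery_url(upn: str) -> str:
    """Build the URL the Settings app fetches for a given work email.

    The device takes the domain part of the address the user typed and
    appends the full address as the user-identifier query parameter.
    """
    domain = upn.rsplit("@", 1)[1].lower()
    return f"https://{domain}{WELL_KNOWN_PATH}?user-identifier={quote(upn)}"


def validate_discovery_response(status, content_type, body):
    """Return a list of problems with a discovery response; empty means OK."""
    problems = []
    if status != 200:
        problems.append(f"expected HTTP 200, got {status}")
    if not (content_type or "").lower().startswith("application/json"):
        problems.append(f"Content-Type should be application/json, got {content_type!r}")
    try:
        doc = json.loads(body)
    except ValueError as exc:
        problems.append(f"body is not valid JSON: {exc}")
        return problems
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        problems.append('JSON must contain a non-empty "Servers" array')
        return problems
    # Account-Driven User Enrollment needs an mdm-byod entry; mdm-adde is the
    # device-enrollment flavour and does not satisfy a BYOD user enrollment.
    byod = [s for s in servers if isinstance(s, dict) and s.get("Version") == "mdm-byod"]
    if not byod:
        problems.append('no entry with "Version": "mdm-byod" (required for user enrollment)')
    for entry in byod:
        base = entry.get("BaseURL", "")
        if not isinstance(base, str) or not base.startswith("https://"):
            problems.append(f"BaseURL must be an https URL, got {base!r}")
    return problems


def check_live(upn: str, timeout: float = 10.0):
    """Fetch the real endpoint (needs network) and validate what comes back."""
    url = discovery_url(upn)
    req = urllib.request.Request(url, headers={"User-Agent": "discovery-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return url, validate_discovery_response(resp.status, resp.headers.get("Content-Type"), body)
    except urllib.error.HTTPError as exc:
        return url, [f"HTTP {exc.code} from {url}"]
    except (urllib.error.URLError, OSError) as exc:
        return url, [f"could not reach {url}: {exc}"]


# Constructed sample bodies (not captured from a real tenant).
GOOD_BODY = json.dumps({"Servers": [{"Version": "mdm-byod", "BaseURL": "https://mdm.example.com/enroll"}]})
BAD_BODY = json.dumps({"Servers": [{"Version": "mdm-adde", "BaseURL": "http://mdm.example.com/enroll"}]})

if __name__ == "__main__":
    print(discovery_url("jane.doe@contoso.com"))
    print("good body:", validate_discovery_response(200, "application/json", GOOD_BODY) or "OK")
    print("bad body: ", validate_discovery_response(200, "application/json", BAD_BODY))
    # Uncomment to test a real domain (requires network):
    # print(check_live("jane.doe@contoso.com"))
```

Run it with a real UPN via check_live and fix every reported problem before rolling the enrollment profile out; a non-200 status, a redirect to http, or a text/html Content-Type are the usual reasons the Settings app reports "Profile Not Found" even though the file "is there".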
Common Errors and What They Actually Mean
| Error | What's Really Happening |
|---|---|
| "No profile found" | The .well-known discovery URL is missing or misconfigured |
| Redirect to Safari loop | Enrollment Type profile mismatch; check your profile assignment |
| Authentication failed | Entra ID federation issue; verify your domain federation status |
| Compliance errors after enrollment | JIT not configured, or Authenticator isn't deployed |
The Bottom Line
Account-Driven User Enrollment is genuinely better than the old Safari-based method: it's cleaner for users and more private by design. But it requires a bit more backend setup to get right. Nail the discovery URL, set your enrollment type profile correctly, and turn on JIT registration, and the experience becomes almost seamless.

