AppConfig on Intune for iOS

Overview

To use AppConfig on Intune for iOS, there are seven overarching steps you need to accomplish:

1. Setup Apple MDM Push Certificate
2. Enroll an iPad or iPhone
3. App Distribution with App Store
4. Assign App to Group
5. Configurations and Restrictions 
6. Create and Configure VPN Profile
7. Create and Configure VPN Per-App

Setup Apple MDM Push Certificate

Before using Intune to manage iOS devices with AppConfig, an Apple MDM Push certificate is required. 
The Apple MDM push certificate is valid for one year and must be renewed annually. When a push certificate expires, you must renew it. When renewing, please make sure to use the same Apple ID that you used when you first created the push certificate.
For instructions, see Get an Apple MDM push certificate.

Enroll an iPad or iPhone

Intune enables MDM of iPads and iPhones to give users access to company email and apps. Intune supports enrolling personally owned devices, known as "bring your own device" (BYOD) enrollment. Intune also supports enrollment of company-owned devices, with methods like Apple's Device Enrollment Program (DEP), Apple School Manager, Apple Configurator, etc. For more information, see Enroll iOS devices in Intune.
Once you've completed setting up Apple MDM Push certificate and assigned users licenses, users can download the Intune Company Portal app from the App Store and follow enrollment instructions in the app. For instructions, see install and sign in to the Company Portal app.
Note: Before enrolling your device, please make sure your device is not managed by other MDM consoles, such as AirWatch and MobileIron. You can check whether your device is managed by going to Settings > General > Profiles & Device Management. If a Mobile Device Management profile exists, please remove it from management.

App Distribution with App Store

There are two ways you can distribute your app:

• App Distribution with Apple's App Store
  
  Intune can support both public and internal apps. In Intune, a public app is described as iOS store app, which is downloaded from App Store. For instructions, see Add iOS store apps to Microsoft Intune. 
  
  
• App Distribution with an .ipa File
  
  For internal apps (the .ipa build from DMG) is described as an iOS line-of-business app, which is uploaded by an administrator. For instructions, see Add an iOS line-of-business app to Microsoft Intune.
  
  

Assign App to Group

After you've added an app to Microsoft Intune, you can assign the app to users and devices. For instructions, see Assign apps to groups with Microsoft Intune.

Configurations and Restrictions 

In Intune, we can create configurations and restrictions with App configuration policies and assign them to an app and user groups. 
For iOS, the configurations can be set for apps from both the App Store or .ipa file. The configurations can be set either by XML format or by key-value configuration editor, which looks similar as in AirWatch. 
When the app is downloaded on a device, the configurations are loaded from managed configurations in NSUserDefaults, the same as AppConfig with the AirWatch console. These values will pre-configure and control the behavior of the app.
For instructions, see Add app configuration policies for managed iOS devices.
See Integrate with AppConfig-Compliant EMM Providers or more information on the available configuration options.

Create and Configure VPN Profile

To create a VPN profile, see Create VPN profiles in Intune.
To  configure the VPN profile, see Configure VPN settings on iOS devices in Microsoft Intune.

Create and Configure VPN Per-App

To create and configure VPN per-app, see Set up per-app Virtual Private Network (VPN) for iOS devices in Intune.
KB483188