New iOS/iPadOS ADE enrollment policies experience

Intune_Support_Team
Mar 14, 2025

By: Anya Novicheva – Sr. Product Manager | Microsoft Intune 

Expected in Q1 CY26, iOS/iPadOS automated device enrollment (ADE) policies will move to a new infrastructure that enables Intune to speed up the delivery of new features. With this update, you'll also notice that the authentication methods are better organized, there is no Company Portal authentication method or automatic deployment of the Company Portal application, Apple-deprecated settings have been removed, and the policies page has more granular admin controls.

All newly created enrollment policies for iOS/iPadOS will automatically be part of the new experience. Existing enrollment profiles won’t be affected. You’ll be able to delete, edit, and assign existing enrollment profiles but you’ll no longer be able to create them with the old experience. We recommend creating a new enrollment policy and setting it as the default so new enrollments will use the new policy as soon as possible.    

Create a new enrollment policy for iOS/iPadOS ADE

In the Microsoft Intune admin center, navigate to Devices > Enrollment > Apple > Enrollment program tokens > select a token > Enrollment policies > Create. Here, new enrollment policies can be created and assigned to devices that have synced over from Apple Business Manager or Apple School Manager. Additionally, enrollment policies can be deleted or set as the default by navigating to the ellipsis in a policy.  

A screenshot of the new ADE Enrollment policies location in the Microsoft Intune admin center.

 Benefits of the new experience:   

  • The columns control can be used to select which columns should be default, which one should be the primary column, and which ones to show or hide.  
  • The search bar can be used to search by any column field contents and isn’t case sensitive. 
  • The filters control can be used to filter the policies by platform. We’ll add more filtering for the other columns soon. 
  • Sort each column in ascending or descending order by clicking the column header.
  • No more automatic Company Portal app deployment or Company Portal as an authentication method option in the drop-down setting. We always recommend using Setup Assistant with modern authentication. However, if you still want to send down the Company Portal app to your users or devices, you can do userless authentication (Enroll with no user affinity for authentication) and deploy the application as needed along with the required app configuration policy to the targeted devices.
  • Shared iPad has its own authentication method for devices with no user device affinity. 

Assigning new enrollment policies to devices 

The device assignment flow for ADE policies is the same. Within the policy, navigate to the Devices tab to select a device(s) and select Assign policy. Ensure that you’re assigning a new enrollment policy to the devices. 

Existing (old) enrollment profiles 

  • Existing enrollment profiles will remain in Devices > Enrollment > Apple > Enrollment program tokens > select a token > Profiles. New enrollment profiles within Profiles cannot be created.  
  • Existing enrollment profiles can be deleted, edited, and viewed. Their device assignments will not be affected or changed.  
  • We recommend you migrate your ADE devices from being assigned to old enrollment profiles over to new enrollment policies and always have the Await final configuration setting set to Yes. 
  • Important: If you delete an old enrollment profile, the device rename is no longer enforced (that is, if someone changes the device name).

Sending the Company Portal app to ADE devices with user device affinity (optional) 

Previously within enrollment profiles, the Company Portal app was sent down automatically to devices with the creation of Setup Assistant with modern authentication and Company Portal authentication profiles. With new enrollment policies, the Company Portal application will never be sent down automatically from the creation or assignment of the enrollment policy. 

For an enrollment policy with user device affinity, we strongly recommend you set the authentication method to Setup Assistant with modern authentication. For Setup Assistant with modern authentication, the Company Portal is no longer required because of Just in Time registration and compliance remediation (see "Just in Time registration and compliance Remediation for iOS/iPadOS with Microsoft Intune" on the Microsoft Community Hub).

However, if you still want to send down the Company Portal app to your users or devices, you can choose to Enroll without user affinity (userless) and then deploy the application as needed, along with the required app configuration policy to the targeted devices. Assigning the correct app configuration policy based on the authentication method is critical if you're sending the Company Portal app to ADE devices without user device affinity. Otherwise, the Company Portal will cause issues on the device and won't auto-update correctly.

Based on the Company Portal authentication method you use, send the following XML for the app configuration policy:

  • If you're using the Company Portal on an ADE device enrolled without user affinity (also known as Device Staging):

    <dict>
      <key>IntuneUDAUserlessDevice</key>
      <string>{{SIGNEDDEVICEID}}</string>
    </dict>

  • If you're using the Company Portal on an ADE device enrolling with user device affinity, such as the Company Portal authentication method:

    <dict>
      <key>IntuneCompanyPortalEnrollmentAfterUDA</key>
      <dict>
        <key>IntuneDeviceId</key>
        <string>{{deviceid}}</string>
        <key>UserId</key>
        <string>{{userid}}</string>
      </dict>
    </dict>
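An added example, not part of the original post and not Microsoft tooling: a Python linter that checks a Company Portal app configuration fragment against the two shapes given above before it is pasted into a policy. The scenario names `userless` and `after_uda` and all function names are assumptions made for this example; the comparison is literal against the keys and tokens as written in this post.

```python
import plistlib

# Expected keys and token values, copied from the two fragments in this post.
# The scenario names "userless" and "after_uda" are labels chosen for this example.
EXPECTED = {
    "userless": {"IntuneUDAUserlessDevice": "{{SIGNEDDEVICEID}}"},
    "after_uda": {"IntuneCompanyPortalEnrollmentAfterUDA": {
        "IntuneDeviceId": "{{deviceid}}", "UserId": "{{userid}}"}},
}

# Constructed sample input: the userless fragment as an admin might paste it.
SAMPLE_USERLESS = ("<dict><key>IntuneUDAUserlessDevice</key>"
                   "<string>{{SIGNEDDEVICEID}}</string></dict>")


def parse_fragment(fragment):
    """Parse a bare <dict> fragment by wrapping it in a plist root element."""
    wrapped = ('<?xml version="1.0" encoding="UTF-8"?>'
               '<plist version="1.0">' + fragment.strip() + "</plist>")
    try:
        parsed = plistlib.loads(wrapped.encode("utf-8"))
    except Exception as exc:  # malformed XML or invalid plist structure
        raise ValueError(f"not a valid plist dict: {exc}") from exc
    if not isinstance(parsed, dict):
        raise ValueError("top-level element must be <dict>")
    return parsed


def _compare(expected, actual, path, problems):
    """Walk the expected shape and record missing, wrong and extra keys."""
    for key, want in expected.items():
        here = f"{path}/{key}"
        if key not in actual:
            problems.append(f"missing key {here}")
        elif isinstance(want, dict) and isinstance(actual[key], dict):
            _compare(want, actual[key], here, problems)
        elif actual[key] != want:
            problems.append(f"{here} is {actual[key]!r}, expected {want!r}")
    for key in sorted(actual.keys() - expected.keys()):
        problems.append(f"unexpected key {path}/{key}")


def lint(fragment, scenario):
    """Return a list of problems; an empty list means the fragment matches."""
    problems = []
    try:
        _compare(EXPECTED[scenario], parse_fragment(fragment), "", problems)
    except ValueError as exc:
        problems.append(str(exc))
    return problems
```

Calling `lint(SAMPLE_USERLESS, "after_uda")` reports the mismatch that the post warns about: the userless fragment assigned to a device enrolling with user device affinity.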

 

Stay tuned to What’s new in Intune for the release! If you have any questions, leave a comment on this post or reach out on X @IntuneSuppTeam and we'll provide updates in the blog on the timing of this release.

 

Post Updates:
06/26/25: Updated post with a new ETA of Q4 CY25 (previously Q2 CY25). Also revised the content to better clarify the new experiences and authentication scenarios.
09/12/25: Updated post with a new ETA of Q1 CY26 (previously Q4 CY25).

Updated Sep 12, 2025
Version 4.0

29 Comments

  • caiobonamin
    Copper Contributor

    Ok, now if I need to create a new enrollment profile and reassign it to my 150K ADE devices across multiple ABM tenants, how can I do that if enrollment profiles can only be assigned in batches of 100 devices?

    I had to go through this process once, and it took me days to complete the updates.

    • AnyaNovicheva
      Microsoft

      Hi LeecurBIL67, this change is expected to release during Q2CY25. Please check back to this blog post for more specific timeline updates later on.

  • TimWaTech
    Copper Contributor

    This change is fine for enrollment, but as another stated, Company Portal is also used to push available apps. We don't allow the iTunes store at all and apps are either pushed as required, or available....and available requires the Company Portal app. This feels like a change that is caused by an assumption that no one manages devices in this manner anymore.

  • Inntune
    Copper Contributor

    This is not welcome news considering the amount of time I have spent configuring enrollment for lots of different devices and use enrollment profiles to dynamically assign devices to dynamic device groups.  This is going to break a lot of my stuff.  Thanks.

  • hgjoe
    Brass Contributor

    One more thing: I understand you are moving away from Company Portal because it is not needed anymore for device registration and compliance check, but CP still has some important features like publishing corporate apps in available state, sending custom notifications and log sharing.

     

    Until there are no alternatives for these additional features (and web version of CP does not provide push notification or log collection), I do not understand why you remove the automatic installation and background configuration of CP from the new enrolment policies.

    And why do we have to set this up manually?

    (Now we do not have to send separate configuration for CP.)

    • Shuchi Mehta
      Brass Contributor

      I agree, moving away from native CP experience is such a bad idea. Native experience and features cannot be replaced by web version of CP.  A hybrid version of CP would make sense and CP acts as an App Store, deploying a web version in a company - everyone has to remember or type the URL (first time login) - MS should make the web version available in Public App Stores if they want to provide a seamless experience for end users. 

    • AnyaNovicheva
      Microsoft

      Hi hgjoe, that's correct that the Company Portal app is no longer needed for ADE, and the Company Portal website (optional) with JIT registration and compliance should be used instead for a more secure, seamless, and quick provisioning experience. If you still need to use the Company Portal app, that is ok and can be configured manually to replicate the same experience as before. With this change, customers will be able to have the Company Portal app auto-update, allowing for more granular targeted admin control sending down the Company Portal app if they choose to.

      • Serendipity96
        Copper Contributor

        What other issues exactly are you referring to? Do you have a list of these issues that we currently have as a result of the automatic deployment? 

  • hgjoe
    Brass Contributor

    After creating the new enrolment policy, do we have to manually assign old devices to the new enrolment policy, or is it enough to set the new enrolment policy as default?

    In other words, if an old device is factory reset and re-enrolls, does this device get the new enrolment policy if it is the default enrolment policy, or once a device is assigned to an old enrolment profile this has to be assigned manually to the new enrolment policy?

    • AnyaNovicheva
      Microsoft

      Hi hgjoe and JedidP2180, you should re-assign your existing enrolled devices to a newly created iOS/iPadOS enrollment policy so when/if they re-enroll, they will enroll with the new policy and configured settings like device name template and eSIM will take effect without re-enrollment. The enrollment method and most settings for existing enrolled devices assigned to old profiles will not be affected until they are assigned to a new policy and they re-enroll with that policy. You should also set a new enrollment policy as the default policy once this experience goes live, and devices coming in from ABM/ASM will get assigned the new policy automatically. Note that if an existing device gets reset and re-enrolls, unless it is manually re-assigned to a new enrollment policy, it will continue to enroll with the originally assigned enrollment profile. Default enrollment policies only get assigned to new devices that synced over from ABM/ASM and need an enrollment policy assignment before they are powered on. Thank you!

    • JedidP2180
      Copper Contributor

      I believe enrollment policy is not required for the devices which are already enrolled, and for the new enrollments we are setting a default policy already which should cover re-enrollment.