Hello, unfortunately I am having massive problems trying to get the JIT registry to work. Since this article was posted online, my previous device registration no longer works.
How I have done it so far:
- Register with user affinity
- Authenticate: Company portal
- Launch Company portal in single app mode: Yes
Worked great and Company devices were cleanly separated from MAM policy.
Since November 2022, shortly after the article went online, this no longer works.
What does not work now:
- Register with user affinity (the user input window no longer appears during setup).
- Launch Company portal in single app mode: this no longer happens as soon as you are on the homescreen
Why does this no longer launch? Because the lack of user authentication also means that no policies and profiles are passed to the device.
How do I currently get my devices registered?
Go all the way from the iOS setup to the home screen, then manually launch the Company Portal, enter your user data, and only then are profiles and other things distributed. It's not funny. 
So now I am trying to switch my test group to JIT. I set it up according to the documentation and tried to register my test device about 50 times and that worked exactly 0 times.
What I have found out so far is that my Company Devices are no longer filtered from my MAM policy. Azure does not recognize my user account on the device as a company account but as a private account, and then permanently tries to distribute my app protection policy on the device when I, for example, start Teams and want to perform the JIT registration there.
And from here, it gets really crazy.
On my BYOD test devices, JIT, SSO and my MAM policies work.
When I open the Authenticator app on the BYOD devices, I immediately see that my account is obtained from "Azure AD". I open any other MS app and my account is immediately found and used. Great, that's exactly how it should be, on my company devices!
If I open the Authenticator app on a company device, it pulls my account from "(My Company) Global" and I have to log into each MS app individually.
Now can anyone explain to me what switching to JIT has to do with filtering the devices in my MAM policy?
I have been sitting in front of my monitors for almost 4 months now trying to register my company devices via JIT. I also just don't know where to even look for the problem here anymore.
Despite several tickets, I do not get any help from MS Support on the topic, but am only referred to these articles again and again.