Move to Setup Assistant with Modern Authentication for Automated Device Enrollment

Hi,

We are experimenting with a zero-touch deployment that would force users to register through Company Portal - we think the option 'Run Company Portal in Single App Mode until authentication' within the enrolment profile is perfect for this.

Setup Assistant with Modern Authentication is less desirable, because there is no way to force the user to interact with Company Portal in a zero-touch deployment - we have to guide them to do it.

However the problem we are seeing is that Company Portal does not download fast enough, meaning the device enters single app mode/kiosk mode first.  The only way out of this is to hard reset the device, which is extremely undesirable.

I'm not able to find any information about how to fix this problem.  This article seems to be suggesting EPM administrators move away from single app mode and towards Setup Assistant with Modern Authentication - this results in the user being prompted to log into EPM as well as their Apple ID, and the Primary User field in EPM is populated with their name; if this is enough to pull down their user-specific profiles and apps, that's great, but is that the case?

Unfortunately, they still then need to log into Company Portal and go through the 'Get your device managed' process anyway, so from a user point of view this is not as good as single app mode.  From my point of view - do they need to go through this process for the device to be evaluated against a compliance profile?  In other words, if the end user does not go into Company Portal, will the device be marked as non-compliant in the dash, assuming there's an evaluating profile?

We assume that, in a zero-touch deployment scenario, we can't rely on users to follow instructions to do this voluntarily, nor that they'll be able to do so without issues.

Any advice would be gratefully received.

Robert