Blog Post

Intune Customer Success

4 MIN READ

New iOS/iPadOS ADE enrollment policies experience

Silver Contributor

Mar 14, 2025

By: Anya Novicheva – Sr. Product Manager | Microsoft Intune

Expected in Q1 CY26, iOS/iPadOS automated device enrollment (ADE) policies will move to a new infrastructure which enables Intune to speed up the delivery of new features. Additionally with this update you’ll notice the authentication methods are better organized, there’ll be no Company Portal authentication method or automatic deployment of the Company Portal application, Apple-deprecated settings have been removed, and there’ll be more granular admin controls for the policies page.

All newly created enrollment policies for iOS/iPadOS will automatically be part of the new experience. Existing enrollment profiles won’t be affected. You’ll be able to delete, edit, and assign existing enrollment profiles but you’ll no longer be able to create them with the old experience. We recommend creating a new enrollment policy and setting it as the default so new enrollments will use the new policy as soon as possible.  

Create a new enrollment policy for iOS/iPadOS ADE

In the Microsoft Intune admin center, navigate to Devices > Enrollment > Apple > Enrollment program tokens > select a token > Enrollment policies > Create. Here, new enrollment policies can be created and assigned to devices that have synced over from Apple Business Manager or Apple School Manager. Additionally, enrollment policies can be deleted or set as the default by navigating to the ellipsis in a policy. 

A screenshot of the new ADE Enrollment policies location in the Microsoft Intune admin center.

Benefits of the new experience:  

The columns control can be used to select which columns should be default, which one should be the primary column, and which ones to show or hide.

The search bar can be used to search by any column field contents and isn’t case sensitive.

The filters control can be used to filter the policies by platform. We’ll add more filtering for the other columns soon.

Sort each column by the ascending or descending order by clicking on the column header.

No more automatic Company Portal app deployment or Company Portal as an authentication method option in the drop-down setting. We always recommend using Setup Assistant with modern authentication, however, if you still want to send down the Company Portal app to your users or devices, you can do userless authentication (Enroll with no user affinity for authentication) and deploy the application as needed along with the required app configuration policy to the targeted devices.

- The “Install Company Portal”, “Install Company Portal with VPP, and “Run Company Portal in single app mode until authentication” settings aren’t supported and have been removed from the enrollment policy. For more details refer to the blog: Move to Setup Assistant with Modern Authentication for Automated Device Enrollment

Shared iPad has its own authentication method for devices with no user device affinity.

Assigning new enrollment policies to devices

The device assignment flow for ADE policies is the same. Within the policy, navigate to the Devices tab to select a device(s) and select Assign policy. Ensure that you’re assigning a new enrollment policy to the devices.

Existing (old) enrollment profiles

Existing enrollment profiles will remain in Devices > Enrollment > Apple > Enrollment program tokens > select a token > Profiles. New enrollment profiles within Profiles cannot be created.

Existing enrollment profiles can be deleted, edited, and viewed. Their device assignments will not be affected or changed.

We recommend you migrate your ADE devices from being assigned to old enrollment profiles over to new enrollment policies and always have the Await final configuration setting set to Yes.

Important: If you delete an old enrollment profile, the device rename is no longer enforced (that is if someone changes the device name).

Sending the Company Portal app to ADE devices with user device affinity (optional)

Previously within enrollment profiles, the Company Portal app was sent down automatically to devices with the creation of Setup Assistant with modern authentication and Company Portal authentication profiles. With new enrollment policies, the Company Portal application will never be sent down automatically from the creation or assignment of the enrollment policy.

For enrollment policy with user device affinity, we strongly recommend you set the authentication method to Setup Assistant with modern authentication. For Setup Assistant with modern authentication, the Company Portal is no longer required because of Just in Time registration and compliance Remediation for iOS/iPadOS with Microsoft Intune | Microsoft Community Hub.

However, if you still want to send down the Company Portal app to your users or devices, you choose to Enroll without user affinity (userless) and then deploy the application as needed, along with the required app configuration policy to the targeted devices. Assigning the correct app configuration policy based on the authentication method is critical if you’re sending the Company Portal app to ADE devices without user device affinity. Otherwise, the Company Portal will cause issues on the device and won’t auto-update correctly.

Based on the Company Portal authentication method you use, send the following XML for the app configuration policy:

If you're using the Company Portal on an ADE device enrolled without user affinity (also known as Device Staging):

<dict> <key>IntuneUDAUserlessDevice</key> <string>{{SIGNEDDEVICEID}}</string> </dict>

If you're using the Company Portal on an ADE device enrolling with user device affinity, such as the Company Portal authentication method:

<dict> <key>IntuneCompanyPortalEnrollmentAfterUDA</key> <dict> <key>IntuneDeviceId</key> <string>{{deviceid}}</string> <key>UserId</key> <string>{{userid}}</string> </dict> </dict>

Stay tuned to What’s new in Intune for the release! If you have any questions, leave a comment on this post or reach out on X @IntuneSuppTeam and we'll provide updates in the blog on the timing of this release.

Post Updates:
06/26/25: Updated post with a new ETA of Q4 CY25 (previously Q2 CY25). Also revised the content to better clarify the new experiences and authentication scenarios.
09/12/25: Updated post with a new ETA of Q1 CY26 (previously Q4 CY25).

Updated Sep 12, 2025

Version 4.0

automated device enrollment (ade)

Intune_Support_Team

Silver Contributor

Joined October 11, 2018

View Profile

Intune Customer Success

Follow this blog board to get notified when there's new activity

29 Comments

jpditbrian
Copper Contributor
Aug 21, 2025
How does this work with App protection policies? Currently in an environment where the user can set up passkeys and conditional access policies are in place requiring app protection policies, the user (on iOS at least) gets stuck in a loop because neither Authenticator or Defender work with app protection policies and so they can't sign in to set up the passkey or authenticator in general. Will this fix that problem?
Intune_Admin
Copper Contributor
Jun 13, 2025
This feature hasn't been rolled out, but it can be tracked in the Roadmap with the ID 469032 https://www.microsoft.com/en-us/microsoft-365/roadmap?id=469032 the current ETA is for August 2025, but it could change so for up-to-date information please refer to the roadmap item.
- Intune_Support_Team
  Silver Contributor
  Jul 30, 2025
  Hi Intune_Admin
  
  CC: chetanshanghvi Stanzoheetik
  
  Indeed that is correct. https://www.microsoft.com/en-us/microsoft-365/roadmap?id=469032 will show you the latest up-to-date info about this feature, and we'll continue to update this blog as and when we have further updates.
  
  For the time being, this feature is expected to be rolling out in Q4 CY25.
  
  Thanks!
  
  Intune Support Team
chetanshanghvi
Copper Contributor
Jun 12, 2025
When is this expected to roll out?
Stanzoheetik
Copper Contributor
May 28, 2025
Is there any update on this topic? Q2Y2025 is nearly coming to an end.

And as someone else already mentioned, this article conflicts with what is stated on https://learn.microsoft.com/en-us/mem/intune-service/enrollment/automated-device-enrollment-authentication#option-2-setup-assistant-with-modern-authentication
Salsabil
Copper Contributor
Apr 10, 2025
Can you advise if Defender zero-touch onboarding works with this enrollment method, without Company Portal, as Company Portal setup is currently a requirement?
The existing Company Portal enrollment method mitigates situations where devices could slip into users' hands without Company Portal being set up.
Please could you also sort out the fact that you can only re-assign enrollment profiles to devices 49 devices at a time in Intune? Thanks.
tseddon
Copper Contributor
Apr 08, 2025
AnyaNovichevaIf we were to move away from deploying the company portal app and only deploy the company portal website via a webclip, how would users collect logs from the device if needed? Also, are there plans to stop the support of the company portal app in the future?
- AnyaNovicheva
  Microsoft
  Apr 08, 2025
  Hi tseddon. The Company Portal app is still needed for log collection. There is no plan to completely move away from the Company Portal app at this time. The key benefit is that the need for the Company Portal app has been removed for for enrollment. This applies to ADE, Account Driven User Enrollment, and Device Enrollment which now don't need the Company Portal app to complete end to end enrollment and Entra ID registration, but the app can play a role on the device after, such as for shake and sending logs.
JedidP2180
Copper Contributor
Mar 26, 2025
Can we already create the new enrollments profiles, and when ETG is rolled out newly created enrollment profile will already consume this? Or should we create the profile after this is rolled out?
- Intune_Support_Team
  Silver Contributor
  Apr 07, 2025
  Hi JedidP2180
  
  To answer the question, yes, all newly created enrollment policies for iOS/iPadOS will automatically be part of the new experience. Existing enrollment profiles won’t be affected, though it's recommended to create a new enrollment policy and setting it as the default so new enrollments will use the new policy as soon as possible. 
  
  Hope this helps!
JedidP2180
Copper Contributor
Mar 26, 2025
hi, Is this already in private preview for the tests?
Shuchi Mehta
Brass Contributor
Mar 20, 2025
Hi, this kind of conflicts with another article https://learn.microsoft.com/en-us/mem/intune-service/enrollment/automated-device-enrollment-authentication#option-2-setup-assistant-with-modern-authenticationit is advised we should not send a separate app configuration policy to the Company Portal for iOS/iPadOS devices after enrolling with Setup Assistant with modern authentication. Doing so will result in an error (setup with Modern auth with user affinity method and CP is deployed as a required VPP app) . However, this new article New iOS/iPadOS ADE enrollment policies experience | Microsoft Community Hub is asking to deploy the app configuration policy if we are deploying the Company portal app (VPP) with Modern Auth and user affinity. Do I have this correct? Which one is applicable here? Can you please advise. Thanks.
- SteffenSchwerdtfeger
  Copper Contributor
  Aug 21, 2025
  AnyaNovicheva Can you answer this? So, when using ADE with Modern Authentication and installing Company Portal afterwards (pushed as normal App), is an App Configuration needed?
  https://learn.microsoft.com/en-us/intune/intune-service/enrollment/automated-device-enrollment-authentication#automatically-install-company-portal-app: "When the user reaches the home screen, Intune automatically applies the correct app configuration policy to the device."
  Apart from JIT, I assume, customers will still use Company Portal for offering available Apps, devices actions like sync and wipe.
- SteffenSchwerdtfeger
  Copper Contributor
  Mar 27, 2025
  Also wondering about this. In addition, this article states that IntuneUDAUserlessDevice is needed for "ADE device enrolled without user affinity (also known as Device Staging)". When using "Setup Assistant with modern authentication" we are having an user affinity...
  https://learn.microsoft.com/en-us/intune/intune-service/apps/app-configuration-policies-use-ios
jpditbrian
Copper Contributor
Mar 20, 2025
Hi,

Could you confirm that if I have a new user that is being required to set up authenticator on the phone, that they will be able to do this as part of signing in?

The reason I am using company portal at the moment is entirely because users were getting stuck being asked to set up authenticator on a phone that hadn't downloaded it yet when using setup assistant with modern authentication....