Intune Customer Success

New iOS/iPadOS and macOS ADE enrollment policies experience

Intune_Support_Team
Silver Contributor
Mar 14, 2025

By: Anya Novicheva – Sr. Product Manager | Microsoft Intune

Expected in Q2 CY26, iOS/iPadOS and macOS automated device enrollment (ADE) profiles will move to a new infrastructure which enables Intune to speed up the delivery of new features. These will be the new enrollment policies experience for Apple devices enrolling through ADE. With this update, you’ll notice the authentication methods are better organized, there’ll be no Company Portal authentication method or automatic deployment of the Company Portal application, Apple-deprecated settings have been removed, and there’ll be more granular admin controls for the policies page.

All newly created enrollment policies for iOS/iPadOS/macOS will automatically be part of the new experience. Existing enrollment profiles won’t be affected. You’ll be able to delete, edit, and assign existing enrollment profiles, but you’ll no longer be able to create them with the old experience. We recommend creating a new enrollment policy and setting it as the default as soon as this feature releases so that new enrollments use the new policy as soon as possible. All features released afterward will be part of the new enrollment policies experience and will not be added to the old enrollment profiles.

Create a new enrollment policy for iOS/iPadOS and macOS ADE

In the Microsoft Intune admin center, navigate to Devices > Enrollment > Apple > Enrollment program tokens > select a token > Enrollment policies > Create. Here, new enrollment policies can be created and assigned to devices that have synced over from Apple Business Manager or Apple School Manager. Additionally, enrollment policies can be deleted or set as the default by navigating to the ellipsis in a policy.  

A screenshot of the new ADE Enrollment policies location in the Microsoft Intune admin center.

 Benefits of the new experience:   

  • Enrollment time grouping support - Enrollment time grouping in Microsoft Intune
  • The columns control can be used to select which columns should be default, which one should be the primary column, and which ones to show or hide. 
  • The search bar can be used to search by any column field contents and isn’t case sensitive.
  • The filters control can be used to filter the policies by platform. We’ll add more filtering for the other columns soon.
  • Sort each column in ascending or descending order by clicking the column header.
  • No more automatic Company Portal app deployment from the enrollment policy itself or Company Portal as an authentication method option in the drop-down setting. The Company Portal app can still be used and sent down as a required or available app to the device depending on your organization’s needs.
    • We always recommend using Setup Assistant with modern authentication for ADE policies with user affinity, as it is the most secure method. However, if you still want to deploy the Company Portal authentication method for your users or devices, you can use userless authentication (Enroll with no user affinity for authentication) and deploy the application as needed, along with the required app configuration policy, to the targeted devices. Note that this is not recommended.
    • The “Install Company Portal”, “Install Company Portal with VPP”, and “Run Company Portal in single app mode until authentication” settings aren’t supported and have been removed from the enrollment policy for iOS/iPadOS ADE. For more details, refer to the blog: Move to Setup Assistant with Modern Authentication for Automated Device Enrollment
  • Shared iPad for iPadOS ADE has its own authentication method for devices with no user device affinity. 
  • Setup Assistant with modern authentication is the default and recommended authentication method for ADE enrollment policies.  

Assigning new enrollment policies to devices 

The device assignment flow for ADE policies is the same. Within the policy, navigate to the Devices tab, select one or more devices, and select Assign policy. Ensure that you’re assigning a new enrollment policy to the devices.

Existing (old) enrollment profiles 

  • Existing enrollment profiles will remain in Devices > Enrollment > Apple > Enrollment program tokens > select a token > Profiles. New enrollment profiles within Profiles cannot and should not be created.
  • Existing enrollment profiles can be deleted, edited, assigned to devices, and viewed. Their device assignments will not be affected or changed.

  • We recommend you migrate your ADE devices from being assigned to old enrollment profiles over to new enrollment policies and always have the Await final configuration setting set to Yes. Additionally, we recommend you set your default enrollment policy to one of your newly created ones from the Enrollment policies tab.

  • Important: If you delete an old enrollment profile, the device rename is no longer enforced (that is, if someone changes the device name).

Sending the Company Portal app to ADE devices with user device affinity (optional) - iOS/iPadOS only

Previously within enrollment profiles, the Company Portal app was sent down automatically to devices with the creation of Setup Assistant with modern authentication and Company Portal authentication profiles. With new enrollment policies, the Company Portal application will never be sent down automatically from the creation or assignment of the enrollment policy.

For enrollment policies with user device affinity, we strongly recommend you set the authentication method to Setup Assistant with modern authentication as the most secure and seamless method. For Setup Assistant with modern authentication, the Company Portal is no longer required because of Just in Time registration and compliance Remediation for iOS/iPadOS with Microsoft Intune.

However, if you still want to replicate the Company Portal authentication method for your users or devices, you can choose to Enroll without user affinity (userless) and then deploy the application as needed, along with the required app configuration policy, to the targeted devices. Assigning the correct app configuration policy based on the authentication method is critical if you’re sending the Company Portal app to ADE devices without user device affinity. Otherwise, the Company Portal will cause issues on the device and won’t auto-update correctly. However, we highly recommend Setup Assistant with modern authentication as the ADE authentication method for your Apple devices with user affinity.

Based on the Company Portal authentication method you use, send the following XML for the app configuration policy:

  • If you're using the Company Portal on an ADE device enrolled without user affinity (also known as Device Staging):

    <dict>
        <key>IntuneUDAUserlessDevice</key>
        <string>{{SIGNEDDEVICEID}}</string>
    </dict>

  • If you're using the Company Portal on an ADE device enrolling with user device affinity, such as the Company Portal authentication method:

    <dict>
        <key>IntuneCompanyPortalEnrollmentAfterUDA</key>
        <dict>
            <key>IntuneDeviceId</key>
            <string>{{deviceid}}</string>
            <key>UserId</key>
            <string>{{userid}}</string>
        </dict>
    </dict>
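
Because a mismatched app configuration is what breaks the Company Portal on these devices, the fragment can be linted before it is pasted into the policy. The following is an added example, not Microsoft's code: it checks a fragment against the two shapes shown above, and the scenario labels `userless` and `user_affinity` and the function names are assumptions made for this sketch.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Expected keys and tokens per scenario, copied from the two fragments in the post.
# The scenario names are labels invented for this example.
EXPECTED = {
    "userless": {"IntuneUDAUserlessDevice": "{{SIGNEDDEVICEID}}"},
    "user_affinity": {"IntuneCompanyPortalEnrollmentAfterUDA": {
        "IntuneDeviceId": "{{deviceid}}", "UserId": "{{userid}}"}},
}

def parse_fragment(xml_fragment):
    """Wrap the bare <dict> fragment in a <plist> root so plistlib can parse it."""
    wrapped = f'<plist version="1.0">{xml_fragment.strip()}</plist>'.encode()
    data = plistlib.loads(wrapped, fmt=plistlib.FMT_XML)
    if not isinstance(data, dict):
        raise ValueError("top-level element must be <dict>")
    return data

def diff(expected, actual, path=""):
    """Recursively compare keys and token values; return readable problems."""
    problems = []
    for key, want in expected.items():
        here = f"{path}/{key}"
        if key not in actual:
            problems.append(f"missing key {here}")
        elif isinstance(want, dict) and isinstance(actual[key], dict):
            problems += diff(want, actual[key], here)
        elif actual[key] != want:
            # Exact match on the post's spelling (this example's choice); catches pasted literal IDs.
            problems.append(f"{here}: expected {want!r}, found {actual[key]!r}")
    return problems

def check_config(xml_fragment, scenario):
    """Return a list of problems; an empty list means the fragment fits the scenario."""
    try:
        actual = parse_fragment(xml_fragment)
    except (ValueError, ExpatError) as exc:
        return [f"not a parseable plist dict: {exc}"]
    problems = [f"unexpected key /{key} (belongs to '{other}')"
                for other, keys in EXPECTED.items() if other != scenario
                for key in keys if key in actual]
    return problems + diff(EXPECTED[scenario], actual)

if __name__ == "__main__":
    # Constructed input: the userless fragment checked against the wrong scenario.
    frag = "<dict><key>IntuneUDAUserlessDevice</key><string>{{SIGNEDDEVICEID}}</string></dict>"
    print(check_config(frag, "user_affinity"))
```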

 

Stay tuned to What’s new in Intune for the release! If you have any questions, leave a comment on this post or reach out on X @IntuneSuppTeam and we'll provide updates in the blog on the timing of this release.

 

Post Updates:
06/26/25: Updated post with a new ETA of Q4 CY25 (previously Q2 CY25). Also revised the content to better clarify the new experiences and authentication scenarios.
09/12/25: Updated post with a new ETA of Q1 CY26 (previously Q4 CY25).
02/26/26: Updated post with a new ETA of Q2 CY26 (previously Q1 CY26) and expanded scope to include macOS ADE alongside iOS/iPadOS.

Updated Mar 02, 2026
Version 6.0

29 Comments

  • caiobonamin
    Copper Contributor

    Ok, now if I need to create a new enrollment profile and reassign it to my 150K ADE devices across multiple ABM tenants, how can I do that if enrollment profiles can only be assigned in batches of 100 devices?

    I had to go through this process once, and it took me days to complete the updates

    • AnyaNovicheva
      Microsoft

      Hi LeecurBIL67, this change is expected to release during Q2CY25. Please check back to this blog post for more specific timeline updates later on.

  • TimWaTech
    Copper Contributor

    This change is fine for enrollment, but as another stated, Company Portal is also used to push available apps. We don't allow the iTunes store at all and apps are either pushed as required, or available....and available requires the Company Portal app. This feels like a change that is caused by an assumption that no one manages devices in this manner anymore.

  • Inntune
    Copper Contributor

    This is not welcome news considering the amount of time I have spent configuring enrollment for lots of different devices and use enrollment profiles to dynamically assign devices to dynamic device groups.  This is going to break a lot of my stuff.  Thanks.

  • hgjoe
    Brass Contributor

    One more thing: I understand you are moving away from Company Portal because it is not needed anymore for device registration and compliance check, but CP still has some important features like publishing corporate apps in available state, sending custom notifications and log sharing.

     

    Until there are no alternatives for these additional features (and web version of CP does not provide push notification or log collection), I do not understand why you remove the automatic installation and background configuration of CP from the new enrolment policies.

    And why we have to set this up manually?

    (Now we do not have to send separate configuration for CP.)

    • Shuchi Mehta
      Brass Contributor

      I agree, moving away from native CP experience is such a bad idea. Native experience and features cannot be replaced by web version of CP.  A hybrid version of CP would make sense and CP acts as an App Store, deploying a web version in a company - everyone has to remember or type the URL (first time login) - MS should make the web version available in Public App Stores if they want to provide a seamless experience for end users. 

    • AnyaNovicheva
      Microsoft

      Hi hgjoe, that's correct that the Company Portal app is no longer needed for ADE, and the Company Portal website (optional) with JIT registration and compliance should be used instead for a more secure, seamless, and quick provisioning experience. If you still need to use the Company Portal app, that is ok and can be configured manually to replicate the same experience as before. With this change, customers will be able to have the Company Portal app auto-update, allowing for more granular targeted admin control sending down the Company Portal app if they choose to.

      • Serendipity96
        Copper Contributor

        What other issues exactly are you referring to? Do you have a list of these issues that we currently have as a result of the automatic deployment? 

  • hgjoe
    Brass Contributor

    After creating the new enrolment policy, do we have to manually assign old devices to the new enrolment policy, or it is enough to set the new enrolment policy as default.

    In other words, if an old device is factory reset and re-enrolls, does this device get the new enrolment policy if it is the default enrolment policy, or once a device is assigned to an old enrolment profile this has to be assigned manually to the new enrolment policy?

    • AnyaNovicheva
      Microsoft

      Hi hgjoe and JedidP2180, you should re-assign your existing enrolled devices to a newly created iOS/iPadOS enrollment policy so when/if they re-enroll, they will enroll with the new policy and configured settings like device name template and eSIM will take effect without re-enrollment. The enrollment method and most settings for existing enrolled devices assigned to old profiles will not be affected until they are assigned to a new policy and they re-enroll with that policy. You should also set a new enrollment policy as the default policy once this experience goes live, and devices coming in from ABM/ASM will get assigned the new policy automatically. Note that if an existing device gets reset and re-enrolls, unless it is manually re-assigned to a new enrollment policy, it will continue to enroll with the originally assigned enrollment profile. Default enrollment policies only get assigned to new devices that synced over from ABM/ASM and need an enrollment policy assignment before they are powered on. Thank you!

    • JedidP2180
      Copper Contributor

      I believe enrollment policy is not required for the devices which are already enrolled, and for the new enrollments we are setting a default policy already which should cover re-enrollment.