
Intune Customer Success

Upcoming changes to iOS/iPadOS Company Portal app deployment for Setup Assistant with modern auth

Intune_Support_Team
Sep 14, 2022

Updated January 17, 2023: The change has been delayed. We will update this post when it's time to replan for this future change.

 

Updated December 19, 2023: We’ve been hard at work to improve the ADE experience through the release of Setup Assistant with modern authentication, Just in Time (JIT) registration and compliance remediation, and the "Await until configuration" setting. Learn more in our blog here: aka.ms/Intune/Improved-ADE.

 

Based on customer feedback and the upcoming Just in Time (JIT) Registration feature, we're planning to remove automatic deployment of the iOS/iPadOS Company Portal app as a required app for Automated Device Enrollment (ADE) Setup Assistant with modern authentication enrollment profiles in a future Intune service release.

 

With JIT Registration, the Company Portal app will no longer be required for Azure Active Directory (Azure AD) registration or compliance. The new feature allows admins to tailor the Company Portal app with the desired customizations to fit their organization’s needs.

 

This change will occur in two phases. The first phase will remove the automatic deployment from new profiles and introduce a new configuration option for existing enrollment profiles to stop automatic deployment. The second phase will remove automatic deployment from existing enrollment profiles. We'll keep you updated on the expected timeline and any additional information for the change in this post.

 

Existing ADE profiles with Setup Assistant with modern authentication

To prepare for this change, we will be adding a new option for all existing ADE Setup Assistant with modern authentication enrollment profiles that will allow you to stop the automatic deployment of the iOS/iPadOS Company Portal as a required app from the enrollment profile. The new option will be available in the “Install Company Portal with VPP” drop-down menu. Stay tuned to “In development” and “What’s new in Intune” for the release.

 

If you have existing ADE profiles with Setup Assistant with modern authentication, once it's available, enable the new drop-down configuration to stop the automatic deployment of the Company Portal app. After updating the configuration of the setting, use an app configuration policy and app targeting to push the Company Portal app as an available or required Volume Purchase Program (VPP) app (this is optional because of JIT Registration, which will be released at that time). VPP is not required but is recommended. A few months after the new drop-down is released, we will be removing the automatic deployment of the Company Portal app from the modern authentication enrollment profile regardless of the VPP setting configuration.

 

After updating your existing profile, complete the following steps:

  1. Create an app configuration policy that sends the app configuration XML file called “Use the Company Portal on an Automated Device Enrollment (ADE) device enrolled with user affinity”. See “Add app configuration policies for managed iOS/iPadOS devices” for instructions.
  2. Deploy the Company Portal app to the device. There are two options for this:
    1. (Recommended) Set up VPP for iOS/iPadOS and assign the Company Portal app as required. For instructions, see “How to manage iOS and macOS apps purchased through Apple Business Manager with Microsoft Intune”. You're highly encouraged to set “Automatic app updates” to Yes.
    2. Add the Company Portal to Intune (see “Add apps to Microsoft Intune”) and then assign the app as required by following the instructions in “Assign apps to groups with Microsoft Intune”.

The correct app configuration policy must be assigned to the devices regardless of whether VPP is configured for the Company Portal. The Company Portal is required on the device.

 

Note: Later, we'll remove the automatic deployment of the Company Portal app from the modern authentication enrollment profile regardless of the “Install Company Portal with VPP” setting configuration. However, you'll continue to see the setting in the enrollment profile. No changes are needed if you’ve already taken the steps above.

 

New ADE profiles with Setup Assistant with modern authentication

Once automatic deployment of the Company Portal app has been removed, you'll no longer see the “Install Company Portal with VPP” setting when creating new ADE profiles. You'll need to use an app configuration policy and app targeting to deliver the Company Portal app. Here’s what to do:

  1. Create an app configuration policy that sends the app configuration XML file called “Use the Company Portal on an Automated Device Enrollment (ADE) device enrolled with user affinity”. See “Add app configuration policies for managed iOS/iPadOS devices” for instructions.
  2. Deploy the Company Portal app to the device as a required app. There are two options for this:
    1. (Recommended) Set up VPP for iOS/iPadOS and assign the Company Portal app. For instructions, see “How to manage iOS and macOS apps purchased through Apple Business Manager with Microsoft Intune”. You're highly encouraged to set “Automatic app updates” to Yes.
    2. Add the Company Portal to Intune (see “Add apps to Microsoft Intune”) and then assign the app as required by following the instructions in “Assign apps to groups with Microsoft Intune”.

The correct app configuration policy must be assigned to the devices regardless of whether VPP is configured for the Company Portal.

 

Key takeaways

  • This change only affects the Setup Assistant with modern authentication for iOS/iPadOS.
  • At the time of this change, if you choose to utilize JIT Registration:
    • We will not be blocking the Company Portal app deployment for Setup Assistant with modern authentication but, rather, making it optional.
    • Company Portal will not be required for Azure AD registration or compliance.
  • There are no changes to multi-factor authentication (MFA). If MFA is configured and required by the organization, a second device is still required for authentication.
  • The Company Portal app on existing enrolled devices will not be affected by the enrollment profile changes until the devices are re-enrolled.

 

We’ll continue to update this post with additional details, as needed, including when the new drop-down option becomes available and expected timelines for this change. More documentation will be available once the new option has been released. If you have any questions, please comment below or reach out to us on Twitter @IntuneSuppTeam.

 

Post updates:

10/10/22: Updated the content above to provide additional clarity.

10/31/22: Updated to clarify the timeline of Q1 CY2023 (was Q1 2023).

01/17/23: Change has been delayed. We will update this post when it's time to replan for this future change.

12/19/23: Added blog: aka.ms/Intune/Improved-ADE.

Updated Dec 20, 2023
Version 11.0

35 Comments

  • Hi Ginsmon_Joseph_IAEA, Darren O'Leary, and Peter_Holdridge, thank you for your feedback, it's very appreciated!

    • The Company Portal authentication method is not affected with the changes outlined in this post, only Setup Assistant with modern authentication for iOS/iPadOS. However, I highly encourage you to move your iOS/iPadOS ADE enrollment profiles and devices over to Setup Assistant with modern authentication as soon as possible because we will be deprecating the Company Portal authentication method in the future. There will be a new blog post about this later on with more details. Setup Assistant with modern authentication is the main ADE authentication method for enrollment and we are continuously investing in improving the flow. 
    • While the Company Portal app is currently required for Azure AD registration and device compliance for Setup Assistant with modern auth, that will not always be the case when Just in Time Registration for Setup Assistant with modern auth (iOS/iPadOS) releases in public preview. With Just in Time Registration, the Company Portal will no longer be required for Azure AD registration or compliance checks, and this will all be handled behind the scenes with Apple's SSO extension and will be done with an authentication in a configured Office app. More details are coming on this soon in a blog post. 
    • Everyone will be required to stop the automatic deployment of the Company Portal app and app config policy from the Setup Assistant with modern authentication enrollment profile. We made this decision based on issues with the automatic deployment, which include the inability for auto-updates to work on the Company Portal, incorrect configuration of duplicating the app config policy, and back up and restore issues. Once JIT Registration releases in public preview, the Company Portal will be fully optional and you will be able to send it manually as an available or required app with the attached app config policy if your organization chooses to do so. That way, auto-updating of the Company Portal will work and there won't be any app config policy duplication that results in incorrect management profile downloads. Due to these issues that customers have been facing, Intune making the Company Portal piece optional allows for granular customization. Soon, admins will be able to configure and target the Company Portal exactly how they want, and this will get rid of any current issues. 

    Just to clarify, we are not removing the Company Portal aspect of Setup Assistant with modern authentication, we are making sure admins can configure and target the app exactly how they want while making it optional in the near future. 

     

    Thank you!

  • Will everyone be required to make this change or will there be two options? We prefer to use the automated ADE deployment method as it currently stands. Less admin overhead.

  • What is the rationale for this change please? As the Company Portal App is required for Device Compliance, why give admins the option of not deploying it automatically?

  • That's interesting.

    But does it affect the profiles with authentication method as Company portal app and not setup assistant with modern authentication?