Forum Discussion

Dennis Blotenburg
Copper Contributor
Sep 29, 2020

Change DEP User affinity

Hi all,

I have a question about iOS & DEP profiles in Intune.


At a customer, we have a lot of iPhones (with DEP) enrolled in our organization. Now we've implemented MFA and it's not possible to enroll the devices because MFA is showing up.

I found in another blog that it happens because the enrollment profile is set to "Enroll without User Affinity". That should be changed to "Enroll with User Affinity".


My question is, when we change this, what will happen to all the devices we've already enrolled? Will they be hit by this change? If yes, what will happen on the already enrolled devices?


Thanks in advance.

  • eglockling
    Steel Contributor

    Dennis Blotenburg


    If you have MFA enforced for your tenant, use the following settings for the enrollment profile:

    User Affinity: Enroll with User Affinity

    Select where users must authenticate: Company Portal


    You can have the end user manually install Company Portal, or you can set up VPP and include it in the enrollment profile as well.


    There are ways to bypass the enforced MFA using Conditional Access so that you can use Setup Assistant, but it may be different for every organization. HINT: Authentication using Setup Assistant does not reach the Microsoft Intune and Microsoft Intune Enrollment cloud apps first.

  • almennn
    Brass Contributor

    Hi Dennis Blotenburg,


    As mentioned by eglockling you can bypass MFA during Setup Assistant enrollment with Conditional Access by excluding Microsoft Intune Enrollment and Microsoft Intune cloud apps.


    In addition, if you have Conditional Access policies where you have selected browser in client apps, even if it just points to Windows or any other platform, and require MFA, you have to exclude the two cloud apps here as well. You have to do that because when authenticating in Setup Assistant you are doing a browser-based authentication.
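The Conditional Access exclusion that both replies describe, as an added example that is not part of the thread or of Microsoft's own documentation. It is Microsoft Graph PowerShell and assumes the Microsoft.Graph module is installed, that the signed-in admin holds the scopes listed in the script, that the two first-party service principals ("Microsoft Intune Enrollment" and "Microsoft Intune") exist in the tenant under those display names, and that a pilot group named 'DEP Pilot' exists (a placeholder name). It first audits which enabled MFA policies still apply to those two apps, flagging the browser-scoped ones almennn mentions, and then creates a report-only policy with both apps excluded.

```powershell
# Added example (not from the thread or from Microsoft): audit Conditional Access
# for the Setup Assistant MFA problem, then create a report-only pilot policy that
# excludes the Microsoft Intune Enrollment and Microsoft Intune cloud apps.
# Assumptions: Microsoft.Graph PowerShell SDK installed; admin has the scopes below;
# the first-party service principals are present under the display names used here.

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
                        'Application.Read.All', 'Group.Read.All'

# Resolve the two first-party apps by display name instead of hard-coding GUIDs.
$enrollSp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune Enrollment'"
$intuneSp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune'"
if (-not $enrollSp -or -not $intuneSp) {
    throw 'Intune service principals not found; take the app IDs from the Entra admin center instead.'
}
$intuneAppIds = @($enrollSp.AppId, $intuneSp.AppId)

# 1) Audit: every enabled policy that requires MFA and still applies to either app
#    will prompt during Setup Assistant. Browser/all client-app scoping is reported
#    separately, because Setup Assistant authenticates through a browser session.
$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -ne 'enabled') { continue }
    $requiresMfa = $p.GrantControls.BuiltInControls -contains 'mfa'
    $apps        = $p.Conditions.Applications
    $covers      = ($apps.IncludeApplications -contains 'All') -or
                   (@($apps.IncludeApplications | Where-Object { $intuneAppIds -contains $_ }).Count -gt 0)
    $missing     = @($intuneAppIds | Where-Object { $apps.ExcludeApplications -notcontains $_ })
    $clientTypes = $p.Conditions.ClientAppTypes
    if ($requiresMfa -and $covers -and $missing.Count -gt 0) {
        [pscustomobject]@{
            Policy           = $p.DisplayName
            MissingExclusion = ($missing -join ', ')
            BrowserScoped    = [bool](($clientTypes -contains 'browser') -or ($clientTypes -contains 'all'))
            Platforms        = ($p.Conditions.Platforms.IncludePlatforms -join ', ')
        }
    }
}
$findings | Format-Table -AutoSize

# 2) Pilot policy: MFA for all apps except the two Intune apps, in report-only
#    mode so the sign-in logs can be reviewed before enforcing. Scoped to a pilot
#    group (assumed name 'DEP Pilot') rather than All users while testing.
$pilot  = Get-MgGroup -Filter "displayName eq 'DEP Pilot'"
$policy = @{
    displayName   = 'MFA - all apps except Intune enrollment (pilot)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeGroups = @($pilot.Id) }
        applications   = @{
            includeApplications = @('All')
            excludeApplications = $intuneAppIds
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Every policy the audit lists, not only the one you create, needs both apps in its exclusion list, or the Setup Assistant sign-in will still be prompted by the remaining policy. Keep in mind that the exclusion removes MFA from sign-ins to those two apps altogether; check the report-only results on the sign-in logs' Conditional Access tab before switching the policy to enabled.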
