Forum Discussion

20passist
Copper Contributor
Mar 17, 2020

CNAME records

My IT person had used his personal Apple ID to set up my company MDM. He explained it was an oversight - he should have asked me first and he should not have used his personal Apple ID. I accept that explanation but I wondered why he set it up in the first place. I did not want my devices controlled. There was no need. Especially given I had been complaining that I found Google device management policies deployed across my domain. He told me he set up MDM to allow Microsoft and my Apple phones to create a handshake. He argued it was necessary to "harden" my environment. He said my phone was not being controlled as there was no Intune set up. Given I was not using emails on my phone, I queried this reasoning. I never understood why my phone and Microsoft needed to handshake.

 

I have just read that the CNAME records below are only needed for MDM:

enterpriseregistration.windows.net

enterpriseenrollment.manage.microsoft.com

 

Is there any reason other than MDM for the above CNAME records? Do the above CNAME records allow apps other than Intune to control my iPhone?

 

 

  • Hi 20passist, an Apple MDM Push certificate is required for Intune to manage iOS/iPadOS and macOS devices. After you add the certificate to Intune, your users can enroll their devices using either the Intune Company Portal, or Apple's bulk enrollment methods. More information can be found here: Get an Apple MDM push certificate.

    If there are BYOD iOS devices, they can be enrolled in the Intune service by installing the Intune Company Portal, following through the prompts, and installing a Management profile. Have a look over our iOS enrollment docs on what this process looks like.

    Whether a device has been enrolled can be confirmed by the Intune Company Portal being installed/signed in on the device, or by a Management profile having been installed.

     

    Steps on manually validating if a device is managed:

    Settings App > General > If a "Device Management" profile exists, then the device is managed by an MDM.

     

    Hope this helps!

  • Moe_Kinani
    Bronze Contributor
    Answer is NO.
    You need these CNAMEs in Intune for MDM and Auto Enrollment for Windows devices only, not for iPhone & Android.

    Hope this helps!
    Moe
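
    To see for yourself whether a domain publishes the Windows auto-enrollment CNAMEs the thread is asking about, and where they point, here is an added PowerShell check. It is not code from this thread or from Microsoft; `contoso.com` is a placeholder for the domain in question, and the expected targets are the ones Microsoft's Intune documentation lists for Windows auto-enrollment (`EnterpriseEnrollment-s.manage.microsoft.com` and `EnterpriseRegistration.windows.net`), which is an assumption you should re-check against the current docs.

    ```powershell
    # Added example, not from the thread: report whether a domain carries the
    # Intune Windows auto-enrollment CNAMEs and whether they point where expected.
    param(
        [string]$Domain = "contoso.com"   # assumption: placeholder, replace with the real domain
    )

    # Expected CNAME targets for Intune Windows auto-enrollment (assumed from Microsoft's docs).
    $Expected = @{
        "enterpriseenrollment"   = "enterpriseenrollment-s.manage.microsoft.com"
        "enterpriseregistration" = "enterpriseregistration.windows.net"
    }

    function Test-IntuneCname {
        param([string]$Label, [string]$Zone, [string]$ExpectedTarget)

        $fqdn = "$Label.$Zone"
        try {
            # -DnsOnly skips the hosts file and local cache so we see what the zone publishes.
            # Keep only CNAME answers; a plain A record here means no CNAME is published.
            $records = Resolve-DnsName -Name $fqdn -Type CNAME -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'CNAME' }
        } catch {
            # NXDOMAIN or resolver failure: the record is simply not there.
            return [pscustomobject]@{ Name = $fqdn; Present = $false; Target = $null; Matches = $false }
        }

        $target = ($records | Select-Object -First 1).NameHost
        [pscustomobject]@{
            Name    = $fqdn
            Present = [bool]$target
            Target  = $target
            # Case-insensitive compare against the documented target.
            Matches = [bool]($target -and ($target.TrimEnd('.') -ieq $ExpectedTarget))
        }
    }

    $results = foreach ($label in $Expected.Keys) {
        Test-IntuneCname -Label $label -Zone $Domain -ExpectedTarget $Expected[$label]
    }

    $results | Format-Table -AutoSize

    # These records only affect Windows auto-enrollment. Their presence says nothing
    # about whether an iPhone is managed; for that, check Settings > General for a
    # Device Management (or VPN & Device Management) entry on the phone itself.
    if ($results.Present -notcontains $true) {
        "No Intune auto-enrollment CNAMEs published for $Domain."
    }
    ```

    A `Matches` of `$false` with `Present` `$true` means a CNAME exists but points somewhere other than the documented Intune target, which is worth a closer look at who controls that record.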
    • 20passist
      Copper Contributor

      Moe_Kinani

       

      Ok thank you all.

       

      Can I please clarify three points?

       

      1. If MDM was not being enabled why would you go to the trouble of creating an Apple Certificate? 

      2. Does the Apple Certificate create a "handshake" between Apple and Microsoft ?

      3. Does Microsoft recommend an Apple Certificate to improve security when using Microsoft on Apple devices?

      • Moe_Kinani
        Bronze Contributor
        1. The admin might not have finished the config for MDM.

        2. The certificate is to allow Intune to manage Apple phones; this goes for all MDM tools, not just Intune.

        3. As mentioned, Apple forces the certificate for all MDM tools to manage Apple devices; the certificate lasts for one year.

        Hope this helps!
        Moe
