Forum Discussion
Intune - Issues with Account-Driven User Enrollment on iOS 18.5
Hello everyone,
Since the release of iOS 18, Apple has deprecated profile-based user enrollment via the Company Portal app, requiring the use of Account-Driven User Enrollment. While this change enhances user experience, I'm encountering challenges in implementing it.
Steps Taken:
- Apple Business Manager (ABM) account: created and linked the ABM account to Intune using the token. Corporate devices are successfully appearing in Intune.
- MDM server configuration: set Intune as the default MDM server for all devices in ABM.
- Domain federation: established Entra ID federation in ABM to synchronize all users.
- Intune enrollment profile: created an "Enrollment Type Profile" of type "Account-Driven User Enrollment."
- MDM push certificate: configured and validated the MDM push certificate.
Issue Encountered:
According to https://support.apple.com/guide/deployment/account-driven-enrollment-methods-dep4d9e9cd26/web, starting with iOS 18.2, hosting a service discovery file on a web server is no longer mandatory. The device should automatically contact the ABM organization associated with the Managed Apple ID if no web server is found.
On an iOS 18.5 device, I navigate to: Settings > General > VPN & Device Management > Sign in to Work or School Account
After entering my Microsoft email address (which matches my Managed Apple ID due to federation), I consistently receive the error: "Your Apple ID does not support the expected services on this device."
In ABM, under "Access Management" > "Apple Services," all services are activated.
Could I be missing a crucial step in the configuration? Any guidance or insights would be greatly appreciated.
Thank you in advance for your help.
Best regards,
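The question turns on the service-discovery file that a device fetches from the Managed Apple ID's domain (the `/.well-known/com.apple.remotemanagement` endpoint) before iOS 18.2 made hosting it optional, and the first reply below recommends confirming it is reachable and not saved with a `.json` extension. The following is an added example, not code from this thread or from Apple or Microsoft: a small Python checker that validates a discovery response against the structure Apple documents (a `Servers` array whose entries carry `Version` and `BaseURL`). The sample bodies are constructed, their `BaseURL` is a placeholder rather than Intune's real endpoint, and the `model-family` query parameter and the `mdm-adde` version string are assumptions taken from my reading of Apple's deployment guide.

```python
"""Sanity-check a service-discovery response for Apple account-driven enrollment.

Added example for this thread; not Apple's or Microsoft's tooling.
Assumptions: the .well-known path and the mdm-byod / mdm-adde version strings
follow Apple's deployment guide; sample bodies are constructed and their
BaseURL is a placeholder, not the Intune enrollment endpoint.
"""
import json
import sys
import urllib.request
from urllib.parse import urlparse

# Path the device requests on the domain of the Managed Apple ID.
WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
# Version strings Apple defines: user enrollment (BYOD) and account-driven device enrollment.
KNOWN_VERSIONS = {"mdm-byod", "mdm-adde"}


def validate_discovery(url: str, content_type: str, body: bytes) -> list[str]:
    """Return a list of problems; an empty list means the response looks usable."""
    problems: list[str] = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append(f"discovery URL must be https, got {parsed.scheme!r}")
    if parsed.path != WELL_KNOWN_PATH:
        # Common mistake: the file was saved as com.apple.remotemanagement.json
        problems.append(f"path must be exactly {WELL_KNOWN_PATH}, got {parsed.path!r}")
    if content_type.split(";")[0].strip().lower() != "application/json":
        problems.append(f"Content-Type should be application/json, got {content_type!r}")
    try:
        doc = json.loads(body)
    except (ValueError, UnicodeDecodeError) as exc:
        problems.append(f"body is not valid JSON: {exc}")
        return problems
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        problems.append('top-level "Servers" must be a non-empty array')
        return problems
    for i, entry in enumerate(servers):
        version = entry.get("Version") if isinstance(entry, dict) else None
        base_url = entry.get("BaseURL") if isinstance(entry, dict) else None
        if version not in KNOWN_VERSIONS:
            problems.append(f"Servers[{i}].Version {version!r} not in {sorted(KNOWN_VERSIONS)}")
        if not isinstance(base_url, str) or urlparse(base_url).scheme != "https":
            problems.append(f"Servers[{i}].BaseURL must be an https URL, got {base_url!r}")
    return problems


def fetch_and_validate(domain: str, user_identifier: str) -> list[str]:
    """Live check: request the file the way the device does, query string included."""
    url = f"https://{domain}{WELL_KNOWN_PATH}?user-identifier={user_identifier}&model-family=iPhone"
    with urllib.request.urlopen(url, timeout=10) as resp:  # raises on DNS/TLS/HTTP errors
        return validate_discovery(url, resp.headers.get("Content-Type", ""), resp.read())


# Constructed samples: the BaseURL below is a placeholder, not a real MDM endpoint.
GOOD_BODY = json.dumps({"Servers": [{"Version": "mdm-byod",
                                     "BaseURL": "https://mdm.example.com/EnrollmentServer/Discovery"}]}).encode()
BAD_BODY = json.dumps({"Servers": [{"Version": "mdm-byod",
                                    "BaseURL": "http://mdm.example.com/enroll"}]}).encode()


def example_results() -> tuple[list[str], list[str]]:
    """Run the checker over a well-formed and a deliberately broken sample."""
    good = validate_discovery(
        "https://contoso.example" + WELL_KNOWN_PATH + "?user-identifier=user%40contoso.example",
        "application/json", GOOD_BODY)
    bad = validate_discovery(
        "https://contoso.example" + WELL_KNOWN_PATH + ".json",  # stray .json extension
        "text/plain", BAD_BODY)
    return good, bad


if __name__ == "__main__":
    if len(sys.argv) == 3:
        issues = fetch_and_validate(sys.argv[1], sys.argv[2])
    else:
        _, issues = example_results()
    print("OK" if not issues else "\n".join(issues))
```

Run it as `python check_discovery.py contoso.example user@contoso.example` to test a live domain from the network the device is on; without arguments it reports the three problems in the constructed bad sample (wrong path, wrong content type, non-HTTPS BaseURL).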
- Gonzalmic (Copper Contributor)
I ran into a similar issue at my org; it was due to stale MAM policies from a previous employer.
Delete Company Portal if it exists on the device (you will need to use a web clip for Account-Driven User Enrollment rather than the Company Portal app). Also delete Microsoft Authenticator, as well as any other Microsoft apps that may be caching MAM policies from a previous employer.
Also, make sure that you're able to access the .well-known config for your org. We had users in a different country whose ISP was blocking our domain; we had them connect via a VPN and their devices enrolled properly.
If you added a .JSON extension to the well-known file, you'll need to remove that.
- GriJ (Brass Contributor)
Maybe web-based device enrollment helps?
- GriJ (Brass Contributor)
https://learn.microsoft.com/en-us/intune/intune-service/enrollment/web-based-device-enrollment-ios
Have you tried web-based device enrollment?
- GriJ (Brass Contributor)
Hello,
If I understood it right, you have BYOD. Have you tried web-based device enrollment?
https://learn.microsoft.com/en-us/intune/intune-service/enrollment/web-based-device-enrollment-ios
- GriJ (Brass Contributor)
Hello,
It's not clear if you have BYOD or company phones. It looks like BYOD.
Have you ever tested "Web based enrollment"? It works fine for me. BR
- JulienSenec (Copper Contributor)
The problem is that I'd like to make a separation between work and personal profiles, which only this type of wrapping allows for BYOD.
- GriJ (Brass Contributor)
Hello,
Now I understand. Have you tried a different federated user? Maybe you can see some logs in Intune or ABM with failed authentication.