Forum Discussion
Aaron Smtih
Feb 03, 2018 (Copper Contributor)
Intune for iOS DEP devices with MFA
I well imagined this would already be a well-discussed topic on here, but does anyone know if Microsoft/Apple are working on getting iOS devices to work with the Device Enrollment Program and MFA?
...
Wahé Yaghyazaryan
Oct 26, 2018 (Copper Contributor)
Hello Daniel,
I am also having a problem registering DEP devices in Intune in combination with MFA.
After reading your comment I have directly browsed to my conditional access policy, which is responsible for activating the MFA option.
In the application selection field/Exclusions I can exclude Intune Enrolment (screenshot attached).
Somehow I cannot get that working at this moment.
The workaround in my case at this moment is disabling MFA, registering and then enabling MFA.
Keep posting if you get news from MS.
Regards,
Wahé
Daniel Hudson
Oct 30, 2018 (Steel Contributor)
Hi Wahe
Within the DEP profile, you need to select Enrol with User Affinity, but then enable the option to Authenticate with Company Portal Instead.
This will stop Apple from asking for the user's details during Setup Assistant. When the user then signs into Company Portal, it will then assign the device to the user.
See step 5 here: https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-ios#create-an-apple-enrollment-profile
You can then automatically install the Intune Company Portal on the device for the user using a VPP token, and even force the app to run in kiosk mode until registered. This is shown in steps 6 and 7.
- mcadamk1, Jul 21, 2020 (Copper Contributor)
Daniel Hudson but can they then use the device before logging in? Meaning, can they text and make phone calls? Or will the phone brick if they don't log into the Company Portal?
- Daniel Hudson, Jul 23, 2020 (Steel Contributor)
If you force the device into kiosk mode until they authenticate with Company Portal, no. They can answer received calls, but that's it.
- Enzoz, Apr 24, 2020 (Copper Contributor)
I have a customer that does not have any conditional access rules, MFA is not enabled however during enrollment they get an MFA Prompt. There are no rules created anywhere and the only place we get a prompt is during enrollment.
Why? Sounds like a bug.
- Thijs Lecomte, Apr 26, 2020 (Bronze Contributor)
Could you check Azure Active Directory - Devices - Device Settings - Require multi-factor to join devices?
Is this a new tenant?
- Enzoz, Apr 26, 2020 (Copper Contributor)
Would you mind elaborating more? Are you talking about the config profiles?
This is an existing tenant with a new Intune co-management setup.
There are zero conditional access rules and the only compliance policy is for jailbroken devices.
The users do not get an MFA challenge for anything other than the Company Portal enrollment login. (I do not know where this MFA challenge is coming from.)
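A configuration audit, added here as an example and not code from this thread or from Microsoft: it checks the three settings the replies above point at (a Conditional Access MFA policy with no exclusion for Intune Enrollment, a DEP profile that authenticates in Setup Assistant instead of Company Portal, and the Azure AD "Require multi-factor auth to join devices" setting) over a constructed tenant description. The data classes are hypothetical shapes for illustration, not Microsoft Graph schemas.

```python
from dataclasses import dataclass, field

# Display name of the app as it appears in the Conditional Access app picker (per the thread).
INTUNE_ENROLLMENT_APP = "Microsoft Intune Enrollment"

@dataclass
class CAPolicy:
    """Hypothetical shape of a Conditional Access policy; not a Microsoft Graph schema."""
    name: str
    enabled: bool
    requires_mfa: bool
    included_apps: set            # {"All"} or a set of app display names
    excluded_apps: set = field(default_factory=set)

    def applies_to(self, app: str) -> bool:
        """True when this policy would demand MFA for a sign-in to `app`."""
        if not self.enabled or not self.requires_mfa:
            return False
        included = "All" in self.included_apps or app in self.included_apps
        return included and app not in self.excluded_apps

@dataclass
class DepProfile:
    """Hypothetical shape of an Apple DEP enrollment profile."""
    name: str
    user_affinity: bool
    authenticate_with_company_portal: bool

@dataclass
class Tenant:
    require_mfa_to_join_devices: bool   # Azure AD > Devices > Device settings
    ca_policies: list
    dep_profiles: list

def audit(tenant: Tenant) -> list:
    """Return one finding per setting that can push an MFA prompt into DEP enrollment."""
    findings = []
    if tenant.require_mfa_to_join_devices:
        findings.append("Azure AD device setting 'Require multi-factor auth to join devices' is on")
    for p in tenant.ca_policies:
        if p.applies_to(INTUNE_ENROLLMENT_APP):
            findings.append(f"CA policy '{p.name}' requires MFA for {INTUNE_ENROLLMENT_APP}; exclude it")
    for d in tenant.dep_profiles:
        if d.user_affinity and not d.authenticate_with_company_portal:
            findings.append(f"DEP profile '{d.name}' authenticates in Setup Assistant; use Company Portal instead")
    return findings

# Constructed sample: a blanket MFA policy with no exclusion and a profile using Setup Assistant auth.
SAMPLE = Tenant(False, [CAPolicy("Require MFA for all users", True, True, {"All"})],
                [DepProfile("Corporate iPhones", True, False)])
```

Running `audit(SAMPLE)` yields two findings; adding the enrollment app to the policy's exclusions and switching the profile to Company Portal authentication empties the list.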