iOS - Missing enrollment profile for device added after 1st setup

Question

Hi all,&nbsp;I'm trying to fix a small issue, I've all the devices that are coming from Apple Business manager that are newly enrolled in Intune that are showing the enrollment profile, but when an end user have his device replaced and restore the backup from the previous device or for some reasone had the device removed and readded with no factory reset the field is empty.The field is empty also for devices not included in ABM, that might be private ones or coming from countries where we've not agreed services with local vendors.Do you know if there's a way for have an enrollment profile applied to those devices too, at least the ones connected in ABM but not enrolled from scratch?Here how the same device (ABM-connected) appear if enrolled in two different waysThanks in advance for your support&nbsp;/Lucius

jutmangraham · Answer

Lucius&nbsp;First off, by design, only devices that go through ABM will get an enrollment profile.&nbsp; Anything not through ABM is considered unsupervised.&nbsp; This will also limit the settings and control on your devices.&nbsp;To combat this, you will need to use Device Categories.&nbsp; The user will be prompted when they register their device to select a Device Category.&nbsp; You can use this to apply settings, policies, and applications to a device based on a dynamic group. It will also allow reporting of devices.&nbsp;Secondly, if it is a corporate device, it is best not to allow restore of devices.&nbsp; There are multiple reasons to NOT allow a cloud backup of company data unless your AD is integrated with ABM.&nbsp; You open yourself up to someone restoring the company information on another device after they leave your organization.&nbsp; The users will need to treat any information on the device as 'disposable' and use OneDribve to store their information and things like Contacts will need to only be added to Outlook.

lucius · Answer

Hi&nbsp;JutManGraham&nbsp;, thanks for the hint, I'll try with the categories and see what I can do.Do you think I can link the category in some way with the existence in ABM? Or all is just left on users hands?&nbsp;I agree with you about the restore, at least cloud backup do not include any of the corporate app content, access to company data is fully managed thru the conditional access.The only reason for the backups are the "personal" data like pictures or personal apps, that IN PRINCIPLE do not contain any company data.I'm aware it's not a perfect solution but changing it will require a strong decision from the top management.

jutmangraham · Answer

Lucius&nbsp;To link the existence of ABM and use categories in the dynamic query, use the 'ownership' tag for the organization. Any ABM devices when supervised has the ownership set to Company. The Device Category is in the user hands unfortunately for them to select the correct choice.&nbsp; Here is how i ensure they did it correctly.&nbsp;For BYOD personal device the category is named Personally Owned DeviceFor all company specific categories i start with LVHN&nbsp;((device.deviceCategory -startsWith "LVHN") -and (device.deviceOwnership -eq "Personal")) -or ((device.deviceCategory -startsWith "Personally") -and (device.deviceOwnership -eq "Company"))&nbsp;Based on this query, i apply a policy that looks for the OS to be 99 or higher to be compliant so the device is never compliant.&nbsp;

sebastiaansmits · Answer

Hi,What is achieved here with the categories I am not really getting it. Categories will not make any difference. The point is that only devices that are enrolled through ABM in Intune will have the Enrollment Profile field filled in otherwise it will be blanc. But this doesn't really make a difference right? Why do you want this field filled?By the way once a iOS device is registered through ABM (directly through Intune or other MDM and later migrated to Intune without factory reset) the device stays Supervised, and all Supervised settings will apply until the next factory reset. So if you retire a device that was registered through ABM and after this register this device through the Company Portal (manual registration) it is still Supervised.With backup/restore main issue you run into is when the mdm profile is present in a backup. So when you made the backup of the device when it was registered in MDM. If you restore during ABM enrollment this will fail and you will get an error stating that and mdm profile is already present on the device and will stop enrolment. You can stop managed apps from being part of backups to iCloud by the way: https://techcommunity.microsoft.com/t5/intune-customer-success/changes-to-applications-backup-and-restore-behavior-on-ios/ba-p/3692064

jutmangraham · Answer

SebastiaanSmits&nbsp;If you happen to read part of the initial issue, it included how to deal with personal devices.&nbsp; If you want to assign profiles to BYOD devices, how are you going to determine what those devices are?&nbsp; That is the reason that Categories resolves that problem.&nbsp; The only other way is lumping them into a single group based on them not being Corporate devices which limits you to a single group.&nbsp; This is great if you have 20 devices, but when you scale it up, it falls short later.

Forum Discussion

iOS - Missing enrollment profile for device added after 1st setup

7 Replies

Resources