Forum Discussion
iOS - Missing enrollment profile for device added after 1st setup
First off, by design, only devices that go through ABM will get an enrollment profile. Anything not through ABM is considered unsupervised. This will also limit the settings and control on your devices.
To combat this, you will need to use Device Categories. The user will be prompted when they register their device to select a Device Category. You can use this to apply settings, policies, and applications to a device based on a dynamic group. It will also allow reporting of devices.
Secondly, if it is a corporate device, it is best not to allow restore of devices. There are multiple reasons to NOT allow a cloud backup of company data unless your AD is integrated with ABM. You open yourself up to someone restoring the company information on another device after they leave your organization. The users will need to treat any information on the device as 'disposable' and use OneDrive to store their information, and things like Contacts will need to only be added to Outlook.
- Lucius, Mar 06, 2024, Copper Contributor
Hi JutManGraham, thanks for the hint, I'll try with the categories and see what I can do.
Do you think I can link the category in some way with the existence in ABM? Or is it all just left in the users' hands? I agree with you about the restore; at least cloud backup does not include any of the corporate app content, and access to company data is fully managed through conditional access.
The only reason for the backups is the "personal" data like pictures or personal apps, which IN PRINCIPLE do not contain any company data.
I'm aware it's not a perfect solution but changing it will require a strong decision from the top management.
- JutManGraham, Mar 06, 2024, Brass Contributor
Lucius, to link the existence in ABM and use categories in the dynamic query, use the 'ownership' tag for the organization. Any ABM devices, when supervised, have the ownership set to Company. The Device Category is in the users' hands, unfortunately, for them to select the correct choice. Here is how I ensure they did it correctly.
For BYOD personal devices the category is named Personally Owned Device
For all company-specific categories I start with LVHN
((device.deviceCategory -startsWith "LVHN") -and (device.deviceOwnership -eq "Personal")) -or ((device.deviceCategory -startsWith "Personally") -and (device.deviceOwnership -eq "Company"))
Based on this query, I apply a policy that looks for the OS to be 99 or higher to be compliant, so the device is never compliant.
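The two halves of the approach in the post above (a dynamic device group for the category/ownership mismatch, plus an unsatisfiable iOS compliance policy assigned only to that group) can be built with the Microsoft Graph PowerShell SDK. This is an added example written for this page, not code from the thread. The group name, mail nickname, policy name and the "LVHN" prefix are assumptions taken from the post; the membership rule is the one posted above, unchanged.

```powershell
# Added example: recreate the category/ownership mismatch check with Microsoft Graph PowerShell.
# Names (group, mail nickname, policy) and the "LVHN" prefix are assumptions from the post.
# Requires the Microsoft.Graph module (Install-Module Microsoft.Graph).

Connect-MgGraph -Scopes "Group.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All"

# 1. Dynamic device group for combinations that should never occur:
#    a company-prefixed category on a device Intune marks Personal, or the BYOD category
#    on a device ABM marked Company. Note the rule only matches these two explicit
#    mismatches; a device with an empty category, or an ownership value that is neither
#    Personal nor Company, matches neither half and stays out of the group.
$rule = '((device.deviceCategory -startsWith "LVHN") -and (device.deviceOwnership -eq "Personal")) -or ((device.deviceCategory -startsWith "Personally") -and (device.deviceOwnership -eq "Company"))'

$group = New-MgGroup -DisplayName "iOS - Category/Ownership mismatch" `
    -MailEnabled:$false -MailNickname "ios-category-mismatch" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# 2. iOS compliance policy no real device can satisfy: minimum OS version 99.0.
#    scheduledActionsForRule is required when creating a compliance policy through Graph;
#    "block" with a 0 hour grace period marks the device non-compliant immediately.
$policyBody = @{
    "@odata.type"           = "#microsoft.graph.iosCompliancePolicy"
    displayName             = "iOS - Force non-compliant (category mismatch)"
    description             = "Intentionally unsatisfiable: user selected the wrong Device Category"
    osMinimumVersion        = "99.0"
    scheduledActionsForRule = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policyBody | ConvertTo-Json -Depth 6) -ContentType "application/json"

# 3. Assign the policy to the mismatch group only, so correctly categorised devices are untouched.
$assignBody = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $group.Id
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 6) -ContentType "application/json"

# 4. Review who currently sits in the mismatch group (the devices that will go non-compliant).
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { Get-MgDevice -DeviceId $_.Id | Select-Object DisplayName, OperatingSystem, OperatingSystemVersion } |
    Format-Table -AutoSize
```

Dynamic membership is evaluated asynchronously, so step 4 will show an empty group right after creation; re-run it once Entra has processed the rule. Because the policy is assigned only to the mismatch group, a device that a user later re-categorises correctly drops out of the group and the unsatisfiable policy stops applying to it.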
- SebastiaanSmits, Mar 06, 2024, Iron Contributor
Hi,
I am not really getting what is achieved here with the categories. Categories will not make any difference. The point is that only devices that are enrolled through ABM in Intune will have the Enrollment Profile field filled in; otherwise it will be blank. But this doesn't really make a difference, right? Why do you want this field filled?
By the way, once an iOS device is registered through ABM (directly through Intune, or through another MDM and later migrated to Intune without a factory reset) the device stays Supervised, and all Supervised settings will apply until the next factory reset. So if you retire a device that was registered through ABM and afterwards register this device through the Company Portal (manual registration), it is still Supervised.
With backup/restore, the main issue you run into is when the MDM profile is present in a backup, i.e. when you made the backup of the device while it was registered in MDM. If you restore during ABM enrollment this will fail, and you will get an error stating that an MDM profile is already present on the device, which will stop enrollment. You can stop managed apps from being part of backups to iCloud, by the way: https://techcommunity.microsoft.com/t5/intune-customer-success/changes-to-applications-backup-and-restore-behavior-on-ios/ba-p/3692064