Forum Discussion
iOS - Missing enrollment profile for device added after 1st setup
Hi JutManGraham, thanks for the hint, I'll try with the categories and see what I can do.
Do you think I can link the category in some way with the existence in ABM? Or is it all just left in the users' hands?
I agree with you about the restore; at least cloud backups do not include any of the corporate app content, and access to company data is fully managed through conditional access.
The only reason for the backups is the "personal" data like pictures or personal apps, which IN PRINCIPLE do not contain any company data.
I'm aware it's not a perfect solution, but changing it would require a strong decision from top management.
Lucius, to link the existence in ABM with the categories in the dynamic query, use the 'ownership' attribute for the organization. Any ABM device, when supervised, has the ownership set to Company. The Device Category is in the users' hands, unfortunately, for them to select the correct choice. Here is how I ensure they did it correctly.
For BYOD personal devices the category is named Personally Owned Device.
For all company-specific categories I start with LVHN:
((device.deviceCategory -startsWith "LVHN") -and (device.deviceOwnership -eq "Personal")) -or ((device.deviceCategory -startsWith "Personally") -and (device.deviceOwnership -eq "Company"))
Based on this query, I apply a policy that requires the OS to be 99 or higher to be compliant, so the device is never compliant.
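The same setup done from the Microsoft Graph PowerShell SDK rather than the portal, as an added example that is not part of JutManGraham's post: a dynamic device group with the mismatch rule above, an iOS compliance policy whose minimum OS version (99.0) no device can meet, and the assignment of that policy to the group. The "LVHN" prefix, the group and policy names, and the "intune-category-mismatch" mail nickname are placeholders assumed here; the ruleName "PasswordRequired" is the value the Intune portal itself writes for a compliance policy's scheduled action.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph SDK (Install-Module Microsoft.Graph)
# and an account allowed to create groups and compliance policies.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All"

# Membership rule from the post: company-named category on a Personal device, or the
# BYOD category on a Company (ABM/supervised) device. "LVHN" is the placeholder prefix.
$rule = '((device.deviceCategory -startsWith "LVHN") -and (device.deviceOwnership -eq "Personal")) ' +
        '-or ((device.deviceCategory -startsWith "Personally") -and (device.deviceOwnership -eq "Company"))'

$group = New-MgGroup -DisplayName "Intune - iOS category/ownership mismatch" `
    -MailEnabled:$false -MailNickname "intune-category-mismatch" -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") -MembershipRule $rule -MembershipRuleProcessingState "On"

# Compliance policy that can never be satisfied: minimum iOS version 99.0.
# Graph requires at least one scheduled action when creating the policy; "block" with
# a 0-hour grace period marks the device non-compliant immediately.
$policy = @{
    "@odata.type"          = "#microsoft.graph.iosCompliancePolicy"
    displayName            = "iOS - category mismatch (never compliant)"
    description            = "Forces non-compliance until the user picks the right device category"
    osMinimumVersion       = "99.0"
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
} | ConvertTo-Json -Depth 10

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body $policy -ContentType "application/json"

# Assign the policy to the dynamic group only, so correctly categorised devices are untouched.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $group.Id } }
    )
} | ConvertTo-Json -Depth 10

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body $assignment -ContentType "application/json"

# Check: after dynamic membership has processed, list the devices that were swept into the group.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties["displayName"] }
```

Dynamic membership evaluation is asynchronous, so the final membership check is only meaningful once the group's processing status shows it has run; until then the group is empty regardless of how many devices match.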
- SebastiaanSmits Mar 06, 2024 Iron Contributor
Hi,
I am not really getting what is achieved here with the categories. Categories will not make any difference. The point is that only devices that are enrolled through ABM in Intune will have the Enrollment Profile field filled in; otherwise it will be blank. But this doesn't really make a difference, right? Why do you want this field filled?
By the way, once an iOS device is registered through ABM (directly through Intune, or through another MDM and later migrated to Intune without a factory reset) the device stays Supervised, and all Supervised settings will apply until the next factory reset. So if you retire a device that was registered through ABM and afterwards register this device through the Company Portal (manual registration), it is still Supervised.
With backup/restore, the main issue you run into is when the MDM profile is present in a backup, i.e. when you made the backup of the device while it was registered in MDM. If you restore during ABM enrollment this will fail, and you will get an error stating that an MDM profile is already present on the device, which stops enrollment. You can stop managed apps from being part of backups to iCloud, by the way: https://techcommunity.microsoft.com/t5/intune-customer-success/changes-to-applications-backup-and-restore-behavior-on-ios/ba-p/3692064
- JutManGraham Mar 06, 2024 Brass Contributor
If you happen to read part of the initial issue, it included how to deal with personal devices. If you want to assign profiles to BYOD devices, how are you going to determine what those devices are? That is the reason Categories resolve that problem. The only other way is lumping them into a single group based on them not being Corporate devices, which limits you to a single group. This is great if you have 20 devices, but when you scale it up, it falls short later.
- Lucius Mar 06, 2024 Copper Contributor
Hi SebastiaanSmits, thanks for your answer.
Maybe I asked the wrong question, but I found some differences between devices enrolled from scratch and devices restored from a backup, and I thought it was due to something related to the enrollment profile.
And the devices enrolled later are not really supervised. Ownership is Corporate, but that's all.
As an example, users have the option to remove the device and the management profile for manually enrolled devices, no matter whether they're included in ABM or not, whereas they do not have this option for ABM devices enrolled from scratch that show the enrollment profile.
Also the Wipe function behaves differently: manually enrolled devices are wiped, but they're still linked to the user's Apple ID.
Another example: I apply a name template to all the ABM-enrolled devices, and this is not applied to the others.
About the backup with an existing MDM profile, we're aware of that; I'll have a look at the link you posted anyway.
JutManGraham, I had a look at the categories, but it looks like they're not used in our environment.
And when I created a test one, users were immediately asked to pick one on any kind of device, not iPhones only. So it's not a suitable option at the moment.
I also tried enabling enrollment based on user choice, but if users indicate a private device and ask to protect company apps only, it starts asking them to use a managed Apple ID, and that's not our case.
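A way to see the differences Lucius describes side by side, as an added example that is not part of any post in the thread: pull every iOS managed device from Intune through the Microsoft Graph PowerShell SDK and list ownership, enrollment type, the Enrollment Profile field, and the supervision flag, then single out the devices that are Corporate-owned yet carry no enrollment profile. The property names are the managedDevice properties exposed by Graph v1.0; the filtering and the report shape are this example's own.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph SDK and read access to managed devices.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# Pull all devices and filter client-side; this avoids relying on server-side $filter support
# for the operatingSystem property.
$ios = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.OperatingSystem -eq 'iOS' }

$report = foreach ($d in $ios) {
    [pscustomobject]@{
        DeviceName        = $d.DeviceName
        SerialNumber      = $d.SerialNumber
        Ownership         = $d.ManagedDeviceOwnerType   # company / personal / unknown
        EnrollmentType    = $d.DeviceEnrollmentType     # e.g. appleBulkWithUser for ABM/ADE enrollments
        EnrollmentProfile = $d.EnrollmentProfileName    # blank unless the device came in through ABM
        Supervised        = $d.IsSupervised
    }
}

# Full picture, sorted so the ABM-enrolled devices (profile present) group together.
$report | Sort-Object EnrollmentProfile, DeviceName | Format-Table -AutoSize

# The case from the thread: ownership says Corporate, but there is no enrollment profile.
# These are the devices that were enrolled manually (or restored) after the first setup.
$noProfile = $report | Where-Object {
    $_.Ownership -eq 'company' -and [string]::IsNullOrEmpty($_.EnrollmentProfile)
}
$noProfile | Format-Table DeviceName, SerialNumber, EnrollmentType, Supervised -AutoSize

# Checking the Supervised column here is the quick way to verify SebastiaanSmits' point that
# a device keeps its supervision from an earlier ABM enrollment until the next factory reset.
```

Compare the serial numbers from `$noProfile` against the device list in Apple Business Manager: a serial that is present in ABM but shows no enrollment profile in Intune is exactly the "added after first setup" case, and will only pick up the profile after a factory reset followed by Automated Device Enrollment.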