Forum Discussion
iOS Profile installation fails on corporate owned devices. Resolution to allow personal ones?
- Nov 18, 2019
It looks like the best way to enrol and mark devices as corporate is not the Corporate Device Identifiers. They have said this will be the same for Android phones in the near future. Case closed.
Response from Intune support:
Corporate identifiers are used to mark the device as corporate after it gets enrolled. We cannot put device restrictions based on that. The company portal enrollment is considered as personal enrollment which makes us change the enrollment restriction to allow the personal enrollment.
As I have mentioned, if you want the devices to do the corporate enrollment, you would have to do the automated device enrollment (previously called DEP) so that you can have the device restrictions set to allow corporate and block personal.
Here is a link with information on DEP enrollment: https://docs.microsoft.com/en-us/intune/enrollment/device-enrollment-program-enroll-ios
If you allow personal devices and enroll a device whose serial number has been identified as a corporate identifier, what is the ownership of this iPhone, Corporate or Personal?
Thanks for the reply.
The ownership of the iPhone is corporate. We only want to allow corporate-owned devices to join Azure and enrol in Intune.
The Microsoft KB article describes the error cause as, "Your Intune tenant is configured to only allow corporate-owned devices." The resolution is to, "Allow for personally owned iOS devices, and then click OK."
But what about the companies like ours that do not want to allow personally owned devices?
We can add the serials to identify corporate-owned devices, and this works for Android all the way through enrolment, but for iOS, it falls over at the profile installation with the error of:
Profile Installation Failed. Connection to the server could not be established.
Seems to be because when trying to contact the Azure or Intune server to acquire the ability (?) to install the profile, the server refuses connection because it is not referencing the corporate device identifiers for the serial at this point.
The knowledgebase article clears this up, but I feel like they should not give the option of blocking these devices if the enrolment cannot reference the corporate device identifiers at every stage of the enrolment for Apple devices.
- Thijs Lecomte, Oct 04, 2019, Bronze Contributor
I would assume that requiring only company owned devices works as well for iOS. Or it shouldn't be documented.
Have you contacted the support team?
- Intune_Support_Team, Oct 04, 2019, Silver Contributor
Hi ryeurolink,
From what you're describing, the Enrollment restrictions are configured correctly within the Intune Portal, but you are still having issues with enrolling corporate devices even though they are allowed and identified via Corporate Device Identifier.
As we'll need to further investigate the device attempting to enroll within the Intune Service, let's get you over to support. Please open a case either through the Intune Portal, or through any of the methods mentioned here: https://docs.microsoft.com/intune/get-support. Once created, please private message us your case, for us to keep an eye on.
Thank you Thijs Lecomte for reaching out to us on our Twitter!
Cheers,
Intune Support Team
^MS
- ryeurolink, Oct 07, 2019, Copper Contributor
Thanks guys, will do!