Remove iOS device from assigned enrollment profile
- May 08, 2020
nhtkid This is by design. Devices synced from Apple Business Manager must have an enrollment profile assigned in Intune to enable functional automated enrollment. If you do not want an enrollment profile assigned, then the device should have the MDM profile assignment removed from Apple Business Manager and not be assigned to your Intune tenant in the first place. Is there a reason why you are configuring the device for automated enrollment, then trying to disable it in Intune?
Thanks eglockling, I think I was a bit confused myself. The question I asked didn't make much sense either lol.
I am now quite clear that iPads that are in Apple's Device Enrollment Program, either in ABM or ASM, will be synced to Intune as Automatic Device Enrollment. I need to have one ADE enrollment profile for each device enrollment and user enrollment.
What I am still not clear about is the Enrollment targeting - Enrollment types (preview). What kind of enrollment profile is that for if I create one under that node?
Cheers,
nhtkid Enrollment targeting is for configuring the user experience for non-automated device enrollment. You can choose between the standard Device Enrollment, or the new User Enrollment that was introduced by Apple with iOS/iPadOS 13 (similar to Android Enterprise Work Profile). This will be applicable to iOS/iPadOS devices that are not part of Apple ADE and do not have an MDM profile assigned in Apple Business Manager. Hope this helps.
- garymGA, Aug 06, 2021, Copper Contributor
I have a similar issue with MDM enrollment, and I am trying to work through this because our Intune is syncing with new iPhone devices through Apple DEP at the time of activation and it is downloading the Intune MDM profile and puts the phone in our business name and supervised mode... That said, when we try to enroll the device we use the Company Portal app for the specific user... This is where the issue lies.
When the user logs in to Company Portal, the portal goes to Intune, requests to download the Intune profile, and tries to apply the profile, but it fails because it says it is unable to reach the server, yet it just downloaded the profile from the Intune server??? Ultimately, we can't enroll these phones to the individual user or assign them to their department. We have limited 'supervision' because while they are under supervision, they are not enrolled in our Intune MDM because it won't enroll through Company Portal.
We've tried resetting these devices... These devices are all set as default MDM Intune in Apple DEP... The tokens have been verified, and I've removed and recreated our policies twice following Microsoft's baseline step by step to ensure it's exact... Just can't get these things to cooperate. Using the 2nd Gen iPhone SEs... Any direction would be great. I've tried removing Intune from Apple DEP and unassigning, then erasing, then reconfiguring and opening the portal; the phone will enroll, but it isn't in supervised mode because it wasn't managed by an MDM during Apple's activation... Been working through this for weeks. UGH! HELP??
- Daniel Kharman, Sep 23, 2021, Copper Contributor
Did you find a solution to this?
- Carter_Whitley, Jul 14, 2022, Copper Contributor
Daniel Kharman Have a look at the section titled "Use the Company Portal on a DEP device enrolled without user affinity (also known as Device Staging)" on Add app configuration policies for managed iOS/iPadOS devices - Microsoft Intune | Microsoft Docs
Sounds like you are enrolling the devices without a user, and will need to assign an app policy for the Company Portal app that targets the enrolled devices (we use a dynamic device group based on enrollment profile name) and tells Company Portal to use the existing enrollment profile when a user signs in. That should allow user affinity association to take place.
XML configuration should look like:

    <dict>
        <key>IntuneUDAUserlessDevice</key>
        <string>{{SIGNEDDEVICEID}}</string>
    </dict>