4/19/19 Update: This change has now been rolled out with 1904, or the April update to Intune.

 

We’re implementing an improved workflow to enroll corporate iOS devices with user affinity into Intune, specifically when these devices use Setup Assistant for authentication.

 

With this change, we aim to improve the enrollment experience and give end users a shortened workflow. We’ll have detailed documentation when this rolls out, but we thought we’d share what’s coming so you can familiarize yourself with the experience and set up policies in your console if needed.

 

Experience for enrolling new devices

When we roll this change out, if you enroll new devices authenticating with Setup Assistant, you can choose whether or not to deploy the Intune Company Portal app automatically in Intune on Azure (not available in hybrid MDM). We’re also doing away with the “Identify your device” screen and the “Confirm your device” screen, where end users enter the last 4 digits of the device’s serial number in the Company Portal app.

 

Experience for existing enrolled devices

After this change is rolled out, if you want to enable Conditional Access for devices already enrolled via Setup Assistant, you’ll have to push the Company Portal down to those devices. Here’s how you would do that:

  1. In the Intune on Azure portal,
    • Add the Intune Company Portal if necessary, by going to Intune > Client Apps > Apps > Add
    • Go to Client apps > App configuration policies, to create an app configuration policy for the Company Portal app.

     If you use hybrid Mobile Device Management (Hybrid MDM),
    • Create a new app policy in the Configuration Manager console for the Company Portal app.
    • Go to Software Library > Application Management > App Configuration Policies.
  2. Create an app configuration policy with the XML below. More information on how to create an app configuration policy and enter XML data can be found at Add app configuration policies for managed iOS devices or Apply settings to iOS apps with app configuration policies in System Center Configuration Manager for hybrid MDM.

<dict>
    <key>IntuneCompanyPortalEnrollmentAfterUDA</key>
    <dict>
        <key>IntuneDeviceId</key>
        <string>{{deviceid}}</string>
        <key>UserId</key>
        <string>{{userid}}</string>
    </dict>
</dict>

  3. Deploy Company Portal to devices with the app configuration policy targeted to desired groups.
  4. Tell end users to sign into the Company Portal app when it is automatically installed.
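
A pre-paste check for the policy XML above, added here as an example and not part of the original post or of Microsoft's tooling: it confirms that the fragment is well formed and that `{{deviceid}}` and `{{userid}}` are still the literal tokens the post gives, not hand-entered values. The function names and the constructed inputs are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# The policy XML exactly as published in the post above.
POLICY_XML = """<dict>
    <key>IntuneCompanyPortalEnrollmentAfterUDA</key>
    <dict>
        <key>IntuneDeviceId</key>
        <string>{{deviceid}}</string>
        <key>UserId</key>
        <string>{{userid}}</string>
    </dict>
</dict>"""

TOP_KEY = "IntuneCompanyPortalEnrollmentAfterUDA"
# Inner key -> token that must stay literal in the pasted policy.
EXPECTED = {"IntuneDeviceId": "{{deviceid}}", "UserId": "{{userid}}"}

def plist_dict(elem):
    """Turn a plist <dict> element into a Python dict (nested dicts and strings only)."""
    if elem.tag != "dict":
        raise ValueError(f"expected <dict>, got <{elem.tag}>")
    children = list(elem)
    if len(children) % 2:
        raise ValueError("<dict> has a <key> without a value")
    out = {}
    for key, value in zip(children[0::2], children[1::2]):
        if key.tag != "key":
            raise ValueError(f"expected <key>, got <{key.tag}>")
        out[key.text] = plist_dict(value) if value.tag == "dict" else (value.text or "")
    return out

def lint_policy(xml_text):
    """Return a list of problems; an empty list means the policy matches the post."""
    try:
        data = plist_dict(ET.fromstring(xml_text.strip()))
    except (ET.ParseError, ValueError) as exc:
        return [f"malformed XML: {exc}"]
    inner = data.get(TOP_KEY)
    if not isinstance(inner, dict):
        return [f"missing {TOP_KEY} dictionary"]
    problems = []
    for key, token in EXPECTED.items():
        if inner.get(key) != token:  # catches hard-coded IDs and missing keys
            problems.append(f"{key} must be the literal token {token}, found {inner.get(key)!r}")
    return problems

if __name__ == "__main__":
    print(lint_policy(POLICY_XML) or "policy XML is ready to paste")
```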

 

We’ll keep this post updated with documentation links when we roll out this new workflow. You’ll also see announcements in What’s New in Intune, the hybrid What’s New page and in the Office Message Center. Let us know if you have any questions!

4 Comments
Occasional Visitor

Thanks for the update.  We use the setup assistant today to enroll users, but we also deploy the company portal app at the same time and ask them to complete the enrollment in the Company Portal app for CA policies.  What I’m not understanding is the point of the XML file.  Would we need to do this to all our existing devices that already have the Company Portal app installed if these used the OS Setup Assistant for the initial login?

Occasional Visitor

Question #1:

Intune with Apple DEP: We use the Company Portal for authentication, which is pushed to the devices using Apple VPP.

The Company Portal is also set as required app, so the phones are "blocked" until it has been pushed to the device and the user has logged in.

 

I wonder if this change will impact us?

 

The majority of our user base has MFA enabled and setup.

 

Question #2:

Is this a general script or does it need to be customized for each individual user?

 

<dict>

    <key>IntuneCompanyPortalEnrollmentAfterUDA</key>

    <dict>

        <key>IntuneDeviceId</key> -> Do I manually need to key in the device ID?

        <string>{{deviceid}}</string>

        <key>UserId</key> -> Do I manually need to key in the user ID?

        <string>{{userid}}</string>

    </dict>

</dict>

 

Hope this isn't the case, because we have over 5000 users...

Occasional Visitor

Hi,

 

I am currently experiencing issues with the Profile installation by the enrollment. I troubleshooted with all the recommendations from Microsoft but so far it doesn't work...

 

Also some users with iPhones which were already registered, after the 12.1.4 iOS update lost their Intune Credentials-Connection to the Server automatically... Can you please help? Since I opened last week a ticket with Support but they don't answer...

@0rku5 the answer to question #1 is no, it will not impact that flow. For #2, no customization required. Just copy/paste the script as is!