
Intune for iOS DEP devices with MFA

Aaron Smtih

I imagined this would already be a well-discussed topic on here, but does anyone know if Microsoft/Apple are working on getting iOS devices to work with the Device Enrolment Program and MFA?

 

We have our environment set up to prompt for MFA if coming from an untrusted IP at the moment, which the iOS devices come under when enrolling, so the users are prompted for credentials during enrolment, but can't continue because the MFA on their account prevents the authentication process from continuing.

 

I've read on MS TechNet that this is expected, and they advise disabling MFA (dumb advice) to allow the enrolment, then re-enabling it, but this kinda makes a joke of trying to use the DEP program to simplify user enrolment.

 

Has anyone heard of any progress being made on a solution for this problem, or a workaround...?

4 Replies

We have also just run into this.

 

Any workarounds?

Hi Aaron

 

We have the exact same problem at the moment. I have spoken with engineers at Microsoft who have said they are fully aware of the issues with DEP and MFA and are working on resolving this.

 

Apple can't/won't support MFA during the DEP portion of Setup Assistant on the device, so Microsoft are having to get inventive to essentially work around this limitation while still keeping the ease and flexibility of a DEP setup and not compromise security.

 

Stay posted to the What's New. I've heard from others that something may be coming within the next month or so to finally resolve this.

 

Thanks

D

Hello Daniel,

 

I am also having a problem registering DEP devices in Intune in combination with MFA.

After reading your comment I have directly browsed to my conditional access policy which is responsible for activating the MFA option.

In the application selection field/Exclusions I can exclude Intune Enrolment (screenshot attached).

Somehow I cannot get that working at this moment.

The workaround in my case at this moment is disabling MFA, registering, and then enabling MFA.

 

Keep posting if you get news from MS.

 

Regards,

Wahé

 

Hi Wahe

 

Within the DEP profile, you need to select Enrol with User Affinity, but then enable the option to Authenticate with Company Portal Instead.

 

This will stop Apple from asking for the user's details during Setup Assistant. When the user then signs into Company Portal, it will then assign the device to the user.

 

See step 5 here: https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-ios#create-an-apple-enrollm...

 

You can then automatically install the Intune Company Portal on the device for the user using a VPP token, and even force the app to run in kiosk mode until registered. This is shown in steps 6 and 7.
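As an added illustration (not code from the thread or from Microsoft), a small Python audit that checks an exported DEP profile for the three settings the reply above walks through: user affinity on, authentication moved out of Setup Assistant into Company Portal, and Company Portal enforced until the device is registered. The property names are assumed to mirror the Graph `depIOSEnrollmentProfile` shape and are not confirmed by the page.

```python
"""Audit an Intune DEP iOS enrollment profile for the MFA-compatible setup.

The failure in the thread: Setup Assistant collects the Azure AD credentials,
and an MFA/Conditional Access challenge cannot be completed at that point.
Moving authentication into Company Portal lets the challenge happen in an app
that supports it. Property names below are ASSUMED (modelled on the Graph
beta depIOSEnrollmentProfile), not taken from the page.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class AuditResult:
    mfa_safe: bool                      # enrollment survives an MFA-enforcing policy
    findings: List[str] = field(default_factory=list)


def audit_dep_profile(profile: Dict[str, Any]) -> AuditResult:
    """Return whether the profile avoids the Setup Assistant MFA dead end."""
    user_affinity = bool(profile.get("requiresUserAuthentication", False))
    via_company_portal = bool(profile.get("enableAuthenticationViaCompanyPortal", False))
    lock_company_portal = bool(
        profile.get("requireCompanyPortalOnSetupAssistantEnrolledDevices", False))
    findings: List[str] = []

    if not user_affinity:
        # Device-only enrollment: no user is ever assigned, so no per-user policy.
        findings.append("no user affinity: device will not be assigned to a user")
        return AuditResult(False, findings)
    if not via_company_portal:
        # This is the combination the thread describes: Setup Assistant prompts
        # for credentials and the MFA challenge cannot complete there.
        findings.append("Setup Assistant collects credentials; MFA cannot complete there")
        return AuditResult(False, findings)
    if not lock_company_portal:
        # Enrollment works, but a user may skip signing in to Company Portal,
        # leaving the device enrolled yet unassigned (steps 6 and 7 in the reply).
        findings.append("Company Portal not enforced after Setup Assistant; "
                        "user may skip registration")
    return AuditResult(True, findings)


# Constructed sample profiles (not real tenant data).
BROKEN_PROFILE = {"displayName": "iOS DEP - old",
                  "requiresUserAuthentication": True,
                  "enableAuthenticationViaCompanyPortal": False}
FIXED_PROFILE = {"displayName": "iOS DEP - Company Portal auth",
                 "requiresUserAuthentication": True,
                 "enableAuthenticationViaCompanyPortal": True,
                 "requireCompanyPortalOnSetupAssistantEnrolledDevices": True}
```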
