Intune for iOS DEP devices with MFA

Copper Contributor

I well imagined this would already be a well discussed topic on here, but does anyone know if Microsoft/Apple are working on getting iOS devices to work with the device enrolment program and MFA.

 

we have our environment setup to prompt for MFA if coming from an untrusted IP atm, which the iOS devices come under when enrolling, so the users are promoted for credentials during enrollment, but can’t continue because the MFA on their account prevents the authentication processes continuing.

 

iv read on MS tech net that this is expected, and they advise disabling MFA (dumb advise) to allow the enrolment, then re-enable, but this kinda makes a joke of trying to use the DEP program to simplify user enrolment.

 

has anyone heard of any progress being made on a solution for this problem, or a workaround...?

14 Replies

we have also just run into this.

 

any workarounds?

Hi Aaron

 

We have the exact same problem at the moment. I have spoken with engineers at Microsoft who have said they are fully aware of the issues with DEP and MFA and are working on resolving this.

 

Apple can't/won't support MFA during the DEP portion of Setup Assistant on the device, so Microsoft are having to get inventive to essentially work around this limitation while still keeping the ease and flexibility of a DEP setup and not compromise security.

 

Stay posted to the What's New. I've heard from others that something may be coming within the next month or so to finally resolve this.

 

Thanks

D

Hello Daniel,

 

I am also having a problem registrering DEP devices in intune icm MFA.

After reading your comment I have directly browsed to my conditional access policy which is responsible for activating the MFA option.

In the application selection fild/Exclusions i can Exclude Intune Enrolment (screenshot attached).

Somehow I am can not get that not working at this moment.

The workaround in my case at this moment is disabling MFA, registrering and the enabling MFA.

 

keep posting if you got news from MS.

 

Regards,

Wahé

 

Hi Wahe

 

Within the DEP profile, you need to select Enrol with User Affinity, but then enable the option to Authenticate with Company Portal Instead.

 

This will stop Apple from asking for the user's details during Setup Assistant. When the user then signs into Company Portal, it will then assign the device to the user.

 

See step 5 here: https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-ios#create-an-apple-enrollm...

 

You can then automatically install the Intune Company Portal on the device for the user using a VPP token, and even force the app to run in kiosk mode until registered. This is shown in steps 6 and 7.

@Daniel Hudson 

 

I have a customer that does not have any conditional access rules, MFA is not enabled however during enrollment they get an MFA Prompt. There are no rules created anywhere and the only place we get a prompt is during enrollment. 

 

Why? sounds like a bug

Could you check Azure Active Directory - Devices - Device Settings - Require multi-factor to join devices

Is this a new tenant?

@Thijs Lecomte 

 

would you mind elaborating more? are you talking about the config profiles?

 

This is an existing tenant with new intune - co-management setup.

There are zero conditional access rules and the only compliance is for jailbroken devices.

 

the users do not get MFA challenge for anything other than the company portal enrollment login. (I do not know where this MFA challenge is coming from.)

Please navigate to portal.azure.com.

Open 'Azure Active Directory', click devices, then 'Device Settings' and check which value 'Require multi-factor to join devices' has

@Thijs Lecomte 

 

I think you nailed it! it must be a setting my customer did not realize they setup. 

 

its greyed out for me but Ill have my customer test. I sure that is it!

 

Thanks sooooo much!

It's enabled by default, so probably something they overlooked :)

@Thijs Lecomte 

 

Hmmm.. interesting. I setup Intune for this customer however I never read anything about this setting before. I just assumed it was all handled by conditional access policies.

in fact I looked at my recent tenant I created and the Default is turned off for Require MFA.

@Daniel Hudson  but can they then use the device before logging in?  meaning can they text and make phone calls?  or will the phone brick if they don't log into the company portal?

If you force the device into kisok mode until they authenticate with Company Portal, no. They can answer received calls, but that's it.