Changes to MDM enrollment workflow in iOS 12
Published Jan 25 2019 09:38 AM 23.9K Views

4/4/19: iOS Company Portal app version 3.9.0 is now available in the App store.

 

4/2/19: Company Portal app 3.9.0 is still in the process of being released to the store. We'll post here as soon as we have a definite ETA from engineering and Apple.

 

3/26/19 Update: iOS 12.2 has been released by Apple

 

3/25/19 Update: Apple TestFlight is now live with the new enrollment flow. However, changes to iOS Company Portal website will be available in TestFlight after these are shipped with an Intune service update.

 

2/25/19: Follow up post is published here -  Coming soon: Changes in Intune Company portal for iOS enrollment  

 

Apple has announced that there are changes coming in future versions of iOS 12 for manual enrollment into Mobile Device Management (MDM) - https://support.apple.com/en-us/HT209435. We think this change will likely come in the Spring 2019 release of iOS from Apple.

 

Enrollment into Intune currently flows as follows:

  • Login into the Company Portal app, click Begin  
  • Redirection to Company Portal website in Safari
  • Allow prompt stating “This website is trying to open Settings to show you a configuration profile”
  • Redirection to Management Profile details page
  • Select Install on the Management Profile details page and follow prompts to install profile
  • Select Done
  • Automatic Redirection to Company Portal website in Safari
  • Select “Open” on the “Open this page in Comp Portal” prompt
  • Automatic Redirection to Company Portal app to finish workflow

However, starting with iOS 12.1.1 beta, we’ve seen that enrollment has a change in workflow. Installing a management profile now involves additional steps for end users.

  • They will be redirected to the Company Portal website in Safari. Click on Allow to download the configuration profile.

iOS12.2 change 1.JPG

 

  • Manual navigation to Profiles section of Settings app (Settings > General > Profiles) -
  • When in device settings, users should see an Install Downloaded Profile blade with a red circle badge. They have 8 minutes to install the profile or they will stop seeing the badged experience. In our testing, after about 15 minutes the profile is removed from the device and enrollment must be restarted.

iOS 12.2 change 2.JPG

Note: This section of the Settings app may be named differently depending on profiles currently on the device. Once a Management Profile is installed, the name of the section changes to “Device Management”.

  • Select “Install Profile” on the Downloaded Management Profile
  • Select “Install” on the upper right hand of the Management Profile details page and follow prompts to install profile
  • Select “Trust” on the Remote Management prompt
  • Manual navigation back to Company Portal app to finish workflow

Here is a short video of what the new flow looks like in beta versions of iOS 12:

 

 

We’re trying to make changes on the Intune side and will keep you updated so you can be prepared for this change in enrollment workflow.

 

2/27/2019 - updated with new video

2/22/19: Updated with new video and updated screenshots

12 Comments
Copper Contributor

This is absolutely atrocious from a user interface point of view.  Its hard to believe Apple would design something like this?

Steel Contributor

@Amit_Autar, A similar change was made by Apple in macOS High Sierra 10.13.4, with regards to user approved enrollments, so it was only a matter of time before this came to iOS. While it may cause challenges for some, it can be avoided on corporate devices by deploying via DEP or Configurator, as indicated in the Apple article at the top of this blog. Hopefully there will be some sort of trust relationship between Apple and identified MDM providers to mitigate the potential impact.

Steel Contributor

Just to make sure this only applies to BYOD manual enrolled devices but doesn't affect activation of DEP devices?

@Brian Hoyt That's correct, this should not impact DEP enrollments.

Copper Contributor

Any updates?

Copper Contributor

With the release of iOS 12.2 on Mar 25, and the latest Beta release of Company Portal for iOS - 3.9.0 (51.1903003.0), I'm seeing the new app landing page and features, but am still required to manually install the MDM profile via settings.  There was previous discussion that these manual steps would possibly become automated again (like they were in ver3.8).  I don't want to deploy new end user documentation for the new workflow, if Microsoft is going to automate the MDM profile install any time soon.  When Company Portal 3.9.x is released, will the MDM profile install be automated or manual?  When can we expect ver3.9 to be released??

@Shaune_S Unfortunately, we don't have insight at Microsoft on how the MDM installation within Settings will change over the next few months, as this is a process Apple implements. When our next release of the Company Portal comes out (in the new few weeks), the MDM profile installation will be a manual process.

Steel Contributor

@Tiffany SilversteinIs it possible to incorporate a link to the Settings app from the new landing page that is present in the Company Portal 3.9.0 beta? This would improve the client experience while accommodating the iOS 12.2 enrollment change.

@eglockling While we'd love to link directly the the Settings app, Apple doesn't have a public API to do this, since their goal is to ensure users are well aware of the changes they are making to their device when they install a management profile.

Is this a iOS bug or Intune Bug?

Copper Contributor

It's not a bug, it's a ''feature''. It will be the new ''by design'' in order to make users more aware that they are installing a security profile

Thanks for the reply @ChristianLeroux .  In past we were following the same process and it's open the setting automatically after we allow it.

IMG_1363.PNGOld.png  

Version history
Last update:
‎Nov 30 2023 04:03 PM
Updated by: