Enrolling corporate iOS devices authenticating with Setup Assistant
Published Feb 01 2019 12:25 PM

Update 5/17: This change has now been rolled out in the May update to Intune.
We’re implementing an improved workflow to enroll corporate iOS devices with user affinity into Intune, specifically when these devices use Setup Assistant for authentication.
With this change, we aim to improve enrollment experience and give end users a shortened work flow. We’ll have detailed documentation when this rolls out, but we thought we’d share what’s coming so you can familiarize yourself with the experience and set up policies in your console if needed.
Experience for enrolling new devices

When we roll this change out, if you enroll new devices authenticating with Setup Assistant, you can choose whether or not to deploy the Intune Company Portal app automatically in Intune on Azure (not available in hybrid MDM). We're also doing away with the "Identify your device" screen and the "Confirm your device" screen, where end users enter the last 4 digits of the device's serial number in the Company Portal app.

Experience for existing enrolled devices

After this change is rolled out, if you want to enable Conditional Access for devices already enrolled via Setup Assistant, you’ll have to push the Company Portal down to those devices. Here’s how you would do that:
  1. In the Intune on Azure portal:
     • Add the Intune Company Portal if necessary, by going to Intune > Client Apps > Apps > Add.
     • Go to Client apps > App configuration policies to create an app configuration policy for the Company Portal app.

     If you use hybrid Mobile Device Management (hybrid MDM):
     • Create a new app policy in the Configuration Manager console for the Company Portal app.
     • Go to Software Library > Application Management > App Configuration Policies.

  2. Create an app configuration policy with the XML below. More information on how to create an app configuration policy and enter XML data can be found at Add app configuration policies for managed iOS devices or Apply settings to iOS apps with app configuration policies in System Center Configuration Manager for hybrid MDM.

     <dict>
         <key>IntuneCompanyPortalEnrollmentAfterUDA</key>
         <dict>
             <key>IntuneDeviceId</key>
             <string>{{deviceid}}</string>
             <key>UserId</key>
             <string>{{userid}}</string>
         </dict>
     </dict>

  3. Deploy Company Portal to devices with the app configuration policy targeted to the desired groups.
  4. Tell end users to sign into the Company Portal app when it is automatically installed.
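The XML above only works if the two substitution tokens reach Intune verbatim: the comments on this post show that a browser-rendered copy of the page stripped `{{deviceid}}` and `{{userid}}` to empty strings, which Intune rejects with "Key value is missing or doesn't match data type tag", and that hand-typing a value such as a UPN into UserId lets the user sign in without the device being recognised as managed. The following Python helper is an added example, not part of Intune or of this post; it parses the pasted dict with the standard library's plistlib and reports anything that deviates from the expected shape before the policy is created. The sample fragments are constructed copies of the good and the stripped variants quoted on this page.

```python
"""Check a Company Portal app configuration dict before pasting it into Intune.

Hypothetical helper (not part of Intune or the Company Portal). The dict that
the post describes must carry the Intune substitution tokens {{deviceid}} and
{{userid}} exactly, not blank strings or hand-typed values.
"""
import plistlib
from xml.parsers.expat import ExpatError

# Constructed copy of the dict exactly as the post shows it.
GOOD_XML = """
<dict>
    <key>IntuneCompanyPortalEnrollmentAfterUDA</key>
    <dict>
        <key>IntuneDeviceId</key>
        <string>{{deviceid}}</string>
        <key>UserId</key>
        <string>{{userid}}</string>
    </dict>
</dict>
"""

# Constructed copy of the variant some browsers rendered: the tokens were stripped.
BROKEN_XML = """
<dict>
    <key>IntuneCompanyPortalEnrollmentAfterUDA</key>
    <dict>
        <key>IntuneDeviceId</key>
        <string></string>
        <key>UserId</key>
        <string></string>
    </dict>
</dict>
"""

# Keys the inner dictionary must carry, and the literal token each must hold.
EXPECTED = {"IntuneDeviceId": "{{deviceid}}", "UserId": "{{userid}}"}


def parse_config_dict(xml_text: str) -> dict:
    """Parse a bare <dict> fragment by wrapping it in a plist root element."""
    wrapped = '<plist version="1.0">' + xml_text.strip() + "</plist>"
    return plistlib.loads(wrapped.encode("utf-8"), fmt=plistlib.FMT_XML)


def validate_config(xml_text: str) -> list[str]:
    """Return a list of problems; an empty list means the fragment is usable."""
    problems: list[str] = []
    try:
        root = parse_config_dict(xml_text)
    except (ExpatError, plistlib.InvalidFileException, ValueError) as exc:
        return [f"not well-formed XML: {exc}"]
    if not isinstance(root, dict):
        return ["top-level element must be a <dict>"]
    inner = root.get("IntuneCompanyPortalEnrollmentAfterUDA")
    if not isinstance(inner, dict):
        return ["missing IntuneCompanyPortalEnrollmentAfterUDA dictionary"]
    for key, token in EXPECTED.items():
        value = inner.get(key)
        if value is None:
            problems.append(f"{key}: key missing")
        elif not isinstance(value, str):
            problems.append(f"{key}: value must be a <string>, got {type(value).__name__}")
        elif value == "":
            problems.append(f"{key}: empty string (token was stripped when copying)")
        elif value != token:
            # Intune fills the token server-side; a literal value (for example a
            # UPN typed by hand) is accepted by the editor but will not bind the
            # sign-in to the enrolled device.
            problems.append(f"{key}: expected the literal token {token}, got {value!r}")
    return problems


if __name__ == "__main__":
    for label, xml in (("post", GOOD_XML), ("browser copy", BROKEN_XML)):
        issues = validate_config(xml)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```

Run it on the text you are about to paste; a clean result means the dict is structurally what step 2 expects, while a reported empty string means the tokens were lost on the way from the page to the clipboard and should be retyped as `{{deviceid}}` and `{{userid}}`.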
We’ll keep this post updated with documentation links when we roll out this new workflow. You’ll also see announcements in What’s New in Intune, the hybrid What’s New page and in the Office Message Center. Let us know if you have any questions!

13 Comments
Copper Contributor

Thanks for the update.  We use the setup assistant today to enroll users, but we also deploy the company portal app at the same time and ask them to complete the enrollment in the Company Portal app for CA policies.  What I’m not understanding is the point of the XML file.  Would we need to do this to all our existing devices that already have the Company Portal app installed if these used the OS Setup Assistant for the initial login?

Copper Contributor

Question #1:

Intune with Apple DEP: We use the Company Portal for authentication, which is pushed to the devices using Apple VPP.

The Company Portal is also set as required app, so the phones are "blocked" until it has been pushed to the device and the user has logged in.
I wonder if this change will impact us?
The majority of our user base has MFA enabled and setup.
Question #2:

Is this a general script or does it need to be customized for each individual user?

<dict>
    <key>IntuneCompanyPortalEnrollmentAfterUDA</key>
    <dict>
        <key>IntuneDeviceId</key> -> Do I manually need to key in the device ID?
        <string>{{deviceid}}</string>
        <key>UserId</key> -> Do I manually need to key in the user ID?
        <string>{{userid}}</string>
    </dict>
</dict>

Hope this isn't the case, because we have over 5000 users...

Copper Contributor

Hi,
I am currently experiencing issues with the profile installation during enrollment. I troubleshot using all the recommendations from Microsoft, but so far it doesn't work...

Also, some users with iPhones that were already registered lost their Intune credentials/connection to the server after the iOS 12.1.4 update... Can you please help? I opened a ticket with Support last week, but they don't answer...

@Sympathy4Devil the answer to question #1 is no, it will not impact that flow. For #2, no customization required. Just copy/paste the script as is!

Deleted
Not applicable

@Intune_Support_Team 

I have trouble with some of my Intune-managed iOS devices.

E.g. when I open the Microsoft 365 Admin app I get "register now" after the password.

I already pushed the Company Portal app with "Client Apps -> Apps -> Company Portal -> required" (for testing, just for my account).

When I try to make an app configuration policy I get an error after pasting the XML: "Key value is missing or doesn't match data type tag. See Intune docs for supported data types".
Any help suggestions?

Regards, Philip

Copper Contributor

Hi,

We have the same problem as @Deleted: "When I try to make an app configuration policy I get an error after pasting the XML: "Key value is missing or doesn't match data type tag. See Intune docs for supported data types"."
I would appreciate any suggestions

Regards, Benedikt

Copper Contributor

Hi @Intune_Support_Team 

One of our customers with around 3,500 devices is facing this issue. They are using Apple DEP, Setup Assistant and Conditional Access, so we configured the Company Portal to be pushed in the DEP enrollment profile and tried to configure an App Configuration Policy for the Company Portal as well. But as soon as we paste your XML, we get the same error message as @Deleted and @bemo1089.
Best Regards,

Nico

@Deleted @bemo1089 @DaNiggo can you check again? There was an error accepting the xml in the Intune backend but it's now been fixed.

Copper Contributor

@Intune_Support_Team 
It seems to work; the XML code got accepted now.

Thanks and BR

Benedikt

Deleted
Not applicable

@Intune_Support_Team 

Now the XML is accepted.

But there is an error on this web page:

When I open this site with the Chrome or Edge browser to get the XML, I get this one:

<dict>
    <key>IntuneCompanyPortalEnrollmentAfterUDA</key>
    <dict>
        <key>IntuneDeviceId</key>
        <string></string>
        <key>UserId</key>
        <string></string>
    </dict>
</dict>

When I use Edge (Dev, with Chromium) or Firefox, I get this one:

<dict>
    <key>IntuneCompanyPortalEnrollmentAfterUDA</key>
    <dict>
        <key>IntuneDeviceId</key>
        <string>{{deviceid}}</string>
        <key>UserId</key>
        <string>{{userid}}</string>
    </dict>
</dict>

I think the second one is the correct one.

No ad blocker active.

Regards, Philip

Copper Contributor

@Intune_Support_Team @Deleted 

Interesting; I hadn't even noticed that yet, and I also don't see the difference on your post (using Edge Dev). I had to open the page with Internet Explorer 11 to see the difference.

I took screenshots so the difference should be visible; it would be interesting to know which version we should use.

Opened with Edge Dev:

[screenshot: EdgeDev.jpg]

Opened with IE 11:

[screenshot: IE11.jpg]

Thanks and BR

Benedikt

Deleted
Not applicable

@bemo1089 @Intune_Support_Team 

Just saw that the values are also missing in my post above.

Here is a screenshot from my post when I click "edit comment":

[screenshot: 2019-05-28 16_40_53-Clipboard.png]


Regards,

Philip

Copper Contributor

Hi,
I'm trying to implement this on DEP devices (non-user-affinity profile) running iOS 13.3. Using the default text, I get the following error:

[screenshot: intunerror.jpg]

If I change the UserId field to userprincipalname, I am able to log in, but it does not recognize the device as managed.

Has anyone gotten this to work with iOS 13?

Version history
Last update: Nov 30 2023 04:03 PM