cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Intune Enrollment Flow Update for Apple’s Automated Device Enrollment for iOS/iPadOS
By
Intune_Support_Team
Published Jun 01 2020 12:37 PM 12.2K Views
Intune_Support_Team
Microsoft
‎Jun 01 2020 12:37 PM

Intune Enrollment Flow Update for Apple’s Automated Device Enrollment for iOS/iPadOS

‎Jun 01 2020 12:37 PM

Today, we have posted Message Center post: MC214914 with the text below. This post provides screen shots of what’s being removed in the enrollment flow.

 

Plan for Change: Intune Enrollment Flow Update for Apple’s Automated Device Enrollment for iOS/iPadOS 

In the August Company Portal release, we’ll be changing the iOS/iPadOS enrollment flow for Apple’s Automated Device Enrollment (formerly known as DEP). The enrollment flow change is only encountered during the "Enroll with User Affinity" flow when the "Select where users must authenticate" setting is set to "Setup Assistant" and "Install Company Portal" is set to "No". Previously, if you set the “Install Company Portal” to “No” as part of your configuration, users could still install the Company Portal app from the store which would then trigger enrollment where the user would add in the appropriate serial number. With this upcoming Company Portal release, we’ll be removing that serial number confirmation screen. Instead, you’ll want to create a corresponding app configuration policy to send down alongside the Company Portal to ensure that users can successfully enroll, or set the “Install Company Portal” to “Yes” as part of your configuration.

 

How does this affect me? 

Our telemetry indicates you’ve got iOS/iPadOS devices enrolled with Apple’s Automated Device Enrollment.

 

If you have set the "Select where users must authenticate" authentication option to "Company Portal" and have set the “Install Company Portal” to “Yes”, then this does not affect you, as the appropriate Company Portal app is on the device.


If you have set the “Select where users must authenticate” authentication option to “Setup Assistant”, this affects you:

 

Photo01.png

 

If you have set the “Install Company Portal” to “No”, then be aware that devices will be unable to complete enrollment unless you have created a corresponding configuration policy to assign the serial number through XML. Existing enrolled devices will not be affected by this change if your end user has already opened the Company Portal and gone through the serial number flow or if you already have a corresponding configuration policy created. If the device is already enrolled, but the Company Portal hasn’t been opened, then you will also need the corresponding configuration policy.

 

Photo02.png

 

Note: That macOS devices are not affected; this just affects iOS/iPadOS devices enrolled through Apple’s Automated Device Enrollment.

 

What do I need to do? 

Check your settings for Automated Device Enrollment. If you currently have the “Install Company Portal” set to “No”, we recommend you update it to “Yes”, or as a workaround for this upcoming change, create the configuration profile as documented. We recommend for all future Automated Device Enrollment profiles that you say “Yes” to “Install the Company Portal” from the profile create page since it will have the correct app configuration policy applied. Update your end user guidance and notify your helpdesk.

 

These are the enrollment screens we are referring to that are being removed:

ADE iPadOS.png

 

As always let us know if you have any questions or concerns on this customer-requested change!

Blog post updates:

  • 6/3/20: With an update and a screenshot to clarify the "Select where users must authenticate" Setup Assistant and Company Portal scenarios.
  • 8/4/20: With an update that the new iOS Company Portal update will be released in August.
9 Comments
MalG
Copper Contributor
‎Jun 02 2020 01:42 AM
‎Jun 02 2020 01:42 AM

Hello,

I believe I'm correct in saying that this article would be clearer to understand if you highlight the fact that this related to when you have "Select where users must authenticate" user authenticate option set to "Setup Assistant".  It is only with this AppleDE (aka DEP) authenticate option that the option to set  “Install Company Portal” to “no” or "yes" exists.   If you have the authentication option as "Company Portal" the install option(s) are different. 

larsrigonan
Copper Contributor
‎Jun 02 2020 09:21 AM
‎Jun 02 2020 09:21 AM

Ok, we have devices already enrolled through DEP/Apple Business manager, and don't have company portal installed on the devices, so now I have to deploy the company portal, with the xml configuration policy and let end users know how to go trough the company portal app.

 

So my question is, where can I see this "Install Company Portal" option and set to yes? Do I need to create a new enrollment profile with this set to yes?

0 Likes
Like
AnyaNovicheva
Microsoft
‎Jun 02 2020 01:26 PM
‎Jun 02 2020 01:26 PM

@MalG Thank you for your feedback! That's a great point and we will edit the blog to highlight what you mention. For new profiles when selecting where users must authenticate during profile creation for an Automated Device Enrollment token, if Setup Assistant is chosen, it is recommended to Install the Company Portal. If choosing to authenticate with the Company Portal, nothing else needs to be done. 

 

@larsrigonan Thank you for your feedback. For new Automated Device Enrolled devices when creating a profile, if you choose to enroll with user affinity, we recommend you use the Company Portal for authentication. If using Setup Assistant, we recommend you install the Company Portal from the profile creation, and this is where you can set the 'Install Company Portal' setting to 'yes'. However for your existing profiles, we recommend you send down the Company Portal as a required app and target the same group(s) you have for your Automated Device Enrollment profile. In addition, send down the app configuration policy that is linked here - https://docs.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-use-ios#configure-the-co... to the same group(s). 

 

 

trebelow
Brass Contributor
‎Jun 03 2020 02:42 PM
‎Jun 03 2020 02:42 PM

@AnyaNovicheva  we are using "Setup Assistant" and "Install Company Portal" is set to "Yes" but the user is not forced to sign into the Company Portal App. Will it be an issue in the future?

0 Likes
Like
AnyaNovicheva
Microsoft
‎Jun 03 2020 03:07 PM
‎Jun 03 2020 03:07 PM

@trebelow In order for the device to Workplace join (AAD device registration) successfully, and for all Intune features to work as expected, the sign-in process needs to be completed in the Company Portal by the users. 

0 Likes
Like
trebelow
Brass Contributor
‎Jun 04 2020 07:17 AM
‎Jun 04 2020 07:17 AM

@AnyaNovicheva Thanks for you response. Please be so kind and get more into detail. What exactly will not work without the sign in. Everything is working as it should be for us right now.

 

Configuration  profile

compliance

certificates

apps

aad join / register 

 

even if you sign in, the app is showing everything is enrolled and running.

 

Thank you in advance

Tim

 

0 Likes
Like
AnyaNovicheva
Microsoft
‎Jun 04 2020 10:47 AM
‎Jun 04 2020 10:47 AM

@trebelow I will reach out to you via a message so we can talk through your scenario. Thank you for the feedback!

0 Likes
Like
larsrigonan
Copper Contributor
‎Jun 29 2020 08:26 AM
‎Jun 29 2020 08:26 AM

@AnyaNovicheva Hi Anya, what if we used a profile with user affinity set to "Enroll without User affinity" are we also affected? If so, what should we expect to break/not work if left be?

0 Likes
Like
AnyaNovicheva
Microsoft
‎Jun 29 2020 08:56 AM
‎Jun 29 2020 08:56 AM

@larsrigonan Hi! Any profile with user affinity set to "Enroll without user affinity" will not be affected. 

0 Likes
Like
Version history
Last update:
‎Nov 30 2023 04:08 PM
Updated by: