Resolved: iOS/iPadOS 15 devices enrolled with User Enrollment are unable to update to iOS 16
Published Sep 08 2022 04:37 PM

Updated 10/25/22: Intune released a fix which completely rolled out to the entire Intune environment by September 18 (completed and devices are remediating); and with Apple's recent release of iOS/iPadOS 16.1, we've confirmed that their fix is in to fully resolve this issue.

 

As highlighted in the "Microsoft simplifies Endpoint Manager enrollment for Apple updates" Microsoft Tech Community post, we’ve been preparing for the iOS 16/iPadOS 16 release by testing each beta release. We recently discovered an issue in Apple’s User Enrollment process. Both Intune and Apple are working on updates, but in the interim, if you enroll devices with User Enrollment, you’ll want to understand the background and options as iOS/iPadOS 16 releases.

 

Impacted devices are:

  • Enrolled with User Enrollment, and on iOS 15 or iPadOS 15.
  • Enrolled into Intune with User Enrollment between September 16, 2021 (Intune’s 2109 service release) and the August (2208) Intune release. You can see the device enrollment date in the Microsoft Endpoint Manager admin center reporting by going to Devices > iOS/iPadOS and, on the overview page, checking the Enrollment date column. If you’re looking on an actual iOS device, you can see the enrollment date under Settings > General > VPN & Device Management > Management Profile, then look at when the Device Identity Certificate expires. If it’s between September 2022 and September 2023, the device is likely impacted, as most customers use a one-year certificate.

 

If we believe you have devices that meet the criteria above, we also posted Service Health Dashboard post IT428176 under your Service Health dashboard. It's closed now because Intune's changes are complete and we have confirmed that Apple's release of iOS/iPadOS 16.1 resolves this issue.

 

The user experience:

  • If the device updates from iOS/iPadOS 15 to iOS/iPadOS 16, the user will be presented with a "new MDM payload does not match the old payload" error. At the device level, the enrolled devices are not able to update their management profile. When management profiles are not updated, the device could lose compliance, which, depending on your policies, may block access to company resources.

 

Update from 9/16:

Immediate mitigation:

A device can be un-enrolled and re-enrolled, which will apply a new management profile and the new OS. (We've deployed a mitigation fix in the 2209 Intune service release, so you no longer need to take this step.)

 

Resolution:

  • Intune released a fix which will be completely rolled out to the entire Intune environment by September 18 (completed and devices are remediating); and
  • With Apple's recent release of iOS/iPadOS 16.1, we've confirmed that the fix is in to fully resolve this issue.

 

With both fixes deployed, users will not receive the update error and can easily update to iOS 16/iPadOS 16 and higher.

 

Blog post updated

  • 09/16 with mitigation timeline updates.
  • 09/19 with mitigation timeline updates.
  • 10/15 Updated post with resolution.  

 

We will keep this post updated as we have additional information and as fixes are released. If you have questions, reply to this post or reach out to @IntuneSuppTeam on Twitter.

Last update: Dec 19 2023 01:29 PM