Just in Time registration and compliance Remediation for iOS/iPadOS with Microsoft Intune
Published Oct 28 2022 11:30 AM 53.2K Views

By Anya Novicheva, Product Manager 2 | Microsoft Intune, and Jaye Ren, Product Manager | Microsoft Intune

 

We are excited to announce Just in Time (JIT) Registration for Setup Assistant with modern authentication and Just in Time compliance remediation. These new features are both for iOS/iPadOS devices that enroll through Apple’s Automated Device Enrollment (iOS/iPadOS 13+) and account driven Apple user enrollment (iOS/iPadOS 15+).

 

Automated device enrollment

Just in Time registration within the enrollment flow is an improvement to the Setup Assistant with modern authentication enrollment method since it no longer requires the Company Portal app for Azure Active Directory (Azure AD) registration or compliance checking. By removing the Company Portal requirement, we eliminated extraneous steps, removed required app downloads that can’t be changed, and put an end to switching between apps to get the device compliant, thereby streamlining the user flow. 

 

Additionally, Just in Time compliance remediation is the new embedded flow for end users to see their compliance status and actions steps right within the app that they are completing Just in Time registration within. 

 

With JIT Registration, once the user completes enrollment during Setup Assistant and lands on the home screen, the user authentication can be completed in any Microsoft Office application or SSO-enabled application to register the device with Azure AD and kick off compliance. The compliance checks are integrated right into the Office app that is used for authentication, so the user doesn’t need to switch between multiple apps to understand the steps that they need to take to become compliant.

 

Check out the Just in Time compliance remediation flow in action in this video. This video shows the embedded compliance checks of a non-compliant device, and how they guide the end user to get their device compliant without any app switching. In this demo, the end user lands on the home screen and opens Teams to access their messages. They are blocked by conditional access right within the Teams app with the embedded compliance check. The end user sees that they need to set a device passcode in order to become compliant and gain access to corporate resources. The end user sets a device passcode and goes back to the Teams app to refresh the compliance page, and now they are compliant and the messages flow in.

 

The new Just in Time compliance remediation feature is automatically a part of all devices that have compliance policies targeted to them, that are utilizing Just in Time registration for iOS/iPadOS Setup Assistant with modern authentication.

 

 

We are utilizing Apple's single sign-on (SSO) extension functionality to significantly minimize authentication prompts. The first authentication in Setup Assistant completes enrollment and establishes user device affinity while the next authentication handles Azure AD registration within any Office app or SSO-enabled application that takes in credentials. This ensures that SSO is fully established across the device. These authentications are all that are required to fully enroll the corporate device with Intune, register it with Azure AD, and ensure compliance on the device with a fully integrated compliance experience right within any Office app.

 

To set up JIT registration for ADE on the admin side, refer to the following information.

 

Important: If you want to target Intune app protection policies (APP/MAM) to a managed device, you will need to push the specific app configuration policy, as it was automatically handled with the Company Portal in the flow. We are working on removing that need and providing an automatic option in the future. The app config policy steps for setting the 'IntuneMAMUPN' via MDM app config are documented here: Manage transferring data between iOS apps.

 

Setting up the admin-side configuration for JIT Registration for ADE

  1. Create a device configuration policy under the Microsoft Endpoint Manager admin center > Devices | iOS/iPadOS > TemplatesDevice features > Category > Single sign-on app extension. Refer to Single sign-on app extension for more information.
    1. Set the SSO app extension type to Microsoft Azure AD.
    2. Do not add any Microsoft applications to the SSO app extension policy or this may cause additional auth prompts for the end user. All Microsoft applications are automatically part of the iOS/iPadOS Microsoft Azure AD SSO app extension policy. We recommend admins guide their end users to authenticate in the Teams app to kick off the SSO extension for the most seamless experience, since Teams is integrated with the most updated identity library.
      1. Make sure you don’t add the Microsoft Authenticator app to the SSO extension policy, or this will cause issues with JIT registration.
    3. Add all the App bundle IDs for non-Microsoft apps that you want SSO to be established on.
      1. After the end users first sign in, the user will be automatically signed into any Microsoft app and non-Microsoft app that’s part of the SSO extension policy.
        Note! If your organization is using Microsoft Defender for Endpoint, please note that it cannot be the very first app that is opened by the user to authenticate at this time.
    4. Add the required key value pair under the additional configuration. Make sure there are no trailing spaces before or after the key and value pair or JIT registration won’t work.
      1. Key: device_registration
      2. Type: String
      3. Value: {{DEVICEREGISTRATION}}
    5. We recommend adding the key value pair that enables SSO within the Safari browser for all apps in the policy as well. Again here, make sure there are no trailing spaces before or after the key and value pair or JIT registration won’t work.
      1. Key: browser_sso_interaction_enabled
      2. Type: Integer
      3. Value: 1

A screenshot of the iOS/iPadOS Device features configuration screen, highlighting settings for 'Single sign-on app extension' and the key value pairs for additional configuration.A screenshot of the iOS/iPadOS Device features configuration screen, highlighting settings for 'Single sign-on app extension' and the key value pairs for additional configuration.

 

  1. Specify the Microsoft Authenticator app as a required app and then assign it to a group. For instructions read, Add apps to Microsoft Intune and Assign apps to groups with Microsoft Intune . Make sure you don’t add the Microsoft Authenticator app to the SSO app extension policy.
  2. Within an active Intune ADE token from Apple Business Manager (ABM) or Apple School Manager (ASM), create the iOS/iPadOS ADE enrollment profile using the Setup Assistant with modern authentication method. Then, assign this enrollment profile to the devices that synced over from ABM/ASM. Refer to Automatically enroll iOS/iPadOS devices by using Apple's Automated Device Enrollment for more information.

 

Once these configuration steps are complete, the user will be able to complete setup and authentication on the device. They simply need to turn on the device, go through the Setup Assistant screens, and authenticate with their Azure AD credentials to fully enroll the device with Intune and establish user device affinity. When the user opens a managed Microsoft Office app, the app automatically establishes SSO. We recommend the end user sign into Teams first for the most updated and streamlined experience.

 

Here’s an example of the experience after a user has completed the enrollment in Setup Assistant and opens Microsoft Teams to start their work:

 

 

Note: The Company Portal is not required for a device to complete Azure AD registration or reach compliance. However, it may need to be installed to collect logs to aid in troubleshooting. We plan to remove this requirement in the future.

 

We hope you’re excited for this new experience and can’t wait to hear how it goes as you begin implementing it! If you have any questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.

 

Account driven Apple user enrollment

Microsoft Intune supports account driven Apple User Enrollment on devices running iOS/iPadOS version 15 or later. Configure Just in time registration and compliance remediation for devices enrolling with account driven user enrollment by following the steps here: Set up account driven Apple User Enrollment.

 

Post Updates:

12/22/22: JIT registration is now supported on US Government GCC High and DoD tenants!

11/29/22: Updated post based on customer feedback. Thank you!

11/09/22: Updated with an important note regarding value and key, otherwise JIT registration won't work.

11/04/22: Updated with a note on US Government GCC High and DoD support; support is coming in a future service release.

10/31/22: Updated to clarify the device configuration policy flow based on customer feedback. Thank you!

01/23/23: Updated post to clarify JIT compliance remediation.

02/01/23: JIT registration issues has been fixed and released; the "Microsoft Intune" app from any Conditional Access (CA) policy no longer needs to be excluded.

07/31/23: Added sections: Automated device enrollment & Account driven Apple user enrollment. Added docs reference to setting up account driven Apple user enrollment.

08/25/23: Updated to clarify that if you're planning to use Microsoft Defender for Endpoint as the first app a user opens, please note it can't currently be used for initial authentication.

96 Comments
Version history
Last update:
‎Dec 19 2023 01:22 PM
Updated by: