Just in Time Registration for iOS/iPadOS with Microsoft Intune
Published Oct 28 2022 11:30 AM

By Anya Novicheva, Product Manager 2 | Microsoft Intune, and Jaye Ren, Product Manager | Microsoft Intune


Updated 11/04/22: JIT registration is not currently supported for US Government GCC High and DoD. Support is coming in a future service release.


We are excited to announce Just in Time (JIT) Registration for Setup Assistant with modern authentication for iOS/iPadOS devices that enroll through Apple’s Automated Device Enrollment (iOS/iPadOS 13+). This enrollment flow improves on the Setup Assistant with modern authentication method because it no longer requires the Company Portal app for Azure Active Directory (Azure AD) registration or compliance checking. By removing the Company Portal requirement, we eliminated extraneous steps, removed a mandatory app download, and put an end to switching between apps to get the device compliant, streamlining the user flow.


With JIT Registration, once the user completes enrollment during Setup Assistant and lands on the home screen, the user authentication can be completed in any Microsoft Office application or SSO-enabled application to register the device with Azure AD and kick off compliance. The compliance checks are integrated right into the Office app that is used for authentication, so the user doesn’t need to switch between multiple apps to understand the steps that they need to take to become compliant.


Check out the non-compliant JIT registration flow in this video, which shows the embedded compliance checks and how they guide the end user to bring their device into compliance without any app switching. In this demo, the end user lands on the home screen and opens Teams to access their messages. They are blocked by Conditional Access right within the Teams app by the embedded compliance check. The end user sees that they need to set a device passcode in order to become compliant and gain access to corporate resources. The end user sets a device passcode, goes back to the Teams app to refresh the compliance page, and is now compliant, so the messages flow in.


We are utilizing Apple's single sign-on (SSO) extension functionality to significantly minimize authentication prompts. The first authentication in Setup Assistant completes enrollment and establishes user device affinity while the next authentication handles Azure AD registration within any Office app or SSO-enabled application that takes in credentials. This ensures that SSO is fully established across the device. These authentications are all that are required to fully enroll the corporate device with Intune, register it with Azure AD, and ensure compliance on the device with a fully integrated compliance experience right within any Office app.


To set up JIT registration for ADE on the admin side, refer to the following information.


Important: If you want to target Intune app protection policies (APP/MAM) to a managed device, you will need to push the specific app configuration policy yourself, since the Company Portal handled this automatically in the previous flow. We are working on removing that need and providing an automatic option in the future. The app config policy steps for setting the 'IntuneMAMUPN' via MDM app config are documented here: Manage transferring data between iOS apps.


Setting up the admin-side configuration for JIT Registration for ADE

Important! Before you begin, make sure you exclude "Microsoft Intune" from any Conditional Access (CA) policy targeted at the devices enrolling with JIT Registration.

  1. Create a device configuration policy under the Microsoft Endpoint Manager admin center > Devices | iOS/iPadOS > Templates > Device features > Category > Single sign-on app extension. Refer to Single sign-on app extension for more information.
    1. Set the SSO app extension type to Microsoft Azure AD.
    2. Do not add any Microsoft applications to the SSO app extension policy or this may cause additional auth prompts for the end user. All Microsoft applications are automatically part of the iOS/iPadOS Microsoft Azure AD SSO app extension policy. We recommend admins guide their end users to authenticate in the Teams app to kick off the SSO extension for the most seamless experience, since Teams is integrated with the most updated identity library.
      1. Make sure you don’t add the Microsoft Authenticator app to the SSO extension policy, or this will cause issues with JIT registration.
    3. Add all the App bundle IDs for non-Microsoft apps that you want SSO to be established on.
      1. After the end user's first sign-in, they will be signed in automatically to every Microsoft app and to every non-Microsoft app that is part of the SSO extension policy.
    4. Add the required key value pair under the additional configuration. Make sure there are no leading or trailing spaces around the key or the value, or JIT registration won’t work.
      1. Key: device_registration
      2. Type: String
      3. Value: {{DEVICEREGISTRATION}}
    5. We recommend also adding the key value pair that enables SSO within the Safari browser for all apps in the policy. Again, make sure there are no leading or trailing spaces around the key or the value, or JIT registration won’t work.
      1. Key: browser_sso_interaction_enabled
      2. Type: Integer
      3. Value: 1

A screenshot of the iOS/iPadOS Device features configuration screen, highlighting settings for 'Single sign-on app extension' and the key value pairs for additional configuration.


  2. Specify the Microsoft Authenticator app as a required app and then assign it to a group. For instructions, read Add apps to Microsoft Intune and Assign apps to groups with Microsoft Intune. Make sure you don’t add the Microsoft Authenticator app to the SSO app extension policy.
  3. Within an active Intune ADE token from Apple Business Manager (ABM) or Apple School Manager (ASM), create the iOS/iPadOS ADE enrollment profile using the Setup Assistant with modern authentication method. Then, assign this enrollment profile to the devices that synced over from ABM/ASM. Refer to Automatically enroll iOS/iPadOS devices by using Apple's Automated Device Enrollment for more information.
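As an added example (not from this post and not Intune code), here is a small Python check that takes the settings an admin enters on the Single sign-on app extension blade, modelled as a plain dict, and flags the pitfalls the steps above call out: Microsoft apps in the bundle ID list, stray whitespace around the key/value pairs, and a missing or mistyped device_registration or browser_sso_interaction_enabled entry. The dict shape and the sample policies are constructed for illustration, not an Intune export format.

```python
REQUIRED_TYPE = "Microsoft Azure AD"
# Additional-configuration entries from the post: (key, type, value).
DEVICE_REGISTRATION = ("device_registration", "String", "{{DEVICEREGISTRATION}}")  # required
BROWSER_SSO = ("browser_sso_interaction_enabled", "Integer", "1")  # recommended


def lint_sso_extension_policy(policy):
    """Return findings for a policy dict shaped like the Intune SSO app extension blade
    (an assumed shape for this example): {"type": str, "app_bundle_ids": [str],
    "additional_config": [{"key": str, "type": str, "value": str}]}. Empty list = OK."""
    findings = []
    if policy.get("type") != REQUIRED_TYPE:
        findings.append(f"SSO app extension type must be '{REQUIRED_TYPE}'")
    # Microsoft apps are included automatically; listing any (Authenticator above all) breaks JIT.
    for bundle_id in policy.get("app_bundle_ids", []):
        if bundle_id.strip().lower().startswith("com.microsoft."):
            findings.append(f"remove Microsoft app '{bundle_id}' from the bundle ID list")
    entries = {}
    for entry in policy.get("additional_config", []):
        key, value = entry["key"], str(entry["value"])
        # Leading/trailing whitespace around a key or value silently breaks JIT registration.
        if key != key.strip() or value != value.strip():
            findings.append(f"pair {key!r} = {value!r} has leading or trailing whitespace")
        entries[key.strip()] = (entry["type"], value.strip())
    for key, typ, value in (DEVICE_REGISTRATION, BROWSER_SSO):
        label = "missing required" if key == DEVICE_REGISTRATION[0] else "missing recommended"
        if key not in entries:
            findings.append(f"{label} key '{key}' ({typ} = {value})")
        elif entries[key] != (typ, value):
            findings.append(f"key '{key}' must be {typ} = {value}, found "
                            f"{entries[key][0]} = {entries[key][1]}")
    return findings


# Constructed sample policies: one with the pitfalls the post warns about, one corrected.
BAD_POLICY = {
    "type": "Microsoft Azure AD",
    "app_bundle_ids": ["com.microsoft.azureauthenticator", "com.example.lob"],
    "additional_config": [
        {"key": "device_registration ", "type": "String", "value": "{{DEVICEREGISTRATION}}"},
        {"key": "browser_sso_interaction_enabled", "type": "String", "value": "1"}]}
GOOD_POLICY = {
    "type": "Microsoft Azure AD", "app_bundle_ids": ["com.example.lob"],
    "additional_config": [
        {"key": "device_registration", "type": "String", "value": "{{DEVICEREGISTRATION}}"},
        {"key": "browser_sso_interaction_enabled", "type": "Integer", "value": "1"}]}

if __name__ == "__main__":
    print("\n".join(lint_sso_extension_policy(BAD_POLICY)) or "no findings")
```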


Once these configuration steps are complete, the user will be able to complete setup and authentication on the device. They simply need to turn on the device, go through the Setup Assistant screens, and authenticate with their Azure AD credentials to fully enroll the device with Intune and establish user device affinity. When the user opens a managed Microsoft Office app, the app automatically establishes SSO. We recommend the end user sign into Teams first for the most updated and streamlined experience.


Here’s an example of the experience after a user has completed the enrollment in Setup Assistant and opens Microsoft Teams to start their work:


Note: The Company Portal is not required for a device to complete Azure AD registration or reach compliance. However, it may need to be installed to collect logs to aid in troubleshooting. We plan to remove this requirement in the future.


We hope you’re excited for this new experience and can’t wait to hear how it goes as you begin implementing it! If you have any questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.


Post Updates:

10/31/22: updated to clarify the device configuration policy flow based on customer feedback - Thank you!

11/04/22: updated with a note on US Government GCC High and DoD support; support is coming in a future service release.

11/09/22: updated with an important note regarding value and key, otherwise JIT registration won't work.

11/29/22: updated post based on customer feedback. Thank you!

Last update: Nov 29 2022 01:57 PM