Microsoft Endpoint Manager support for iOS 14, iPadOS 14 and watchOS 7
Published Sep 16 2020 12:00 PM

Microsoft Intune is excited to support Apple in their launch of iOS 14, iPadOS 14, and watchOS 7. We are delighted to deliver new functionality alongside Apple’s launch – ensuring you can be at the cutting edge to support your users wherever they are working or learning this fall.

 

Here are the new Apple scenarios we support and updates we’ve made to provide the best MDM and APP experience:

  • In our September release, we support several new configurations for MDM enrolled iOS and iPadOS 14.0+ devices, including:
    • Disable iOS/iPadOS App Clips

    • 4096 bit SCEP certificate keys

    • Custom maximum transmission unit (MTU) values for IKEv2 VPN connections

    • Per-account VPN routing for the native Mail app

    • Prevent users from disabling automatic VPN

    • Associated domains for per-app VPN connections

    • Excluded domains for per-app VPN connections

  • Apple Business Manager and Apple School Manager have been updated with a new view for all devices and Custom Apps functionality for distributing apps internal to your organization. Last year’s integration with Microsoft Azure Active Directory to enable Federated Authentication for Managed Apple IDs now works alongside SCIM (System for Cross-domain Identity Management) to help keep account data in sync.

  • There have been improvements to the Apple Push Notification service (APNs) to improve communication, which Intune supports.

In upcoming releases, we plan to add even more features to support your Apple management journey, including skipping Restore Completed and Update Completed panes during Automated Device Enrollments on iOS and iPadOS 14.0+.

 

With iOS and iPadOS 14, devices will automatically present a randomized MAC address for enhanced privacy when connecting to networks rather than defaulting to physical MAC addresses. If you rely on static MAC addresses in your environment, which may be used for network access control (NAC), you can disable MAC address randomization on a per-network basis in your Wi-Fi profile configuration for iOS and iPadOS 14 in our September release.

 

If you update an assignment from “Required” to “Available for enrolled devices”, new app installations will be installed as removable. Existing apps that were originally installed as “Required” remain non-removable until the user requests to install the app from Company Portal, which then updates the installed app’s property to removable.

 

Based on customer feedback, iOS 14 apps deployed as “Required” will become removable when the November update of Intune is released. Managed iOS devices need to sync with Microsoft Endpoint Manager to reflect the change in required apps.

 

In iOS 14, users can set their default mail and browser apps. The latest Outlook version (4.55.1) supports this functionality, and Edge supports it as of version 45.8.9.

 

iOS and iPadOS 14 offer the ability for app developers to provide widgets that present key information from apps on users’ home screens. If an app creates a widget, that widget will show up on the user's device. Microsoft Endpoint Manager will not obscure the information displayed in widgets. If a widget from a protected app contains any links, APP will protect those links in the same way that links within the app are protected.

 

In iOS and iPadOS 14, there are some updates to how pasteboard works. Here’s what this means for your apps protected with APP:

  • For apps that have not updated to the most recent version of the Intune SDK (12.9.0), managed accounts trigger pasteboard notifications frequently. This is because Intune checks the pasteboard when the app becomes active to ensure data on the pasteboard is being protected correctly. For iOS and iPadOS 14, Intune now enforces the restriction on paste/copy rather than on app launch/resume.
  • Because Intune can no longer read the content without triggering a pasteboard notification, it is not possible to hide the paste button (where we would have blocked the paste action) for accounts with a non-zero paste in exception policy. This paste button will only appear until a paste action has been taken and will paste "Your personal data cannot be pasted here. Only <admin-defined number> characters are allowed." when selected. After the first paste in the managed app, we will know of the contents and can properly hide the button.

In 2021, Apple will update the format of serial numbers for products to a randomized string of 10 characters. This should not impact your Intune enrollments.

 

We have fixed an issue on iPadOS 14, where Shared iPads could not complete enrollment and continue to show “awaiting final configuration from company”. The fix will be available in the October update of Microsoft Intune enabling you to successfully enroll Shared iPads running iPadOS 14.

 

We’re investigating an issue with iOS and iPadOS 14 and OneDrive where users cannot access OneDrive files through the Files app or FileProvider API when the device is enrolled with the following device restrictions:

  • “Viewing corporate documents in unmanaged apps” is blocked.
  • “Viewing non-corporate documents in corporate apps” is not configured.

We have recently made changes to our iPadOS enrollment service that are live for public cloud tenants already. These changes are rolling out to the government cloud in the next week. In the meantime, if you would like to enroll a device running iPadOS 14 through the Company Portal, you can follow a few simple steps:

  1. Go to iOS Settings > Safari > Request Desktop Websites and turn off “Request Desktop Website on All Websites”
  2. Go to iOS Settings > Safari and select the Clear History and Website Data option
  3. Log into the Company Portal app and enroll your device

Apple posted updated versions of the operating system software license agreements for both Apple Business Manager and Apple School Manager on September 16, 2020. Your organization won’t be able to enroll devices or deploy new apps until an administrator has signed into either Apple Business Manager or Apple School Manager and accepted the new terms.

 

For more information, see the Apple Support article “If Apple Business Manager or Apple School Manager asks you to approve new terms and conditions”.

 

Known Issues:

MAC address randomization is on by default for both iOS 14 and iPadOS 14 which breaks network access control (NAC) for Wi-Fi where MAC address is being used as the lookup key.

We’re releasing the ability to turn this feature off within the 2009 service release. As this feature will be rolling out gradually over the next few days, there will be a gap where these devices won’t be able to connect to NAC-enabled Wi-Fi until the user turns off MAC address randomization.

As a workaround, impacted users will need to manually turn off "Private Address" for the Wi-Fi Network they are connected to within the Settings app after they upgrade to iOS 14 and iPadOS 14. Note that this is a per-network setting and will need to be applied to each impacted Wi-Fi network on the device.
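To see which networks are affected by the known issue above, the following added example (not part of the original post) scans NAC authentication logs for rejected clients that present a locally administered unicast MAC address, which is the form a randomized "Private Address" takes. The log line format, the inventory set and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed NAC authentication log; the line format is an assumption.
SAMPLE_LOG = """\
2020-09-17T08:01:12Z ssid=CorpNet mac=3C:22:FB:10:20:30 result=accept
2020-09-17T08:02:40Z ssid=CorpNet mac=A6:5E:0C:11:22:33 result=reject
2020-09-17T08:03:05Z ssid=CorpNet mac=f2-91-7a-44-55-66 result=reject
2020-09-17T08:04:19Z ssid=Guest mac=00:1B:63:AA:BB:CC result=reject
2020-09-17T08:05:00Z ssid=Labs mac=DA:A1:19:00:00:01 result=reject
malformed line without fields
"""

# Constructed inventory of hardware MAC addresses used as the NAC lookup key.
REGISTERED = {"3c:22:fb:10:20:30"}

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac):
    """Lower-case the address and use ':' separators; None if not a MAC."""
    candidate = mac.strip().lower().replace("-", ":")
    return candidate if MAC_RE.match(candidate) else None


def is_locally_administered(mac):
    """True for a unicast address with the locally administered bit set.

    Bit 0x02 of the first octet marks a locally administered address and
    bit 0x01 marks multicast. Randomized addresses are local and unicast,
    but so are some virtual NICs, so treat a hit as a strong hint only.
    """
    norm = normalize_mac(mac)
    if norm is None:
        return False
    first_octet = int(norm[:2], 16)
    return bool(first_octet & 0x02) and not (first_octet & 0x01)


def find_randomized_rejects(log_text, registered):
    """Map each SSID to the rejected MACs that look randomized."""
    affected = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(p.split("=", 1) for p in line.split() if "=" in p)
        mac = normalize_mac(fields.get("mac", ""))
        if mac is None or fields.get("result") != "reject":
            continue  # skip malformed lines and successful authentications
        if mac not in registered and is_locally_administered(mac):
            affected[fields.get("ssid", "?")].add(mac)
    return {ssid: sorted(macs) for ssid, macs in affected.items()}


if __name__ == "__main__":
    for ssid, macs in find_randomized_rejects(SAMPLE_LOG, REGISTERED).items():
        print(f"{ssid}: {len(macs)} rejected client(s) with a private address")
        for mac in macs:
            print(f"  {mac}")
```

The SSIDs it reports are the networks where the per-network setting needs to be turned off, either in the Wi-Fi profile or manually on the device.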

 

What should you do now?

  • If you haven’t been testing with the public beta releases, be sure to test your scenarios now that iOS and iPadOS 14 are releasing.
  • Test out new Endpoint Manager functionality and see how it might apply to scenarios in your organization.
  • Accept Apple’s new versions of operating system software license agreements in Apple Business Manager.

Keep us posted on your favorite new feature and as always let us know if you have any additional questions or feedback. You can comment on this post or reach out to us on Twitter by tagging us at @IntuneSuppTeam.

Thank you for all the feedback you have been providing regarding how you want to use the new app property in iOS and iPadOS 14 to mark an app as non-removable. We are actively investigating how we can best address your feedback. Stay tuned to In development and What’s New in Microsoft Intune to see future updates regarding this.

 

Blog post updates:

9/16/20: Included a known issue section.

9/17/20: With an update to clarify the Known Issue section, and an update to note that both Apple Business Manager and Apple School Manager administrators will need to accept the updated versions of operating system software license agreements to be able to enroll devices or update new apps.

9/24/20: With an update to clarify the “Required” assignment type scenario for apps on iOS and iPadOS 14 devices where apps are marked as non-removable.

10/6/20: With an update to Shared iPads - We have fixed an issue on iPadOS 14, where Shared iPads could not complete enrollment and continue to show “awaiting final configuration from company”. The fix will be available in the October update of Microsoft Intune enabling you to successfully enroll Shared iPads running iPadOS 14.

10/21/20: We previously communicated that when using the “Required” assignment type for apps on iOS 14 devices, apps are marked as non-removable. As communicated in MC224749, based on the customer feedback, iOS 14 apps deployed as “Required” will become removable when the November update of Intune is released. Managed iOS devices need to sync with Microsoft Endpoint Manager to reflect the change in required apps. We are currently working on the ability for admins to toggle the setting in the UI and expect that feature to release in December.

47 Comments
Copper Contributor

With regards to setting Outlook and Edge as the default mail app and browser, is that something we can set with Endpoint Manager?

@Victor Solis There is not currently a setting in Apple's MDM protocol to set this functionality via MDM. If Apple adds one in the future, we will definitely add support!

Copper Contributor

Random users are now (edit - with iOS/iPadOS v14) encountering a problem with iOS native Email app being unable to sync with EXO account.

 

Noteworthy symptoms:

 

1) Error displayed on devices states 'Apple Internet Accounts' not granted admin consent.

2) AAD sign-in details show CA failing due to devices not managed and/or not in compliance. Per Endpoint Manager (f.k.a. Intune) data the respective devices are in compliance.

 

Hence these questions:

 

1) did we overlook an announcement that for 'modern auth' method with iOS 14 a different app needs to be authorized for access (previously it was called iOS Accounts)

2) why CA fails to recognize the device state when client is iOS 14?

3) why is the issue affecting only some users, while others after update to iOS 14 can continue to work 'as before' (that includes myself with 2 devices even)?

 

Brass Contributor

We have heavily locked down DEP devices and every app is pushed and "required".  Our first line of troubleshooting an application which is not behaving properly on our iOS devices is to have them delete the app and do a company portal sync to have the app automatically re-install.  This can't be done now.

If you long press an app > remove app > only option is "move to app library".  You then need to go to the app library and long press it, choose delete app, "uninstall not allowed because it is required".

This is going to present a huge issue for applications which are not behaving, crashing, etc.

Copper Contributor

Any idea when the Update Complete screen disablement will be available? This is huge for our iPads in Kiosk Mode, and would love to get that policy in place so we can stop manually patching.

Iron Contributor

I have noticed a pretty large bug w/ iOS 14, specifically: Microsoft Outlook app "E-Mail" notifications.  "New Message - Open Outlook to read your message" is the new Notification, instead of a Message preview.  We are currently running the latest version of Outlook 4.55.1. Hopefully an update is released ASAP. 


I did raise a case w/ Microsoft Premier Support to get some more info. Pending response. 


Buena Suerte!

Copper Contributor

@JoseSetienMDM I've got 4.55.1 running on few devices and have not seen that issue with notifications. They appear as they did prior to iOS 14. Is this the notification that appears at the top of your screen?

Copper Contributor

@Jason Salgado I see the same issue with my devices. 

Copper Contributor

Please allow users to reinstall apps from Company Portal. It is the first thing we do for troubleshooting...

Brass Contributor

We also are experiencing the notification issue and have a ticket open on it as well.  The inability to remove a required app now with iOS 14 only makes this worse since users can't do a reinstall.  I much prefer the prior behavior that let a user remove a required app reinstalled it for them automatically later.

Copper Contributor

@JoseSetienMDM I see the same even though the latest version is 4.56.0 !

 

I believe it’s something to do with Outlook being installed via the Company Portal. Come on Microsoft sort it out please!

Steel Contributor

Not being able to remove apps that are set as required creates an issue for IT admins for troubleshooting common issues.

 

https://developer.apple.com/documentation/devicemanagement/installapplicationcommand/command/attribu...

Please update Intune so that the Removable property is set to true (default) and allow IT admins to define the behaviour instead.

@Normunds Karklins, thanks for the feedback! We’ve passed along your feedback to the team for #1. For #2 and #3 - If you have users that are still in a blocked state, let’s get you over to our support folks for further investigation. Please open a support request via the MEM admin console or any of the steps mentioned here: aka.ms/IntuneSupport. Thanks!

@Jason Salgado @glennmnz @eglockling - Thank you all for the feedback! We've passed this along to the appropriate folks.

@CurtisWSmith, thanks for the comment! The Update Completed feature is something we’re looking forward to as well. Stay tuned to our In development docs for an announcement. It's coming!

@JoseSetienMDM @Victor Solis @Brandon Hughes @steve47a - Thank you all for the reports. Confirming this is a current known issue and engineering is investigating.

Copper Contributor

Does anyone have issues with DEP enrollment? When I'm trying to enroll a new iPad that's on iOS 14, it's stuck on "awaiting final configuration from "company"" 

Tried to reinstall the iPad already, also tested with another iPad I have updated to iOS 14. Still same issue.. 


Tried on our Wifi and with a mobile data connection, doesn't make a difference..

@Jason Salgado @glennmnz @eglockling - Following up, thanks again for all the feedback! We are actively investigating how we can best address your feedback. Stay tuned to our In development and What’s New in Microsoft Intune to see future updates regarding this. Thanks!

@Yme_Stechweij, thanks for the comment. We removed the screenshot you've shared as it contained PII. If you're receiving this error, here are a couple of things you can do to check:

If you chose to configure your devices to be Apple Shared iPads, it may take a while for your user’s data to come down to the device after sign-in. To validate your current configuration, see Step #12 under our Create an Apple enrollment profile doc.

 

If you continue to run into any issues, feel free to reach out to us over a message to talk through this scenario.

Copper Contributor

@Intune_Support_Team, I know that, I have more than 1000+ devices enrolled, everything is working fine on iOS 13..

 

I made a new ticket: Re: iOS 14 - DEP enrollment stuck, someone else tested and has the same issue.

 

 

Copper Contributor

@Yme_Stechweij We are having the same issue with our iPads on 14.0 and even today with 14.0.1. Factory reset 13.7 iPad is still able to pull the profile down no problem. Seems to be an issue with 14.0.

Hi @Yme_Stechweij and @x7zifle963, thank you both for the reports! At this point, let's get you over to our support folks for further investigation and troubleshooting. Please open a case either through the MEM admin console or any of the methods mentioned here. Once created, please message us your support case number, so that we can keep an eye on the case. Thanks!

Brass Contributor

Having the same issue. iPad, iOS 14.0.1 stuck at "Awaiting final configuration" Shared iPad = Yes

Copper Contributor

I updated iPhone to 14.01 last week and saw the Company Portal app got updated to 4.10.0 today. However, when I looked at aka.ms/intuneupdates, it doesn't mention anything iOS related. 

Bronze Contributor

@Intune_Support_Team Hi, will there be any updates regarding the Home Screen Layout options? Specifically I'd like to set the icons on the Dock and the Home Screen only once, and then let the user decide if they want to keep the layout. Though I'm not sure if this is a setting possible with the current MDM options from Apple.

Another way would be an option for a whole policy to be set just once and not enforced.

Also will there be an option to place widgets via Intune?

Copper Contributor

iOS14.0.1, Company Portal 4.10.0 and Outlook 4.57.0. All 3 updated within the last 24-48 hours on a test iPhone 6s and still the "New Message - Open Outlook to read your message". I was hopeful that one or more of these updates would have solved the notification preview issue!

 

Copper Contributor

iOS 14 Required app - reinstallation method needed!

 

Instead of changing the defaults, add the possibility, as mentioned by @eglockling  "Please update Intune so that the Removable property is set to true (default) and allow IT admins to define the behaviour instead."

Copper Contributor

I do not understand how it can come to this point, Microsoft have access to iOS 14 months prior to it being released.

We set our apps to required as it installs automatically once the device has been signed into via the account.

Not being able to uninstall the apps has also caused an issue for required apps as we cannot leave auto updates turned on due to the option being either turned off or on... On top of all of this Company Portal now tries to enroll the devices twice.

 

The MDM profile is already installed but Company portal does not recognize this and keeps trying to reinstall the profile.

 

This has been very poor on Microsoft's end as the perfect process we had in place is now ruined.

 

Copper Contributor

Checking to see if anyone is having issues with a device in DEP not yet assigned to a user updating to 14.0.1 and then not being allowed to enroll into Intune by the user. Users are receiving this error when attempting to enroll: 

 

“Couldn’t map device record with user.  Your IT support only allows iOS 14.0 or earlier to access company resources.  Your current version is 14.0.1. Report this to your IT support if you have questions.” 

 

Current Max OS is set to 14.5 and doesn't occur on 14.0 devices, just 14.0.1.

Copper Contributor

"This ensures that these mission-critical apps cannot be uninstalled by the user."

 

That sounds great on the planning board but in reality apps break. Data directories get corrupted and the only way to reset them is through an uninstallation of the app and wait for the app to be reinstalled again.

 

Make this at least configurable since this change will cause a lot of extra helpdesk work and unnecessary factory resets of devices!

Hi @Yme_Stechweij, @x7zifle963, @AlphaSeb, thanks again for all of your reports. We have fixed an issue on iPadOS 14, where Shared iPads could not complete enrollment and continue to show “awaiting final configuration from company”. The fix will be available in the October update of Microsoft Intune enabling you to successfully enroll Shared iPads running iPadOS 14.

Copper Contributor

@Intune_Support_Team Thanks for the update! May I ask one question about the iPad "awaiting final configuration" issue please? How about lower OS version? We are having this "awaiting final configuration" issue in different OS such as 12, 13, 14 and in different iPad models, iPad air 1 and 2, iPad 7, etc. Also, is there any specific date of this fix to be available? Thanks! 

Brass Contributor

For me, I am able to register iPhones but not iPads running iOS 14.0.1.  The error is Company Portal temporarily unavailable.  I have removed and re-installed the app as suggested by the troubleshooting guide, but the error persists.

 


Hi @a2c91g5s, if you're experiencing the "Company Portal Temporarily Unavailable" error, have a look at this possible solution to see if it resolves your issue. If you're continuing to experience the same, let’s get you over to our support folks for further investigation. Please open a new support request via the MEM admin console or any of the steps mentioned here: aka.ms/IntuneSupport. Thanks!

We previously communicated that when using the “Required” assignment type for apps on iOS 14 devices, apps are marked as non-removable.

Based on the customer feedback, iOS 14 apps deployed as “Required” will become removable when the November update of Intune is released. Managed iOS devices need to sync with Microsoft Endpoint Manager to reflect the change in required apps. We are currently working on the ability for admins to toggle the setting in the UI and expect that feature to release in December. You can also refer to: MC224749 under the Service health and message center for more information. Thank you all for the feedback!

Copper Contributor

@Intune_Support_Team Thank you for listening and making it happen!

Brass Contributor

@Intune_Support_Team Thank you for making required apps removable again.

Copper Contributor

There seems to be a workaround, where Shared iPads could not complete enrollment and continue to show “awaiting final configuration from company”.

 

Ref article below

https://discussions.apple.com/thread/7653108

Hi @JoseSetienMDM @Victor Solis @Brandon Hughes @steve47a, following up to the issue where users received the "Open Outlook to read this message" notification message, this issue has been resolved with the latest release of iOS 14.1. If you're continuing to experience the same, please open a new support request via the MEM admin console or any of the steps mentioned here: aka.ms/IntuneSupport. Thanks!

Copper Contributor

Hello Team, I'm trying to integrate an iPhone 12 Pro with iOS 14.1 into our company network, but I always get the message that registration is not possible with the following error. Do you have a solution? I have already reset the iPhone and tried without an image, i.e. built up as a new iPhone, no difference.

 

Modell: iPhone

Betriebssystem: iOS 14.1

App Store-Version: 4.11.1

Buildversion: 51.2010006.000

Authenticator-Protokolle hochgeladen: True

 

Fehler:

Error domain: com.microsoft.workplacejoin.errordomain

Code: -200

Description: Received an error response from the server

User info: {

    NSLocalizedDescription = "Received an error response from the server";

    NSUnderlyingError = "Error domain: com.microsoft.workplacejoin.errordomain\nCode: 400\nDescription: {\"ErrorType\":\"AuthorizationError\",\"Message\":\"User '4b6*****-****-****-****-d93*********' is not eligible to enroll a device of type 'Ios'. Reason 'DeviceCapReached'.\",\"TraceId\":\"23a*****-****-****-****-1d7*********\",\"Time\":\"10-26-2020 16:26:26Z\"}\nUser info: {\n    NSLocalizedDescription = \"{\\\"ErrorType\\\":\\\"AuthorizationError\\\",\\\"Message\\\":\\\"User '4b6*****-****-****-****-d93*********' is not eligible to enroll a device of type 'Ios'. Reason 'DeviceCapReached'.\\\",\\\"TraceId\\\":\\\"23a*****-****-****-****-1d7*********\\\",\\\"Time\\\":\\\"10-26-2020 16:26:26Z\\\"}\";\n}";

}

Copper Contributor

@Danico you need to remove some devices from user 4b6*****-****-****-****-d93*********.
As stated there are too many registered.
Reason 'DeviceCapReached'.

 

P.S. - It's a good idea to remove or obfuscate user id's when posting to public forums.
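For the Company Portal error text posted above, this added example (not part of the thread and not Microsoft code) pulls the server's JSON body out of the escaped `NSUnderlyingError` string, reports the reason code, and masks GUIDs before the text is shared publicly. The sample text is constructed in the shape of the posted error with placeholder GUIDs, and the function names are assumptions.

```python
import json
import re

# Constructed sample in the shape of the error text posted in this thread.
# Both GUIDs are placeholders, not values from the page.
SAMPLE_ERROR = r'''Error domain: com.microsoft.workplacejoin.errordomain
Code: -200
Description: Received an error response from the server
User info: {
    NSLocalizedDescription = "Received an error response from the server";
    NSUnderlyingError = "Error domain: com.microsoft.workplacejoin.errordomain\nCode: 400\nDescription: {\"ErrorType\":\"AuthorizationError\",\"Message\":\"User '11111111-2222-3333-4444-555555555555' is not eligible to enroll a device of type 'Ios'. Reason 'DeviceCapReached'.\",\"TraceId\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"Time\":\"10-26-2020 16:26:26Z\"}\nUser info: {\n    NSLocalizedDescription = \"(same body, escaped again)\";\n}";
}'''

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# The JSON body follows "Description: " inside NSUnderlyingError, has its
# quotes escaped as \" and ends just before a literal backslash-n.
BODY_RE = re.compile(r'Description: (\{\\".*?\})\\n')
REASON_RE = re.compile(r"Reason '(\w+)'")


def parse_enrollment_error(text):
    """Return the fields of the embedded server response, or None."""
    match = BODY_RE.search(text)
    if match is None:
        return None
    try:
        # Undo one level of quote escaping, then parse as JSON.
        body = json.loads(match.group(1).replace('\\"', '"'))
    except json.JSONDecodeError:
        return None
    reason = REASON_RE.search(body.get("Message", ""))
    return {
        "error_type": body.get("ErrorType"),
        "reason": reason.group(1) if reason else None,
        "trace_id": body.get("TraceId"),  # keep privately for the support case
        "time": body.get("Time"),
    }


def redact_ids(text):
    """Mask every GUID (user id, trace id) before posting the text publicly."""
    return GUID_RE.sub("<redacted-id>", text)


if __name__ == "__main__":
    print(parse_enrollment_error(SAMPLE_ERROR))
    print(redact_ids(SAMPLE_ERROR))
```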

Copper Contributor

@Danico "User '4b6*****-****-****-****-d93*********' is not eligible to enroll a device of type 'Ios'. Reason 'DeviceCapReached

 

 

sounds like your user has enrolled max. number of devices.

You can up that from 5 to 15 I think it is.

Or better use different users for each device

Copper Contributor

Hi All,

I had in my prof actually still older devices which were active, these I have now reduced to 3. On the iPhone I have deleted the app and reinstalled it, but I still get the error message? How can I solve this?

Thx

KR D.

 

Modell: iPhone

Betriebssystem: iOS 14.1

App Store-Version: 4.11.1

Buildversion: 51.2010006.000

Authenticator-Protokolle hochgeladen: True

 

Fehler:

Error domain: com.microsoft.workplacejoin.errordomain

Code: -200

Description: Received an error response from the server

User info: {

    NSLocalizedDescription = "Received an error response from the server";

    NSUnderlyingError = "Error domain: com.microsoft.workplacejoin.errordomain\nCode: 400\nDescription: {\"ErrorType\":\"AuthorizationError\",\"Message\":\"User '4b6*****-****-****-****-d93*********' is not eligible to enroll a device of type 'Ios'. Reason 'DeviceCapReached'.\",\"TraceId\":\"bdc*****-****-****-****-375*********\",\"Time\":\"10-27-2020 7:36:25Z\"}\nUser info: {\n    NSLocalizedDescription = \"{\\\"ErrorType\\\":\\\"AuthorizationError\\\",\\\"Message\\\":\\\"User '4b6*****-****-****-****-d93*********' is not eligible to enroll a device of type 'Ios'. Reason 'DeviceCapReached'.\\\",\\\"TraceId\\\":\\\"bdc*****-****-****-****-375*********\\\",\\\"Time\\\":\\\"10-27-2020 7:36:25Z\\\"}\";\n}";

}

Copper Contributor

@Danico I'd have a look in Endpoint Manager to see what your device limit is and also what the iOS version enrolment restrictions are if any.
If that's okay, jump into Azure AD and clean up the user's devices there too.

Copper Contributor

It worked!!! Thanks a lot!!!

Copper Contributor

@Intune Support Team,

 

Thank you, yes I can confirm updating to iOS 14.1 does solve the Outlook notifications issue without having to resort to the uninstall/manual reinstall workarounds.

Copper Contributor

Has there been any reported issue with 4.12.0 on iOS 14.3? I've been seeing an issue where the app crashes without warning. I've even gone as far as factory resetting the device and still the app crashes. We are trying to switch from Jamf to Intune for our iPhones, but this is making it difficult to do so.

Last update: Dec 19 2023 01:24 PM