Microsoft Intune Support for iOS 13.1, iPadOS, and macOS Catalina10.15

Published Sep 24 2019 03:04 PM 16.7K Views

Updated 4/20/21 - We’re excited to announce support for Setup Assistant with Modern Authentication for iOS/iPadOS 13+ and macOS 10.15+ now in public preview! See: Setup Assistant with Modern Auth for ADE (iOS/iPadOS 13+ and macOS 10.15+) - Intune Public Preview to learn more.


It’s just been a week since the release of iOS 13, as discussed in this blog post, so with the launch of iOS 13.1, we thought we’d share more of what’s new and coming from Intune. With the release of iOS 13.1, we are previewing User Enrollment alongside Apple’s release of the feature set. This preview is starting to roll out today and we expect it to be live for all customers by early next week so you can try out the new experience. Our workflow allows admins to target User Enrollment to specific users, and also allows other users to have a choice between User and Device enrollment depending on what feels appropriate for them. This enrollment type is associated with a Managed Apple ID which supports Azure AD federation in Apple Business Manager. Note that federated managed Apple ID's are currently only available through the beta of Apple Business Manager. You can look forward to a more extensive blog post and documentation shortly, but here’s a sneak peek at the end user experience for now:


Intune User Enrollment - End User ExperienceIntune User Enrollment - End User Experience


In addition, with this release, iOS and macOS Device Configuration profiles will now support single sign-on (SSO) app extensions. With this new device feature, you can configure an SSO experience so that users can access a whole suite of apps and websites after entering their username and password only one time. You will have the choice of configuring a generic credential SSO app extension or Apple’s new built-in Kerberos app extension, which provides password management and local password sync with your on-premise Active Directory instance. We are still working on adding support for an Azure AD single sign-on app extension that will enable users to access all Microsoft apps with one sign-in, so note that’s coming!


What else is in development?

  • Beyond just Dark Mode for the PIN screen, we’re also bringing Dark Mode to the Company Portal app. We are just doing final testing now, so we anticipate it will ship with the October Company Portal release. Here is a glance of what it looks like in our test environment:

    Dark Mode experience in the Intune Company PortalDark Mode experience in the Intune Company Portal

Update: This feature is available with the 1910 Intune Service Release. See: Introducing dark mode on Microsoft Intune Company Portal for iOS 8) - Microsoft Tech Community to learn more.


  • In the October service release, we’re adding full support within the console for three iOS/iPadOS 13.0 and higher new restrictions applicable to iOS and iPadOS:
    • Access to network drive in Files app  
    • Access to USB drive in Files app
    • Wi-Fi always turned on

While these restrictions will be rolling out with our October release, they can be applied to your managed devices today using custom configuration profiles.


Update: This feature is available with the 1910 Intune Service Release. See: iOS and iPadOS device settings to allow or restrict features using Intune to learn more.


  • We’re adding support for Modern Authentication within Setup Assistant for Automated Device Enrollments on iOS and macOS.

Update: In the 2103 Intune Service Release, support for Modern Authentication within Setup Assistant for Automated Device Enrollments on iOS and macOS is available as a public preview. See our blog post: Setup Assistant with Modern Auth for ADE (iOS/iPadOS 13+ and macOS 10.15+) - Intune Public Preview to learn more.


We are looking forward to getting your feedback on user enrollment, dark mode, and single sign-on. You can comment on this post or reach out to us on Twitter by tagging us at @IntuneSuppTeam. 


Documentation note: If you're in the Apple Business Manager beta and would like the documentation for Intune integration, direct message us through this forum and we can provide those docs.


Known Issue Resolution: We’ve had a report where SCEP certs linked to other profiles reissues a new certificate for Wi-Fi and VPN at every check-in. This behavior only happens if the cert is linked to other profiles. We’ve found updating to iOS 13.1.2 fixes the issue. 


Blog post updates:

  • 9/27/19 Updated information on the Apple Business Manager federated managed Apple ID's and a note on documentation.
  • 10/3/19 Added a note identifying a known issue regarding SCEP certs reissuing at every check-in. Updating to iOS 13.1.2 fixes the issue.
  • 10/8/19 Note about macOS Catalina - Intune also supports the launch of macOS Catalina 10.15 which Apple released 10/7/19.
  • 12/9/19 Update to Modern Authentication within Setup Assistant for Automated Device Enrollments.
  • 5/26/20 Added a note that our engineering folks are working hard on Modern Authentication support and will be available in the coming months.
  • 4/20/20 Updated post that support for a new authentication method for Automated Device Enrollment (ADE) which is Setup Assistant with Modern Authentication is now available in Intune!
New Contributor

Great news that this is landing right around iOS 13.1 release - thanks for always being on top of the ball.

Are there similar plans for User Enrollment on MacOS with the upcoming release of 10.15 Catalina in October?

Great Job :cool: Thanks !

Occasional Contributor
The new user enrollment process let's the user select wether the device is personal or corporate. What are the controls available to prevent a user from selecting personal when the device is truely corporate owned? What is the work flow user is assigned a "User Enrollment" profile and recieves a device configured for Apple Business Manager?

@Manoj Sood If a device is assigned a Automated Device Enrollment (formerly known as DEP) profile as a corporate device added in Apple Business Manager, the user will not be provided with the option to select whether their device is owned by them or their organization and will not have the option to elect to use Device Enrollment or User Enrollment. Users will only see this set of options if the admin explicitly targets them with a policy to require the user to select device type.

New Contributor

Will you update this blog article when documentation is available?

Waiting for the feature rollout is complete. I do see the Enrollment targeting profile section in our Azure Portal but creating a profile is always failing with an error.

New Contributor

@weberda - I am seeing the same behavior.

Occasional Contributor
@Tiffany Silverstein "Users will only see this set of options if the admin explicitly targets them with a policy to require the user to select device type." It is unclear to me what the user experience will be if a user has a user enrollment profile assinged to them (IE for their personal iPad) AND has a Corporate iPhone that is enrollmed in Apple DEP? Would the iPhone still not get prompted to select the device type because it is a DEP device even though a user enrollment policy is explicitly assigned to them?
Occasional Contributor
@weberda In the same position now for the past few days
Senior Member

Has anyone been able to actually create a profile?  I get an error every time like the others have stated.

 @Manoj Sood Devices enrolled via Apple DEP cannot be User Enrolled, so the end user will not see this experience in the Company Portal.


@weberda @Nathan Berger @Robin Griffin Due to the nature of the rollout process, not all service component changes may have reached your tenant yet. All changes should be available across all tenants on Monday.

Occasional Contributor

User and Device enrollment depending on what feels appropriate for them. This enrollment type is associated with a Managed Apple ID which supports Azure AD federation in Apple Business Manager.

Wich of the types is associated with Managed Apple ID? 


We’re adding support for Modern Authentication within Setup Assistant for Automated Device Enrollments on iOS and macOS. Our engineering team is hard at work and this should be available later this year.

Looking forward to seeing how it works on the macOS :)

New Contributor

@Tiffany Silverstein - Thank you! It works now.  Can you send the docs for Managed Apple ID over?

Senior Member

@Nathan Berger  I found this: from Apple on creating them but looking forward to official docs from Microsoft.

New Contributor

@Tiffany Silverstein or @Intune Support Team - How can a company enroll into the Apple Business Manager beta for federated Apple ID's?  Apple support does not know of any beta yet. We can only add Managed ID's manually right now. Thanks!

New Contributor

@Tiffany Silverstein and @Intune Support Team - I've got User Enrollment enabled. When I sign into the device (latest iOS 13.1.2) in the Company Portal, it shows "User Enrollment," but when it gets to the profile, it asks me to sign in twice with my Managed Apple ID and does not add it to Settings. The process stops there, and the management profile never applies.  What should the expected behavior be? Nevermind, one of my tokens had expired. Working now.

Regular Contributor

@Nathan Berger The enrollment works fine for me.
See this for how the enrollment looks like

Occasional Contributor
@Deleted How would you "add Managed ID's manually" ???
New Contributor

@Tiffany Silverstein Thank you. Since Monday everything is working!


Biggest issue for now:

Unable to use Apple VPP with User Enrollment. Support hasn't replied yet.

Error code in Intune blade is "VPP requires iOS 9.0+", however I am using the latest iOS 13.1.2 for sure...

Senior Member

Creating managed apple ID's manually is great for testing, however this new enrollment method will not be useful unless federation is enabled. I have no such option in my business manager nor do I see any information about any beta program.


Looking forward to more information.

@Adeel_mattamy1575 Apple will be able to provide instructions on enabling AAD federation when the feature is released in Apple Business Manager.

Occasional Contributor
Hi, Does anyone know how to request access to the Apple Business Manager beta?
New Contributor

@Jose Castillo Soriano - I reached out to Apple Enterprise support about it twice. First time: "The beta features are already live, no need for beta." Second time: "We're not aware of any beta."

I think this might have to wait for a bit. It is possible to enroll through a link I found but if you already have a tenant, it says the beta is closed. I did find one link (may have been that one) where you could enroll a new company, but that doesn't seem like what we want - we need the beta features for existing enrollments. 

No solutions here yet.

Senior Member

Does intune supports iOS 13.1.2 ? Users on iOS 13.1.2 are unable to get the VPN, Wifi certificates.. 

Hi @Nageshr1845, yes Intune supports Apple iOS and iPadOS 9.0 and later which also includes iOS 13.1.2.


Depending on the error you're seeing within the Intune Portal, have a look at our troubleshooting guide: Troubleshoot policies and profiles and in Intune to see if this resolves your issue.


If you continue facing an issue with iOS policies not deploying as expected, please open a support case via the Intune Admin console's Help and Support or any of the methods here, as this will help the team capture all the information needed to resolve the issue. Also, please direct message us with your support case number for follow up.



Occasional Contributor

We already have devices with 13.1.2 installed but still have the SCEP cert problem.

Regular Contributor
Senior Member

Looks like the federated Authentication option just showed up in my business manager,


Q12020 is done. I am still waiting for modern authentification with Cataline and setup assistant. Is there any section on the roadmap?

Regular Contributor

@Intune Support Team @salihzett we`re also waiting for Modern authentication for macOS so we can start using DEP/ ABM for our Mac devices.

Hi @salihzett and @Peter Klapwijk, Thank you for your patience! Though we don't have any dates to share yet, keep an eye out in our In development and What's new docs in the coming months. Stay tuned, it's coming!


@Intune Support Team  2020 is over. Still waiting for Modern Authentication support... is there any updates?

Senior Member

@salihzett  @Intune Support Team  yes take a look at this. What's new in iOS/macOS management with Microsoft Endpoint Manager - Microsoft Tech Community

I still don't understand why users have to authenticate to company portal separately. unfortunately it doesn't solve much for the end-user its still confusing.


Hopefully they can make it one seamless sign in.


@Adeel_mattamy1575 So the video doesn’t work for me “We're sorry, an error has occurred when playing video (video format is not supported).”


but yes, I read this here and I also don’t understand why the company portal is necessary for this. 
I mean the app installation at all is not working smooth, so (I am sure) this would make a lot of issues during the IT onboarding.


@Intune Support Team Why not easy with web sign in? Apple provides this feature for MDM vendors. One of them (mosyle costs $1 per device) provides this and MS cannot so this? I can’t understand this. 
it could be so easy, check the screenshot below.40FF6711-9D8F-408C-B08D-75BD7D02BCAB.jpeg


@Adeel_mattamy1575 after the azure issue is almost fixed, I can see the video. It is cut for iPad remote management and doesn’t show for macOS. But it seems like web sign in although I don’t understand the reason for login in company portal and the description about.

But I am looking forward to see this feature and hope it is free of bugs.

Hi @salihzett@Adeel_mattamy1575, and @Peter Klapwijk, we're excited to announce that Setup Assistant with Modern Auth for ADE (iOS/iPadOS 13+ and macOS 10.15+) is now available in public preview in Intune. To learn more see our blog post here.


@Intune Support Team 

already saw.

Did your team check, if the user is new and MFA is forced for new user, how this user can setup MFA in Setup Assistant with Modern Auth?
Cuz it looks like, it is not possible to scroll and scan the MFA code.


Version history
Last update:
‎Apr 20 2021 01:57 PM
Updated by: