Move to Setup Assistant with Modern Authentication for Automated Device Enrollment
Published Jul 16 2021 08:53 AM

Updated December 19 2023: We’ve been hard at work to improve the ADE experience through the release of Setup Assistant with modern authentication, Just in Time (JIT) registration and compliance remediation, and the "Await until configuration" setting. Learn more in our blog here: aka.ms/Intune/Improved-ADE.

Setup Assistant with Modern Authentication for Automated Device Enrollment (ADE) was the planned replacement for the ADE enrollment flow and is the Apple-supported path to require authentication before ADE enrollment. Modern Auth uses an OS-provided WebView, so it should be more consistent, stable, and reliable than the Company Portal authentication method (running the Company Portal in Single App Mode until authentication).

We anticipated we’d provide a transition period to move from the Company Portal authentication method (running the Company Portal in Single App Mode until authentication) for ADE to the new enrollment flow for iOS/iPadOS, and had planned on providing time and guidance for a staged migration path. However, while working with Apple on this incident we discovered that Apple removed, in 14.6, the functionality we used for the Company Portal authentication method (running the Company Portal in Single App Mode until authentication) in the ADE enrollment path. This break in the Single App Mode flow is described in the incident post and has led to an expedited move.

Once you move to Setup Assistant with Modern Auth, outside of the better performance, you’ll find one difference that we plan to address in an upcoming release: the Azure Active Directory device registration will need to be completed in the Company Portal by the end user. Generally, the user will be prompted to open the Company Portal when Conditional Access requires a compliant device. You can also give users instructions for launching the Company Portal manually, where they will be prompted to complete the registration after signing in. The device is still managed and secure in this flow; users won’t have access to resources, and policy will be applied as expected, including Single App Mode.


To move to Setup Assistant with Modern Auth for Automated Device Enrollment, you can either:

  • Edit your existing ADE policy to use “Setup Assistant with modern authentication” for authentication. See the screenshot below for where to select this in your existing profile.

[Screenshot: EnrollmentSetupAssistantwithModernAuth.png]

  • Alternatively, create a new enrollment profile set to use Setup Assistant with Modern Auth.

Again, existing enrollments are not affected, as they’ve already authenticated and enrolled. Going forward, this is the new enrollment flow with modern auth using ADE and Single App Mode.

More information:

Prior post content, updated -

Here's the scenario: a user’s automated device enrollment (ADE) through the Company Portal isn't enforcing Single App Mode for devices running iOS/iPadOS 14.6 and later. What this means is that if you select Single App Mode and the device runs into this issue, instead of showing only the Company Portal during enrollment, it allows full access to the device, such as the Home Screen and App Library. Users could go to a browser, for example, and access web resources. Any user-targeted settings will not be applied until the user authenticates using the Company Portal. If devices go to sleep while in this state, they may appear to freeze by no longer accepting input through touch or button press.

Devices affected: New enrollments only; existing devices are not impacted. This affects many, but not all, models running iOS/iPadOS version 14.6 and later and enrolling through the ADE flow with Single App Mode until authentication enabled.

Not affected: Customers using Setup Assistant with Modern Authentication for ADE.

Workarounds: If a device goes into sleep mode or freezes during the enrollment process, a force restart typically returns it to Single App Mode as expected.

Post updates:

8/20/2021 with additional details.

8/26/2021 with additional clarification on running the Company Portal in Single App Mode until authentication for ADE.

9/24/2021 with additional clarification on the workaround.

12/19/23: Added blog: aka.ms/Intune/Improved-ADE.

Brass Contributor

Looks like this is working on iOS 14.7 again. Wiped and re-enrolled a DEP iPhone for which our DEP Profile is set to use "Run Company Portal in Single App Mode until authentication". Received the "Guided access app unavailable..." message and couldn't do anything on the device except wait until CP installed and finished enrolling.

Haven't tested on iPadOS as 14.7 isn't out for iPadOS yet.

Copper Contributor

Issue appears to be fully resolved at this time.

Iron Contributor

Thank you for this update. Will the Setup assistant with modern authentication eliminate the Guided Access app installation step?

Iron Contributor

From this article Upcoming changes to Custom Controls - Microsoft Tech Community, the "Setup Assistant with modern auth" is not compatible with third party MFA services. Will only work with M365 MFA for now. 

Copper Contributor

Once you move to Setup Assistant with Modern Auth, outside of the better performance, you’ll find one difference that we have plans to address in an upcoming release. The Azure Active Directory device registration will need to be completed in the Company Portal by the end user. Generally, the user will be prompted to the Company Portal when Conditional Access requires a compliant device. You can also provide users instructions for how to launch the Company Portal manually where they will be prompted to complete the registration after signing in. The device is still managed and secure in this flow; they won’t have access to resources and policy will be applied as expected, including Single App Mode.


@Intune_Support_Team , What is the plan to address the issue referenced? Per the guidance in this post, we have modified our enrollment process for ADE devices to use Setup Assistant with Modern Auth. We migrated to Intune, at great cost to our organization, for the simpler enrollment process that the Company Portal model provided. The process was very straightforward, and we could ship new devices directly to users. The enrollment process was intuitive and did not require instructions beyond "follow the prompts". With the move to Setup Assistant with Modern Auth, the enrollment process is incredibly inconsistent due to Apple's setup process stepping in, and sometimes on top of, the MS enrollment process; thus requiring an IT resource to help new users set up the new device properly. The time it takes for the company portal app to install, configure itself, then check in, then download apps, then finally configure the apps (specifically authenticator) causes significant confusion oftentimes even when IT resources are involved. 

I understand that this may not have come on Microsoft's timeline, but in the meantime your users are suffering. Please help us. 

Hello @MattShafer, thanks for the feedback. We've followed up with you over a private message to talk through your scenario.

Copper Contributor

Copy-paste, but we have the exact issue and would like someone to reach out.

@Intune_Support_Team , What is the plan to address the issue referenced? Per the guidance in this post, we have modified our enrollment process for ADE devices to use Setup Assistant with Modern Auth. The enrollment process was intuitive and did not require instructions beyond "follow the prompts". With the move to Setup Assistant with Modern Auth, the enrollment process is incredibly inconsistent due to Apple's setup process stepping in, and sometimes on top of, the MS enrollment process; thus requiring an IT resource to help new users set up the new device properly. The time it takes for the company portal app to install, configure itself, then check in, then download apps, then finally configure the apps (specifically authenticator) causes significant confusion oftentimes even when IT resources are involved. 

I understand that this may not have come on Microsoft's timeline, but in the meantime your users are suffering. Please help us. 

Hi @Charlie1965, sorry to hear that you are also experiencing this issue. To help assist better, we have also reached out to you over a private message to talk through your scenario and understand more.

Iron Contributor

What we see is that after the Remote Management screen you get prompted to fill in your credentials.

After about a minute the Conditional Access kicks in and the screen appears that requires the device to be registered, where you have to download the Company Portal app. This process asks to download and install a management profile.

When you go to Settings you see 2 management profiles. One is already installed, and for the other one you have the option to install the profile. But that fails because there is already a profile installed. The result is that you cannot register the device with the Company Portal.

Iron Contributor

I just noticed that after I ignore the iPhone for a couple of minutes the Company Portal screen did not show the options to download a management profile but just the same setup screen you see in the Company Portal app when you use the Company Portal app as the authentication method instead of the Setup Assistant with modern authentication. So it seems there is a delay in recognizing that there is already a management profile installed.

Hi @RonaldvdMeer, thanks for the feedback. We've followed up with you over a private message to talk through your scenario.

Copper Contributor

Hey there, 

@Intune_Support_Team Can you clarify perhaps what action specifically triggers device registration in Intune?

I'm currently testing the modern auth and I noticed that I'm not quite sure at which point the device is registered to Intune as a record.

I am able to sign in during setup, I receive appropriate configuration (apps that I assigned myself and everything), but I don't see the device record in Intune.

I'm not sure if there's a big delay or if I need to sign in to one of Microsoft apps to kick off the registration process.  

Copper Contributor

@Cezary_Horbal 

Logging into the Company Portal app post-enrollment is the final trigger for full device registration using ADE Modern enrollment.

The only way is for users to manually open the Company Portal to trigger this step, or if they try to open another LoB app that is protected by Conditional Access.

Which is why this method is much less robust than Single App config mode was unless all your LoB apps are behind conditional access.

As long as you have any LoB apps that do not support Conditional Access, they will just become available and usable on the device after the Setup Assistant completes, regardless of the registration status of the device.

@Intune_Support_Team 

After all this time what we are really missing for ADE Modern enrollment is a way to Filter devices that are partially enrolled. By that I mean devices that have finished the Setup Assistant, but have not yet logged onto the Company Portal.

Currently we are doing this manually using a very complicated Power Automate flow, so we can make sure we can:

- Only push Company Portal + Authenticator after Setup Assistant finishes

- Only push other LoB apps + policies after the User is signed into the company portal.

This is a really unreliable workaround for something that should be a standard option with this enrollment method.

Copper Contributor

"Once you move to Setup Assistant with Modern Auth, outside of the better performance, you’ll find one difference that we have plans to address in an upcoming release. The Azure Active Directory device registration will need to be completed in the Company Portal by the end user."

 

@Intune_Support_Team We're very much in need of a solution that forces full enrollment. Single App Mode was our plan but it sounds like that is no longer viable. In the text above, are you saying that a future release of "modern authentication" will no longer require the user to use the Company Portal app? The function currently fulfilled by the Company Portal app will then be part of the new web app? If so, any targets on when that might be released for preview?

Thank you

Copper Contributor

Agreed with most of the above. The move to modern auth enrollment is confusing to users and took our config from a single ADFS logon with Okta MFA to 3 ADFS logons with 3 Okta MFA verifications: one for setup, one for Company Portal and one for Outlook. With Single App Mode they only need to ADFS auth once. I don't see how this can work for us.

regards

Copper Contributor

Hi,

We are experimenting with a zero-touch deployment that would force users to register through Company Portal - we think the option 'Run Company Portal in Single App Mode until authentication' within the enrolment profile is perfect for this.

Setup Assistant with Modern Authentication is less desirable, because there is no way to force the user to interact with Company Portal in a zero-touch deployment - we have to guide them to do it.

However, the problem we are seeing is that Company Portal does not download fast enough, meaning the device enters single app mode/kiosk mode first. The only way out of this is to hard reset the device, which is extremely undesirable.

I'm not able to find any information about how to fix this problem. This article seems to be suggesting EPM administrators move away from single app mode and towards Setup Assistant with Modern Authentication - this results in the user being prompted to log into EPM as well as their Apple ID, and the Primary User field in EPM is populated with their name; if this is enough to pull down their user-specific profiles and apps, that's great, but is that the case?

Unfortunately, they still then need to log into Company Portal and go through the 'Get your device managed' process anyway, so from a user point of view this is not as good as single app mode. From my point of view - do they need to go through this process for the device to be evaluated against a compliance profile? In other words, if the end user does not go into Company Portal, will the device be marked as non-compliant in the dash, assuming there's an evaluating profile?

We assume that, in a zero-touch deployment scenario, we can't rely on users to follow instructions to do this voluntarily, nor that they'll be able to do so without issues.

Any advice would be gratefully received.

Robert

Copper Contributor

@kidtrebor , Unfortunately the seamless process you envision did exist, then Apple broke it. Microsoft responded with this post, and has done nothing to improve the experience in the year since. The impression I get from multiple posts and outreach to our enterprise support team is: Setup Assistant with Modern Auth approach works for them in their lab, so it's fixed in their view. When you press them via the product channels the response seems like they are shocked that the clunky Setup Assistant process doesn't satisfy. I wish I had better news for you, but at some point we all need to demand more from Microsoft than the 80% completeness that their solutions represent. 

Copper Contributor

Thanks for your swift reply @MattShafer - I've done a bit more research and the following seems to be the case:

Until Company Policy app login, compliance can't be evaluated (device is non-compliant)

Setup Assistant with Modern Authentication will set the Primary User value, without interacting with Company Portal

I'm right in saying that, so long as the end user's account is registered under Primary User in the device object, they will get their user-specific apps and settings, correct?

If so we can probably live with this, and will just have to frame the Company Policy login as useful from an end user point of view (e.g. they can download a desirable app, or something or other).

Many thanks.

Robert

Copper Contributor

@kidtrebor , It depends on how you are configured. We enforce Conditional Access for all company access, so if the phone is not enrolled and compliant it doesn't get any access or company apps. In our case, until they authenticate and enroll via Company Portal (which is now a user-driven process) they can't get anything. After Company Portal is installed, logged in, and device enrollment takes place, the company configuration profiles begin to apply and company-issued apps install. After this, they need to authenticate to Authenticator, and log into at least one other Office app (SharePoint, OneDrive, etc.) for the setup to be stable. Further, in our case, because the contacts sync through ActiveSync (because Outlook for iOS is so unstable), we use an ActiveSync configuration profile to push contacts and calendar items to the native apps that use them. That requires additional authentication, for a grand total of 5 to configure a phone:

  1. initial remote management profile during iOS setup
  2. Company Portal
  3. Authenticator
  4. Office apps
  5. ActiveSync profile

Copper Contributor

this is great for brand new phones as Company Portal installs shortly after.

However if this is coming from a back up and restore option, Company Portal never installs.

As the restore takes 2-3 hours, I believe Company Portal is timing out and even after the restore finishes it doesn't attempt to install on the iOS.

As a result the user needs to download Company Portal from the App Store, but when they sign in, it attempts to enrol the device again but there is already a management profile on there. Therefore users cannot access the app store in Company Portal.

Is there a fix for this?

Copper Contributor

What about enrolling Windows 10 Devices (Hybrid AzureAD Joined) in Intune after enabling Modern Authentication? We're seeing issues. Anything we need to change in Intune to get these devices to enroll successfully?

Brass Contributor

We have been handling BYOD devices using an optional download of the Company Portal app by our staff members. If they choose, they go into the app store on their devices and download the Company Portal app and run it, all on their own. The Company Portal app then facilitated the secure connection. We are a HIPAA covered entity. We need to be able to push certain configuration polices to BYOD devices.  If the Company Portal app is no longer going to be an option, how are we to facilitate BYOD devices via Intune? 

Copper Contributor

I am trying to setup a new iOS test enrollment profile using Setup Assistant with Modern Authentication but it keeps reverting to Company Portal. I have tried it on a couple of different profiles they all save as Company portal authentication. Any ideas on what I am missing?

Iron Contributor

Setup Assistant with modern authentication is not working as expected for us.
The management profile is automatically downloaded and installed in the background before the Company Portal is installed. But when the Company Portal app is installed automatically (Install Company Portal with VPP) and started, the user is prompted to download the management profile again and it has to be installed manually. So it doesn't detect the already installed management profile.

Does anyone know how to fix that?

And it only happens when I set up a new device and restore an iCloud backup that comes from another device.
Setting up a new iPhone without restoring an iCloud backup works fine.

Copper Contributor

Here's the scenario: User’s automated device enrollment (ADE) through the Company Portal isn't enforcing Single App Mode for devices running iOS/iPadOS 14.6 and later. What this means is that if you select single app mode, and the device runs into this issue, instead of just showing the Company Portal during enrollment, it’s allowing full access to the device, such as the Home Screen and App Library. Users could go to a browser, for example, and access web resources. Any user-targeted settings will not be applied until the user authenticates using the Company Portal. If devices go to sleep while in this state, they may appear to freeze by no longer accepting input through touch or button press.

@Intune_Support_Team I am currently experiencing this exact issue even though people say it has been fixed with later iOS versions. Running iOS 16.4.1 and still getting the freezing / single app mode not automatically running unless I force restart. Is there something that needs to be configured in order for this to work?

I am torn because the 'Setup Assistant w/modern auth' method works great, but zero-touch onboarding of the MS Defender app does not work with this authentication method. So if I can get the Company Portal method working properly I will switch back so I can have Defender onboard silently. Please let me know how to fix this freezing/single app mode issue.

Copper Contributor

@Intune_Support_Team When will this feature work again? We're also using ADE/DEP devices and would like to use the Company Portal in combination while rolling out an iOS device. iOS version 16.4 used with iPhone 12 Pro.

Copper Contributor

Dear Team,

I'm also facing this issue while enrolling a supervised device with single app mode to force the user to sign in with their credentials. But I'm getting an error message on the Home screen: "Guided Access app unavailable. Please contact your administrator". @Intune_Support_Team

Last update: Dec 19 2023 04:37 PM