Setup Assistant with Modern Auth for ADE (iOS/iPadOS 13+ and macOS 10.15+) - Intune Public Preview

Published 04-20-2021 08:00 AM

We’re excited to announce support for a new authentication method for Automated Device Enrollment (ADE): Setup Assistant with Modern Authentication. This authentication method is available in public preview in Microsoft Endpoint Manager for iOS/iPadOS devices running 13.0 and later and for macOS devices running 10.15 and later.

Overview

This new authentication method for automated device enrollment allows your organization to require authentication with Azure AD (required) and multi-factor authentication (optional) in order to enroll the device. The end user is required to authenticate with their Azure AD credentials during Setup Assistant, followed by an additional Azure AD login to the Company Portal after enrollment. If the admin has a Conditional Access policy that requires multi-factor authentication (at enrollment only, or at enrollment and Company Portal login), then MFA is required; otherwise it is optional. This benefits organizations that want to require authentication in the out-of-box experience (OOBE), during enrollment in the Setup Assistant screens, before users can reach the home screen.

Enrollment is completed once the user lands on the home screen, and users can freely use the device for resources not protected by Conditional Access. User affinity is established when users land on the home screen after the setup screens; however, the device will not be fully registered with Azure AD until the Company Portal login. The device will not show up in a given user's device list in the Azure AD portal until that login. The additional Azure AD login to the Company Portal app is what completes Azure AD registration.

When creating an Automated Device Enrollment profile, you'll be able to choose a new authentication method: Setup Assistant with modern authentication (preview). This method provides all the security of authenticating with the Company Portal but avoids leaving end users stuck on a device they can't use while the Company Portal installs. With this authentication method, the user has to authenticate using Azure AD credentials during the Setup Assistant screens, and an additional Azure AD login in the Company Portal app is required post-enrollment to gain access to corporate resources protected by Conditional Access. For iOS/iPadOS, the correct Company Portal version is automatically sent down to the device as a required app; we recommend choosing a VPP token for the enrollment profile so that this install needs no user interaction. Otherwise, it will only be sent down if the end user completes setting up their Apple ID during the Setup Assistant screens. For macOS, the options for getting the Company Portal onto the device are described in Add the Company Portal for macOS app - Microsoft Intune | Microsoft Docs.

If the admin configures a Conditional Access policy to require multi-factor authentication (MFA), the end user will need a second device to complete MFA. Multi-factor authentication is optional and depends on the configuration of the MFA settings in Azure AD.

Company Portal Redirection

A new improvement we’ve made to our onboarding experience helps guide end users to complete that second Azure AD authentication by automatically redirecting to the iOS/iPadOS Company Portal when the user attempts to access corporate data.


If users open any managed iOS/iPadOS applications that are protected by Conditional Access and they haven't completed the additional Azure AD login into the iOS/iPadOS Company Portal, they will be redirected to the iOS/iPadOS Company Portal from those other apps as part of this new change. This way, users will know exactly where to go to get access to resources protected by Conditional Access and will be guided to complete that last step.


Here is what it will look like if the end user tries to open any app protected by Conditional Access before authenticating in the Company Portal:

[Figure: Conditional Access block screen]

[Figure: System prompt that opens the iOS/iPadOS Company Portal]

Configuration in Microsoft Endpoint Manager admin center

Learn how to configure the new Setup Assistant with Modern Authentication for iOS/iPadOS and macOS in the Microsoft Endpoint Manager admin center by reading Enroll iOS/iPadOS devices by using ADE - Microsoft Intune | Microsoft Docs and Enroll macOS devices - Apple Business Manager or Apple School Manager | Microsoft Docs. Within the MEM admin center, you can control where a user is prompted for multi-factor authentication by targeting different cloud apps (Microsoft Intune, Microsoft Intune Enrollment) when creating a Conditional Access policy. The following screenshot provides an example of the prompt locations:

[Figure: MFA prompt locations for Microsoft Intune and Microsoft Intune Enrollment]

Using the enrolled device with user device affinity but without Azure AD registration

For both iOS/iPadOS and macOS, user device affinity in Intune is established when users land on the home screen after the setup screens. However, the device will not be fully registered with Azure AD until the additional Company Portal login mentioned above. That is also when device compliance is assessed and the device shows up as compliant in the Microsoft Endpoint Manager admin center. If you would like to keep the device fully enrolled with Intune but without Azure AD registration, that is also supported.

Once enrollment is completed during Setup Assistant, the end user lands on the home screen and can freely use the device. If there are no resources protected by Conditional Access and if Azure AD registration is not required, then this authentication method can be used to fully enroll the device. Note the following device behavior if you choose this automated device enrollment flow without guiding end users to login to the Company Portal post enrollment:

  • The device will not show up in a given user’s device list in the Azure AD portal (since there is no device identity association within Azure AD).
  • The device will not show up as compliant in the Microsoft Endpoint Manager admin center.
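
The two device states described above (enrolled with user affinity, and Azure AD registered after the Company Portal login) are easy to confuse in an inventory, so here is an added audit script, not part of the original post or of Intune itself. It assumes that exported device records use the Microsoft Graph managedDevice field names (deviceEnrollmentType, azureADRegistered, complianceState, userPrincipalName); the records below are constructed for the example, and the script reports which users still owe a Company Portal sign-in on which devices, plus any record that is marked compliant although it has not completed Azure AD registration.

```python
"""Audit Intune-managed Apple devices enrolled through ADE with Setup Assistant
with modern authentication: find devices that have user affinity but still lack
the Azure AD registration that only the Company Portal sign-in completes.

The records below are constructed for this example. The field names follow the
Microsoft Graph managedDevice resource as an assumption about what an export
looks like; nothing here was captured from a real tenant.
"""
from collections import defaultdict

# Constructed sample of exported device records (not real tenant data).
SAMPLE_DEVICES = [
    {"deviceName": "iPad-0001", "operatingSystem": "iOS",
     "deviceEnrollmentType": "appleBulkWithUser",
     "userPrincipalName": "alice@contoso.example",
     "azureADRegistered": False, "complianceState": "unknown"},
    {"deviceName": "iPad-0002", "operatingSystem": "iOS",
     "deviceEnrollmentType": "appleBulkWithUser",
     "userPrincipalName": "alice@contoso.example",
     "azureADRegistered": True, "complianceState": "compliant"},
    {"deviceName": "Mac-0007", "operatingSystem": "macOS",
     "deviceEnrollmentType": "appleBulkWithUser",
     "userPrincipalName": "bob@contoso.example",
     "azureADRegistered": False, "complianceState": "compliant"},
    {"deviceName": "Kiosk-0003", "operatingSystem": "iOS",
     "deviceEnrollmentType": "appleBulkWithoutUser",
     "userPrincipalName": "",
     "azureADRegistered": False, "complianceState": "notApplicable"},
]


def has_user_affinity(device):
    """ADE enrollment with an assigned user; userless (shared/kiosk) ADE is excluded."""
    return (device.get("deviceEnrollmentType") == "appleBulkWithUser"
            and bool(device.get("userPrincipalName")))


def awaiting_company_portal_login(device):
    """Enrolled with user affinity but not Azure AD registered: the user finished
    Setup Assistant and still owes the Company Portal sign-in."""
    return has_user_affinity(device) and not device.get("azureADRegistered", False)


def compliance_before_registration(device):
    """The post says compliance is assessed at the Company Portal login, so a
    'compliant' record with no Azure AD registration deserves a second look."""
    return (awaiting_company_portal_login(device)
            and device.get("complianceState") == "compliant")


def audit(devices):
    """Group pending Company Portal sign-ins by user and list records whose
    compliance state is set although Azure AD registration has not happened."""
    pending = defaultdict(list)
    anomalies = []
    for d in devices:
        if awaiting_company_portal_login(d):
            pending[d["userPrincipalName"]].append(d["deviceName"])
        if compliance_before_registration(d):
            anomalies.append(d["deviceName"])
    return {"pending_by_user": dict(pending),
            "compliant_but_unregistered": anomalies}


if __name__ == "__main__":
    report = audit(SAMPLE_DEVICES)
    for upn, names in report["pending_by_user"].items():
        print(f"{upn}: Company Portal sign-in still needed on {', '.join(names)}")
    for name in report["compliant_but_unregistered"]:
        print(f"{name}: compliant without Azure AD registration, verify manually")
```

Devices in the pending list are exactly those that will not appear in the user's Azure AD device list and cannot satisfy a Conditional Access policy until the Company Portal sign-in is done.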

 

Keep in mind

  • If you choose "Setup Assistant with Modern Authentication" as the authentication method when creating a profile for a device not running the correct software version, users will fall back to the legacy Setup Assistant Automated Device Enrollment flow.
  • For iOS/iPadOS, we recommend selecting to install the Company Portal app from a VPP token in the enrollment profile. When VPP is used, the application can be downloaded and installed without user interaction. When VPP isn't used, an Apple ID is required to install the application. If the user doesn't log into an Apple ID during Setup Assistant, they will be prompted to log in when Intune attempts to install the Company Portal.
    ◦ For more information about connecting Intune to the Apple Volume Purchase Program (VPP), see Manage Apple volume-purchased apps - Microsoft Intune | Microsoft Docs. Once you have connected to VPP, you can add the Company Portal app to your Apple Business Manager/Apple School Manager inventory so it can be assigned through Intune.

Let us know if you have any questions by commenting on this post or reaching out to @IntuneSuppTeam on Twitter.

7 Comments
Occasional Visitor

I am trying this out on an iPad. The modern auth is working in the setup assistant and the device gets a management profile applied in this process.

However, from the launcher, using 'comp portal' shows the device as not enrolled and tries to download a new management profile from the workflow; the profile downloads and fails to install, and the device doesn't end up compliant as a result.

Not sure if it is intentional to have the device try to get a new management profile after it already has one applied from the setup assistant.

Occasional Contributor

Hi all,
I also experienced the same issue, and this experience is similar to when you set up an enrollment profile without user affinity and then try to enroll a device linked to this profile.

I'll describe the user experience here to help everyone understand.

User experience:

Language > Country/Region > Network > Device activation + Getting settings > Remote Management > Getting settings from "Company Name" > Passcode > ...

Note: "Getting settings from "Company Name"" means that the device gets the ADE settings from Intune, so the first management profile is downloaded and applied here.

After the Company Portal is installed and the user starts the device enrollment, another management profile is also downloaded, and this one cannot be installed due to a conflict.

I hope all those scenarios will find solutions.

cc: @Intune Support Team

Regards,

AEL

Occasional Visitor

I have made some progress.

Under DEP Profile, tenant admin > customization, I changed the setting 'Device enrollment' from 'Available, with prompts' to 'Available, no prompts'. Additionally, I removed my own account as an enrollment manager.

With these two steps, the additional profile download is no longer occurring. In "Comp Portal" under 'Devices' it says "Register this device" for my iPad, but the iPad is otherwise compliant with policies, is shown in the endpoint manager, and I am able to use functions from there on the device.

Let us know if any of this is expected.

Thanks,

Hi @kpax-io and @Aldo ELIAS, thank you for your feedback! It's helpful for us while this feature is in public preview and we work through issues that are found. We will take this issue back to the team to investigate. At the point of signing into the Company Portal, the device is already enrolled and there should not be an additional management profile coming down. While we don't have a specific fix right now, please make sure you are not sending down any app config policies targeted at the iOS/iPadOS Company Portal app if enrolling your device with setup assistant with modern authentication for iOS/iPadOS. For iOS/iPadOS, the correct app config is already being applied automatically behind the scenes in the enrollment profile, so no app config is needed for the iOS/iPadOS Company Portal. Sending down an additional app config in this case may result in an error. We’ll keep this post updated as we learn more. Thanks!

New Contributor

@Intune Support Team Thank you for sharing the feature update. Definitely this is exciting and adds a lot of benefits.

I would like to share the observation that, once the device lands on the home screen and the Company Portal is installed, the device checks in automatically, a device record is created in the MEM console, and the device is marked compliant without having to manually log in to the Company Portal.

Note: the article described that CP login is required once the device lands on the home screen to access CA-protected apps.

When (date) will Setup Assistant with Modern Auth be generally available?
What is the risk in testing this feature on production devices? Anything specific we need to be careful of?

Occasional Contributor

Hi @gokulansubramani,

Only the context of your company can help you with this kind of decision.

I recommend testing using spare devices, and if you feel confident enough to try with production devices, you accept the risk of enhancements or changes after the product team changes something. You also have to consider your rollback capabilities and your business impact for each scenario.

@Intune Support Team can also advise.

BR,

AEL

Version history
Last update: Apr 22 2021 10:31 AM