Support for Multi-token DEP and Authentication with Company Portal

Published Oct 30 2018 11:24 AM

First published on TechNet on Feb 08, 2018
We’ve introduced a new experience to make it easier for you to manage iOS device enrollment through Apple’s Device Enrollment Program (DEP), Apple School Manager (ASM), or Apple Configurator. With Intune support for multi-token DEP, we aim to address scenarios where you have multiple tokens, for example when you purchase devices from several DEP resellers, have multiple DEP accounts, or are migrating devices from other MDM vendors.

This new release will provide a richer experience while basic functionality remains the same. You will be able to assign enrollment profiles, push configurations and enroll devices as before, while being able to manage devices in groups separated by tokens.

As part of this new experience, to support modern authentication such as multi-factor authentication (MFA), admins will be given the option to authenticate with Company Portal instead of Apple Setup Assistant when enrolling devices with user affinity. With this option, end users will be asked to enter their credentials in the Company Portal app, which will be automatically installed.

Note: Admins can provision Company Portal during DEP enrollment as a VPP app or an App Store app. An Apple ID is not required for enrolling devices with user affinity and authenticating with Company Portal when using VPP. To use VPP upgrade, indicate which VPP token should be used in the enrollment profile; users will then no longer be prompted for an Apple ID. If the token expires or runs out of device licenses for the Company Portal app, Intune will install the App Store Company Portal, which will prompt for an Apple ID. Admins now have the ability to lock Company Portal in Single App mode, so users have to sign in to the Company Portal before getting access to the device.

More information about enrolling iOS devices with Apple’s enrollment programs can be found at Enroll iOS devices in Intune. Click on the relevant link on that page to see screenshots of the current and new user interface (UI).

Experience for new customers

Any new trial or paid tenants created on or after February 7 will automatically see the new workflow and UI in their console immediately or after they log out and log in again. For these tenants, when they select ‘Enroll with User Affinity’, the default setting will be to Authenticate with Company Portal, which they can change if needed.

Experience for existing customers

For existing customers, we’ll need to enable this feature in the backend, to make sure there is no impact to your end users. We’ll notify you through Message Center when your tenant is enabled for this feature. Again, there will be no end user impact to currently enrolled devices. After migration, you will see the modified workflow in the console, along with the option to authenticate with Company Portal. If you want to use authentication with Company Portal, you should edit your existing profiles or create a new profile with the feature enabled and assign them to devices.

Note that existing customers who want to try out the new feature by creating a new tenant will not be able to use an existing token. Using an existing token will cause the token upload to fail. In such cases, we recommend that you create a new MDM server on Apple, generate a new PEM file with a new account, upload the PEM file to the MDM server, and get a new token. You can then upload this token to the new account.

Beta Graph APIs

Please note that any beta graph APIs you are currently using for DEP will no longer work after you are enabled for the multi-token DEP scenario. Below is a list of beta APIs that will not be available for use:

These beta graph APIs are now available for multi-token DEP:

Onboarding APIs

Enrollment Profile


Please refer to the Changelog for Microsoft Graph for an updated list of changes in Microsoft Graph APIs.

Planned Schedule

We’ll update this section with our schedule to move existing customers to the new experience, so you’ll know when you can expect to see this in the console.

We've started moving customers over to the new experience by scale unit. We'll notify you through the Message Center when the new features have been completely enabled for your account.

Let us know if you have any questions!

Post updates:

2/22/18: Updated to include list of beta APIs that will not be available for use with multiple tokens in DEP.

4/5/18: Updated Planned Schedule section

5/9/18: Updated to include requirement of Apple ID when enrolling devices with user affinity

8/27/18: Updated to include requirement of Apple ID when enrolling devices with Company Portal

8/27/18: Updated to indicate Apple ID is not required if VPP is set up a certain way

9/10/18: Updated to indicate availability of Single App mode

9/14/18: Updated to indicate the beta graph APIs that are now available

Version history
Last update: Oct 30 2018 03:40 PM