First published on TechNet on Mar 13, 2018 Microsoft Intune and Mobile Device Management (MDM) for O365 both use certificates to ensure there’s a secure communication channel to send mobile device management policies between the service and managed end user devices. As part of enrollment into the service, an end user’s device will be issued a certificate for secure connection. After enrollment, an end user’s device will check back into the service to renew a certificate through the Company Portal app. Typically, this renewal is silent, and is not seen by the end user. However, if the end user is enrolled and has copies of Outlook or OneDrive that do not have Intune App Protection Policies (also known as MAM) associated with them, they may receive a prompt recommending that they open the company portal app.
Here's what the prompt looks like today:
Once the user selects “OK”, and the end user manually opens the Company Portal, the cert is silently renewed. If the end user defers taking any action, they will continue to get prompted several times or until the certificate expires. The device will continue to try renewing the certificate to ensure communication does not get cut off between Intune/MDM for Office 365 and the managed device. In the end, though, if the device does not renew the certificate, it will no longer be able to communicate with the service and your end user will need to launch the CP again for company-managed app access. We leave a long window for the certificate renewal since we know employees take vacation or travel for work and a managed device may be offline for a period of time.
There’s a few ways you can help ease this pop-up experience for your end users:
Please ask your end users to accept this prompt and ask them to open the Company Portal app.
If you’ve got a support team internally, you may want to let them know that end users could see the above company portal message.
Finally, know that Intune does not read your end user’s call history or text messages. You can read up more on what Intune can and can’t access through the site’s below:
We’re taking feedback on what type of warning you would expect and one you think your end users would appreciate. Feel free to leave comments on this post of what your end users would expect. We’ve got work underway to update that message and then ask Outlook and OneDrive to adopt the app SDK. Please keep in mind this does not affect users with App protection policies (also known as MAM) that are not enrolled in the Intune MDM or MDM for Office 365 service.