Blog Note – This only impacts iOS/iPadOS device enrollment using Apple Configurator – Setup Assistant – as documented here: iOS/iPadOS device enrollment - Apple Configurator-Setup Assistant - Microsoft Intune | Microsoft Docs. Only the Setup Assistant workflow is affected; all other iOS/iPadOS enrollment workflows are not.
We recently posted IT234239 on the Service Health Dashboard. Unfortunately, as part of this incident, we have confirmed that there is a certificate mismatch between Apple Configurator profiles and the Intune certificate issuing service for iOS/iPadOS enrollment through this setup experience. Existing devices remain enrolled, because they have already established trust through the Apple Configurator Setup Assistant workflow. However, if you plan to enroll new devices in the next few weeks, there is one set of steps to follow now to enroll new devices, and then, once the certificate update is complete, a quick profile update to ensure new enrollments succeed.
How will you know you are affected?
- You use Apple Configurator – Setup Assistant – for enrollment.
- You have an enrollment profile that has historically worked to enroll new devices, but now those new devices (userless or user-based) fail enrollment. The device logs either show an error indicating no response from the service, or enrollment fails before any error is logged.
Steps for new enrollments between January 14, 2021 and February 10, 2021:
For enrollment in the next few weeks until the new certificates described in MC225591 and also described in this blog post are fully deployed across the entire service, you’ll want to add the Baltimore CyberTrust Root Certificate back to the list of certificates in your profile to ensure that enrollment can complete through setup assistant.
Here are the steps you’ll take on a macOS device per the instructions here: iOS/iPadOS device enrollment - Apple Configurator-Setup Assistant - Microsoft Intune | Microsoft Docs:
1. Navigate to https://enrollment.manage.microsoft.com/EnrollmentServer/Discovery.svc/iOS/ESProxy. This will load an empty page.
2. Download the Baltimore CyberTrust Root certificate. You can read more about getting the Baltimore CyberTrust Root certificate here: Configure Trusted Roots and Disallowed Certificates | Microsoft Docs. NOTE: In Microsoft Edge or Chrome, click the padlock next to the URL, click "Certificate", select the Baltimore CyberTrust Root certificate, and then drag the large icon to the Desktop. In Safari, click the padlock next to the URL, click "Show Certificate", select the Baltimore CyberTrust Root certificate, and then drag the large icon to the Desktop.
3. In the Microsoft Endpoint Manager admin center, under Home > Devices > iOS/iPadOS > Apple Configurator, select the profile, and then select "Export Profile".
4. Copy the Profile URL from the blade.
5. In Apple Configurator 2, right-click the device and select "Prepare".
6. Choose "Manual Configuration" in the "Prepare with:" drop-down.
7. Select "New Server" and paste the URL from step 4 into the "Host name or URL" text box.
8. On the "Define an MDM Server" step, click the + icon and select the Baltimore CyberTrust Root certificate from where you downloaded it.
9. Click "Next" and proceed as usual.
This is a temporary measure that lets enrollment complete until the new certificates are fully deployed.
Steps for new enrollments after February 10, 2021:
Note: Please follow the steps below only if new enrollment fails.
If you’re looking to enroll a device through Apple Configurator after the certificate update is completed, the Apple Configurator profile will need to be updated to point to the new certificate. We expect the new certificate rollout to be completed after February 10, but again check this blog post for additional information on the certificate rotation. For this step, you’ll just need to “touch” your profile (which causes it to resync). Creating a new Apple Configurator profile will have the same effect, so we recommend going with whatever is easiest for you.
Re-export the profile URL and paste it again into your server list in Apple Configurator 2. Completing these steps ensures all components involved in your enrollment profile work as expected.
1. In the Microsoft Endpoint Manager admin center, under Home > Devices > iOS/iPadOS > Apple Configurator, select the profile, and then select "Export Profile".
2. Copy the Profile URL from the blade.
3. In Apple Configurator 2, right-click the device and select "Prepare".
4. Choose "Manual Configuration" in the "Prepare with:" drop-down.
5. Select "New Server" and paste the Profile URL you copied in step 2 into the "Host name or URL" text box.
6. Click "Next" and proceed as usual.
Let us know if you have any questions on the steps in this post. Tag @IntuneSuppTeam on Twitter for any questions too!
Blog post updates:
3/1: Updated post to clarify the steps as noted under section "Steps for new enrollments after February 10, 2021" are only needed if new enrollment fails.
3/26: Updated the steps for new enrollments after February 10, 2021.