Blog Note – This only impacts the iOS/iPadOS device enrollment using Apple Configurator – Setup Assistant – as documented here: iOS/iPadOS device enrollment - Apple Configurator-Setup Assistant - Microsoft Intune | Microsoft Doc.... Only setup assistant workflow is impacted – all other iOS/iPad enrollment workflows are not affected.
We recently posted IT234239 on the Service Health Dashboard. Unfortunately, as part of this incident, we have confirmed that there is a certificate mismatch between Apple Configurator profiles and the Intune certificate issuing service for iOS/iPadOS enrollment through this setup experience. Existing devices remain enrolled as they have already established trust through the Apple configurator setup assistant workflow. However, if you plan to enroll new devices in the next few weeks there’s one set of steps post incident to enroll new devices, and then when the certificate update is completed, a quick profile update to ensure new enrollments are successful.
How will you know you are affected?
Steps for new enrollments between January 14, 2021- February 10, 2021:
For enrollment in the next few weeks until the new certificates described in MC225591 and also described in this blog post are fully deployed across the entire service, you’ll want to add the Baltimore CyberTrust Root Certificate back to the list of certificates in your profile to ensure that enrollment can complete through setup assistant.
Here are the steps you’ll take on a macOS device per the instructions here: iOS/iPadOS device enrollment - Apple Configurator-Setup Assistant - Microsoft Intune | Microsoft Doc...:
This will ensure for a short period of time enrollment proceeds as necessary.
Steps for new enrollments after February 10, 2021:
Note: Please follow the steps below only if new enrollment fails.
If you’re looking to enroll a device through Apple Configurator after the certificates update is completed, the Apple Configurator profile will need to be updated to point to the new certificate. We expect the new certificate rollout to be completed after February 10, but again check this blog post for additional information on the certificate rotation. For this step, you’ll just need to “touch” (which will get the profile to resync) your profile. Creating a new Apple Configurator profile will have the same effect, so we recommend going with what’s easiest for you.
In Apple Configurator 2, right click the devices and select Re-export the URL and repaste that into your server list in Apple Configurator 2. When you go through the resolution, it will ensure all components involved in your enrollment profile work as expected.
Let us know as if you have any questions on the steps in this post. Tag @IntuneSuppTeam in Twitter for any questions too!
Blog post updates:
3/1: Updated post to clarify the steps as noted under section "Steps for new enrollments after February 10, 2021" are only needed if new enrollment fails.
3/26: Updated the steps for new enrollments after February 10, 2021.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.