Blog Note – This only impacts iOS/iPadOS device enrollment using Apple Configurator – Setup Assistant – as documented here: iOS/iPadOS device enrollment - Apple Configurator-Setup Assistant - Microsoft Intune | Microsoft Doc.... Only the Setup Assistant workflow is impacted – all other iOS/iPad enrollment workflows are not affected.

We recently posted IT234239 on the Service Health Dashboard. Unfortunately, as part of this incident, we have confirmed that there is a certificate mismatch between Apple Configurator profiles and the Intune certificate issuing service for iOS/iPadOS enrollment through this setup experience. Existing devices remain enrolled, as they have already established trust through the Apple Configurator Setup Assistant workflow. However, if you plan to enroll new devices in the next few weeks, there is one set of steps to follow after this incident to enroll new devices, and then, once the certificate update is completed, a quick profile update to ensure new enrollments are successful.

How will you know you are affected?

  • You use Apple Configurator – Setup Assistant – for enrollment.
  • You have an enrollment profile that has worked historically to enroll new devices, but now those new devices (userless or user-based) fail enrollment. The device logs either indicate that there is no service response, or enrollment fails without any error being logged.

Steps for new enrollments between January 14, 2021 – February 10, 2021:

For enrollment in the next few weeks until the new certificates described in MC225591 and also described in this blog post are fully deployed across the entire service, you’ll want to add the Baltimore CyberTrust Root Certificate back to the list of certificates in your profile to ensure that enrollment can complete through setup assistant.

Here are the steps you’ll take on a macOS device per the instructions here: iOS/iPadOS device enrollment - Apple Configurator-Setup Assistant - Microsoft Intune | Microsoft Doc...:

  1. Navigate to https://enrollment.manage.microsoft.com/EnrollmentServer/Discovery.svc/iOS/ESProxy. This will load an empty page.
  2. Download the Baltimore CyberTrust Root certificate. You can read more about getting the Baltimore CyberTrust Root certificate here: Configure Trusted Roots and Disallowed Certificates | Microsoft Docs. NOTE: In Microsoft Edge or Chrome, this can be done by clicking the padlock next to the URL, clicking "Certificate", selecting the Baltimore CyberTrust Root certificate and then dragging the large icon to the Desktop. In Safari, this can be done by clicking the padlock next to the URL, clicking "Show Certificate", selecting the Baltimore CyberTrust Root certificate and then dragging the large icon to the Desktop.
  3. In the Microsoft Endpoint Manager admin center, under Home > Devices > iOS/iPadOS > Apple Configurator, select the profile, and then select "Export Profile".
  4. Copy the Profile URL from the blade.
  5. In Apple Configurator 2, right click the device and select "Prepare".
  6. Choose "Manual Configuration" in the "Prepare with:" drop down.
  7. Select "New Server" and paste the URL from step 4 into the "Host name or URL" text box.
  8. In "Define an MDM Server", click the + icon and select the Baltimore CyberTrust Root certificate from where you downloaded it.
  9. Click "Next" and proceed as usual.

This will ensure that, for a short period of time, enrollment proceeds as necessary.
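Because the file selected in step 8 becomes a trust anchor for enrollment, it is worth confirming that it really is the expected root before adding it. The shell functions below are an added example, not part of the original post or of Microsoft's or Apple's tooling; the function names and file path are illustrative, and the expected SHA-256 fingerprint is assumed to be taken from the CA's own published value.

```bash
#!/usr/bin/env bash
# Added example: vet a root certificate file before pinning it as an MDM
# trust anchor. Function names are illustrative; only stock openssl is used.

# Emit the certificate as PEM. A certificate dragged out of a browser on
# macOS is usually DER (.cer); other exports are PEM, so try both.
cert_to_pem() {
  openssl x509 -in "$1" -inform PEM -outform PEM 2>/dev/null ||
    openssl x509 -in "$1" -inform DER -outform PEM 2>/dev/null
}

# SHA-256 fingerprint as uppercase hex without separators.
cert_sha256() {
  cert_to_pem "$1" | openssl x509 -noout -fingerprint -sha256 |
    sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# check_root FILE EXPECTED_CN EXPECTED_SHA256
# Returns 0 only if FILE parses as X.509, its subject carries EXPECTED_CN,
# subject and issuer names are identical (a root, not an intermediate or
# leaf), and the fingerprint equals the value obtained out of band.
check_root() {
  local file="$1" want_cn="$2" want_fp tmp subject s_hash i_hash rc=0
  want_fp=$(printf '%s' "$3" | tr -d ': ' | tr 'a-f' 'A-F')
  tmp=$(mktemp) || return 2
  if ! cert_to_pem "$file" > "$tmp"; then
    echo "not a readable X.509 certificate: $file" >&2
    rm -f "$tmp"; return 2
  fi
  subject=$(openssl x509 -in "$tmp" -noout -nameopt RFC2253 -subject)
  case "$subject" in
    *"CN=$want_cn"*) ;;
    *) echo "unexpected subject: $subject" >&2; rc=1 ;;
  esac
  s_hash=$(openssl x509 -in "$tmp" -noout -subject_hash)
  i_hash=$(openssl x509 -in "$tmp" -noout -issuer_hash)
  if [ "$s_hash" != "$i_hash" ]; then
    echo "subject and issuer differ: not a root certificate" >&2; rc=1
  fi
  if [ "$(cert_sha256 "$tmp")" != "$want_fp" ]; then
    echo "SHA-256 fingerprint does not match the expected value" >&2; rc=1
  fi
  # Expiry is reported as a warning only; it does not change the result.
  openssl x509 -in "$tmp" -noout -checkend 0 >/dev/null ||
    echo "warning: certificate has expired" >&2
  rm -f "$tmp"
  return "$rc"
}

# Usage (path and fingerprint are placeholders to fill in):
#   check_root ~/Desktop/root.cer "Baltimore CyberTrust Root" "<SHA-256 from the CA>"
```

A non-zero exit means the file should not be added in Apple Configurator 2 until the discrepancy is explained.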

Steps for new enrollments after February 10, 2021:

If you’re looking to enroll a device through Apple Configurator after the certificate update is completed, the Apple Configurator profile will need to be updated to point to the new certificate. We expect the new certificate rollout to be completed after February 10, but again check this blog post for additional information on the certificate rotation. For this step, you’ll just need to “touch” your profile, which will get the profile to resync. Creating a new Apple Configurator profile will have the same effect, so we recommend going with what’s easiest for you.

In Apple Configurator 2, right click the devices and select Re-export the URL and repaste that into your server list in Apple Configurator 2. When you go through the resolution, it will ensure all components involved in your enrollment profile work as expected.

  1. Navigate to https://enrollment.manage.microsoft.com/EnrollmentServer/Discovery.svc/iOS/ESProxy. This will load an empty page.
  2. In the Microsoft Endpoint Manager admin center, under Home > Devices > iOS/iPadOS > Apple Configurator, select the profile, and then select "Export Profile".
  3. Copy the Profile URL from the blade.
  4. In Apple Configurator 2, right click the device and select "Prepare."
  5. Choose "Manual Configuration" in the "Prepare with:" drop down.
  6. Select "New Server" and paste the URL from step 3 into the "Host name or URL" text box.
  7. Click "Next" and proceed as usual.

Let us know if you have any questions on the steps in this post. Tag @IntuneSuppTeam on Twitter for any questions too!

3 Comments
Microsoft

Useful information for customers with iOS enrollment and TS

Senior Member

Thank you for your help & investigation! (I asked your support team about this issue in December 2020.)

Occasional Visitor

Our organization has been battling this since November of last year - our new iOS devices would not enroll in Intune MDM using Apple Configurator 2. Started with Apple of course, and they could not figure it out, essentially gave up and said all I could do was pay for an engineering consulting engagement (starting at $800 per incident). Seriously? Totally unimpressed with Apple - they would not even look at the log files being generated by the iPad that clearly showed it was a connection issue caused by an untrusted certificate.

Opened a Microsoft ticket and provided them the iPad log file. Took a few weeks and escalation but they figured it out and provided me this link and walked me through the workaround. Someone at Microsoft needs to send this information over to Apple support.