In April, we announced a new authentication method for Automated Device Enrollment (ADE): Setup Assistant with modern authentication. This authentication method is available for iOS/iPadOS devices running 13.0 and later and for macOS devices running 10.15 and later in Microsoft Endpoint Manager. For details on this authentication method, see our previous post: Setup Assistant with Modern Auth for ADE (iOS/iPadOS 13+ and macOS 10.15+) - Intune Public Preview.
After a user enrolls a device with Setup Assistant with modern authentication, the home screen appears and they can freely use the device while apps and policies are delivered. By default, newly enrolled devices automatically check in with Intune every 15 minutes for 1 hour, and then around every 8 hours, so some policies might not apply and some apps might not install until the next check-in. To ensure that policies and apps are delivered to a device at the initial post-enrollment check-in, use filters to narrow the assignment scope of a policy.
Depending on the number of apps and policies you deploy to your user groups, not all of them might apply to devices immediately after enrollment. However, filters will significantly speed up the delivery to devices once enrollment is complete, and prior to user authentication in the Company Portal app.
For automated device enrollment scenarios where the authentication method is Setup Assistant with modern authentication, you can create a filter rule based on the enrollment profile name (enrollmentProfileName). You can filter on other properties, such as DeviceName, to include/exclude user groups or devices with device configuration policies, endpoint security policies, and applications, to achieve the same outcome. For information on supported workloads, see List of platforms, policies, and app types supported by filters in Microsoft Endpoint Manager.
Important: Don’t change the name of the enrollment profiles you are using with filters, otherwise the targeting will not apply.
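The note above means a renamed enrollment profile silently breaks every filter rule that still names the old profile. The following is an added example, not code from Microsoft or Intune: it scans filter rules for enrollmentProfileName literals that no longer match any enrollment profile. The profile names, filter names and the function name are constructed for illustration, and the input is assumed to be a list of filter display names and rule strings you have exported from your tenant.

```python
import re

# One clause: device.enrollmentProfileName -<operator> "value" | ["v1", "v2"]
CLAUSE = re.compile(
    r'device\.enrollmentProfileName\s+-(\w+)\s+(\[[^\]]*\]|"[^"]*")',
    re.IGNORECASE,
)
LITERAL = re.compile(r'"([^"]*)"')


def stale_profile_references(filters, profile_names):
    """Return (filter name, operator, literal) for each enrollmentProfileName
    literal in a filter rule that matches no existing enrollment profile."""
    findings = []
    for flt in filters:
        for op, operand in CLAUSE.findall(flt["rule"]):
            op = op.lower()
            for literal in LITERAL.findall(operand):
                if op == "startswith":
                    ok = any(p.startswith(literal) for p in profile_names)
                elif op in ("contains", "notcontains"):
                    ok = any(literal in p for p in profile_names)
                else:  # -eq, -ne, -in, -notIn: exact match, deliberately strict on case
                    ok = literal in profile_names
                if not ok:
                    findings.append((flt["displayName"], op, literal))
    return findings


# Constructed sample data, not exported from a real tenant.
PROFILES = ["ADE-iOS-ModernAuth", "ADE-macOS-ModernAuth"]
FILTERS = [
    {"displayName": "iOS ADE modern auth",
     "rule": '(device.enrollmentProfileName -eq "ADE-iOS-ModernAuth")'},
    # Profile was renamed after this filter was written: rule is now stale.
    {"displayName": "macOS ADE modern auth",
     "rule": '(device.enrollmentProfileName -eq "ADE-macOS-SetupAssistant")'},
    {"displayName": "Kiosk iPads",
     "rule": '(device.deviceName -startsWith "KIOSK") and '
             '(device.enrollmentProfileName -in ["ADE-iOS-ModernAuth", "ADE-iOS-Shared"])'},
    {"displayName": "iPads by model", "rule": '(device.model -startsWith "iPad")'},
]

if __name__ == "__main__":
    for name, op, literal in stale_profile_references(FILTERS, PROFILES):
        print(f'{name}: -{op} "{literal}" matches no enrollment profile')
```

Running a check like this before and after any enrollment profile change shows which security or configuration policies would stop targeting newly enrolled devices.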
If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.