SOLVED

Change DEP User affinity

Copper Contributor

Hi all,

I've a question about IOS & DEP profiles in Intune.


At a customer, we've a lot of iPhones (with DEP) enrolled in our organization. Now we've implement MFA and it's not possible to enroll the devices because the MFA is showing up.

I found in another blog that it happens because we've set the enroll profile is set on:

"Enroll without User Affinity". That should be changed to "Enroll with User Affinity".


My Question is, when we change this, what will happen with all the devices we've already enrolled? Will they hit by this change? If Yes, what will be happen on the already enrolled devices?


Thanks in advance.

4 Replies
best response confirmed by Dennis Blotenburg (Copper Contributor)
Solution

@Dennis Blotenburg This will only have an impact on new enrollments after factory reset for example. 

 

I would suggest creating a new profile and test your configuration on a single device first.

Switching to "Enroll with User Affinity" will not bypass MFA tho.

 

Check out this blogpost: MFA and other caveats with Intune MDM automatic enrollment methods - Bloggerz.cloud

Thanks Jan, I will give that a try!

@Dennis Blotenburg

 

If you have MFA enforced for your tenant, use the following settings for the enrollment profile:

User Affinity: Enroll with User Affinity

Select where users must authenticate: Company Portal

 

You can have the end-user manually install Company Portal, or you can setup VPP and include it in the enrollment profile as well.

 

There are ways to bypass the enforced MFA using Conditional Access so that you can use Setup Assistant, but it may be different for every organization. HINT: Authentication using Setup Assistant does not reach the Microsoft Intune and Microsoft Intune Enrollment cloud apps first.

Hi @Dennis Blotenburg,

 

As mentioned by @eglockling you can bypass MFA during Setup Assistant enrollment with Conditional Access by excluding Microsoft Intune Enrollment and Microsoft Intune cloud apps.

 

In addition if you have Conditional Access policies where you have selected browser in client apps even if it just points to Windows or any other platform and require MFA you have to exclude the two cloud apps here as well. You have to do that because when authenticating in setup assistant you are doing a browser based authentication.

1 best response

Accepted Solutions
best response confirmed by Dennis Blotenburg (Copper Contributor)
Solution

@Dennis Blotenburg This will only have an impact on new enrollments after factory reset for example. 

 

I would suggest creating a new profile and test your configuration on a single device first.

Switching to "Enroll with User Affinity" will not bypass MFA tho.

 

Check out this blogpost: MFA and other caveats with Intune MDM automatic enrollment methods - Bloggerz.cloud

View solution in original post