Intune Enrollment and App mgt for company iOS devices even if user is not in Active Directory


We are migrating from one MDM, which was device based, to Endpoint/Intune. Everything seems to be going okay for all users who have an Azure AD account, but we have many users who are not in AD. Is there a way to manage the devices AND push apps out to the iPhones / iPads by Serial number ONLY? So the user never actually needs to sign in?


Also, in our previous MDM, we pushed apps using tags and were able to differentiate between iPhones (only got two required apps) and iPads (two required and eight default apps) to automatically push when the device enrolled. Everything I'm seeing just says iOS/iPad and we'd like different things to happen for iPhones than for iPads.


Thank you, in advance.

~ H

4 Replies
Hi, you can absolutely manage devices without user affinity. How are you currently enrolling devices? I would suggest using Apple Business (or School) Manager, combined with ADE (DEP) and device-assigned VPP apps.

Depending on your Azure AD licensing level, you can also configure dynamic groups for devices so all iPads fall onto one group and all iPhones fall into another.

Let me know if this sounds like something that would be of interest and we can chat further.

Thank you, @r0bu, for the reply. We are using ABM + ADE + device assigned VPP (well, we are using VPP...and I choose 'license type = device' when I add groups to them in Intune). Setting up AD groups specifically for iPad and iPhone was a thought I had, as well, but wasn't sure if that was the only way to go.


I've tried to set up 'dynamic' security groups for the purpose of pushing apps to devices for users who are unable to use the portal due to not having an AD account, but wasn't able to get it going. I am unable to figure out how to put devices into the group.

Hi @Hollis255 


To use dynamic groups you need Azure AD P1 (or a qualifying license such as M365 Business Premium, M365 E3 or EMS E3 - best to check https://github.com/AaronDinnage/Licensing as this will give you a great idea of where licenses sit).


MS documentation on rules for devices is here: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership#r...


This is what my dynamic device group (Azure AD, Groups, New Group) looks like:

[screenshot: dynamic device group settings, not reproduced]

and the query would be:

[screenshot: dynamic membership rule for iPads, not reproduced]

iPhones would simply be (device.deviceOSType -eq "iPhone")


Hope this helps?
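As an added example (not r0bu's own steps or screenshots), the same two dynamic device groups created from PowerShell with the Microsoft Graph PowerShell SDK, followed by a membership check before any device-licensed VPP apps are assigned to them. The group names, the "iPad" deviceOSType value (the thread only shows "iPhone") and the admin's Graph permissions are assumptions.

```powershell
# Added example, not from the thread: create the iPhone and iPad dynamic
# device groups and verify their membership via Microsoft Graph.
# Assumptions: Microsoft.Graph.Groups module is installed, the signed-in
# admin can grant Group.ReadWrite.All, and iPads report deviceOSType "iPad".
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All"

# Membership rules in the Azure AD dynamic group rule syntax.
$groups = @{
    "MDM-iPhones" = '(device.deviceOSType -eq "iPhone")'
    "MDM-iPads"   = '(device.deviceOSType -eq "iPad")'    # assumed value
}

foreach ($name in $groups.Keys) {
    $existing = Get-MgGroup -Filter "displayName eq '$name'"
    if ($existing) {
        Write-Host "Group $name already exists ($($existing.Id)); skipping"
        continue
    }
    $g = New-MgGroup -DisplayName $name `
        -MailNickname ($name -replace '[^A-Za-z0-9]', '') `
        -MailEnabled:$false -SecurityEnabled `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $groups[$name] `
        -MembershipRuleProcessingState "On"
    Write-Host "Created $name ($($g.Id)) with rule: $($groups[$name])"
}

# Dynamic membership is evaluated asynchronously; re-run this block a few
# minutes later and confirm each group holds only the expected device type
# before assigning it the device-licensed VPP apps in Intune.
foreach ($name in $groups.Keys) {
    $g = Get-MgGroup -Filter "displayName eq '$name'"
    $members = Get-MgGroupMember -GroupId $g.Id -All
    Write-Host "$name has $($members.Count) member(s):"
    foreach ($m in $members) {
        # Device objects come back as directoryObjects; their device
        # properties live in AdditionalProperties.
        Write-Host ("  {0} ({1})" -f $m.AdditionalProperties.displayName,
                                     $m.AdditionalProperties.operatingSystem)
    }
}
```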

@r0bu - thank you SO much, it totally helps. Sorry for my delayed response, I've been busy getting everything set up in there. Dynamic groups seem to have done the trick for most of my needs, but now I just need to figure out the best way to handle users without an AD account. I was running Company Portal in ASAM and, of course, this isn't going to work unless the user is in AD. I created a DEM user account, group and profile to get around that for now, but that isn't ideal. We were really hoping to be able to track the devices by user logged in, but if they can't log in, we really don't have a good and simple way to see who has what. (I know, logging in isn't 100% accurate, either, since someone could log in, then pass the device to someone else and we'd never know.)


I also ran into several issues with Company Portal (it gets stuck in CP even after the user has logged in and been working. If they open CP for any reason, the app just stays open and they can't close it or go to the home screen until a hard reset). Also, if the device is not connected via cellular or wifi, CP opens up to the sign-on screen and you can't close it or even log in (because there is no connection to verify creds), and the device is basically bricked until reset unless you get to a wifi that is already set up to 'autoconnect'.


Those issues have made it so I no longer have it running in ASAM, but it is a required app on all devices. Now I need to find a way to lock the device until the user signs into CP. Again, the device can be anywhere and used by anyone (inside or outside the company) without our knowledge because the enrollment would not be complete until CP was logged into.


The journey continues.

Thanks, again!

~ Hollis255