SOLVED

iOS Profile installation fails on corporate owned devices. Resolution to allow personal ones?


Hi community

 

We are trying to protect our tenant from users enrolling their personal devices.

This works up to the point where we are enrolling iOS devices. When trying to install the management profile on the Apple device, we receive the following error:

Profile Installation Failed. Connection to the server could not be established.

 

The cause is our tenant is configured to only allow corporate-owned devices. The resolution is to al...

 

Why would they give us the option to block personally owned devices, yet not allow iOS to make contact with the server to install the management profile?

 

At the moment, our workaround is to temporarily allow personal iOS devices when enrolling one, then disabling it. This works, but feels like we need to work around their contradictory setup.

 

We have added the device serial to Corporate device identifiers. It is marked as enrolled status after the above workaround. Its status is "not contacted" if personal devices is blocked.

 

This is not an issue with Android devices.

 

Am I missing something or does Microsoft need to find a way to fix this? Do they even care seeing as it's an issue related to Apple devices?

6 Replies
It should work as you described.
If you allow personal devices and enroll a device whose serial number has been identified as a corporate identifier, what is the ownership of this iPhone, corporate or personal?

@Thijs Lecomte 

Thanks for the reply.

The ownership of the iPhone is corporate. We only want to allow corporate-owned devices to join Azure and enrol in Intune.

The Microsoft KB article describes the error cause as, "Your Intune tenant is configured to only allow corporate-owned devices." The resolution is to, "Allow for personally owned iOS devices, and then click OK."

 

But what about the company's like ours that do not want to allow personally owned devices?

 

We can add the serials to identify corporate-owned devices, and this works for Android all the way through enrolment, but for iOS, it falls over at the profile installation with the error of:
Profile Installation Failed. Connection to the server could not be established.
Seems to be because when trying to contact the Azure or Intune server to acquire the ability (?) to install the profile, the server refuses connection because it is not referencing the corporate device identifiers for the serial at this point.

 

The knowledgebase article clears this up, but I feel like they should not give the option of blocking these devices if the enrolment cannot reference the corporate device identifiers at every stage of the enrolment for Apple devices.

 
I would assume that requiring only company-owned devices works as well for iOS. Or it shouldn't be documented.
Have you contacted the support team?

Hi @ryeurolink,

 

From what you're describing, the Enrollment restrictions are configured correctly within the Intune Portal, but are still having issues with enrolling corporate devices even though they are allowed and identified via Corporate Device Identifier.

 

As we'll need to further investigate the device attempting to enroll within the Intune Service, let's get you over to support. Please open a case either through the Intune Portal, or through any of the methods mentioned here: https://docs.microsoft.com/intune/get-support. Once created, please private message us your case, for us to keep an eye on.

 

Thank you @Thijs Lecomte for reaching out to us on our Twitter!

Cheers,
Intune Support Team
^MS

best response confirmed by ryeurolink (Copper Contributor)
Solution

@ryeurolink 

Looks like the best way to enrol and mark devices as corporate is not the Corporate Device Identifiers. They have said this will be the same for Android phones in the near future. Case closed.

 

Response from Intune support:

 

Corporate identifiers are used to mark the device as corporate after it gets enrolled. We cannot put device restrictions based on that. The company portal enrollment is considered as personal enrollment which makes us change the enrollment restriction to allow the personal enrollment.

 

As I have mentioned, if you want the devices to do the corporate enrollment you would have to do the automated device enrollment (previously called DEP) so that you can have the device restrictions set to allow corporate and block personal.

 

Here is a link with information on DEP enrollment: https://docs.microsoft.com/en-us/intune/enrollment/device-enrollment-program-enroll-ios
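The support answer above makes one point that is easy to miss: Corporate Device Identifiers only tag ownership after a device has enrolled, so an iOS device that came in through the Company Portal is a personal-type enrollment whatever its ownership field says, and only Automated Device Enrollment (ADE/DEP) is treated as corporate at the point where the enrollment restriction is evaluated. The script below is an added example (not code from this thread, from ryeurolink or from Microsoft) that audits an Intune tenant for exactly that gap. It runs offline against a constructed sample of the JSON shape returned by Microsoft Graph `GET /deviceManagement/managedDevices`; the field names and the enum values `appleBulkWithUser`, `appleBulkWithoutUser`, `userEnrollment`, `company` and `personal` are assumed to match the Graph `managedDevice` resource, and the serial numbers are placeholders. Devices it lists as needing migration are corporate-tagged iPhones that only enrolled because personal iOS enrollment was temporarily allowed; they would fail the management profile install again the moment the restriction is turned back on.

```python
"""Audit iOS enrollments against a 'block personal iOS' enrollment restriction.

Added example for the thread above, not Microsoft's or the poster's code.
It processes a constructed sample of a Microsoft Graph
GET /deviceManagement/managedDevices response (only the fields used here),
so it runs offline. The enum values below are assumed to match the Graph
managedDevice resource; compare them against real output from your tenant.
"""
import json

# Constructed sample of a Graph response; serial numbers are placeholders.
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        {"deviceName": "iPhone-ADE-01", "operatingSystem": "iOS",
         "serialNumber": "SERIAL0001", "managedDeviceOwnerType": "company",
         "deviceEnrollmentType": "appleBulkWithUser"},
        {"deviceName": "iPhone-CP-02", "operatingSystem": "iOS",
         "serialNumber": "SERIAL0002", "managedDeviceOwnerType": "company",
         "deviceEnrollmentType": "userEnrollment"},
        {"deviceName": "iPhone-CP-03", "operatingSystem": "iOS",
         "serialNumber": "SERIAL0003", "managedDeviceOwnerType": "personal",
         "deviceEnrollmentType": "userEnrollment"},
        {"deviceName": "Pixel-04", "operatingSystem": "Android",
         "serialNumber": "SERIAL0004", "managedDeviceOwnerType": "company",
         "deviceEnrollmentType": "userEnrollment"},
    ]
})

# Apple Automated Device Enrollment (ADE, formerly DEP) is reported by Graph
# as one of these enrollment types (assumed values). Every other iOS
# enrollment is user-initiated (Company Portal), which Intune evaluates as a
# *personal* enrollment regardless of any Corporate Device Identifier match.
ADE_ENROLLMENT_TYPES = {"appleBulkWithUser", "appleBulkWithoutUser"}


def classify_ios_devices(graph_json: str) -> list[dict]:
    """Return one record per iOS device: how it enrolled, and whether that
    path is blocked once personal iOS enrollment is disallowed."""
    devices = json.loads(graph_json)["value"]
    report = []
    for d in devices:
        if d.get("operatingSystem", "").lower() != "ios":
            continue
        via_ade = d.get("deviceEnrollmentType") in ADE_ENROLLMENT_TYPES
        report.append({
            "serialNumber": d.get("serialNumber"),
            "ownerType": d.get("managedDeviceOwnerType"),
            "enrollment_path": "ADE" if via_ade else "user-initiated",
            # Ownership is tagged after enrollment, so a 'company' device
            # that came in through Company Portal would still fail the
            # profile install with personal iOS enrollment blocked.
            "blocked_if_personal_ios_blocked": not via_ade,
        })
    return report


def devices_to_migrate(graph_json: str) -> list[str]:
    """Serials of iOS devices tagged corporate but not enrolled via ADE.
    These only got in while personal enrollment was temporarily allowed;
    re-enrolling them through ADE lets the restriction stay switched on."""
    return [r["serialNumber"] for r in classify_ios_devices(graph_json)
            if r["ownerType"] == "company" and r["enrollment_path"] != "ADE"]


if __name__ == "__main__":
    for rec in classify_ios_devices(SAMPLE_GRAPH_RESPONSE):
        print(rec)
    print("Re-enrol via ADE:", devices_to_migrate(SAMPLE_GRAPH_RESPONSE))
```

To run it against a live tenant, replace `SAMPLE_GRAPH_RESPONSE` with the body of an authenticated Graph call (for example via the Microsoft Graph PowerShell SDK or `requests` with a bearer token); the classification logic does not change. Android is deliberately skipped because, as the thread notes, Android enrollment was not affected at the time, although support warned the same behaviour was coming there too.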
