We are testing with Enrolling new iOS devices in DEP.

We have configured a the DEP with:

1. User Affinity

2. User must authenticate with the company portal

3 And set Run company portal in Single App Mode


We have enabled restore from icloud.

The 2 issues we have are:

1. After the icloud backup is succesfully restored.
   Then Remote management kicks in, configurationsettings are retrieved, when you are prompted the continue. So far so good. The we are prompted to create the Face ID. Upon that the screen is stuck for at least 30 minutes. After a while the screen unfreezes and we are able to create a Face ID.


2. Other issue is when the Face ID is created the company portal setup kicks in.

  User logs on, enters credentials, goes to the screen to install the management profile.

  When the user press to continue the user gets a error that Safari is probably disabled.

The error log show as follows:


Error domain:


Description: Enroll url cannot be opened. Safari

may be disabled

User info: {

   NSlocalizedDescription = "Enroll url cannot be

opened. Safari may be disabled";


Pressing retry does help. Same error is displayed. Again only after while (say 30 minutes, is a guess) retry is successfull a the single app mode is ended. User is now able use the iPhone.


When the user chooses to not restore the icloud but chooses to setup the iPhone is new device, after the remote managent is completed the homescreen appears and the user gets the message "Guided Access app unavailable please contact your administrator" That error stays on the screen for a while (say 30 minutes, is a guess) and then company portal is downloaded and user is able to configure the company portal.


So somehow there seems a big delay in enrolling the device.

So what can cause this delay?


You can try following to fix this issue.

Run Company Portal in Single App Mode until authentication = No. From my experience, this works every time and help you to review the state of the device.

Disable Face ID setup during initial setup to isolate the issue.

iCloud might restore the previous MDM state as result you might not be able to enroll device again part of Comp Portal Authentication. 

@prtkdv I have this issue as well. Could you expand upon what you mean by "Run Company Portal in Single App Mode until authentication = No."

@Manoj Sood We too are experiencing this challenge. Did you ever figure out what was meant by "Run Company Portal in Single App Mode until authentication = No?"

@Nate Jackson this is a property of the DEP enrollment profile in Intune.

Not sure I understand what you mean by "property of DEP enrollment profile". Coul dyou be more specific as to what this is and where to find it?



Old threat but if someone encounters this issue make sure the user has the proper licensing enabled. Intune required EMS.