BYOD
11 Topics

Intune - Issues with Account-Driven User Enrollment Issues on iOS 18.5
Hello everyone,

Since the release of iOS 18, Apple has deprecated profile-based user enrollment via the Company Portal app, requiring the use of Account-Driven User Enrollment. While this change enhances user experience, I'm encountering challenges in implementing it.

Steps Taken:
- Apple Business Manager (ABM) Account: Created and linked the ABM account to Intune using the token. Corporate devices are successfully appearing in Intune.
- MDM Server Configuration: Set Intune as the default MDM server for all devices in ABM.
- Domain Federation: Established Entra ID federation in ABM to synchronize all users.
- Intune Enrollment Profile: Created an 'Enrollment Type Profile' of type 'Account-Driven User Enrollment.'
- MDM Push Certificate: Configured and validated the MDM Push certificate.

Issue Encountered: According to https://support.apple.com/guide/deployment/account-driven-enrollment-methods-dep4d9e9cd26/web, starting with iOS 18.2, hosting a service discovery file on a web server is no longer mandatory. The device should automatically contact the ABM organization associated with the Managed Apple ID if no web server is found.

On an iOS 18.5 device, I navigate to: Settings > General > VPN & Device Management > Sign in to Work or School Account

After entering my Microsoft email address (which matches my Managed Apple ID due to federation), I consistently receive the error: "Your Apple ID does not support the expected services on this device."

In ABM, under "Access Management" > "Apple Services," all services are activated. Could I be missing a crucial step in the configuration? Any guidance or insights would be greatly appreciated. Thank you in advance for your help.

Best regards,

782 Views, 1 like, 7 Comments

Work Profile Contacts in Android Auto BYOD
Hey there, is it possible to list the contacts from the Android Work Profile in Android Auto? People in our organization are not able to search for Work Profile contacts via Android Auto. When contacts from the Work Profile are calling, the name is showing up correctly and is also correctly displayed in the caller history, but when using the Phone app on the car's display it's not possible to find the contacts.

What we have tried so far:
- Installed the Android Auto app on the Work Profile
- Enabled "Connected Apps"
- Contact sync via the Outlook app
- Contact sync via Gmail / Google Contacts
- Installed the Google Phone app on both profiles and set it as the default call application
- Installed the Samsung Phone app on both profiles and set it as the default call application
- Enabled the Work Profile switch in the Android Auto settings (seems only useful for notifications)
- Tried different phone and car vendors

One more piece of information: when using the Call or Contact app on the Personal Profile and searching for work contacts, they are showing up as expected. I believe maybe it's not supported by Google? Is anybody facing the same issue, or is there some workaround I have not thought about?

Solved, 255 Views, 0 likes, 2 Comments

Conditional access blocks, even when Smartphone is marked as compliant
Hi Everyone. I'm trying to access my Exchange Mailbox over the Gmail App on my Pixel 8 Pro. Now my problem is that a conditional access policy is blocking the access. I've created a policy that grants access to the "Office 365 Exchange Online" resource if passwordless MFA is satisfied and the device is marked as compliant. At the beginning I was trying to grant access if the Gmail App is protected by an app protection policy, which didn't work because Gmail does not support app protection policies, so I turned that off.

So, my smartphone is a BYOD and I've enrolled it into Intune with the "Android (personally-owned work profile)" enrollment method. A compliance policy is assigned, and Intune shows me that the device is compliant. Intune deploys the Gmail App to my work profile. I've read several pieces of documentation and I also deployed Google Chrome, Google Calendar and the Bing Search App just to be sure. But it still blocks access to the resource. I also made an Email configuration profile to auto-setup the Gmail App with my credentials.

So every time I open the Gmail App in my Work Profile, it tries to set up the account, I get an MFA number-matching prompt from MS Authenticator and then it tells me to download the Company Portal app and enroll my smartphone into Intune. Strange behavior because, as I mentioned above, my phone is indeed managed and marked as compliant in Intune. I was going through the Sign-in Logs, and I've seen that every logged attempt claims that the device is not compliant and not even managed. I feel like I'm missing a big point. I would be thankful if anyone has an idea to solve this ❤️ Thanks.

Solved, 2.2K Views, 0 likes, 2 Comments

New Window feature : safe BYOD for desktop dividing windows OS in environments
Hi, I was thinking we are more and more pushing BYOD at the office, but bring your own computer brings a lot of trouble to IT because it is not easy to secure. What if in the next Windows version we could have spaces, completely separated, running seamlessly on the same computer? We could have one space for our personal usage with our own software, games, browser, VPN if any, and so on with complete freedom, and on the other a professional space with total control from the company on software and security settings. If done well, like containers, the OS could share resources without duplicating all the hardware usage. It would require some work on drivers to allow dividing memory space or a storage drive into different spaces to have different security applied, for example.

That would help a lot in reducing the number of computers people own; companies could propose to provide a computer or money to support employees' own equipment, no longer requiring multiple computers. Consultants working for clients could also avoid being provided a computer for each client they work on; they could all be just more professional spaces on the same computer. Of course you cannot start 10 spaces at the same time on a small laptop, but usually you would have maybe 2 at the same time, max 3, and not one running a game...

What do you think?

Regards, Marc-Antoine

1.1K Views, 0 likes, 2 Comments

AVD security for BYOD use cases
Is there any study/article/blog/forum out there exploring AVD or remote desktop security from users' personal devices? E.g., consider a user accessing AVD from a virus-riddled device. What are the risks to data and infrastructure security? One thing that comes to mind is a keylogging virus recording the user's keystrokes or even sending commands to the remote desktop.

1.6K Views, 0 likes, 0 Comments

Securing windows for BYOD
Is there a way to properly secure data on Windows BYOD devices? We are doing solution analysis for BYOD at our organisation and one thing that has come up is that Windows does not support the containerization that iOS and Android do, where personal data is separated from business data. Furthermore, there is a risk that data, e.g., the Outlook data files, can be exported out of Windows. Does it mean the virtual desktop is the only viable BYOD option?

727 Views, 0 likes, 0 Comments

BYOD security for desktops - Windows/Mac
What is the best method to secure a Windows or Mac BYOD device without enrolment? Can Intune App Protection policies be applied to desktop client applications - Teams/Outlook/Word/Excel/PowerPoint? E.g., if a user is allowed to use the Outlook or Teams desktop app on their personal Windows laptop, can that user be prevented from downloading an attachment or a file from within Teams? How about stopping the user from taking a screenshot? Or can true BYOD security only be achieved with enrolment of the device in Intune? If yes, it will be problematic as end users will not be happy to enrol their personal devices into Intune.

5.6K Views, 0 likes, 6 Comments

Android Enterprise COPE Device Restrictions lacking basics (compared with (Personal) Work Profile)
I've noticed that the available options in Device Restrictions configuration profiles for COPE devices do not include the "Work profile settings" set, like the Personally-owned Work Profile Device Restriction configuration profiles do. Things like blocking copy/paste between Personal and Work profiles, essentially all the settings that are available and described here - https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-android-for-work#personally-owned-devices-with-a-work-profile-settings

Does anyone know, is there a detour-like solution to get these controls available for COPE devices?

1.9K Views, 0 likes, 0 Comments

What BYOD options of deployment do I have with Intune
Hi all,

We are in the process of looking at allowing users to use their own laptops, mobile phones and/or tablets. I am unsure what options in Intune I have to allow access to company data and/or apps. We do currently use Intune MDM for iOS devices and a small number of Android mobile phones (both are company-owned devices). I am aware of MDM and MAM but unsure which one I want to use for personal devices. Those devices could be Windows 10 Home laptops, personal Android mobiles, Android tablets, iPhones or iPads. Can I use MDM and MAM simultaneously or do we have to pick one or the other?

MAM, as I understand it, allows me to protect apps/data on devices that are not managed via Intune in supported applications, where I can set rules such as do not allow saving or copying files from OneDrive to the local device. MDM is mobile device management, where devices can either be corporately enrolled or a user can enroll his/her own device.

8.4K Views, 0 likes, 3 Comments

Securing data on BYOD
I am looking for some advice on best practice for protecting corporate data on personal Windows devices. All data is residing in O365 and we already have App Protection Policies in place to protect data on iOS and Android devices. All users are licensed for O365 E5 EMS and AD P1. Our requirements are to only allow devices to access O365 data from Windows 10 devices with antivirus and disk encryption. We also want to restrict the ability to date data locally, outside of enterprise apps. We have tested with App Protection Policies and Conditional Access; however, we are unable to get the policies to take effect. Any advice on the best approach to achieve this would be greatly appreciated!

3.9K Views, 0 likes, 2 Comments