Device Enrollment
Hi everyone, I need some guidance regarding a device-management scenario in my environment. We currently have Microsoft 365 Business Basic with the Intune Plan 1 add-on. All of our devices (about 150+) are Azure AD Registered, and I’m trying to determine the best method to enroll them into Intune using only our existing licenses. I’m unsure which enrollment method is most appropriate for this setup, and I haven’t been able to find a solid, recommended approach. I want to avoid unnecessary complexity and I cannot upgrade or change our licensing. I would really appreciate a well-structured explanation that covers: The best enrollment method for this scenario Why this method should be used Step-by-step guidance Pros and cons of the proposed method Any insights from those who have handled similar situations would be extremely helpful. Thanks in advance!
Device Registration - Run Company Portal in Single App Mode until authentication
I have having an issue starting today 10/24 - Company Portal update was released 10/23 Any new enrollments are stuck with the Company Portal in Single App mode by design and enrollment policy. After the user completes enrollment, the device remains in Single App mode. The devices are reporting as non-compliant at first with no Compliance Policy. After the compliance policy is set, the device is still locked in single app mode waiting for the Password to be brought into compliance. The password change prompt is hidden being the Single App mode and cannot be accessed. No matter what I do, the Company Portal is locked in single app mode. I have no option but to turn off this feature which prevents my devices from being stolen. Has anyone seen this same issue and been able to get past if without turning off this feature 'Run Company Portal in Single App Mode until authentication' during enrollment?Device registration in Co-Management - Error 0x8018002b
Hi All, I am a bit stumped as we have been experiencing issues getting devices into the co-managed state correctly on several of our machines. We did extensive testing on this several months ago and successfully joined 10-15 machines before refocusing our efforts on building out our policies. Machines are showing up in both EPM(Endpoint Manager) and AAD (Azure Active Directory) but have SCCM listed as the MDM authority in AAD. Image 1, Source AAD Image 2, Source EPM Interestingly on the users devices the co-management status is set to 1 we are unable to push apps such as the company portal down to the machine. This value is managed by the Co-Management sliders in SCCM and increases based on how much of the load is managed by Intune. Therefore currently Intune is not managing the device at all, despite it showing up in Intune as Co-Managed. All test cases of this are part of the Pilot collection in SCCM and all sliders are set to Intune Pilot. I have collected logs on all of the devices that have this issue and have noticed this error is present on all of them and users are not getting the MFA prompt to set up intune in the first instance. "Auto MDM Enroll: Device Credential (0x0). Failed (Unknown Win32 Error code 0x8018002b)" This leads me to believe that devices are using the incorrect credential (Device) to sign up for Microsoft EPM despite the following Policy. I have tried the below solutions to no success: Microsoft Solution https://docs.microsoft.com/en-in/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors One of the following conditions should be the cause UPN Contains an unverified or non-routable domain, such as .local - Checked @edu address used MDM user Scope set to None - Checked, set to Some. User is in included group with licenses assigned Community Solution https://community.spiceworks.com/topic/2278963-intune-with-aadj-cannot-auto-enroll Wait 12 hours… , Waited 48h no change Ensure MDM enrolment Group Policy uses user credential, not device - Checked, See image of Policy above It could be that i am missing something obvious but I would appreciate help finding that component :).
Device Enrollment Manager with MAC OS
Hi all, I've just started to test enrolling a MAC OS device using a device enrollment manager. Everything works as expected when following the process - Create device enrollment manager account - On device download and install the company portal on MAC - enroll the device from the company portal app using the DEM account - create intune profiles and dynamic group membership for MAC devices and assign and deploy to MAC One thing I'm not sure about is how to deploy apps to the device. From what I've read these are made available to the user on the device through the company portal app. I also know that they can be deployed using the LOB app deployment process. If the device has been enrolled through the DEM account though, the user does not have access to the company portal with this account. In fact, when you log into the company portal using a different account on the device it seems to want to enrol again? Anyone got any advice on the above. It may be this is by design and when you use a DEM account then you can no longer use the company portal as a user? Thanks Gerry
Guided Access enrollment issues
We recently switched over our DEP enrollment process to use VPP to download the company portal and then using locked enrollment (guided access) to force the user to enroll their iOS devices into Intune. We are running into a few issues, if the user is on wifi only (majority of our iPads) and for whatever reason leaves the WiFi network, they cannot reconnect to the network as there doesn't seem to be a wayto break out of the guided access mode. They are then presented with a screen that says "Guided Access is unavailable. Please contract an administrator" is there anything we can do at this stage other than connecting to a computer and wipe the device? Another issue we are running into with some devices is they seem to be locked into guided access mode and unable to switch to Safari to download the management profile, the error they are presented with is "Could not add your device. Safari has been disabled, Please contact your administrator." I'm not sure what users are doing to get to this state, but is there any way to troubleshoot these devices other than wiping?Installing Intune for MFA with Airwatch MDM
Hello community, Question: I have a client that is using AirWatch for MDM. (Trying to move to Intune - Long story). Anyways they want Azure MFA because of the integration with PC's and no requirement for ADFS once we go with 3SO and PTA. We have some rather strict policies we are going to enforce when users are going to get an MFA prompt. i.e. never on approved devices. So for the mobile work force I do not see a way to make a device approved unless it is enrolled with Intune. So I pose the question, can we enroll a mobile device with Intune or Azure AD while AirWatch is providing MDM (iOS and Android). If I am missing something obvious here please let me know.
