Move to Setup Assistant with Modern Authentication for Automated Device Enrollment

Published Jul 16 2021 08:53 AM

Setup Assistant with Modern Authentication for Automated Device Enrollment (ADE) was the planned replacement for the ADE enrollment flow and is the Apple-supported path to require authentication before ADE enrollment. Modern Auth now runs in an OS-provided WebView, so it should be more consistent, stable, and reliable than the Company Portal authentication method (running the Company Portal in Single App Mode until authentication).

 

We anticipated providing a transition period to move from the Company Portal authentication method (running the Company Portal in Single App Mode until authentication) for ADE to the new enrollment flow for iOS/iPadOS, and had planned to provide time and guidance for a staged migration path. However, while working with Apple on this incident, we discovered that Apple removed the functionality in 14.6 that we used for the Company Portal authentication method in the ADE enrollment path. This break in the Single App Mode flow is described in the incident post and has led to an expedited move.

 

Once you move to Setup Assistant with Modern Auth, apart from the better performance, you’ll find one difference, which we plan to address in an upcoming release: the Azure Active Directory device registration will need to be completed in the Company Portal by the end user. Generally, the user will be prompted to go to the Company Portal when Conditional Access requires a compliant device. You can also give users instructions for launching the Company Portal manually, where they will be prompted to complete the registration after signing in. The device is still managed and secure in this flow; users won’t have access to resources, and policy will be applied as expected, including Single App Mode.


To move to Setup Assistant with Modern Auth for Automated Device Enrollment, you can either:

  • Edit your existing ADE policy to use “Setup Assistant with modern authentication” for authentication. See the screenshot below for where you’ll select this in your existing profile.

[Screenshot: EnrollmentSetupAssistantwithModernAuth.png]

  • Alternatively, you can create a new enrollment profile set to use Setup Assistant with Modern Auth.

 

Again, existing enrollments are not affected, as they’ve already authenticated and enrolled. This is a new enrollment flow with modern auth, moving forward, for devices using ADE and Single App Mode.

 

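More information:

  • Using filters with Setup Assistant with modern auth for ADE for corporate iOS/iPadOS/macOS devices - Microsoft Tech Community (https://techcommunity.microsoft.com/t5/intune-customer-success/using-filters-with-setup-assistant-with-modern-auth-for-ade-for/ba-p/2670379)
  • Setup Assistant with Modern Auth for ADE (iOS/iPadOS 13+ and macOS 10.15+) - Intune Public Preview - Microsoft Tech Community (https://techcommunity.microsoft.com/t5/intune-customer-success/setup-assistant-with-modern-auth-for-ade-ios-ipados-13-and-macos/ba-p/2279061)
  • Enroll iOS/iPadOS devices by using ADE - Microsoft Intune | Microsoft Docs (https://docs.microsoft.com/mem/intune/enrollment/device-enrollment-program-enroll-ios)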

 

Prior post content, updated -

 

Here's the scenario: Automated Device Enrollment (ADE) through the Company Portal isn't enforcing Single App Mode for devices running iOS/iPadOS 14.6 and later. This means that if you select Single App Mode and the device runs into this issue, instead of showing only the Company Portal during enrollment, the device allows full access, such as to the Home Screen and App Library. Users could go to a browser, for example, and access web resources. Any user-targeted settings will not be applied until the user authenticates using the Company Portal. If devices go to sleep while in this state, they may appear to freeze, no longer accepting input through touch or button press.

 

Devices affected: New enrollments only; existing devices are not impacted. This affects not all, but many models running iOS/iPadOS version 14.6 and later and enrolling through the ADE flow with Single App Mode until authentication enabled.

 

Not affected: Customers using Setup Assistant with Modern Authentication for ADE.

 

Workarounds: There is one workaround: a force restart of the device when it gets stopped in the enrollment process typically returns it to Single App Mode as expected.
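The affected and not-affected criteria above can be applied to a list of devices awaiting enrollment to see which ones still depend on the Company Portal method. This is an added example, not part of the original post or of Intune's tooling; the record fields, method labels and sample rows are constructed assumptions.

```python
# Added example: field names, labels and rows are constructed, not an Intune export format.
from dataclasses import dataclass
from typing import Optional

AFFECTED_FROM = (14, 6)                            # per the post: iOS/iPadOS 14.6 and later
CP_SINGLE_APP = "company_portal_single_app_mode"   # hypothetical label
SETUP_ASSISTANT = "setup_assistant_modern_auth"    # hypothetical label

@dataclass
class Device:
    serial: str
    os_version: Optional[str]   # None when the inventory has no version recorded
    auth_method: str            # authentication method on the assigned ADE profile
    enrolled: bool              # True once authentication and enrollment completed

def parse_version(text):
    """'14.10.1' -> (14, 10, 1). Comparing as strings would rank 14.10 below 14.6."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except (AttributeError, ValueError):
        return None

def classify(dev):
    if dev.enrolled:
        return "not_affected_existing"       # existing enrollments are not impacted
    if dev.auth_method == SETUP_ASSISTANT:
        return "not_affected_modern_auth"
    if dev.auth_method != CP_SINGLE_APP:
        return "review_unknown_method"
    version = parse_version(dev.os_version)
    if version is None:
        return "at_risk_version_unknown"     # cannot rule out 14.6+, so flag it
    return "at_risk" if version[:2] >= AFFECTED_FROM else "below_affected_version"

def triage(devices):
    """Group device serials by classification."""
    report = {}
    for dev in devices:
        report.setdefault(classify(dev), []).append(dev.serial)
    return report

SAMPLE = [  # constructed inventory rows
    Device("SER-A", "14.6", CP_SINGLE_APP, False),
    Device("SER-B", "14.10", CP_SINGLE_APP, False),
    Device("SER-C", "14.5.1", CP_SINGLE_APP, False),
    Device("SER-D", "15.0", SETUP_ASSISTANT, False),
    Device("SER-E", "14.6", CP_SINGLE_APP, True),
    Device("SER-F", None, CP_SINGLE_APP, False),
]
```

Devices in the `at_risk` groups are candidates for reassignment to a profile that uses Setup Assistant with modern authentication; since the post says not all models are affected, the flag marks exposure rather than a confirmed failure.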

 

Blog post updates

  • 8/20/2021 with additional details.
  • 8/26/2021 with additional clarification on running the Company Portal in Single App Mode until authentication for ADE.
3 Comments
Senior Member

Looks like this is working on iOS 14.7 again.  Wiped and re-enrolled a DEP iPhone which our DEP Profile is set to use "Run Company Portal in Single App Mode until authentication".  Received the "Guided access app unavailable..." message, couldn't do anything on the device except wait until CP installed and finished enrolling.

Haven't tested on iPadOS as 14.7 isn't out for iPadOS yet.

Occasional Visitor

Issue appears to be fully resolved at this time.

Occasional Visitor

.

Version history
Last update: Aug 26 2021 02:19 PM