Transforming the iOS/iPadOS ADE experience in Microsoft Intune
Published Dec 19 2023 04:08 PM

In July 2021, we announced that running the Company Portal in Single App Mode until authentication is not a flow Apple supports for iOS/iPadOS automated device enrollment (ADE). Since then, we’ve been hard at work improving the ADE experience through the release of Setup Assistant with modern authentication, Just in Time (JIT) registration and compliance remediation, and the "Await final configuration" setting.

Later in the calendar year 2024, we’re removing the “Run Company Portal in Single App Mode until authentication” setting. Devices will no longer be able to enroll through this method, and you will not be able to save new enrollment profiles with this setting configured. If you haven’t already, we recommend moving your authentication method to Setup Assistant with modern authentication and leveraging the new capabilities.

Stay tuned to this blog for updates on the timing of this change.

Improved and more secure iOS/iPadOS ADE experience

To replace this flow, we’ve been working on three new features to improve the iOS/iPadOS ADE experience for new and existing enrolled devices. Our focus has been on prioritizing security and enhancing both the user and admin experience.

Now that these features are all generally available, we recommend configuring them for the most secure and updated experience for ADE with user device affinity:

  1. Select Setup Assistant with modern authentication as the authentication method in your enrollment profiles for enrolling devices with user affinity.
    1. This authentication method lets your organization require authentication with Entra ID as part of the out-of-box experience (OOBE) during enrollment with Setup Assistant, before users reach the home screen. You also have the option to require multi-factor authentication (MFA), depending on the settings in your Conditional Access policy.

      Example of the "Management Settings" profile and User Affinity & Authentication Method settings in the Microsoft Intune admin center.

  2. Ensure that the Await final configuration setting is set to Yes within your enrollment profiles.
    1. This enables a more secure, locked experience at the end of Setup Assistant, ensuring your most critical device configuration policies are installed on the device. Before the home screen loads, Setup Assistant pauses and lets Intune check in with the device. The device stays locked while users await final configuration, so that when they land on the home screen, the device is already configured according to your organization’s policies.

      Example of the "Await final configuration" toggle in the Microsoft Intune admin center.

  3. Configure JIT registration and compliance remediation for your ADE devices.
    1. With JIT (just in time) registration, the Company Portal is no longer required for Entra ID registration or compliance checking. By removing the Company Portal requirement, we eliminated extraneous steps, removed a mandatory app download, and put an end to switching between apps to get the device compliant, thereby streamlining the user flow.

      Any SSO-enabled (single sign-on) app can now be used to complete Entra ID registration while seamlessly establishing SSO throughout the device. Additionally, JIT compliance remediation is the new embedded flow that lets users see their compliance status and action steps right within the app they’re using to complete JIT registration. Check out the two demos showcasing this in the JIT blog post.

      Example of the "Device features" settings for iOS/iPadOS in the Microsoft Intune admin center.

Combining these features provides the following benefits:

  • The device fully enrolls within Setup Assistant with optional MFA.
  • Critical device configuration policies are already preloaded on the device, so users can immediately access the home screen and become productive without any delays or interruptions.
  • Users can quickly start working by opening any single sign-on (SSO)-enabled app, which is where most users intuitively go to authenticate. This completes Microsoft Entra registration and establishes SSO throughout the device. For the best experience, we recommend using the Microsoft Teams app.
  • Users can also become compliant with any necessary remediation steps embedded within the app they're using to authenticate. There's no need to switch between apps to complete compliance steps.

Profiles using Company Portal authentication method

As mentioned earlier, with the upcoming change, devices assigned to an existing enrollment profile that uses the Company Portal authentication method with the “Run Company Portal in Single App Mode until authentication” setting set to Yes will fail to enroll or re-enroll. They must be assigned an enrollment profile with a supported authentication method.

Example of the "Management Settings" profile settings with the "Run Company Portal in Single App Mode until authentication" setting in the Microsoft Intune admin center.

If the authentication method is Company Portal and the “Run Company Portal in Single App Mode until authentication” setting is set to No, the profile won’t automatically download the Company Portal. To use this method, you will need to target the Company Portal app as required for ADE devices, with the correct app configuration policy attached. Additionally, users will need to manually run the Company Portal and complete the enrollment and Microsoft Entra ID (formerly Azure Active Directory) registration steps.

For new profiles, you won’t be able to save the enrollment profile if the “Run Company Portal in Single App Mode until authentication” setting is set to Yes. Although not recommended, new profiles can still use the Company Portal authentication method by targeting ADE devices with the Company Portal app and an app configuration policy. Note: after support has ended, this setting will eventually be removed from the user interface.
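To turn the guidance in this post into a check an admin can run over exported enrollment-profile data, here is an added Python example (not code from this post or from Microsoft). It lints a simplified profile record against the three recommended settings above and the Company Portal rules in this section, and ranks the findings so profiles that will stop enrolling surface first. The field names, authentication-method strings and sample profiles are assumptions constructed for illustration, not Intune or Microsoft Graph property names; map them to your own export before use.

```python
from dataclasses import dataclass
from typing import Dict, List

# Authentication methods as named in the post (string values are constructed here).
SETUP_ASSISTANT_MODERN_AUTH = "Setup Assistant with modern authentication"
COMPANY_PORTAL = "Company Portal"

SEVERITY_RANK = {"info": 0, "warning": 1, "blocking": 2}


@dataclass
class AdeProfile:
    """Simplified view of an ADE enrollment profile.
    Field names are assumptions for this example, not Graph property names."""
    name: str
    authentication_method: str
    single_app_mode_until_auth: bool = False   # "Run Company Portal in Single App Mode until authentication"
    await_final_configuration: bool = False    # "Await final configuration"
    jit_registration_configured: bool = False  # JIT registration set up for the targeted devices
    company_portal_required_with_app_config: bool = False  # Company Portal targeted as required + app config policy


@dataclass
class Finding:
    profile: str
    severity: str  # "info" | "warning" | "blocking"
    message: str


def lint_profile(p: AdeProfile) -> List[Finding]:
    """Apply the post's rules to one profile; returns findings, most severe first."""
    findings: List[Finding] = []
    if p.authentication_method == COMPANY_PORTAL:
        if p.single_app_mode_until_auth:
            # The setting is being removed: such profiles stop enrolling devices.
            findings.append(Finding(p.name, "blocking",
                "Single App Mode until authentication is being removed; devices on this "
                f"profile will fail to enroll or re-enroll. Move to '{SETUP_ASSISTANT_MODERN_AUTH}'."))
        else:
            if not p.company_portal_required_with_app_config:
                findings.append(Finding(p.name, "warning",
                    "Company Portal will not install from the profile; target it as a required "
                    "app with an app configuration policy, and expect users to run it manually "
                    "to finish enrollment and Entra ID registration."))
            findings.append(Finding(p.name, "info",
                "Company Portal authentication is supported but not recommended."))
    elif p.authentication_method == SETUP_ASSISTANT_MODERN_AUTH:
        if not p.await_final_configuration:
            findings.append(Finding(p.name, "warning",
                "Set 'Await final configuration' to Yes so critical policies land before the home screen."))
        if not p.jit_registration_configured:
            findings.append(Finding(p.name, "warning",
                "Configure JIT registration and compliance remediation so an SSO-enabled app "
                "completes Entra ID registration without the Company Portal."))
        if not findings:
            findings.append(Finding(p.name, "info", "Matches the recommended ADE configuration."))
    else:
        findings.append(Finding(p.name, "warning",
            f"Unrecognised authentication method '{p.authentication_method}'; review manually."))
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    return findings


def lint_profiles(profiles: List[AdeProfile]) -> Dict[str, List[Finding]]:
    """Lint every profile, keyed by profile name."""
    return {p.name: lint_profile(p) for p in profiles}


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present in a finding list ("info" when empty)."""
    return max((f.severity for f in findings), key=lambda s: SEVERITY_RANK[s], default="info")


# Constructed sample profiles for illustration (not real tenant data).
SAMPLE_PROFILES = [
    AdeProfile("Legacy - CP single app mode", COMPANY_PORTAL, single_app_mode_until_auth=True),
    AdeProfile("CP manual", COMPANY_PORTAL),
    AdeProfile("Modern - partial", SETUP_ASSISTANT_MODERN_AUTH, await_final_configuration=True),
    AdeProfile("Modern - recommended", SETUP_ASSISTANT_MODERN_AUTH,
               await_final_configuration=True, jit_registration_configured=True),
]

if __name__ == "__main__":
    for name, findings in lint_profiles(SAMPLE_PROFILES).items():
        print(f"{name}: {worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

Running the script prints one verdict per sample profile; the legacy Company Portal profile with Single App Mode on is the only "blocking" result, which is the set of profiles to reassign first.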

If you have any questions, let us know by leaving a comment below or reaching out to us on X @IntuneSuppTeam.

Post updates:

12/21/23: Updated URLs.

03/07/24: We previously mentioned that the "Run Company Portal in Single App Mode until authentication" setting would be removed in the first half of calendar year 2024. We've since updated the post to indicate that this change is expected to occur this year, and we will continue to keep this post updated with any new developments.

Last update: Mar 07 2024 12:25 PM