In July of 2021, we announced that running the Company Portal in Single App Mode until authentication is not a supported flow by Apple for iOS/iPadOS automated device enrollment (ADE). Since then, we’ve been hard at work to improve the ADE experience through the release of Setup Assistant with modern authentication, Just in Time (JIT) registration and compliance remediation, and the "Await until configuration" setting.
Later in the calendar year 2024, we’re removing the “Run Company Portal in Single App Mode until authentication” setting and its functionality. Devices will not be able to enroll through this method, and you will not be able to save new enrollment profiles with this setting configured. If you haven’t already, we recommend moving your authentication method to Setup Assistant with modern authentication and leveraging the new capabilities.
Stay tuned to this blog for updates on the timing of this change.
To replace this flow, we’ve been working on three new features to improve the iOS/iPadOS ADE experience for new and existing enrolled devices. Our focus has been on prioritizing security and enhancing both the user and admin experience.
Now that these features are all generally available, we recommend configuring them for the most secure and updated experience for ADE with user device affinity:
Any SSO-enabled (single sign-on) app can now be used to complete Entra ID registration, while seamlessly establishing SSO throughout the device. Additionally, JIT compliance remediation is the new embedded flow that lets users see their compliance status and action steps right within the app in which they’re completing JIT registration. Check out the two demos showcasing this in the JIT blog post.
Combining these features provides the following benefits:
As mentioned earlier, with the upcoming change, devices assigned to an existing enrollment profile with the Company Portal authentication method and the “Run Company Portal in Single App Mode until authentication” setting set to Yes will fail to enroll or re-enroll. They must be assigned an enrollment profile with a supported authentication method.
If the authentication method is Company Portal and the “Run Company Portal in Single App Mode until authentication” setting is set to No, the Company Portal won’t automatically download from the profile. To use this method, you will need to target the Company Portal app as required for ADE devices with the correct app configuration policy attached. Additionally, users will need to manually run the Company Portal and complete the enrollment and Microsoft Entra ID (formerly known as Azure Active Directory) registration steps.
For new profiles, you won’t be able to save the enrollment profile if the “Run Company Portal in Single App Mode until authentication” setting is set to Yes. Although not recommended, new profiles can use the Company Portal authentication method by targeting ADE devices with the Company Portal app and an app configuration policy. Note: After support has ended, this setting will eventually be removed from the user interface.
If you have any questions, let us know by leaving a comment below or reaching out to us on X @IntuneSuppTeam.
Post updates:
12/21/23: Updated URLs.
03/07/24: We previously mentioned that the "Run Company Portal in Single App Mode until authentication" setting would be removed in the first half of calendar year 2024. We've since updated the post to indicate that this change is expected to occur this year, and we will continue to keep this post updated with any new developments.