Apple will remove the Company Portal authentication method for all new and existing iOS/iPadOS ADE enrollment profiles in November 2022. This includes removing the "Run Company Portal in Single App Mode until authentication" option. In this post I will help you switch to modern authentication in enrollment profiles on the latest iOS build, iOS 16.
Why the change:
Impact of this change: If you are currently using the legacy authentication method, wherein your users are required to authenticate through the Company Portal app (delivered via the VPP token), the devices will not be able to re-enroll until you switch the enrollment authentication method to Setup Assistant with modern authentication.
Plan for Change: The new enrollment profile will have modern authentication configured so that the users will not get a “Guided Access App Unavailable” message. The authentication will occur before the user presses the home screen. This will also reduce the overall time taken to enroll a device.
In this post, I assume you are using the legacy authentication method. During the enrollment process, Company Portal runs in Single App Mode with a “Guided Access App Unavailable” message until authentication for ADE is completed. You will need the following:
- Devices purchased in Apple’s ADE
- Mobile device management (MDM) authority
- An Apple MDM push certificate
Device Enrollment in Intune
Before you start to enroll iOS/iPadOS devices with ADE, there are a series of steps that you need to follow.
- Create & Upload Apple MDM Push Certificate
- Create & Upload the Apple Automated Device Enrollment token
- Assign devices to the Apple token (MDM server)
- Create an Apple enrollment profile
A few months back, I wrote a post on automated device enrollment for corporate-owned devices, detailing the first three steps. Now let’s complete the series by creating an enrollment profile and enrolling an iPhone running the brand-new iOS 16 in Intune.
Create an Apple Enrollment Profile
The device enrollment profile defines the settings you would like to apply to devices during the enrollment phase. Follow these steps to create an enrollment profile:
1. From the Microsoft Endpoint Manager portal, navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens.
2. Select a token, and then select Profiles.
3. Select Create profile > iOS/iPadOS, or select an existing profile to modify it.
(If you are modifying an existing profile, you can skip all steps except step 6.)
4. If you are creating a new profile, provide a Name and Description for the profile (these details will not be visible to users) and click Next.
5. In the management settings page, select “Enroll with User Affinity” as we will use this profile to enroll devices associated with users.
6. Because we selected Enroll with User Affinity for the User Affinity field, we can choose the authentication method used to authenticate users.
Let’s look at both options:
- Company Portal: You can use the Company Portal app to authenticate users if you want to use multi-factor authentication, prompt users to change their passwords after first signing in, or reset their expired passwords during enrollment.
- Setup Assistant with modern authentication: This authentication method has two major differences. First, only iOS/iPadOS 13.0 and higher devices are eligible for this method. Second, the user can start using the device immediately rather than wait until the company portal installs on the device.
Irrespective of which option you choose, the Company Portal app will be installed without user interaction; as such, it must be pushed as a “mandatory app”.
7. For Locked enrollment, I would recommend selecting “Yes” for supervised devices, as it disables the iOS/iPadOS settings for removing the management profile from the device. The only way to remove the profile is then to wipe the device.
8. If you want to allow users to sync their devices with any computer, select “Allow All” for the Sync with computers option.
9. Configure the device naming template or cellular data settings if required, and click Next to proceed.
10. On the Setup Assistant page, update settings for “Department” & “Department Phone Number”.
11. Next, you can toggle the options to modify the Setup Assistant screens on the device during user setup.
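Before November it is worth knowing which of your existing profiles still rely on the Company Portal method, rather than opening each one in the portal. The script below is an added example of my own, not code from the post or from Intune: it audits a JSON dump of enrollment profiles and flags the ones that still need the authentication method switched, following the three states described in step 6 (no user affinity, Company Portal, Setup Assistant with modern authentication). The JSON shape and the property names (requiresUserAuthentication, enableAuthenticationViaCompanyPortal, requireCompanyPortalOnSetupAssistantEnrolledDevices, isSupervised, isDefault) are modelled on the Microsoft Graph beta depIOSEnrollmentProfile resource and should be treated as assumptions to verify against the API reference; the sample records are constructed.

```python
import json
from typing import Dict, List

# Constructed sample input, modelled on the JSON returned by the Graph beta call
# GET /deviceManagement/depOnboardingSettings/{id}/enrollmentProfiles.
# The property names are assumed for illustration; check them against the API
# documentation before relying on them.
SAMPLE_PROFILES_JSON = """
{
  "value": [
    {"id": "11111111-0000-0000-0000-000000000001",
     "displayName": "Corporate iPhones (legacy)",
     "requiresUserAuthentication": true,
     "enableAuthenticationViaCompanyPortal": true,
     "requireCompanyPortalOnSetupAssistantEnrolledDevices": false,
     "isSupervised": true,
     "isDefault": true},
    {"id": "11111111-0000-0000-0000-000000000002",
     "displayName": "Corporate iPhones (modern auth)",
     "requiresUserAuthentication": true,
     "enableAuthenticationViaCompanyPortal": false,
     "requireCompanyPortalOnSetupAssistantEnrolledDevices": true,
     "isSupervised": true,
     "isDefault": false},
    {"id": "11111111-0000-0000-0000-000000000003",
     "displayName": "Shared iPads (no user affinity)",
     "requiresUserAuthentication": false,
     "enableAuthenticationViaCompanyPortal": false,
     "requireCompanyPortalOnSetupAssistantEnrolledDevices": false,
     "isSupervised": false,
     "isDefault": false}
  ]
}
"""

LEGACY = "company_portal"
MODERN = "setup_assistant_modern_auth"
NO_AFFINITY = "no_user_affinity"


def classify_authentication(profile: Dict) -> str:
    """Map a profile's flags onto the three states described in step 6."""
    if not profile.get("requiresUserAuthentication", False):
        return NO_AFFINITY   # Enroll without User Affinity: no user authentication at all
    if profile.get("enableAuthenticationViaCompanyPortal", False):
        return LEGACY        # Company Portal in Single App Mode, removed November 2022
    return MODERN            # Setup Assistant with modern authentication


def audit_profiles(profiles_json: str) -> List[Dict]:
    """Return one finding record per profile with the follow-up actions for the admin."""
    profiles = json.loads(profiles_json).get("value", [])
    report = []
    for p in profiles:
        auth = classify_authentication(p)
        actions = []
        if auth == LEGACY:
            actions.append("switch the authentication method to Setup Assistant with modern authentication")
        if auth == MODERN and not p.get("requireCompanyPortalOnSetupAssistantEnrolledDevices", False):
            # The post requires Company Portal to be pushed as a mandatory app.
            actions.append("Company Portal is not required after Setup Assistant; push it as a required app")
        if p.get("requiresUserAuthentication") and not p.get("isSupervised", False):
            # Locked enrollment (step 7) is only available for supervised devices.
            actions.append("device is not supervised, so locked enrollment cannot be enforced")
        report.append({
            "id": p.get("id"),
            "displayName": p.get("displayName"),
            "isDefault": bool(p.get("isDefault", False)),
            "authentication": auth,
            "actions": actions,
        })
    return report


def profiles_needing_migration(profiles_json: str) -> List[str]:
    """Names of the profiles that still use the deprecated Company Portal method."""
    return [r["displayName"] for r in audit_profiles(profiles_json) if r["authentication"] == LEGACY]


if __name__ == "__main__":
    for row in audit_profiles(SAMPLE_PROFILES_JSON):
        flag = "DEFAULT " if row["isDefault"] else ""
        print(f"{flag}{row['displayName']}: {row['authentication']}")
        for action in row["actions"]:
            print(f"    -> {action}")
```

Run it against the JSON you export from the Graph call above (or paste the response into SAMPLE_PROFILES_JSON) and start with any profile marked DEFAULT, since that is the one newly synced devices will pick up.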
Sync managed devices
Now that Intune has permission to manage your devices, we have to synchronize Intune with Apple so that your managed devices appear in the Intune portal.
A delta sync runs automatically every 12 hours; however, we can also trigger a delta sync by selecting the Sync button (no more than once every 15 minutes). All sync requests are given 15 minutes to finish. The Sync button is disabled until a sync is completed.
Assign an enrollment profile to devices
(If you are modifying an existing profile, or if you do not want to add new devices to the profile, you can skip this step.)
If you have multiple enrollment profiles or do not have a default profile set, you will need to assign an enrollment program profile to devices before they can be enrolled.
- In the Intune portal, navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens. Select a token in the list.
- Select Devices. Select devices in the list, and then select Assign profile.
- Choose a device profile in the Assign profile pane, then select Assign.
We have everything in place now to distribute devices to users. However, before that, please take note of the following:
- User affinity devices require each user to be assigned an Intune license.
- An activated device needs to be wiped before it can enroll properly using ADE in
End User Experience
Let’s have a look at the device enrollment flow with both authentication methods.
1. Company Portal Authentication (old method)
2. Setup Assistant with Modern Authentication (Recommended):
Notice the difference: with Setup Assistant, authentication with Azure Active Directory (Azure AD) happens in the out-of-box experience (OOBE) during enrollment, before users reach the home screen.