October 30, 2022

Just in Time Registration for iOS/iPadOS

Just in Time, more commonly referred to as JIT, is a management philosophy that has been used across several industries for decades. “Waste” is taken in its most general sense and includes time, resources, and materials. JIT in production has many elements; applied to Mobile Device Management, the key features are:

  • Continuous Improvement
  • Set-up time reduction
  • Automation
  • Eliminating waste

Waste here refers to the total “non-value-adding time” in the device enrollment activity, i.e. everything between powering on the device and completing its enrollment. With the new JIT device registration, the Company Portal app is no longer required for Azure Active Directory (Azure AD) registration or for compliance checking. Microsoft has removed the non-value-adding steps: the mandatory Company Portal download that users could not skip, and the switching between apps to get the device compliant. The result is a shorter user flow and a reduced overall enrollment time.

So, let us check what has changed and how it will help with device enrollment.

The Move to Modern Authentication

A few months back, we all received a notification that the Company Portal authentication method will be removed from all new and existing iOS/iPadOS ADE enrollment profiles in November 2022.

I have also written a post with all the steps needed to enrol a device with modern authentication. You can follow that article to configure the ADE (DEP) profiles to use Setup Assistant with modern authentication.

Enrol Supervised iOS Devices With Modern Authentication With iOS16 – Intune – In Real Life (intuneirl.com)

Behind the Scenes: The Magic of SSO

Single sign-on is a way for the services that end users want to access to communicate with an identity provider that can confirm whether those end users are who they say they are. Once enabled, SSO lets users access multiple services after providing their credentials only once, rather than requiring them to sign in to each service individually.

With the new approach, as soon as the user completes enrollment in Setup Assistant and lands on the home screen, they sign in to a Microsoft Office app that is covered by the SSO extension policy. That sign-in registers the device with Azure AD and kicks off compliance evaluation. The compliance check is integrated into the Office app, so the device is evaluated for compliance as soon as the user authentication completes. This removes the unnecessary step of switching between multiple apps to make the device compliant.

The enrollment SSO is based on Apple’s extensible SSO and on account-driven user enrollment, which was introduced in iOS and iPadOS 15.

After the enrollment profile is downloaded, the first authentication happens in Setup Assistant; it completes the Intune enrollment and establishes user device affinity. The next authentication, inside a pre-authorized Office app, handles the Azure AD registration. Together they ensure that SSO is fully established across the device.

Configure JIT Registration for ADE

Create an iOS/iPadOS device configuration profile using the Device features template and select the Single sign-on app extension category.

  • Set the SSO app extension type to Microsoft Azure AD.
  • Add the App bundle IDs for all the apps, including the Microsoft Office apps, that you want the SSO extension to apply to.
    The first sign-in must go through an app that is configured with the SSO extension so that Azure AD registration can be completed. After that, the user is signed in to every app that is part of the SSO extension policy.
  • Add the required key/value pairs under Additional configuration. The Type column matters: the value is passed to the extension as that type, so an Integer entered as a String is a different setting.
    • Key: device_registration
      Type: String
      Value: {{DEVICEREGISTRATION}} (the value Microsoft documents for this key)
    • Key: browser_sso_interaction_enabled
      Type: Integer
      Value: 1
  • Assign the profile to the required group.

Once these configuration steps are complete, the user can finish setup and authentication on the device. They simply turn on the device, go through the Setup Assistant screens, and authenticate with their Azure AD credentials to fully enroll the device with Intune and establish user device affinity. When the user then signs in to a managed Microsoft Office app that is covered by the SSO extension, the app completes the Azure AD registration and SSO is established for every app in the policy.

Please ensure that the Microsoft Authenticator app is deployed as a required app to the same user group: Authenticator hosts the Microsoft Enterprise SSO plug-in that the Azure AD SSO app extension relies on, so without it there is nothing on the device for the profile to configure.
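To see what the portal settings above actually deliver to the device, and to check an exported profile before assigning it, here is an added example (not code from the original post or from Microsoft) that parses an iOS configuration profile with Python's plistlib and verifies the JIT registration settings. The sample profile is constructed inline: the payload keys are Apple's extensible SSO keys and the extension and team identifiers are the ones Microsoft documents for the Enterprise SSO plug-in, but the bundle IDs in it are sample data, and the assumption that the portal's App bundle IDs list appears as the AppAllowList key of ExtensionData is an assumption of this example.

```python
"""Check an iOS/iPadOS configuration profile (.mobileconfig plist) for the
Single sign-on app extension settings that JIT registration needs.

Added example, not code from the original post or from Microsoft. The sample
profile is constructed inline; the bundle IDs in it are sample data, and the
assumption that Intune's "App bundle IDs" list appears as the AppAllowList key
of ExtensionData is exactly that, an assumption.
"""
import plistlib

# Identifiers Microsoft documents for the Enterprise SSO plug-in (hosted by Authenticator).
AZURE_AD_EXTENSION_ID = "com.microsoft.azureauthenticator.ssoextension"
MICROSOFT_TEAM_ID = "SGGM6D27TK"
# Value Microsoft documents for the device_registration key.
DEVICE_REGISTRATION_TOKEN = "{{DEVICEREGISTRATION}}"

# Constructed sample: what an exported Intune SSO app extension profile looks like
# once the two JIT registration keys are added.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.extensiblesso</string>
      <key>ExtensionIdentifier</key><string>com.microsoft.azureauthenticator.ssoextension</string>
      <key>TeamIdentifier</key><string>SGGM6D27TK</string>
      <key>Type</key><string>Redirect</string>
      <key>URLs</key>
      <array><string>https://login.microsoftonline.com</string></array>
      <key>ExtensionData</key>
      <dict>
        <key>AppAllowList</key>
        <string>com.microsoft.Office.Outlook,com.microsoft.Office.Word</string>
        <key>device_registration</key><string>{{DEVICEREGISTRATION}}</string>
        <key>browser_sso_interaction_enabled</key><integer>1</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def sso_payloads(profile_bytes):
    """Return every com.apple.extensiblesso payload in the profile."""
    root = plistlib.loads(profile_bytes)
    return [p for p in root.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.extensiblesso"]


def check_jit_registration(profile_bytes, required_bundle_ids=()):
    """Return a list of findings; an empty list means the profile carries the
    JIT registration settings (extension, type and both ExtensionData keys)."""
    findings = []
    payloads = sso_payloads(profile_bytes)
    if not payloads:
        return ["no com.apple.extensiblesso payload in the profile"]
    sso = payloads[0]
    if sso.get("ExtensionIdentifier") != AZURE_AD_EXTENSION_ID:
        findings.append("ExtensionIdentifier is not the Microsoft Enterprise SSO plug-in")
    if sso.get("TeamIdentifier") != MICROSOFT_TEAM_ID:
        findings.append("TeamIdentifier is not Microsoft's team ID")
    if sso.get("Type") != "Redirect":
        findings.append("Type must be Redirect for the Azure AD extension")
    data = sso.get("ExtensionData", {})
    if data.get("device_registration") != DEVICE_REGISTRATION_TOKEN:
        findings.append("device_registration must be the String " + DEVICE_REGISTRATION_TOKEN)
    flag = data.get("browser_sso_interaction_enabled")
    # plistlib maps <integer> to int and <string> to str: a String "1" is not the Integer 1.
    if isinstance(flag, bool) or not isinstance(flag, int) or flag != 1:
        findings.append("browser_sso_interaction_enabled must be the Integer 1, got %r" % (flag,))
    allowed = {b.strip() for b in data.get("AppAllowList", "").split(",") if b.strip()}
    for bundle_id in required_bundle_ids:
        if bundle_id not in allowed:
            findings.append("bundle ID %s is not in AppAllowList" % bundle_id)
    return findings


def with_extension_data(profile_bytes, key, value):
    """Copy of the profile with one ExtensionData key changed (value None deletes it);
    used to reproduce the misconfigurations the checker is meant to catch."""
    root = plistlib.loads(profile_bytes)
    for payload in root["PayloadContent"]:
        if payload.get("PayloadType") == "com.apple.extensiblesso":
            if value is None:
                payload["ExtensionData"].pop(key, None)
            else:
                payload["ExtensionData"][key] = value
    return plistlib.dumps(root)


if __name__ == "__main__":
    for profile in (SAMPLE_PROFILE,
                    with_extension_data(SAMPLE_PROFILE, "browser_sso_interaction_enabled", "1")):
        print(check_jit_registration(profile, ["com.microsoft.Office.Outlook"]) or ["OK"])
```

Run it against a profile exported from Intune (or from the device's Settings > General > VPN & Device Management) and pass the bundle IDs of the Office apps your users sign in to first. The second run in the block deliberately turns browser_sso_interaction_enabled into a String "1", which is the mistake the Type column in the portal is there to prevent; the checker reports it instead of silently accepting a value the extension will not honour.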

Wrapping Up

This new JIT device registration feature is super cool. You should try it out and implement it, as it changes the way we have been enrolling ADE devices until now, and it gets users productive within minutes.