User Affinity

When you enable "Enroll with User Affinity", the experience upon first booting a fresh machine is to get the standard remote management screen as below. [!NOTE] Requires that the Company Portal has already been added to the VPP token. If it's not unassigned, it won't be reimported to Intune until the full sync is run. You use the Apple Business Manager or Apple School Manager portal to create a token. Enroll with User Affinity with CP VPP will use the synced token from Apple DEP and for security, we use Company Portal as an authentication method.

If using ADFS and the enrollment profile has Authenticate with Company Portal instead of Setup Assistant set to No, WS-Trust 1.3 Username/Mixed endpoint is required. This screen gives the user the option to restore or transfer data from iCloud Backup when they set up the device. You may want to provide this access to let users choose which corporate apps they wish to use on their device or to use modern authentication to complete the enrollment process. [!NOTE] There are a few pre-requirements that need to be completed if you want to use co-management, and the most important one is that you need to have your MDM authority in Intune set to Intune. Such devices must have the Supervised Management Mode set to Yes. You can now distribute devices to users. I'm also a Microsoft Certified Trainer and Microsoft MVP in Enterprise Mobility. To solve this, Microsoft has released a new PowerShell Cmdlet (Switch-MdmDeviceAuthority), that you can use to switch between Configuration Manager and Intune management authority. Learn how to enroll corporate-owned iOS/iPadOS devices using the Device Enrollment Program. When we enrolled the iPads using DEP (with or without user affinity – more on that later on) and assigned them to different groups in Intune, the iPads in about 2/3 of the cases end up in either wrong group, the default group or in “Ungrouped devices”. You can specify a template format that includes the device type and serial number. Multi-factor authentication isn't supported on a single device locked in Single App Mode. You'll see the confirmation that the token was renewed. You can use this Apple ID to renew your DEP token. An activated device can't apply an enrollment profile until the device is wiped. Hello everyone, today we have an article from Intune Support Engineer Saurabh Sarkar. Choose Yes for Run Company Portal in Single App Mode until authentication to set this option.
You can set up Intune to enroll iOS/iPadOS devices purchased through Apple's Device Enrollment Program (DEP). These aren't supported when authenticating with Apple Setup Assistant. When Select where users must authenticate is set to Company Portal, make sure that the device enrollment process is performed within the first 24 hours of the Company Portal being downloaded to the DEP device. prompt users who need to change their password when they first sign in, prompt users to reset their expired passwords during enrollment. The certificate was. To ensure that the Company Portal app continues to be updated after enrollment, make sure that you have configured an app deployment in Intune (Intune > Client Apps). Just remember that you should have only one default for all devices. My name is Ronni Pedersen and I'm currently working as a Cloud Architect at APENTO in Denmark.

The following are general prerequisites for you to enable co-management: See all the requirements here: https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview. Dedicated device is a Corporate enrolment method for shared devices without user affinity i.e. You can give users access to the Company Portal app on a DEP device. During a full sync, Intune fetches the complete updated list of serial numbers assigned to the Apple MDM server connected to Intune. Devices with user affinity require each user to be assigned an Intune license. The PKCS profile was deployed from Intune to a device group that had the correct information pertaining to Template name, Cert expiry, CA FQDN and CA Friendly Name. Choose if you want locked enrollment for devices using this profile. An iOS/iPadOS device in supervised mode can be managed with more controls, such as block screen capture and block installing apps from App Store. To create a naming template, select Yes under Apply device name template. When the user turns on the device, Setup Assistant, which includes the typical out-of-box-experience for Apple products, runs with preconfigured settings and the device enrolls into management.