ChristianBartels-9322 asked (edited by nigelss)

Intune enrollment not starting in company portal app on iPad Pro

Hi,

I bought a new 2021 iPad Pro with M1 chip. It came out of the box with iPadOS 14.5 pre-installed. After the initial Apple setup (no DEP in use), I directly installed the company portal app and tried to enroll in our Intune instance, but after logging into the company portal app no enrollment prompt appears, and if you go to the Devices or Support tabs, they show light grey placeholder boxes instead of the actual tab content. (See screenshot below; the other tabs, like Apps, work fine.)

I thought maybe it’s a bug with iPadOS 14.5 and upgraded to 14.6 but that didn’t make a difference. I also tried logging out and back into the company portal, deleting and re-installing the app, restarting the iPad and various combinations of those steps - no luck.

Then I unenrolled an older (2018?) iPad Pro from Intune and tried to re-enroll it, which was successful. That iPad was still on iPadOS 14.4.2. I upgraded it to iPadOS 14.6 and now get the same issue there. I can’t get the enrollment process to start.

Then I asked a colleague who has an iPad Air 4th Gen which has never been enrolled and was on iPadOS 14.4.x as well. He installed the company portal app, logged in and was immediately prompted to enroll. He canceled enrollment, upgraded to iPadOS 14.6 and was still able to start the enrollment process.

I opened a ticket with Microsoft support last week but, other than 2 hours of troubleshooting and scratching our heads, no pointers to a solution yet.

Has anyone seen this issue?

(Screenshot attached to the original post; not reproduced here.)


mem-intune-enrollment

I'm having the same issue with several iPads from a customer, enrolled through DEP in this case. Tried wiping them several times, no luck.


We're also having the same problem. Not using DEP.
The problem seems to be on the user account.
One user could not enroll on both a new iPhone and a new iPad, but another user could enroll just fine on the same devices.


Yes, my testing from yesterday is also showing that it's related to the user account. Another user account was able to enroll the same devices which are failing for the affected account. Microsoft support did a comparison for the accounts and said there is some user role difference, but currently, if you go to Azure AD portal -> Users -> role assignment, it shows an error message that the roles can't be read. So I'm kind of stuck there, and honestly I'm not very confident that this will make a difference.
MS support also had me double-check the device count limit per user and remove outdated devices from the affected user account (didn't make a difference).


I think I've found the problem: something seems to have changed in the enrollment process, where something is now using the MS Graph API, which forces an MFA prompt that iOS can't handle during the enrollment process.

The following seems to fix it (at least for the users i tested it with):
Create a conditional access policy (doesn't seem to matter if your users are licensed for this or not) which excludes the following cloud apps (basically any you can find with Intune in the name):
Microsoft Intune
Intune Graph Application Export
Microsoft Intune Enrollment

And apply this policy to all iOS devices, excluding all other device types.


PS: the Intune Graph one is the one that made it work for us; just excluding the enrollment one had no effect.


This is the exact issue I had on one iOS device, except "Intune Graph Application Export" has now vanished from Conditional Access!


Has anyone had any luck with this? I’m also seeing it on one account.


No luck so far for me.

DeltaGold-8964, replying to MichaelStjernborg-5590:

A ticket to MS support seemed to clear this up for me.


1 Answer

nigelss answered (edited by nigelss)

I found a few issues (thanks also to @DouweRiepma-2901 for #2)...

  1. Our federation provider didn't support WS-Trust 1.3 and the MEX endpoints... we had to go back to AzureAD password-only authentication - https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-manual#set-up-issuance-of-claims

  2. We had to explicitly exclude the "Intune" and "Intune Enrollment" apps from MFA requirements so the MDM devices can register successfully in AzureAD via the Graph API

  3. For iOS native mail access: We also had to exclude MFA requirements for our MDM-compliant devices to allow "Apple Internet Accounts" for access to iOS native mail (for approved users)


So the conditional access policies used were:
1. MAM group - require app protection policy and approved client app (exclude MDM iOS native mail users)
2. MDM group - require MFA and compliant devices (exclude MDM iOS native mail users?, and exclude Intune/Enrollment apps)
3. Register or join cloud action requires MFA
4. iOS native mail users (also in MDM group) - require compliant devices for all cloud application access (excluding Intune/Enrollment apps) - "Apple Internet Accounts" only was not sufficient
5. Block all browsers and classic access on iOS and Android devices
6. Geo-block other regions

I'm not sure if I need to add iOS native mail users to the two groups in sequence - for CA policies #2 and #4 to apply successfully. If we don't do this, I guess this means we might end up with some users where we have not verified MFA but it will be on a per-exception basis.

Cheers,
Nigel
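Worked example, added here by the editor and not code from the question, the comments or nigelss's answer: a Microsoft Graph PowerShell script that first audits the tenant's existing Conditional Access policies for ones that require MFA on iOS for all cloud apps without excluding the Intune apps (the combination the thread describes), and then creates an iOS-scoped MFA policy that carries the exclusion. The two app IDs are the fixed first-party IDs for "Microsoft Intune" and "Microsoft Intune Enrollment"; the "Intune Graph Application Export" app mentioned in the comments has no ID on this page, so it is not included and would have to be added from the portal. The policy name, the user scope and the report-only state are assumptions for the example.

```powershell
# Editor's added example, not from the thread. Needs the Microsoft Graph PowerShell SDK:
#   Install-Module Microsoft.Graph.Identity.SignIns
# Policy.Read.All is enough for the audit; Policy.ReadWrite.ConditionalAccess for the create.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Well-known first-party app IDs; these do not vary per tenant.
$IntuneApps = @{
    "Microsoft Intune"            = "0000000a-0000-0000-c000-000000000000"
    "Microsoft Intune Enrollment" = "d4ebce55-015a-49b5-a083-c84d1797ae8c"
}

# --- 1. Audit: enabled policies that require MFA, target "All" cloud apps,
#        reach iOS (explicitly or via no platform condition / "all"),
#        and do not exclude both Intune apps.
$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    if ($p.State -ne "enabled") { continue }
    $requiresMfa = $p.GrantControls.BuiltInControls -contains "mfa"
    $allApps     = $p.Conditions.Applications.IncludeApplications -contains "All"
    $platforms   = $p.Conditions.Platforms.IncludePlatforms   # $null when no platform condition
    $hitsIos     = (-not $platforms) -or ($platforms -contains "all") -or ($platforms -contains "iOS")
    $excluded    = $p.Conditions.Applications.ExcludeApplications
    $missing     = $IntuneApps.GetEnumerator() |
                   Where-Object { $excluded -notcontains $_.Value } |
                   ForEach-Object { $_.Key }
    if ($requiresMfa -and $allApps -and $hitsIos -and $missing) {
        Write-Warning ("Policy '{0}' requires MFA on iOS but does not exclude: {1}" -f
                       $p.DisplayName, ($missing -join ", "))
    }
}

# --- 2. Create the iOS-only MFA policy with the Intune apps excluded.
#        Created in report-only mode so sign-in logs can be checked before enforcing.
$body = @{
    displayName   = "iOS - require MFA (Intune apps excluded)"   # assumed name
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @() }   # scope to a pilot group first
        applications   = @{
            includeApplications = @("All")
            excludeApplications = @($IntuneApps.Values)
        }
        platforms      = @{ includePlatforms = @("iOS"); excludePlatforms = @() }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$new = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
"Created policy '{0}' ({1}) in state {2}" -f $new.DisplayName, $new.Id, $new.State
```

Run the audit part on its own first: a warning names the existing policy that is forcing the MFA prompt during enrollment, and adding the two exclusions to that policy is usually a smaller change than introducing a new one. The exclusion only lifts MFA for calls to the Intune service apps themselves; a separate "Register or join devices" policy, as in nigelss's list, still keeps MFA on device registration.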













