This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi,
I bought a new 2021 iPad Pro with M1 chip. It came out of the box with iPadOS 14.5 pre-installed. After the initial Apple setup (no DEP in use), I directly installed the company portal app and tried to enroll in our Intune instance but after logging into the company portal app, no enrollment prompt is coming and if you go to the Devices or Support tabs, they show light grey placeholder boxes instead of the actual tab content. (See screenshot below, the other tabs like Apps work fine)
I thought maybe it’s a bug with iPadOS 14.5 and upgraded to 14.6 but that didn’t make a difference. I also tried logging out and back into the company portal, deleting and re-installing the app, restarting the iPad and various combinations of those steps - no luck.
Then I unenrolled an older (2018?) iPad Pro from Intune and tried to re-enroll it which was successful. That iPad was still on iPadOS 14.4.2. Upgraded to iPadOS 14.6 and now getting there the same issue. I can’t get the enrollment process to start.
Then asked a colleague who has an iPad Air 4th Gen which has never been enrolled and was on iPadOS 14.4.x as well. He installed the company portal app, logged in and directly was prompted to enroll. He canceled enrollment, upgraded to iPadOS 14.6 and was still able to start the enrollment process.
I opened a ticket with Microsoft support last week but other than 2 hours of trouble shooting and scratching our heads, no pointers to a solution yet.
Has anyone seen this issue?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 30%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDR%3C/text%3E%3C/svg%3E)
i'm having the same issue with several ipads from a customer, enrolled through DEP in this case, tried wiping them several imes, no luck.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 50%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
We're also having the same problem. Not using DEP.
The problem seams to be on the user account.
One users could not enroll on both a new iphone and a new iPad, but another user could enroll just fine on the same devices.
Yes, my testing from yesterday is also showing that it's related to the user account. Another user account was able to enroll the same devices which are failing for the affected account. Microsoft support did a comparison for the accounts and said there is some user role difference but currently if you go to Azure AD portal -> Users -> role assignment, it shows an error message, that the roles can't be read. So, kind of stuck there and honestly I'm not very confident that this will make a difference.
MS support also had me double check the device count limit per user and remove outdated devices from the affected user account. (didn't make a difference)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 59%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Has anyone had any luck with this? I’m also seeing it on one account.
No luck so far for me.
A ticket to MS support seemed to clear this up for me.
I think i've found the problem, something seems to have changed in the enrollment process, where something is now using the MS Graph API, which forces an MFA prompt, which iOS can't handle during the enrollment process.
The following seems to fix it (at least for the users i tested it with):
Create a conditional access policy (doesn't seem to matter if your users are licensed for this or not) which excludes the following cloud apps (basically any you can find with intune in the name):
Microsoft Intune
Intune Graph Application Export
Microsoft Intune Enrollment
And apply this policy to all iOS devices, excluding all other device types.
ps, the intune graph one is the one that made it work for us, just excluding the enrollment had no effect.
What did they do?
Looks like company portal version 4.17.3 solves the problem. Was released yesterday.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 82%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENS%3C/text%3E%3C/svg%3E)
This is the exact issue I had on one iOS device, except "Intune Graph Application Export" has now vanished from Conditional Access!
I found a few issues (thanks also to @Douwe Riepma for #2)...
So the conditional access policies used were:
I'm not sure if I need to add iOS native mail users to the two groups in sequence - for CA policies #2 and #4 to apply successfully. If we don't do this, I guess this means we might end up with some users where we have not verified MFA but it will be on a per-exception basis.
Cheers,
Nigel