iOS or iPadOS device is stuck on an enrollment screen
This article fixes an issue where iOS/iPadOS devices are stuck on a Microsoft Intune enrollment screen for more than 10 minutes. An enrolling device may get stuck in either of two screens:
- Awaiting final configuration from "Microsoft"
- Guided Access app unavailable. Please contact your administrator.
There are two potential causes for this issue:
- There's a temporary outage with Apple services.
- iOS/iPadOS enrollment is set to use VPP tokens (as shown in the table below) but there's something wrong with the VPP token.
|User Affinity||Enroll with User Affinity|
|Authenticate with Company Portal instead of Apple Setup Assistant||Yes|
|Install Company Portal with VPP||Use token: token address|
|Run Company Portal in Single App Mode until authentication||Yes|
To fix the problem, complete the procedures in this section:
- Determine if there's something wrong with the VPP token and fix it.
- Identify which devices are blocked.
- Wipe the affected devices.
- Tell the user to restart the enrollment process.
Determine if there's something wrong with the VPP token
- In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS enrollment > Enrollment program tokens > token name > Profiles > profile name > Manage > Properties.
- Review the properties to see if any errors similar to the following appear:
- This token has expired.
- This token is out of Company Portal licenses.
- This token is being used by another service.
- This token is being used by another tenant.
- This token was deleted.
- Fix the issues for the token.
Identify which devices are blocked by the VPP token
- In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOSk > iOS enrollment > Enrollment program tokens > token name > Devices.
- Filter the Profile status column by Blocked.
- Make a note of the serial numbers for all the devices that are Blocked.
Remotely wipe the blocked devices
After you've fixed the issues with the VPP token, you must wipe the devices that are blocked.
- In the Microsoft Endpoint Manager admin center, choose Devices > All devices > Columns > Serial number > Apply.
- For each blocked device, choose it in the All devices list and then choose Wipe > Yes.
Tell the users to restart the enrollment process
After you've wiped the blocked devices, you can tell the users to restart the enrollment process.