Set up just in time registration in Microsoft Intune

מאמר
01/23/2024

Applies to iOS/iPadOS

Set up just in time (JIT) registration in Microsoft Intune to enable device users to initiate and complete device enrollment from a work or school app. The Intune Company Portal isn't required when using JIT registration. Instead, JIT registration utilizes the Apple single sign-on (SSO) extension to complete Microsoft Entra registration and compliance checks. Registration and compliance checks can be fully integrated in a designated Microsoft or non-Microsoft app that's configured with the Apple single sign-on (SSO) app extension. The extension reduces authentication prompts during the device user's session and establishes SSO across the whole device.

This article describes how to enable JIT registration by creating an SSO app extension policy in the Microsoft Intune admin center.

Prerequisites

JIT registration is supported with the following enrollment types:

Apple user enrollment: Account driven user enrollment
Apple device enrollment: Web-based device enrollment
Apple automated device enrollment: For enrollments that use Setup Assistant with modern authentication as the authentication method.

Best practices for SSO configuration

The user's first sign-in after they reach the home screen has to happen in a work or school app that's configured with the SSO extension. Otherwise, Microsoft Entra registration and compliance checks can't be completed. We recommend that you point employees to the Microsoft Teams app. The app is integrated with the latest identity libraries and provides the most streamlined experience from the user's home screen.
The SSO extension automatically applies to all Microsoft apps, so to avoid authentication problems, don't add the bundle IDs for your Microsoft apps to your policy. You only need to add non-Microsoft apps.
Don't add the bundle ID for the Microsoft Authenticator app to your SSO extension policy. Since it's a Microsoft app, the SSO extension will automatically work with it.

Set up JIT registration

Create a single sign-on app extension policy that uses the Apple SSO extension to enable just-in-time (JIT) registration.

Sign in to the Microsoft Intune admin center.
Create an iOS/iPadOS device configuration policy under Device features > Category > Single sign-on app extension.
For SSO app extension type, select Microsoft Entra ID.
Add the app bundle IDs for any non-Microsoft apps using single sign-on (SSO). The SSO extension automatically applies to all Microsoft apps, so to avoid authentication problems, don't add Microsoft apps to your policy.

Don't add the Microsoft Authenticator app to the SSO extension either. That app is added later in an app policy.
Under Additional configuration, add the required key-value pair. Remove trailing spaces before and after the value and key. Otherwise just-in-time registration won't work.
- Key: device_registration
- Type: String
- Value: {{DEVICEREGISTRATION}}
(Recommended) Add the key-value pair that enables SSO in the Safari browser for all apps in the policy. Remove trailing spaces before and after the value and key. Otherwise just-in-time registration won't work.
- Key: browser_sso_interaction_enabled
- Type: Integer
- Value: 1
Select Next.
For Assignments, assign the profile to all users, or select specific groups.
Select Next.
On the Review + create page, review your choices, and then select Create to finish creating the profile.
Go to Apps > All apps and assign Microsoft Authenticator to groups as a required app. For more information, see Add apps to Microsoft Intune and Assign apps to groups.

Next steps

Create an enrollment profile for enrolling devices. The enrollment profile triggers the device user's enrollment experience, and enables them to initiate enrollment. For information about how to create a profile for supported enrollment types, see the following resources: