Adding users to Mobile Device Management Issue - Enrollment Problems
We are in the process of setting up Office 365 Mobile Device Management. We've created an MDM policy, created a security group and associated this group with the newly created MDM policy. We have added about 10 users to run as a pilot test.
There have been a number of scenarios which have occurred whilst setting end user devices up.
- Add the user to the security group associated against MDM policy. The user receives the enrollment email, and email stops syncing with Office 365 mailbox on device until they successfully complete the enrollment process.
This is what you expect to happen.
- Add user to the security group associated against the MDM policy. The user does not receive enrollment email straight away. Enrollment email is received days later. Then follow the process in step 1.
Q. Why such a delay in receiving enrollment email?
- Add user to the security group associated against the MDM policy. The user does not receive enrollment email into current mail setup, i.e. iOS built-in mail app. I then remove the mailbox from device, set it up again, enrollment email arrives as 1st email, no email sync until successful completion of enrollment process.
Q. Why did I have to set up the mailbox on the device again to receive enrollment email?
- Add user to the security group associated against the MDM policy. The user does not receive enrollment email; re-setting up mailbox on device does not receive the enrollment email. Though if I set up a new email profile for that user on another device, which is the same model, the enrollment email is there, but whatever I do on the user's existing device, no enrollment email is received.
The only way I have got round this is by downloading the company app and following the enrollment process manually.
Step 1 in this ticket is what I would expect to happen.
There seem to be a couple of bugs in the system.
Robin Makkus commented
I have this same situation where users don't receive the enrollment e-mail. Removing and reinstalling the e-mail account on the device does prompt them to enroll, but it's not clear what'll happen with users that have their e-mail configured and get added to the MDM policy.
Chris Bannister commented
Exactly what is happening over here as well.
Same here. Added security group to the policy. User can receive mail without the policy actually being applied.
I’m curious as to whether you got any feedback outside of this forum or managed to work it out yourself as I am experiencing similar problems. It's so hit and miss as to whether the device actually enrols that in its current state there's no way I can deploy this out into a production environment.
A 5th scenario I frequently experience goes like this: Solid broadband connection tested in multiple locations. Clean device (iOS 9.2). Download company portal. Log in successfully, install policy and get confirmation that device is enrolled. No email profile is configured. Go into O365 MDM management portal (Intune) and check for enrolled devices but none exist. Sometimes the device will appear as enrolled within a few hours but on occasion I have left it overnight and it’s still not registered.
More concerning than inconsistent device enrolment and activation is removal, full wipe and selective wipe. Sometimes after doing a wipe (selective or full) I can continue to use the device for hours / days before the action is applied. On a couple of occasions the security policy has been removed, the company portal application shows as no longer enrolled, and the device is not listed in O365 portal, yet the device is still able to send and receive email. This is a security and compliance nightmare. Unmanaged insecure devices that are invisible to the administrator.