MFA doesn't work with Apple DEP with Intune
We have Intune included as part of our licensing with O365. Our company requires that MFA is enabled. This, however, does not work when using Apple's Device Enrollment Program with Intune.
When a user has MFA enabled and is prompted for the username and password, it is returned that the credentials are invalid.
We have tried to use an application password to work around this, however this does not appear to be supported either.
Ideally, as the enrolled DEP device is a known endpoint, would it be possible, while having MFA enabled, to allow a logon to DEP/Intune without the MFA requirement, or to allow support for Application Passwords?
For us, this is a show stopper for using Intune!
As Charles says in the comments, this is solved – sort of. It’s one of those features that is gradually rolling out to tenants, so I’m setting the status to “release in progress”. Watch your Office Message Center (portal.office.com) for a notice from Intune that you’ve been migrated, and then it will work for you. When we’ve migrated everyone, I’ll call this complete, but in the meantime you get your votes back to go tell us what else is high on your list.
Thanks for all your feedback!
Ben Athawes commented
Is there any way of determining when this fix will hit a given tenant? Or at least when we should expect all tenants to be "migrated"?
How long will it take to roll this out to everyone? I've been waiting over a month.
Steve Mitchell commented
We tested this in our test tenant (made post Feb 7) and just got it in our production tenant. It's pretty neat! I can now sleep safer by enabling our enrollment restrictions knowing DEP is feeding Intune.
This is solved now
An update on this, improvements are well under way to resolve this issue. The first round of improvements will be landing in your tenants in the next couple of weeks/months. "User Affinity" enrolment now will enrol the device with no association to the user bypassing the Apple OOBE. The Company Portal app will automatically be pushed to the device using a back end required deployment.
The user can then proceed to open the company portal and enrol tying the user to the device.
This approach also means that MFA can be used in conjunction with enrolment as MFA will be enforced when the user invokes the CP enrolment.
This is the first phase of improvements in this area. Read more about it here > https://docs.microsoft.com/en-us/intune/whats-new
Terry Rose commented
My current MDMs, AirWatch and LANrev, handle this just fine. For now I will not be moving to Intune for any of my DEP devices. This needs to be fixed.
John Sweigart commented
Does anyone have any further updates on this?
We are enabling MFA for our company soon, but this will prevent users from using DEP when enrolling unless IT disables MFA temporarily and then turns it back on. This kind of defeats the point of DEP if the user still cannot enroll by themselves.
Yes, this is a no-brainer to allow this.
Hi All, Microsoft Partner here.
This is actually by design, as the device does not perform Azure Device Registration, which means that Conditional Access, MFA and other features cannot be used with DEP devices until the device is also enrolled via the traditional Company Portal method. At the moment this completely defeats the object of DEP, 'Providing a 0 touch MDM enrollment process'.
After speaking to Microsoft, they have said that they would be happy to look into making the device register in Azure but would like to see the demand for this.
If you would like to see the enrollment process requiring DEP only and not needing the Intune Company Portal, then please vote at the following link.
Michael Uribe commented
Is there any hope of this issue being addressed?
Matt Endres commented
We are facing the same issue. Every time a user goes to enroll a new device in DEP with user affinity required, we are currently required to disable MFA on that user's account. If they could make it prompt on an existing device or call the primary number, that would be perfect.
I was happy enough for DEP not to require MFA, as to enrol you technically already have something we know about.
I believe that for DEP to support MFA will require changes from Apple. However, Microsoft should provide the function to either:
- Allow DEP enrollment to be excluded from MFA
- Allow DEP enrollment to make use of App Passwords
Either option would work for us.
Tyler Klobassa commented
I have talked to both Microsoft (who say it doesn't support DEP login with MFA currently) and Apple, who state that this is something Microsoft has to figure out with their system.
When you have DEP enabled, it will push the device to a targeted MDM. Going through the initial setup on an iOS device, it will eventually hit a screen saying "Your company is going to take over management of the device"; after clicking Next it will ask for credentials.
With our Intune setup: a user would enter their AD creds, then, since MFA is turned on, it should ask for a code. However, these processes do not currently work together. Both MFA and DEP are ideal security features that we want to retain. However, if you want to set up the DEP device for a user, their MFA would currently have to be turned off, which is not ideal.
There has to be a way to connect the two so that they can work together. I don't understand how Microsoft can recommend to enforce MFA but then provide DEP where MFA isn't supported.
You might be right, but surely app passwords could be made to work?
Iain Fairbairn commented
The frustrating thing is you can switch on MFA in Hybrid CM2012/Intune, but only for Windows 8.1 or greater or Windows 8.1 Mobile or greater, not iOS or Android. My understanding is that this is more an issue of Apple DEP not being good at supporting MFA rather than something MS can supply.
This is actually quite a complex piece. DEP actually enrolls the device in MDM, which is different from the usual Company Portal join, which is user driven.
This issue also comes up quite a bit when using Conditional Access, as it believes the device isn't enrolled. A workaround for this is to also go and register via the traditional method, 'Company Portal'. May be worth a try in the interim to see if that helps you?
Microsoft recommends that IT systems administrators enforce Multi-Factor Authentication in their latest Password Guidance document here: https://www.microsoft.com/en-us/research/publication/password-guidance/. Surely Microsoft's current products should support MFA.