Include Azure DRS in DEP Enrollment
Microsoft Partner here - One of the main reasons businesses look to utilize Apple's DEP Programme is to streamline their enrolment into an MDM server. Using the traditional approach as a business requires end users to create an Apple account for the sole purpose of downloading the MDM enrolment app, in our case Intune, and then follow a wizard.
Migrating 1000s of iOS devices using the company portal method in this manner is not effective, so DEP is a godsend to address this issue.
Unfortunately, when used with Intune and user affinity, the credentials are passed to the MDM server and the device is enrolled. This method however DOES NOT Azure Device Register the device, which means LOB applications, MFA and Conditional Access cannot be used, which are crucial to protecting users' data.
As a workaround, businesses then also get their users to download the company portal and enrol that way, meaning they are essentially enrolling in MDM twice. The pure definition of DEP is to provide a "Zero-touch configuration for IT"; this unfortunately is not the case for Intune, as enrolment has to happen automatically and manually, making DEP enrolment in Intune pointless.
In order to help businesses not only with the migration from a 3rd-party MDM such as AirWatch to Intune but also to minimise IT manual configuration, could you please change the enrolment process so devices using DEP and user affinity also register in Azure, so DEP works with Intune the way it was designed.
Stewart McLaughlan commented
An update on this: improvements are well under way to resolve this issue. The first round of improvements will be landing in your tenants in the next couple of weeks/months. "User Affinity" enrolment will now enrol the device with no association to the user, bypassing the Apple OOBE. The Company Portal app will automatically be pushed to the device using a back-end required deployment.
The user can then proceed to open the Company Portal and enrol, tying the user to the device.
This approach also means that MFA can be used in conjunction with enrolment, as MFA will be enforced when the user invokes the CP enrolment.
This is the first phase of improvements in this area. Read more about it here > https://docs.microsoft.com/en-us/intune/whats-new
Thanks for a well-written problem statement, Stewart. DEP + Intune currently is of little to no use.
Lem Harris commented
This is super important for us as we have over 1000 iOS and macOS devices.
Without the option to enroll Apple DEP devices into Azure AD devices, this is useless.
Lasse S. commented
+3 Just recently started using DEP with Intune, thinking I was now the almighty MDM king of the zero-touch deployment land. Then I noticed VPP apps did not install, then LOB apps. Didn't really find the documentation confirming what I believed, so I came looking here. And behold, DEP with Intune is almost useless.
Please make the change. With over 200 iPhone users and adding more, this is a problem now and is going to be a problem in the future when it is time to replace the phones.
You can push the Company Portal app automatically without the user having to create an Apple ID.
When I logged into my DEP-registered test device, my device was registered in AD, which allowed this to happen. I did find in my testing, however, that MFA being turned on for the test user prevented the initial DEP login from succeeding.
+1 This is uber important and critical to enabling an iOS enterprise with Intune and Office 365. MFA will be heavily utilized with Office 365 by many orgs here in the very near future. If MSFT engineers can get this working with Apple engineers for DEP, there would be many very happy and secure* MSFT enterprise customers.
This problem absolutely needs to be resolved. I can assure you it is counterproductive having an iOS device DEP'd and then having to get the user to put in an Apple ID and download Company Portal, then back to normal username and password to enrol the device in Company Portal. 2 enrolments required when the whole essence of DEP is to make life easy!
Rob Hardman commented
+1 - having to sit with quite a few of my end users to hand-hold them through the Company Portal setup part. This was precisely the opposite of what I wanted, hence why I enrolled in DEP in the first place. :(
William Bracken commented
Please make this change!
Dan Padgett commented
100 percent a problem; this limitation makes DEP useless.