Include Azure DRS in DEP Enrollment
Microsoft Partner here - One of the main reasons businesses look to utilize Apple's DEP Programme is to streamline their enrolment into an MDM server. Using the traditional approach as a business requires end users to create an Apple account for the sole purpose of downloading the MDM enrolment app, in our case Intune, and then follow a wizard.
Migrating 1000s of iOS devices using the Company Portal method in this manner is not effective, so DEP is a godsend to address this issue.
Unfortunately, when used with Intune and user affinity the credentials are passed to the MDM server and the device is enrolled. This method however DOES NOT Azure Device Register the device which means LOB applications, MFA and Conditional Access cannot be used which are crucial to protecting user’s data.
As a workaround, businesses then also get their users to download the Company Portal and enrol that way too, meaning they are essentially enrolling in MDM twice. The pure definition of DEP is to provide a "Zero-touch configuration for IT"; this unfortunately is not the case for Intune, as enrolment has to happen automatically and manually, making DEP enrolment in Intune pointless.
In order to help businesses not only with the migration from a 3rd party MDM such as Airwatch to Intune but also minimise IT manual configuration, could you please change the enrolment process so devices using DEP and user affinity also register in Azure, so DEP works with Intune the way it was designed.
Currently it is possible to use DEP without iTunes - using sign in via the Apple Setup Wizard (Company Portal doesn't even need to be signed in, unless you need the Company App Store), but with many caveats:
1. Deployments require a dynamic group in Azure, containing the DEP devices
(device.enrollmentProfileName -eq "<DEPProfileName>")
2. Enrol with User Affinity, but Authenticate with Company Portal instead of Apple Setup Wizard = NO
3. MFA isn't set to Enabled for the identity (e.g. it is disabled/Conditional Access controlled)
4. ALL Required deployments are VPP and deployed as Device based licence
5. There are NO required deployments to the user only Available ones
This has worked in testing for my organisation on accounts with Conditional Access/MFA when CA requires it.
The current sticking point looks to be that so long as you use Company Portal for the authentication, Intune forces you to sign into iTunes to download Company Portal, thus defeating one of the outstanding features of DEP...
Doing it this way you can sign into Company Portal later if required. If it is the VPP version deployed to the device then it doesn't need iTunes login.
After about 15 minutes they check in and sync compliance and policies (but you can force sync via console to make it faster).
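Caveat 1 above needs an Azure AD dynamic device group built on the membership rule quoted in the post. The following is an added example (not from the thread or from Microsoft) that creates that group with the AzureAD PowerShell module and then lists what the rule has pulled in; it assumes an already-authenticated session (Connect-AzureAD), and "<DEPProfileName>" is a placeholder for your own DEP enrollment profile name.

```powershell
# Added example: create the dynamic device group that caveat 1 requires.
# Assumes the AzureAD module and an active Connect-AzureAD session.
# "<DEPProfileName>" is a placeholder; use the exact Intune DEP enrollment profile name.
$profileName = "<DEPProfileName>"

# The membership rule exactly as given in the post, with the profile name substituted.
$rule = "(device.enrollmentProfileName -eq `"$profileName`")"

$group = New-AzureADMSGroup `
    -DisplayName "iOS DEP devices - $profileName" `
    -Description "Devices enrolled through DEP profile '$profileName' (dynamic membership)" `
    -MailEnabled $false `
    -MailNickname "iosdepdevices" `
    -SecurityEnabled $true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Dynamic membership is evaluated asynchronously, so run this check a few minutes later.
# Only devices that came in through the DEP profile should appear; anything else means the
# profile name in the rule does not match what Intune stamped on the device object.
Get-AzureADGroupMember -ObjectId $group.Id -All $true |
    Select-Object DisplayName, DeviceId
```

Target the VPP device-licensed required deployments (caveat 4) at this group rather than at a user group, so the apps land before any user signs in.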
eric kerkdijk commented
Any updates on this? DEP and Android Zero Touch are must-haves if Microsoft considers itself a serious MDM solution. Learn some more from the Airwatch guys and implement this please. With hundreds of different devices this process has to be fully automated.
Stewart McLaughlan commented
An update on this, improvements are well under way to resolve this issue. The first round of improvements will be landing in your tenants in the next couple of weeks/months. "User Affinity" enrolment now will enrol the device with no association to the user bypassing the Apple OOBE. The Company Portal app will automatically be pushed to the device using a back end required deployment.
The user can then proceed to open the company portal and enrol tying the user to the device.
This approach also means that MFA can be used in conjunction with enrolment as MFA will be enforced when the user invokes the CP enrolment.
This is the first phase of improvements in this area. Read more about it here > https://docs.microsoft.com/en-us/intune/whats-new
Thanks for a well written problem statement Stewart. DEP + Intune currently is of little to no use.
Lem Harris commented
This is super important for us as we have over 1000 iOS and macOS devices.
Without the option to enroll Apple DEP devices into Azure AD devices, this is useless.
Lasse S. commented
+3 Just recently started using DEP with Intune, thinking I was now the almighty MDM king of the zero touch deployment land. Then I noticed VPP apps did not install, then LOB apps. Didn't really find the documentation confirming what I believed, so I came looking here. And behold, DEP with Intune is almost useless.
Please make the change. With over 200 iPhone users and adding more, this is a problem now and is going to be a problem in the future when it is time to replace the phones.
You can push the Company Portal app automatically without the user having to create an Apple ID.
When I logged into my DEP registered test device my device was registered in AD, which allowed this to happen. I did find in my testing, however, that MFA being turned on for the test user prevented the initial DEP login from succeeding.
+1 This is uber important and critical to enabling an iOS Enterprise with Intune and Office 365. MFA will be heavily utilized with Office 365 by many orgs here in the very near future. If MSFT Engineers can get this working with Apple Engineers for DEP there would be many very happy and secure* MSFT Enterprise Customers.
This problem absolutely needs to be resolved. I can assure you it is counter productive having an iOS device DEP'd and then have to get the user to put in an Apple ID and download Company Portal - then back to normal username and password to enrol the device in Company Portal. 2 enrolments required when the whole essence of DEP is to make life easy!
Rob Hardman commented
+1 - having to sit with quite a few of my end users to handhold them through the Company Portal set up part. This was precisely the opposite of what I wanted, hence why I enrolled in DEP in the first place. :(
William Bracken commented
Please make this change!
Dan Padgett commented
100 percent a problem, this limitation makes DEP useless.