This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.
Setup Assistant with Modern Authentication for Automated Device Enrollment (ADE) was the planned replacement for the ADE enrollment flow and is the Apple supported path to require auth before ADE enrollment. Using Modern Auth is now an OS provided WebView and thus it should be more consistent, stable, and reliable than the Setup Assistant (legacy) path.
We anticipated we’d provide a transition period to move from the Setup Assistant (legacy) for ADE to the new enrollment flow for iOS/iPadOS and had planned on providing time and guidance for a staged migration path. However, what we discovered working with Apple on this incident is that Apple removed the functionality in 14.6 that we used for the Setup Assistant (legacy) for ADE enrollment path. This break in flow for Single App Mode is described in the incident post and has led to an expedited move.
Once you move to Setup Assistant with Modern Auth, outside of the better performance, you’ll find one difference that we have plans to address in an upcoming release. The Azure Active Directory device registration will need to be completed in the Company Portal by the end user. Generally, the user will be prompted to the Company Portal when Conditional Access requires a compliant device. You can also provide users instructions for how to launch the Company Portal manually where they will be prompted to complete the registration after signing in. The device is still managed and secure in this flow; they won’t have access to resources and policy will be applied as expected, including Single App Mode.
To move to Setup Assistant with Modern Auth for Automated Device Enrollment, you can either :
- Edit your existing ADE policy to use the “Setup Assistant with modern authentication” for authentication. See the screen shot below for where you’ll select this in your exiting profile.
- Alternatively, you can create a new authentication policy using Setup Assistant with Modern Auth.
Again, all existing enrollments are not affected as they’ve already authenticated and enrolled. This is a new enrollment flow with modern auth moving forward using ADE and Single App Mode.
- Using filters with Setup Assistant with modern auth for ADE for corporate iOS/iPadOS/macOS devices - Microsoft Tech Community
- Setup Assistant with Modern Auth for ADE (iOS/iPadOS 13+ and macOS 10.15+) - Intune Public Preview - Microsoft Tech Community
- Enroll iOS/iPadOS devices by using ADE - Microsoft Intune | Microsoft Docs
Prior post content, updated -
Here's the scenario: User’s automated device enrollment (ADE) through the Company Portal isn't enforcing Single App Mode for devices running iOS/iPadOS 14.6 and later. What this means is that if you select single app mode, and the device runs into this issue, instead of just showing the Company Portal during enrollment, it’s allowing full access to the device, such as the Home Screen and App Library. Users could go to a browser, for example, and access web resources. Any user-targeted settings will not be applied until the user authenticates using the Company Portal. If devices go to sleep while in this state, they may appear to freeze by no longer accepting input through touch or button press.
Devices affected: New enrollments only; existing devices are not impacted. This affects not all, but many models running iOS/iPadOS version 14.6 and later and enrolling through the ADE flow with Single App Mode until authentication enabled.
Not affected: Customers using Setup Assistant with Modern Authentication for ADE.
Workarounds: There is one workaround – 1) A force restart of the device when it gets stopped in the enrollment process typically returns it to single app mode as expected.
Blog post updates
- 8/20/2021 with additional details