This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.
In April, we announced a new authentication method for Automated Device Enrollment (ADE) which is Setup Assistant with modern authentication. This new authentication method is available for iOS/iPadOS devices running 13.0 and later and for macOS devices running 10.15 and later in Microsoft Endpoint Manager. For details on this authentication method, see our previous post: Setup Assistant with Modern Auth for ADE (iOS/iPadOS 13+ and macOS 10.15+) - Intune Public Preview.
After a user enrolls a device with Setup Assistant with modern authentication, the home screen appears and they can freely use the device while apps and policies are delivered. Dynamic Azure Active Directory (Azure AD) grouping might not complete upon the first check-in after enrollment since all targeted devices or users are evaluated for applicable policies and apps. By default, newly enrolled devices automatically checks in with Intune every 15 minutes for 1 hour, and then around every 8 hours, and therefore some policies and apps might not apply/install until that next check-in. To ensure that policies and apps are delivered to a device upon initial post-enrollment check-in, use filters to narrow the assignment scope of a policy.
Depending on the number of apps and policies you deploy to your user groups, not all of them might apply to devices immediately after enrollment. However, filters will significantly speed up the delivery to devices once enrollment is complete, and prior to user authentication in the Company Portal app.
Apply a filter to an ADE enrollment profile
For automated device enrollment scenarios where the authentication method is Setup Assistant with modern authentication, you can create a filter rule based on the enrollment profile name (enrollmentProfileName). You can filter on other properties, such as DeviceName, to include/exclude user groups or devices with device configuration policies, endpoint security policies, and applications, to achieve the same outcome. For information on supported workloads, see List of platforms, policies, and app types supported by filters in Microsoft Endpoint Manager.
Important: Don’t change the name of the enrollment profiles you are using with filters, otherwise the targeting will not apply.
- Create and configure an enrollment profile for iOS/iPadOS or macOS automated device enrollment with user affinity, and with Setup Assistant with modern authentication as the authentication method. Then, sync your managed devices and assign the enrollment profile as you normally would for ADE. In this example we’ll use the profile name as “SA with modern auth”.
- Complete the applicable steps for ADE enrollment:
- Create a filter for iOS/iPadOS or macOS devices with the property enrollmentProfileName that equals the ADE enrollment profile name you configured with Setup Assistant with modern auth has been configured. See the Intune documentation for detailed information on filter properties.
- As you create policies and app assignments, you can apply the filter to user groups, and include or exclude devices based on the enrollment profile name.
For this example, the filter targets the user group "Contoso Pilot Group” and the mode is set to “Include” only the devices that have an enrollmentProfileName of "SA with modern auth”.
- Once the device completes Setup Assistant and enrollment, the home page appears and the user will see targeted apps installing, including the Company Portal app on iOS/iPadOS.
If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.