Using filters with Setup Assistant with modern auth for ADE for corporate iOS/iPadOS/macOS devices

This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.

In April, we announced a new authentication method for Automated Device Enrollment (ADE): Setup Assistant with modern authentication. This authentication method is available for iOS/iPadOS devices running 13.0 and later and for macOS devices running 10.15 and later in Microsoft Endpoint Manager. For details on this authentication method, see our previous post: Setup Assistant with Modern Auth for ADE (iOS/iPadOS 13+ and macOS 10.15+) - Intune Public Preview.

After a user enrolls a device with Setup Assistant with modern authentication, the home screen appears and they can freely use the device while apps and policies are delivered. Dynamic Azure Active Directory (Azure AD) grouping might not complete upon the first check-in after enrollment, since all targeted devices or users are evaluated for applicable policies and apps. By default, newly enrolled devices automatically check in with Intune every 15 minutes for 1 hour, and then around every 8 hours, so some policies and apps might not apply or install until the next check-in. To ensure that policies and apps are delivered to a device upon the initial post-enrollment check-in, use filters to narrow the assignment scope of a policy.

Depending on the number of apps and policies you deploy to your user groups, not all of them might apply to devices immediately after enrollment. However, filters will significantly speed up the delivery to devices once enrollment is complete, and prior to user authentication in the Company Portal app.

 

Apply a filter to an ADE enrollment profile

For automated device enrollment scenarios where the authentication method is Setup Assistant with modern authentication, you can create a filter rule based on the enrollment profile name (enrollmentProfileName). You can filter on other properties, such as DeviceName, to include/exclude user groups or devices with device configuration policies, endpoint security policies, and applications, to achieve the same outcome. For information on supported workloads, see List of platforms, policies, and app types supported by filters in Microsoft Endpoint Manager.

 

Important: Don’t change the name of the enrollment profiles you are using with filters; otherwise, the targeting will not apply.

  1. Create and configure an enrollment profile for iOS/iPadOS or macOS automated device enrollment with user affinity, and with Setup Assistant with modern authentication as the authentication method. Then, sync your managed devices and assign the enrollment profile as you normally would for ADE. In this example, we’ll use the profile name “SA with modern auth”.

    Enrollment and management settings for iOS/iPadOS devices.

  2. Complete the applicable steps for ADE enrollment:
  3. Create a filter for iOS/iPadOS or macOS devices with the property enrollmentProfileName that equals the name of the ADE enrollment profile you configured with Setup Assistant with modern auth. See the Intune documentation for detailed information on filter properties.

    Example of Filter property and value settings.

  4. As you create policies and app assignments, you can apply the filter to user groups, and include or exclude devices based on the enrollment profile name.

    For this example, the filter targets the user group “Contoso Pilot Group” and the mode is set to “Include”, so that only the devices that have an enrollmentProfileName of “SA with modern auth” are included.

    Example policy setting of applying a user group with a filter applied.

  5. Once the device completes Setup Assistant and enrollment, the home page appears and the user will see targeted apps installing, including the Company Portal app on iOS/iPadOS.
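
Because a filter stops matching as soon as the enrollment profile it names is renamed, it is worth checking filter rules against the current profile names from time to time. The following is an added example, not part of the original post or Microsoft's tooling: it assumes you have already collected your filter rules and enrollment profile names, and the dict layout and all sample names and rules are constructed for illustration.

```python
import re

# Constructed sample data, not exported from a real tenant.
# Names of the ADE enrollment profiles that currently exist.
ENROLLMENT_PROFILES = ["SA with modern auth", "Kiosk iPads"]

# Filters as hypothetical dicts: a display name plus the rule text.
FILTERS = [
    {"name": "ADE modern auth (iOS)",
     "rule": '(device.enrollmentProfileName -eq "SA with modern auth")'},
    {"name": "ADE modern auth (macOS)",
     "rule": '(device.enrollmentProfileName -eq "SA with modern auth v2")'},
    {"name": "Shared iPads",
     "rule": '(device.enrollmentProfileName -in ["Kiosk iPads", "Lobby iPads"])'
             ' and (device.deviceName -startsWith "KSK")'},
    {"name": "By device name only",
     "rule": '(device.deviceName -startsWith "PILOT")'},
]

# Matches: device.enrollmentProfileName <operator> "value" | ["v1", "v2"]
CLAUSE = re.compile(
    r'device\.enrollmentProfileName\s+-(?:eq|ne|in|notIn)\s+'
    r'(\[[^\]]*\]|"[^"]*")',
    re.IGNORECASE,
)


def referenced_profile_names(rule):
    """Return every profile name a rule compares enrollmentProfileName to."""
    names = []
    for value in CLAUSE.findall(rule):
        names.extend(re.findall(r'"([^"]*)"', value))
    return names


def orphaned_filters(filters, profiles):
    """Map filter name -> referenced profile names that no longer exist.

    Names are compared exactly; that strictness is a choice of this example.
    """
    known = set(profiles)
    report = {}
    for f in filters:
        missing = [n for n in referenced_profile_names(f["rule"]) if n not in known]
        if missing:
            report[f["name"]] = missing
    return report


if __name__ == "__main__":
    for name, missing in orphaned_filters(FILTERS, ENROLLMENT_PROFILES).items():
        print(f"{name}: no enrollment profile named {missing}")
```

Any filter reported here would silently stop including (or excluding) devices, so policies and apps scoped with it would no longer reach newly enrolled devices as intended.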

 

If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.
