There is a new Apple Enrollment admin experience along with some new features. This was announced in What’s new in Microsoft Intune, Week of February 19, 2018: https://docs.microsoft.com/en-us/intune/whats-new. It states that the new Apple Enrollment features are only enabled in newly created tenants; for the rest of us, the feature is being rolled out through April.
What is new in the Apple Enrollment?
You can find the new features in:
- Device enrollment
- Apple enrollment
- Apple MDM Push certificate
In the Apple MDM Push certificate there is no news.
The same applies to the Apple Configurator settings – the only news here is a design facelift.
All the real news is in the Enrollment program tokens, also known as the Apple DEP program.
Intune now supports enrolling devices from up to 100 different Apple Device Enrollment Program (DEP) or Apple School Manager accounts. Each token uploaded can be managed separately for enrollment profiles and devices. A different enrollment profile can be automatically assigned per DEP/School Manager token uploaded. If multiple School Manager tokens are uploaded, only one can be shared with Microsoft School Data Sync at a time.
The first change is:
- Click Enrollment program tokens
- Select the DEP token where you want to make the changes – settings and features are per DEP token
Under profiles you can now set Default Profile
This is the same feature that was in the Silverlight Portal of Intune before Microsoft migrated the feature to Azure Portal.
Select Set Default Profile
Now you can select the DEP profile you want to set as default when new devices are synced to Intune from Apple’s DEP program.
The second change is:
When using User Affinity, you can change from authenticating with Apple Setup Assistant to authenticating with Company Portal. When you do this, Intune skips user authentication in the iOS Setup Assistant and modern authentication is enabled. This means that Azure Active Directory multi-factor authentication can be enforced for the end user without blocking Apple DEP enrollment methods.
Happy testing and deployment 🙂
Great find. Can you please do a write-up on the Apple Configurator and one on DEP? Last question: if we currently have 100 iPads bought on Amazon, how can we use DEP on these? Do we need to use Apple Configurator to enroll?
Thanks for this
If we have already handed out the devices and they are in use, do we have to reset them and set them up as new for the profile to take effect?
After the next sync on the device – you can always see it in the log on the device
Thanks Per. So if users already have the device and the devices have been added to the Enrollment Program, as IT admins do we need to touch the device again? Can we successfully add a Profile to the device without it having to be reset?
Yes – just assign it to a user or device group. You can wait for the sync schedule or do a manual sync from the Intune portal
As I can’t seem to get the State to change to Enrolled. It seems to stay listed as Not Contacted
Thank you seems like the Enrollment Program profile has been assigned but the Status is still on Ready to Enroll
I am having the same problem, I have 17 devices ready to be enrolled but only 2 of them have enrolled after several days
Hi,
First of all. I appreciate your effort with this blog, Tweets and work in general – helped me more than once! 🙂
My questions are – Is it possible to authenticate with Company Portal on iOS 11.4.1 from Apple Assistant, therefore, performing automatic iOS enrollment to Intune?
We are using DEP and our goal would be to give devices to the end user, he/she turns it on, select keyboard layout, enter Azure AD credentials and that’s it. FYI. Currently, Company Portal is installing automatically without the requirement for Apple ID (using Device Licensing) – I was wondering – can we install other apps like this? – assigning them to All Devices and adding this Device license?
Maybe this auto-enrollment is done differently all-together?
Please let me know what is the best practice for auto-enrolling iOS devices.
Thanks!
Yes – you can authenticate with Apple Setup Assistant if you are not using MFA.
Yes – you can install other apps as well.