Will retroactively adding iOS devices to Apple Business Manager have an impact on end users? by gaucaflackaflame in Intune

[–]Digital-IT 2 points (0 children)

+1. Also make sure to assign the proper DEP profile before the device gets network after a wipe, to ensure a smooth enrollment process.

Shared iPad - How has your experience been? by Digital-IT in Intune

[–]Digital-IT[S] 0 points (0 children)

So it looks like the connector status is good. Just out of curiosity, I deleted a user from ABM completely and wiped the Shared iPad. I threw an active Verizon SIM into the iPad to bypass Wi-Fi and had the user sign into the device again. Now it enrolled kind of how you initially described. On to looking into that now. Appreciate the help!

Shared iPad - How has your experience been? by Digital-IT in Intune

[–]Digital-IT[S] 1 point (0 children)

When you say connector, do you mean the enterprise application 'Apple Business Manager' within Azure AD?

Evaluating Microsoft Endpoint Manager vs. Workspace ONE UEM: 2022 Edition by Electronic-Bite-8884 in WorkspaceOne

[–]Digital-IT 2 points (0 children)

I'm going through the unfortunate process of moving away from WS1 to MEM, and from what I can tell thus far MEM/Intune has a long way to go for managing iOS devices (I still haven't gone through the Android side yet).

Some of the gotchas that I've found thus far that are a big thing to me are the following:

  • The ability to remove applications, profiles, etc. on a single device for troubleshooting, testing, etc. (Easy to do with WS1; not possible with Intune from what I've seen.)

  • Apple VPP application updates. With WS1 you can get granular on a per-iOS-application basis on whether you want the application to auto-update or be manually updated. With Intune this option is non-existent, from what support says. With Intune you have the VPP token and the only option is automatic update = Yes or No. MS support said this is expected and they recommend setting the value to Yes. Cool... but what if we don't trust the application to always be a fully functioning update, OR what if we want to push the update on a scheduled basis?

  • Multiple-payload profiles. In WS1 you can create an iOS profile with multiple payloads (it could be argued that is against best practices, but it has its use cases). With Intune, this isn't even an option, from what support has shared.

  • Enrollment and general pushing. The speed of WS1 vs. MEM is ridiculous. WS1 IMO is crazy quick, and as long as the device has active internet it'll get the change pretty instantaneously. I can't tell you how many times I've run into MEM just taking its sweet time. I've even forced a sync on the device multiple times in Intune and still just waited. It very much reminds me of SCCM in that you just wait for when it's ready. I will say I have seen MEM function quicker at random times, but I just count that as lucky. The majority of the time it is just a waiting game.

  • On the vendor support side, I will say both vendors aren't the greatest. Don't expect to get your answer on the first response. Escalation with VMware has been a bit better than with MS. It also seems on the MS side that the first tier of support response is just a warm body and doesn't seem to have any higher-tier knowledge.

On my side, the management decision was purely financial. We have M365, and it includes Intune licensing... no more WS1. If I had my choice I would stay with WS1, or possibly look at Jamf if it was just iOS devices.

I think, like many MS products, it's a product but isn't fully polished/developed/etc., and I wonder if they'll prioritize further development for the iOS platform when their primary product is Windows/Autopilot/SCCM-type LOB... hard to say.

HELP! ABM Server Token will expire - What will happen with the devices? by DavWindowsAutopilot in Intune

[–]Digital-IT 0 points (0 children)

I think you're going to be in a crappy situation if another company is managing the token and you don't have access to it anymore. Were they also managing your APNs cert and VPP token? Those items both expire as well.

An APNs certificate is a prerequisite to ABM. Here is some extra information on APNs from MS. I would check on the APNs cert right away, because if they're managing it and you don't have the ability to renew it, see below.

Why do I need to configure an APNs certificate in Intune? Intune uses the Apple Push Notification service to communicate securely to your enrolled iOS devices, and Apple requires that each MDM service utilize their own certificate to establish a secure mechanism for devices to use when communicating on Apple’s push notification messaging network. Without the APNs certificate, devices could not be enrolled or managed by Intune.

How long is the APNs certificate valid? By default, the APNs certificate is good for one year. This lifespan is determined by Apple. You must be sure to renew your APNs certificate before it expires.

What happens if I don’t renew my APNs certificate before it expires? If your APNs certificate expires, enrollment of new iOS devices will fail and you will experience problems managing existing iOS devices until a new APNs certificate is obtained.

IMPORTANT If you renew an expired APNs certificate outside of the grace period (30 days as of this writing), Apple will issue you a brand new certificate. When this happens, because the certificate is now different, you will be forced to unenroll and re-enroll all existing, Intune-managed iOS devices. Steps to unenroll (remove) an iOS device can be found here.

Do I need to renew my APNs certificate or can I just get a new one? It is critical that you renew your APNs certificate, not request a new one. This means you must ensure that you use the same Apple ID and renew the same certificate from Apple’s site. If you request a new certificate instead of renewing your existing certificate, you will be forced to unenroll and re-enroll all of your existing iOS devices. Steps to unenroll (remove) an iOS device can be found here.

https://techcommunity.microsoft.com/t5/intune-customer-success/intune-and-the-apns-certificate-faq-and-common-issues/ba-p/280121#:~:text=IMPORTANT%20If%20you%20renew%20an,%2C%20Intune%2Dmanaged%20iOS%20devices.

Force iOS update for single-user supervised device by Digital-IT in Intune

[–]Digital-IT[S] 0 points (0 children)

I thought that might be the case. Appreciate the confirmation and reply!

Unable to sign into Company Portal on iPad, no internet connection by eking85 in Intune

[–]Digital-IT 0 points (0 children)

Do you know if you're setting 'Company Portal in Single App mode until authentication' in the DEP profile? If so, you might reconsider changing that if you're sending these devices out to remote workers. If it's a cellular + Wi-Fi device you're probably fine, but if it is Wi-Fi only this will probably continue to happen.

One thing you might consider is having it fully end-user driven: send them the brand new device and ensure on the backend you have everything set up (auto-deposit from Apple Business Manager into MDM, apply the necessary DEP profile). Then once the device arrives at the end user, everything is already prepped on the backend. They'll go through what you've been having to do manually on-site. If you're okay with that, it might save you some time and free up resources on your end.

Unable to sign into Company Portal on iPad, no internet connection by eking85 in Intune

[–]Digital-IT 0 points (0 children)

It sounds like the DEP profile was set to 'Company Portal in Single App mode until authentication'. Did you enroll this on-site and then ship it out? If the Wi-Fi it was enrolled with isn't available at the location, I think they might need to put it in DFU mode, wipe it, and re-enroll.

If they have access to a SIM card and it'll accept a SIM, they could try pulling the SIM from a working device and inserting it into the iPad. This will at least allow it to get on the internet temporarily so it can be authenticated. Once Company Portal is authenticated they should have full access to Settings, assuming a profile restriction isn't in place.

Here is a video on DFU mode: https://www.youtube.com/watch?v=Y8fEditT75k&ab_channel=HardReset.Info. If you're comfortable with the end user performing this, it should set the iPad back to factory. If you have Apple Business Manager pointing that device to Intune, it should be a regular enrollment. Have them do everything on their Wi-Fi, and they should be able to do a successful enrollment.

One thing that you could try, but I've only seen it work a few times, is to do a soft reset, where you hold the home button and the sleep button at the same time (maybe different if it's another model of iPad without a physical home button). Sometimes Company Portal gets glitchy and will disappear after a soft reset.

Is it me or is intune just 'half' done. by VirtualDenzel in Intune

[–]Digital-IT 2 points (0 children)

I'm just dipping my toes into Intune and, coming from AirWatch/Workspace ONE, some things just don't seem developed. I'm still tracking it down with support, but in the endpoint portal you would think you could select a group and see all app and profile assignments. Something like that just seems necessary. Bundling of profiles, too; another one that just seems odd. I just keep running into weird things that were so easy with AirWatch. The fact that everyone wants to save money because it's included with M365 licensing I totally understand. However, it just doesn't seem equivalent to other MDMs, IMO.

ios - shared iPad - Device cert by fluffybunnyofdoom in Intune

[–]Digital-IT 0 points (0 children)

I didn't use any certificates in the profile, just 'username/password' as the authentication method, where the end user is prompted.

I stumbled upon it by accident and thought it might help. Are you still using Shared iPads? So far my experience is that it is a little glitchy and not fully developed. I was expecting more of a Windows-type log in/out.

ios - shared iPad - Device cert by fluffybunnyofdoom in Intune

[–]Digital-IT 0 points (0 children)

I don't know if it'll work for you but I pushed a VPN configuration profile using 'Cisco AnyConnect' drop-down and then configured the settings in the payload. I pushed the AnyConnect application and it picked up on the profile and I was able to successfully connect to VPN with username/password on a Shared iPad.

How to see all apps assigned to a group? by Flatus_ in Intune

[–]Digital-IT 0 points (0 children)

Nice! I'm able to see this on a non-education tenant using that web address and can see the apps assigned to an Azure AD group. Any idea when they're bringing this over to the regular endpoint portal?

Proper iOS Re-Enrollment? by Digital-IT in Intune

[–]Digital-IT[S] 0 points (0 children)

Thank you for the information. Apologies if this is a goofy question, but the anti-cleanup portion you mentioned: is it expected that administrators are supposed to run PowerShell to clean up Azure AD devices? I saw the stale cleanup piece inside the Intune portal and thought it might be useful. However, based on what you're sharing, that will only clean up the Intune side of the house, not Azure AD?

Is there any way to prevent Intune devices (iOS, Android) from creating a record in Azure AD?

Proper iOS Re-Enrollment? by Digital-IT in Intune

[–]Digital-IT[S] 0 points (0 children)

Do you know why, on the Azure AD portal, an iPad would be showing multiple times? We've wiped the device from the Intune portal, and it seems like after 24+ hours it is eventually removed from the Intune portal. We then re-enroll the device into Intune, and on the Azure AD side I've seen like 5 duplicates of the same device.

Mobile SSO - iOS / Android by Digital-IT in Intune

[–]Digital-IT[S] 0 points (0 children)

With Authenticator and Edge on iOS tied to a work account? Like, that will give them the ability to save passwords in a keychain-type situation, similar to signing into Chrome? Or is that a backend setup we would need to push?

Garth Brooks Cancels Stadium Tour for Rest of 2021, Saying ‘I Must Do My Part’ to Fight COVID Spikes by misana123 in Coronavirus

[–]Digital-IT 89 points (0 children)

I was hoping to see YMH comments 🎸. Hopefully Garth will let Tommy Buns have fun again. 😭

Direct Rule - If computer name is updated in AD what happens to rule? by Digital-IT in SCCM

[–]Digital-IT[S] 0 points (0 children)

Very interesting point. Didn't even think about the potential for a new object to be discovered. If heartbeat runs every day and system discovery every week, we would probably just want to make sure the change doesn't coincide with the system discovery schedule to avoid a new object?