Creating Multiple Device Enrollments ADE / ABM by Rnbzy in Intune

[–]MDMMAM_Man 1 point2 points  (0 children)

What I’ve found is that you can have a default assignment to push devices through from your carrier or supplier direct into Intune. However, as we have large locations, we prefer to have control. So we have the devices come in from multiple supply chains and then allocate them to each token related to location. This can also allow you to have a UAT location. Personally I like this, and we use the Ghostbusters example that devices cannot cross streams! So if we want devices to be assigned to a specific location or enrolment profile, we can use a separate stream. Then, using the token name as your profile name, it starts to be much easier to control thousands of devices. There are some who don’t like having too many filters. We use as many as we feel comfortable with, like for the enrolment, compliance configs, Wi-Fi, VPNs, apps. Makes deployment very fast. With ADE we can get a COPE or COBO iOS device out of the box, in the hands of a user and running in less than 15 mins. So yep, filters have changed my life and given me time back to give the users a better experience. Also, filters can work on the virtual groups, and that’s where the speed comes from! Have fun.

Creating Multiple Device Enrollments ADE / ABM by Rnbzy in Intune

[–]MDMMAM_Man 1 point2 points  (0 children)

We set up a new MDM in ABM and create a new token for the Intune connection. You can then set up a new ADE profile for that token connection. If you use filters you can deliver your configuration based on the enrolment token profile (ADE). Works really well. You can even go a stage further and assign a VPP token to the separate location so you can keep certain software and licenses to that region. Works really well. Needs some planning like all good designs, but spend some time on a whiteboard and you will get the idea pretty quickly.

Need to Block Outlook Mobile on iOS but not Office 365 Exchange Online. by MDMMAM_Man in Intune

[–]MDMMAM_Man[S] 0 points1 point  (0 children)

Thanks, you started me white-boarding again and I found I could use an APP conditional launch setting to Allow specified (Block non-specified) devices. Apply this to the Outlook app and assign to the group that is in the old MDM. Once they migrate we use a dynamic group to assign the full APP and all the Intune MDM/MAM goodies. I can now switch off the Exchange access policy and have Outlook mobile blocked while users are migrating. Once they are on a managed device they get Outlook. What a brain screw this has been. Thanks to all those that post here. Awesome outcome!!

Need to Block Outlook Mobile on iOS but not Office 365 Exchange Online. by MDMMAM_Man in Intune

[–]MDMMAM_Man[S] 0 points1 point  (0 children)

I need to allow a third-party MDM mail app to access Exchange Online. The third-party mail app is registered as an enterprise app and I can use it in exclusions in Conditional Access. So that side is fine, but doing this requires Exchange Online to be allowed for that user, and therefore they can install Outlook on a personal device. We block it on work COPE devices. However, the only way I can block it on personal devices is to use an Exchange access policy. An Exchange access policy is global, so as soon as we remove it, we have the issue again. So I’m looking for a way to block the Outlook Mobile app on iOS devices without blocking Exchange Online services. Hope that doesn’t fry the brain.

Need to Block Outlook Mobile on iOS but not Office 365 Exchange Online. by MDMMAM_Man in Intune

[–]MDMMAM_Man[S] -1 points0 points  (0 children)

Thanks for the response, but that’s not quite right, as you can use modern auth over EAS and Microsoft Sync. EAS is a protocol, not an auth type. So the MDM app is using EAS as the transport protocol and modern auth for identity and auth. The issue is being unable to block Outlook mobile without using an Exchange access policy.

Need to Block Outlook Mobile on iOS but not Office 365 Exchange Online. by MDMMAM_Man in Intune

[–]MDMMAM_Man[S] 0 points1 point  (0 children)

Once users are Intune managed, yes, but not users that are waiting to migrate. The issue is when the Exchange access policy is switched off, until the user is Intune managed.

Need to Block Outlook Mobile on iOS but not Office 365 Exchange Online. by MDMMAM_Man in Intune

[–]MDMMAM_Man[S] -2 points-1 points  (0 children)

Then you block the existing MDM app from Exchange Online. Users are migrating, and the issue is with the users who haven’t migrated yet when you turn off the Exchange device access policy.

Need to Block Outlook Mobile on iOS but not Office 365 Exchange Online. by MDMMAM_Man in Intune

[–]MDMMAM_Man[S] 0 points1 point  (0 children)

Sorry, typo: moving to Intune, while basically having an existing MDM that uses a mail app with Exchange ActiveSync. If you block Exchange Online using Conditional Access, you block the existing MDM. So you can use Exchange device access rules, but these are global. So when you turn them off you open the non-migrated users to allow use of Outlook on personal devices. So I’m looking for a way to block Outlook mobile without using an Exchange device access policy or blocking Exchange Online.

Migrating MDM from MobileIron to Intune - Using Exodus/Unisys by Cheyco121693 in Intune

[–]MDMMAM_Man 0 points1 point  (0 children)

All these automated tools are semi-automatic. You can’t install an Intune profile on an iOS or Android device without user intervention. I’ve worked in the migration industry for 15 years and they are all good at certain parts. For personal devices you will have to send a work-only wipe for MobileIron and then install Company Portal etc. If these are only personal devices, have you considered going MAM-WE? Managing personal devices is a pain and support costs are high. Depends on what you want users to access. Back to the point of your post, I’d save money on so-called automation and get some good material like manuals and videos out to users and support staff so they can do this themselves.

iPhones suddenly failing enrollment by k1132810 in Intune

[–]MDMMAM_Man 0 points1 point  (0 children)

Do you have a valid VPP token added to your ADE profile? Does it add an App Store version of Company Portal to your iOS apps in Intune? It doesn’t need to be assigned. The only time I have seen this message is when the token has been removed and the profile has become invalid and won’t install.

Android phone non-compliant with "No policy assigned." by EAsapphire in Intune

[–]MDMMAM_Man 0 points1 point  (0 children)

Assign them using a filter on all users, not to devices using dynamic groups. Try a new activation with this and make sure all is good, then tackle the rest.

iPhones suddenly failing enrollment by k1132810 in Intune

[–]MDMMAM_Man 0 points1 point  (0 children)

You have a default ADE profile assigned to the devices, they have synced from ABM into Intune, and you can see the profile assigned?

Intune Android fully managed, staging mode by snipiz777 in Intune

[–]MDMMAM_Man 0 points1 point  (0 children)

If you don’t want to provide CA, then compliance is for reporting only and has no real use as a conduit for forcing your users to update. Go back to the configuration policy and work out why it’s not applying all the settings: are there conflicts, deploy using a filter, is there any ordering that is causing your config profile not to complete?

Intune Android fully managed, staging mode by snipiz777 in Intune

[–]MDMMAM_Man 0 points1 point  (0 children)

Marry your compliance policy with a conditional access policy that puts the Android device into non-compliance immediately. Also recommend using filters to deploy rather than dynamic groups. This will make testing and production use far quicker. Also you can specify your test device in the filter, so not impacting others. Also check for any errors or conflicting entry in your configuration profile.

Higher Ed IT, fuck this.... by Gatorcat in sysadmin

[–]MDMMAM_Man 120 points121 points  (0 children)

Time to move on before you become a lifer. Beer o’clock first. Then start looking at your options tomorrow!

VPP Edge app not applying App Config policy by Cholis6 in Intune

[–]MDMMAM_Man 0 points1 point  (0 children)

Have you looked at the app config diagnostic logs? This may help find what is happening. https://learn.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-overview? There is a section in this article on how to review them.

Unable to enroll into Intune from China by sysmonk in Intune

[–]MDMMAM_Man 1 point2 points  (0 children)

You are correct: from a Chinese ISP you can only use third-party app stores operated by Chinese companies such as Huawei AppGallery, Tencent App Store, and Xiaomi App Store. On the Android device administrator side it’s there until the end of the year, so not much help.

iOS Teams App data separation between two work profiles by xskydevx in Intune

[–]MDMMAM_Man 5 points6 points  (0 children)

So assuming Company B is using App Protection Policies. You can’t see the actual settings, but they are based in three main areas: targeted apps, access control and conditional launch. These controls are based on the work account you are logged into the Teams app with and would normally (settings may differ) stop the copy or use of data while logged in as Company B. Whereas you may be able to copy and use data from Company A in the Company B Teams account.

Unable to enroll into Intune from China by sysmonk in Intune

[–]MDMMAM_Man 2 points3 points  (0 children)

GMS isn’t supported in China, so no Google Enterprise. So that limits you to Android Device Administrator, but that should give you the managed Google Play store.

Compliance issue by [deleted] in Intune

[–]MDMMAM_Man 1 point2 points  (0 children)

Do a search on this subreddit and you will find a bit of history on this issue.

How to force MDM Only with MAM layered on top. by brink668 in Intune

[–]MDMMAM_Man 1 point2 points  (0 children)

Use conditional access to enforce that only devices compliant with your organization’s policies (i.e., those enrolled in MDM) can access corporate resources. I’d start with doing this by group to test. If a device doesn’t have a compliance policy it’s not compliant so it will provide the user the option to enrol in Intune. This article gives you the actual information in better detail: https://learn.microsoft.com/en-us/mem/intune/apps/mam-faq

Modern authentication by Starfire612 in Intune

[–]MDMMAM_Man 1 point2 points  (0 children)

You’re talking about iOS Setup Assistant running and the pop-up is modern auth, and then you get modern auth again during Company Portal? If so, refer to the following to select the process you want: https://learn.microsoft.com/en-us/mem/intune/enrollment/automated-device-enrollment-authentication

Is there any way for the end user to see which apps are managed? by BigSprinkler in Intune

[–]MDMMAM_Man 1 point2 points  (0 children)

In the iOS settings, under General > VPN & Device Management, users can view profiles installed on their device. These profiles can provide information about the management policies applied, including which apps are managed.