
Enroll iOS/iPadOS devices in Intune through the ADE enrollment program

Writer: Anand P

Automated Device Enrollment is a process used to streamline the enrollment of devices, typically in enterprise or educational settings, into a mobile device management system. ADE allows organizations to configure and manage devices in a more automated way, reducing the need for manual setup and improving the overall efficiency of device deployment. This blog will concentrate on the Automated Device Enrollment Method. ADE is ideal for organization-owned devices that require enrollment as supervised devices, providing increased control and security.


To learn about the various enrollment methods available in Intune for iOS/iPadOS devices, see my separate guide on the Different Types of iOS/iPadOS Enrollment in Intune.


Understanding How ADE Functions:


  1. MDM Registration: Organisations enroll their devices with a Mobile Device Management (MDM) server. For Apple, this involves joining Apple's Automated Device Enrollment program.


  2. Device Configuration: Upon activation or reset, a device automatically links to the MDM server, which subsequently enforces preset policies and configurations on the device (such as Wi-Fi settings, app installations, and security policies).


  3. Zero-Touch Setup: The device is configured automatically with the required settings, eliminating the need for manual intervention. This allows IT departments to avoid physically handling each device for configuration, which is especially beneficial when managing a large volume of devices.



  1. A device purchased from a hardware vendor will have its serial number added to Apple Business Manager by the vendor and will be shipped to the end user.

  2. The device will synchronize with Intune and receive the enrollment profile.

  3. When the user turns on the device, the remote management profile will be deployed to the device during activation.

  4. Policies, applications, and configurations created and assigned to the device will be sent to it during the enrollment process.

  5. After enrollment is completed, the device is ready for the user to use.


Advantages of Automated Device Enrollment:


  1. Efficiency: Devices automatically receive the appropriate settings and policies upon activation, minimizing the time needed for manual configuration.


  2. Security: Automated enrollment guarantees that every device is configured with the appropriate security settings, such as encryption and device restrictions, without depending on users to set them up correctly.


  3. Consistency: It guarantees that every device in the organization is set up in a uniform manner, aiding in the prevention of configuration errors or omissions.


  4. Remote Management: After devices are enrolled, IT teams can handle and update them from a distance, reducing the time and effort needed for device maintenance and problem-solving.


Prerequisites


  1. Supported Devices: iOS/iPadOS 16.x and above

  2. Eligible for enrollment: iOS/iPadOS 13.x and above

  3. Require Access to the Apple Business Manager (ABM) portal

  4. An Apple token that is active (.p7m file)

    For instructions, refer to https://www.cloudtekspace.com/post/setup-apple-automated-device-enrollment-ade-token-in-intune

  5. Apple MDM push certificate available and currently active in Intune

    For instructions, refer to https://www.cloudtekspace.com/post/hoe-to-add-an-apple-mdm-push-certificate-intune#google_vignette


With ADE enrollment, we can now register devices either with a user assigned to them or without a user assigned.


Enroll With User Affinity: choose this if you want to register a device that is linked to a specific user. The device is connected to a particular user in the MDM system, allowing personalized settings, apps, and configurations to be applied automatically based on the user’s profile.


I have written a blog that explains how to configure an enrollment profile for devices with user affinity. You can visit this blog to learn more:


Enroll Without User Affinity: This method involves enrolling devices in a Mobile Device Management (MDM) system without associating them with a specific user. Instead, the device is regarded as a shared or generic device. This approach is typically utilized for devices used by multiple users, such as in classrooms, conference rooms, or kiosks, where no single person consistently uses the device.

Use the IntuneUDAUserlessDevice key in an app configuration policy for managed devices to link a primary user with devices enrolled without user affinity via the Company Portal app. The first user to log in becomes the primary user, and remains so even if another user logs in later.

I have written a blog that explains how to configure an enrollment profile for devices without user affinity. You can visit this blog to learn more: https://www.cloudtekspace.com/post/enroll-ios-and-ipados-devices-in-microsoft-intune-without-user-affinity


Choose an authentication method


This is necessary only when you choose Enroll with User Affinity, because it specifies how users authenticate on their device. It is not required when you select Enroll Without User Affinity, since that method does not need a user account to enroll the device.

There are three types of authentication methods: Company Portal, Setup Assistant (Legacy), and Setup Assistant with modern authentication.

Let's examine how these three differ from one another.


Company Portal: Select this method if you want users to use MFA, be prompted to change their password on first sign-in, be prompted to reset an expired password during enrollment, and have the device registered in Microsoft Entra ID so that Entra ID features such as Conditional Access apply. The Company Portal app is installed automatically during enrollment. If your company uses the Volume Purchase Program (VPP), the Company Portal app can be installed during enrollment without requiring user Apple IDs, and the device can be locked until the Company Portal app installs.

Note: If a user is targeted with an account-driven Apple User Enrollment profile, Intune blocks enrollment via this method and shows an error message; such users must enroll through the Company Portal website. For successful automated device enrollment with these profile types, use the Setup Assistant with modern authentication option.

Setup Assistant (Legacy): The legacy Setup Assistant is recommended for providing users with the standard, out-of-box experience for Apple products. This option applies pre-configured settings when the device is enrolled in Intune. It can be used for authentication when administrators need to wipe a device. This approach does not use modern authentication features like multifactor authentication, and does not register devices with Microsoft Entra ID. Instead, the Setup Assistant authenticates the user using the Apple .p7m token.


Setup Assistant with modern authentication: This option offers the same security as Intune Company Portal authentication, but differs in allowing device users to access parts of the device even without the Company Portal installed. Use this option when you need to wipe the device, require multifactor authentication, prompt users to change their passwords on first sign-in, prompt users to reset expired passwords during enrollment, register devices in Microsoft Entra ID and use Entra ID features like Conditional Access, automatically install the Company Portal app during enrollment (even if your company uses the Volume Purchase Program, without requiring user Apple IDs), and allow users to use the device when the Company Portal app isn't installed.

Note: Setup Assistant with modern authentication is supported on iOS/iPadOS 13.0 and later devices. Older iOS/iPadOS devices assigned this profile type will fall back to Setup Assistant authentication.

Intune offers just-in-time (JIT) registration for Setup Assistant using modern authentication, removing the necessity for the Company Portal app for Microsoft Entra registration and compliance. To implement JIT registration, ensure you create a device configuration policy before setting up the Apple enrollment profile and configuring Setup Assistant with modern authentication. For instructions on creating a JIT configuration profile, read the blog https://www.cloudtekspace.com/post/how-to-configure-just-in-time-registration-in-intune-for-seamless-device-management


What is Supervised Mode?


Supervised mode enhances control and security for Apple devices, allowing for advanced restrictions such as disabling the camera, enforcing Single App Mode (kiosk), and implementing stronger security measures like remote wipe and lock. With Supervised Mode, IT administrators can manage app distribution more effectively, restrict unauthorized apps, and deploy enterprise apps efficiently. It integrates seamlessly with Apple's Device Enrollment Program (DEP) for a zero-touch setup. Supervised Mode also enforces compliance policies, monitors device usage, and enables location tracking, ensuring stronger control, security, and streamlined device management, making it ideal for organizations requiring tight governance over devices. This can be activated under the management option in the enrollment profile.

Note: If you choose Company Portal as the authentication method, supervised mode is enabled by default, because supervision is required for devices that use the Company Portal as their authentication method.

Locked enrollment


When enrollment is locked, the iOS/iPadOS settings that allow removal of the management profile are disabled. Activating locked enrollment hides the button in the Settings app that lets users remove a management profile, thereby preventing them from unenrolling their device. If you are configuring devices for Microsoft Entra ID shared device mode, choose Yes.

Locked enrollment behaves differently on devices that weren't originally purchased through Apple Business Manager but were added later for automated device enrollment: for the first 30 days after device activation, users can still see the Remove Management option in the Settings app. Once this provisional period expires, the option becomes unavailable.


Sync with computers


If you set Sync with computers to Allow all, the device can be synchronized with any computer.


When you set Sync with computers to Deny all, the port on iOS and iPadOS devices will be restricted to charging only. The device will be blocked from using iTunes or Apple Configurator 2.


If you set Sync with computers to Allow Apple Configurator by certificate, you must choose a certificate under Apple Configurator Certificates. Ensure you have a local copy of the certificate for later use. You cannot make changes to the uploaded copy, so it's important to retain this certificate. To connect to the iOS/iPadOS device from a Mac, the same certificate must be installed on the connecting device.
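To make the choices in the Supervised Mode, Locked enrollment and Sync with computers sections checkable before a profile goes live, here is an added Python audit that scores an ADE enrollment profile against that guidance. It is example code written for this post, not code from the original article or from Microsoft; the AdeProfile fields and option strings are an assumed simplification of the portal choices, not an Intune or Graph API schema, and the sample profiles are constructed.

```python
"""Offline audit of ADE enrollment-profile choices against the guidance above:
supervision, locked enrollment, sync with computers, and authentication method.
The AdeProfile shape is an assumption made for this example, not a Graph API schema."""
from dataclasses import dataclass
from typing import Optional

# Authentication methods offered for "Enroll with user affinity".
COMPANY_PORTAL = "Company Portal"
SETUP_ASSISTANT_LEGACY = "Setup Assistant (Legacy)"
SETUP_ASSISTANT_MODERN = "Setup Assistant with modern authentication"

# "Sync with computers" options.
SYNC_ALLOW_ALL = "Allow all"
SYNC_DENY_ALL = "Deny all"
SYNC_BY_CERTIFICATE = "Allow Apple Configurator by certificate"


@dataclass
class AdeProfile:
    """Assumed representation of one ADE enrollment profile (example only)."""
    name: str
    user_affinity: bool
    authentication_method: Optional[str]   # None when enrolling without user affinity
    supervised: bool
    locked_enrollment: bool
    sync_with_computers: str
    configurator_certificate: Optional[str] = None  # needed for SYNC_BY_CERTIFICATE
    entra_shared_device_mode: bool = False


def audit_profile(p: AdeProfile) -> list:
    """Return findings for a profile; an empty list means it matches the guidance."""
    findings = []
    if p.user_affinity and p.authentication_method is None:
        findings.append("user affinity enabled but no authentication method chosen")
    if not p.user_affinity and p.authentication_method is not None:
        findings.append("authentication method is not used without user affinity")
    if p.authentication_method == COMPANY_PORTAL and not p.supervised:
        findings.append("Company Portal authentication requires supervised mode")
    if p.authentication_method == SETUP_ASSISTANT_LEGACY:
        findings.append("legacy Setup Assistant: no MFA and no Microsoft Entra ID registration")
    if not p.supervised:
        findings.append("supervision off: advanced restrictions are unavailable")
    if not p.locked_enrollment:
        findings.append("locked enrollment off: users can remove the management profile")
    if p.entra_shared_device_mode and not p.locked_enrollment:
        findings.append("Entra ID shared device mode should use locked enrollment")
    if p.sync_with_computers == SYNC_ALLOW_ALL:
        findings.append("sync with computers allows any host")
    if p.sync_with_computers == SYNC_BY_CERTIFICATE and not p.configurator_certificate:
        findings.append("certificate-gated sync chosen but no Apple Configurator certificate selected")
    return findings


def effective_auth_method(method: str, ios_version: str) -> str:
    """Modern Setup Assistant authentication needs iOS/iPadOS 13.0 or later;
    older devices fall back to the legacy Setup Assistant."""
    major = int(ios_version.split(".")[0])
    if method == SETUP_ASSISTANT_MODERN and major < 13:
        return SETUP_ASSISTANT_LEGACY
    return method


def remove_management_visible(locked_enrollment: bool, purchased_via_abm: bool,
                              days_since_activation: int) -> bool:
    """Whether the user can still see the Remove Management option in Settings.
    Devices added to ABM after purchase keep the option for a 30-day provisional
    period even when enrollment is locked."""
    if not locked_enrollment:
        return True
    if purchased_via_abm:
        return False
    return days_since_activation < 30


# Constructed sample profiles (not real tenant data).
SAMPLE_PROFILES = [
    AdeProfile("Corp - Company Portal", True, COMPANY_PORTAL, True, True, SYNC_DENY_ALL),
    AdeProfile("Kiosk - no affinity", False, None, True, True, SYNC_BY_CERTIFICATE, None),
    AdeProfile("Pilot - loose", True, COMPANY_PORTAL, False, False, SYNC_ALLOW_ALL),
]

if __name__ == "__main__":
    for profile in SAMPLE_PROFILES:
        print(profile.name)
        for finding in audit_profile(profile) or ["no findings"]:
            print("  -", finding)
```

Running the script lists each constructed profile with its findings: the hardened corporate profile is clean, the kiosk profile is flagged only for the missing Apple Configurator certificate, and the loose pilot profile collects four findings. The two helper functions capture the edge cases called out above: the fallback to legacy Setup Assistant on devices older than iOS/iPadOS 13, and the 30-day window during which Remove Management stays visible on devices added to ABM after purchase.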


Limits


  • Maximum number of enrollment profiles per token: 1,000

  • Maximum number of Automated Device Enrollment devices per profile: 200,000 (equal to the maximum number of devices per token).

  • Maximum number of Automated Device Enrollment tokens per Intune account: 2,000

  • Maximum number of Automated Device Enrollment devices per token: 200,000


Conclusion


Automated Device Enrollment (ADE) in Intune provides an efficient and streamlined approach to managing iOS/iPadOS devices within an organization. By utilizing ADE, IT administrators can ensure devices are consistently and securely configured, reducing the need for manual setup and minimizing potential errors. Whether enrolling devices with or without user affinity, ADE offers the flexibility to accommodate various organizational needs. With features such as supervised mode, locked enrollment, and syncing capabilities with computers, ADE enhances control and security, making it an ideal solution for managing large numbers of devices. By adhering to the guidelines and prerequisites outlined in this blog, organizations can successfully implement ADE and benefit from automated, zero-touch device enrollment and management.

