Intune: Enable JIT, Just-In-Time-Registration, SSO

How to Configure Just In Time Registration in Intune for Seamless Device Management

Enable just-in-time (JIT) registration in Microsoft Intune to let device users start and finish device enrollment from a work or school application, without the Intune Company Portal. Instead, JIT registration uses the Apple single sign-on (SSO) extension to complete Microsoft Entra registration and compliance checks inside a designated app that is configured with SSO. This integration reduces authentication prompts during the user's session and enables single sign-on across the entire device. This post walks through enabling JIT registration by setting up an SSO app extension policy in the Microsoft Intune admin center.


Best Practices to Follow


  • When the user logs in for the first time after reaching the home screen, they should use a work or school app that is configured with the SSO extension. This is essential for completing Microsoft Entra registration and compliance checks. Microsoft recommends guiding employees to the fully integrated Microsoft Teams app, which offers a seamless experience directly from the home screen using the latest identity libraries.

  • The SSO extension automatically applies to all Microsoft apps, so do not add the bundle IDs of Microsoft apps to your policy; adding them is unnecessary and can lead to authentication problems. Only non-Microsoft apps need to be added. In particular, do not add the bundle ID of the Microsoft Authenticator app to your SSO extension policy; as a Microsoft app, it works with the extension automatically.


Steps to configure just-in-time registration in Intune


Step 1: Log in to the Microsoft Intune admin center (https://intune.microsoft.com), navigate to Devices and select iOS/iPadOS.



Step 2: Select Configuration profiles, tap Create and select New Policy.



Step 3: For the profile type select Templates, choose Device features as the template name and tap Create. Next, enter a name for the profile and, if required, a description. Platform and profile type are grayed out because they are already selected. Tap Next to continue creating the profile.



Step 4: Select the Single sign-on app extension option and choose Microsoft Entra ID as the SSO app extension type. Under Additional configuration, add the following required key-value pair:


  • Key: device_registration

  • Type: String

  • Value: {{DEVICEREGISTRATION}}


It is also recommended to include the following key-value pair, which enables SSO in Safari for all apps covered by the policy:


  • Key: browser_sso_interaction_enabled

  • Type: Integer

  • Value: 1


Make sure there are no leading or trailing spaces in the key or the value; a stray space prevents just-in-time registration from working.


You can add the app bundle IDs of any non-Microsoft apps that should use single sign-on. Note that the SSO extension automatically applies to all Microsoft apps, so you do not need to add them separately; leaving them out helps avoid authentication problems in your policy.

Avoid adding the Microsoft Authenticator app to the SSO extension. This app is covered at a later stage through an app policy.

Step 5: Assign the profile to a group or to all users as required; this example uses a group. Tap Select to add the group or users, then tap Next to continue.



Step 6: Verify the settings and select Create to complete the profile creation.
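A small check that mirrors the Additional configuration fields from Step 4, as an added example that is not part of the original post or Microsoft's tooling. It takes the key/type/value triples exactly as they are entered in the admin center and flags the mistakes the steps above warn about: leading or trailing whitespace, a missing or mistyped device_registration pair, a missing or mistyped browser_sso_interaction_enabled pair, and Microsoft app bundle IDs (anything under the com.microsoft. prefix, which covers Authenticator) in the app bundle ID list. The bundle IDs in the usage section are constructed sample values, and the lint rules are this example's own assumptions about what a reviewer should catch before the profile is created.

```python
"""Lint the Additional configuration key/value pairs of an Intune
Microsoft Entra ID SSO app extension profile (Device features template).

Added example, not the post author's or Microsoft's code. Each pair is
(key, type, value) as typed into the three admin-center fields.
"""
from dataclasses import dataclass, field

# Intune replaces this token with the device's registration payload at delivery time.
DEVICE_REGISTRATION_TOKEN = "{{DEVICEREGISTRATION}}"

# key -> (expected type, expected value); from Step 4 of the post.
REQUIRED_PAIRS = {"device_registration": ("String", DEVICE_REGISTRATION_TOKEN)}
RECOMMENDED_PAIRS = {"browser_sso_interaction_enabled": ("Integer", "1")}

# Microsoft apps pick up the extension automatically; listing them is a policy smell
# (this prefix also covers the Microsoft Authenticator app).
MICROSOFT_BUNDLE_PREFIX = "com.microsoft."


@dataclass
class LintResult:
    errors: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def lint_pairs(pairs, bundle_ids=()) -> LintResult:
    """Check key/value pairs and optional app bundle IDs against the post's rules."""
    r = LintResult()
    seen = {}
    for key, typ, value in pairs:
        # A stray space in either field breaks JIT registration silently.
        for label, s in (("key", key), ("value", value)):
            if s != s.strip():
                r.errors.append(f"{label} {s!r} has leading/trailing whitespace")
        k = key.strip()
        if k in seen:
            r.errors.append(f"duplicate key {k!r}")
        seen[k] = (typ, value.strip())

    for k, (typ, val) in REQUIRED_PAIRS.items():
        if k not in seen:
            r.errors.append(f"missing required key {k!r}")
            continue
        got_type, got_val = seen[k]
        if got_type != typ:
            r.errors.append(f"{k}: type is {got_type!r}, expected {typ!r}")
        if got_val != val:
            r.errors.append(f"{k}: value is {got_val!r}, expected {val!r}")

    for k, (typ, val) in RECOMMENDED_PAIRS.items():
        if k not in seen:
            r.warnings.append(f"recommended key {k!r} not set (Safari SSO stays off)")
            continue
        got_type, got_val = seen[k]
        if got_type != typ:
            # Delivering "1" as a String is not the documented Integer setting.
            r.errors.append(f"{k}: type is {got_type!r}, expected {typ!r}")
        elif got_val != val:
            r.warnings.append(f"{k}: value is {got_val!r}, recommended {val!r}")

    for b in bundle_ids:
        if b != b.strip():
            r.errors.append(f"bundle ID {b!r} has leading/trailing whitespace")
        if b.strip().lower().startswith(MICROSOFT_BUNDLE_PREFIX):
            r.warnings.append(f"bundle ID {b.strip()!r} is a Microsoft app; remove it")
    return r


if __name__ == "__main__":
    # Constructed sample input: the two pairs from the post plus sample bundle IDs.
    pairs = [
        ("device_registration", "String", DEVICE_REGISTRATION_TOKEN),
        ("browser_sso_interaction_enabled", "Integer", "1"),
    ]
    result = lint_pairs(pairs, ["com.example.crm", "com.microsoft.exampleapp"])
    print("ok" if result.ok else "errors:", *result.errors, sep="\n")
    print(*result.warnings, sep="\n")
```

Run it before clicking Create in Step 6; an empty error list means the two pairs are present with the right types and values and nothing carries invisible whitespace, while warnings point at Microsoft bundle IDs that should come out of the app list.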




Conclusion

This blog post provided a clear and concise set of instructions for configuring Just In Time Registration in Intune for seamless device management.


