After several customer implementations I wanted to discuss Microsoft Intune MDM automatic enrollment methods and their small caveats related to Multi-Factor Authentication (MFA). We all know the importance of MFA in today’s cloud security, and requiring it during Intune enrollment is a really nice security addition to the process.

You have a lot of options when choosing your Intune MDM strategy and enrollment methods. I recommend taking a look at the following Microsoft docs when choosing the right strategy for your organization.

The planning guide covers more than just enrollment options but it’s a really good read. You can read my colleague’s posts about setting up Apple DEP, Samsung KME and Google Zero Touch.

The issue I want to discuss is related to the combination of automatic enrollment methods and MFA. As of today, Apple DEP with Single App Mode, and Android Fully Managed devices enrolled through Samsung KME or Google Zero Touch, are affected by the issue. I will also explain another known issue with Apple DEP and Single App Mode.

Multi-Factor Authentication and Apple DEP

To empower your users with their new Apple devices you really want to use Single App Mode in your Apple enrollment profile. This setting locks the device into the Company Portal app after the first launch and enrolls it in Microsoft Intune without any complicated user actions. The user is not able to use the phone before the setup is complete.

There is (slightly confusing) documentation about configuring the Apple enrollment profile here. You need to understand the different options and their limitations while choosing the best combination for you.

The documentation states that if you want to use Multi-Factor Authentication you must authenticate the users in Company Portal instead of Apple Setup Assistant. Fair enough.

Which came first, the MFA or the Single App Mode?

Let’s imagine a new employee starts and sets up their shiny new Apple iPhone. They are guided through the process, Single App Mode launches, and Company Portal asks them to authenticate using Multi-Factor Authentication. How do they complete the MFA prompt when the device they would normally approve it on is currently locked in Single App Mode?

Workarounds

I honestly think you have three options, and you need to choose the right one based on your organization’s requirements regarding security and MFA.

Disable MFA from Microsoft Intune Enrollment

Yes. You could do this for your enrolling users with Azure AD Conditional Access by excluding Microsoft Intune Enrollment from the cloud apps in your MFA policy. That cloud app represents the sign-in the Intune Company Portal performs during your Apple device’s enrollment. This reduces your security (the enrollment sign-in is then protected by the password alone, so scope the exclusion to that single app and nothing else) but improves your productivity and lets you use Single App Mode to make sure your enrollments are consistent across the organization.

Excluding Company Portal from Conditional Access

Disable MFA from the user when enrolling

You could temporarily disable MFA for the enrolling user each time they set up a new device and enroll it. This adds a lot of administrative overhead, and the exception has to be removed again after the enrollment, but it could be an option for a smaller organization. In organizations with tens or hundreds of thousands of users it would be unacceptable.

Excluding a user or group from Conditional Access

You might also want to consider a one-time bypass for MFA.

Advise the user to perform MFA from another device

I have done and seen this as well, but you surely aren’t making new friends with it. I would consider this for high-security organizations where you can’t make any exceptions to MFA policies. You need to advise the user to approve the MFA prompt with their previous device and/or their personal device in order to enroll the new company device.

Apple DEP and “Guided Access app unavailable”

This one is a bugger. This little informational pop-up should be visible for less than a minute during a Single App Mode enrollment, at least according to Microsoft. The thing is that there is a known bug in Intune which can cause this screen to stay there forever. Yes, forever.

Guided Access app unavailable. Please contact your administrator.

I have contacted both Apple and Microsoft about this issue, and just recently I found out that this indeed is a bug in Intune and the product group is still trying to find a solution. The fix was supposed to be released in Intune service release 2001, but the bug is still there, and Microsoft confirmed this to me in 02/2020.

Workarounds

There are a couple of workarounds for this issue; choose between these two.

Reset the phone like you mean it

I’m serious. You can keep resetting the phone until one day it works and the enrollment succeeds. It can take one reset or ten resets, or sometimes you’re lucky and don’t bump into this issue at all. Experience has also shown that if you leave the phone on the “Guided Access app unavailable” screen and just wait, it might continue by itself at some point.

Don’t use Single App Mode

This is what Microsoft recommended to me, but it’s frustrating because this is the one thing I want to use when enrolling with Apple DEP. The issue appears to be that the application (Company Portal) is unable to get a VPP license while the device is in the locked state, and the official workaround is to enroll the device without the option enabled. VPP, on the other hand, is required to install the Company Portal app on behalf of your user.

Multi-Factor Authentication, Samsung KME, Google Zero Touch and Android Fully Managed devices

With Apple DEP enrollments you have the option to exclude the enrollment cloud app from MFA, but with Android Fully Managed devices this is a whole other story, because the Intune Company Portal alone isn’t used anymore. Android Fully Managed devices also use applications called Microsoft Intune and Microsoft Intune Company Portal.

Intune enrollment apps in Conditional Access

The issue with the latest Microsoft Intune Company Portal app is that it doesn’t exist in the Conditional Access applications list, so you can’t exclude it. This brings us to the chicken-or-egg problem during the enrollment.

Please note that this issue is relevant only if you have other Conditional Access policies that apply to All cloud apps. Many organizations do this instead of creating application-specific policies.

Workarounds

There are three workarounds for this which you might want to consider. These are pretty much the same workarounds as with the Apple DEP issue, except that you currently can’t exclude the cloud app from Conditional Access.

Disable MFA from the user when enrolling

You could temporarily disable MFA for the enrolling user each time they set up a new device and enroll it. This adds a lot of administrative overhead, and the exception has to be removed again after the enrollment, but it could be an option for a smaller organization. In organizations with tens or hundreds of thousands of users it would be unacceptable.

Excluding a user or group from Conditional Access

You might also want to consider a one-time bypass for MFA.

Advise the user to perform MFA from another device

I have done and seen this as well, but you surely aren’t making new friends with it. I would consider this for high-security organizations where you can’t make any exceptions to MFA policies. You need to advise the user to approve the MFA prompt with their previous device and/or their personal device in order to enroll the new company device.

Re-model your Conditional Access policies

As said, this only affects you if you have Conditional Access policies that hit your mobile device users across all cloud apps. If that is the situation, you could turn it around and apply the policy only to chosen cloud apps instead of all of them.

I am positive that we will be able to exclude this new app in the near future, so you might want to hold off before rebuilding all your Conditional Access policies from scratch.
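Before picking one of the workarounds above (the Intune Enrollment exclusion for Apple DEP, or re-modelling the All-cloud-apps policy for Android), it helps to see exactly which policies are in the way. The PowerShell below is an added example written for this post, not code from the original article or from Microsoft. It uses the Microsoft Graph PowerShell SDK and assumes you have consent for the listed scopes, that the two well-known first-party app IDs match your tenant (verify them with Get-MgServicePrincipal), and that the placeholder user principal name is replaced with a real enrolling user. It lists every enabled All-cloud-apps policy that does not exclude the Intune enrollment apps, shows which policies actually fired on that user's Company Portal sign-ins, and creates a report-only MFA policy scoped to specific apps as a starting point for the re-modelling described above.

```powershell
# Added example for this post (not code from the original article or from Microsoft).
# Requires the Microsoft Graph PowerShell SDK: Install-Module Microsoft.Graph
# Assumptions: consent for the scopes below; the first-party app IDs match your tenant;
# $EnrollingUser is replaced with a real user principal name before running.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All'

# Well-known first-party app IDs as they appear in Conditional Access (verify with
# Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune Enrollment'").
$IntuneApps = [ordered]@{
    'Microsoft Intune Enrollment' = 'd4ebce55-015a-49b5-a083-c84d1797ae8c'   # Company Portal enrollment (Apple DEP)
    'Microsoft Intune'            = '0000000a-0000-0000-c000-000000000000'   # Android Fully Managed enrollment
}

function Get-EnrollmentPolicyGaps {
    # Enabled policies that target "All cloud apps", enforce a grant control such as
    # mfa, and do NOT exclude the given app: these will hit the enrollment sign-in.
    # Report-only policies are skipped because they do not block anything.
    param([Parameter(Mandatory)][string]$AppId)
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object {
            $_.State -eq 'enabled' -and
            $_.GrantControls.BuiltInControls.Count -gt 0 -and
            $_.Conditions.Applications.IncludeApplications -contains 'All' -and
            $_.Conditions.Applications.ExcludeApplications -notcontains $AppId
        } |
        Select-Object DisplayName,
            @{ n = 'Grant';     e = { $_.GrantControls.BuiltInControls -join ',' } },
            @{ n = 'Platforms'; e = { $_.Conditions.Platforms.IncludePlatforms -join ',' } }
}

function Get-EnrollmentSignInResults {
    # Which policies were evaluated on a user's recent Intune / Company Portal sign-ins
    # and what each one enforced. This is the ground truth when an exclusion "doesn't work".
    param([Parameter(Mandatory)][string]$UserPrincipalName, [int]$Top = 50)
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserPrincipalName'" -Top $Top |
        Where-Object { $_.AppDisplayName -like '*Intune*' } |
        ForEach-Object {
            $signIn = $_
            foreach ($policy in $signIn.AppliedConditionalAccessPolicies) {
                [pscustomobject]@{
                    Time     = $signIn.CreatedDateTime
                    App      = $signIn.AppDisplayName
                    Resource = $signIn.ResourceDisplayName
                    Policy   = $policy.DisplayName
                    Result   = $policy.Result                 # success, failure, notApplied, reportOnly...
                    Controls = ($policy.EnforcedGrantControls -join ',')
                    Error    = $signIn.Status.ErrorCode       # 0 = sign-in succeeded
                }
            }
        }
}

function New-ScopedMfaPolicyReportOnly {
    # The "re-model" alternative: require MFA on iOS/Android for chosen apps only
    # (here the Office 365 app group) instead of All cloud apps, so the enrollment
    # sign-ins never match. Created in report-only mode; review sign-in logs before enabling.
    param([string]$DisplayName = 'Mobile: require MFA for Office 365 (report-only)')
    $body = @{
        displayName   = $DisplayName
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users        = @{ includeUsers = @('All') }
            applications = @{ includeApplications = @('Office365') }
            platforms    = @{ includePlatforms = @('iOS', 'android') }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

foreach ($name in $IntuneApps.Keys) {
    "`n== Enabled All-cloud-apps policies that will apply to '$name' ($($IntuneApps[$name])) =="
    Get-EnrollmentPolicyGaps -AppId $IntuneApps[$name] | Format-Table -AutoSize
}

$EnrollingUser = 'enrolling.user@contoso.com'   # placeholder, replace with the affected user
Get-EnrollmentSignInResults -UserPrincipalName $EnrollingUser | Format-Table -AutoSize

# Uncomment once the output above confirms a blanket policy is the culprit:
# New-ScopedMfaPolicyReportOnly
```

If the first report is empty but the sign-in results still show a policy with Result "failure" and Controls "mfa", the policy in question is not targeting All cloud apps by name but is still reaching the enrollment sign-in through another condition, which is exactly what the sign-in log table is there to reveal.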

Final words

Overall, the automatic enrollment programs are really the way to go, especially in large, structured organizations. You need to accept some caveats with MFA and plan a strategy for how to overcome these obstacles. As Microsoft Intune’s capabilities and options keep growing really fast we might not have these issues tomorrow, but meanwhile this is how the cookie crumbles.


2 Comments

Colin · 03.09.2020 at 00.02

Thanks for the article. Excluding the Microsoft Intune Enrollment app doesn’t seem to work for me. Do you know if this has changed since your article?

    Joni Nieminen · 17.09.2020 at 09.09

    Hey!

    There are currently two apps available for Intune in Conditional Access: the “old” Microsoft Intune Enrollment and the new Microsoft Intune, which is used in Android’s Fully Managed enrollments, for example. Can you briefly explain your scenario in which the exclusion doesn’t work? Also, it’s worth checking the Azure AD sign-in logs for the user in question to see which Conditional Access policy he/she is hitting.
