One problem when enrolling mobile devices to mobile device management is that end-user’s must do it themselves. Why that is a problem? Let’s think about it for a minute.
End-user gets a mobile device that she or he opens and inserts a SIM-card. Sometimes this is done already by device supplier or some on-site support. End-user wants to add company e-mail and resources to it for example OneDrive for Business. When end-user tries to sign in to the OneDrive with her or his company credentials, the mobile says that you have to enroll it to use company devices. This is maybe (or hopefully) the most used scenario in Conditional Access. You can read more about Conditional Access from other posts in this blog. If end-user does not want to enroll mobile to management, he or she can leave it without an enrollment and decide not to use company resources. Is this clever to buy expensive mobile devices that are used only for phone calls and SMS? You can guess the answer…
Another point of view is that the enrollment process for mobiles is quite long and end-user must select right choices to achieve enrolled status for the device. This is one way to get managed devices, but is this the only way. No! There is also an easier way to take care about mobile device enrollment. There are three mainly used automatic enrollment programs:
- Device Enrollment Program (DEP) for Apple
- Knox Mobile Enrollment (KME) for Samsung
- Zero-Touch (ZT) for selected Android devices
I will tell in this three part blog series from each of these. How to enroll to the program, how to configure it to Microsoft Intune, when to use these programs and what is the end-user experience. And up to all. These are free programs to join!
Device Enrollment Program
Apple has completed their journey towards automatic enrollment with quite easy but really strict program called DEP – Device Enrollment Program. Why this is strict? You have to buy your devices straight from Apple or DEP approved reseller (not necessary from the same one).
After you have been accepted to DEP program, you just add your reseller to the DEP portal, configure necessary MDM solution connections and that’s pretty much it. Order new device and test the process.
Registration
Start the registration process by going to Apple Business Portal. Click from there Enroll now and start filling the form.
The form requires you to fill also the D-U-N-S Number that is a nine digit business identification number provided by Dun & Bradstreet. It depend by country if you have it already and where you can find it. For Finnish companies, use Bisnode lookup, it’s always created for every business in Finland. For other countries, Bing or Google the way how you can get a D-U-N-S number for your business.
After filling the form you can review the information and Submit it to Apple.
Apple handles the enrollment from couple of days to couple of weeks. They will contact the verification contact by e-mail that you provided in the enrollment form and ensure that the company really wants to join to the program. After clicking Yes in that e-mail you get another e-mail where is a link for completing the registration process. Beaware, the link in second e-mail that is sent for you is valid for 7 days only. If you miss it, the verification contact should verify your company again.
Connecting Intune to Apple Business Manager
To prepare Intune for DEP enrollment you should create an Enrollment Program Token.
Navigate to Intune\Device enrollment\Apple enrollment\Enrollment program tokens\Add enrollment program token.
Download the public key for the Apple token and go to the Apple Business Manager Portal.
In Business Manager Portal navigate to Settings and Device management Settings. Select Add MDM Server from the right hand panel. Import the public key that you just downloaded from Intune to the Apple Business Manager and select Save.
After you have added the MDM Server, you can open the MDM Server from the list and download the token itself that you must import to the Intune.
Import the downloaded token to the Intune and select Create. Now you have established a successfully connection between Intune and Apple Business Manager.
Remember to select Default device assignment settings from Apple Business Manager under Device Management Settings. Select which device types are using your MDM by default.
Deployment Profile
After creating a connection between Apple Business Manager and Intune, you must open it and create a profile for newly added devices.
Set your settings as you wish. I recommend to run company portal in Single App Mode until authentication. It requires the end-user to enroll device before using it. Before you can require the Single App-mode, you must set up Volume Purchase Program (VPP) for Intune. There are several guides in the internet how to do it.
Under Setup Assistant customization there are many selections for Setup Assistant. Hide all screens that you don’t want to show to end-user. Remember to make it really simple and end-user friendly.
You can create several profiles to achieve different profiles for iOS and MacOS and with or without user affinity. Just remember that you should have only one default for all devices.
After you have created your profile, select Set default profile from the ribbon and select your default profile for iOS Enrollments. That’s it.
Connect Apple Business Manager to reseller
Now you are ready to make a connection between you and your reseller. In Apple Business Manager under settings you find Enrollment Information. Take your Organization DEP Customer ID and give it to your reseller. They will give you their Reseller ID that you should add to the Apple Business Manager.
Add the reseller ID under Device Management Settings, Customer Numbers and DEP Reseller IDs.
After this you are able to order new device from your reseller and ask them to upload the device information to the DEP-portal. After the reseller adds it to the program, it appears on Apple Business Manager immediately, but it syncs to the Intune only once in 24h if you don’t initiate extra synchronization from Intune side.
Summary
To summarize this post I’d like to remind that this is not mandatory, but it is recommended to implement. It sounds hard and big process, but it is not. There are only several steps to complete before you can use it. And it is FREE program!!
Find also my other posts about Mobile Device Automatic Enrollment:
3 Comments
Anonymous · 23.03.2019 at 05.34
You recommend to run Company Portal in a single app mode. Have you managed to solve the problem related to enrollment with MFA? In a single app mode you can not access your sms messages.
Markus Lintuala · 25.03.2019 at 20.47
Unfortunately that is a known problem. At the end it’s currently instructions that should be shared to end users while they are changing the phone to the new one, in which section they should leave the SIM-card to the new phone. You can make the enrollment with WiFi and having the SIM attached to the old phone. Another way to achieve this is to remove the single app mode. Do it either way, which is the best for your own environment, organization and situation. We have still end-users that can’t even handle the phone and requires on-site support assistance in phone change. Of course then you don’t need at all the single app mode.
Markus Lintuala · 18.02.2021 at 22.10
Now it’s possible. Check this out! https://bloggerz.cloud/2021/02/18/temporary-access-pass-for-places-where-mfa-is-not-possible/