Place Chrome Device In User Organization During Manual Enrollment

  1. Place Chrome Device In User Organization During Manual Enrollment Form
-->

Some things I notice, after doing a factory reset to get into the Knox Enrollment state: - When the device has an active 4G connection, no option offered to setup a WiFi connection instead. The Intune app gets installed, but not configured. The user has to start the app and complete some steps manually in order to get it managed by Intune.

Intune supports the enrollment of iOS devices using Apple Configurator running on a Mac computer. Enrolling with Apple Configurator requires that you USB-connect each iOS device to a Mac computer to set up corporate enrollment. You can enroll devices into Intune with Apple Configurator in two ways:

  • Feb 13, 2018  Hello all, Back again with another blog post. This time, we'll be diving into Intune enrollment iOS supervised mode via Apple Configurator. Admittedly, this is something I'd heard about sparingly, but never really tinkered with until a customer of mine came to me with a requirement that they needed to be able to disable iMessage on.
  • Nov 22, 2018  The user sign-on. After the device enrollment status page (ESP) completes, you’ll see the lock screen. The process isn’t really complete yet because no user policies from Intune have been applied yet. Ideally, these would be applied immediately after the user.
  • Setup Assistant enrollment - Wipes the device and prepares it to enroll during Setup Assistant.
  • Direct enrollment - Does not wipe the device and enrolls the device through iOS settings. This method only supports devices with no user affinity.

Apple Configurator enrollment methods can't be used with the device enrollment manager.

Prerequisites

  • Physical access to iOS devices
  • Device serial numbers (Setup Assistant enrollment only)
  • USB connection cables
  • macOS computer running Apple Configurator 2.0

Create an Apple Configurator profile for devices

A device enrollment profile defines the settings applied during enrollment. These settings are applied only once. Follow these steps to create an enrollment profile to enroll iOS devices with Apple Configurator.

  1. In the Microsoft Endpoint Manager Admin Center, choose Devices > iOS > iOS enrollment > Apple Configurator > Profiles > Create.

  2. Under Create Enrollment Profile, type a Name and Description for the profile for administrative purposes. Users do not see these details. You can use this Name field to create a dynamic group in Azure Active Directory. Use the profile name to define the enrollmentProfileName parameter to assign devices with this enrollment profile. Learn more about Azure Active Directory dynamic groups.

  3. For User Affinity, choose whether devices with this profile must enroll with or without an assigned user.

    • Enroll with user affinity - Choose this option for devices that belong to users and that want to use the company portal for services like installing apps. The device must be affiliated with a user with Setup Assistant and can then access company data and email. Only supported for Setup Assistant enrollment. User affinity requires WS-Trust 1.3 Username/Mixed endpoint. Learn more.

    • Enroll without User Affinity - Choose this option for devices unaffiliated with a single user. Use this for devices that perform tasks without accessing local user data. Apps requiring user affiliation (including the Company Portal app used for installing line-of-business apps) won’t work. Required for direct enrollment.

    Note

    When Enroll with user affinity is selected, make sure that the device is affiliated with a user with Setup Assistant within the first 24 hours of the device being enrolled. Otherwise enrollment might fail, and a factory reset will be needed to enroll the device.

  4. If you chose Enroll with User Affinity, you have the option to let users authenticate with Company Portal instead of the Apple Setup Assistant.

    Note

    If you want do any of the following, set Authenticate with Company Portal instead of Apple Setup Assistant to Yes.

    • use multifactor authentication
    • prompt users who need to change their password when they first sign in
    • prompt users to reset their expired passwords during enrollment

    These are not supported when authenticating with Apple Setup Assistant.

  5. Choose Create to save the profile.

Setup Assistant enrollment

Add Apple Configurator serial numbers

  1. Create a two-column, comma-separated value (.csv) list without a header. Add the serial number in the left column, and the details in the right column. The current maximum for the list is 5,000 rows. In a text editor, the .csv list looks like this:

    F7TLWCLBX196,device details
    DLXQPCWVGHMJ,device details

    Learn how to find an iOS device serial number.

  2. In the Microsoft Endpoint Manager Admin Center, choose Devices > iOS > iOS enrollment > Apple Configurator > Devices > Add.

  3. Select an Enrollment profile to apply to the serial numbers you're importing. If you want the new serial number details to overwrite any existing details, choose Overwrite details for existing identifiers.

  4. Under Import Devices, browse to the csv file of serial numbers, and select Add.

Reassign a profile to device serial numbers

You can assign an enrollment profile when you import iOS serial numbers for Apple Configurator enrollment. You can also assign profiles from two places in the Azure portal:

  • Apple Configurator devices
  • AC profiles

Assign from Apple Configurator devices

  1. In the Microsoft Endpoint Manager Admin Center, choose Devices > iOS > iOS enrollment > Apple Configurator > Devices > choose the serial numbers > Assign profile.
  2. Under Assign Profile, choose the New profile you want to assign, and then choose Assign.

Assign from profiles

  1. In the Microsoft Endpoint Manager Admin Center, choose Devices > iOS > iOS enrollment > Apple Configurator > Profiles > choose a profile.
  2. In the profile, choose Devices assigned, and then choose Assign.
  3. Filter to find device serial numbers you want to assign to the profile, select the devices, and then choose Assign.

Export the profile

After you create the profile and assign serial numbers, you must export the profile from Intune as a URL. You then import it into Apple Configurator on a Mac for deployment to devices.

  1. In the Microsoft Endpoint Manager Admin Center, choose Devices > iOS > iOS enrollment > Apple Configurator > Profiles > choose the profile to export.

  2. On the profile, select Export Profile.

  3. Copy the Profile URL. You can then add it in Apple Configurator to define the Intune profile used by iOS devices.

    Next you import this profile to Apple Configurator in the following procedure to define the Intune profile used by iOS devices.

Enroll devices with Setup Assistant

  1. On a Mac computer, open Apple Configurator 2. In the menu bar, choose Apple Configurator 2, and then choose Preferences.

    Warning

    Devices are reset to factory configurations during the enrollment process. As a best practice, reset the device and turn it on. Devices should be at the Hello screen when you connect the device.If the device was already registered with the Apple ID account, the device must be deleted from the Apple iCloud before starting the enrollment process. The prompt error appears as 'Unable to activate [Device name]'.

  2. In the preferences pane, select Servers and choose the plus symbol (+) to launch the MDM Server wizard. Choose Next.

  3. Enter the Host name or URL and enrollment URL for the MDM server under Setup Assistant enrollment for iOS devices with Microsoft Intune. For the Enrollment URL, enter the enrollment profile URL exported from Intune. Choose Next.
    You can safely disregard a warning stating 'server URL is not verified.' To continue, choose Next until the wizard is finished.

  4. Connect the iOS mobile devices to the Mac computer with a USB adapter.

  5. Select the iOS devices you want to manage, and then choose Prepare. On the Prepare iOS Device pane, select Manual, and then choose Next.

  6. On the Enroll in MDM Server pane, select the server name you created, and then choose Next.

  7. On the Supervise Devices pane, select the level of supervision, and then choose Next.

  8. On the Create an Organization pane, choose the Organization or create a new organization, and then choose Next.

  9. On the Configure iOS Setup Assistant pane, choose the steps to be presented to the user, and then choose Prepare. If prompted, authenticate to update trust settings.

  10. When the iOS device finishes preparing, disconnect the USB cable.

Distribute devices

The devices are now ready for corporate enrollment. Turn off the devices and distribute them to users. When users turn on their devices, Setup Assistant starts.

After users receive their devices, they must complete Setup Assistant. Devices configured with user affinity can install and run the Company Portal app to download apps and manage devices.

Direct enrollment

When you directly enroll iOS devices with Apple Configurator, you can enroll a device without acquiring the device's serial number. You can also name the device for identification purposes before Intune captures the device name during enrollment. The Company Portal app is not supported for directly enrolled devices. This method does not wipe the device.

Apps requiring user affiliation, including the Company Portal app used for installing line-of-business apps, cannot be installed.

Place chrome device in user organization during manual enrollment center

Export the profile as .mobileconfig to iOS devices

Place Chrome Device In User Organization During Manual Enrollment Form

  1. In the Microsoft Endpoint Manager Admin Center, choose Devices > iOS > iOS enrollment > Apple Configurator > Profiles > choose the profile to export > Export Profile.

  2. Under Direct enrollment, choose Download profile, and save the file. An enrollment profile file is only valid for two weeks at which time you must re-create it.

  3. Transfer the file to a Mac computer running Apple Configurator to push directly as a management profile to iOS devices.

  4. Prepare the device with Apple Configurator by using the following steps:

    1. On a Mac computer, open Apple Configurator 2.0.

    2. Connect the iOS device to the Mac computer with a USB cord. Close Photos, iTunes, and other apps that open for the device when the device is detected.

    3. In Apple Configurator, choose the connected iOS device, and then choose the Add button. Options that can be added to the device appear in the drop-down list. Choose Profiles.

    4. Use the file picker to select the .mobileconfig file that you exported from Intune, and then choose Add. The profile is added to the device. If the device is Unsupervised, the installation requires acceptance on the device.

  5. Use the following steps to install the profile on the iOS device. The device must have already completed the Setup Assistant and be ready to use. If enrollment entails app deployments, the device should have an Apple ID set up because the app deployment requires that you have an Apple ID signed in for the App Store.

    1. Unlock the iOS device.
    2. In the Install profile dialog box for Management profile, choose Install.
    3. Provide the Device Passcode or Apple ID, if necessary.
    4. Accept the Warning, and choose Install.
    5. Accept the Remote Warning, and choose Trust.
    6. When the Profile Installed box confirms the profile as Installed, choose Done.
  6. On the iOS device, open Settings and go to General > Device Management > Management Profile. Confirm that the profile installation is listed, and check the iOS policy restrictions and installed apps. Policy restrictions and apps might take up to 10 minutes to appear on the device.

  7. Distribute devices. The iOS device is now enrolled in Intune and managed.