Set Up iOS and Mac Management with Microsoft Intune



Hello all,

Back again with another blog post. This time, we'll be diving into Intune enrollment iOS supervised mode via Apple Configurator. Admittedly, this is something I'd heard about sparingly, but never really tinkered with until a customer of mine came to me with a requirement that they needed to be able to disable iMessage on specific iOS devices in their Intune tenant. I was aware of supervised mode and knew it was attainable with enrollment in Apple's DEP program. However, I wasn't aware that supervised mode is also attainable leveraging Apple Configurator and Setup Assistant. So what is iOS supervised mode? iOS supervised mode is an enrollment state of an iOS device that allows an administrator more control over a device than in traditional BYOD scenarios. The settings that are opened up to an administrator for control in supervised mode are listed in the first link below, one of which is iMessage control. So, our focus for today is step-by-step instructions on how I did a proof of concept in my Intune tenant before assisting my customer with the implementation. I do have screenshots for the steps below, but for now I will not include them, so as to avoid making the blog so long I'd need to break it up into parts. However, if enough people comment that they would like screens, I will include them.

So where do we begin? Like any good Microsoft employee, when my customer asked if this were possible, I reviewed our documentation on the topic.

And per usual, I had more questions after reviewing the docs. Such is the purpose of this blog: to lay it all out to make it easier on you if you decide to implement a similar scenario. First things first, we have some pre-requisites. Ensure you meet the pre-requisites before proceeding any further.

Step 1: Create the Apple Configurator Profile in Intune tenant

  1. Open a web browser and go to http://portal.azure.com
  2. In the left pane, select More Services and type in Intune. Click Intune to open the Microsoft Intune management blade
  3. Within the Intune blade, select Device enrollment
  4. On the Device enrollment blade, select Apple enrollment
  5. In the Manage Apple Configurator Enrollment Settings section, select AC Profiles
  6. On the Apple Configurator Enrollment Profiles blade, click Create to create a profile
  7. On the Create Enrollment Profile blade, type in a name for the profile in the Name field. In the User Affinity dropdown, ensure Enroll with user affinity is selected and click Create
  8. Close all the blades to get back to the Intune management blade


Step 2: Create an Intune group to populate devices

  1. In the Intune management blade, in the left pane, click on Groups
  2. In the Groups blade, in the middle pane, click New group
  3. On the Group blade, set the Group Type drop-down to Security. Type in a name for the group in the Group name field. For example, iOS Supervised Devices. Set the Membership type drop-down to Dynamic Device
  4. Click the Add dynamic query box
  5. On the Dynamic membership rules blade, set the first dropdown to enrollmentProfile. Change the second dropdown to Equals. In the third field, type in the name of the enrollment profile you created in step 7 of the previous section and click Add query
  6. Back on the Group blade, click Create to create the group

Step 3: Upload a CSV that contains the serial numbers and details of devices to be enrolled with Apple Configurator and assign the AC profile to the devices

  1. Open Excel and create a two-column CSV file that contains the serial number of the device in the first column and details in the second column. For example, in the first column, type in 123456789. In the second column type in Matt's iPad.
  2. Save the file as a CSV file
  3. Within the Intune blade, select Device enrollment
  4. On the Device enrollment blade, select Apple enrollment
  5. In the Manage Apple Configurator Enrollment Settings section, select Apple Configurator Devices
  6. On the Apple Configurator Devices blade, click Add
  7. On the Add Devices blade, in the Select Profile drop-down, select the AC profile
  8. Within the Specify the path to the list you want to import, click the blue folder icon and browse to the CSV you created earlier and click Open
  9. Click Add to import the device list
  10. Close the Add Devices blade. Back on the Apple Configurator Devices blade, you should see the devices from the device list you imported
  11. Click on each device and click Assign Profile
  12. On the Assign Profile blade, select the AC profile from the drop-down and click Assign
  13. Repeat steps 11-12 until all devices are assigned the AC profile
  14. Close all the blades to return to the Intune management blade

Step 4: Export the AC Profile to obtain MDM URL for Intune tenant for Apple Configurator

  1. Within the Intune management blade, select Device enrollment
  2. On the Device enrollment blade, select Apple enrollment
  3. In the Manage Apple Configurator Enrollment Settings section, select AC Profiles
  4. Select the AC profile you created earlier in Step 1
  5. In the AC profile blade, click Export Profile
  6. In the Export Profile blade, copy the value in the Profile URL field to notepad and save as you will need it later
  7. Close all blades to return to the Intune management blade

Step 5: Create Apple Configurator Profile to manage settings

  1. On a supported Mac device, preferably running High Sierra, download and install Apple Configurator 2 from the app store
  2. Open Apple Configurator 2
  3. In top left corner is the Apple Configurator menu, click File and select New Profile. NOTE: A window called All Devices may be in the forefront, move this window to the side for now
  4. This action will open the New Profile window. In this window are several options to configure. Review each tab of settings as you like in the left pane. For the sake of this blog, we'll only configure the required General settings and the iMessage setting under Restrictions . On the General tab, type in a name for the profile in the Name field. There are other optional fields. Fill them out as desired
  5. In the left pane, select the Restrictions tab. In the middle pane, click the Configure button. Find the Allow iMessage setting and uncheck the box
  6. In the Apple Configurator menu, click File and select Save. Save the profile to the desktop of the Mac. Wherever you are working in the Intune management blade, copy the file from the Mac to this device
  7. Leave Apple Configurator open as we will return here shortly to prepare devices

Step 6: Create and Assign iOS device restriction custom policy in Intune management blade

  1. Locate the file you just created in the last step and rename the file extension to .XML
  2. Going back to Intune, within the Intune blade, select Device configuration
  3. On the Device configuration blade, select Profiles
  4. On the Profiles blade, select Create Profile
  5. On the Create Profile blade, type in a name for the profile in the Name field. For example, iOS Disable iMessage. In the Platform drop down, select iOS. In the Profile type dropdown, select Custom
  6. The Custom Configuration Profile blade will open. Type in a name for the custom configuration in the Custom configuration profile name field
  7. In the Configuration profile file field, click the blue folder icon and browse to where you copied the Apple Configurator profile in the previous step. Select the file and click Open. The File contents field will populate with the data from the file you selected.
  8. Click OK to return to the Create profile blade
  9. On the Create profile blade, click Create
  10. On the Profiles blade, click the profile you just created. The profile settings blade will appear. On this blade, select Assignments
  11. On the Assignments blade, in the Assign to dropdown, select Selected Groups. Below that, click on Select groups to include
  12. On the Select groups to include blade, in the Select field, type in the name of the group created in Step 2 earlier. Click on the group and click the Select button at the bottom of the blade
  13. Back on the Assignments blade, click the Save button
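
Before uploading the Apple Configurator file from Step 5 as a custom profile, it is worth confirming that it restricts iMessage and nothing else. The following is an added example, not code from the blog author or Microsoft. It assumes the profile was saved unsigned (a plain XML plist), uses Apple's Restrictions payload type `com.apple.applicationaccess` with its `allowChat` key for iMessage, and runs on a constructed sample profile rather than a real export.

```python
import plistlib
from xml.parsers.expat import ExpatError

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple's Restrictions payload


def review_profile(data, allowed_types=(RESTRICTIONS_TYPE,),
                   must_be_false=("allowChat",)):
    """Return a list of findings for a configuration profile (empty = as expected)."""
    try:
        profile = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        # A signed profile is a CMS blob, not a plist, and lands here too.
        raise ValueError("not an unsigned plist configuration profile") from exc

    findings = []
    disabled = set()
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<missing>")
        if ptype not in allowed_types:
            findings.append(f"unexpected payload type: {ptype}")
        if ptype == RESTRICTIONS_TYPE:
            # Collect every restriction key that is explicitly switched off.
            disabled.update(k for k, v in payload.items() if v is False)

    for key in must_be_false:
        if key not in disabled:
            findings.append(f"{key} is not set to false")
    extra = sorted(disabled - set(must_be_false))
    if extra:
        findings.append("other restrictions set to false: " + ", ".join(extra))
    return findings


def build_sample_profile(restrictions, extra_types=()):
    """Constructed sample only: mimics the layout of an exported profile."""
    content = [dict(restrictions, PayloadType=RESTRICTIONS_TYPE,
                    PayloadIdentifier="example.restrictions", PayloadVersion=1)]
    content += [{"PayloadType": t, "PayloadVersion": 1} for t in extra_types]
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadDisplayName": "iOS Disable iMessage",
        "PayloadIdentifier": "example.profile",
        "PayloadVersion": 1,
        "PayloadContent": content,
    })


# Constructed inputs: one profile that matches the intent of Step 5, one that drifts.
GOOD = build_sample_profile({"allowChat": False, "allowCamera": True})
DRIFTED = build_sample_profile({"allowChat": True, "allowCamera": False},
                               extra_types=("com.apple.wifi.managed",))

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("drifted", DRIFTED)):
        print(name, review_profile(blob) or "OK")
```

To check a real export, read the saved file in binary mode and pass its bytes to `review_profile`.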

Step 7: Use Apple Configurator to prepare device

  1. Before doing anything, on the device you wish to prepare, open up Settings > Click on your Name > iCloud
  2. If an iPhone, turn off Find my iPhone. If an iPad, turn off Find my iPad
  3. Connect the device to the Mac device with a USB cord
  4. In the All Devices windows of Apple Configurator, the device will show up. Select the device and then click the Prepare button in the toolbar above
  5. This action will step you through a wizard. On the Prepare Devices screen, in the Prepare with dropdown, ensure Manual Configuration is selected. Also ensure the Supervise devices and Allow devices to pair with other computers checkboxes are selected and click Next
  6. On the Enroll in MDM Server screen, click Next
  7. On the Define an MDM Server, type in a name for the MDM server in the Name field. In the Host name or URL field, paste in the URL you exported in Step 4 above and click Next. On the next screen, you will be prompted to add trust anchor certificates for the MDM server. Select the certificate appleconfigurator2.manage.microsoft.com and then click Next
  8. On the Assign to Organization screen, click Next
  9. On the Sign in to the Device Enrollment Program screen, click Skip
  10. On the Create an Organization screen, type in the details of your organization and click Next
  11. On the Configure iOS Setup Assistance screen, click Prepare. NOTE: This screen contains options that dictate the user experience after the device is prepared. If you select boxes here, the user will be prompted to configure those settings during the device setup. Review each setting and determine if your organization requires that you allow users to configure these settings
  12. You'll be prompted that preparing the device requires it to be erased. Click Erase on the prompt. The device will now be prepared. Wait for the preparation to complete. After the device has completed preparing, you can complete the setup of the device yourself and give to the user. Or, you can allow the user to complete the Setup Assistant to complete the device setup

Step 8: Use Setup Assistant to complete enrollment of device

  1. Once the device has finished preparing, you or the user must complete Setup Assistant on the device so it is enrolled and policy applied to the device
  2. On the device, press the home button. Depending on how you configured Setup Assistant in the previous step, you or the user will be prompted to configure the items selected in the previous section for step 11.
  3. Select a Wifi network and connect. Alternatively, connect to a cellular network if no Wifi. Once connected, click Next
  4. You will see a Remote Management screen for your organization. Click Apply Configuration
  5. Type in the user credentials to enroll and click Next
  6. You'll see a screen stating the configuration from your organization is being installed. Once this is complete, click Get Started
  7. On the device, click on Settings > Device Management and you will see your organization's management profile on the device. This means the device has successfully enrolled and is now applying policy to the device. It may take some time for the custom device restriction policy to come and apply. Give it at least 30 minutes for the custom policy to be applied

Step 9: Validate the iOS device restriction custom policy successfully applied

If you complete the Setup Assistant prior to giving the user the device, you can validate that the policy is applied to the device. If you do not, you can view the data in the Intune blade for success/fail of the custom policy assignment after some time.

  1. On the device, open Settings > Device Management > Management Profile > Restrictions
  2. On the Restrictions screen, you will see that iMessage is not allowed on the device

And there you have it! Another adventure in Intune and the many ways we have to enroll and configure devices. Please feel free to comment and share. Until next time!

iOS device enrollment - Apple Configurator-Setup Assistant

Learn how to use the Apple Configurator to enroll corporate-owned iOS devices with Setup Assistant.

Author: ErikjeMS


Intune supports the enrollment of iOS devices using Apple Configurator running on a Mac computer. Enrolling with Apple Configurator requires that you USB-connect each iOS device to a Mac computer to set up corporate enrollment. You can enroll devices into Intune with Apple Configurator in two ways:

  • Setup Assistant enrollment - Wipes the device and prepares it to enroll during Setup Assistant.
  • Direct enrollment - Does not wipe the device and enrolls the device through iOS settings. This method only supports devices with no user affinity.

Apple Configurator enrollment methods can't be used with the device enrollment manager.


Prerequisites

  • Physical access to iOS devices
  • Device serial numbers (Setup Assistant enrollment only)
  • USB connection cables
  • macOS computer running Apple Configurator 2.0

Create an Apple Configurator profile for devices

A device enrollment profile defines the settings applied during enrollment. These settings are applied only once. Follow these steps to create an enrollment profile to enroll iOS devices with Apple Configurator.

  1. In the Microsoft Endpoint Manager Admin Center, choose Devices > iOS > iOS enrollment > Apple Configurator > Profiles > Create.

  2. Under Create Enrollment Profile, type a Name and Description for the profile for administrative purposes. Users do not see these details. You can use this Name field to create a dynamic group in Azure Active Directory. Use the profile name to define the enrollmentProfileName parameter to assign devices with this enrollment profile. Learn more about Azure Active Directory dynamic groups.

  3. For User Affinity, choose whether devices with this profile must enroll with or without an assigned user.

    • Enroll with user affinity - Choose this option for devices that belong to users and that want to use the company portal for services like installing apps. The device must be affiliated with a user with Setup Assistant and can then access company data and email. Only supported for Setup Assistant enrollment. User affinity requires WS-Trust 1.3 Username/Mixed endpoint. Learn more.

    • Enroll without User Affinity - Choose this option for devices unaffiliated with a single user. Use this for devices that perform tasks without accessing local user data. Apps requiring user affiliation (including the Company Portal app used for installing line-of-business apps) won’t work. Required for direct enrollment.

    [!NOTE] When Enroll with user affinity is selected, make sure that the device is affiliated with a user with Setup Assistant within the first 24 hours of the device being enrolled. Otherwise enrollment might fail, and a factory reset will be needed to enroll the device.

  4. If you chose Enroll with User Affinity, you have the option to let users authenticate with Company Portal instead of the Apple Setup Assistant.

    [!NOTE] If you want to do any of the following, set Authenticate with Company Portal instead of Apple Setup Assistant to Yes.

    • use multifactor authentication
    • prompt users who need to change their password when they first sign in
    • prompt users to reset their expired passwords during enrollment

    These are not supported when authenticating with Apple Setup Assistant.

  5. Choose Create to save the profile.

Setup Assistant enrollment

Add Apple Configurator serial numbers

  1. Create a two-column, comma-separated value (.csv) list without a header. Add the serial number in the left column, and the details in the right column. The current maximum for the list is 5,000 rows. In a text editor, the .csv list looks like this:

    F7TLWCLBX196,device details
    DLXQPCWVGHMJ,device details

    Learn how to find an iOS device serial number.

  2. In the Microsoft Endpoint Manager Admin Center, choose Devices > iOS > iOS enrollment > Apple Configurator > Devices > Add.

  3. Select an Enrollment profile to apply to the serial numbers you're importing. If you want the new serial number details to overwrite any existing details, choose Overwrite details for existing identifiers.

  4. Under Import Devices, browse to the csv file of serial numbers, and select Add.
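
The serial-number list described here, and in Step 3 of the blog post earlier on this page, can be checked before import so that a header row, a duplicate, or a malformed line does not put the wrong device under a profile. The following is an added example, not Microsoft's code. The 8-14 letter/digit serial pattern is an assumption (the page does not define a format), and the sample rows are constructed around the two serials shown above.

```python
import csv
import io
import re

MAX_ROWS = 5000  # current maximum stated in the documentation above
# Assumption: a serial is 8-14 ASCII letters/digits; adjust for your fleet.
SERIAL_RE = re.compile(r"[A-Za-z0-9]{8,14}")


def validate_serial_csv(text):
    """Return (line_number, problem) tuples; an empty list means the list is clean.

    Line number 0 is used for problems that concern the file as a whole.
    """
    problems = []
    first_seen = {}   # upper-cased serial -> line where it first appeared
    data_rows = 0
    reader = csv.reader(io.StringIO(text, newline=""))
    for row in reader:
        line = reader.line_num
        if not row:
            problems.append((line, "blank line"))
            continue
        data_rows += 1
        if len(row) != 2:
            problems.append((line, f"expected 2 columns, found {len(row)}"))
            continue
        serial, _details = row
        if line == 1 and "serial" in serial.lower():
            problems.append((line, "looks like a header row; the list must have none"))
            continue
        if not SERIAL_RE.fullmatch(serial):
            problems.append((line, f"serial {serial!r} is not 8-14 letters/digits"))
            continue
        key = serial.upper()
        if key in first_seen:
            problems.append((line, f"duplicate of line {first_seen[key]}"))
        else:
            first_seen[key] = line
    if data_rows > MAX_ROWS:
        problems.append((0, f"{data_rows} rows exceeds the {MAX_ROWS}-row limit"))
    return problems


# Constructed sample: a header, two valid rows, a case-variant duplicate,
# a serial containing a space, and a row missing its details column.
SAMPLE = (
    "Serial,Details\n"
    "F7TLWCLBX196,device details\n"
    "DLXQPCWVGHMJ,device details\n"
    "f7tlwclbx196,duplicate entry\n"
    "DLXQ PCWV,bad serial\n"
    "ABCDEFGH1234\n"
)

if __name__ == "__main__":
    for line, problem in validate_serial_csv(SAMPLE):
        print(f"line {line}: {problem}")
```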


Reassign a profile to device serial numbers

You can assign an enrollment profile when you import iOS serial numbers for Apple Configurator enrollment. You can also assign profiles from two places in the Azure portal:

  • Apple Configurator devices
  • AC profiles


Assign from Apple Configurator devices

  1. In the Microsoft Endpoint Manager Admin Center, choose Devices > iOS > iOS enrollment > Apple Configurator > Devices > choose the serial numbers > Assign profile.
  2. Under Assign Profile, choose the New profile you want to assign, and then choose Assign.

Assign from profiles

  1. In the Microsoft Endpoint Manager Admin Center, choose Devices > iOS > iOS enrollment > Apple Configurator > Profiles > choose a profile.
  2. In the profile, choose Devices assigned, and then choose Assign.
  3. Filter to find device serial numbers you want to assign to the profile, select the devices, and then choose Assign.

Export the profile

After you create the profile and assign serial numbers, you must export the profile from Intune as a URL. You then import it into Apple Configurator on a Mac for deployment to devices.

  1. In the Microsoft Endpoint Manager Admin Center, choose Devices > iOS > iOS enrollment > Apple Configurator > Profiles > choose the profile to export.

  2. On the profile, select Export Profile.

  3. Copy the Profile URL. You can then add it in Apple Configurator to define the Intune profile used by iOS devices.

    Next you import this profile to Apple Configurator in the following procedure to define the Intune profile used by iOS devices.

Enroll devices with Setup Assistant

  1. On a Mac computer, open Apple Configurator 2. In the menu bar, choose Apple Configurator 2, and then choose Preferences.

    [!WARNING] Devices are reset to factory configurations during the enrollment process. As a best practice, reset the device and turn it on. Devices should be at the Hello screen when you connect the device. If the device was already registered with the Apple ID account, the device must be deleted from the Apple iCloud before starting the enrollment process. The prompt error appears as 'Unable to activate [Device name]'.

  2. In the preferences pane, select Servers and choose the plus symbol (+) to launch the MDM Server wizard. Choose Next.

  3. Enter the Host name or URL and enrollment URL for the MDM server under Setup Assistant enrollment for iOS devices with Microsoft Intune. For the Enrollment URL, enter the enrollment profile URL exported from Intune. Choose Next.
    You can safely disregard a warning stating 'server URL is not verified.' To continue, choose Next until the wizard is finished.

  4. Connect the iOS mobile devices to the Mac computer with a USB adapter.

  5. Select the iOS devices you want to manage, and then choose Prepare. On the Prepare iOS Device pane, select Manual, and then choose Next.

  6. On the Enroll in MDM Server pane, select the server name you created, and then choose Next.

  7. On the Supervise Devices pane, select the level of supervision, and then choose Next.

  8. On the Create an Organization pane, choose the Organization or create a new organization, and then choose Next.

  9. On the Configure iOS Setup Assistant pane, choose the steps to be presented to the user, and then choose Prepare. If prompted, authenticate to update trust settings.

  10. When the iOS device finishes preparing, disconnect the USB cable.

Distribute devices

The devices are now ready for corporate enrollment. Turn off the devices and distribute them to users. When users turn on their devices, Setup Assistant starts.

After users receive their devices, they must complete Setup Assistant. Devices configured with user affinity can install and run the Company Portal app to download apps and manage devices.

Direct enrollment

When you directly enroll iOS devices with Apple Configurator, you can enroll a device without acquiring the device's serial number. You can also name the device for identification purposes before Intune captures the device name during enrollment. The Company Portal app is not supported for directly enrolled devices. This method does not wipe the device.


Apps requiring user affiliation, including the Company Portal app used for installing line-of-business apps, cannot be installed.

Export the profile as .mobileconfig to iOS devices

  1. In the Microsoft Endpoint Manager Admin Center, choose Devices > iOS > iOS enrollment > Apple Configurator > Profiles > choose the profile to export > Export Profile.

  2. Under Direct enrollment, choose Download profile, and save the file. An enrollment profile file is only valid for two weeks at which time you must re-create it.

  3. Transfer the file to a Mac computer running Apple Configurator to push directly as a management profile to iOS devices.

  4. Prepare the device with Apple Configurator by using the following steps:

    1. On a Mac computer, open Apple Configurator 2.0.

    2. Connect the iOS device to the Mac computer with a USB cord. Close Photos, iTunes, and other apps that open for the device when the device is detected.

    3. In Apple Configurator, choose the connected iOS device, and then choose the Add button. Options that can be added to the device appear in the drop-down list. Choose Profiles.

    4. Use the file picker to select the .mobileconfig file that you exported from Intune, and then choose Add. The profile is added to the device. If the device is Unsupervised, the installation requires acceptance on the device.

  5. Use the following steps to install the profile on the iOS device. The device must have already completed the Setup Assistant and be ready to use. If enrollment entails app deployments, the device should have an Apple ID set up because the app deployment requires that you have an Apple ID signed in for the App Store.

    1. Unlock the iOS device.
    2. In the Install profile dialog box for Management profile, choose Install.
    3. Provide the Device Passcode or Apple ID, if necessary.
    4. Accept the Warning, and choose Install.
    5. Accept the Remote Warning, and choose Trust.
    6. When the Profile Installed box confirms the profile as Installed, choose Done.
  6. On the iOS device, open Settings and go to General > Device Management > Management Profile. Confirm that the profile installation is listed, and check the iOS policy restrictions and installed apps. Policy restrictions and apps might take up to 10 minutes to appear on the device.

  7. Distribute devices. The iOS device is now enrolled in Intune and managed.