After several customer implementations I wanted to discuss Microsoft Intune MDM automatic enrollment methods and their small caveats related to Multi-Factor Authentication (MFA). We all know the importance of MFA in today's cloud security, and using it with Intune enrollments is a really nice security addition to the process.

You have a lot of options when choosing your Intune MDM strategy and enrollment methods. I recommend you take a look at the following Microsoft docs when choosing the right strategy for your organization:

What is Microsoft Intune device enrollment

The planning guide covers more than just enrollment options, but it's a really good read. You can read my colleague's posts about setting up Apple DEP, Samsung KME and Google Zero Touch.

The issue I want to discuss is related to the combination of automatic enrollment methods and MFA. As of today, Apple DEP with Single App Mode and Android Fully Managed devices using Samsung KME and Google Zero Touch are affected by the issue. I will also explain another known issue with Apple DEP and Single App Mode.

Multi-Factor Authentication and Apple DEP

To empower your users with their new Apple devices you really want to use Single App Mode in your Apple enrollment profile. This configuration basically locks iOS after the first launch and automatically enrolls the device to Microsoft Intune without any complicated user actions. The user is not able to access the phone before the setup is complete. There is a (slightly confusing) documentation about configuring the Apple enrollment profile here. You need to understand the different options and their limitations while choosing the best combination for you. The documentation says that if you want to use Multi-Factor Authentication you must authenticate the users in Company Portal instead of Apple Setup Assistant.

Which came first, the MFA or the Single App Mode?

Let's imagine a new employee starts and unlocks their shiny Apple iPhone. They are guided through the process, and when Single App Mode launches and Company Portal wants them to authenticate using Multi-Factor Authentication, how do they perform the MFA when the device is currently locked in Single App Mode?

Workarounds

I honestly think you have three options, and you need to choose the right one based on what your organization's requirements might be regarding security and MFA.

Disable MFA from Microsoft Intune Enrollment

You could do this for your enrolling users with Azure AD Conditional Access by excluding Microsoft Intune Enrollment from the Cloud apps. This is equivalent to the Intune Company Portal that performs your Apple device's enrollment.

[Image: Excluding Company Portal from Conditional Access]

Disable MFA from the user when enrolling

You could temporarily disable MFA for the enrolling user each time they unlock their new device and enroll it. This reduces your security but improves your productivity and allows you to use Single App Mode to make sure your enrollments are consistent across the organization.
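Both Conditional Access based workarounds above (excluding the Microsoft Intune Enrollment cloud app, and temporarily excluding the enrolling user) can be expressed as one policy. The following is an added example in PowerShell using the Microsoft Graph PowerShell SDK; it is not code from the original post. The app ID used for Microsoft Intune Enrollment is an assumed well-known value and is checked against the tenant before use, the group object IDs are placeholders, and the function Set-TemporaryMfaExclusion is a hypothetical helper name.

```powershell
# Added example, not code from the original post. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Applications, Microsoft.Graph.Groups,
# Microsoft.Graph.Users). Group object IDs below are placeholders for your own tenant.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All",
                        "GroupMember.ReadWrite.All", "User.Read.All"

# App ID commonly published for the first-party "Microsoft Intune Enrollment" application.
# Assumed value: it is verified below against the enterprise application in this tenant.
$intuneEnrollmentAppId = "d4ebce55-015a-49b5-a083-c84d1797ae8c"

$sp = Get-MgServicePrincipal -Filter "appId eq '$intuneEnrollmentAppId'"
if (-not $sp -or $sp.DisplayName -ne "Microsoft Intune Enrollment") {
    throw "App ID does not resolve to 'Microsoft Intune Enrollment' in this tenant; check the ID."
}

$pilotGroupId        = "<object-id-of-enrollment-pilot-group>"         # placeholder
$mfaExclusionGroupId = "<object-id-of-temporary-mfa-exclusion-group>"  # placeholder

$policy = @{
    displayName   = "Require MFA - exclude Intune Enrollment (pilot)"
    # Start in report-only mode so the sign-in logs show the effect before anything is enforced.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeGroups = @($pilotGroupId)
            # Option "disable MFA from the user when enrolling": members of this group are
            # not prompted for MFA; membership is meant to be temporary (see helper below).
            excludeGroups = @($mfaExclusionGroupId)
        }
        applications = @{
            includeApplications = @("All")
            # Option "disable MFA from Microsoft Intune Enrollment": only the enrollment app is
            # excluded, so Company Portal can finish DEP/Single App Mode enrollment while every
            # other cloud app still requires MFA.
            excludeApplications = @($intuneEnrollmentAppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Hypothetical helper: put a user in the exclusion group only for the duration of enrollment
# and remove them afterwards, so the MFA exclusion does not silently become permanent.
function Set-TemporaryMfaExclusion {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $ExclusionGroupId,
        [switch] $Remove
    )
    $user = Get-MgUser -UserId $UserPrincipalName
    if ($Remove) {
        Remove-MgGroupMemberByRef -GroupId $ExclusionGroupId -DirectoryObjectId $user.Id
    } else {
        New-MgGroupMember -GroupId $ExclusionGroupId -DirectoryObjectId $user.Id
    }
}

# Audit check: list every Conditional Access policy that excludes an application or a group,
# so exclusions introduced for enrollment stay visible and can be reviewed regularly.
Get-MgIdentityConditionalAccessPolicy | ForEach-Object {
    $apps   = $_.Conditions.Applications.ExcludeApplications
    $groups = $_.Conditions.Users.ExcludeGroups
    if ($apps -or $groups) {
        [pscustomobject]@{
            Policy         = $_.DisplayName
            State          = $_.State
            ExcludedApps   = ($apps -join ", ")
            ExcludedGroups = ($groups -join ", ")
        }
    }
} | Format-Table -AutoSize
```

Usage: run the script once to create the policy in report-only mode, review the sign-in logs for the pilot group, and only then switch the state to "enabled". During an enrollment, call Set-TemporaryMfaExclusion with the user's UPN, and call it again with -Remove as soon as Company Portal has completed; the closing audit loop is what lets you catch exclusions that were never removed.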