Intune Web based device enrolment with Just-in-time registration and Defender for Endpoint onboarding for iPadOS - Tips from the field!
I recently worked on a project that required setting up Intune and Defender for Endpoint enrolment policies for iPadOS. While some might say that this is a pretty routine task and in an absolute sense, it may very well be to some extent, I actually went another way.
Let me start by mentioning that the iPadOS devices in scope were existing devices and in some come cases BYO so resetting them was not an option. Therefore, a user based enrolment had to be the choice of enrolment. Now back in the days, one would normally enroll the iOS\iPadOS devices using Company Portal and while this is still supported, with the introduction of support of Single Sign On extensions (SSO) of Apple devices, I chose to configure Web based device enrolment together with Just-in-time (JIT) for iPadOS devices.
Web-based enrolment utilizes just in time (JIT) registration with the Apple single sign-on (SSO) extension to facilitate Microsoft Entra registration within the work apps thus reducing the number of authentication prompts. It doesn't require installation of the Company Portal app and the post-enrollment functionality remains the same as Company portal based enrolment.
Here is a quick comparison provided by Microsoft -
Source: Microsoft
Are there any pre-requisites? Well, there sure are -
- iOS\iPadOS 15.0 or later
- Microsoft Authenticator App
Device Enrolment Type Profile
In order to enrol devices using Web based enrolment method, a deployment enrolment type profile has to be created. Here are the steps -
1. Navigate to Microsoft Intune admin center
2. Go to Devices > Enrollment and select the Apple tab.
3. Under Enrollment Options, choose Enrollment types and select Create profile > iOS/iPadOS.
4. On the Basics page, enter a unique name and provide description as necessary and click Next.
5. On the Settings page, for Enrollment type, select Web based device enrollment as shown below.
6. Commit the settings by clicking on Next and assign the profile to all or a group of users.
Just-in-time or JIT Registration Profile
A single sign-on app extension policy to enable just-in-time (JIT) registration is required. Following are the steps -
1. Navigate to Microsoft Intune admin center
2. Create an iOS/iPadOS device configuration policy under Device features > Category > Single sign-on app extension.
3. Provide the following values -
SSO app extension type, select Microsoft Entra ID
Key: device_registration
Type: String
Value: {{DEVICEREGISTRATION}}
Key: browser_sso_interaction_enabled
Type: Integer
Value: 1
4. Commit the settings by clicking on Next and assign the profile to all or a group of users.
Company Portal Web App
Note: There is a known issue with web-based enrollment and JIT registration that prevents the Company Portal app from recognizing enrolled devices. Therefore, it is highly recommended that the web app version of Intune Company Portal is deployed to the enrolling user devices so that users can have quick access to device status, device actions, and compliance information.
To add the web app, steps are as follows -
1. Navigate to Microsoft Intune admin center
2. Select Apps > All apps > Add.
3. In the Select app type pane, under the Other types, select iOS/iPadOS web clip.
4. Populate the details as shown below. Make a note of the App URL. It should reflect https://portal.manage.microsoft.com/
5. Assign to all or a group of users.
Conditional Access (Optional)
Note: If you aren't utilizing conditional access, you can share the link (portal.manage.microsoft.com/conditionalaccess/enrollment) with the enrolling users to initiate the enrolment process manually. However, implementing Conditional Access policies is highly recommended to align with Zero trust security framework and also automate the process of device enrolment.
Also, for implementing controls to check for device compliance, a device compliance policy will be need to be setup and assigned to the enrolling users or the devices. If you wish to know more about this, then you can head over to the blog posts below where I have covered all the details related to MDE setup for iOS in general (including Application configuration and App Protection Policy) and relevant CA exclusions.
User Experience
On accessing corporate data, user will be asked to install the MS Authenticator app, if not already installed.
After the user installs the app, and has provided the credentials, they will be asked to register their device.
As successful registration can be verified under device registration on the MS Authenticator app which should display organization's domain.
Once the above registration is done, the user will be asked to enrol their device if they wish to continue accessing corporate data.
On clicking Continue, enrolment process will start automatically. portal.manage.microsoft.com/conditionalaccess/enrollment url will open in Safari requiring for the Intune management profile to be downloaded.
The user will need to allow installation of the management profile by going into settings and initiating the process manually.
At this stage, the MS Authenticator app will also show as registered against SSO extension in the management profile.
Once the management profile is installed, Intune device and APP policies will start to apply. At this stage all required applications, including Defender application and Company Portal Web clip will also install.
Once MDE app is installed, user will need to open the app and finish the post installation configuration.
At this stage, the device compliance should get updated, but it can take a 1-2 minutes for this to reflect. To speed up the process, the user can open the Company Portal web app from the home screen which will open https://portal.manage.microsoft.com/ in Safari.
Device should be onboarded onto Defender and report compliant in Intune as well.
Final thoughts
It is not mandatory to use JIT registration with web-based enrollment but highly recommended. Also, due to Apple restrictions, device users going through web based device enrollment must download the management profile in Safari. I am truly intrigued with what JIT and SSO can help accomplish on Apple devices. The application of these features can endless.
Very informative blog! Hospital Management Information Systems
ReplyDelete