Intune Web based device enrolment with Just-in-time registration and Defender for Endpoint onboarding for iPadOS - Tips from the field!

-
I recently worked on a project that required setting up Intune and Defender for Endpoint enrolment policies for iPadOS. While some might say that this is a pretty routine task and in an absolute sense, it may very well be to some extent, I actually went another way.

Let me start by mentioning that the iPadOS devices in scope were existing devices and in some come cases BYO so resetting them was not an option. Therefore, a user based enrolment had to be the choice of enrolment. Now back in the days, one would normally enroll the iOS\iPadOS devices using Company Portal and while this is still supported, with the introduction of support of Single Sign On extensions (SSO) of Apple devices, I chose to configure Web based device enrolment together with Just-in-time (JIT) for iPadOS devices.

Web-based enrolment utilizes just in time (JIT) registration with the Apple single sign-on (SSO) extension to facilitate Microsoft Entra registration within the work apps thus reducing the number of authentication prompts. It doesn't require installation of the Company Portal app and the post-enrollment functionality remains the same as Company portal based enrolment.

Here is a quick comparison provided by Microsoft -

Source: Microsoft

Are there any pre-requisites? Well, there sure are -

- iOS\iPadOS 15.0 or later
- Microsoft Authenticator App 

Device Enrolment Type Profile

In order to enrol devices using Web based enrolment method, a deployment enrolment type profile has to be created. Here are the steps -

2. Go to Devices > Enrollment and select the Apple tab.
3. Under Enrollment Options, choose Enrollment types and select Create profile > iOS/iPadOS.
4. On the Basics page, enter a unique name and provide description as necessary and click Next.
5. On the Settings page, for Enrollment type, select Web based device enrollment as shown below.


6. Commit the settings by clicking on Next and assign the profile to all or a group of users.

Just-in-time or JIT Registration Profile

A single sign-on app extension policy to enable just-in-time (JIT) registration is required. Following are the steps -

2. Create an iOS/iPadOS device configuration policy under Device features > Category > Single sign-on app extension.
3. Provide the following values -

SSO app extension type, select Microsoft Entra ID

Key: device_registration
Type: String
Value: {{DEVICEREGISTRATION}}

Key: browser_sso_interaction_enabled
Type: Integer
Value: 1


4. Commit the settings by clicking on Next and assign the profile to all or a group of users.

Company Portal Web App

Note: There is a known issue with web-based enrollment and JIT registration that prevents the Company Portal app from recognizing enrolled devices. Therefore, it is highly recommended that the web app version of Intune Company Portal is deployed to the enrolling user devices so that users can have quick access to device status, device actions, and compliance information.

To add the web app, steps are as follows -

2. Select Apps > All apps > Add.
3. In the Select app type pane, under the Other types, select iOS/iPadOS web clip.
4. Populate the details as shown below. Make a note of the App URL. It should reflect https://portal.manage.microsoft.com/




5. Assign to all or a group of users.

Conditional Access (Optional)

Note: If you aren't utilizing conditional access, you can share the link (portal.manage.microsoft.com/conditionalaccess/enrollment) with the enrolling users to initiate the enrolment process manually. However, implementing Conditional Access policies is highly recommended to align with Zero trust security framework and also automate the process of device enrolment. 

Also, for implementing controls to check for device compliance, a device compliance policy will be need to be setup and assigned to the enrolling users or the devices. If you wish to know more about this, then you can head over to the blog posts below where I have covered all the details related to MDE setup for iOS in general (including Application configuration and App Protection Policy) and relevant CA exclusions.


User Experience

On accessing corporate data, user will be asked to install the MS Authenticator app, if not already installed.


After the user installs the app, and has provided the credentials, they will be asked to register their device.


As successful registration can be verified under device registration on the MS Authenticator app which should display organization's domain.


Once the above registration is done, the user will be asked to enrol their device if they wish to continue accessing corporate data.


On clicking Continue, enrolment process will start automatically. portal.manage.microsoft.com/conditionalaccess/enrollment url will open in Safari requiring for the Intune management profile to be downloaded.



The user will need to allow installation of the management profile by going into settings and initiating the process manually.



At this stage, the MS Authenticator app will also show as registered against SSO extension in the management profile.



Once the management profile is installed, Intune device and APP policies will start to apply. At this stage all required applications, including Defender application and Company Portal Web clip will also install.


Once MDE app is installed, user will need to open the app and finish the post installation configuration.



At this stage, the device compliance should get updated, but it can take a 1-2 minutes for this to reflect. To speed up the process, the user can open the Company Portal web app from the home screen which will open https://portal.manage.microsoft.com/ in Safari.




Device should be onboarded onto Defender and report compliant in Intune as well.


Final thoughts

It is not mandatory to use JIT registration with web-based enrollment but highly recommended. Also, due to Apple restrictions, device users going through web based device enrollment must download the management profile in Safari. I am truly intrigued with what JIT and SSO can help accomplish on Apple devices. The application of these features can endless.

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Configure CloudAPAuthEnabled to support Conditional Access in Google Chrome natively

-
Image
Starting with version 111 of Google Chrome, organizations can leverage conditional access policies natively using  CloudAPAuthEnabled . Before this release, Conditional access policies were only supported on Google Chrome by using additional extensions like Windows Accounts and Office Online . If you want to know more about the use of these extensions, then you can read all about it over here . Let's see the new policy involving  CloudAPAuthEnabled in a little detail and how can organization configure it using enterprise device management solutions. CloudAPAuthEnabled   is a setting that can be configured using the policy  Configures automatic user sign-in for accounts backed by a Microsoft® cloud identity provider .  By setting this policy to 1 (Enabled), users who sign into their computer with an account backed by a Microsoft cloud identity provider or who have added a work or school account to Microsoft Windows, can be signed into web properties using that identity automatical
Read more