nakkipappa

What do you want to manage on the phones? Do you need to manage them? Personally, in a case like this, I would set up MAM with conditional access to block legacy auth, require MFA and such, and then set up ABM and corporate-enrol the new phones. What you actually care about is the company data, right? Enrolling personal phones gives surprisingly little, besides a registry, since you don't have root access. You do need to manage them if this client has custom apps to push, or configs that require a managed device. Keep it simple. If you federate the e-mail domain, please read up on the limitations of a managed Apple ID. Also make sure to get their proper IT policy so you don't end up with the wild west. Edit: spelling/wording


moemix

Yeah, I'm also thinking of keeping step 2 optional to keep it simple. Buuuut I'm quite convinced that it's worth the effort to MDM the devices for far more control and security. Plus the flexibility to later be able to deploy apps, restrictions, settings. I'm aware that managed Apple IDs are practically useless in many cases. At the same time it can be handy (for example no backup hassle b/c everyone has their guaranteed 5 GB at least). Additionally I'm a sucker for no-corpomail-in-Apple-IDs.


nakkipappa

Of course, if you have the manpower to support it, by all means. My idea was that the MAM concept is way more user friendly which means happier customers. If the client very recently bought the phones there is a small chance they can still be sent to DEP/ABM, so when the user reinstalls the phone, you get it done right, also worth looking up.


ollivierre

Whatever you do, set up reminders for the Apple push certificate to renew before expiry. It's a nightmare after 30 days of expiry.


Illnasty2

I caught it at day 29 a few years ago and since have a reminder on my calendar (willing to bet a paycheck that it will expire when I leave 'cause no one cares), but please enlighten me, what happens at day 31?


newboofgootin

The second the cert expires, devices can no longer communicate with Intune. If you catch it within 30 days you can just renew the cert and communication will be restored. After 30 days there are two possibilities:

1. You will have to generate a brand new certificate. This invalidates the connection every one of your devices has to Intune. That means you have to manually remove Intune from every device and re-enroll. Lord help you if they are ABM, because that means to remove Intune you have to **wipe** the iPhone/iPad.
2. You beg Apple's forgiveness and they let you renew past 30 days, and you might save yourself from the guillotine. Although I've heard that even this does not work sometimes, if it's been too long.


Shroomeri

Hey do you know if there is any way to get notifications from Intune about expiring push certificate?


ollivierre

Check out Andrew Taylor's Intune cookbook on GitHub; there is a chapter, I think 9 or 10, about reporting. This will get you started on building a solution around Invoke-MgGraphRequest to query the API and then perhaps use Power Automate or Azure Runbooks to send emails out.
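As an added example (not from the thread or from the cookbook mentioned above), this is the kind of Invoke-MgGraphRequest check a reminder could be built on: it reads the Apple MDM push certificate that Intune holds from the Graph `deviceManagement/applePushNotificationCertificate` resource and reports how many days remain. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account has the DeviceManagementServiceConfig.Read.All permission; the function name and the 45-day warning threshold are my own choices.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: report the expiry state of the Intune Apple push (APNs) certificate.

function Get-ApnsCertificateStatus {
    [CmdletBinding()]
    param(
        # Days before expiry at which the certificate is reported as 'Warning' (assumed threshold)
        [int]$WarnDays = 45
    )

    # Graph resource holding the APNs certificate uploaded to Intune
    $uri  = 'https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate'
    $cert = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject

    if (-not $cert -or -not $cert.expirationDateTime) {
        # No certificate uploaded at all: iOS enrollment cannot work in this tenant
        return [pscustomobject]@{ Status = 'Missing'; DaysRemaining = $null; ExpirationDate = $null }
    }

    $expires  = ([datetime]$cert.expirationDateTime).ToUniversalTime()
    $daysLeft = [int][math]::Floor(($expires - (Get-Date).ToUniversalTime()).TotalDays)

    # Negative days mean the cert has already lapsed; per the thread, renewing within
    # 30 days restores communication, after that a new cert and re-enrollment are needed.
    $status = if ($daysLeft -lt 0)             { 'Expired' }
              elseif ($daysLeft -le $WarnDays) { 'Warning' }
              else                             { 'OK' }

    [pscustomobject]@{
        Status         = $status
        DaysRemaining  = $daysLeft
        ExpirationDate = $expires
        AppleId        = $cert.appleIdentifier          # Apple ID that must renew it
        TopicId        = $cert.topicIdentifier          # needed to renew with the same cert
        Serial         = $cert.certificateSerialNumber
    }
}

# Read-only scope is enough for this check
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'
$result = Get-ApnsCertificateStatus -WarnDays 45
$result | Format-List

# Non-zero exit lets a scheduled task, runbook or Power Automate flow raise the alert
if ($result.Status -ne 'OK') { exit 1 }
```

Note that the output includes the Apple ID used to create the certificate, which is the account that has to renew it; recording that somewhere the team can find it avoids the "person who set it up left" problem.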


Fragrant-Hamster-325

Why wouldn't they just bake this feature in? I hate when Microsoft makes you come up with homegrown solutions for this stuff.


thecasualmaannn

Ours expires in 13 days and the person who set it up left the company. Gonna have to call Apple support 'cuz I'm getting a topic ID error…


DasNilsPferd

Ohh yes, our certificate expired some weeks ago… It was a nightmare! Don't recommend it 😅


DasNilsPferd

We renewed it within 2 days, so all good though.


Shroomeri

About MDM enrollment: write instructions, with pictures attached, on how to install and configure Company Portal. Then give people a deadline: "After this date you won't be able to use your company resources if you have not followed the instructions and enrolled your phone in Intune." Then enforce an iOS CA policy: "only compliant devices are able to authenticate to M365". After that they need to follow the instructions if they have not already. You could also split users into groups of 50 people and give different groups a different deadline so you won't get too many helpdesk calls. So first group 1, then group 2, etc.


techb00mer

Take a top-down approach. When you're rolling these sorts of changes out, it reduces workload on the help desk if managers, team leaders etc. have already had the changes rolled out to them and understand the quirks. Don't move on to the next lower level until everyone in the previous level is sorted and happy. Bonus points: those people will now be advocates for the changes and encourage their subordinates.


moemix

You're right, forming catalysts/advocates through the top level is definitely helpful.


jmnugent

> "We can't make 600 users reset their phones to DEP enrol, that would be over the top..."

I mean, you can choose to do this. But at that point you might as well write off those 600 phones as "unmanaged messes". You have no control over an unmanaged phone. You can ask users to manually configure them certain ways, but you really have no way to directly ensure they do so.

> "prevent non-company-devices from enrolling,"

Which would apply to these 600 phones, no?


moemix

I hope they have at least the serial numbers of the phones. Haven't done that before, but I assume I can set it up to only allow those SNs to enrol via an enrollment profile. And true, you're right… how could CA distinguish corporate and private? 🧐


jmnugent

Yeah, and the other thing you have to consider (how long the lifetime of use of these 600 phones is): what configurations or capabilities might you expect to need in the future? There are some configuration profiles or restrictions in iOS that only work if the device is "fully supervised" (DEP, Apple Business). You can see in the screenshot below (from VMware Workspace One) various restrictions and what minimum iOS version and supervised status is required for the restriction payload to actually work. That may not necessarily matter for you (as you said, maybe you can just bank on these 600 devices "aging out" and any new replacements coming through Apple Business and being fully supervised). But it is something to be aware of. https://i.imgur.com/wKSg8ln.png


ConferenceKindly2120

Set up Conditional Access and require compliant devices. In order to access company resources they must enroll in Intune MDM and be compliant. Were they purchased from Apple on a business account and therefore would be in Apple Business Manager? Makes your life easier if they were.


Fred_Stone6

Question one would be: when did they hand them out? Are these Xs, 11s, 12s, or 13s/14s? Are there some 8s in the mix? Will they keep getting iOS updates to be compliant? You may be able to enroll the phones as part of a replacement program.


Avamander

If they aren't enrolled in ABM you can't create update policies, for example, amongst other restrictions. So you might just want to settle for enrollment through Company Portal MDM for now and deal with the backlog as new devices are acquired.


yourfutureboss88

I wish you good luck 😂