Using Setup Assistant with modern authentication

This week is all about the support for a new authentication method when using Automated Device Enrollment (ADE). That new authentication method is Setup Assistant with modern authentication and is available for iOS/iPadOS devices running version 13.0 and later and for macOS devices running version 10.15 and later. Setup Assistant with modern authentication enables organizations to require authentication with Azure AD, including the ability to require MFA, and enables users to immediately use their device. This post provides an introduction to this new authentication method, followed with the steps to configure an enrollment profile with this new authentication method. This post ends with a quick look at the enrollment experience when using Setup Assistant with modern authentication.

Note: At the moment of writing Setup Assistant with modern authentication is still in public preview.

Introduction to Setup Assistant with modern authentication

Setup Assistant shapes the out-of-the-box experience of Apple devices. At first start, Setup Assistant will walk the user through the steps of activating, configuring and personalizing their Apple device. When using Apple Business Manager (ABM) – and specifically ADE – in combination with Microsoft Intune, the experience of Setup Assistant can be adjusted. The IT administrator can choose which configuration options and personalization options are shown to the user and can make sure that the device will enroll in Microsoft Intune.

The main challenge, with the legacy options for authentication in Setup Assistant, was that every interaction would break the sign-in of the user. That would happen when requiring MFA, or when prompting the user to change or update their password. As an alternative Microsoft provided the option to authenticate with the Company Portal app and lock the device in the app until that authentication was performed. That was also not always the best experience, as it could take a while for the Company Portal app to be available and the device to be usable.

Setup Assistant with modern authentication should address all those issues. The user will be able to authenticate during the Setup Assistant – including when interaction is required – and the device will be ready for use immediately. The small catch, however, is that the user should also still sign-in to the Company Portal app once it’s installed. Without that sign-in the device will enroll in to Microsoft Intune, but won’t report a compliance state yet. That means that in combination with Conditional Access (CA), the user won’t be able to access company data and resources. The sign-in to the Company Portal app is required to finish the registration and to set the user affinity. After that, the device will show in the list of devices of that specific user.

Configuration of the enrollment profile for the Setup Assistant with modern authentication

Setup Assistant with modern authentication can be configured by using an enrollment profile. An enrollment profile can be assigned to devices that are synchronized via ABM to Microsoft Intune. That means that the ADE configuration should be in place. Once that configuration is in place, the following six steps walk through the process of creating the required enrollment profile for iOS/iPadOS devices.

Note: The process of creating the required enrollment profile for macOS device is very similar. That enrollment profile has fewer settings, but the important configurations are all around the user affinity and the authentication method. And that configuration is the same (see step 4 below).

  1. Open the Microsoft Endpoint Manager admin center portal and navigate Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens > {YourEnrollmentToken} > Profiles
  2. On the {YourEnrollmentToken} | Profiles page, click Create profile > iOS/iPadOS to open the Create profile wizard
  3. On the Basics page, provide the following information and click Next
  • Name: Provide a name for the profile to distinguish it from other similar profiles
  • Description: (Optional) Provide a description for the profile to further differentiate profiles
  • PlatformiOS/iPadOS is preconfigured based on the initial start of the wizard
  1. On the Management Settings page, as shown in Figure 1, provide at least the following information and click Next
  • User affinity: Select Enroll with User Affinity as value, as the configuration of the authentication method is only applicable in combination with user affinity
  • Authentication Method: Select Setup Assistant with modern authentication as value, to provide the required modern authentication with the Setup Assistant
  • Install Company Portal with VPP: Select Use Token: {YourToken} as value, to enable the installation of the Company Portal app without the need of a user to first connect a personal Apple Id
  • Supervised: Select Yes, to enable a larger set of configuration options
  • Locked enrollment: Select Yes as value, to make sure that the enrollment is locked on the device
  • Sync with computers: Choose between Allow AllDeny All and Allow Apple Configurator by certificate, to specify if the device is allowed to sync with computers
  • Apply device name template (supervised devices only): Choose between Yes and No, to specify if the device should follow a specific naming standard
  • Device Name Template: Specify a device name template when the requirement (and previous configuration) is to apply a device name template

Note: The variable {{SERIAL}} can be used as serial number in the device name and the variable {{DEVICETYPE}} can be used as the device type in the device name.

  1. On the Setup Assistant page, provide at least the following information and click Next
  • Department: Specify the department name that should be displayed in the Setup Assistant
  • Department Phone: Specify the department phone number that should be displayed in the Setup Assistant
  • Setup Assistant Screens: Specify the screens that should be displayed in the Setup Assistant
  1. On the Review + create page, verify the configuration and click Create

Once the enrollment profile is created, it can be assigned to devices that are synchronized via ABM. That assignment can be achieved by using one of the following methods.

  • Default profile – Navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens > {YourEnrollmentToken} > Profiles and use Set default profile to configure the default profile that is automatically assigned to all synchronized iOS/iPadOS devices for that specific enrollment token
  • Assign profile – Navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens > {YourEnrollmentToken} > Devices and use Assign profile to manually configure the profile that is assigned to the specifically selected iOS/iPadOS devices that are synchronized for that specific enrollment token

Enrollment experience for the Setup Assistant with modern authentication

Once the enrollment profile is configured and assigned, it’s time have a look at the new enrollment experience. Depending on the number of Setup Assistant screens – as configured in step 5 – the enrollment is simple and leaves little room for error. The most interesting point starts with the Remote Management screen, as when the user clicks next the modern authentication sign-in experience will be triggered. That will ask the user to sign-in and – depending on the MFA-configuration – prompt the user for MFA, as shown below in Figure 2. After that sign-in, the user must walk through any remaining Setup Assistant screens and eventually lands automatically and quickly on the home screen as shown in Figure 3. That also shows the early stages of the device set up, as the apps still need to be provisioned. When the installation of the Company Portal app is pushed by using Apple VPP – as configured in step 4 – the user will see the installation of that app when swiping to the left.

Once the user is up-and-running, the user isn’t done with the device enrollment. When the user would start by using the Outlook app, and a CA policy is in place that requires a managed device, the user will receive a friendly message that will direct the user to the Company Portal app. Also, when the user would start by opening the Company Portal app, the user will see that a sign-in is still required, as shown in Figure 5. The user should sign-in again and walk through finalizing the enrollment process as shown in Figure 6 and 7. After going through that process, the user will be fully up-and-running and have access to company data and resources.

More information

For more information about creating enrollment profiles in Microsoft Intune, refer to the documentation about Automatically enroll iOS/iPadOS devices by using Apple’s Automated Device Enrollment.

34 thoughts on “Using Setup Assistant with modern authentication”

  1. Hello,
    After the figure 4, what happen if there is no CA policy requiring a managed device?
    I guess the user won’t be “forced” to launch company portal app and it will mean even if there is the “locked enrollement” settings set to yes, the device can be used without being trully enrolled. Is that right? Or i’m missing something?

    Thanks !

    Reply
  2. Hoi Peter!

    Awesome blog! I have a question about the ADE macOS enrollment. It works like a charm but the device is not Supervised. Do you know how to enable supervision for macOS?

    Best groetjes,

    Wander

    Reply
  3. Hi Peter, Great Blog btw!
    I’m currently using ABM and Apple Managed IDs (federated) to allow staff to receive a corporate owned iPhone and get an out-of-the-box setup experience by simply using their Azure AD credentials and 2FA. We are using Setup Assistant with Modern Authentication.
    I understand that I need to enable VPP apps in Intune, and have the assignment be “REQUIRED” for any apps I would like these managed IDs and corporate owned iPhones to have installed automatically. (Given that Managed IDs can’t install apps by themselves). This works fine and for this population, I can do this all day. The real question is this —
    Some users have BYOD iphones too. So if they install the Company portal on their personal iPhones, the affinity will be the Azure AD user. At which point, a bunch of “REQUIRED” apps will be pestering the user to be downloaded. (Remember, this is how the managed ID and corporate own devices are getting their apps pushed). Do you have any thoughts around how to better manage the BYOD crowd vs the corporate owned, managed ID crowd for dinstinct behaviors? (Please let me know if I should clarify anything further). Appreciate your thought in advance!

    Reply
  4. Awesome blog Peter!
    We use password less login when registering at Company Portal. We tried to use modern auth with iOS device enrollment in our test environment, however we are stuck with a screen asking for credentials as soon as Remote Management kicks in. Is there any way to use modern auth on InTune iOS enrollement without password / passwordless? (We are normally authenticating through a second device such as a laptop via SSO, but Remote Management does not present an option to login from another device when using modern auth).

    Reply
  5. Hi Peter,

    Your block helped me several times with understanding the quirks of Microsoft Endpoint Management.
    I have a question regarding the MFA authentication in figure 2. If we require MFA to enroll a freshly unpacked iOS device, would this mean that the user enrolling this device would require a second device to perform the MFA approval?
    Or is there a way to set up an MFA app on a Windows device for example?
    Thank you!

    Reply
    • You can authenthication on a Windows machine when unpacking the iOS device, but only if you use Company Portal, it does not work with Modern Auth unfortunately. (Within company portal, you can select “login from another device”, then you will be directed to open microsoft.com/devicelogin on your Windows machine)

      Reply
      • Thank you for sharing your experience Mike! Assuming there is a Windows devices available that could be a scenario. In the end the new user scenario is always challenging and requires some time to figure out what the best process would be for your organization.

        Regards, Peter

        Reply
  6. Hi Peter,

    Amazing article explaining the details of using Setup Assistant with modern authentication. One problem we have with our test iPhone is that when sign-in in to the Company Portal on the phone it displays an error message to “Contact Company Support. There isn’t a device setup for this account yet. Contact support to set up a device.

    Reply
  7. Peter, thank you for your fantastic blog!
    We just enrolled our first Mac in our Intune environment through Apple Business Manager. The enrollment process went very smooth, the machine was entered in ABE, synced to Intune, Setup assistant with modern authentication and MFA.
    The device received configurational profiles and apps. We deployed the Company Portal through a Shell script. The user (me) signed in and started the Company Portal to finish the enrollment process. Here is where we are stuck…
    When trying to install the Remote Management Profile, we get an error:
    ”Profile installation failed. Could not download the identity profile from the Encrypted Profile Service. The credentials within the Device Enrollment profile may have expired.”
    Have you or anyone else reading this blog seen this error?

    Many thanks!

    Reply
  8. Hi Peter, great blog.
    When you said ” Also, when the user would start by opening the Company Portal app, the user will see that a sign-in is still required, as shown in Figure 5. ” that really means the user needs to retype both upn and password right. There is no way to create an app config for the CP to populate that info?

    Reply
  9. Great post and works well. Do you have any good guides in terms of setting up Conditional Access with the Outlook app?

    thanks!

    Reply
  10. With this set up for iOS devices, any idea what to do if the Company Portal app never installs? Install company portal with vpp is set to yes. Recreated the deployment profile several times. Can’t seem to get this working.

    Reply

Leave a Reply to Jonathan Clark Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.