So, the day was finally there: my next visit to my customer with the DEP-enrolled iPads that had been causing a lot of fuss, time loss and frustration. This time we had gathered our forces: me and one of my Apple technicians, the customer, Microsoft Premier Intune support, and we also had a “real” technician from Apple available. The goal actually wasn’t to solve anything, but to gather enough information to submit a bug ticket to Microsoft. But the day had only started.
First of all, a quick recap (for the full background story, please review my other posts, Part 1 and Part 2). This customer had, due to licensing challenges in Sweden, set up a second Intune environment (cloud-only). They already had one hybrid installation but saw the cloud-only environment as a better way to handle 400 newly bought iPads (today there are a lot more than that). They connected this environment to Apple’s DEP service to manage the enrollment, and we started creating policies and managing applications. At first everything seemed to work as it should, but the more iPads we enrolled, the more issues we got. After following several pieces of advice from Microsoft (most of them undocumented at the time) we came down to basically three different issues, all of them related:
- When we enrolled the iPads using DEP (with or without user affinity – more on that later on) and assigned them to different groups in Intune, in about 2/3 of the cases the iPads ended up in either the wrong group, the default group or “Ungrouped devices”.
- Many of the assigned policies were not getting applied, or we saw a huge difference between what was getting applied and what was not.
- Because of issue 2 we had a very hard time getting our apps deployed – and also – we were not able to use apps that required MAM policies, due to the difference between DEP enrollment and enrollment using the Company Portal. So, for example, Office was proving almost impossible to get down to the iPads.
So, we decided to start with the policy assignment and deployment. Some interesting facts, from Microsoft – and from experience of the case – that you may need to think about when using DEP and Intune:
- Always use user affinity. It’s a lot easier, although you may need to worry about the management of Apple IDs in some cases (fewer of them since iOS 9), and “everything” works as expected. You also get “real” names on the iPads – instead of just getting a few thousand devices named “iPad”.
- Some configuration policies do not apply to DEP-enrolled devices. I’m still awaiting the final report from MS, but apparently some aren’t valid. MAM policies are not officially supported either (but this may have changed or be changing soon).
- The enrollment process with DEP, or iOS in general, works a bit differently from Windows and Android. The iOS devices will try to “mend” a failed enrollment, and that could lead to some issues. This is still being investigated and I’ll come back with more info.
So, first we verified that everything – still – was in good order and had been done according to best practice. We sent some more Xcode logs to MS, and when they had examined them we got the following link from MS – which pretty much solved almost everything:
We had tried to use the Company Portal before, and in a way this worked. But the device was in fact no longer DEP-enrolled at that stage; we basically re-enrolled the device using the Company Portal, which was not ideal and demanded a lot of work. But now it’s supported to register the device in the portal without the need to re-enroll it, and voilà! Everything started to work as expected. The policies got assigned almost instantly, and if not, we could force them to sync. This made the apps install, etc.
So, why did this work and why did we not try this before?
Previously, when you enrolled an iOS device using DEP, the enrollment process was different from the Company Portal’s. In short, a workplace join didn’t occur. This created a lot of problems; some have been fixed and some fixes are rolling out to Intune and will keep rolling out during the spring. The workplace join is an important step in the enrollment process, and essential for several of Intune’s functions. As I said, previously it wasn’t supported to use the Company Portal – and if you tried, you actually did a new enrollment and workplace join.
On the 28th of December last year, Microsoft released the above article about supporting the portal for DEP-enrolled “company owned” devices. This basically workplace-joins the device (as far as I know) without re-enrolling it. Therefore, you get all the nice stuff from the Company Portal enrollment without losing the functions and benefits of DEP.
In short, everything now works. The customer is rebuilding some of the policies and is working more with AD groups for their users than we originally wished, but we also have more functionality now than we were expecting. In short, they are very happy and pleased with Intune.
The only thing that we still need to solve is the enrollment issue with devices ending up in the wrong group. But because we now apply EVERYTHING to the users, this isn’t a problem at the moment. For future use, however, we need a fix for this, and I also believe there will be cases where we don’t have the option of using user affinity. I’ll continue to work on this and report back as soon as I know more.
And a few last words:
This became a much longer post than expected. But we have been working on this for months, and finally we are “done”. To be honest, most (if not all) issues were related to bugs, issues and lack of functionality that were, in most cases, undocumented or unknown. And they all got solved by Microsoft making it possible to combine the great functionality of DEP with workplace join and the Company Portal. I want to thank Dom and Don at MS support, Daniel from Apple, my Apple techs and of course the customer. Everything basically works better if you work together. To sum things up, remember this when working with DEP:
- Use user affinity
- Use the Company Portal
- Keep a flat group structure
- Deploy policies and apps to users if possible
- Use Activation Lock
And one last thing: the error code 0x87d103e8 when deploying an app usually means that you entered an Apple ID during the wizard. If you use one, wait for the apps to get deployed before entering it. For some reason, things get messed up when the Apple ID is already entered when the apps get deployed.
If you have any questions, please let me know.