Troubleshooting DEP Deployments in Intune

In this blog I outline common issues organisations can experience, depending on their DEP configuration, and how to resolve them. Have you found an issue which isn’t listed? Add it in the comment section and we will aim to get it added.

Authentication with Company Portal Instead of Apple Setup Assistant


Issue: Devices are enrolling into Intune as Personal devices and your users are experiencing an altered/unexpected enrolment setup.

Explanation:
The Company Portal application (VPP or store application) should never be deployed from the admin console. The Intune service will automatically distribute the application (as long as you have it listed as an app in your tenant) along with an Application Configuration policy for the iOS Company Portal. Creating a deployment from the admin console will deploy the application to the device without the necessary app configuration keys, resulting in an undesired enrolment experience.

Resolution:
Navigate to Microsoft Intune > Client Apps and ensure there are no versions of the Company Portal currently deployed. If there are, remove the deployment.


Issue: [When using VPP] The Company Portal is never downloaded to the device for the users to complete the user affinity step

Explanation:
If the device that is showing the above symptoms has already been enrolled in the service and has worked previously, it may be that during the previous unenrolment procedure the VPP device-based licences were not successfully revoked or you have run out of VPP licences for the Company Portal.

Resolution 1:
Navigate to Client Apps (Microsoft Intune > Client Apps) and locate the VPP version of the Company Portal application. Once selected, ensure you have available licences.

Resolution 2:
Locate the device in the Intune Console (Microsoft Intune > Devices – All devices), click “More”, then select “Revoke licences”. If this does not resolve the issue, move on to Resolution 3.

Resolution 3:
Navigate to VPP tokens in the Intune Console (Microsoft Intune > Client Apps > VPP Tokens), select the context menu “…”, and choose “Sync”.

Resolution 4:
If none of the above steps work, please log a ticket with Microsoft Support.
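
The two Company Portal checks above (no admin-created deployment, and free VPP licences) can also be read from Microsoft Graph. This is an added example, not part of the original post; it assumes the Microsoft.Graph.Authentication PowerShell module, the DeviceManagementApps.Read.All permission, and that the iOS Company Portal's bundle ID is com.microsoft.CompanyPortal.

```powershell
# Added example (not from the original post).
# Requires the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All'

# Assumption: bundle ID of the iOS Company Portal.
$bundleId = 'com.microsoft.CompanyPortal'

# Single quotes keep $expand literal instead of expanding a PowerShell variable.
$uri = 'https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps?$expand=assignments'

# Follow @odata.nextLink so apps beyond the first page are not missed.
$apps = @()
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $apps += $page['value']
    $uri   = $page['@odata.nextLink']
}

$apps | Where-Object { $_['bundleId'] -eq $bundleId } | ForEach-Object {
    $isVpp    = $_['@odata.type'] -eq '#microsoft.graph.iosVppApp'
    # An empty or missing assignments list counts as zero.
    $assigned = if ($_['assignments']) { @($_['assignments']).Count } else { 0 }
    # Licence counts only exist on VPP apps.
    $free     = if ($isVpp) { $_['totalLicenseCount'] - $_['usedLicenseCount'] } else { $null }

    [pscustomobject]@{
        DisplayName        = $_['displayName']
        Type               = $_['@odata.type']
        AdminAssignments   = $assigned
        FreeVppLicences    = $free
        # Flag the two conditions the post describes.
        HasAdminDeployment = $assigned -gt 0
        OutOfVppLicences   = $isVpp -and ($free -le 0)
    }
}
```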


Issue: The Company Portal is never downloaded to the device for the users to complete the user affinity step after restoring an iCloud backup.

Explanation:
When you restore a backup that you made from the same device, it applies the supervision and management settings from the backup. So if the device was unsupervised/not in DEP at the time of backup, the restore would revert the device to being unsupervised and not managed by Intune.

Resolution:
Rather than performing a restore at DEP enrolment, wait for the device to be fully enrolled and then perform a selective restore (Settings > AppleID > iCloud), selecting the data you wish to be restored.



Run Company Portal in Single App Mode until Authentication


Issue: Once the device has finished initial provisioning, the user may receive an error message that states “Guided Access app unavailable please contact your administrator”.

Explanation:
This means that the autonomous single app mode policy has applied on the device but the Company Portal application the policy applies to is currently not installed. It is normal to see this error message for the first few minutes whilst the Company Portal is installing. However, if the issue persists and the Company Portal does not install on the device, please follow the sections above beginning with “The Company Portal is never downloaded to the device for the users to complete the user affinity step”.


Authentication with Apple Setup Assistant instead of Company Portal

Issue: Users that have MFA enabled are unable to enrol their device in DEP.

Explanation:
MFA is not supported when enrolling using Setup Assistant.

Resolution:
Change your DEP deployment to authenticate with Company Portal instead of Apple Setup Assistant (Microsoft Intune > Device Enrollment > Apple Enrollment > Enrollment Programme Tokens > Profiles > [DEP Profile] > Properties)

Note: [DEP Profile] will be the name of your DEP profile that you are using to enrol your devices.



Issue: When a user of a DEP-enabled device attempts to access a cloud app and Conditional Access is enabled, the user receives a message that “Your sign in was successful, but your admin requires your device to be managed by [Company Name] to access this resource. Enrol now.”

Explanation:
Conditional Access is not supported when enrolling using Setup Assistant.

Resolution 1:
Change your DEP deployment to authenticate with Company Portal instead of Apple Setup Assistant (Microsoft Intune > Device Enrollment > Apple Enrollment > Enrollment Programme Tokens > Profiles > [DEP Profile] > Properties)

Note: [DEP Profile] will be the name of your DEP profile that you are using to enrol your devices.



Non DEP Setting specific troubleshooting


Issue: A DEP device is not appearing in the Intune console under DEP devices.

Explanation:
The DEP device has not been set up to sync with the Intune MDM server.

Resolution 1:
Ensure that the device is assigned to an MDM server in Apple Business Manager or the Apple DEP portal. For more information on this procedure, please see the documentation for the portal you are deploying from.

Apple DEP > https://help.apple.com/deployment/business/

Apple Business Manager > https://help.apple.com/businessmanager/



Issue: The device completes setup without entering the DEP workflow.

Explanation:
The device in question may not have been set up to sync with an MDM server, or it may not be assigned an enrolment profile in Intune.

Resolution 1:
Ensure that the device is assigned to an MDM server in Apple Business Manager or the Apple DEP portal. For more information on this procedure, please see the documentation for the portal you are deploying from.

Apple DEP > https://help.apple.com/deployment/business/

Apple Business Manager > https://help.apple.com/businessmanager/

Resolution 2:
Ensure that the device is assigned to an MDM profile in Intune (Microsoft Intune > Device Enrollment > Apple Enrollment > Enrollment Programme Tokens > Devices). Select the device in question and click “Assign profile”, selecting the profile you wish the device to enrol with.


Thanks for reading. Please feel free to reach out to me on Twitter or LinkedIn for clarification on any of the above.





Stewart McLaughlan


Enterprise Mobility + Security SME
