Support for Multi-token DEP and Authentication with Company Portal


We’ve introduced a new experience to make it easier for you to manage iOS device enrollment through Apple’s Device Enrollment Program (DEP), Apple School Manager (ASM), or Apple Configurator. With Intune support for multi-token DEP, we aim to address scenarios where you would have multiple tokens, for example, when you are purchasing devices from several DEP resellers, have multiple DEP accounts or are migrating devices from other MDM vendors.

This new release will provide a richer experience while basic functionality remains the same. You will be able to assign enrollment profiles, push configurations and enroll devices as before, while being able to manage devices in groups separated by tokens.

As part of this new experience, to support modern authentication such as multi-factor authentication (MFA), admins will be given the option to authenticate with Company Portal instead of Apple Setup Assistant when enrolling devices with user affinity. With this option, end users will be asked to enter their credentials in the Company Portal app, which will be installed automatically.

More information about enrolling iOS devices with Apple’s enrollment programs can be found at Enroll iOS devices in Intune. Click on the relevant link on that page to see screenshots of the current and new user interface (UI).

Experience for new customers

Any new trial or paid tenants created on or after February 7 will automatically see the new workflow and UI in their console immediately or after they log out and log in again. For these tenants, when they select ‘Enroll with User Affinity’, the default setting will be to Authenticate with Company Portal, which they can change if needed.

Experience for existing customers

For existing customers, we’ll need to enable this feature in the backend to make sure there is no impact to your end users. We’ll notify you through Message Center when your tenant is enabled for this feature. Again, there will be no end user impact to currently enrolled devices. After migration, you will see the modified workflow in the console, along with the option to authenticate with Company Portal. If you want to use authentication with Company Portal, you should edit your existing profiles or create a new profile with the feature enabled, and assign the profiles to devices.

Note that existing customers who want to try out the new feature by creating a new tenant will not be able to use an existing token. Using an existing token will cause the token upload to fail. In such cases, we recommend that you create a new MDM server on Apple, generate a new PEM file with a new account, upload the PEM file to the MDM server, and get a new token. You can then upload this token to the new account.

Planned Schedule

We’ll update this section with our schedule to move existing customers to the new experience, so you’ll know when you can expect to see this in the console.

Let us know if you have any questions!

Comments (2)

  1. When is the modern authentication going to be getting enabled here for DEP Enrollment?

    1. MFA should be enabled already for new tenants. If you are an existing customer, it could take up to April to have this feature enabled. You will hear from us through a Message Center post when your tenant is enabled for this experience.
