With Intune support for Multi-token DEP, admins are given the option of authenticating with Company Portal when enrolling devices with user affinity as we’ve shared previously in our blog post. After a recent Intune release, admins have the ability to lock Company Portal in Single App mode so users have to sign in to the Company Portal before getting access to a device. In this post, we’re sharing some tips and troubleshooting about the experience that you may find useful.
Consider a case where you have enrollment settings configured as shown in the screenshot.
The Company Portal provisioned through Apple’s Volume Purchase Program (VPP) can fail to install if the VPP token expires, runs out of Company Portal licenses, is deleted, is assigned to another Intune tenant, or is assigned to another MDM vendor. This can also happen during a temporary outage in Apple services. In this situation, users on blocked devices can get stuck in the installation process for more than 10 minutes and see screens similar to what is shown below.
Note that in normal cases, end users will see this screen for about 45-60 seconds while the Company Portal is installing in the background and launches in Single App mode. This is an OS limitation and we have a request in with Apple to be able to customize this message.
Troubleshooting VPP token issues
Admins will need to figure out any issues with the VPP token to ensure that users do not get their devices in a blocked state. Any issues with the VPP token can be found by going to the Device enrollment blade in Intune and navigating to Apple enrollment > Enrollment program tokens > (token name) > Profiles > (profile name) > Manage > Properties. You should see a message with a reason for the block as in the sample screenshot below.
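The same failure conditions can be checked ahead of enrollment with a script. The following is an added example, not code from this post or from the Intune team: it assumes token and app records shaped like the Microsoft Graph vppToken and iosVppApp resources, uses constructed sample records, and the function name Test-VppTokenHealth and the 30-day warning window are hypothetical.

```powershell
# Added example. Property names follow the Microsoft Graph vppToken and iosVppApp
# resources; the records at the bottom are constructed, not real tenant data.
function Test-VppTokenHealth {
    param(
        [Parameter(Mandatory)] [object[]] $Tokens,
        [Parameter(Mandatory)] [object[]] $CompanyPortalApps,
        [int] $WarnDays = 30,                                  # assumed warning window
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    foreach ($t in $Tokens) {
        $issues = @()
        # Covers expired, invalid and "assigned to another MDM" tokens.
        if ($t.state -ne 'valid') { $issues += "token state is '$($t.state)'" }

        $expires  = ([datetime]$t.expirationDateTime).ToUniversalTime()
        $daysLeft = [math]::Floor(($expires - $Now).TotalDays)
        if ($daysLeft -lt 0) { $issues += "expired $(-$daysLeft) day(s) ago" }
        elseif ($daysLeft -le $WarnDays) { $issues += "expires in $daysLeft day(s)" }

        if ($t.lastSyncStatus -eq 'failed') { $issues += 'last sync with Apple failed' }

        # Simplification: match the Company Portal VPP app to its token by Apple ID.
        $app = $CompanyPortalApps |
            Where-Object { $_.vppTokenAppleId -eq $t.appleId } |
            Select-Object -First 1
        if (-not $app) {
            $issues += 'no Company Portal license on this token'
        } elseif ($app.usedLicenseCount -ge $app.totalLicenseCount) {
            $issues += "Company Portal licenses exhausted ($($app.usedLicenseCount)/$($app.totalLicenseCount))"
        }

        [pscustomobject]@{
            Token   = $t.organizationName
            Healthy = ($issues.Count -eq 0)
            Issues  = $issues -join '; '
        }
    }
}

# Constructed sample records (in a real tenant these would come from Graph).
$tokens = @(
    [pscustomobject]@{ organizationName = 'Contoso HQ'; appleId = 'vpp-hq@contoso.example'
        state = 'valid'; expirationDateTime = '2019-06-01T00:00:00Z'; lastSyncStatus = 'completed' }
    [pscustomobject]@{ organizationName = 'Contoso Retail'; appleId = 'vpp-retail@contoso.example'
        state = 'assignedToExternalMDM'; expirationDateTime = '2018-09-01T00:00:00Z'; lastSyncStatus = 'failed' }
)
$apps = @(
    [pscustomobject]@{ vppTokenAppleId = 'vpp-hq@contoso.example'; usedLicenseCount = 500; totalLicenseCount = 500 }
)
Test-VppTokenHealth -Tokens $tokens -CompanyPortalApps $apps -Now ([datetime]'2018-09-21').ToUniversalTime() |
    Format-Table -AutoSize -Wrap
```

With the sample data, both tokens are reported as unhealthy: the first because its Company Portal licenses are used up, the second because of its state, expiry, failed sync and missing license.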
Issuing a remote wipe
After any VPP token issues have been resolved, devices should be wiped, and the enrollment process will have to be started from the beginning. Users can wipe a device by going to portal.manage.microsoft.com or can ask an admin to issue a remote wipe. An admin can get a list of devices by going to Apple enrollment > Enrollment program tokens > (token name) > Devices and filtering for devices in the “Blocked” state.
Blocked devices can also be found at Enrollment program tokens > (token name) > Profiles > (profile name) > Monitor > Assigned devices.
You can reach out to us if you have any questions or feedback on the experience!
9/21/18: Updated to note that we have made a feature request to Apple.