Intune enrollment for iOS supervised mode with Apple Configurator

Hello all,

Back again with another blog post.  This time, we'll be diving into Intune enrollment of iOS devices in supervised mode via Apple Configurator.  Admittedly, this is something I'd heard about sparingly, but never really tinkered with until a customer of mine came to me with a requirement that they needed to be able to disable iMessage on specific iOS devices in their Intune tenant.  I was aware of supervised mode and knew it was attainable with enrollment in Apple's DEP program.  However, I wasn't aware that supervised mode is also attainable by leveraging Apple Configurator and Setup Assistant.  So what is iOS supervised mode?  iOS supervised mode is an enrollment state of an iOS device that gives an administrator more control over the device than in traditional BYOD scenarios.  The settings that are opened up to an administrator in supervised mode are listed in the first link below, one of which is iMessage control.  So, our focus for today is step-by-step instructions on how I did a proof of concept in my Intune tenant before assisting my customer with the implementation.  I do have screenshots for the steps below, but for now I will not include them, to avoid making the blog so long I'd need to break it up into parts.  However, if enough people comment that they would like screens, I will include them.

So where do we begin?  Like any good Microsoft employee, when my customer asked if this were possible, I reviewed our documentation on the topic.

iOS Device Restrictions
Enroll iOS devices with Apple Configurator

And per usual, I had more questions after reviewing the docs.  Hence the purpose of this blog: to lay it all out and make it easier on you if you decide to implement a similar scenario.  First things first, we have some prerequisites.  Ensure you meet the prerequisites before proceeding any further.

Pre-Reqs for Apple Configurator Enrollment

Step 1: Create the Apple Configurator Profile in Intune tenant

  1. Open a web browser and go to https://portal.azure.com
  2. In the left pane, select More Services and type in Intune.   Click Intune to open the Microsoft Intune management blade
  3. Within the Intune blade, select Device enrollment
  4. On the Device enrollment blade, select Apple enrollment
  5. In the Manage Apple Configurator Enrollment Settings section, select AC Profiles
  6. On the Apple Configurator Enrollment Profiles blade, click Create to create a profile
  7. On the Create Enrollment Profile blade, type in a name for the profile in the Name field.  In the User Affinity dropdown, ensure Enroll with user affinity is selected and click Create
  8. Close all the blades to get back to the Intune management blade

Step 2: Create an Intune group to populate devices

  1. In the Intune management blade, in the left pane, click on Groups
  2. In the Groups blade, in the middle pane, click New group
  3. On the Group blade, set the Group Type drop-down to Security.   Type in a name for the group in the Group name field.  For example, iOS Supervised Devices.  Set the Membership type drop-down to Dynamic Device
  4. Click the Add dynamic query box
  5. On the Dynamic membership rules blade, set the first dropdown to enrollmentProfile.  Change the second dropdown to Equals.   In the third field, type in the name of the enrollment profile you created in step 7 of the previous section and click Add query
  6. Back on the Group blade, click Create to create the group

Step 3: Upload a CSV that contains the serial numbers and details of devices to be enrolled with Apple Configurator and assign the AC profile to the devices

  1. Open Excel and create a two-column CSV file that contains the serial number of the device in the first column and details in the second column.  For example, in the first column, type in 123456789.   In the second column type in Matt's iPad.
  2. Save the file as a CSV file
  3. Within the Intune blade, select Device enrollment
  4. On the Device enrollment blade, select Apple enrollment
  5. In the Manage Apple Configurator Enrollment Settings section, select Apple Configurator Devices
  6. On the Apple Configurator Devices blade, click Add
  7. On the Add Devices blade, in the Select Profile drop-down, select the AC profile
  8. Within the Specify the path to the list you want to import, click the blue folder icon and browse to the CSV you created earlier and click Open
  9. Click Add to import the device list
  10. Close the Add Devices blade.  Back on the Apple Configurator Devices blade, you should see the devices from the device list you imported
  11. Click on each device and click Assign Profile
  12. On the Assign Profile blade, select the AC profile from the drop-down and click Assign
  13. Repeat steps 11-12 until all devices are assigned the AC profile
  14. Close all the blades to return to the Intune management blade

Step 4: Export the AC Profile to obtain MDM URL for Intune tenant for Apple Configurator

  1. Within the Intune management blade, select Device enrollment
  2. On the Device enrollment blade, select Apple enrollment
  3. In the Manage Apple Configurator Enrollment Settings section, select AC Profiles
  4. Select the AC profile you created earlier in Step 1
  5. In the AC profile blade, click Export Profile
  6. In the Export Profile blade, copy the value in the Profile URL field to notepad and save as you will need it later
  7. Close all blades to return to the Intune management blade

Step 5: Create Apple Configurator Profile to manage settings

  1. On a supported Mac device, preferably running High Sierra, download and install Apple Configurator 2 from the app store
  2. Open Apple Configurator 2
  3. In the top left corner is the Apple Configurator menu.  Click File and select New Profile.  NOTE: A window called All Devices may be in the forefront; move this window to the side for now
  4. This action will open the New Profile window.  In this window are several options to configure.  Review each tab of settings in the left pane as you like.  For the sake of this blog, we'll only configure the required General settings and the iMessage setting under Restrictions.  On the General tab, type in a name for the profile in the Name field.  There are other optional fields; fill them out as desired
  5. In the left pane, select the Restrictions tab.  In the middle pane, click the Configure button.  Find the Allow iMessage setting and uncheck the box
  6. In the Apple Configurator menu, click File and select Save.   Save the profile to the desktop of the Mac.  Copy the file from the Mac to whichever device you are using to work in the Intune management blade
  7. Leave Apple Configurator open as we will return here shortly to prepare devices

Step 6: Create and Assign iOS device restriction custom policy in Intune management blade

  1. Take the file you saved in the last step and rename its extension to .XML
  2. Going back to Intune, within the Intune blade, select Device configuration
  3. On the Device configuration blade, select Profiles
  4. On the Profiles blade, select Create Profile
  5. On the Create Profile blade, type in a name for the profile in the Name field.  For example, iOS Disable iMessage.  In the Platform drop-down, select iOS.   In the Profile type drop-down, select Custom
  6. The Custom Configuration Profile blade will open.  Type in a name for the custom configuration in the Custom configuration profile name field
  7. In the Configuration profile file field, click the blue folder icon and browse to where you copied the Apple Configurator profile in the previous step.  Select the file and click Open.   The File contents field will populate with the data from the file you selected.
  8. Click OK to return to the Create profile blade
  9. On the Create profile blade, click Create
  10. On the Profiles blade, click the profile you just created.  The profile settings blade will appear.  On this blade, select Assignments
  11. On the Assignments blade, in the Assign to dropdown, select Selected Groups.  Below that, click on Select groups to include
  12. On the Select groups to include blade, in the Select field, type in the name of the group created in Step 2 earlier.  Click on the group and click the Select button at the bottom of the blade
  13. Back on the Assignments blade, click the Save button
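Before uploading the renamed profile (Step 6), it is worth confirming that the file Apple Configurator saved (Step 5) is a valid plist and actually carries the Restrictions payload with allowChat set to false, which is the key behind the "Allow iMessage" checkbox; Intune will accept any well-formed custom profile, so a wrong or missing key only shows up later as a device that still has iMessage.  This is an added example, not code from the original post.  The embedded profile is a constructed sample shaped like an Apple Configurator export, with placeholder identifiers and UUIDs.

```python
import plistlib

# Constructed sample of a restrictions profile as Apple Configurator 2 saves it
# (.mobileconfig, later renamed to .XML).  Identifiers/UUIDs are placeholders.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.ios-disable-imessage</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>iOS Disable iMessage</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.ios-disable-imessage.restrictions</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>allowChat</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"   # Apple's Restrictions payload type
REQUIRED_KEYS = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")


def check_profile(data: bytes) -> dict:
    """Parse a profile and report whether it will disable iMessage on a supervised device."""
    problems = []
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # malformed XML/plist: Intune would reject this file too
        return {"ok": False, "problems": [f"not a valid plist: {exc}"], "allow_chat": None}
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    allow_chat = None
    for payload in profile.get("PayloadContent", []):
        missing = [k for k in REQUIRED_KEYS if k not in payload]
        if missing:
            problems.append(f"payload missing required keys {missing}")
        if payload.get("PayloadType") == RESTRICTIONS_PAYLOAD:
            allow_chat = payload.get("allowChat")
    if allow_chat is None:
        problems.append("no Restrictions payload with an allowChat key")
    elif allow_chat is not False:
        problems.append("allowChat is not false; iMessage will remain enabled")
    return {"ok": not problems, "problems": problems, "allow_chat": allow_chat}
```

Run it against the real export by reading the renamed .XML file into bytes and passing it to check_profile; an empty problems list means the file carries the setting the post configures.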

Step 7: Use Apple Configurator to prepare device

  1. Before doing anything, on the device you wish to prepare, open Settings > [your name] > iCloud
  2. If an iPhone, turn off Find my iPhone.  If an iPad, turn off Find my iPad
  3. Connect the device to the Mac device with a USB cord
  4. In the All Devices window of Apple Configurator, the device will show up.  Select the device and then click the Prepare button in the toolbar above
  5. This action will step you through a wizard.  On the Prepare Devices screen, in the Prepare with drop-down, ensure Manual Configuration is selected.  Also ensure the Supervise devices and Allow devices to pair with other computers checkboxes are selected, and click Next
  6. On the Enroll in MDM Server screen, click Next
  7. On the Define an MDM Server screen, type in a name for the MDM server in the Name field.  In the Host name or URL field, paste in the URL you exported in Step 4 above and click Next.   On the next screen, you will be prompted to add trust anchor certificates for the MDM server.  Select the certificate appleconfigurator2.manage.microsoft.com and then click Next
  8. On the Assign to Organization screen, click Next
  9. On the Sign in to the Device Enrollment Program screen, click Skip
  10. On the Create an Organization screen, type in the details of your organization and click Next
  11. On the Configure iOS Setup Assistant screen, click Prepare.   NOTE: This screen contains options that dictate the user experience after the device is prepared.  If you select boxes here, the user will be prompted to configure those settings during device setup.  Review each setting and determine whether your organization requires that you allow users to configure these settings
  12. You'll be prompted that preparing the device requires it to be erased.  Click Erase on the prompt.  The device will now be prepared.  Wait for the preparation to complete.  After the device has completed preparing, you can complete the setup of the device yourself and give it to the user.  Or, you can allow the user to complete the Setup Assistant to finish the device setup

Step 8: Use Setup Assistant to complete enrollment of device

  1. Once the device has finished preparing, you or the user must complete Setup Assistant on the device so that it is enrolled and policy is applied to the device
  2. On the device, press the home button.  Depending on how you configured Setup Assistant in the previous step, you or the user will be prompted to configure the items selected in step 11 of the previous section
  3. Select a Wi-Fi network and connect.  Alternatively, connect to a cellular network if there is no Wi-Fi.  Once connected, click Next
  4. You will see a Remote Management screen for your organization.  Click Apply Configuration
  5. Type in the user credentials to enroll and click Next
  6. You'll see a screen stating the configuration from your organization is being installed.  Once this is complete, click Get Started
  7. On the device, click on Settings > Device Management and you will see your organization's management profile on the device.  This means the device has successfully enrolled and is now applying policy.  It may take some time for the custom device restriction policy to arrive and apply.  Give it at least 30 minutes for the custom policy to be applied

Step 9: Validate the iOS device restriction custom policy successfully applied

If you complete the Setup Assistant prior to giving the user the device, you can validate that the policy is applied on the device itself.  If you do not, you can view the success/failure data for the custom policy assignment in the Intune blade after some time.

  1. On the device, open Settings > Device Management > Management Profile > Restrictions
  2. On the Restrictions screen, you will see that iMessage is not allowed on the device

And there you have it!  Another adventure in Intune and the many ways we have to enroll and configure devices.  Please feel free to comment and share.  Until next time!