Issues With IOS Device Registration Via IMEI In Intune
To create the list, create a two-column, comma-separated value (.csv) list without a header. Add the 14-digit IMEI or serial numbers in the left column, and the details in the right column. Only one type of ID, IMEI or serial number, can be imported in a single .csv file. Details are limited to 128 characters and are for administrative use only. Details aren't displayed on the device. The current limit is 5,000 rows per .csv file.
Some Android and iOS/iPadOS devices have multiple IMEI numbers. Intune only reads one IMEI number per enrolled device. If you import an IMEI number but it is not the IMEI inventoried by Intune, the device is classified as a personal device instead of a corporate-owned device. If you import multiple IMEI numbers for a device, uninventoried numbers display Unknown for enrollment status.

Also note:
Serial numbers are the recommended form of identification for iOS/iPadOS devices.
Android serial numbers are not guaranteed to be unique or present. Check with your device supplier to understand whether the serial number is a reliable device ID.
Serial numbers reported by the device to Intune might not match the ID displayed in the Android Settings/About menus on the device. Verify the type of serial number reported by the device manufacturer.
Attempting to upload a file with serial numbers containing dots (.) will cause the upload to fail. Serial numbers with dots are not supported.
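The import rules above (two columns, no header, one identifier type per file, 14-digit IMEIs as the page states them, details of at most 128 characters, at most 5,000 rows, no dots in serial numbers) are easy to violate by hand and the portal only tells you that the upload failed. The following is an added example, not Microsoft's code or anything from Intune's own tooling: a small offline pre-flight check that applies exactly those rules to a corporate device identifier .csv before you upload it. The sample files embedded in the block are constructed, and the header-detection heuristic (treating a first column that reads "IMEI" or "Serial" as a stray header row) is an assumption of this example, not a documented Intune behaviour.

```python
import csv
import io

# Limits as stated in the Intune corporate device identifier documentation quoted above.
MAX_ROWS = 5000
MAX_DETAIL_LEN = 128
IMEI_LEN = 14  # digit count the page gives for IMEI values

# Heuristic (assumption of this example): these first-column values look like a header row,
# and the page says the file must have no header.
HEADER_WORDS = {"imei", "serial", "serialnumber", "serial number"}


def classify_identifier(value: str) -> str:
    """Return 'imei' for an all-digit value of IMEI_LEN digits, otherwise 'serial'."""
    return "imei" if len(value) == IMEI_LEN and value.isdigit() else "serial"


def validate_identifier_csv(text: str) -> list:
    """Validate a headerless two-column identifier CSV.

    Returns a list of human-readable problems; an empty list means the file
    satisfies every rule the page lists. Blank lines are ignored.
    """
    problems = []
    rows = [row for row in csv.reader(io.StringIO(text)) if row]

    if len(rows) > MAX_ROWS:
        problems.append(f"{len(rows)} rows exceeds the {MAX_ROWS}-row limit")

    if rows and rows[0] and rows[0][0].strip().lower() in HEADER_WORDS:
        problems.append("line 1: looks like a header row; the file must have no header")

    kinds = set()
    for lineno, row in enumerate(rows, start=1):
        if len(row) != 2:
            problems.append(f"line {lineno}: expected 2 columns, got {len(row)}")
            continue
        ident, detail = row[0].strip(), row[1]
        if not ident:
            problems.append(f"line {lineno}: empty identifier")
            continue

        kind = classify_identifier(ident)
        kinds.add(kind)

        # Serial numbers containing dots make the whole upload fail.
        if kind == "serial" and "." in ident:
            problems.append(f"line {lineno}: serial number contains a dot, which is not supported")

        # Details are administrative text only, capped at 128 characters.
        if len(detail) > MAX_DETAIL_LEN:
            problems.append(f"line {lineno}: details exceed {MAX_DETAIL_LEN} characters")

    # Only one identifier type may be imported per file.
    if len(kinds) > 1:
        problems.append("file mixes IMEI and serial numbers; only one type per file")

    return problems


# Constructed sample files (not real device identifiers).
GOOD_IMEI_FILE = (
    "12345678901234,Finance loaner 1\n"
    "23456789012345,Sales demo unit\n"
)

BAD_MIXED_FILE = (
    "12345678901234,Finance loaner 1\n"   # IMEI
    "C02ABC.DEF12,Engineering Mac\n"      # serial with a dot -> upload would fail
    "F9FXXXXXXXXX," + "x" * 129 + "\n"    # details one character over the limit
)

HEADER_FILE = "IMEI,Details\n12345678901234,Finance loaner 1\n"

if __name__ == "__main__":
    for name, sample in [("good", GOOD_IMEI_FILE), ("mixed", BAD_MIXED_FILE), ("header", HEADER_FILE)]:
        found = validate_identifier_csv(sample)
        print(f"{name}: {'OK' if not found else ''}")
        for problem in found:
            print("  -", problem)
```

Run the check against the exported file before uploading; a clean result does not guarantee that the IMEI you listed is the one Intune will inventory (that depends on the device, as the text above explains), but it rules out every formatting cause of a failed import.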
Imported devices are not necessarily enrolled. Devices can have a state of either Enrolled or Not contacted. Not contacted means that the device has never communicated with the Intune service.
When a device's ownership type is changed from Corporate to Personal, Intune deletes all app information previously collected from that device within seven days. If applicable, Intune will also delete the phone number on record. Intune will still collect an inventory of apps installed by the IT admin on the device and will still collect a partial phone number for the device after it is marked as personal.
Automated Device Enrollment lets you automate Mobile Device Management (MDM) enrollment and simplify initial device setup. You can supervise devices during activation without touching them, and lock MDM enrollment for ongoing management.
In groups where both Android platforms are allowed, devices that support work profile will enroll with a work profile. Devices that don't support work profile will enroll on the Android device administrator platform. Neither work profile nor device administrator enrollment will work until you complete all prerequisites for Android enrollment.
Intune marks devices going through the following types of enrollments as corporate-owned, and blocks them from enrolling (unless registered with Autopilot) because these methods don't offer the Intune administrator per-device control:
Company Portal needs device administrator permissions to securely manage your device. Activating the app lets your organization identify possible security issues, such as repeated failed attempts to unlock your device, and respond appropriately.
With the release of Apple's iOS 13.1, a new device management type became available: User Enrollment. This update brings an iOS equivalent of the Android Enterprise work profile, intended especially for managing personal (BYOD) devices. As with the Android work profile, it separates the user's personal and corporate apps and data. It creates an isolated managed volume that keeps work apps and data separate and secure from personal apps and data. To support User Enrollment, Microsoft rolled out new enrollment types (in Preview) in Intune. In this blog I will have a first look at iOS User Enrollment with Microsoft Intune.
As I want to show the complete enrollment experience for an end user with the choice between a privately owned or a corporate-owned device, I choose Required. Have a look at the information message that is shown when you choose Required: "Deploy the Azure Authenticator app as required for Conditional Access to work."
On the end-user device a pop-up is shown when you open the Intune Company Portal app, confirming the removal of the device from Intune. The managed apps with corporate data are indeed removed from the device, without performing a factory reset or removing personal data.
Not much has changed since I did the first tests with iOS User Enrollment. Application deployment still doesn't seem to work when you set the assignment as Required and the license type to Device. If you use license type User, the installation runs fine, but the reporting in the Intune portal shows inconsistent behavior: sometimes Succeeded and sometimes Failed (with different errors, like the one already mentioned or "The app is already installed on the device, but is not managed by Intune. MDM cannot prompt management take over on devices with OS version lower than iOS 9. The user can manually uninstall the app and then install it via MDM."). Installing applications that are assigned as Available does work fine now. The app is installed, but again the reporting in the portal shows different statuses.
Thanks for the posts and blog. Very informative. I had an idea, whereby I could use the complianceState cmdlet in conjunction with a Toast Notification. The toast notification will pop up periodically, e.g. every 1 hour, and produce a custom toast message with the current device's compliance state. Ideally the API call should run with the correct permissions to read etc. Let me know what you think.
So after the attacker realizes that Conditional Access has been configured to require Intune compliance, all the hacker has to do is find a device to enroll into Intune. The attack consists of a hacker logging into a virtual machine they control somewhere and then Azure AD joining it to the target organization (with MDM auto-enrollment), or Azure AD registering it with device management (Intune), because they have obtained the username and password of the user. Perhaps the user had MFA enabled on their account, but the user accidentally authorized the attacker to log on via MFA push notification or phone call (this happens a lot actually, so you should switch users to number matching, or wait for Microsoft to roll it out, which is coming soon).
Registered: Devices that are Azure AD registered are typically personally owned or mobile devices and are signed in with a personal Microsoft account or another local account.
Hybrid Joined: Devices that are hybrid Azure AD joined are owned by an organization and are signed in with an on-premises Active Directory Domain user account belonging to that organization. This account is then in an OU that is synced to the cloud, and Conditional Access policies can then use this device state as a grant control.
Important side note: This forum post illustrates what happens when you configure enrollment restrictions to block personally owned devices but then neglect to manually change Autopilot devices to Corporate. Those devices get error 80180014 because the Autopilot devices were not set to Corporate. -intune/error-80180014-due-to-device-restrictions-for-windows-autopilot/m-p/1155809
The process of managing with Apple Business Manager starts when your organization purchases Apple devices from Apple or from Apple authorized resellers. You have to log into your Apple Business Manager account. If you already have an account with the Device Enrollment Program, you can migrate to Apple Business Manager by following the prompts available on your DEP portal. You have to register your MDM with the Apple Business Manager portal. Once you have registered the MDM server, secure communication is enabled between the MDM server and the Apple portal. This is used to synchronize the details of devices purchased by your organization. When you find the devices synced from the Apple portal, you can assign them to users. Whenever the devices are activated, all restrictions and configurations imposed using MDM are automatically installed on all your devices over-the-air (OTA). By configuring ABM, you can ensure all the organization's devices are managed by MDM by default as soon as they are activated.
One of the advantages of adding devices like iPhones, iPads, and MacBooks to Apple Business Manager is that these devices can be enrolled without any user interaction. Learn how to add devices to ABM from the steps below.
To add devices to Apple Business Manager, the reseller details must be added to the ABM portal. Then every time devices are purchased from the same reseller, the devices are added to the ABM portal and, in turn, to the MDM server through the integration of the ABM portal with the MDM server.
Mobile Device Manager Plus will automatically sync with the Apple Business Manager every 24 hours. On syncing, all the settings configured in the ABM portal will get applied to the devices and listed on the MDM console. Admins can schedule this sync time according to the time when resellers add the devices to the ABM portal. Follow the steps mentioned below to schedule ABM sync time:
Supervision Identity contains the identity of the organization that manages the device and hence is unique to every organization. This identity is associated with the supervise