
Using Setup Assistant with modern authentication

source link: https://www.petervanderwoude.nl/post/using-setup-assistant-with-modern-authentication/?shared=email&msg=fail


April 26, 2021 by Peter van der Woude

This week is all about the support for a new authentication method when using Automated Device Enrollment (ADE). That new authentication method is Setup Assistant with modern authentication and is available for iOS/iPadOS devices running version 13.0 and later and for macOS devices running version 10.15 and later. Setup Assistant with modern authentication enables organizations to require authentication with Azure AD, including the ability to require MFA, and enables users to immediately use their device. This post provides an introduction to this new authentication method, followed by the steps to configure an enrollment profile with this new authentication method. This post ends with a quick look at the enrollment experience when using Setup Assistant with modern authentication.

Note: At the moment of writing Setup Assistant with modern authentication is still in public preview.

Introduction to Setup Assistant with modern authentication

Setup Assistant shapes the out-of-the-box experience of Apple devices. At first start, Setup Assistant will walk the user through the steps of activating, configuring and personalizing their Apple device. When using Apple Business Manager (ABM) – and specifically ADE – in combination with Microsoft Intune, the experience of Setup Assistant can be adjusted. The IT administrator can choose which configuration options and personalization options are shown to the user and can make sure that the device will enroll in Microsoft Intune.

The main challenge, with the legacy options for authentication in Setup Assistant, was that every interaction would break the sign-in of the user. That would happen when requiring MFA, or when prompting the user to change or update their password. As an alternative Microsoft provided the option to authenticate with the Company Portal app and lock the device in the app until that authentication was performed. That was also not always the best experience, as it could take a while for the Company Portal app to be available and the device to be usable.

Setup Assistant with modern authentication should address all those issues. The user will be able to authenticate during the Setup Assistant – including when interaction is required – and the device will be ready for use immediately. The small catch, however, is that the user should also still sign in to the Company Portal app once it’s installed. Without that sign-in the device will enroll in Microsoft Intune, but won’t report a compliance state yet. That means that in combination with Conditional Access (CA), the user won’t be able to access company data and resources. The sign-in to the Company Portal app is required to finish the registration and to set the user affinity. After that, the device will show in the list of devices of that specific user.

Configuration of the enrollment profile for the Setup Assistant with modern authentication

Setup Assistant with modern authentication can be configured by using an enrollment profile. An enrollment profile can be assigned to devices that are synchronized via ABM to Microsoft Intune. That means that the ADE configuration should be in place. Once that configuration is in place, the following six steps walk through the process of creating the required enrollment profile for iOS/iPadOS devices.

Note: The process of creating the required enrollment profile for macOS devices is very similar. That enrollment profile has fewer settings, but the important configurations are all around the user affinity and the authentication method. And that configuration is the same (see step 4 below).

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens > {YourEnrollmentToken} > Profiles
  2. On the {YourEnrollmentToken} | Profiles page, click Create profile > iOS/iPadOS to open the Create profile wizard
  3. On the Basics page, provide the following information and click Next
  • Name: Provide a name for the profile to distinguish it from other similar profiles
  • Description: (Optional) Provide a description for the profile to further differentiate profiles
  • Platform: iOS/iPadOS is preconfigured based on the initial start of the wizard
  4. On the Management Settings page, as shown in Figure 1, provide at least the following information and click Next
  • User affinity: Select Enroll with User Affinity as value, as the configuration of the authentication method is only applicable in combination with user affinity
  • Authentication Method: Select Setup Assistant with modern authentication as value, to provide the required modern authentication with the Setup Assistant
  • Install Company Portal with VPP: Select Use Token: {YourToken} as value, to enable the installation of the Company Portal app without the need for a user to first connect a personal Apple ID
  • Supervised: Select Yes, to enable a larger set of configuration options
  • Locked enrollment: Select Yes as value, to make sure that the enrollment is locked on the device
  • Sync with computers: Choose between Allow All, Deny All and Allow Apple Configurator by certificate, to specify if the device is allowed to sync with computers
  • Apply device name template (supervised devices only): Choose between Yes and No, to specify if the device should follow a specific naming standard
  • Device Name Template: Specify a device name template when the requirement (and previous configuration) is to apply a device name template

Note: The variable {{SERIAL}} can be used as the serial number in the device name and the variable {{DEVICETYPE}} can be used as the device type in the device name.

Figure 1: Overview of the enrollment profile configuration

  5. On the Setup Assistant page, provide at least the following information and click Next
  • Department: Specify the department name that should be displayed in the Setup Assistant
  • Department Phone: Specify the department phone number that should be displayed in the Setup Assistant
  • Setup Assistant Screens: Specify the screens that should be displayed in the Setup Assistant
  6. On the Review + create page, verify the configuration and click Create
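The settings in step 4 are the ones that decide whether the device ends up supervised, locked and authenticated the way this post intends, so it is worth checking them before a profile is set as default or assigned. The following Python script is an added example, not code from the post or from Microsoft: it reviews a profile represented as a dictionary keyed by the UI labels used above (an assumption made for illustration; these are not the Microsoft Graph property names) and flags the settings that deviate from the configuration described in the post. It also validates the {{SERIAL}} and {{DEVICETYPE}} variables in the device name template and renders a sample name. The example profile is constructed.

```python
"""Review an ADE enrollment profile against the settings this post recommends.

Assumption: the profile is a dict keyed by the UI labels from the Management
Settings page of the post. These are NOT Microsoft Graph property names.
"""
import re

# Constructed example profile using the post's UI labels (not a real export).
EXAMPLE_PROFILE = {
    "Name": "iOS - Setup Assistant with modern authentication",
    "User affinity": "Enroll with User Affinity",
    "Authentication Method": "Setup Assistant with modern authentication",
    "Install Company Portal with VPP": "Use Token: {YourToken}",  # placeholder token name from the post
    "Supervised": "Yes",
    "Locked enrollment": "Yes",
    "Sync with computers": "Deny All",
    "Apply device name template (supervised devices only)": "Yes",
    "Device Name Template": "CORP-{{DEVICETYPE}}-{{SERIAL}}",
}

# The two template variables the post documents.
KNOWN_VARIABLES = {"SERIAL", "DEVICETYPE"}


def check_template(template):
    """Return a finding for every {{VARIABLE}} that is not one of the documented ones."""
    findings = []
    for var in re.findall(r"\{\{(\w+)\}\}", template):
        if var not in KNOWN_VARIABLES:
            findings.append(f"Unknown device name variable {{{{{var}}}}}")
    return findings


def check_profile(profile):
    """Return a list of findings; an empty list means the profile matches the post's recommendations."""
    findings = []
    if profile.get("User affinity") != "Enroll with User Affinity":
        findings.append("Authentication method only applies with 'Enroll with User Affinity'")
    if profile.get("Authentication Method") != "Setup Assistant with modern authentication":
        findings.append("Authentication Method is not 'Setup Assistant with modern authentication'")
    if not str(profile.get("Install Company Portal with VPP", "")).startswith("Use Token:"):
        findings.append("Company Portal is not installed via VPP; the user cannot finish "
                        "registration and compliance reporting without it")
    if profile.get("Supervised") != "Yes":
        findings.append("Supervised is not 'Yes'; fewer configuration options are available")
    if profile.get("Locked enrollment") != "Yes":
        findings.append("Locked enrollment is not 'Yes'; the enrollment is not locked on the device")
    if profile.get("Apply device name template (supervised devices only)") == "Yes":
        if profile.get("Supervised") != "Yes":
            findings.append("A device name template only applies to supervised devices")
        findings.extend(check_template(profile.get("Device Name Template", "")))
    return findings


def render_device_name(template, serial, device_type):
    """Expand the {{SERIAL}} and {{DEVICETYPE}} variables as the post describes them."""
    return template.replace("{{SERIAL}}", serial).replace("{{DEVICETYPE}}", device_type)


if __name__ == "__main__":
    for finding in check_profile(EXAMPLE_PROFILE) or ["Profile matches the recommended settings"]:
        print(finding)
    # Constructed serial number for illustration.
    print(render_device_name(EXAMPLE_PROFILE["Device Name Template"], "C02EXAMPLE01", "iPad"))
```

Running the script against the constructed profile reports no findings; changing Supervised or Locked enrollment to No, or using an undocumented template variable, produces one finding per deviation.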

Once the enrollment profile is created, it can be assigned to devices that are synchronized via ABM. That assignment can be achieved by using one of the following methods.

  • Default profile – Navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens > {YourEnrollmentToken} > Profiles and use Set default profile to configure the default profile that is automatically assigned to all synchronized iOS/iPadOS devices for that specific enrollment token
  • Assign profile – Navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens > {YourEnrollmentToken} > Devices and use Assign profile to manually configure the profile that is assigned to the specifically selected iOS/iPadOS devices that are synchronized for that specific enrollment token

Enrollment experience for the Setup Assistant with modern authentication

Once the enrollment profile is configured and assigned, it’s time to have a look at the new enrollment experience. Depending on the number of Setup Assistant screens – as configured in step 5 – the enrollment is simple and leaves little room for error. The most interesting point starts with the Remote Management screen, as when the user clicks next the modern authentication sign-in experience will be triggered. That will ask the user to sign in and – depending on the MFA configuration – prompt the user for MFA, as shown below in Figure 2. After that sign-in, the user must walk through any remaining Setup Assistant screens and eventually lands automatically and quickly on the home screen as shown in Figure 3. That also shows the early stages of the device set up, as the apps still need to be provisioned. When the installation of the Company Portal app is pushed by using Apple VPP – as configured in step 4 – the user will see the installation of that app when swiping to the left, as shown in Figure 4.

Figure 2: An example of the Setup Assistant with modern authentication prompting for MFA
Figure 3: An example of the home screen and the available apps after signing in
Figure 4: An example of the next screen and the pushed Company Portal app after signing in

Once the user is up-and-running, the user isn’t done with the device enrollment. When the user starts by using the Outlook app, and a CA policy is in place that requires a managed device, the user will receive a friendly message that directs the user to the Company Portal app. Also, when the user starts by opening the Company Portal app, the user will see that a sign-in is still required, as shown in Figure 5. The user should sign in again and walk through finalizing the enrollment process as shown in Figures 6 and 7. After going through that process, the user will be fully up-and-running and have access to company data and resources.

Figure 5: An example of the Company Portal app that is not signed in
Figure 6: An example of the device set up steps in the Company Portal app
Figure 7: An example of successfully going through the steps in the Company Portal app

More information

For more information about creating enrollment profiles in Microsoft Intune, refer to the documentation about Automatically enroll iOS/iPadOS devices by using Apple’s Automated Device Enrollment.
