With many client deployments behind me, I wanted to share my thoughts on the automated enrollment techniques available in Microsoft Intune MDM and the minor limitations they come with regarding Multi-Factor Authentication (MFA). Requiring MFA for Intune enrollments is a great security measure, given how central MFA is to modern cloud security.

However, there are a few caveats to consider when using this feature:

  1. Multi-Factor Authentication (MFA) is not supported when using automatic enrollment methods. End users will not be prompted for a second factor, such as a fingerprint or a text message code, when enrolling their device.
  2. Automatic enrollment methods are only available for certain platforms, such as Windows 10, iOS, and Android. A device that does not meet the requirements cannot be enrolled automatically.
  3. Automatic enrollment methods require a device management profile, which can have a significant impact on the device’s functionality and user experience.
  4. Automatic enrollment methods may not suit every organisation or use case. Some organisations prefer manual enrollment, or a combination of manual and automatic methods, to keep tighter control over enrollment.
  5. Test automatic enrollment methods in a lab environment before deploying them in production, to make sure they work as expected and do not cause unexpected issues.

When choosing your Microsoft Intune MDM strategy and enrollment method you have a lot of freedom. I have listed some relevant TOS blogs below to help you decide whether the approach is right for your business.

  1. What is Microsoft Intune? – Ultimate Guide & 12 Core Features
  2. How to Setup Microsoft Intune tenant | TECHOM Systems

Multi-Factor Authentication Microsoft Intune Scenario

Before I explain how to set up this multi-factor authentication, it’s important to say a few words about the scenario. This particular configuration of multi-factor authentication is only possible when all of the following are true:

  • Microsoft Intune has been designated as the Mobile Device Management (MDM) Authority.
  • Multi-factor authentication is required only during enrollment of the device.
  • No single sign-on feature is in use.

Multi-Factor Authentication and Apple DEP

Apple DEP (Device Enrollment Program) allows organisations to enrol and manage many iOS and macOS devices. When combined with Multi-Factor Authentication (MFA), users have to provide an additional form of authentication beyond username and password to enrol their devices, typically a one-time passcode sent via SMS or generated by a third-party authenticator app. MFA adds a layer of security that ensures only authorised users can enrol devices through DEP. There are caveats: if a user loses access to the MFA method they used for enrollment, they may not be able to access their device or its resources, and if a device is lost or stolen, it will be wiped and any data on it is lost. It’s important to weigh the trade-off between security and convenience when implementing MFA with Apple DEP.

Which came first, Single App Mode or MFA?

Single App Mode (SAM) is a feature available on iOS devices that allows an organization to restrict a device to run only a single app to improve security and productivity. The feature typically locks a device into a specific task, such as a kiosk or point-of-sale device. Apple introduced it in iOS 6.

Multi-Factor Authentication (MFA) requires a user to provide more than one form of authentication to access a system or application. It is designed to provide an additional layer of security beyond a traditional username and password. MFA has been around for several years and is supported by many platforms and services.

So, Multi-Factor Authentication (MFA) came first: it is a security measure that has been around for many years, while Single App Mode (SAM) is a feature Apple introduced later, in iOS 6.

Workarounds

With Microsoft Intune, an administrator can block access to external devices while an internal media player can still play media. Intune manages both corporate and BYOD endpoints in a way that keeps corporate data safe.

I think you really have three options, and you need to choose the right one based on your organisation’s security and MFA needs.

Disable MFA from Microsoft Intune Enrollment

You can do this in Azure AD Conditional Access by excluding the Microsoft Intune Enrollment cloud app from the policy that requires MFA for the cloud services Azure AD manages. This is the cloud app behind the Intune Company Portal, through which you enrol your Apple device, so together with Single App Mode the enrollment experience is the same across the whole business, although it lowers security.

Disable MFA for the user while enrolling in Microsoft Intune

Each time a user unboxes a new device and enrols it, you can temporarily deactivate MFA for that user. This adds a lot of administrative work, so a smaller business may consider it, but it is unlikely to be acceptable in companies with tens of thousands of users or more.

You may also consider using the one-time bypass for the MFA.

Brief the user to do MFA from another device

This is the option for high-security organisations where MFA policies cannot be bypassed in any way. Brief the user that they can complete MFA for the enrollment of their new company device on their old device or on a personal device.

Guided Access app unavailable, and Apple DEP

This is a doozy of a problem. During enrollment in Single App Mode, a brief informational pop-up should be visible for no more than a minute, at least as far as Microsoft is concerned. Some users have reported a Microsoft Intune bug that leaves this screen frozen indefinitely.

The frozen screen reads: “Guided Access app unavailable. Contact your administrator.”

Workarounds

There are two ways to work around this situation.

Reset the phone

Experience has shown that if you leave the phone on the “Guided Access app unavailable” prompt and wait, it may eventually resume on its own. Otherwise, reset the phone and retry until enrollment succeeds. It may take one reset or ten, or, if you’re fortunate, you may never encounter the problem at all.

Don’t use Single App Mode

Microsoft advises this, but it makes Apple DEP enrollment painful. It appears the Company Portal app cannot obtain a VPP licence while the device is locked into Single App Mode, and VPP is needed for the user’s apps to be downloaded from the Company Portal. The solution is to enrol the device with the option turned off.


Multi-Factor Authentication, Google Zero Touch, Samsung KME, and Android Fully Managed devices

Android Fully Managed differs from Apple DEP enrollment because the Intune Company Portal is no longer the only app used to enrol the device: Android Fully Managed devices use the Microsoft Intune app as well as the Microsoft Intune Company Portal.

Even worse, the latest Microsoft Intune Company Portal app does not appear as a cloud app in Conditional Access, so its enrollment traffic cannot be intercepted or excluded there.

This problem only arises if you have Conditional Access policies that target All cloud apps. That is a common practice in many businesses, which prefer it to building app-level policies.

Workarounds

There are three ways to get around this that you should try. They are pretty much the same as the workarounds for Apple DEP, except that you cannot exclude the cloud app from Conditional Access right now.

Disable MFA from the user while enrolling

When a user unboxes and enrols a new device, you can temporarily deactivate MFA for that user. There is a lot of extra administrative work involved, but a smaller company may be able to handle it. It is unlikely to be acceptable in large enterprises with tens of thousands or even hundreds of thousands of users.

You may also consider using the one-time bypass for the MFA.

Brief the user to do MFA from another device with Microsoft Intune

This is the option for really secure institutions where exceptions to MFA policies are simply not an option. To enrol the new corporate device, the user first completes MFA on their old device or on a personal device.

Re-model your Conditional Access policies

To re-model your Conditional Access policies, review and update the rules and conditions that determine when access to your resources is granted or denied. This may involve updating conditions based on user or device attributes and adjusting the policies to reflect changes in the threat landscape or in compliance requirements. Keep multi-factor authentication and other controls in place to secure your resources, and test the policies (for example in report-only mode) before enforcing them in production.

To be enforced, a Conditional Access policy must have at least the following:

  • A policy name.
  • Assignments
    • The users and/or groups the policy applies to.
    • The cloud apps or user actions the policy applies to.
  • Access controls
    • Grant controls or session controls.
  • The policy enabled.
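As an added example for the two workarounds above (excluding the Microsoft Intune Enrollment cloud app for Apple DEP, and temporarily exempting one user for an Android Fully Managed enrollment, where the app cannot be excluded), the following Microsoft Graph PowerShell script builds a policy with exactly the parts listed: a name, user and cloud app assignments, an MFA grant control, and a state. It is not code from the original post, from TECHOM Systems or from Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in admin can consent to the scopes requested, that the GUID d4ebce55-015a-49b5-a083-c84d1797ae8c is the well-known app ID of "Microsoft Intune Enrollment" (the script checks the tenant rather than trusting it), and the group and policy names are ours.

```powershell
# Added example (not TECHOM Systems' or Microsoft's script).
# Creates a Conditional Access policy that requires MFA for all cloud apps but
# excludes (a) the "Microsoft Intune Enrollment" cloud app, for Apple DEP, and
# (b) a security group used to exempt a single user only for the duration of an
# Android Fully Managed enrollment, where the app itself cannot be excluded.
# Assumptions not in the original post: Graph PowerShell SDK installed, scopes
# below consented, app ID below is "Microsoft Intune Enrollment", names are ours.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Group.ReadWrite.All", "User.Read.All"

# 1. Verify the enrollment app ID against the tenant instead of trusting the GUID.
$enrollmentAppId = "d4ebce55-015a-49b5-a083-c84d1797ae8c"   # assumed: Microsoft Intune Enrollment
$enrollmentSp = Get-MgServicePrincipal -Filter "appId eq '$enrollmentAppId'"
if (-not $enrollmentSp) {
    throw "No service principal with appId $enrollmentAppId in this tenant; confirm the Microsoft Intune Enrollment app ID before continuing."
}
Write-Host "Excluding cloud app: $($enrollmentSp.DisplayName) ($enrollmentAppId)"

# 2. Exemption group: empty at rest; a user is added only while they enrol.
$groupName = "CA-Exempt-MFA-Intune-Enrollment"   # assumed name
$exemptGroup = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $exemptGroup) {
    $exemptGroup = New-MgGroup -DisplayName $groupName `
        -MailEnabled:$false -MailNickname "ca-exempt-mfa-intune-enrollment" `
        -SecurityEnabled:$true `
        -Description "Temporary MFA exemption for device enrollment. Must be empty when no enrollment is in progress."
}

# 3. The policy as the Graph API expects it: name, assignments (users, cloud apps),
#    access controls (grant: MFA) and state. Report-only first; set state to
#    "enabled" only after the lab test recommended above.
$policy = @{
    displayName   = "Require MFA for all cloud apps except Intune enrollment"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($exemptGroup.Id)
        }
        applications = @{
            includeApplications = @("All")
            excludeApplications = @($enrollmentAppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# 4. Per-user workaround for Android Fully Managed: exempt one user for one
#    enrollment, then revoke. Members left in the group are the real risk here.
function Grant-EnrollmentMfaExemption {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName
    New-MgGroupMember -GroupId $exemptGroup.Id -DirectoryObjectId $user.Id
    Write-Host "$UserPrincipalName is exempt from MFA until Revoke-EnrollmentMfaExemption is run."
}

function Revoke-EnrollmentMfaExemption {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName
    Remove-MgGroupMemberByRef -GroupId $exemptGroup.Id -DirectoryObjectId $user.Id
    Write-Host "$UserPrincipalName is back under the MFA policy."
}

# Usage (user name is hypothetical):
# Grant-EnrollmentMfaExemption -UserPrincipalName "jane.doe@contoso.com"
# ...user completes the Android Fully Managed enrollment...
# Revoke-EnrollmentMfaExemption -UserPrincipalName "jane.doe@contoso.com"
```

Two practical points. Group membership changes can take a few minutes to be reflected in Conditional Access evaluation, so exempt the user shortly before the enrollment rather than at the moment they hit the MFA prompt. And because the policy above targets All cloud apps with only the enrollment app and one group excluded, audit that group regularly: an account left in it is an account with no MFA requirement anywhere.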


Result

The result of this configuration is exactly as expected: multi-factor authentication is only required during Microsoft Intune MDM automatic enrollment.

As a whole, automated enrollment programmes are the best option, particularly for well-established enterprises. MFA brings a few drawbacks you’ll need to acknowledge and work around. We may not have these problems in the future, as Microsoft Intune’s features and possibilities continue to expand rapidly. For now, though, that is the way the cookie crumbles.

Interested in addressing MFA and the other caveats of Microsoft Intune MDM automatic enrollment?

Look no further than TECHOM Systems and our expert services for Microsoft solutions.

At TOS, we provide services for Microsoft Intune, a cloud-based enterprise mobility management (EMM) solution. Services offered by TOS for Intune include:

  1. Deployment and Configuration: We deploy Intune, configure its settings and policies, and connect it to other systems like Active Directory.
  2. Management and Monitoring: We manage and update policies, deploy apps, monitor compliance and security, and offer ongoing support and troubleshooting.
  3. Training and Consulting: TOS can help organisations get the most out of their Intune deployment through training and consulting services.

Schedule a meeting with our experts today to find out more about how we can help your organisation with Microsoft Intune.