AppStore Apps not coming down (DEP enrolled)

Hey everyone,

I have created several iOS AppStore apps in SCCM and deployed them to both a User collection and a Device collection as Required installations (some devices will not have user affinity, thus the deploy to device as well).

The Devices have an enrollment profile assigned with DEP integrated into SCCM.  The devices show up properly in SCCM once enrolled (during activation), however none of the deployed iOS apps are coming down to the device.  There is an Apple ID tied to the devices.

As a side note, I have a single Web app deployed the same way via SCCM and that is installed upon activation.  Am I missing something?  

If I enroll a device via the Company Portal app (i.e. non DEP), AppStore apps come down right away.

Thoughts?


September 10th, 2015 5:02pm

So the plot thickens.  For grins, on an already enrolled via DEP/Activation device, I installed the Company Portal app.  After logging into the Company Portal app, I was prompted to enroll the device AGAIN, even though the Management profile was already there and verified.  I went ahead and walked through the enrollment process again, and the required apps came down almost immediately. 

This cannot possibly be a requirement to double enroll.  Calling Intune support now.

September 10th, 2015 5:43pm

"deployed them to both a User collection and a Device collection as Required installations (some devices will not have user affinity, thus the deploy to device as well)."

Having UDA is basically not a requirement at all (if you are not using a requirement rule that forces you to do so).
What does the monitoring node show for those deployments?
September 10th, 2015 7:35pm

"Unknown Error" is what the deployments show.  I opened a case with Intune Support and was told that deploying managed applications to a DEP enrolled device was not a supported feature, and that effectively DEP is only good for devices that won't need applications deployed.  So there's that...

I asked if this was a limitation of Intune and was told no, it was a limitation of DEP which I refuse to believe.

Another fun artifact is that when you download and install Company Portal and go through the second enrollment process, you get 2, yes 2 devices in SCCM.  The one from DEP, and another from Company Portal.

I find it almost incomprehensible that this is truly by design.  I am getting on a call with the Intune Support DEP subject matter expert tomorrow to talk through all of this as the gentleman I spoke with today admitted he wasn't very familiar with DEP.

I'll post back once I have that conversation.

September 10th, 2015 11:19pm

From http://www.apple.com/business/dep/, which screams not a limitation of DEP, but a limitation of Intune (or a bug):

Zero-touch configuration for IT.

With the Device Enrollment Program, large-scale deployments of iPad, iPhone, and Mac are seamless. Automate mobile device management (MDM) enrollment for every device, so that when activated, they are immediately configured with account settings, apps, and access to corporate services over the air. There's no need for staging services, and no need for IT to physically access each device to complete setup.

September 10th, 2015 11:21pm

Now that I think about it, the Configuration Item/Baseline I had deployed to require a passcode did not come down either.  So I believe this argument is breaking down even more.  Smells much more like an issue at hand rather than "by design".
September 10th, 2015 11:23pm

I've just pinged the product group about the statement of Intune support. 
September 11th, 2015 6:10am

Thanks Torsten.  Looking forward to what they have to say.
September 11th, 2015 8:37am

Quick update.  I can confirm that what I was told yesterday was false.  This morning when I fired up the same iPad I DEP enrolled yesterday, I was prompted to enter a PIN code (from deployed Baseline) and many, although not all, of the apps pushed down to the device.  

So I have two issues to discuss with Intune support today.

1. Why did it take several hours after enrollment for apps to come down?

2. Why didn't all of the apps come down.

I am going to retest with another iPad today and see if I can pin down how long it actually takes for apps/settings to come down.

Still interested in hearing back if you get anything from the product group Torsten.

Thanks as always.

September 11th, 2015 10:17am

More fun discovered this morning.  Since we now have to apply an Application Management Policy to apps like Word, Excel, etc. when deployed, these apps won't open when deployed to a DEP enrolled device.

You get the nice message when opening the app of:

"App cannot be used because an invalid policy was set or you have not enrolled your device using the Company Portal app."

So that sucks.  Guess that's another item I will be discussing with Intune support.
September 11th, 2015 11:16am

Just got off the phone with a DEP SME from Intune support who told me that if you used DEP, you must use the Apple ID that you configured with DEP integration, and that non-managed apps should come down.  If you use a personal Apple ID (which I am sure 90% of people will), it bypasses Intune and you get mixed results.

In addition, managed apps, which are forced now in SCCM when you deploy them, will indeed not work when deployed through DEP.  So effectively DEP is useless when you need to deploy managed apps, (read, all Microsoft apps).  The solution as he told me is to use Apple Configurator and touch each and every single device to disable activation lock via Supervision.

I am floored.  They are supposed to be emailing me the technet articles that outline this behavior.

The alternative is to enroll in Company Portal after you have activated via DEP, which works, however it creates an additional object in SCCM.  Guess I'll look into creating a script that detects the duplicate object and removes the DEP based one after Company Portal enrollment.

September 11th, 2015 12:14pm

The hits keep rolling..

No RBAC support for managing the Company-owned node in SCCM.  You have to be Full Administrator with no Scope limits.

No way to unassign a device from a DEP enrollment profile.  Once assigned, it can only be reassigned to another profile. 

Enrolling using the Company Portal after DEP doesn't appear to be a viable option.  Apps, although required in the SCCM deployment are not enforced and can be removed.  Since they are not required they will not come back down.  Not all apps came down either and no apps in the company portal.  

Moral of the story, DEP integration is worthless at this time unless you do not plan on deploying any Microsoft Office (i.e. managed) apps, or conditional access.  Looks like we will need to remove the DEP integration and touch every device with Apple Configurator to Supervise.

Here's a couple of quotes from the Intune support contact:

After reviewing the public facing articles, I haven't seen any documentation stating either way that pushing Managed Apps is possible/not possible at the present time. I can submit a request to have these articles updated to clarify such information to hopefully prevent confusion in the future.

Just to confirm, I have verified with multiple engineers in the product group that this scenario is not possible at this time. 

And:

This is a direct quote from one of our Product Group engineers:

DEP (Apple's Device Enrollment Program) enrolled devices are not compatible with:

- Conditional Access
- Mobile Application Management (MAM, aka. Managed Apps)
- Company Portal App (WPJ features)

NOTE: Using CA or MAM with DEP enrolled devices is unsupported.

During the DEP account setup process, the Microsoft Intune account is uploaded to the Apple Admin Console and is tied to the DEP account.  Intune is deployed as part of the DEP package and does not use the Company Portal app for enrollment.  Therefore, Workplace Join does not occur, which MAM and Conditional Access require for use.

ALSO NOTE:  The customer won't be able to use these features with DEP enrolled devices.  Applying a MAM policy to the device will cause login issues because the device is looking for (Company Portal app) enrollment, which is required to be compliant.

September 11th, 2015 2:23pm

Hi Folks - 

I'd like to try and help clarify a couple things here. 

  1. At this time, a device enrolled in Intune using DEP supports pushing policies/profiles to that device
  2. Please do not try to install/enroll thru Company Portal on DEP devices, this is not yet supported (bad stuff will happen). And as a result, the following scenarios will not work for DEP-enrolled devices.
    - Conditional Access
    - Mobile App Mgmt (you cannot deploy any managed apps from this list)
  3. App deployment (for apps *not* on the above list) should work as long as you use the Required Install deployment method
    - you must setup your user/device groups appropriately

We are working on changes to ensure that DEP + Company Portal app can work together, and should have a fix available in the next couple months. Once we release the update, it will be required that you setup your DEP enrollment profile with Prompt for User Affinity (per these instructions) in order to work with Company Portal. If you choose "No user affinity" then the Comp Portal app will never work.

Additional notes:

  • The Apple ID you use to setup the DEP device is not relevant, and does not need to match the one from the DEP Portal.
  • If you are observing that Required Install apps (except for ones from this list) are not getting deployed, please open a support ticket. Same deal if you're observing policies/profiles not making it to the device. These should both work.

-Kieran Gupta, Intune Product Team


September 11th, 2015 3:11pm

Thank you for the follow up Kieran.  We are eagerly waiting for an update where we can once again use DEP for wireless supervision as well as Conditional Access/Managed Apps.
September 11th, 2015 3:53pm

"Once we release the update, it will be required that you setup your DEP enrollment profile with Prompt for User Affinity (per these instructions) in order to work with Company Portal. If you choose "No user affinity" then the Comp Portal app will never work."

Will we see an update that will allow managed apps to be deployed to a device that will not be tied to a user?  i.e. a shared device, thus no prompt for user affinity?

September 11th, 2015 3:55pm


Here you go.  1304017859

My biggest issue here is that this is not publicly documented anywhere.  I started a project with a new customer of ours just to uncover these limitations during implementation.  Had there been sufficient documentation outlining all of this, we would not have wasted time/money going down this path.  :-/

Thanks for the follow ups Kieran

September 14th, 2015 10:02am

BTW, I have another case open now trying to unwind DEP from SCCM/Intune.  De-assigning the devices in the Apple DEP portal and removing the DEP support for Intune in the Admin Console left all the devices that have synced with DEP in the console, including the devices that have assigned profiles, which you cannot unassign.  You can only assign to a different profile.  :-/

I'll follow up once I have a resolution on this issue as well.

September 14th, 2015 10:06am

This topic is archived. No further replies will be accepted.