Friday, July 16, 2021

Support Tip: Company Portal Single App Mode is not enforced through the CP during ADE Enrollment

We've had a service health dashboard (SHD) post live (IT268020) for a few days while we investigated a case and have also been working with Apple to reproduce the issue and further troubleshoot. We are closing the SHD post and we’ll keep this blog updated with the latest information. Sharing the details of this known issue below.

Here's the scenario: User’s automated device enrollment (ADE) through the Company Portal isn't enforcing Single App Mode for devices running iOS/iPadOS 14.6 and later. What this means is that if you select single app mode, and the device runs into this issue, instead of just showing the Company Portal during enrollment, it’s allowing full access to the device, such as the Home Screen and App Library. Users could go to a browser, for example, and access web resources. Any user-targeted settings will not be applied until the user authenticates using the Company Portal. If devices go to sleep while in this state, they may appear to freeze by no longer accepting input through touch or button press.


Devices affected: New enrollments only; existing devices are not impacted. This affects not all, but many models running iOS/iPadOS version 14.6 and later and enrolling through the ADE flow with Single App Mode until authentication enabled.


Workarounds: There are two workarounds – 1) A force restart of the device when it gets stopped in the enrollment process typically returns it to single app mode as expected. 2) A better workaround is to use Setup Assistant with Modern Authentication as authentication method for Automated Device Enrollment (ADE), currently in public preview: Assistant with Modern Auth for ADE (iOS/iPadOS 13+ and macOS 10.15+) - Intune Public Preview - Microsoft Tech Community


We will keep this post updated as new information becomes available. 

Posted at