Could not enroll iOS devices in an SCCM (ConfigMgr) hybrid environment


I had set up standalone Intune (MDM authority set to Intune) to manage mobile devices a long time ago, but after doing some testing on Android, Windows and iOS devices, I decided to change the MDM authority from Intune to the Configuration Manager console (hybrid). To change the MDM authority from Intune to hybrid, log in to the SCCM console and go to Administration -> Cloud Services -> Microsoft Intune Subscription -> Add Microsoft Intune Subscription.


This wizard prompts you to sign in with the Microsoft Intune subscription and to configure company contact information, logo and so on.

After completing the initial setup, I verified the logs and confirmed that the MDM authority is set to Hybrid using the URL https://admin.manage.microsoft.com/MicrosoftIntune/App.aspx

Admin page -> Mobile Device Management: the Mobile device management authority is set to Configuration Manager.


Once this is done, you can enable the Windows and Android platforms directly, but for iOS devices you need to create an APNs certificate request and download the APNs certificate, which is used to establish a trust relationship between the Apple Push Notification server and Intune's mobile device management authority.

Once you have enabled iOS enrollment and uploaded the Apple Push Notification service certificate, you can start enrolling iOS devices.

Note: Do not upload the Apple Push Notification service (APNs) certificate until you have enabled iOS enrollment in the Configuration Manager console.

Once I was done with the configuration, I enrolled Windows and Android devices and they appeared in the SCCM console, but iOS devices did not.

I tried enrolling a few iOS devices, but they never appeared in the SCCM console. On the iOS device I could see the applications, company logo and so on that I had published to my users in the Company Portal, but the compliance check just stayed stuck for a long time without any progress.

This led me to look at the logs. To get them, open the Company Portal app and shake the device to get the option to send logs.

Here is a snippet from the log.

2017-08-16 05:20:22.812 ERRO  com.microsoft.ssp.aad 0 TID=1   AADTokenFactory.swift: 55 (init()) ADAL 2.4.1 iOS 10.3.3 [2017-08-16 05:20:22 - 47F99BAC-ED26-4C45-980F-47C45A4E5F23] Error raised: (Domain: "ADAuthenticationErrorDomain" Code: AD_ERROR_UI_USER_CANCEL ProtocolCode: "(null)" Details: "The user has cancelled the authorization."

correlationId = "47F99BAC-ED26-4C45-980F-47C45A4E5F23";

error = "Error with code: AD_ERROR_UI_USER_CANCEL Domain: ADAuthenticationErrorDomain ProtocolCode:(null) Details:The user has cancelled the authorization.. Inner error details: Error domain: ADAuthenticationErrorDomain\nCode: 403\nDescription: The operation couldn\U2019t be completed. (ADAuthenticationErrorDomain error 403.)\nUser info: {\n}";
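Added example, not from the post: a small Python parser for Company Portal log lines of the shape shown above. It pulls out the ADAL error domain, error code, protocol code and correlation ID from each ERRO line, tallies the codes and lists the correlation IDs so they can be handed to support when the client-side message (here "user has cancelled") does not explain the real cause. The regular expressions and the sample lines are my assumptions modelled on the excerpt, not a documented log format; the first ERRO line reproduces the post's entry, the other lines are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log. The first ERRO line is the entry quoted in the post;
# the INFO line, the network ERRO line and the second ADAL line (with a made-up
# correlation ID and protocol code) are constructed for illustration only.
SAMPLE_LOG = """\
2017-08-16 05:20:21.100 INFO  com.microsoft.ssp.enrollment 0 TID=1   EnrollmentManager.swift: 120 (start()) Starting MDM enrollment check
2017-08-16 05:20:22.812 ERRO  com.microsoft.ssp.aad 0 TID=1   AADTokenFactory.swift: 55 (init()) ADAL 2.4.1 iOS 10.3.3 [2017-08-16 05:20:22 - 47F99BAC-ED26-4C45-980F-47C45A4E5F23] Error raised: (Domain: "ADAuthenticationErrorDomain" Code: AD_ERROR_UI_USER_CANCEL ProtocolCode: "(null)" Details: "The user has cancelled the authorization."
2017-08-16 05:20:40.010 ERRO  com.microsoft.ssp.network 0 TID=1   HttpClient.swift: 88 (send()) Request timed out
2017-08-16 05:21:03.004 ERRO  com.microsoft.ssp.aad 0 TID=1   AADTokenFactory.swift: 55 (init()) ADAL 2.4.1 iOS 10.3.3 [2017-08-16 05:21:03 - 0A1B2C3D-1111-4222-8333-444455556666] Error raised: (Domain: "ADAuthenticationErrorDomain" Code: AD_ERROR_SERVER_OAUTH ProtocolCode: "invalid_grant" Details: "Token request failed."
"""

# Line header: timestamp, level (INFO/ERRO/...), subsystem. Assumed layout.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[A-Z]+)\s+(?P<subsystem>\S+)"
)

# ADAL error body: "[<time> - <correlation id>] ... Domain: "..." Code: ...
# ProtocolCode: "..." Details: "..."". Assumed layout based on the excerpt.
ADAL_RE = re.compile(
    r"\[[^\]]*? - (?P<correlation>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}"
    r"-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\].*?"
    r'Domain: "(?P<domain>[^"]+)" Code: (?P<code>\S+) '
    r'ProtocolCode: "(?P<proto>[^"]*)" Details: "(?P<details>[^"]*)"'
)


@dataclass
class AdalError:
    timestamp: str
    subsystem: str
    correlation_id: str
    domain: str
    code: str
    protocol_code: Optional[str]  # None when ADAL logged "(null)"
    details: str


def parse_log(text: str) -> List[AdalError]:
    """Return every ADAL error found on ERRO lines, in file order.
    ERRO lines without an ADAL body (e.g. network errors) are skipped."""
    errors: List[AdalError] = []
    for line in text.splitlines():
        head = LINE_RE.match(line)
        if not head or head.group("level") != "ERRO":
            continue
        body = ADAL_RE.search(line)
        if not body:
            continue
        proto = body.group("proto")
        errors.append(AdalError(
            timestamp=head.group("ts"),
            subsystem=head.group("subsystem"),
            correlation_id=body.group("correlation"),
            domain=body.group("domain"),
            code=body.group("code"),
            protocol_code=None if proto == "(null)" else proto,
            details=body.group("details"),
        ))
    return errors


def count_by_code(errors: List[AdalError]) -> Dict[str, int]:
    """Tally of ADAL error codes, useful to see whether one failure dominates."""
    return dict(Counter(e.code for e in errors))


def correlation_ids(errors: List[AdalError]) -> List[str]:
    """Sorted, de-duplicated correlation IDs to quote to the service side."""
    return sorted({e.correlation_id for e in errors})


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e in found:
        print(f"{e.timestamp} {e.code} proto={e.protocol_code} "
              f"corr={e.correlation_id} :: {e.details}")
    print("by code:", count_by_code(found))
    print("correlation ids:", correlation_ids(found))
```

The correlation IDs are the useful part when escalating: they let the service side look up what the token request actually hit, which, as the post goes on to show, can be something the client log never mentions.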

After going through a lot of troubleshooting steps, including verifying the APNs certificate expiry date in the SQL database, settings and so on, I finally reached out to Microsoft to check what was happening behind the scenes; there is nothing for us to troubleshoot on the Intune side.

After spending a few hours with a Microsoft support engineer, they told me that the APNs certificate that had been uploaded was corrupted and that the MDM authority needed to be reset to fix the issue.

To reset the MDM authority, I needed to perform the following actions:

1. Remove the users from the Intune user group: point the Intune subscription to an empty user collection, or remove all users from the targeted collection, and confirm in CloudUserSync.log that the users have been removed.

2. Uncheck the iOS platform to purge the APNs certificate.

3. Delete any and all published applications that target MDM devices.

4. Delete any and all policies that target MDM devices.

5. Remove the Windows Intune Connector from within the Configuration Manager console.

6. Remove the Intune subscription by right-clicking the subscription and selecting Delete.

7. Restart the SMS Executive service.

Once you are done with these steps, the Microsoft engineer will reset the MDM authority, after which iOS devices enroll successfully.

After you change the MDM authority from Intune to SCCM, devices that are already enrolled in Intune switch to SCCM; it can take up to 8 hours for these devices to reappear in your SCCM console.

What you need to consider (best practice) while switching your MDM authority from Intune to Configuration Manager is that you should use in SCCM the same APNs certificate that was used in standalone Intune, but renewed: renew the APNs certificate that Intune was using, download it from Apple and upload it into SCCM, to avoid corrupting the APNs certificate.

Reference: https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/change-mdm-authority
