Smartphone enrolment (Apple)

mimi1255
Here to help

Smartphone enrolment (Apple)

Hello, 

 

I get a problem with Meraki Dashboard to enroll an iphone. 

I have set up the Apple Business Manager with Azure AD to sync my users (it works I get my users in Apple Business Manager). 

In Meraki Dashboard (ADE) I can see my iphone in the console (the sync with Apple Business Manager works correctly). 

 

I enabled these settings regarding the end user enrollment:

mimi1255_1-1663769206996.png

 

 

I enabled these settings regarding the end user settings:

mimi1255_0-1663769123195.png

 

In Azure I created this : 

mimi1255_2-1663769292319.png

mimi1255_3-1663769322195.png

mimi1255_4-1663769357479.png

 

And the secret : 

mimi1255_5-1663769410932.png

 

From the mobile (iphone) I get this screen : 

mimi1255_6-1663769478800.png

 

Then when I fill login with the email address and password it does not work (incorrect login or password) : 

mimi1255_7-1663769529877.png

 

I used an account synchronized in Apple Business Manager. 


Could you help me please ? 


Thanks. 

 

 

 

 

 

 

11 Replies 11
BlakeRichardson
Kind of a big deal
Kind of a big deal

@mimi1255  The account credentials it is asking for at enrolment are for a Meraki administrators account I believe, NOT your Azure AD.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
mimi1255
Here to help

Hello @BlakeRichardson are you sure? because with an android device it works with the Azure AD account of a user authorized to enroll the mobile. 

When I assign a profile in meraki (within Apple ADE menu), is it necessary to specify this URL ? 

mimi1255_0-1663833085284.png

 

beks88
A model citizen

Enrollment redirect URL is just for a custom designed log in page upon Authentication.

 

 

The Meraki docs still state, that Azure AD through DEP isn't supported, maybe someone from support can confirm.

https://documentation.meraki.com/SM/Device_Enrollment/SM_Enrollment_Authentication

 

 

However, if you are using User Enrollment there is currently a known issue I reported a few days ago

https://community.meraki.com/t5/Mobile-Device-Management/iOS-16-iPad-OS-16-already-known-issues/m-p/...

 

 

I'm referring to "known issue" since it has already been discovered by Microsoft in terms of updating a "user enrolled" device

https://techcommunity.microsoft.com/t5/intune-customer-success/ios-ipados-15-devices-enrolled-with-u...

mimi1255
Here to help

Thank you for your reply @beks88.

When you say : The Meraki docs still state, that Azure AD through DEP isn't supported, maybe someone from support can confirm.

https://documentation.meraki.com/SM/Device_Enrollment/SM_Enrollment_Authentication

 

In addition they said we can select the authentication mode in the list (Azure AD included) : Apple User Enrollment Deployment Guide - Cisco Meraki

 

So how can we enroll our iphones from DFU mode ? I understood we have to use the option "Manage : Use Meraki hosted accounts". But do we need to create accounts manually in Meraki ? 


Thanks.

 

beks88
A model citizen

You need to differentiate

 

To my understanding, federated authentication is only required if you need the usage of managed Apple IDs.

Managed Apple IDs are only required if you want the user to enroll via User Enrollment with his private device or you need to push books and/or apps which are user assigned.

 

If you only have Azure AD as identity provider and no real access to the Domain Controller server, your only option is Meraki hosted accounts.

The docs haven't changed this "warning" the last 4 years since my first touch with Systems Manager. Maybe you can contact support to be sure if it's finally supported. I personally never tested it.

 

But if you want to test it, I think you'll currently need a supervised device which is coming from Apple Business Manager

 

 

beks88
A model citizen

@PaulF can you confirm the docs about Azure AD with DEP are still valid and not supported?

mimi1255
Here to help

@beks88 I have a real access to the domain controller server. It is the reason I created the link with Azure AD in meraki. 
All my mobiles are coming from Apple Business Manager. These mobiles appear in Meraki (the sync between both works correctly).

My unique problem is the authenticiation when the mobile is enrolling when it starts. 

I get the organization page so I accept then I get the authentication page. 

I would like to enroll my devices in device owner. 


Thanks. 

beks88
A model citizen

With real access I meant, do you have a hybrid version of AD and can remote access to the desired Windows server or only the web page?

 

If so, you could also try to activate the authentication via SM Agent or MX (if there is one in use)

https://documentation.meraki.com/SM/Device_Enrollment/SM_Enrollment_Authentication#Active_Directory_...

 

But as you already mentioned in another reply, there is a newer docu which mentions Azure AD, I would try my luck with support than

mimi1255
Here to help

In this procedure they said : Note: If you are using Active Directory, Azure AD, Google Auth, or OpenID Connect then Owners are created automatically at the time of enrollment

 

Apple User Enrollment Deployment Guide - Cisco Meraki

 

I think this one is up to date. 

mimi1255
Here to help

Hello, 

Could you help me please ? Because I did not get a reply from the support. 

 

Thanks 

PaulF
Meraki Employee
Meraki Employee

There is an issue with iOS 16 enrollments that Engineering is working on. They have a case open with Apple as it *may* be a bug on Apple's side.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels