Troubleshooting iOS device enrollment problems in Microsoft Intune

Applies to: Microsoft Intune

What does this guide do?
Helps administrators understand and troubleshoot problems when enrolling iOS devices in Intune.

Who is it for?
Administrators who implement and oversee a Microsoft Intune environment.

How does it work?
This guide provides suggestions for troubleshooting some of the most common problems when you enroll iOS devices in Intune.

Estimated time of completion:
15-30 minutes.

Before you start troubleshooting, it’s important to collect some basic information. This information can help you better understand the problem and reduce the time to find a resolution. 

Collect the following information about the problem:

  • What is the exact error message?
  • Where do you see the error message?
  • When did the problem start? Has enrollment ever worked? 
  • What platform (Android, iOS, Windows) has the problem?
  • How many users are affected? Are all users affected or just some?
  • How many devices are affected? Are all devices affected or just some?
  • What is the MDM authority? If it's System Center Configuration Manager, what version of Configuration Manager are you using?
  • How is enrollment being performed? Is it “Bring your own device” (BYOD) or Apple Device Enrollment Program (DEP) with enrollment profiles?

Now let's start troubleshooting based on the answers to these questions. 

Select your problem:

Symptom

Enrollment fails, and you receive the following error message:

Cause

This issue occurs if there's an unspecified problem with iOS on the device.

Resolution

To fix the issue, follow these steps:

  1. Put the device in recovery mode and then restore it. Make sure that you set it up as a new device.
     

    Note Restoring iOS deletes all data on the device. Therefore, make sure that you back up the data first.

    For more information about how to restore iOS devices, see https://support.apple.com/HT201263.

  2. Re-enroll the device.

Symptom

Enrollment fails, and you receive the following error message:

Cause

This issue occurs if your Intune tenant is configured to only allow corporate-owned devices. 

Resolution

To fix the issue, follow these steps:

  1. Sign in to the Azure portal.
  2. Select More Services, search for Intune, and then select Intune.
  3. Select Device enrollment > Enrollment restrictions.
  4. Under Device Type Restrictions, select the restriction that you want to set, select Properties > Select platforms, select Allow for iOS, and then click OK.
  5. Select Configure platforms, select Allow for personally owned iOS devices, and then click OK.
  6. Re-enroll the device.

Cause

This issue occurs if the necessary CNAME records in DNS don't exist.

Resolution

To fix this issue, create CNAME DNS resource records for your company’s domain. For example, if your company’s domain is contoso.com, create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to EnterpriseEnrollment-s.manage.microsoft.com.

Although creating CNAME DNS entries is optional, CNAME records make enrollment easier for users. If no enrollment CNAME record is found, users are prompted to manually enter the MDM server name, enrollment.manage.microsoft.com.

If there's more than one verified domain, create a CNAME record for each domain. The CNAME resource records must contain the following information:
 

TYPE    Host name                                    Points to                                      TTL
CNAME   EnterpriseEnrollment.company_domain.com      EnterpriseEnrollment-s.manage.microsoft.com    1 Hr
CNAME   EnterpriseRegistration.company_domain.com    EnterpriseRegistration.windows.net             1 Hr

If your company uses multiple domains for user credentials, create CNAME records for each domain.

Note Changes to DNS records might take up to 72 hours to propagate. You can't verify the DNS change in Intune until the DNS record propagates.
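
The following Python check is an added example, not part of the original guide or any Microsoft tooling. It audits the two CNAME records listed above for every verified domain and flags records that are missing or that point to an unexpected target. The function names, the fabrikam.com domain, and the observed records are constructed for illustration; in practice the observed targets would be collected with a DNS query tool such as `nslookup -type=CNAME <host>`.

```python
# Added example: audit Intune enrollment CNAME records for several verified domains.
# Expected targets come from the table above; the observed records are constructed.

EXPECTED = {
    "EnterpriseEnrollment": "EnterpriseEnrollment-s.manage.microsoft.com",
    "EnterpriseRegistration": "EnterpriseRegistration.windows.net",
}


def norm(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.strip().rstrip(".").lower()


def audit_cnames(domains, observed):
    """Return (host, status, detail) tuples for every expected record.

    observed maps a host name to the CNAME target seen in DNS (assumed to be
    collected separately); a host that is absent from it has no record.
    """
    seen = {norm(host): norm(target) for host, target in observed.items()}
    findings = []
    for domain in domains:
        for label, target in EXPECTED.items():
            host = norm(f"{label}.{domain}")
            actual = seen.get(host)
            if actual is None:
                findings.append((host, "MISSING", f"create CNAME to {target}"))
            elif actual != norm(target):
                findings.append((host, "MISMATCH", f"points to {actual}"))
            else:
                findings.append((host, "OK", actual))
    return findings


# Constructed sample data: contoso.com is correct; fabrikam.com has one record
# pointing at an unexpected target and lacks the other record entirely.
SAMPLE_DOMAINS = ["contoso.com", "Fabrikam.com"]
SAMPLE_OBSERVED = {
    "enterpriseenrollment.contoso.com.": "EnterpriseEnrollment-s.manage.microsoft.com.",
    "EnterpriseRegistration.contoso.com": "enterpriseregistration.windows.net",
    "EnterpriseEnrollment.fabrikam.com": "mdm.fabrikam.example",
}

if __name__ == "__main__":
    for host, status, detail in audit_cnames(SAMPLE_DOMAINS, SAMPLE_OBSERVED):
        print(f"{status:8} {host} ({detail})")
```

A MISMATCH result deserves the same attention as a MISSING one, because the enrollment host name then resolves somewhere other than the Microsoft endpoint listed in the table.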

Cause

This issue occurs if you enroll a device that was previously enrolled with a different user account, and the previous user was not appropriately removed from Intune. 

Resolution

To fix this issue, follow these steps:

  1. Cancel any current profile installation.
  2. Open https://portal.manage.microsoft.com in Safari. 
  3. Re-enroll the device.

    Note If enrollment still fails, remove cookies in Safari (don't block cookies), then re-enroll the device.

Cause

This issue occurs if the device is already enrolled with another MDM provider.

Resolution

To fix this issue, follow these steps:

  1. Open Settings on the iOS device, and go to General > Device Management.
  2. Remove any existing management profile.
  3. Re-enroll the device.

Cause

This issue occurs if the user who is trying to enroll the device does not have a Microsoft Intune license. 

Resolution

To fix this issue, follow these steps:

  1. Go to the Office 365 Admin Center, and then choose Users > Active Users.
  2. Select the user account that you want to assign an Intune user license to, and then choose Product licenses > Edit.
  3. Switch the toggle to the On position for the license that you want to assign to this user, and then choose Save.
  4. Re-enroll the device.

Symptom

Enrollment fails, and you receive the following error message:

Cause

This issue occurs if an Apple MDM push certificate isn't configured in Intune, or the certificate is invalid. 

Resolution

Symptom

Enrollment fails, and you receive the following error message:

Cause

This issue occurs if the Company Portal app is out of date or corrupted.  

Resolution

To fix this issue, follow these steps:

  1. Remove the Company Portal app from the device.
  2. Download and install the Microsoft Intune Company Portal app from the App Store.
  3. Re-enroll the device.

Cause

This issue occurs if the user tries to enroll more devices than allowed.

Resolution

To fix this issue, follow these steps:

  1. Open the Intune portal, go to Devices > All Devices, and check the number of devices the user has enrolled.
  2. Go to Admin > Mobile Device Management > Enrollment Rules, and check the device enrollment limit. By default, the limit is set to 15.
  3. If the number of devices enrolled has reached the limit, remove unnecessary devices, or increase the device enrollment limit.

    Note Because every enrolled device consumes an Intune license, we recommend that you always remove unnecessary devices first.
  4. Re-enroll the device.

Symptom

Enrollment fails, and you receive the following error message:

Cause

This issue occurs if the user tries to enroll more devices than the device enrollment limit.

Resolution

To fix this issue, follow these steps:

  1. Open the Intune admin portal, go to Devices > All Devices, and check the number of devices the user has enrolled.

    Note You should also have the affected user log on to the Intune user portal and check the devices that are enrolled. There may be devices that appear in the Intune user portal but not in the Intune admin portal. Such devices also count toward the device enrollment limit.
  2. Go to Admin > Mobile Device Management > Enrollment Rules, and check the device enrollment limit. By default, the limit is set to 15.
  3. If the number of devices enrolled has reached the limit, remove unnecessary devices, or increase the device enrollment limit.

    Note Because every enrolled device consumes an Intune license, we recommend that you always remove unnecessary devices first.
  4. Re-enroll the device.

Symptom

Enrollment fails, and you receive the following error message:

Cause

This issue occurs if the Company Portal app is out of date or corrupted.  

Resolution

To fix this issue, follow these steps:

  1. Remove the Company Portal app from the device.
  2. Download and install the Microsoft Intune Company Portal app from the App Store.
  3. Re-enroll the device.

Symptom

Enrollment fails, and you receive the following error message:

Cause

This issue occurs if the user who is trying to enroll the device does not have a valid Intune license. 

Resolution

To fix this issue, follow these steps:

  1. Go to the Office 365 Admin Center, and then choose Users > Active Users.
  2. Select the affected user account, and then choose Product licenses > Edit.
  3. Verify that a valid Intune license is assigned to this user.
  4. Re-enroll the device.

Symptom

Enrollment fails, and you receive the following error message:

Cause

This issue occurs if the user who is trying to enroll the device does not have a valid Intune license. 

Resolution

To fix this issue, follow these steps:

  1. Go to the Office 365 Admin Center, and then choose Users > Active Users.
  2. Select the affected user account, and then choose Product licenses > Edit.
  3. Verify that a valid Intune license is assigned to this user.
  4. Re-enroll the device.

Symptom

When you turn on a DEP-managed device that is assigned an enrollment profile, the Intune enrollment process isn't initiated.

Cause

This issue occurs if the enrollment profile is created before the DEP token is uploaded to Intune.

Resolution

To fix this issue, follow these steps:

  1. Edit the enrollment profile.

    You can make any change to the profile. The purpose is to update the modification time of the profile. 
  2. Synchronize DEP-managed devices.

    Open the Intune portal, go to Admin > Mobile Device Management > iOS > Device Enrollment Program, and then choose Sync now. A sync request is sent to Apple. 

Symptom

When you turn on a DEP-managed device that is assigned an enrollment profile, the initial setup gets stuck after you enter credentials.

Cause

This issue occurs if multi-factor authentication (MFA) is enabled. Currently, MFA doesn't work during enrollment on DEP devices.

Resolution

To fix this issue, disable MFA, and then re-enroll the device. 

Symptom

When you turn on a DEP-managed device that is assigned an enrollment profile, enrollment fails, and you receive the following error message:

Cause

This issue occurs if there's a connection issue between the device and the Apple DEP service. 

Resolution

To fix this issue, fix the connection issue, or use a different network connection to enroll the device. You may also have to contact Apple if the issue persists.
 

Symptom

Enrollment fails, and you receive the following error message:

Cause

This issue occurs if a management profile is already installed on the device. 

Resolution

To fix this issue, follow these steps:

  1. Open Settings on the iOS device, and go to General > Device Management.
  2. Tap the existing management profile, and tap Remove Management.
  3. Re-enroll the device.

Symptom

Enrollment fails, and you receive the following error message:

Cause

This issue occurs if the Apple Push Notification Service (APNs) certificate is missing, invalid or expired.

Resolution

To fix the issue, verify that a valid APNs certificate is added to Intune. For more information, see Set up iOS and Mac device management.

Congratulations! Your Intune enrollment problem is resolved. For more information about iOS device enrollment in Intune, see the following:

You can also post a question in our Microsoft Intune forum here.

For all the latest news, information and tech tips, visit our official Intune blogs:

Symptom

Enrollment fails, and you receive the following error message:

Cause

This issue occurs if there's a problem with the Apple Push Notification service (APNs) certificate configured in Intune. 

Resolution

To fix this issue, renew the APNs certificate, and then re-enroll the device.

IMPORTANT Make sure that you renew the APNs certificate. Don't replace the APNs certificate. If you replace the certificate, you have to re-enroll all iOS devices in Intune.