CxO Summary: Why This Matters for Your Organization

When corporate iOS/iPadOS devices fail to enroll properly via Apple Business Manager (ABM) and Microsoft Intune, your organization faces significant risks and operational costs. This summary outlines the business impact and the value of resolving these issues.

Business Impact

  • Security Gaps: Unsupervised devices cannot enforce critical security policies, such as mandatory encryption, app restrictions, and data loss prevention, leaving corporate data vulnerable.
  • Compliance Risks: Devices showing a "Not Contacted" status are not managed, leading to audit failures for frameworks like the CIS Benchmark, NIST 800-171, or GDPR Article 32.
  • Operational Overhead: IT teams waste valuable hours troubleshooting individual enrollment issues instead of focusing on strategic initiatives.
  • User Productivity Loss: Employees cannot access corporate resources like email, apps, and files until their device enrollment is successfully resolved.

Risk Mitigation Value

Proper ABM enrollment with device supervision is a cornerstone of a modern, secure endpoint strategy. It enables:

  • Conditional Access Enforcement: Ensures that only compliant devices can access Microsoft 365, SharePoint, and other corporate applications.
  • Zero Trust Alignment: Makes device health attestation a key part of your identity and access control strategy.
  • Automated Compliance: Policies are deployed automatically, reducing human error and ensuring consistent security posture.

ROI Context

The return on investment is clear. Manual troubleshooting for a single device can take 2-4 hours of an IT administrator's time. A properly configured automated ABM setup takes approximately 15 minutes per device. For a fleet of 100 devices, this translates to 200-400 hours of saved IT labor.

The Problem: Symptoms and Initial Observations

When an iOS/iPadOS device fails to enroll correctly through ABM, the symptoms in the Microsoft Intune admin center are consistent and clear. The device appears, but it remains in a non-functional, unmanaged state.

What You See in Intune

Navigating to Devices > iOS/iPadOS > [Device Name], you'll observe the following properties:

Property Observed Value Expected Value
Status Not contacted Managed / Compliant
Last contacted Never Recent timestamp
Supervised No Yes
Enrollment type Empty or "User Enrollment" "Automated Device Enrollment"
Management state Unmanaged Managed

Critical Observation

Despite verifying that the enrollment profile in Intune is correctly configured and assigned, the device never retrieves this profile during the Setup Assistant. This is the central clue to understanding the root cause.

Root Cause: How Post-Activation Enrollment Breaks the Flow

The issue stems from a fundamental misunderstanding of how Apple's Automated Device Enrollment (formerly DEP) works. The problem is not with Intune or ABM, but with the sequence of events during the device's initial activation.

Comparison diagram of correct vs broken ABM enrollment flows
Correct enrollment flow vs. broken flow when device is added to ABM after activation

The Critical Sequence Problem

Here's what typically happened:

  1. The device was activated and set up before being added to Apple Business Manager.
  2. After activation, Apple Configurator was used to manually add the device to ABM.
  3. The device was then correctly assigned to the Intune MDM server in ABM and synced.
  4. The user attempts to enroll, but the device bypasses the mandatory ABM enrollment profile.

Why This Breaks Enrollment

Apple's enrollment logic is tied to the device's very first boot sequence:

  • When a new (or factory-reset) device connects to Wi-Fi, it contacts Apple's activation servers.
  • It checks its serial number against the ABM database.
  • If found and assigned to an MDM server, it is forced to download the enrollment profile, applying supervision and management settings.
  • If not found (or if already activated), it skips this check and proceeds with a standard consumer setup. No supervision is applied.

When you add a device to ABM with Apple Configurator after it has been activated, the device's activation record is already "sealed" on Apple's servers. It will not re-check for an ABM profile on subsequent reboots. A factory reset is the only way to force this check to happen again.

The Solution: Factory Reset and Re-Enrollment

To fix this, you must guide the device back to its initial, out-of-the-box state, allowing it to correctly perform the ABM check.

Step-by-step guide for iOS device factory reset and ABM re-enrollment
Factory reset workflow to enable proper ABM enrollment

Prerequisites (Critical - Do NOT Skip)

Before you begin, ensure the following:

  • User Data Backup: Instruct the user to back up all important data to iCloud or a computer.
  • Intune Configuration Verified: Double-check that the enrollment profile is assigned to the device in Intune and that the ABM token has recently synced.
  • ABM Assignment Verified: Confirm in the ABM portal that the device is assigned to your Intune MDM server, not "Apple Configurator."

Step-by-Step Resolution

  1. Prepare Intune: Manually sync your ABM token in Intune (Devices > iOS/iPadOS enrollment > Enrollment program tokens > Sync) and verify the device has the correct profile assigned.
  2. Factory Reset the Device: On the iOS/iPadOS device, go to Settings > General > Transfer or Reset > Erase All Content and Settings. This is non-negotiable; a simple settings reset will not work.
  3. Re-run Setup Assistant: Proceed through the initial setup screens (Language, Region). When you connect to Wi-Fi, the device will contact Apple's servers.
  4. The Critical Moment: The "Remote Management" screen will appear, indicating that the device has successfully found its assignment in ABM. Proceed with the on-screen instructions to authenticate with Microsoft Entra ID.
  5. Verify Success: Once setup is complete, check the device's status in Intune. It should now show as Supervised and Managed, with a recent contact time.
Visual comparison of failed versus successful ABM enrollment
Failed enrollment (left) vs. successful supervised enrollment (right)

Prevention: Avoiding This Issue in the Future

Fixing the problem is good, but preventing it is better. Implement these best practices to ensure a smooth, zero-touch enrollment experience from day one.

Best practice workflow for corporate iOS device procurement and ABM enrollment
Recommended procurement workflow for zero-touch ABM enrollment

Best Practice 1: Procure Devices Through Authorized Channels

  • Always purchase devices from Apple or an Apple Authorized Reseller.
  • Provide your Apple Customer Number or Reseller ID at the time of purchase.
  • This ensures devices are automatically added to your ABM account before they are shipped, making them ready for zero-touch enrollment out of the box.

Best Practice 2: Establish a Clear Device Procurement Policy

Create a formal policy that prohibits employees from purchasing corporate devices from retail stores. Enforce this through your expense policies and asset management procedures.

Best Practice 3: Use Intune Enrollment Restrictions and Conditional Access

  • Configure Enrollment Restrictions in Intune to block personally owned iOS/iPadOS devices from enrolling.
  • Implement a Conditional Access policy that requires devices to be marked as compliant before they can access corporate resources. This provides a powerful business justification for enforcing proper enrollment procedures.

Complex IT? I make it simple – with M365, which protects, scales, and brings clarity. For SMEs that rely on smart solutions.

Call to Action

Need help streamlining your iOS device management, setting up ABM, or troubleshooting complex Intune issues? Visit https://easym365.de for expert consulting and hands-on support. For more technical deep dives, check out the EndlessTech Blog.