iOS Device Registration Issue – Duplicate Devices
After configuring a Conditional Access policy to require compliant devices, I noticed that users' iOS devices were failing the compliance check. Further investigation showed the devices as listed in Intune were compliant, but when looking in Azure AD, the user would have two devices: one compliant and Intune managed, and one not compliant. The Azure AD Device ID in Intune corresponded to the compliant, Intune-managed device listed in Azure AD, as expected. The sign-in logs indicated the device (Device ID) failing the compliance check in the Conditional Access policy was the non-Intune-managed device that was showing as not compliant in Azure AD.
Devices are personally owned (BYOD). We were using an Account Driven User Enrollment policy. Device enrollment into Intune seemed to be successful, with no errors indicated. Devices were receiving the required apps upon enrollment.
I've successfully reproduced the issue numerous times using a test device and test account. After enrolling into Intune, there is only one device, non-MDM managed, in Azure AD (the device does show in Intune as compliant). Upon signing into the Company Portal app, the second, Intune-managed device shows up in the Azure AD list. However, the device doesn't pass the Conditional Access policy when using apps such as Outlook; the sign-in logs indicate the Conditional Access policy failed due to a non-compliant device. The Device ID indicated corresponds with the non-MDM-managed device in Azure AD.
Switching to user enrollment with the Company Portal, and using the Company Portal app to enroll, everything works, and I only end up with one device in Azure AD.
I'm going crazy trying to resolve this. Account driven user enrollment was a few clicks easier for my very non-technical user base. Any insight or thoughts would be appreciated! I've got 100 devices enrolled, and I'm really not looking forward to having to re-enroll them all.
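The post correlates three views of the same phone by Device ID: Intune's managed device (its AzureAdDeviceId), the Azure AD / Entra ID device objects registered to the user, and the deviceDetail.deviceId carried in the failing sign-in. The following Microsoft Graph PowerShell script is an added diagnostic example, not code from the original post, that performs that correlation for one user so you can see which Azure AD object Intune actually knows about and which object the Conditional Access failure was evaluated against. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in admin can consent to the listed read scopes, and that `$Upn` (placeholder value `user@contoso.com`) is the affected user's UPN.

```powershell
# Added example (not from the original post). Correlates Intune, Entra ID (Azure AD)
# and sign-in log device IDs for one user. $Upn is a placeholder you must replace.
param([string]$Upn = "user@contoso.com")

Connect-MgGraph -Scopes "User.Read.All", "Device.Read.All",
    "DeviceManagementManagedDevices.Read.All", "AuditLog.Read.All" -NoWelcome

# 1. Every device object registered to the user in Entra ID. The cmdlet returns
#    directoryObjects, so the device properties live in AdditionalProperties.
#    DeviceId (not the object Id) is the value Intune and the sign-in log use.
$entraDevices = Get-MgUserRegisteredDevice -UserId $Upn -All | ForEach-Object {
    $p = $_.AdditionalProperties
    [pscustomobject]@{
        ObjectId    = $_.Id
        DeviceId    = [string]$p['deviceId']
        DisplayName = $p['displayName']
        OS          = $p['operatingSystem']
        TrustType   = $p['trustType']
        IsManaged   = $p['isManaged']
        IsCompliant = $p['isCompliant']
        MdmAppId    = $p['mdmAppId']
    }
} | Where-Object { $_.OS -match '^(iOS|iPhone|iPad)' }

# 2. Intune's view: managed devices for the user and the Entra device ID each claims.
$intuneDevices = Get-MgDeviceManagementManagedDevice `
    -Filter "userPrincipalName eq '$Upn'" -All |
    Select-Object DeviceName, OperatingSystem, ComplianceState, ManagementAgent,
        AzureAdDeviceId, EnrolledDateTime

# 3. Join the two: flag Entra objects that Intune does not reference at all.
$intuneIds = @($intuneDevices.AzureAdDeviceId | ForEach-Object { $_.ToLowerInvariant() })
$report = foreach ($d in $entraDevices) {
    $d | Add-Member -NotePropertyName InIntune `
        -NotePropertyValue ($intuneIds -contains $d.DeviceId.ToLowerInvariant()) -PassThru
}

"`nIntune managed devices for $Upn"
$intuneDevices | Format-Table -AutoSize
"Entra ID iOS device objects registered to $Upn"
$report | Format-Table ObjectId, DeviceId, DisplayName, TrustType, IsManaged, IsCompliant, InIntune -AutoSize

# 4. Recent Conditional Access failures and the device ID each token request carried.
$failures = Get-MgAuditLogSignIn `
    -Filter "userPrincipalName eq '$Upn' and conditionalAccessStatus eq 'failure'" -Top 25

"Conditional Access failures (device ID as seen by the policy)"
foreach ($f in $failures) {
    $id  = [string]$f.DeviceDetail.DeviceId
    $obj = $report | Where-Object { $_.DeviceId -and ($_.DeviceId -ieq $id) }
    $verdict = if (-not $id)        { 'no device id in the sign-in (unregistered)' }
               elseif (-not $obj)   { 'device id not registered to this user' }
               elseif ($obj.InIntune) { 'the Intune-managed object; check compliance state' }
               else                 { 'object unknown to Intune (the duplicate)' }
    $policies = ($f.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -eq 'failure' } | ForEach-Object { $_.DisplayName }) -join ', '
    "{0:u} {1,-22} device={2} managed={3} compliant={4} [{5}] -> {6}" -f `
        $f.CreatedDateTime, $f.AppDisplayName, $id, $f.DeviceDetail.IsManaged,
        $f.DeviceDetail.IsCompliant, $policies, $verdict
}
```

Run it as `.\Compare-DeviceIds.ps1 -Upn test.user@yourtenant.com` (script name and UPN are placeholders). In the scenario described in the post, the second table should show two iOS objects for the user with only one marked `InIntune = True`, and the failure lines should point at the other one. The comparison is case-insensitive because the GUID casing differs between the Intune and Entra endpoints; the script only reads data and changes nothing in the tenant.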