This week is all about just-in-time (JIT) registration and compliance remediation. Not something completely new, but it’s new that it’s now available for all iOS and iPadOS enrollments. In a way this post is a follow-up, or deeper dive, to this post about getting started with web-based device enrollment. While that post was really focused on the web-based device enrollment, this post is focused more on a specific feature that’s also used for web-based device enrollment. That feature is JIT registration. JIT registration, however, can be used for more than just the registration of the device. It can also be used for the compliance remediation of the device. This post will start with a short introduction to JIT registration and JIT compliance remediation, followed with the configuration steps. This post will end with experiencing JIT registration and JIT compliance remediation.
Introducing just-in-time registration and compliance remediation
It basically – maybe a bit obviously – all starts with JIT registration. JIT registration enables users to perform the device enrollment from a work or school app (e.g. Microsoft Teams app). That also means that when relying on JIT registration, the Intune Company Portal app is not required for the device enrollment. That behavior can be achieved because JIT registration utilizes the Apple Single Sign-On (SSO) extension to complete the registration in Microsoft Intune. The best part is that basically any app – Microsoft and non-Microsoft – that’s configured with the Apple SSO extension, can be used to perform the device registration and eventually the compliance remediation. That Apple SSO extension drastically reduces the authentication prompts for the user on the device and establishes SSO on the whole device.
Besides that, JIT compliance remediation is the icing on the cake. JIT compliance remediation is automatically enabled on devices that are relying on JIT registration and that are targeted with compliance policies. The best part of it is that the compliance remediations happens automatically and immediately in an embedded flow within the app that the user is using for the registration of the device (e.g. Microsoft Teams app). Through that flow, the user can see the compliance status of the device and can eventually take additional steps to remediate any issues. When the device is non-compliant, the Intune Company Portal website is used to show the reason of being non-compliant. JIT compliance remediation does not rely on JIT registration to be the enrollment flow. In other words, it can also be used on devices that are already enrolled.
Note: JIT compliance remediation can also be used for existing devices to provide the embedded compliance flow.
Configuring just-in-time registration
When looking at the required configuration for JIT registration and JIT compliance registration, it’s all about the configuration of the Apple SSO extension. That extension is utilized by JIT registration and JIT compliance registration, and relies on the Microsoft Authenticator app. To configure JIT registration, which is the starting point of both functionalities, a Device features profile can be used. The following eight steps walk through the minimal required configuration.
- Open the Microsoft Intune admin center portal and navigate to Devices > iOS/iPadOS > Configuration profiles
- On the iOS/iPadOS | Configuration profiles blade, click Create profile
- On the Create a profile blade, provide the following information and click Create
- Platform: Select iOS/iPadOS to create a profile for iOS and iPadOS devices
- Profile type: Select Templates > Device features to configure the required setting
- On the Basics page, provide the following information and click Next
- Name: Provide a name for the profile to distinguish it from other similar profiles
- Description: (Optional) Provide a description for the profile to further differentiate profiles
- Platform: (Greyed out) iOS/iPadOS
- Profile type: (Greyed out) Device features
- On the Configuration settings page, as shown below in Figure 1, perform at least the following actions and click Next
- Navigate to Single sign-on app extension and configure the following settings
- With SSO app extension type select Microsoft Entra ID as type
- With Additional configuration add at least the following key-value pairs
- Configure device_registration as key, of the String type, with the value {{DEVICEREGISTRATION}}
- (Optional) Configure browser_sso_interaction_enabled as key, of the Integer type, with the value 1
Note: The latter setting, of browser_sso_interaction_enabled, can be used to also enable SSO within Safari.
- On the Scope tags page, configure the required scope tags and click Next
- On the Assignments page, configure the assignment and click Next
- On the Review + create page, verify the configuration and click Create
Important: Keep in mind that the Apple SSO extension relies on the Microsoft Authenticator app.
Experiencing just-in-time registration and compliance remediation
After applying the configuration for JIT registration and JIT compliance remediation, it’s pretty straight forward to experience the behavior. Even when the device is already registered. The easiest method to get the whole experience, is by making sure that the device is not yet registered. And that can nowadays even be on a personal device. A personal device is in this case also the easiest method to get the whole experience. Below in Figure 2 is the starting point when the user tries to access corporate resources through an app that is configured with the Apple SSO extension. In this example the Microsoft Teams app was used. As soon as the user tries to connect their work or school account, the JIT registration experience is triggered. That starts the enrollment of the device without the Company Portal app and provides a more streamlined enrollment flow.
When the device is enrolled, the JIT compliance remediation flow becomes interesting. That also relies on the same technology and configuration. Below in Figure 3 is an example of the related user experience, when the user tries to access corporate resources through an app that is configured with the Apple SSO extension. In this example the Microsoft Teams app was used. As soon as the users tries to access their work or school account, the JIT compliance and remediation flow is triggered. That provides an in-app flow for verifying the compliance of the device, as also shown in Figure 4. In general, the user won’t notice this behavior. Only when the device is non-compliant, the user will see the JIT compliance and remediation flow. For more details of the non-compliance status, the user can be redirected to the Intune Company Portal website.
Important: Keep in mind that it’s important to have the required enrollment methods configured before being able to rely on JIT registration. In this example, make sure to configure web-based device enrollment.
More information
For more information about just-in-time registration for iOS and iPadOS devices, refer to the following docs.
Discover more from All about Microsoft Intune
Subscribe to get the latest posts sent to your email.