We are in the process of migrating our MDM (Mobile Device Management) solution from MobileIron to Intune, which is an MDM solution from Microsoft. Intune supports both on-premises mailboxes and O365 mailboxes. I have successfully migrated a few pilot users to O365, and they have successfully enrolled their mobile devices with Intune. Things were moving in the right direction. So we continued the migration and, all of a sudden, a few of the migrated users who were trying to enroll their devices faced an enrollment issue.
The enrollment issue did not affect all users in the migration batch; only a few got it. So initially we thought that the issue was with Intune, and at the same time the Intune portal also mentioned a service degradation. I would like to explain exactly what the users were facing during enrollment. After downloading the Intune app, they typed their corporate email address. We have SSO enabled using our ADFS infrastructure, which is federated with O365. Ideally, after the email address is entered, the federated domain is looked up and the user is redirected to our ADFS login page. As I said before, after entering their email address, a few users got the following error message, while the rest were able to log in successfully and enroll their devices.
“An error occurred
An error occurred. Contact your administrator for more information”
We collected the logs from the Intune app for those who faced the issue. The logs mentioned “Error in issuing token”. This issue is not specific to an OS: Android and iOS devices got the same error. We did not get a chance to check with a Windows device because everyone who was facing the issue fell into the two device categories above. We worked with Intune support, and they initially told us that the issue was on the Azure and Intune end. Later they came back and told us that the issue was fixed, but the users were still facing the same issue.
We didn’t expect what was actually causing the issue. The issue was with the settings configured on our ADFS server, specifically the intranet authentication settings. We need to have both Forms-Based Authentication (FBA) and Windows Integrated Authentication (WIA) enabled for the intranet, but we had only WIA. The affected users were trying to enroll their devices over the company Wi-Fi, so they were treated as intranet users, and the Intune app does not support WIA, as Microsoft states. We had not considered this because I had worked with other applications using the same settings, and users were able to log in to those portals without any problem.
As per Microsoft’s recommendation, we enabled FBA and tested the enrollment. It worked as expected. It’s good to learn something new during every deployment, but this one took almost a week to figure out. I am writing this article to save your time in case you face the same issue. Let me know your thoughts in the comments below. Happy troubleshooting :)
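For anyone who wants to check their own ADFS farm for the same condition, here is an added example (not from the original post, and not how our team necessarily applied the change) that reads the global authentication policy and adds Forms Authentication to the intranet providers while keeping WIA. It assumes an elevated PowerShell session on an AD FS server (Windows Server 2012 R2 or later) where the ADFS module is available.

```powershell
# Added example: make sure intranet clients are offered Forms Authentication
# in addition to Windows Integrated Authentication, so clients that cannot do
# WIA (such as the Intune app on the corporate Wi-Fi) still get a login form.
# Assumption: run as an AD FS administrator on an AD FS server with the ADFS module.
Import-Module ADFS

$policy = Get-AdfsGlobalAuthenticationPolicy
Write-Host "Current intranet providers: $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
Write-Host "Current extranet providers: $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"

# Work on a copy of the intranet provider list so the existing entries are preserved.
$intranet = @($policy.PrimaryIntranetAuthenticationProvider)

if ($intranet -contains 'FormsAuthentication') {
    Write-Host "Forms Authentication is already enabled for intranet clients; nothing to change."
}
else {
    # Keep WindowsAuthentication for domain-joined browsers and append FormsAuthentication.
    $newIntranet = $intranet + 'FormsAuthentication'
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $newIntranet

    # Re-read the policy to confirm the change actually took effect on this server.
    $verify = Get-AdfsGlobalAuthenticationPolicy
    if (@($verify.PrimaryIntranetAuthenticationProvider) -contains 'FormsAuthentication') {
        Write-Host "Intranet providers are now: $($verify.PrimaryIntranetAuthenticationProvider -join ', ')"
    }
    else {
        Write-Warning "FormsAuthentication was not applied; check the AD FS admin event log."
    }
}
```

Once both providers are enabled, AD FS still offers WIA only to browsers whose user agent matches the farm's WIASupportedUserAgents list (visible via Get-AdfsProperties); other clients fall through to the forms login, which is the behaviour the Intune app needs.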