Notes from Custom app distribution and device management lab (Wednesday, June 24th, 2020):

Question: For Automated Device Enrollment customization using identity providers like Azure AD, Ping or Okta, how is the use of multi-factor authentication being supported? For context, when I log into certain services in my shop using Azure AD, I'm requested to then open the Microsoft Authenticator app on my iPhone and do something (like hit an Approve button, enter a displayed code, get a code from SMS, etc.) How does the enrollment customization handle that?

Answer: You can host whatever WebUI you want for your modern authentication view. It shouldn't matter, because all ADE is providing is a web browser-like view to host whatever URL is needed for your modern authentication; the modern authentication actions all take place within the web UI window. Once the MDM profile is downloaded and installed, the web view is automatically dismissed.


Question: Related - Does your MDM also need to be set up for the same identity provider as the one you're using in ADE, or can it be separate? For context, my shop uses SAP Cloud Identity for its identity provider, but our MDM doesn't really support Cloud Identity, so it is using Azure AD instead. Does that mean I can't use Cloud Identity for ADE enrollment customization?

Answer: Technically, it can be different, but it would make for a complex and potentially fragile setup. Ideally, the MDM server is also going to be handling the ADE authentication with the same modern authentication used for the MDM's authentication.


Question: Will we ever be able to manually add macOS devices into DEP, similarly to how we can add iOS devices using Apple Configurator?

Answer: Apple cannot comment on future plans. File Feedback to request this.


Question: Any plans to add sign in with Managed Apple IDs from the login window?

Answer: Apple cannot comment on future plans. File Feedback to request this.


Question: Will macOS ever require internet connectivity to be provisioned so that Macs cannot skip the device enrollment process?

Answer: Apple cannot comment on future plans. File Feedback to request this. User approved MDM will provide supervision on macOS Big Sur now, which may address this.


Question: Can we bring back an easier way of renewing the enrollment profile through Recovery? For context, we have received numerous Macs directly from Apple where we have had to "renew" the enrollment profile before DEP/ADE would recognize that the device was associated with our MDM; as of 10.15, the process to achieve this became quite cumbersome.

Answer: As of now, the only viable solution is to wipe and reload the OS. File Feedback to request this.


Question: During the keynote and State of the Union it was shown that App Store iOS apps can be run on Macs with Apple silicon. Would this also apply to in-house/enterprise apps? Can we just copy an .ipa file to a Mac and double-click it?

Answer: Yes, it should be possible to run any iOS apps, including in-house apps. It should work to just double-click, but test this out and post questions to the Developer Forums to get confirmation.