This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
This article helps Intune administrators understand and troubleshoot problems when enrolling iOS/iPadOS devices in Intune. See Troubleshoot device enrollment in Microsoft Intune for additional, general troubleshooting scenarios.
The following table lists errors that end users might see while enrolling iOS/iPadOS devices in Intune.
| Error message | Issue | Resolution |
|---|---|---|
| NoEnrollmentPolicy | No enrollment policy found | The Apple Push Notification Service (APNs) certificate is missing, invalid, or expired. Check that enrollment has been set up correctly and that iOS/iPadOS as a platform is enabled. For instructions, see Set up iOS/iPadOS and Mac device management,Get an Apple MDM push certificate, and Renew Apple MDM push certificate. |
| DeviceCapReached | Too many mobile devices are enrolled already. | The user must remove one of their currently enrolled mobile devices from the Company Portal before enrolling another. See detailed instructions here. |
| Company Portal Temporarily Unavailable | The Company Portal app on the device is out of date or corrupted. | Remove the app, validate user credentials, and then reinstall the app. See detailed instructions here. |
| APNSCertificateNotValid | There's a problem with the certificate that lets the mobile device communicate with your company's network. |
The Apple Push Notification Service (APNs) provides a channel to contact enrolled iOS/iPadOS devices. Enrollment will fail and this message will appear if:
Important: Make sure that you renew the APNs certificate. Don't replace the APNs certificate. If you replace the certificate, you have to re-enroll all iOS/iPadOS devices in Intune. For Intune standalone, see Renew Apple MDM push certificate. For Microsoft 365, see Create an APNs Certificate for iOS devices. |
| AccountNotOnboarded | There's a problem with the certificate that lets the mobile device communicate with your company's network. | The Apple Push Notification Service (APNs) provides a channel to contact enrolled iOS/iPadOS devices. Enrollment will fail and this message will appear if:
|
| DeviceTypeNotSupported | The user might have tried to enroll using a non-iOS device. The mobile device type that you're trying to enroll isn't supported. Confirm that device is running iOS/iPadOS version 8.0 or later. |
Make sure that your user's device is running iOS/iPadOS version 8.0 or later. |
| UserLicenseTypeInvalid | The device can't be enrolled because the user's account isn't yet a member of a required user group or the user doesn't have the correct license. |
Users must have the correct license type for the mobile device management authority. For example, they'll see this error if Intune has been set as the MDM authority, but the user has a System Center 2012 R2 Configuration Manager license. Review Set up iOS/iPadOS and Mac management with Microsoft Intune and information about how to set up users in Sync Active Directory and add users to Intune and organizing users and devices. |
| MdmAuthorityNotDefined | The mobile device management authority hasn't been defined. |
The mobile device management authority hasn't been set in Intune. Review item #1 in the Step 6: Enroll mobile devices and install an app section in Get started with a 30-day trial of Microsoft Intune. |
This section includes token sync errors related to Apple Automated Device Enrollment (ADE):
| Error message | Cause | Solution |
|---|---|---|
| Expired or invalid token | The token may be expired, revoked, or malformed. | Renew the token. If you have any issues renewing the token, contact the Intune support team, as you may need to use a new public key on the existing MDM server in Apple Business Manager or Apple School Manager: Preferences > MDM Server Settings > Upload Public Key. |
| Access denied | Intune can't talk to Apple anymore. For example, Intune has been removed from the MDM server list in Apple Business Manager or Apple School Manager. The token has possibly expired. | 1. Verify whether your token has expired, and if a new token was created. 2. Check to see if Intune is in the MDM server list |
| Terms and conditions not accepted | New terms and conditions (T&C) need to be accepted in Apple Business Manager or Apple School Manager. | Accept the new T&C in Apple Apple Business Manager or Apple School Manager Portal. Note: This must be done by a user with the Administrator role in Apple Business Manager or Apple School Manager. |
| Internal server error | Needs further investigation | Contact the Intune support team, as additional logs are needed |
| Invalid support phone number | The support phone number is invalid. | Edit the support phone number for your profiles. |
| Invalid configuration profile name | The configuration profile name is either invalid, empty, or too long. | Edit the name of the profile. |
| Invalid cursor | The cursor was rejected by Apple or not found. | Contact the Intune support team. They can retry syncing from the Intune service. |
| Cursor expired | The cursor is expired on Intune's side. | Contact the Intune support team. They can retry syncing from the Intune service. |
| Required cursor | The cursor wasn't initially set by Intune during the sync. | Contact the Intune support team to fix the sync and return the cursor. |
| Apple profile not found | Multiple possible causes | Create a new profile, and assign the profile to devices. |
| Invalid department entry | The department field entry is invalid | Edit the department field for your profiles. |
If the ADE token upload fails, you might see an error message that resembles the following:
An error occurred.
An error occurred while uploading the Enrollment Program token. Request ID: AjaxError: ajaxExtended call failed
In this case, try the following steps to create a new token:
Sign in to Graph Explorer as an Intune administrator.
Run a GET request to enumerate the tokens in the tenant by using the following URL:
https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings
If necessary, grant consent and rerun the request.
Find the GUID of the token that needs to be renewed.
Run a GET request to get the public encryption key of the token by using the following URL:
https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings/<TokenGuid>/getEncryptionPublicKey
The response looks like the following example:
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#Edm.String",
"value": "-----BEGIN CERTIFICATE-----SOMEBASE64STRING==-----END CERTIFICATE-----"
}
Copy the value from the response and create a text file as follows. Then, save the text file as a .pem file. For example, token.pem.
Important
The file contains three lines, and there are no link breaks in the base64 string.
-----BEGIN CERTIFICATE-----
SOMEBASE64STRING==
-----END CERTIFICATE-----
Sign in to Apple Business Manager or Apple School Manager and find the token server that needs to be updated. Then, select Edit.
In the MDM Server Settings section, upload the .pem file, and then select Save.
Note
If you receive an error message indicating the file format is incorrect, make sure that the file is created according to step 5. After the file format is fixed, close the page and select Edit again.
Select Download Token to download the new token.
Sign in to Intune and select to refresh the downloaded token.
This section provides troubleshooting steps for these additional scenarios:
Enrolling ADE devices with user affinity requires WS-Trust 1.3 Username/Mixed endpoint to be enabled to request user tokens. Active Directory enables this endpoint by default. If WS-Trust 1.3 isn't enabled, Automated Device Enrollment (ADE) iOS/iPadOS devices can't be enrolled.
To get a list of enabled endpoints, use the Get-AdfsEndpoint PowerShell cmdlet and looking for the trust/13/UsernameMixed endpoint. For example:
Get-AdfsEndpoint -AddressPath "/adfs/services/trust/13/UsernameMixed"
For more information, see Get-AdfsEndpoint documentation and Best practices for securing Active Directory Federation Services. For help with determining if WS-Trust 1.3 Username/Mixed is enabled in your identity federation provider, contact Microsoft Support if you use AD FS. Otherwise, contact your third-party identity vendor.
This error indicates that the Company Portal app is out of date or corrupted.
Solution:
The error "User Name Not Recognized. This user account isn't authorized to use Microsoft Intune. Contact your system administrator if you think you have received this message in error." indicates that the user who is trying to enroll the device doesn't have a valid Intune license.
When you turn on an ADE-managed device that is assigned an enrollment profile, enrollment fails, and you receive the following error message:
asciidoc
mobileassetd[83] <Notice>: 0x1a49aebc0 Client connection: XPC_TYPE_ERROR Connection invalid <error: 0x1a49aebc0> { count = 1, transaction: 0, voucher = 0x0, contents = "XPCErrorDescription" => <string: 0x1a49aee18> { length = 18, contents = "Connection invalid" } }
iPhone mobileassetd[83] <Notice>: Client connection invalid (Connection invalid); terminating connection
iPhone com.apple.accessibility.AccessibilityUIServer(MobileAsset)[288] <Notice>: [MobileAssetError:29] Unable to copy asset information from https://mesu.apple.com/assets/ for asset type com.apple.MobileAsset.VoiceServices.CombinedVocalizerVoices
iPhone mobileassetd[83] <Notice>: 0x1a49aebc0 Client connection: XPC_TYPE_ERROR Connection invalid <error: 0x1a49aebc0> { count = 1, transaction: 0, voucher = 0x0, contents = "XPCErrorDescription" => <string: 0x1a49aee18> { length = 18, contents = "Connection invalid" }
Cause: There's a connection issue between the device and the Apple ADE service.
Solution: Fix the connection issue, or use a different network connection to enroll the device. You may also have to contact Apple if the issue persists.
Cause: The enrollment is blocked by a device type restriction.
Solution:
When you turn on an ADE-managed device that is assigned an enrollment profile, the Intune enrollment process isn't initiated.
Cause: The enrollment profile is created before the ADE token is uploaded to Intune.
Solution:
When you turn on an ADE-managed device that is assigned an enrollment profile, the initial setup sticks after you enter credentials.
Cause: Multifactor authentication (MFA) is enabled. Currently, MFA doesn't work during enrollment on ADE devices if the authentication method is set to Setup Assistant (legacy).
Solution: Disable MFA, and then re-enroll the device. Alternatively, change the authentication method to Setup Assistant with modern authentication.
Government users signing in from another device are redirected to the public cloud for authentication rather than the government cloud.
Cause: Microsoft Entra ID doesn't yet support redirecting to the government cloud when signing in from another device.
Solution: Use the iOS Company Portal Cloud setting in the Settings app to redirect government users' authentication towards the government cloud. By default, the Cloud setting is set to Automatic and Company Portal directs authentication towards the cloud that is automatically detected by the device (such as Public or Government). Government users who are signing in from another device will need to manually select the government cloud for authentication.
Open the Settings app and select Company Portal. In the Company Portal settings, select Cloud. Set the Cloud to Government.
Training
Certification
Microsoft 365 Certified: Endpoint Administrator Associate - Certifications
Plan and execute an endpoint deployment strategy, using essential elements of modern management, co-management approaches, and Microsoft Intune integration.