I'm facing a challenge with enrolling Apple devices through the Device Enrollment Program (DEP). When users power on their devices and reach the login screen indicating the device is managed by my organization, their sign-ins are flagged as 'risky' by Microsoft Entra ID. This results in a conditional access policy that blocks them from completing the enrollment process. The problem is that users are stuck unless IT steps in to clear the risky sign-in and mark them as safe. I'm looking for a way to enable secure enrollment without compromising our overall security posture. Has anyone else encountered this issue, and how did you resolve it?
2 Answers
It sounds like you’re dealing with a situation where the sign-in is treated as an unfamiliar login, possibly due to unusual sign-in properties. This could lead to users being flagged as risky. In our case, we don’t prevent access outright but instead require MFA for medium to high-risk sign-ins and might prompt a password reset for higher risk levels. Have you looked into your risk policies? It could help clarify whether this is affecting your DEP enrollments.
Have you checked if the login uses Multi-Factor Authentication (MFA) or if it’s happening at a trusted location? It’s important to look into what specific detection is being triggered during the sign-in process. That could help identify the underlying issue.

I did get treated as an unfamiliar sign-in and a password spray issue. The sign-in error code was 530031, indicating that a conditional access policy prevented token issuance. The specifics of the policy aren’t applied to this login, but I suspect it might be the MFA prompt for logins not from our network.
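To see which risk detection and which conditional access policy are actually hitting the enrollment sign-ins (what the second answer suggests checking, using the 530031 error code quoted above), here is an added example for the Microsoft Graph PowerShell SDK; it is not code from the thread, and it assumes the Microsoft.Graph.Reports module is installed and the signed-in admin holds the AuditLog.Read.All permission.

```powershell
# Added example, not from the original thread. Assumes Microsoft.Graph.Reports is
# installed and the caller has AuditLog.Read.All; the 7-day window is an arbitrary choice.
Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome

# Look back 7 days; Graph wants an ISO 8601 UTC timestamp in the filter.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')

# 530031 is the error code reported in the thread (token issuance blocked by a
# conditional access policy). status/errorCode is a filterable sign-in property.
$filter = "createdDateTime ge $since and status/errorCode eq 530031"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

$rows = foreach ($s in $signIns) {
    # Only keep the CA policies that actually failed, i.e. the ones that did the blocking,
    # together with the grant controls they were enforcing (for example MFA).
    $blocking = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -eq 'failure' } |
        ForEach-Object { "$($_.DisplayName) [$($_.EnforcedGrantControls -join ',')]" }

    [pscustomobject]@{
        When       = $s.CreatedDateTime
        User       = $s.UserPrincipalName
        App        = $s.AppDisplayName
        IP         = $s.IpAddress
        RiskLevel  = $s.RiskLevelDuringSignIn
        RiskState  = $s.RiskState
        Detections = ($s.RiskEventTypesV2 -join ',')   # e.g. unfamiliarFeatures, passwordSpray
        Blocking   = ($blocking -join '; ')
    }
}

# Per-sign-in view: which detection fired and which policy blocked it.
$rows | Sort-Object When | Format-Table -AutoSize

# Summary view: how often each detection/policy combination blocks an enrollment.
$rows | Group-Object Detections, Blocking |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

The Detections column tells you whether the unfamiliar sign-in properties or password spray detection is what drives the risk level, and the Blocking column names the policy and grant control, so you can compare it against the named locations and MFA requirements in your risk policies.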