Best Practices for Replacing Cell Phones with MFA in Place

Asked By TechieTaco123 On

We're getting ready to swap out over 180 cell phones in the next few weeks—about 30 iPhones and 150 Androids. Since many of these phones are for field technicians, it's important they're ready for use as soon as they can pick them up. We implemented Intune last year, so everyone has set up the company portal (for Android) or downloaded the management profile (for iOS) on their own. After enabling conditional access policies, we require multi-factor authentication (MFA) for all users.

Here's where I need some advice: If some users won't be able to come in for a few days or even weeks, what's the best strategy to ensure they can still access their accounts? Currently, our procedure involves having users re-register for MFA in Entra, adding a temporary password to their accounts, setting up their phones as corporate devices using a QR code, and pushing everything via Intune. However, that leaves users potentially unable to get through MFA if they haven't authenticated recently. Is there a better way to handle this?

5 Answers

Answered By UserHelper001 On

You might want to have users enroll the new phone at aka.ms/mfasetup before they return the old one. That way they can handle MFA without needing to reset anything, but I'm not sure how they would do that without the new phone being set up first.

Answered By GadgetGuru88 On

I've had to do this for field staff a bunch of times without ever touching a device. You can automate most of it! Just use a Temporary Access Pass (TAP) for setup. The new device should be set up using a quick TAP and QR code entry to bypass MFA. You can push all necessary apps with Intune after that, and then help them add the new device to their authenticator through aka.ms/mfasetup. Just make sure you send them the PIN separately and not with the device.

Answered By SyncMaster89 On

Definitely avoid treating device enrollment and MFA transfer as one single step. Pre-configure phones using Zero Touch or Knox so they arrive in Intune ready to go. Then use a TAP to let the user set up the Authenticator while still having their old phone's MFA active. This prevents a complete lockout on swap day!
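The two answers above both lean on a Temporary Access Pass (TAP) so the new phone can get through the first sign-in while the old phone's Authenticator registration is still active. The script below is an added example, not code from any of the posters: it issues a short-lived, single-use TAP for one user with the Microsoft Graph PowerShell SDK, then, after the swap, lists the Authenticator registrations so the old phone's entry can be retired. It assumes the Microsoft.Graph.Identity.SignIns module, an admin signed in with the UserAuthenticationMethod.ReadWrite.All scope, and the TAP authentication method already enabled in the tenant's authentication methods policy; the UPN, pickup time and lifetime are placeholders.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns

# Delegated scope that covers creating TAPs and reading/removing Authenticator methods.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

function New-SwapTap {
    <#
      Issues a TAP that only needs to cover the first sign-in on the new phone.
      Single-use and short lifetime limit the damage if the pass is intercepted:
      once the user has signed in, the pass is spent.
    #>
    param(
        [Parameter(Mandatory)] [string]   $UserPrincipalName,
        [int]      $LifetimeMinutes = 60,            # placeholder; keep as short as pickup allows
        [datetime] $StartDateTime   = (Get-Date)     # placeholder; align with the scheduled pickup
    )
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod `
        -UserId $UserPrincipalName `
        -IsUsableOnce `
        -LifetimeInMinutes $LifetimeMinutes `
        -StartDateTime $StartDateTime.ToUniversalTime()

    # Return the pass and its validity window; deliver the pass out of band
    # (phone call, separate channel), never in the box with the device.
    [pscustomobject]@{
        User      = $UserPrincipalName
        Pass      = $tap.TemporaryAccessPass
        ValidFrom = $tap.StartDateTime
        Minutes   = $tap.LifetimeInMinutes
        OneTime   = $tap.IsUsableOnce
    }
}

function Get-AuthenticatorRegistrations {
    # After the user registers the new phone at aka.ms/mfasetup, both phones
    # show up here; the CreatedDateTime tells the old one from the new one.
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserPrincipalName |
        Select-Object Id, DisplayName, DeviceTag, CreatedDateTime
}

function Remove-OldAuthenticator {
    # Retire the returned phone's registration once the new one is confirmed,
    # so a lost or unreturned old device cannot keep approving prompts.
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $MethodId
    )
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod `
        -UserId $UserPrincipalName `
        -MicrosoftAuthenticatorAuthenticationMethodId $MethodId
}

# Usage (placeholder account): issue the TAP for a pickup tomorrow at 08:00 local time.
$upn = "tech.user@example.com"
New-SwapTap -UserPrincipalName $upn -LifetimeMinutes 60 -StartDateTime (Get-Date).Date.AddDays(1).AddHours(8)

# Swap day, after the user has registered the new phone:
Get-AuthenticatorRegistrations -UserPrincipalName $upn | Format-Table
# Remove-OldAuthenticator -UserPrincipalName $upn -MethodId "<id of the old phone's entry>"
```

Run `New-SwapTap` once per technician before their pickup slot and read the pass to them over a separate channel; the old phone keeps satisfying MFA until the new Authenticator entry appears in `Get-AuthenticatorRegistrations`, at which point the old entry is removed so the returned handset is no longer a valid second factor.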

Answered By DocuDesign On

It might be helpful to create a thorough guide for users on what to do for the new phone setup. Cover the unboxing, MDM enrollment, how to add the new device to MFA, and details on returning the old phone. Depending on who your users are, staggering swaps could also lighten the load on your helpdesk.

Answered By NewbieNerd_21 On

I’m still learning about Intune, but there’s something called "device staging" that might work for you. Plus, consider using TAP for MFA instead of requiring them to re-register. This could simplify things.
