Apple ADE enrollment not prompting for Entra ID authentication during setup (Solved)
We are moving from another MDM where newly purchased Apple devices automatically enroll during setup and users are prompted early in Setup Assistant to sign in with their Entra ID credentials. That sign-in also associates the device with the correct user. In Hexnode, our new devices were able to complete setup without that enforced sign-in step, so IT had to assign the owner manually afterward. I enabled Enforce Authentication, but the test device still went through setup without asking for corporate credentials. Is this a limitation, or is there another Apple Business Manager / Automated Device Enrollment setting that needs to be configured? Also, will turning this on affect devices that are already enrolled?
Replies (4)
Hey, @noor_k,
This is not a platform limitation. Hexnode supports enforced user authentication during Apple Automated Device Enrollment so that users are prompted to sign in with their corporate identity provider credentials during Setup Assistant. For this to work, make sure the authentication requirement is applied to the ADE profile that is assigned to the device. In general, verify the following:
- The device is assigned to the correct Hexnode UEM server in Apple Business.
- The device appears under Automated Device Enrollment > Devices in Hexnode UEM after sync.
- The ADE enrollment profile assigned to the device has Enforce Authentication enabled.
- The authentication method is configured to use the required identity provider, such as Microsoft Entra ID.
- The updated ADE profile is assigned to the target devices.
- The device is erased or restarted back into Setup Assistant so it can pick up the updated ADE configuration. If the device already passed Setup Assistant before the profile was updated, it may not show the authentication screen until it goes through the ADE enrollment flow again.
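One check worth adding to the list above, from the device side rather than the console: confirm that the test Mac actually enrolled through Automated Device Enrollment at all. If it was enrolled by a manually installed profile (or not enrolled), the ADE profile and its Enforce Authentication setting never applied, which looks identical from the user's chair. The script below is an added example, not part of this thread or Hexnode's tooling. It parses the output of Apple's built-in `profiles status -type enrollment` command and classifies the state; the line format assumed ("Enrolled via DEP: Yes/No", "MDM enrollment: Yes (User Approved)/No") is taken from that command's output and the three sample outputs are constructed so the function can be exercised off a Mac.

```shell
#!/bin/sh
# Added example: classify a Mac's enrollment state from the text that
# `profiles status -type enrollment` prints (macOS built-in command).
# On a real Mac, run:   ade_state "$(profiles status -type enrollment)"
# Assumed output lines (constructed here for offline use):
#   Enrolled via DEP: Yes
#   MDM enrollment: Yes (User Approved)

# Prints exactly one of: ade-enrolled, mdm-manual, not-enrolled
#   ade-enrolled : device went through Automated Device Enrollment, so the
#                  ADE profile (and any auth requirement on it) was in play
#   mdm-manual   : enrolled in MDM, but NOT via ADE; the ADE profile never
#                  applied, so no Setup Assistant authentication could occur
#   not-enrolled : no MDM enrollment at all
ade_state() {
  input=$1
  dep=$(printf '%s\n' "$input" | awk -F': ' '/^Enrolled via DEP/ {print $2}')
  mdm=$(printf '%s\n' "$input" | awk -F': ' '/^MDM enrollment/ {print $2}')
  case "$dep" in
    Yes*) echo ade-enrolled ;;
    *)
      case "$mdm" in
        Yes*) echo mdm-manual ;;
        *)    echo not-enrolled ;;
      esac ;;
  esac
}

# Constructed sample outputs, one per state.
SAMPLE_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# Demo run over the constructed samples.
for s in "$SAMPLE_ADE" "$SAMPLE_MANUAL" "$SAMPLE_NONE"; do
  printf '%s\n---\n' "$s"
  ade_state "$s"
done
```

If the result is `mdm-manual` on a device you expected to be ADE-enrolled, the fix is on the Apple Business Manager / Hexnode assignment side (the device was never matched to the ADE profile), not on the Enforce Authentication toggle; erasing and re-running Setup Assistant without fixing the assignment will reproduce the same outcome.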
That explains part of it. I had changed the authentication setting, but the device was still able to finish setup without signing in. I may not have updated the ADE profile that was actually assigned to the device. What happens to devices that are already enrolled without authentication? Will they suddenly prompt users or get locked out after I enable this?
Enabling Enforce Authentication for ADE does not affect devices that are already enrolled. Existing devices will continue to operate normally and users should not receive a sudden authentication prompt because of this change. The setting applies to devices going through Setup Assistant after the updated ADE profile is assigned.
For devices that were already enrolled without user authentication, you do not need to re-enroll them just to associate an owner. You can use the Change Owner action in Hexnode to map those devices to the correct Entra ID user accounts. For the test device that skipped authentication, check the device entry under Automated Device Enrollment > Devices and confirm that the updated enrollment profile is assigned. After that, erase the test device and run through Setup Assistant again.
Updating the authentication requirement in both Apple Business/ADE assignment and the Hexnode ADE profile fixed it. After erasing the device and starting setup again, it prompted for Entra ID credentials and enrolled with the correct user association.