ABM – Invalid Profile during enrollment (Default Enrollment Restriction)

I stumbled upon a pretty dazzling error the other day where the solution wasn’t too obvious for me so I thought I would share my findings.

Prerequisites which all were in place:
– Apple Business Manager configured and Apple-devices where transmitted from reseller.
– Integration with Intune in place and devices successfully synced to my Intune-tenant.
– ABM-profile assigned to the successfully synced devices with User Affinity-setting configured.

During the provisioning of the device when the iPhone or iPad is turned on after the device has connected to cellular or WiFi, the ABM-profile is about to be downloaded to the device. But this time it only got prompted with “Invalid Profile”.

I tried deleting the device from Intune and re-synced ABM, I also tried modifying the settings for the ABM-profile and redeployed the ABM-token in Intune. I even tried resetting the whole ABM-integration between Intune and ABM but nothing solved my issue. The solution was instead, related to my Enrollment Restriction setup. You can find your enrollment restrictions in Endpoint Manager by going here and navigating to Devices/Enroll Devices and then Enrollment Restrictions.

Check out your Default restriction targeting All Users, and be sure to note the description of it:
This is the default Device Type Restriction applied with lowest priority to all users regardless of group membership.”

That’s what I had missed. I had made another Device type restriction with priority 1, that targeted my Intune Users and in that restriction iOS were allowed for enrollment. Beneath that one, in the Default restriction iOS was blocked. The result is that manual user driven Intune-enrollment for a mobile device works for users who are members of my Intune-Users group but the automatic enrollment by Apple Business Manager did not.

Conclusion: in other words, my bad! I had modified the default one way before the ABM-integration was in place and the regular iPhone-enrollments worked flawlessly. So be sure to double check your Enrollment Restrictions if you stumble upon any ABM Invalid Profile related errors.

