Did you know: there is a password reset token missing on some MDM-managed iOS devices (Intune)
Intune recently shared a known issue in MC203629, whereby about 1% of devices Intune enrolled with iOS 13+ do not return the token needed to allow a passcode reset. Apple has now addressed the bug in 13.3.1 and higher, however, simply updating to 13.3.1 cannot fix already-enrolled devices. Devices without a password reset token will need to update to 13.3.1, then unenroll and reenroll in the service.
How does this affect me?
Your end users will only run into this if they enrolled into Intune with iOS 13+, forget their passcode, and need to reset their passcode. If the owner of the device never needs to remove or reset the passcode using Intune, there’s no issue. If the passcode for a device is lost and you have no method outside Intune to recover it, the device will have to be factory reset and enrolled again. Devices that got into this state were typically ones that had a user alias change or had a user account disabled and then re-enabled. When they went to enroll, they did not receive the token needed to allow a passcode reset. Therefore, Intune cannot reset the passcode on these devices, either through Microsoft Endpoint Manager Intune admin UI under Remove passcode setting or by the end user Reset Passcode setting at https://portal.manage.microsoft.com.
What action do I need to take?
– Run the PowerShell script linked to in “Additional Information.” This will give you the list of affected devices.
– Make sure your end user has a backup of their data from the device (typically through iCloud or another backup offer).
– Update the impacted devices to 13.3.1, then unenroll and reenroll the device.
– Rerun the PowerShell script. If the device still shows there, then you’ll want to completely wipe the device then reenroll.
– If the device is still on the report when you re-run it, the device is not in a good state. Apple recommends wiping wcontact usithout restoring a backup and then reenrolling again.
– Any devices still on the report after trying in this state after enrolling multiple times will need a ticket with Apple to investigate further.
If your looking to better streamline your mobile devices, please check out our Enterprise Mobility Enterprise solution.
If you’d like to schedule a free one hour consultation with someone from our enterprise mobility services team please contact us
