
Bulk assign devices to iOS Enrollment Profiles in Intune


TL;DR

This script can be used to do two things: get your iOS Enrollment Tokens and Profiles from your Intune tenant, and assign a list of devices to profiles using a CSV input file.

Background

We are migrating devices from another MDM solution into Intune. As part of this process, we reassigned our corporate devices from the Apple Business portal (DEP) to our Intune tenant. We have thousands of devices that were reassigned, with about 10 different Intune profiles that they could be assigned to.

The problem is, it’s currently not possible to bulk assign profiles to DEP devices from the Intune UI. After a quick search I came across this Apple Enrollment repo that has a script base I can modify for my purpose.

Initial Run-Through

I ran through the script once to get an idea of its inputs before I began my work.

Console Output from the default script:
Assign-ProfileToDevice -id $id -DeviceSerialNumber $DeviceSerialNumber -ProfileId $ProfileID

Please specify your user principal name for Azure Authentication: [USERNAME]

Checking for AzureAD module...
DEP tokens found: 1

Please enter device serial number: [SERIAL]

Listing DEP Profiles...

1. CORP-IOS-MULTI-Covid
2. CORP-IOS-MULTI-Epic Welcome
3. CORP-IOS-MULTI-EUS Department Shared
4. CORP-IOS-MULTI-General
5. CORP-IOS-MULTI-Interpreter Services
6. CORP-IOS-MULTI-MyChart Bedside
7. CORP-IOS-MULTI-TELE-Remote Patient Monitoring
8. CORP-IOS-MULTI-TELE-Shared
9. CORP-IOS-MULTI-TrayInMotion
10. CORP-IOS-SINGLE-Dedicated
11. CORP-IOS-SINGLE-TELE-Dedicated

Select the profile you wish to assign (numerical value): 11

Success: Device assigned!

The user interaction is very simple, so I won’t really need to do anything other than adding some additional functions. I know the portion of the script I need to build actually has two steps:

  1. List each DEP Token and Profile
  2. Assign profiles to a list of devices using a CSV input

Rather than get rid of what’s already been done, I decided to add a menu in the beginning of the script that prompts you to choose how you would like to use it. That way I can still use what already exists and just add to it:

$Options = @("List all Tokens and Profiles",`
    "Assign profiles to multiple devices (requires a csv input)",`
    "Assign a profile to a single device")

Write-Host "Choose what you would like to do:"
for ($i=1;$i -le $Options.count; $i++) {
    Write-Host "$i. $($Options[$i-1])"
}
Write-Host 
[int]$ScriptPrompt = Read-Host "Enter the value for the option you would like "

Once that was added, I just needed to write the next components.

List the DEP Token and Profile

This is really simple: I need to look up the values from our tenant and display them to the user. For usability, I also want to provide an option to generate a sample CSV to be used as an input in the next step.

I can use these two lines from the existing script to get all the information I need:

$tokens = (Get-DEPOnboardingSettings)

$Profiles = (Get-DEPProfiles -id $TokenId).value

I don’t even need the token or profile ID at this point because I would rather have user-friendly names that will work to retrieve the IDs later. So I can loop through each profile within each token to generate a complete list and then write the list to the console. In my case I only have one token, so the output is pretty simple.

TokenName  ProfileName
Intune     CORP-IOS-MULTI-Covid
Intune     CORP-IOS-MULTI-Epic Welcome
Intune     CORP-IOS-MULTI-EUS Department Shared
Intune     CORP-IOS-MULTI-General

Lastly, I added a prompt for generating a sample CSV export that includes all of the values. Using that, I can export my device serial numbers from my existing MDM and designate their token and profile.

Assign profiles to a list of devices using a CSV input

After filling out my CSV, I can use my Get-InputFile function to bring the assignments in for the next step.

Once I input the file, I can recycle some of the existing code to assign it:

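# $Device is the current row of the imported CSV
$AssignedTokenName = $Device.Token
$AssignedProfileName = $Device.Profile

# Resolve the friendly token name to its ID
$SelectedToken = $tokens | Where-Object { $_.TokenName -eq "$AssignedTokenName" }
$SelectedTokenId = $SelectedToken | Select-Object -ExpandProperty id

# Look up the profiles that belong to the token resolved above, then resolve the profile name to its ID
$Profiles = (Get-DEPProfiles -id $SelectedTokenId).value
$SelectedProfile = $Profiles | Where-Object { $_.DisplayName -eq "$AssignedProfileName" }
$SelectedProfileId = $SelectedProfile | Select-Object -ExpandProperty id

# $DeviceSerial is assumed to hold the serial number from the same CSV row
$ProfileStatus = Assign-ProfileToDevice -id $SelectedTokenId -DeviceSerialNumber $DeviceSerial -ProfileId $SelectedProfileId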

I did modify the Assign-ProfileToDevice function a little bit to output a Success/Failure status so I can log my results as well.
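A pre-flight check for the CSV rows before any assignment call, added here as an example and not part of the original script: the name-to-ID lookups above return nothing on a typo and several IDs on a duplicate name, so each row is marked Ready only when its token and profile names resolve to exactly one ID and its serial has not already appeared. The `Test-AssignmentRow` function, the `SerialNumber` column name and the sample IDs and serials are assumptions; the `Token` and `Profile` columns follow the snippet above.

```powershell
# Constructed sample data; in the real script these come from the tenant lookups.
$Tokens = @([pscustomobject]@{ TokenName = 'Intune'; id = 'token-id-placeholder' })
$ProfilesByToken = @{
    'token-id-placeholder' = @(
        [pscustomobject]@{ DisplayName = 'CORP-IOS-MULTI-General';    id = 'profile-id-1' }
        [pscustomobject]@{ DisplayName = 'CORP-IOS-SINGLE-Dedicated'; id = 'profile-id-2' }
    )
}
# Constructed CSV input; the SerialNumber column name is an assumption.
$Rows = @'
SerialNumber,Token,Profile
SERIAL0001,Intune,CORP-IOS-MULTI-General
SERIAL0002,Intune,CORP-IOS-MULTI-Genral
SERIAL0001,Intune,CORP-IOS-SINGLE-Dedicated
,Intune,CORP-IOS-MULTI-General
SERIAL0003,Other,CORP-IOS-MULTI-General
'@ | ConvertFrom-Csv

function Test-AssignmentRow {
    param($Rows, $Tokens, $ProfilesByToken)
    $seen = @{}   # serial numbers already encountered in this file
    foreach ($Row in $Rows) {
        $serial = "$($Row.SerialNumber)".Trim()
        $matchedTokens = @($Tokens | Where-Object { $_.TokenName -eq $Row.Token })
        $matchedProfiles = @()
        if ($matchedTokens.Count -eq 1) {
            $matchedProfiles = @($ProfilesByToken[$matchedTokens[0].id] | Where-Object { $_.DisplayName -eq $Row.Profile })
        }
        $problem = $null
        if (-not $serial) { $problem = 'Missing serial number' }
        elseif ($seen.ContainsKey($serial)) { $problem = 'Duplicate serial number' }
        elseif ($matchedTokens.Count -ne 1) { $problem = "Token name matched $($matchedTokens.Count) tokens" }
        elseif ($matchedProfiles.Count -ne 1) { $problem = "Profile name matched $($matchedProfiles.Count) profiles" }
        if ($serial) { $seen[$serial] = $true }
        [pscustomobject]@{
            SerialNumber = $serial
            Token        = $Row.Token
            Profile      = $Row.Profile
            ProfileId    = if ($problem) { $null } else { $matchedProfiles[0].id }
            Status       = if ($problem) { "Skipped: $problem" } else { 'Ready' }
        }
    }
}

Test-AssignmentRow -Rows $Rows -Tokens $Tokens -ProfilesByToken $ProfilesByToken | Format-Table -AutoSize
```

Only rows with a `Ready` status should be passed on to the assignment call; the skipped rows can go into the same results log as the Success/Failure statuses.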

Summary

I finished copying the old script as the 3rd option and ran through my testing. Because the existing script already worked, I didn’t really have any issues come up other than normal things like making sure variables are spelled right and brackets are closed.

I did add one function to save the output file:

Function Save-Output ($FileName, $DataOutput) {
    $CurrentFolderPath = "$((Get-Location).Path)"
    $OutputPath = "$CurrentFolderPath\$FileName"

    $DataOutput | Export-CSV $OutputPath -NoTypeInformation

    Write-Host "Output saved to:"
    Write-Host -ForegroundColor Yellow "$OutputPath"

    Set-Clipboard -Value $OutputPath
}

As a final polish tip, if your script has user interaction and it outputs to a file, it can be helpful to write that file path to the clipboard using Set-Clipboard. This way your user can just paste the file path into Run to open it without needing to copy/paste manually. You can see that in the last line of the code snippet above.

That’s it. You can get the final script from my GitHub.
