Fix Slow Intune Deployments
TL;DR Intune Apps and Settings can take between 20-30 minutes to deploy on new devices using standard deployment methods. You can reduce this to almost instant deployments (under 2 minutes). Skip to the solution if you don’t care about the background.
My organization uses a large number of iOS devices that have to be configured without user affinity because they are shared by a team of people for various functions. We use Apple ADE for enrollment and we have a number of enrollment profiles that can be assigned to these devices to configure them for their various use cases.
One of these profiles included devices that are used by patients and need to be reset frequently to validate that no data was left on the device. When using the standard methods for deploying apps and settings it might take 10 minutes for apps and settings to appear on the device after it resets, or in extreme examples it could take more than an hour.
This was a big issue when there wasn’t time between patients and a device needed to be ready immediately.
The Standard Process for Configuring an Enrollment Profile
There are three main components when configuring an Enrollment Profile in Intune:
- The ADE sync, profile settings and assignments
- Dynamic groups populated based on the Enrollment Profiles
- Apps and Settings that are assigned to the dynamic groups
You create your ADE token, sync the devices from Apple Business, then create your profiles and assign them to the devices you sync. Then you create an Azure AD dynamic group that is populated based on the Enrollment Profile value. Finally, you assign any apps or settings for that profile to the dynamic group.
When a device is reset or initially configured, it gets assigned to Intune during the setup screen registration process and picks up its profile. An Azure AD and Intune device record is created and populated with information about the device. The device then gets added to its dynamic group and receives the assignments targeting that group.
The Problem
As I mentioned earlier, it seems to take 20-30 minutes for the profiles to apply after a device is reset. We opened a support case with Microsoft to try and lower this time because it was a critical issue when we needed to reset a device between patients and have it ready quickly.
Working with the first tiers of Microsoft support, they tried to indicate that this was an issue with Apple. In their words, “Intune assigns the Apps, but the Apple servers actually load the apps on the devices via VPP.” It was pretty easy to dismiss this as the issue, however, because ALL of the deployments from Intune experienced the same delay for their initial deployments. Our company wallpaper and settings loaded at the same time that the apps started to install, indicating the problem was in the assignments/deployments rather than the Apple app installations.
While going through the device reset and deployment process with another engineer as they monitored the backend logs, we discovered the actual problem, which wasn’t an issue with Intune at all. The problem with the delayed deployments was actually an Azure AD issue: it was specifically caused by the time it takes for the enrollment profile dynamic groups to populate their membership.
This also explained why we sometimes saw even longer deployment times during times of peak Azure usage. There are no established intervals for dynamic groups to update; according to Azure’s documentation they are affected by the size of your organization (and probably also subject to load on the Azure AD services).
The Solution
Once we knew the delay was being caused by the dynamic groups, the solution was just a matter of bypassing group membership altogether by deploying apps and settings to All Devices instead.
Obviously we don’t want to deploy everything to every device; that kind of defeats the purpose of having separate profiles. Not to mention we have distinct settings for single user/dedicated devices and our shared team devices.
So rather than targeting the enrollment profiles with dynamic groups, we can use device filters instead with the same criteria.
In our initial tests we deployed the critical app and its settings as required, assigned to All Devices with a filter excluding Enrollment Profiles not equal to the one we needed. (I’ve had issues using Include filters in the past, so I opted to write filters with the intention of using exclude instead.)
After configuring the assignment, I reset a device and the app loaded in 45 seconds after reaching the home screen. Further testing has since confirmed it takes less than one minute for most devices to receive the assignments configured this way.
You can get more information about how filters work from Microsoft’s Documentation.
Other Considerations
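The assignment described in this section, expressed through Microsoft Graph from PowerShell. This is an added example, not the author's configuration: the profile name, app id, use of the beta Graph endpoints and per-device VPP licensing are all assumptions.

```powershell
# Added example; every name and id below is a placeholder.
# Requires the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'DeviceManagementApps.ReadWrite.All'

$profileName = 'EXAMPLE-Patient-iPad'                  # placeholder enrollment profile name
$appId       = '00000000-0000-0000-0000-000000000000'  # placeholder Intune mobileApp id

# The filter matches every device whose enrollment profile is NOT the target.
# Applied in Exclude mode, it leaves only the target profile in scope.
$filterBody = @{
    displayName = "Not $profileName"
    platform    = 'iOS'
    rule        = "(device.enrollmentProfileName -ne `"$profileName`")"
} | ConvertTo-Json

$filter = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/assignmentFilters' `
    -Body $filterBody -ContentType 'application/json'

# One required assignment to All Devices with the filter in Exclude mode.
# The assign action replaces the app's existing assignments, so any group
# assignments that must survive have to be listed in the same array.
$assignBody = @{
    mobileAppAssignments = @(
        @{
            '@odata.type' = '#microsoft.graph.mobileAppAssignment'
            intent        = 'required'
            target        = @{
                '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget'
                deviceAndAppManagementAssignmentFilterId   = $filter.id
                deviceAndAppManagementAssignmentFilterType = 'exclude'
            }
            # Assumption: a VPP app licensed per device (no user affinity).
            settings      = @{
                '@odata.type'      = '#microsoft.graph.iosVppAppAssignmentSettings'
                useDeviceLicensing = $true
            }
        }
    )
} | ConvertTo-Json -Depth 5

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$appId/assign" `
    -Body $assignBody -ContentType 'application/json'
```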
We have expanded this fast deployment method to most of the device settings in our environment targeting large groups of devices, like our wireless profiles, the home/lock screen images, the lock screen messages, the removal of native iOS apps, etc. There are a couple things worth considering when using this method in a broader context.
You can only configure a single assignment using this method for each App, App Configuration or Device Configuration
You can only create a single assignment per app/setting targeting the All Devices group. Because of this, you can’t create multiple filters and make multiple assignments to All Devices with unique filters. Instead you would need to write a single filter to fit the device assignment that you want and pair that with a single All Devices assignment.
Because of this, we’ve made an organizational decision that this can be used for assignments targeting large groups of devices like “all shared devices” or “all iPads”. We don’t want the administrative burden of maintaining filters for individual apps that might be assigned to multiple profiles.
You can still use Include or Exclude assignments to groups
If you wanted to configure an App to deploy quickly to one profile that needs it, you can use this method targeting a single profile and still have assignments targeting traditional groups too.
You can also assign something to All Devices and exclude groups if necessary. In a case like this you will want to be mindful of how assignments apply. Anything deployed to All Devices will load immediately, and any exclusions will only take effect once the dynamic group membership applies.