A quick post this time to share with you the solution to an issue recently experienced involving Intune iOS devices in supervised mode.
When you Turn On the Supervised mode for you managed iOS devices in Intune, you get some additional features like remotely restart, rename the device or launch the Lost Mode. This will depend on the enrollment method that you select, as is only available through the Device Enrollment Program or Apple Configurator with Setup Assistant enrollment and the use case scenario is for Company owned devices.
At the following link iOS device settings to allow or restrict features using Intune you will find a detailed list of the restriction settings available for iOS devices in Intune, some restrictions are available only through supervised mode.
After enrolling some devices in Intune, the following error appeared on a group of iOS devices:
I searched on the Common error codes and descriptions in Microsoft Intune, but I couldn’t find this error message: -2016332086 (4026:Removal date in the past)
First things, first.
I recommend to follow the followoing troubleshooting steps:
- Check for any conflicts in existing compliance policies, maybe there are multiple policies assigned at user and device level with conficting settings
- Check for duplicated devices on the console and remove the one with the oldest check-in time
- Follow this procedure to change your passcode in case is expired How to reset your device passcode from the Company Portal website
- If not possible, review any restriction settings to change your passcode configured in Intune
In this case it wasn’t possible to change the passcode, and the following restrictions were configured in Intune under:
Dashboard – Device Configuration – Profiles – Profile – Device restrictions – Password:
So, the setting in red is blocking the passcode modification for the devices under supervised mode.
This is what is blocking the users to change their passcode, and because the expiration time has been passed the devices are marked as noncompliant.
In this case we are using the Intune device compliance state in conditional access strategies, to allow only devices marked as compliant to access a set of services:
With a non-compliant state, users are not able to connect to these services.
Once the Passcode modification setting was changed to Non configured:
Users were able to change their passcode on the devices and be marked as compliant.
I hope you find this helpful!
Until next time