Install iOS Roaming Client using Intune and Apple Business Manager
A DNSFilter customer shared these enhanced steps with our team, so we're passing them along to our community! These instructions are specifically for adding the DNSFilter iOS Roaming Client from the Apple Business Manager (ABM) Volume Purchase Program (VPP) store, and deploying it via Intune.
Prerequisites
- Enroll devices in the M365 tenant. This includes steps to initially enroll devices in the Intune account and set up device access. Consult Microsoft's documentation for updated processes concerning Intune
- We recommend testing any deployment on a small number of devices before deploying to an entire environment
Step one: Deploy the Roaming Client from ABM VPP
- Deploy DNSFilter – Roaming Client from ABM (business.apple.com). Select a reasonable number of licenses to meet your current and expected future needs. There is no charge for DNSFilter for this action. Assign licensing later in the DNSFilter dashboard
- Decide on a plan to deploy. One recommendation is to create a small set of test devices using an Entra group for device assignments. When testing is complete, you may use approaches such as Entra groups with dynamic assignments defined with a rule such as (device.deviceOwnership -eq "Company") -and ((device.deviceOSType -contains "iPhone") -or (device.deviceOSType -contains "iPad"))
Step two: Add the Roaming Clients to Intune
- Go to intune.microsoft.com, then on the left navigation pane, select Tenant administration
- Select Connectors and tokens
- Select Apple VPP Tokens. Find your VPP token and use the … button on the right side
- Select Sync from the context menu. This is done to accelerate a 12-hour scheduled sync cycle
- Locate the DNSFilter app under Home \ Apps \ Monitor \ By Platform \ iOS/iPadOS apps. Confirm the app appears before proceeding
Step three: Create the iOS configuration
- Download the DNSFilter .mobileconfig file. Use this to configure the licensing and other options
- Save this file into a version control system such as Git
- Create a copy for each deployment Site, e.g. one file for iPhones and another for iPads; one file for employees and another for executives. These copies are for different data
⚡️ Pro Tip: If you plan to have more than one mobile site, name the .mobileconfig with a descriptive name such as .mobileconfig-iPads.
- Using a text editor, edit this section:
<dict>
<key>site_key</key>
<string>YOUR SITE KEY HERE</string>
<key>host_name</key>
<string>{{SERIALNUMBER}}</string>
<key>dns_over_tls_enabled</key>
<false />
</dict>
- In the example above, replace YOUR SITE KEY HERE with your license key from the DNSFilter dashboard
- Make sure SERIALNUMBER is all upper case
- Refer to Intune Device Attribute Settings on Microsoft’s site, paying close attention to the paragraph regarding capitalization. Though it may well be possible to replace SERIALNUMBER with another value, not all asset tag variables have been tested
🚨 WARNING: If you deploy with the incorrect case or spelling, or wish to change the variable later, the IT administrator must remove DNSFilter from the device and then remove it from the DNSFilter web administration panel.
When done editing, use an XML validator to double check the file, then save.
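A pre-upload check for the edits described above, given here as an added example and not DNSFilter's own tooling: it parses the profile as a property list and flags a leftover placeholder site key or a host_name that is not exactly {{SERIALNUMBER}}. The function names and the sample profile wrapper are constructed for illustration, and any host_name other than {{SERIALNUMBER}} is treated as a problem because it is the only variable this guide has tested.

```python
import plistlib

PLACEHOLDER = "YOUR SITE KEY HERE"  # placeholder text from the snippet above
EXPECTED_HOST = "{{SERIALNUMBER}}"  # token and case the steps above require


def find_settings(node):
    """Yield every dict in the plist tree that has a site_key entry."""
    if isinstance(node, dict):
        if "site_key" in node:
            yield node
        for value in node.values():
            yield from find_settings(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_settings(item)


def check_profile(data: bytes) -> list:
    """Return a list of problems; an empty list means the checks passed."""
    try:
        root = plistlib.loads(data)
    except Exception as exc:  # malformed XML, or not a property list
        return [f"not a well-formed plist: {exc}"]
    blocks = list(find_settings(root))
    if not blocks:
        return ["no dict with a site_key entry found"]
    problems = []
    for block in blocks:
        key, host = block.get("site_key"), block.get("host_name")
        if not isinstance(key, str) or key.strip() in ("", PLACEHOLDER):
            problems.append("site_key is empty or still the placeholder")
        if isinstance(host, str) and host != EXPECTED_HOST and host.upper() == EXPECTED_HOST:
            problems.append(f"host_name {host!r} has the wrong case")
        elif host != EXPECTED_HOST:
            problems.append(f"host_name {host!r} is not {EXPECTED_HOST}")
    return problems


def sample(site_key: str, host_name: str) -> bytes:
    """Constructed minimal profile wrapping the dict shown above (not DNSFilter's file)."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
<key>site_key</key><string>{site_key}</string>
<key>host_name</key><string>{host_name}</string>
<key>dns_over_tls_enabled</key><false />
</dict></array></dict></plist>""".encode()


if __name__ == "__main__":
    print(check_profile(sample("constructed-key-123", "{{SERIALNUMBER}}")))
    print(check_profile(sample(PLACEHOLDER, "{{serialnumber}}")))
```

To check a real file, pass its bytes to check_profile, for example from a pre-commit hook in the Git repository where the copies are stored.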
Step four: Assign the configuration in Intune
- Return to intune.microsoft.com
- Navigate to Devices \ iOS/iPadOS \ Configuration
- Select Create to create a policy
- Choose Profile type as Templates and choose Custom
- Enter a name and description for the profile
- Select the appropriate .mobileconfig created earlier, and enter a name for the profile
- Save and assign
✍️ If the configuration profile reports Check-in status as Error, with error code -2016341112, then the device may be busy. It will most likely accept the profile later, assuming there are no syntax errors in the profile.
- Return to the DNSFilter application in Intune under Apps
- Assign DNSFilter to the target devices, most likely the test group. Ensure license type is Device.
✍️ Consider setting Install as removable to No to prevent users from deleting DNSFilter to bypass the policies. If choosing this configuration, remove the installed applications on devices using the uninstall assignment option prior to deleting the application from Intune itself.
- Sync the test devices from the Devices main grid to force the deployment
Monitor deployments in Intune and in the DNSFilter dashboard. When satisfied, proceed with a larger rollout.