iOS Devices Randomly Unregistering in Entra ID and Intune: Causes and Workarounds
Managing iOS devices with Microsoft Entra ID and Intune usually provides a smooth experience. Devices are registered, enrolled, and compliant, giving users seamless access to apps and resources. But some admins are reporting a frustrating issue:
Certain iOS devices randomly unregister from Entra, even after they were already registered and enrolled in Intune.
This problem breaks compliance and access, forcing users to re-register repeatedly.
📌 Symptoms Reported
- Issue affects only some iOS devices, not all.
- Users suddenly see app errors such as:
  - “Failed to get valid credentials.”
  - “Set up your device to get access.”
- In the Company Portal app, the device shows as “not registered” and prompts the user to register again.
- In Microsoft Entra ID portal:
  - MDM: None
  - Security Settings: N/A
  - Compliance: N/A
- Re-registering fixes it temporarily, but the issue returns for some users.
🔎 Why This Matters
When a device unregisters:
- Conditional Access fails → Users are blocked from apps like Outlook, Teams, and OneDrive.
- Compliance is broken → Intune cannot verify encryption, passcode, or OS version.
- Admin confusion → Devices appear as noncompliant or unmanaged in reports.
This isn’t just an inconvenience — it directly impacts productivity and trust in BYOD or corporate iOS programs.
⚠️ Possible Causes
While no confirmed root cause has been shared, here are the most likely areas to investigate:
- Apple Device Token Expiry
  - If the APNs (Apple Push Notification service) token is not renewed properly, devices may fail to check in and eventually unregister.
- Company Portal or Authenticator App Corruption
  - Updates to iOS or app versions can sometimes invalidate device certificates or cached tokens.
- Conditional Access + Device Registration Conflicts
  - If a user has multiple devices or duplicate device objects in Entra, policy conflicts may cause the device to unregister.
- Hybrid Identity or Sync Issues
  - In environments using hybrid join, sync delays or stale device records can trigger de-registration.
- User Actions
  - In some cases, users may unintentionally remove management profiles during troubleshooting or OS updates.
🛠️ Workarounds and Troubleshooting Steps
Until Microsoft releases an official fix or guidance, admins can try the following:
- Re-register the device
  - Have the user sign out of the Company Portal and re-enroll.
  - This refreshes the device certificate and often restores compliance temporarily.
- Check Apple MDM Push Certificate
  - Ensure the APNs certificate is valid and not close to expiry.
- Review Conditional Access Policies
  - Look for overlapping policies that may block access during re-registration.
- Clear stale device records
  - Remove duplicate or orphaned devices in Entra ID before re-registering.
- Update Company Portal and iOS
  - Ensure the device runs the latest iOS version and Company Portal app build.
- Monitor with Logs
  - Review Intune diagnostic logs (collected from the Company Portal) and Entra sign-in logs to identify repeated errors.
📝 Best Practices to Minimize Impact
- Educate users to report issues quickly instead of attempting self-removal of management profiles.
- Use Intune compliance policies with grace periods to reduce sudden access loss.
- Regularly audit device registration reports in Entra to catch anomalies.
- Pilot new iOS versions before wide rollout to detect compatibility problems early.
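As an added example (not from the original article or from Microsoft), the script below shows one way to run the "clear stale device records" and "audit device registration reports" steps over an exported device list. It assumes the export uses Microsoft Graph device property names, that the portal's "MDM: None" and "Compliance: N/A" correspond to empty `mdmAppId` and `isCompliant` values, and that a hypothetical `ownerUpn` field was joined in from each device's registered owners; all sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample shaped like Microsoft Graph `GET /devices` results.
# "ownerUpn" is NOT a Graph device property; it is assumed to have been
# joined in from each device's registered owners when the export was made.
SAMPLE_DEVICES = [
    {"id": "obj-1", "displayName": "iPhone", "operatingSystem": "iOS",
     "ownerUpn": "ana@contoso.example", "mdmAppId": None, "isCompliant": None,
     "registrationDateTime": "2024-01-10T08:00:00Z"},
    {"id": "obj-2", "displayName": "iPhone", "operatingSystem": "iOS",
     "ownerUpn": "ana@contoso.example", "mdmAppId": "constructed-mdm-app-id",
     "isCompliant": True, "registrationDateTime": "2024-06-02T09:30:00Z"},
    {"id": "obj-3", "displayName": "Ben iPad", "operatingSystem": "IPad",
     "ownerUpn": "ben@contoso.example", "mdmAppId": None, "isCompliant": None,
     "registrationDateTime": "2024-03-05T12:00:00Z"},
    {"id": "obj-4", "displayName": "LAPTOP-01", "operatingSystem": "Windows",
     "ownerUpn": "cy@contoso.example", "mdmAppId": None, "isCompliant": None,
     "registrationDateTime": "2024-02-01T07:00:00Z"},
]

# OS strings treated as iOS/iPadOS; adjust to the values your tenant reports.
APPLE_MOBILE = {"ios", "ipados", "iphone", "ipad"}

def _parse(ts):
    """Parse a Graph-style UTC timestamp such as 2024-01-10T08:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit_ios_devices(devices):
    """Return (unmanaged_ids, stale_ids) for iOS/iPadOS device objects."""
    ios = [d for d in devices
           if (d.get("operatingSystem") or "").lower() in APPLE_MOBILE]
    # Matches the portal symptom: no MDM binding and no compliance state.
    unmanaged = sorted(d["id"] for d in ios
                       if not d.get("mdmAppId") and d.get("isCompliant") is None)
    # Several objects for the same owner and device name: keep the newest
    # registration and report the older ones as stale candidates for review.
    groups = defaultdict(list)
    for d in ios:
        groups[(d["ownerUpn"].lower(), d["displayName"].lower())].append(d)
    stale = []
    for records in groups.values():
        records.sort(key=lambda d: _parse(d["registrationDateTime"]), reverse=True)
        stale.extend(d["id"] for d in records[1:])
    return unmanaged, sorted(stale)

if __name__ == "__main__":
    print(audit_ios_devices(SAMPLE_DEVICES))
```

The script only reports candidates; confirm each object against Intune before deleting anything, since a device that legitimately shares a name with another will also be grouped.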
✅ Conclusion
The issue of iOS devices randomly unregistering in Entra and Intune is disruptive and not yet fully explained. While re-registration restores functionality, the recurring nature points to deeper problems with device tokens, app updates, or identity sync.
For now, IT admins should apply workarounds, monitor device compliance, and escalate cases to Microsoft support if the issue persists across multiple users.

