Intune and DEP with iOS and Invalid Profile


This one was presented to me as a case where you were unable to enroll any iOS device with Intune. In this particular example, the error tells you exactly where the problem is.

The device in this particular case, an iPad, is unable to download the profile that should be assigned to it when Intune tries to remotely manage the device. This is the error we were getting:


If you are not familiar with this process: to be able to manage Apple devices, there is a process called the Device Enrollment Program, or DEP, that activates the serial number of the particular Apple device. Usually a device will just activate itself. However, in this case we want managed devices, so when your iPhone tries to activate itself, the usual activation is replaced by the remote management enrollment screen you get above.

The way DEP works requires you to have an Apple Business Manager account, where you add your MDM server, which in this particular example is Intune.

Once your MDM server is added, you can download a token from Apple Business Manager (ABM) that you then provide to Intune so it can synchronize all your DEP devices.

Enrollment Tokens Management

Log in to the Intune portal in the usual way, then navigate to Devices > iOS/iPadOS > iOS/iPadOS Enrollment and choose Enrollment Program Tokens as below:


Once here, you will see the tokens enrolled in Intune like this:


You can see we have an "Active" one and a "Warning" one. The "Warning" one has failed to sync: in this case someone generated a new token from ABM, which is why the old token is invalid and failed. For this example we need to focus on the "Active" one.

If you click on that token, you will see that the sync is active, and on the right you will see the default profiles assigned, which looks good, as below:


On the side menu choose Profiles and you will see two profiles, one for mobile devices and one for laptops. Here we are interested in the mobile devices one, the top profile, so click on that:


You will notice that it looks like this: we have a default profile for mobile devices with no devices assigned to it. That means there is no profile assigned, which explains the "Invalid profile" error, as no profile is actually assigned to new or existing devices:


If you now click on the Devices option, you will see a list of serial numbers. If we take the top device, you will notice that the "Profile assigned" column is set to N/A. The device cannot enroll without a profile.


So tick the box next to the device in question, choose "Assign Profile", select the profile from earlier and click Apply.


Then go back into the iOS profile and click Assigned devices. In this example you will now see a device that has been added and enrolled, and a device that has been assigned the profile but has not been activated.


If you wish to add all the devices to this profile, choose the option "Assign Devices", then select all the devices (only iOS and iPadOS devices will be shown) with the tick box at the top, and then choose Assign.
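
The same check can be scripted so that devices with no profile are spotted before someone hits the "Invalid profile" error at the enrollment screen. This is an added example, not part of the original walkthrough; it is read-only and assumes the Microsoft.Graph.Authentication PowerShell module plus the Microsoft Graph beta `depOnboardingSettings` and `importedAppleDeviceIdentities` resources with the property names used below.

```powershell
# Added example: read-only audit of enrollment program tokens and of synced
# devices that have no enrollment profile assigned.
# Assumptions: Microsoft.Graph.Authentication is installed, and the Graph beta
# endpoints and property names below match your tenant's API version.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'

function Get-GraphPaged {
    param([Parameter(Mandatory)][string]$Uri)
    # Follow @odata.nextLink so long device lists are not cut off at the first page.
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

$base = 'https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings'

$report = foreach ($token in Get-GraphPaged -Uri $base) {
    # Token expiry and last sync result, to spot a token that has stopped syncing.
    $summary = "Token '{0}': expires {1}, last successful sync {2}, last sync error code {3}" -f
        $token.tokenName, $token.tokenExpirationDateTime,
        $token.lastSuccessfulSyncDateTime, $token.lastSyncErrorCode
    Write-Host $summary

    $devices = @(Get-GraphPaged -Uri "$base/$($token.id)/importedAppleDeviceIdentities")

    # A device with no requested profile is the "Profile assigned: N/A" case.
    $devices |
        Where-Object { [string]::IsNullOrEmpty($_.requestedEnrollmentProfileId) } |
        ForEach-Object {
            [pscustomobject]@{
                Token           = $token.tokenName
                SerialNumber    = $_.serialNumber
                Platform        = $_.platform
                EnrollmentState = $_.enrollmentState
            }
        }
}

Write-Host ("Devices without an enrollment profile: {0}" -f @($report).Count)
$report | Sort-Object Token, SerialNumber | Format-Table -AutoSize
```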

