Receiving "Invalid Profile" error while enrolling Apple Devices

We are currently facing an interesting issue that is impacting all the Enrollment Program token profiles in Intune that use Authentication Method: Company Portal.


User Affinity & Authentication Method

User affinity: Yes
Authentication Method: Company Portal
Run Company Portal in Single App Mode until authentication: Yes

Management Options
Supervised: Yes
Locked enrollment: Yes

Shared iPad: No
Sync with computers: Allow All

Device Name
Apply device name template (supervised only): Yes

Any idea?
If we re-create the profile with Company Portal, it isn't working.
If we create the profile with Setup Assistant with modern authentication, all works fine.

All the tokens are valid.
The only change we made recently was domain confirmation.

Hehe, we managed to fix it. 😃

Third level did a (security) change to the default enrollment restriction to forbid enrollment of iOS devices. 😦

You know, one tenant, a lot of companies.

The idea was that a device that isn't bound to some OU would be forbidden to enroll.

But this idea ended on the knowledge that the device, at the time it obtains the first management profile, actually has no allegiance, and therefore the default is applied and therefore it is blocked.

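The failure mode described in the post above, worked through as an added example (not the poster's code and not a Microsoft tool): a pre-flight check that takes enrollment configurations shaped like the objects Microsoft Graph returns from `deviceManagement/deviceEnrollmentConfigurations` (with assignments expanded), picks the platform restriction an enrolling principal would be subject to, and reports whether it blocks iOS. A principal in no group falls through to the tenant default, which is exactly how the per-organization restrictions got bypassed. The sample data is constructed; the default-configuration naming (`_DefaultPlatformRestrictions`, priority 0) and the lowest-priority-number-wins ordering are assumptions taken from Intune's documented behaviour, not from the thread, so verify them against your own tenant.

```python
"""Which Intune enrollment restriction does an enrolling principal hit?

Added example, not code from the thread. Evaluates a list of enrollment
configurations shaped like Graph's deviceEnrollmentConfigurations objects
(assignments expanded) and reports the effective platform restriction.
All input below is constructed sample data, not a real tenant.
"""
from typing import Iterable, Optional

PLATFORM_RESTRICTIONS = (
    "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"
)
GROUP_TARGET = "#microsoft.graph.groupAssignmentTarget"

# Constructed sample: a tenant-wide default that blocks iOS (the change the
# thread describes) plus one per-organization restriction that allows it.
SAMPLE_CONFIGS = [
    {
        "@odata.type": PLATFORM_RESTRICTIONS,
        "id": "00000000-0000-0000-0000-000000000000_DefaultPlatformRestrictions",
        "displayName": "All users and all devices",
        "priority": 0,
        "iosRestriction": {"platformBlocked": True,
                           "personalDeviceEnrollmentBlocked": False},
        "assignments": [],
    },
    {
        "@odata.type": PLATFORM_RESTRICTIONS,
        "id": "11111111-1111-1111-1111-111111111111",
        "displayName": "OrgA - allow iOS",
        "priority": 1,
        "iosRestriction": {"platformBlocked": False,
                           "personalDeviceEnrollmentBlocked": True},
        "assignments": [{"target": {"@odata.type": GROUP_TARGET,
                                    "groupId": "group-orga"}}],
    },
    {   # a different configuration type; must be ignored by the check
        "@odata.type": "#microsoft.graph.deviceEnrollmentLimitConfiguration",
        "id": "00000000-0000-0000-0000-000000000000_DefaultLimit",
        "displayName": "All users",
        "priority": 0,
        "limit": 5,
        "assignments": [],
    },
]


def platform_restrictions(configs: Iterable[dict]) -> list:
    """Keep only platform-restriction configurations (limits etc. dropped)."""
    return [c for c in configs if c.get("@odata.type") == PLATFORM_RESTRICTIONS]


def is_default(cfg: dict) -> bool:
    """Assumption: the tenant default carries priority 0 and an id ending in
    _DefaultPlatformRestrictions. Verify against your tenant."""
    return cfg.get("priority") == 0 and cfg["id"].endswith("_DefaultPlatformRestrictions")


def targeted_groups(cfg: dict) -> set:
    """Group ids a configuration is assigned to (group targets only)."""
    return {a["target"]["groupId"] for a in cfg.get("assignments", [])
            if a.get("target", {}).get("@odata.type") == GROUP_TARGET}


def effective_restriction(configs: Iterable[dict], member_of: set) -> Optional[dict]:
    """Pick the restriction an enrolling principal is subject to.

    Assigned configurations only match through group membership, so a
    principal in no group (the state the thread describes for a device
    obtaining its first management profile) falls through to the default.
    Among several matching assigned configurations the lowest priority
    number wins (1 beats 2); that ordering is an assumption here.
    """
    restrictions = platform_restrictions(configs)
    matching = [c for c in restrictions
                if not is_default(c) and targeted_groups(c) & member_of]
    if matching:
        return min(matching, key=lambda c: c["priority"])
    defaults = [c for c in restrictions if is_default(c)]
    return defaults[0] if defaults else None


def ios_blocked(cfg: dict) -> bool:
    return bool(cfg.get("iosRestriction", {}).get("platformBlocked"))


def check_ios_enrollment(configs: Iterable[dict], member_of: set) -> dict:
    """Report which configuration applies and whether iOS enrollment is blocked."""
    cfg = effective_restriction(configs, member_of)
    if cfg is None:
        return {"config": None, "iosBlocked": False, "isDefault": False}
    return {"config": cfg["displayName"], "iosBlocked": ios_blocked(cfg),
            "isDefault": is_default(cfg)}


if __name__ == "__main__":
    # No group membership yet: the default applies and iOS is blocked.
    print(check_ios_enrollment(SAMPLE_CONFIGS, set()))
    # Member of the organization's group: the assigned restriction applies.
    print(check_ios_enrollment(SAMPLE_CONFIGS, {"group-orga"}))
```

Run it once with an empty membership set and once with the organization's group id; the first call is the situation the thread hit, the second is what the per-organization restriction was meant to achieve. To use it against a real tenant, feed it the `value` array of a Graph response for the configurations endpoint instead of `SAMPLE_CONFIGS`.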

Yeah, unfortunately there is no way to present more informative feedback on the device other than failed enrollment.

Glad you found the cause.

Curious, are you segmenting your tenant in any way? Scope tags and Intune limited-access roles?

In our tenant we are using scope tags; it works such that a 2nd level administrator of a specific organization sees only profiles with the tag of the given organization.

What is interesting, though, is that we did a step-by-step installation and checked AAD each time we went through a milestone, and the device is in AAD after the very last step. So it is really interesting that it was forbidden by the enrollment restriction policy.