
Automate Intune UPN Changes for iOS

Idea Quality: 90 (Exceptional)
Market Size: 100 (Mass Market)
Revenue Potential: 60 (Medium)

TL;DR

A tool for IT admins managing iOS devices in Intune that automates UPN updates via Apple MDM APIs, cutting manual re-enrollment time by 10+ hours while preserving locked enrollment.

Target Audience

IT administrators and Intune/MDM specialists in mid-large enterprises (100+ employees) using Microsoft Intune to manage iOS devices, particularly during rebranding, mergers, or domain migrations.

The Problem

Problem Context

Companies using Microsoft Intune need to change user email addresses (UPN) during rebranding or domain migrations. While this works on Windows and macOS, iOS devices fail to update without wiping or re-enrolling—breaking access to corporate apps and causing authentication loops.

Pain Points

Admins must manually wipe or retire/re-enroll every iPhone, losing locked enrollment and forcing users to remove management profiles. Microsoft confirms this is ‘working as designed,’ leaving no official fix. Attempted workarounds, such as signing out of and back into Company Portal or Authenticator, do not resolve the issue.

Impact

Downtime disrupts employee productivity, IT teams waste hours on manual fixes, and security risks arise from unmanaged devices. Re-enrollment also resets device configurations, requiring reconfiguration. The financial cost of labor and lost productivity adds up quickly for large deployments.

Urgency

UPN changes are time-sensitive (e.g., during mergers or rebranding) and cannot be delayed. Without a fix, companies face ongoing support tickets, frustrated users, and potential compliance violations from unmanaged devices.

Target Audience

IT administrators, Intune/MDM specialists, and enterprise mobility teams in companies using Microsoft Intune for iOS device management. This affects organizations of all sizes but is most critical for mid-large enterprises with 100+ iOS devices.

Proposed AI Solution

Solution Approach

A tool that automates the Intune UPN change process for iOS devices by temporarily detaching them from Intune, pushing a new management profile with the updated UPN via Apple’s MDM APIs, and re-enrolling them while preserving locked enrollment where possible. It handles the entire workflow without manual intervention.

Key Features

  1. Apple MDM Profile Push: Uses Apple’s MDM APIs to send a new configuration profile with the updated UPN to iOS devices, bypassing Intune’s limitations.
  2. Automated Re-enrollment: Re-enrolls devices in Intune while attempting to retain locked enrollment status.
  3. Monitoring & Alerts: Tracks device status in real-time and notifies admins of successes/failures via email or Slack.

User Experience

Admins select the UPN change task in the dashboard, input the new domain, and click ‘Start.’ The tool handles the rest: detaching devices, pushing profiles, and re-enrolling them. Users see a brief interruption (5–10 minutes) but retain all apps and data. Admins get a summary report with device statuses and any errors.

Differentiation

No existing tool automates this specific workflow. Microsoft’s official stance is to wipe or re-enroll, and competitors like Jamf or Mosyle focus on macOS/Windows. This tool fills the gap with a lightweight, API-driven solution that works within Intune’s constraints while preserving device management.

Scalability

Pricing scales with the number of devices (per-device or tiered pricing). The tool can handle UPN changes for 100+ devices in a single batch, and admins can schedule recurring updates (e.g., quarterly domain migrations). Future features could include compliance reporting or integration with other MDM tools.

Expected Impact

Eliminates the need for manual device wipes or re-enrollments, saving IT teams 10+ hours per UPN change cycle. Restores immediate access to corporate apps, reducing user frustration and support tickets. Ensures compliance by maintaining managed device status, even during domain changes.