Dear team
Let me share the exact scenario where the issue occurs when the user is synced from on-premises AD to Microsoft Entra ID via Azure AD Connect.
Existing macOS device:
- Joined to on-premises Active Directory domain our.com.vn
- User domain01 logs in locally (Kerberos-bound AD account)
- This user is synced from on-premises AD to Microsoft Entra ID via Azure AD Connect
- User installs Company Portal and enrolls the Mac using email address removed for privacy reasons
- After enrollment, Intune pushes a passcode policy (we set password expiration = 90 days)
- User logs out of the Kerberos user domain01 and logs back in
Issue:
macOS shows the message "Password Expiration" / "Your password has expired" with two options:
"Change password" or "Continue"
Question:
Why does an Intune passcode policy affect a local Kerberos-bound Active Directory account (domain01)?
Important observation:
When the user is not synced from AD to MS Entra ID (I created the same user, email address removed for privacy reasons, in MS Entra), there is no issue:
Existing macOS device:
- Joined to on-premises Active Directory domain our.com.vn
- User domain02 logs in locally (Kerberos-bound AD account)
- User installs Company Portal and enrolls the Mac using domain02@our.com.vn
- After enrollment, Intune pushes a passcode policy (we set password expiration = 90 days)
- User logs out of the Kerberos user domain02 and logs back in
=> There is no issue.