Typing this on the first Mac we deployed using the SSO plugin. I am so glad Microsoft finally released this. We have been waiting a long time for this.
Some quick comments/questions:
- Once configured, the enrollment of the Mac itself in Intune was done correctly. The settings for the user then followed afterwards. Policies and software deployments were applied. The SSO flow works correctly. Everything seemed to be perfect. However, when opening the Company Portal for the first time it errored out. After a restart of the app the Company Portal then complained that the Mac was not registered. I thought this was strange, as everything was working correctly. The terminal command 'app-sso platform -s' also returned the information that one would expect. I then proceeded to go through the Company Portal registration wizard once more in an attempt to get everything 'clean', but that also led to an error that the device management profile could not be applied. There was also a second 'zombie' device object registered in Intune after this attempt. I deleted that object from Intune. But I have the feeling that since then additional settings and software deployments are no longer being applied. This seems to be similar to what mcanizzaro24 experienced?
- My user account was the first user on the Mac and was made an admin, despite the configuration profile settings that I wanted a 'standard' user. It is mentioned somewhere that the first account needs to be an admin, but this is not a sustainable way of working in an organisation. Our users should never be admins. Is this by design? From Apple or Microsoft?
- MS Expert, I also got an out-of-the-blue request to change my password on the second day my Mac was registered, but in my case it did coincide with a change of a configuration policy a few minutes before that. The policy did not contain a change to the password length settings. But maybe there is a link with the application of a policy?
- During the managed app deployment, two Apple Store apps (Microsoft Remote Desktop and the Azure VPN app) could not be installed due to an expired VPP token in our Intune tenant. We renewed the token in Intune/ABM, but these two apps do not pick up on this change and are not installed. We tried to manually sync the Mac dozens of times, waited a few days, but all to no avail. The MDM seems to refuse to restart the installation process for these apps.
- Every single time I log in, the Mac now shows the message 'Configuring MDM push services...'. Sometimes this is shown underneath my name and the login progress bar. Sometimes it is a separate window with an 'OK' button. Is this normal? I can imagine that the Mac is checking in with Intune at that point, but the use of the word 'configuring' (instead of 'applying', 'contacting', or something else) gives me the impression that something is still going wrong during the login procedure. It would be nice if the documentation also contained a reference to this message, so that those who are new to this world know whether this is informational or an error.
Looking forward to the GA release of this! 🙂