AMA: Powerful Apple device management with Intune
Event details
Get the answers you need to efficiently and effectively manage all things iOS and macOS. Curious about day zero support for upcoming Apple releases? Single sign-on support? Declarative device management support for software updates? Join this Ask Microsoft Anything (AMA) event with your questions and let our product and engineering teams provide insights and answers on how you can put the latest capabilities to work for you!
Post your questions in the Comments below. We'll have experts responding in the live stream and others in chat.
This AMA is part of Tech Community Live: Microsoft Intune edition. Visit https://aka.ms/TCL/Intune for the full agenda.
- Tommeke (Brass Contributor)
Do you have any plans on supporting the shared iPad devices as Intune 'managed device' (MDM managed) objects so we don't have to bypass conditional access and application protection policies? The current shared iPad Intune feature does not comply with zero-trust principles in this way and is not suited for hybrid FLW scenarios where MAM-only is also used for personal devices in combination with shared iPad devices.
- benjamin_flamm (Microsoft)
No definite timelines to share.
- Dylangould (Brass Contributor)
When I wipe an iOS device, the device wipes and goes back through auto enrollment as expected, but then in Azure Active Directory I seem to have a duplicate entry. It creates a new entry in AD but doesn't remove the old entry. Is there a solution for this, minus wiping the device then deleting it after it starts the wipe?
- benjamin_flamm (Microsoft)
Please add your vote to the feedback portal - I believe this is cross platform and isn't limited to solely Apple device management.
- DavidMontesin (Copper Contributor)
Are there any plans for Apple TV support in Intune? Our organisation has purchased Jamf to manage Apple TVs (approximately 4,000 Apple TVs). We are using it to deploy apps to them, apply Wi-Fi configuration, remotely reboot them and lock them down when required.
- Char_Cheesman (Community Manager)
Thanks for participating in today's AMA: Powerful Apple device management with Intune! For reference, the panel covered this topic at 29:30.
- MakeITGood (Brass Contributor)
Is there anything in the works that would better help with the management of shared user devices (Apple and Android)?
- Char_Cheesman (Community Manager)
Thanks for participating in today's AMA: Powerful Apple device management with Intune! For reference, the panel covered this topic at 44:35.
- mcmengod (Copper Contributor)
For Android I did some tests with devices enrolled as dedicated devices and playing with MHS
- Ebuke_Okwese (Brass Contributor)
My two biggest questions: 1. Public Preview for Platform SSO on Mac when? 2. Declarative device updates for iOS/iPadOS when?
- Char_Cheesman (Community Manager)
Thanks for participating in today's AMA: Powerful Apple device management with Intune! For reference, the panel covered this topic at 10:40.
- MakeITGood (Brass Contributor)
Hello! Can you recommend a formal, deep-dive training that covers Intune management specific to mobile devices (i.e. management of iPhones, iPads, Android devices)? Most Intune training that I've come across is deficient in these areas as the focus is more on desktop and apps and only slightly touches on mobile devices. It would be nice to have training specific to the mobile devices mentioned above. Thank you.
- benjamin_flamm (Microsoft)
If you have a Microsoft account team, then they can help set up workshops and other engagements with a focus on mobile devices.
- Hajo (Brass Contributor)
Will the macOS VPN profile in Intune ever support EAP-only authentication besides the already available Username/Pass & Certificate? So I can configure the Intune-supplied SCEP certificate profile for that authentication. (Normal Certificate does not work in an EAP-only scenario.)
- Lance_Crandall (Microsoft)
Ping me offline about this. Username/Pass has been the only request from customers, so curious what your scenario is.
- Martin Behrmann (Copper Contributor)
We observe that the user experience of the initial deployment of profiles, scripts, applications when the user receives his new macOS computer and logs in for the first time is rather random. The user does not know what happens and when the device is ready for him to use. To speed things up we even need to force quit the IntuneMDMAgent because it seems to stall from time to time.
How will Microsoft improve this experience?
- Char_Cheesman (Community Manager)
Thanks for participating in today's AMA: Powerful Apple device management with Intune! For reference, the panel covered this topic at 14:00.
- Martin Behrmann (Copper Contributor)
Thanks for the reply! Transcribed answer from the video: "Well, I think what you'll see, we have a preview coming up for what's called the "awake config" command. We already have it on iOS. I mean, that's the starting point. So that will allow that policy, and I know Apple now allows apps, and we'll be looking at scripts, as well, to happen before the user exits the Setup Assistant, right? So that's the baseline. Additionally, we're revamping all of ADE. So we're migrating the profiles over to what we're calling "EC V2," or Enrollment Configuration V2, which is similar to our Settings catalog, so all this data-driven UI so we'll be able to build much more faster feature sets. And one of them is to create more control over what different profiles and apps get installed during that window. And so, definitely you'll see more and more of that in the next year about controlling what goes first, what's on there. I think it's going to be critical not just for what you're choosing but what we are putting on you. So, whether it's Platform SSO or even the Authenticator app, you know, we need to have those on the device for part of our enrollment. And so we want to make sure those are there first to enable. And so, yeah, we definitely acknowledge there's some more granular controls we need to add, and the first part of that will be the Awake Config feature set coming out this fall."
- Martin Behrmann (Copper Contributor)
IT Security demands the use of 802.1x user certificates to access company LAN, Wi-Fi and VPN. Currently we are using Intune's SCEP workflow to deploy user certificates to our macOS computers. These user certificates are stored in the System Keychain, which allows other users of the computer to make use of that other user's certificate. What can be done to let one computer be used by multiple users and have every user have his own user certificate in his own user keychain?
- Char_Cheesman (Community Manager)
Thanks for participating in today's AMA: Troubleshoot device issues with Intune! For reference, the panel covered this topic at 21:35.
- Martin Behrmann (Copper Contributor)
Thank you for the reply! Transcribed answer from the video: "Yeah, that's a great question and a very insightful one. I have three things to say about this, the first one being that today, the way we think of our Mac use cases, it is built as a single managed user device. So, all the scenarios that we build in, including Platform SSO that we are releasing, it's currently aimed at those types of scenarios. Now, that doesn't mean that we don't support multiple-user scenarios. You could still enroll a device without device affinity and have multiple users sign in. But as soon as you start putting down certificates that access resources on the device, we need to be able to really validate who the user is and that we are providing the right set of certificates to the right user. In terms of validating that, we made some design choices where, in the early days of supporting our resource access scenarios using certificates, that currently means that we deliver the kind of verification we need. We can only verify that this is the device that it's meant for, but not so much who the user is, which resulted in us making this choice. Now, we have been hearing this feedback from a lot of you that there is a business case and a need for providing the right certificate in the user Keychain because that also has an end-user impact for... It's a much better user experience for having to select that certificate. And we are working through that feedback to make sure that we can still meet the needs of security that we have while supporting that scenario. Now, to that end, and about multiple user devices, the good news is with...

ANDY: I think we lost Arnab again.

TYLER: It looks like we lost Arnab again.

ANDY: So, to finish Arnab's point there, so yes, V2 of Platform SSO that Apple announced at WWDC does support multiple accounts. And so, as we roll out V1 support, we'll be adding V2. I don't have the specific timelines there, but I'm sure Arnab can share it. But it is something we need to support. And then, just going back to the user cert thing, we know this is an issue. I want people to know that. We know we need to fix this. As Arnab mentioned, there was a security reason, initially, why we went the route we went, but we also hear you loud and clear, and we need to make a change, and we're evaluating what our options are to both meet the one security issue we had while also looking at the input that you've all provided us. At the end of the day, we don't want to block you in. So we want you to adopt and you be able to utilize Intune as your management option. And so, we will absolutely be looking and providing some updates, hopefully sooner rather than later, on what our plan is on user certs.

TYLER: Absolutely. It's a great question on security, and thank you for bringing that up and for providing the updates. I appreciate the mental synchronization there between Arnab and Andy. Thank you, Andy, for jumping in on that."
- BlackGloveEng1 (Copper Contributor)
We would love to know when / if there will be improved pkg install and bash scripting support for the Mac. Currently .pkgs can only install apps into the Applications folder. Would love the ability to install any .pkg, as well as schedule and run bash scripts. Custom extension attributes based on bash scripts would be great too. Thank you!
- Char_Cheesman (Community Manager)
Thanks for participating in today's AMA: Powerful Apple device management with Intune! For reference, the panel covered this topic at 06:45.