AMA: Powerful Apple device management with Intune
Event Ended
Thursday, Sep 14, 2023, 09:30 AM PDT
Event details
Get the answers you need to efficiently and effectively manage all things iOS and macOS. Curious about day zero support for upcoming Apple releases? Single sign-on support? Declarative device managem...
Heather_Poulsen
Updated Nov 15, 2024
Martin Behrmann
Sep 07, 2023, Copper Contributor
IT Security demands the use of 802.1x user certificates to access the company LAN, Wi-Fi and VPN. Currently we are using Intune's SCEP workflow to deploy user certificates to our macOS computers. These user certificates are stored in the System Keychain, which allows other users of the computer to make use of another user's certificate.
What can be done to let one computer be used by multiple users and have every user have their own user certificate in their own user keychain?
- Char_Cheesman, Sep 15, 2023, Community Manager
Thanks for participating in today's AMA: Troubleshoot device issues with Intune! For reference, the panel covered this topic at 21:35.
- Martin Behrmann, Sep 27, 2023, Copper Contributor
  Thank you for the reply! Transcribed answer from the video:
  "Yeah, that's a great question and a very insightful one. I have three things to say about this, the first one being that today, the way we think of our Mac use cases, it is built as a single managed user device. So, all the scenarios that we build in, including Platform SSO that we are releasing, it's currently aimed at those types of scenarios. Now, that doesn't mean that we don't support multiple-user scenarios. You could still enroll a device without device affinity and have multiple users sign in. But as soon as you start putting down certificates that access resources on the device, we need to be able to really validate who the user is and that we are providing the right set of certificates to the right user. In terms of validating that, we made some design choices where, in the early days of supporting our resource access scenarios using certificates, that currently means that we deliver the kind of verification we need. We can only verify that this is the device that it's meant for, but not so much who the user is, which resulted in us making this choice. Now, we have been hearing this feedback from a lot of you that there is a business case and a need for providing the right certificate in the user Keychain because that also has an end-user impact for... It's a much better user experience for having to select that certificate. And we are working through that feedback to make sure that we can still meet the needs of security that we have while supporting that scenario. Now, to that end, and about multiple user devices, the good news is with...
  ANDY: I think we lost Arnab again.
  TYLER: It looks like we lost Arnab again.
  ANDY: So, to finish Arnab's point there, so yes, V2 of Platform SSO that Apple announced at WWDC does support multiple accounts. And so, as we roll out V1 support, we'll be adding V2. I don't have the specific timelines there, but I'm sure Arnab can share it. But it is something we need to support. And then, just going back to the user cert thing, we know this is an issue. I want people to know that. We know we need to fix this. As Arnab mentioned, there was a security reason, initially, why we went the route we went, but we also hear you loud and clear, and we need to make a change, and we're evaluating what our options are to both meet the one security issue we had while also looking at the input that you've all provided us. At the end of the day, we don't want to block you in. So we want you to adopt and you be able to utilize Intune as your management option. And so, we will absolutely be looking and providing some updates, hopefully sooner rather than later, on what our plan is on user certs.
  TYLER: Absolutely. It's a great question on security, and thank you for bringing that up and for providing the updates. I appreciate the mental synchronization there between Arnab and Andy. Thank you, Andy, for jumping in on that."
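The question in this thread is about per-user SCEP certificates landing in the shared System Keychain, where every local account can use them. The script below is an added example, not from the AMA or from Microsoft, that a Mac admin could run (for instance as an Intune shell script) to spot that condition: it lists client identities in /Library/Keychains/System.keychain and flags those whose label looks like a user principal. The rule that a user cert's label contains "@" is my assumption, and the sample listing is constructed so the parser can be exercised on any OS.

```sh
#!/bin/sh
# Added example, not Microsoft's code: report user-style identities
# (certificate + private key) sitting in the macOS System Keychain.
# Everything in System.keychain is usable by every local account, so a
# per-user 802.1x certificate placed there is shared across users.

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Read `security find-identity` output on stdin and print the label of
# every identity whose label contains "@" (assumed to mark a user cert).
# Listing lines look like:   1) <SHA-1 hex> "label"
flag_user_identities() {
    awk '
        /^[ \t]*[0-9]+\)[ \t]+[0-9A-Fa-f]+[ \t]+"/ {
            label = $0
            sub(/^[^"]*"/, "", label)   # drop everything up to the opening quote
            sub(/"[^"]*$/, "", label)   # drop the closing quote
            if (label ~ /@/) print label
        }'
}

# Constructed sample of `security find-identity -v -p ssl-client` output
# (not a real device listing): one user identity, one device identity.
SAMPLE_LISTING='Policy: SSL (client)
  Matching identities
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "alice@example.com"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "MAC-0042.example.com"
     2 identities found

  Valid identities only
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "alice@example.com"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "MAC-0042.example.com"
     2 valid identities found'

# On a Mac, audit the real System Keychain; elsewhere use the sample.
if command -v security >/dev/null 2>&1; then
    findings=$(security find-identity -v -p ssl-client "$SYSTEM_KEYCHAIN" \
               | flag_user_identities | sort -u)
else
    findings=$(printf '%s\n' "$SAMPLE_LISTING" | flag_user_identities | sort -u)
fi
printf 'User identities in System Keychain:\n%s\n' "${findings:-(none)}"
```

A non-empty result means a user certificate is reachable by every account on that Mac; the fix the panel discusses (delivering the cert to the user's login keychain) is what would make this list empty.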
Location: Microsoft Tech Community