AMA: Powerful Apple device management with Intune
Event details
Get the answers you need to efficiently and effectively manage all things iOS and macOS. Curious about day zero support for upcoming Apple releases? Single sign-on support? Declarative device management support for software updates? Join this Ask Microsoft Anything (AMA) event with your questions and let our product and engineering teams provide insights and answers on how you can put the latest capabilities to work for you!
Post your questions in the Comments below. We'll have experts responding in the live stream and others in chat.
This AMA is part of Tech Community Live: Microsoft Intune edition. Visit https://aka.ms/TCL/Intune for the full agenda.
89 Comments
- cheekynandos456
Copper Contributor
Can you confirm the ability to toggle Bluetooth on/off for iOS is coming in 2309? Rather than just grey out the option?
- benjamin_flamm
Microsoft
Confirmed - this was released in our What's New documentation: https://learn.microsoft.com/en-us/mem/intune/fundamentals/whats-new#managed-settings-now-available-in-the-apple-settings-catalog-
- cheekynandos456
Copper Contributor
What is the best way to distribute the iOS beta via Intune?
- mcmengod
Copper Contributor
I don't know... but I've detected an issue with iPadOS 17, how could I determine if it is an Intune issue with this OS version or if it is a bug with iPadOS 17? My issue is with background wallpaper... I'm deploying a wallpaper for Lock screen but it's applied to Home screen too...
- TinTrungNguyen
Copper Contributor
macOS: I am having 2 issues with the Company Portal, detailed below.
1/. I configured a policy "Is Active" for 30 days.
2/. I have 2 devices (macOS) that are not compliant with my policy, after I checked on my client's device, they always open the device and work on this every day.
3/. I opened the Company Portal and saw the account was still signed on.
4/. I tried many times to select "Check status" on the Company Portal and got the issue: "There was an error while checking status. Your status may not be up to date. Try checking again"
5/. After I tried step 4, I removed this device and re-enrolled and I got a new issue: "Unable to confirm setting" after the MDM profile is installed.
Could you tell me how many ways to check/troubleshoot the issue for macOS and Windows? I don't see any docs from MS about troubleshooting that issue. Example: how do I collect the log to troubleshoot?
- Char_Cheesman
Bronze Contributor
Thanks for participating in today's AMA: Powerful Apple device management with Intune! For reference, the panel covered this topic at 01:35.
- Cody_Kern
Copper Contributor
What is the best way to connect Apple products to the Intune environment? Do you need Apple's admin portal to have full access to iOS devices?
- benjamin_flamm
Microsoft
Apple's admin portal is the recommended way to get Apple devices supervised, but you can also use Apple Configurator to manually supervise devices. All Macs that enroll in MDM are automatically supervised whether through ADE or Company Portal.
- BenStreet92
Copper Contributor
Will Platform SSO truly support wireless for macOS, and will we be able to control admin account credentials?
- Arnab Biswas
Microsoft
Yes, through a combination of things, you can have true passwordless and be able to manage the admin account credentials. There are a couple of nuances that should be discussed separately here. The first account on the device requires a local password to be set - this remains the case even with PSSO configured. Creating the local account and managing the password is going to be supported through the local account command and in the long-term, the admin password will be managed via LAPS. However, with the advent of PSSO, the need of a local password will be minimized for the first account and eliminated for subsequent accounts when using PSSO with "Enable create user at login" setting in the SSO extension. The PSSO experience is truly passwordless with the following exceptions: (1) you need to enter your Entra password the first time the password is synced to the local account, (2) when you restart your device or when the PSSO user is logged out, a password is required, (3) when your Entra password changes, macOS will prompt you to enter your new password.
- BenStreet92
Copper Contributor
This was meant to say passwordless! Not wireless 🙂
- DavidMontesin
Copper Contributor
Will new features in Sonoma, such as Account-Driven User Enrollment, be available on day Zero?
- Char_Cheesman
Bronze Contributor
Thanks for participating in today's AMA: Powerful Apple device management with Intune! For reference, the panel covered this topic at 02:50.
- BlackGloveEng1
Copper Contributor
We would love to know when / if there will be improved pkg install and bash scripting support for the Mac. Currently only .pkg's can only install apps into the Applications folder. Would love the ability to install any .pkg, as well as schedule and run bash scripts. Custom extension attributes based on bash scripts would be great too. Thank you!
- Char_Cheesman
Bronze Contributor
Thanks for participating in today's AMA: Powerful Apple device management with Intune! For reference, the panel covered this topic at 06:45.
- Ebuke_Okwese
Brass Contributor
Also, one annoying issue for Mac enrollment in Intune is the way compliance is displayed for devices without user affinity. Even though a Mac is compliant with all the applied policies, the search GUI will display it as Non Compliant, and it drives me CRAZY.
- benjamin_flamm
Microsoft
Thanks for the feedback! We'll take this back with the owning team.
- Martin Behrmann
Copper Contributor
IT Security demands the use of 802.1x user certificates to access company LAN, Wi-Fi and VPN. Currently we are using Intune's SCEP workflow to deploy user certificates to our macOS computers. These user certificates are stored in the System Keychain, which allows other users of the computer to make use of that other user's certificate. What can be done to let one computer be used by multiple users and have every user have their own user certificate in their own user keychain?
- Char_Cheesman
Bronze Contributor
Thanks for participating in today's AMA: Troubleshoot device issues with Intune! For reference, the panel covered this topic at 21:35.
- Martin Behrmann
Copper Contributor
Thank you for the reply! Transcribed answer from the video:
"Yeah, that's a great question and a very insightful one. I have three things to say about this, the first one being that today, the way we think of our Mac use cases, it is built as a single managed user device. So, all the scenarios that we build in, including Platform SSO that we are releasing, it's currently aimed at those types of scenarios. Now, that doesn't mean that we don't support multiple-user scenarios. You could still enroll a device without device affinity and have multiple users sign in. But as soon as you start putting down certificates that access resources on the device, we need to be able to really validate who the user is and that we are providing the right set of certificates to the right user. In terms of validating that, we made some design choices where, in the early days of supporting our resource access scenarios using certificates, that currently means that we deliver the kind of verification we need. We can only verify that this is the device that it's meant for, but not so much who the user is, which resulted in us making this choice. Now, we have been hearing this feedback from a lot of you that there is a business case and a need for providing the right certificate in the user Keychain because that also has an end-user impact for... It's a much better user experience for having to select that certificate. And we are working through that feedback to make sure that we can still meet the needs of security that we have while supporting that scenario. Now, to that end, and about multiple user devices, the good news is with...
ANDY: I think we lost Arnab again.
TYLER: It looks like we lost Arnab again.
ANDY: So, to finish Arnab's point there, so yes, V2 of Platform SSO that Apple announced at WWDC does support multiple accounts. And so, as we roll out V1 support, we'll be adding V2. I don't have the specific timelines there, but I'm sure Arnab can share it. But it is something we need to support. And then, just going back to the user cert thing, we know this is an issue. I want people to know that. We know we need to fix this. As Arnab mentioned, there was a security reason, initially, why we went the route we went, but we also hear you loud and clear, and we need to make a change, and we're evaluating what our options are to both meet the one security issue we had while also looking at the input that you've all provided us. At the end of the day, we don't want to block you in. So we want you to adopt and you be able to utilize Intune as your management option. And so, we will absolutely be looking and providing some updates, hopefully sooner rather than later, on what our plan is on user certs.
TYLER: Absolutely. It's a great question on security, and thank you for bringing that up and for providing the updates. I appreciate the mental synchronization there between Arnab and Andy. Thank you, Andy, for jumping in on that."
- Martin Behrmann
Copper Contributor
We observe that the user experience of the initial deployment of profiles, scripts, applications when the user receives his new macOS computer and logs in for the first time is rather random. The user does not know what happens and when the device is ready for him to use. To speed things up we even need to force quit the IntuneMDMAgent because it seems to stall from time to time.
How will Microsoft improve this experience?
- Char_Cheesman
Bronze Contributor
Thanks for participating in today's AMA: Powerful Apple device management with Intune! For reference, the panel covered this topic at 14:00.
- Martin Behrmann
Copper Contributor
Thanks for the reply! Transcribed answer from the video: "Well, I think what you'll see, we have a preview coming up for what's called the "awake config" command. We already have it on iOS. I mean, that's the starting point. So that will allow that policy, and I know Apple now allows apps, and we'll be looking at scripts, as well, to happen before the user exits the Setup Assistant, right? So that's the baseline. Additionally, we're revamping all of ADE. So we're migrating the profiles over to what we're calling "EC V2," or Enrollment Configuration V2, which is similar to our Settings catalog, so all this data-driven UI so we'll be able to build much more faster feature sets. And one of them is to create more control over what different profiles and apps get installed during that window. And so, definitely you'll see more and more of that in the next year about controlling what goes first, what's on there. I think it's going to be critical not just for what you're choosing but what we are putting on you. So, whether it's Platform SSO or even the Authenticator app, you know, we need to have those on the device for part of our enrollment. And so we want to make sure those are there first to enable. And so, yeah, we definitely acknowledge there's some more granular controls we need to add, and the first part of that will be the Awake Config feature set coming out this fall."