Event details
Whether you're in the exploratory stage or already implementing Intune for macOS, we invite you to join this Ask Microsoft Anything (AMA) to see a demonstration of the new Platform Single Sign-On (Platform SSO) capability and engage with our experts. This is your unique opportunity to ask questions directly with Microsoft's product and engineering teams and get answers on how you can manage macOS devices for a truly unified experience with Intune. Join us for an enlightening session where your queries lead the discussion.
Post your questions in the Comments below. We'll have experts responding in the live stream and others in chat.
This session is part of Microsoft Intune: Tech Community Live. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
129 Comments
- reasdreas (Copper Contributor)
When I make changes to a configuration policy for our macOS machines, it forces a password reset. Unfortunately, this reset cannot be successfully completed, and we have to retrieve the MacBook "FileVault Recovery key" for the machine to perform a full password reset. Is there a fix for this issue, or are there any upcoming plans to address it?
- Majid_Rp (Occasional Reader)
I'm having trouble deploying the SentinelOne Agent for Mac OS using Intune. It seems like I can't use the LOB method because there's a token involved. I really don't want to go through the hassle of using another app to bundle the PKG and token together and then upload it. Is there an easier way to do this? I've tried sending it through a script, but I keep getting failed errors. Sometimes, the app installs without the token, which defeats the purpose. I'd appreciate it if anyone could share their experiences or tips with me
- rrenstrom (Brass Contributor)
Is there a technical reason that Microsoft doesn't allow changing the Primary User in Intune for Macs, whereas it can be changed for Windows devices? This is useful when transferring a computer to a new user. Currently, to change the Primary User assigned to a Mac, the device must be retired in Intune and re-enrolled (resulting in loss of the escrowed FileVault recovery key), or wiped for a fresh start, but that's not always practical.
- kbentis (Copper Contributor)
I am having issues making LOB apps available in Company Portal. The same pkg that works when you either deploy it as a required pkg or manually install it on a MacBook gets stuck on downloading or fails when I try to install it from Company Portal, with the error "Error code: 0x87D13B67 - The app state is unknown." I have followed the documentation on Microsoft Learn but to no avail. Is anyone else experiencing the same issues when deploying LOB pkg apps? Does this feature work correctly?
- ABerardi-PC (Copper Contributor)
I am also struggling with this. I feel like there is a piece missing in the process since the LOB Store was depreciated. I can assign apps to devices, groups or users but can't make optional apps show up in the company portal.
- andreujulia (Copper Contributor)
Is there a plan or the intention to deploy, via Intune, a LAPS-like solution or an Endpoint Privilege Management solution on macOS?
- daanstoeten (Brass Contributor)
Question: When using macOS the initial enrollment isn't as smooth as with Windows. How can you, if possible, deploy a Mac with Autopilot (based on HWID) to ensure this always enrolls smoothly?
Question: How can you use Microsoft Entra ID single sign-on on a MacBook as the initial user? If my username is John.Doe@microsoft.com that this portrays as well as the username of the laptop on which you can then use your Azure password or a pincode like it can be set up with Windows Hello
- Pelle-netpack (Copper Contributor)
Observation: When using the “Settings catalog policy” for macOS it is not showing in the Device configuration profile blade.
- SvenV_ (Brass Contributor)
If this is regarding the macOS setting catalog reporting feature, so you cannot see properly if settings catalog policies are applied or not but other type of policies such as custom policy type work fine?
I reported this issue earlier and recently got this message from Intune Support about this issue:
update regarding the reporting for Setting Catalog policies for macOS devices issue. We can confirm that a hotfix is ready to be deployed to all tenants for this issue, and is rolling out as 2403.
Hope this helps 😊
- Pelle-netpack (Copper Contributor)
Question: When configuring “Privacy Preferences Policy Control” settings for macOS in a “Settings catalog policy” we are receiving error code 10022. Is this a known issue or are we doing something wrong?
- Pelle-netpack (Copper Contributor)
Question: When enrolling a Mac the user becomes root user on that Mac, how to convert this root (primary) user to a standard user without local admin rights?
- AnyaNovicheva (Microsoft)
Hi Pelle-netpack, thank you for your question! One admin user on a Mac is required, so you need at least another user to downgrade that initial admin user. To downgrade an initial admin user, you can use a script to make that user a standard user. Or you can use platform SSO to define user rights (as a new user, and as a persistent user).
It is on our roadmap to add local admin configuration settings within the macOS enrollment policies so you can do this directly from the enrollment policy (configure both an admin user and a primary standard user from the same enrollment policy).
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Securely manage macOS with Intune! For reference, the panel covered this topic at around 6:30.
- Fernando_Mata (Occasional Reader)
We're using shell scripts to create a local admin account with an encrypted password and downgrade the others.
- Ronnie Jakobsen (Copper Contributor)
Would be nice to have a policy item for this, and maybe also to have Intune create an admin account to be used for "emergency" access via FileVault recovery key
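An added illustration of the script approach discussed in this thread (not code from Microsoft or from any commenter): it demotes an account to standard only when another admin would remain, since one admin user on a Mac is required. The function names and the command-line usage are assumptions of this example; `dscl` and `dseditgroup` are the standard macOS directory tools.

```shell
#!/bin/bash
# Added example: demote a macOS account to standard only if another admin remains.
# Function names and the command-line usage are assumptions of this example.

# Print the members of the local admin group, one per line.
admin_members() {
    dscl . -read /Groups/admin GroupMembership 2>/dev/null |
        sed 's/^GroupMembership: *//' | tr ' ' '\n' | sed '/^$/d'
}

# Read admin group members on stdin and decide whether $1 may be demoted.
# Returns 0 = safe, 1 = target is not an admin, 2 = no other admin would remain.
# root normally appears in the admin group but is disabled by default, so it
# does not count as the remaining administrator.
can_demote() {
    target=$1
    is_admin=0
    others=0
    while IFS= read -r member; do
        if [ "$member" = "$target" ]; then
            is_admin=1
        elif [ -n "$member" ] && [ "$member" != "root" ]; then
            others=$((others + 1))
        fi
    done
    [ "$is_admin" -eq 1 ] || return 1
    [ "$others" -ge 1 ] || return 2
    return 0
}

# Remove $1 from the admin group after the safety check (must run as root).
demote_user() {
    rc=0
    admin_members | can_demote "$1" || rc=$?
    case $rc in
        0) dseditgroup -o edit -d "$1" -t user admin ;;
        1) echo "$1 is already a standard user" ;;
        *) echo "refusing: $1 is the only admin account" >&2; return 1 ;;
    esac
}

# Usage: sudo ./demote.sh <shortname>; does nothing when run without arguments.
if [ "$#" -ge 1 ]; then
    demote_user "$1"
fi
```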
- Heather_Poulsen (Community Manager)
A friendly note from your Community Managers:
Don't want to forget your question for this Ask Microsoft Anything (AMA) session? Post it in advance - here and now is great! Have multiple questions? We'd love it if you posted each one as a new comment so we can more easily see them and answer accordingly.