Nov 04 2022 05:27 AM
I have recently taken over management of my company's Intune/Endpoint Manager environment for management of iOS and macOS devices. The current setup has multiple configuration profiles that are assigned to a machine group that dynamically contains all macOS devices. We have Endpoint Manager connected to Apple Business Manager, so the devices automatically enroll in Endpoint Manager at first boot. When the desktop support tech goes to set up a new macOS device for a user, they create local user accounts for the user and for tech use. At that time, the configuration profiles (and some apps assigned as "required") install as expected in the background. Note: the tech does NOT log in to Company Portal, as this effectively assigns their user account to that machine in Endpoint Manager. Once they have completed the initial setup, they have the user log in to the device and then log in to Company Portal. However, to do so, the tech has to first remove the configuration profiles, then log in to Company Portal, and then the configuration profiles download and install again. I found that in Tenant admin > Customization > Configuration, device enrollment is set to "Available, with prompts".
My question is: if we are auto-enrolling devices, would setting the "Device Enrollment" option in the Customization section of Tenant Admin to "Available, no prompts" or "Unavailable" get rid of this roundabout issue we're seeing with the Company Portal app setup?
Nov 05 2022 05:28 PM
Nov 06 2022 06:01 PM - edited Nov 06 2022 06:04 PM
Hi @klenTAHN,
I guess you're using the User Affinity enrollment method in your macOS enrollment profile. Apple Setup Assistant prompts during the enrollment process to log in to Azure, which supports modern authentication now.
Do you know what user the techs are using during the process (this step is before creating the local admin)? As a workaround to the issue you're seeing, I would ask the techs to use the employee's credentials during the enrollment process; this will eliminate that issue with the Intune Portal and re-enrollment. Because user affinity enrollment is a one-to-one relationship, you can't use a DEP account. Otherwise you have to use the device type, but that's not your requirement.
I have included three articles; note the 2nd one shows the enrollment when modern authentication is not supported.
Hope this helps!
Moe
From the MSFT docs:
"Use this method to automate the enrollment experience on devices purchased through Apple Business Manager or Apple School Manager. Automated device enrollment deploys the enrollment profile over-the-air, so you don't need to have physical access to devices."
https://learn.microsoft.com/en-us/mem/intune/enrollment/macos-enroll?WT.mc_id=EM-MVP-5003177
https://hmaslowski.com/home/f/corporate-macos-automated-device-enrollment-ade-to-memintune
https://oliverkieselbach.com/2021/07/14/comprehensive-guide-to-managing-macos-with-intune/
Nov 07 2022 05:55 AM
Nov 07 2022 05:08 PM - edited Nov 07 2022 05:09 PM
Hi @klenTAHN,
It's not possible; Company Portal checks to see if the logged-on user has UDA (User Device Affinity) with the device. If they don't, it'll try to enroll again, which is what you're seeing.
The best way is to use User Affinity and sign in with user creds; it's very similar to the Windows Autopilot experience.
Hope this helps!
Moe
Nov 11 2022 07:56 AM