User Profile
PatrickF11
MCT
Joined 7 years ago
Recent Discussions
Re: VPP Licensing Issues

foigus, thank you very much for being part of this discussion / problem solving. 🥳 (And sorry for my really late reply, my inbox is currently exploding.) I'm torn between these two: On one hand I really like your idea of setting up two separate VPP tokens (as you (and Apple as well) called them, "locations") in one ABM instance, because this seems to work as you outlined in detail. Thank you! On the other hand I think this is "way too heavy" as a neat solution to this issue. I would be really interested if Microsoft gets in touch with you with a "better" answer, but I guess not.. :D

And by the way: didn't you write a private message to me? The Tech Community shows some unread messages, but when clicking on the messages icon there are zero items loading :/

Conditional Access falsely detects logins from Android as Linux (and blocks them)

Hi everyone, we're facing an issue which we can't solve correctly:

Scenario: Users are accessing M365 content from Windows, iOS and Android devices. Conditional Access is configured to block logins from "unknown platforms", so only Windows, iOS and Android are allowed.

Issue: Some users experience weird issues: They're using an app with M365 SSO. The app opens up the Edge browser for handling the login flow. Afterwards the login fails. As I can see in the Entra sign-in logs, the user agent is Linux. (Therefore it gets blocked correctly.) A few minutes before, the same user, with the same mobile phone, with the same app, isn't blocked, because the login was recognized correctly as Android.

Currently I don't have any ideas and I was hoping some of you have great ideas. 🙂 (Adjusting the Conditional Access policy to allow Linux isn't an option, of course.)

Regards, Patrick

Re: New Intune App listed?

Jeevious, same issue here, but not solved yet. The customer wanted us to create a Conditional Access policy that blocks sign-ins from unmanaged devices. Therefore I've created:

- All users included
- All cloud apps included; "Microsoft Intune" and "Microsoft Intune Enrollment" excluded
- Conditions: Exclude filtered devices: deviceOwnership -eq Company OR deviceOwnership -eq Personal
- Access control: Block

The policy is fine, I guess. But: The sign-in logs of the user show that the app the user is trying to sign in to during Intune enrollment is "Microsoft Intune Web Company Portal". Unfortunately this cannot be excluded. (By the way: We're using Automated Device Enrollment via Apple Business Manager / Intune Enrollment Program Token to enroll these devices.) There must be a better solution than excluding users temporarily from the policy..... 😕 (This cannot be a solution, of course.)

Here you can see the sign-in logs:

Right after excluding the user from the Conditional Access policy it worked immediately (of course). (The "interrupt" event was the MFA prompt, just as expected.)

Kind regards, Patrick

Re: Platform SSO for macOS not working

Thanks for your posting. But we need to make clear that there is a huge difference between using "Password" or "Secure Enclave" mode. In my understanding: Password is only a thing to make the user experience a little better by keeping the Entra ID and the local password in sync, so the user only needs to remember one password. Secure Enclave instead is a feature like Windows Hello for Business, so some kind of passwordless authentication which is respected by Entra MFA. Are there any other thoughts regarding my estimation?

Platform SSO for macOS not working

(Update after long troubleshooting: the two main issues until now were: Leading and/or trailing spaces in the configs > They lead to visible and invisible errors! When using it in Europe you need to remove some URLs (detailed information in this thread).)

Hi folks, I'm working hard on implementing Platform SSO for macOS (MS Learn) (2nd link: Join a Mac device with Microsoft Entra ID during the out of box experience with macOS PSSO (preview)) for ourselves and our customers. I worked all the way through the Microsoft Learn articles as well as 3rd party blog posts or Reddit discussions. (MS Intune Support thinks they need to forward my ticket to the Azure Support. I don't get it :D)

The issue is: The Platform SSO profile in Intune is always on error code 100001. I tested this with different tenants; in every single one the issue is the same. The config profile is configured as follows:

When looking at the device this is what should appear:

But this doesn't happen on the device. What I'm also wondering about: When signing in on a Mac device enrolled via ADE, after I log in to the Company Portal app (current version), it states that it is unable to register the device. Is this an expected behaviour? I don't think so, is it?

It would be so great to come into contact with others of you having the same issue or, even better, who solved these issues. 🙂 Thank you very much in advance.

Regards, Patrick

PS: Maybe some of the MS Learn article contributors have any idea? Mandi Ohlinger, arnabbiswas? 🙂

Re: Platform SSO for macOS not working

Intunestuff, oh sorry, I've immediately corrected this in my posting. I am surprised how I got this mixed up... Thank you for clarifying.

RussMeyer-Epik, thanks, but the Apple Business Manager is only responsible for synchronizing the devices to Intune. The deployment itself is via Intune of course. Maybe there are other ways I didn't know yet? Are you sure the "Token to User mapping" is necessary in this scenario? Do you have any documentation regarding this in the context of using ABM?

Drumroll..... It works... And the mistake was.... it was me... -.- Although I said that I would check everything twice, I had a... blank space.... (right before the Extension Identifier value). The pop-up appears immediately after this was fixed. For the sake of troubleshooting I did not add the "token to user mapping", so I can clearly see what would have been the issue. Currently I'm testing the Secure Enclave mode and whether it is working how it should work. I'm going to reply again when this is tested 🙂 (I've added a hint in the initial posting regarding the leading / trailing spaces in the configs and the URLs to be removed.)

Re: Platform SSO for macOS not working

After a few weeks I'm back testing Platform SSO. This is the current status: It is not working, even if the profile gets assigned successfully after removing some URLs. (Not working means nothing pops up for the user to click through the final steps to activate PSSO.) I've already worked through the mentioned article from intuneirl.

The main issues are:

- Company Portal is installed on the client but with installation failures in Intune: "One or more apps contain invalid bundleIDs. (0x87D13BA2)" The installation itself was done just as MS described or the intuneirl blog described. (Download package, new LOB app, upload, ...)
- When manually opening the Company Portal app on the Mac device it says "This device is not registered". (I'm not sure if this is really a problem or if it's just a consequence of the previous problem.)

Result: The whole deployment works just fine, except that Platform SSO is not popping up like mentioned e.g. in this screenshot:

And therefore nothing is registered inside the user account. When looking here the red area isn't there: (Screenshot from IntuneStuff Blog)

Any further ideas are highly appreciated. I'm a little bit desperate already 😞 Mandi Ohlinger: Some information from your side?

Thanks everyone in advance, Patrick 🙂

Re: Platform SSO for macOS not working

Hey Kishoth_P, Platformer, RussMeyer-Epik, thanks for participating in this topic. 🙂 What should I outline? My current configuration is already screenshotted in this thread, a few posts above yours. I've attached the current settings catalog screenshot again at the end of this post.

The Company Portal now gets installed correctly after removing all the app bundle IDs except for the main one (screenshot attached below) (kudos to Platformer). Currently I don't think this has anything to do with the main issue that PSSO isn't working. (But I really don't know why MS doesn't describe the issue with the bundle IDs in their docs?! Every administrator following the MS docs should have 100% errors in deploying the Company Portal app to macOS.)

The "registration required" pop-up (screenshot attached below) isn't showing up to complete the process, so: No, PSSO isn't working at all. The only way of logging in to the system is with the one local account with the initially set local password.

Platformer, I can recreate the error in your screenshot as you mentioned (Settings \ Passwords \ PW options \ ...). So we're both in the exact same situation. Great, isn't it? 😉 What do you mean with minimum authorization in your Entra ID? What I can tell regarding my environment: We're using cloud-only identities, no on-premises Active Directory. I don't think you're having issues with the Entra ID accounts. Of course you should use Entra ID Connect for example to sync your on-prem identities to Azure AD / Entra ID so you're working with "one account" and not with two separate ones for on-prem auth and cloud auth.

RussMeyer-Epik: Thanks for your information. But other than yours, mine (and I think the one from Platformer too) is configured via Apple Business Manager (Automated Device Enrollment). But: Where are trailing spaces? Every time I copy & paste something I check twice if there are trailing or leading spaces, so I can guarantee there are no wrong spaces in my configuration.

Current settings catalog for Platform SSO:

Company Portal installation:

Missing pop-up "registration required":

Re: iOS managed contacts - how to deal with that?

Just to keep anyone updated on this: In the meantime, we have still not found a simple solution for this other than using the 3rd party tool "Secure Contacts" at one of our customers. This works of course, but unfortunately this is not the preferred way for all of our customers. 😞 Why isn't Microsoft implementing Apple CallKit? This would be the best solution. 😞

Re: Platform SSO for macOS not working

mshrm, okay, I've removed four URLs and afterwards all the config was successful, BUT: Entra PSSO isn't showing the pop-up mentioned in the docs:

Do you have an idea? Let me outline all the configs I've made:

- Platform SSO policy deployed via settings catalog to All Users
- FileVault policy deployed via Endpoint protection policy instead of settings catalog, because settings catalog wasn't working as mentioned in my first posting
- Company Portal app deployed via line-of-business app to all devices

So what am I missing? What's missing for Platform SSO? How did you manage to activate FileVault without user interaction? The Endpoint protection policy asks the user for activation. In the settings catalog there is a policy which should enable FileVault before the user logs in; unfortunately this wasn't working for me (screenshot in 1st post).

Thanks in advance :--) Patrick

Re: Platform SSO for macOS not working

Hi Scott Breen, thanks for your feedback. The test device I use is on macOS Sonoma 14.5 (23F79). At the first step I didn't have an SSO extension profile because I did not find any advice to do so in the MS docs mentioned in my initial post. After opening up a support case, which unfortunately wasn't successful, I was advised to create an SSO extension template with these settings (applied to the device):

What MS Support told me is that FileVault needs to be in place.

- First issue: FileVault only becomes active when the user logs in and confirms it.
- After this the support told me to create a FileVault policy via settings catalog with the setting "Force Enable In Setup Assistant". Unfortunately this profile isn't that effective, because the only thing that happens is that the user gets the following prompt:

After confirming this message nothing happens (no active FileVault) and the message re-appears once in a while.

Re: dynamic group based on assigned license

I would like to suggest that most policies should go to device groups or "all devices". This makes the deployment more efficient if you're going to use the pre-provisioning feature. This is my personal best practice in nearly any customer environment. There are only very few policies that are applied to users in my cases.