macOS
212 Topics

Understanding application types in Microsoft Intune for macOS
By: Iris Yuning Ye | Product Manager - Microsoft Intune

As an IT admin managing macOS endpoints, leveraging Microsoft Intune for app deployment can streamline your workflow and enhance security. If you can install an app via macOS embedded terminal, we want to make sure Intune can do the same thing at scale for your devices. Intune supports various app types, each with its unique use cases and benefits. In this blog, we’ll explore the differences among these app types and provide guidance on when and how to use each one.

> macOS > Add app).

There are two channels for apps that are deployed in Intune to managed macOS endpoints:

Apple’s mobile device management (MDM): The MDM channel is the built-in device management channel provided by Apple. When using the MDM channel, there are strict rules ensuring apps are installed from trusted sources that are recognized by Apple. Review Apple’s documentation for further details: Distribute custom packages for Mac - Apple Platform Deployment.

Intune agent: The Intune agent channel allows more flexible app installations from Microsoft Intune on managed macOS endpoints. For this channel, admins must upload the DMG or PKG file to Intune. The macOS device then downloads this file and installs the app locally.

MDM channel apps

Microsoft apps

These are Microsoft first-party apps that can be directly installed from Intune, and you don’t need to upload any file. In addition, Intune installs Microsoft AutoUpdate to run in the background on macOS, and will update the existing Microsoft apps to the latest version available at the time.

Recommended usage scenario: You want to be on the latest version of the core Microsoft apps without having to upload the apps or maintain upgrades over time.

Add these apps through the Intune admin center by selecting the specific apps you want to deploy. Also, ensure your users have the necessary licenses to access these apps. Find more details in: Understand Microsoft apps in Microsoft Intune.
App Store – Volume Purchase Program (VPP) apps

Since Apple VPP apps are managed via Apple Business Manager or Apple School Manager and synchronized to Intune via a VPP token, this option is not available in the dropdown list for Intune app types.

Recommended usage scenario: You need to manage (assign/revoke/reassign) licenses of free or purchased store apps or custom apps. Or, you need to deploy App Store apps without the user having to log in to the App Store. This can be achieved by using device licensing.

Apple supports uploading PKG from App Store, but you will need access to:
Apple Developer account
Apple Developer certificate
Apple App Store notarization

Find more details in: How to manage iOS and macOS apps purchased through Apple Business Manager with Microsoft Intune.

Web clip

Web clips are used to direct users to specific web resources from within the Intune Company Portal. This is helpful for guiding users to important sites or resources.

Recommended usage scenario: You need to provide easy access to websites as pinned Dock items.

Add a web link in Intune by specifying the URL. It will appear in the Company Portal as “Required app” for easy access. Find more details in: Add web apps to Microsoft Intune.

Web link

Web link shares similar functionalities with Web clip. But web clip has the most up to date settings, so we recommend using web clip to cover web link cases. Find more details in: Add web apps to Microsoft Intune.

Line-of-business (LOB) app

macOS LOB apps are typically developed in-house. This app type requires you to upload a PKG file to Intune. Then, Intune installs the LOB app on the user's device. It’s highly recommended to only upload flat packages, which must not have nested folders within the archive.

Recommended usage scenario: You need to manage app removal on Intune MDM unenrollment and manage whether the app data is backed up to iCloud. The apps must be marked as “install as managed”.
Your PKG app is signed using an Apple Developer ID installer certificate.

PKGs for LOB apps must be signed using an Apple Developer ID installer certificate. If you need to distribute a PKG that is unsigned, use the macOS (PKG) option instead. Find more details in: Understand line-of-business apps for your managed environment.

Intune agent channel apps

macOS DMG app

An admin has to upload a DMG file from local when creating a new app policy in admin portal. The .app under the DMG file will be copied to the Applications folder to install on the device.

Recommended usage scenario: You need to deploy a disk image that contains one or more applications in .app format to be installed to the Applications folder.

Note that all apps are unmanaged and won’t be uninstalled when the MDM profile is removed. Find more details in: Add a macOS DMG app to Microsoft Intune.

macOS PKG app

An admin has to upload a PKG file from local when creating a new app policy in the admin center. Complex PKGs are also supported by this deployment type.

Complex PKG: A complex PKG refers to a type of package file used primarily in macOS environments that includes more intricate configurations and requirements compared to standard PKG files. These packages often contain multiple components, scripts, and dependencies that need to be managed during the installation process.

Recommended usage scenario:
You need to deploy a PKG with advanced controls for pre-install or post-install scripts.
You need to deploy a PKG containing only scripts and no app payload.
You need to deploy a PKG that the macOS LOB app workflow cannot install.
You need to deploy a PKG that is not signed by an Apple Developer ID installer certificate.

Pre-install and post-install scripts are available for apps installed via Intune agent. Note that all apps are unmanaged and won’t be uninstalled when the MDM profile is removed. Find more details in: Add an unmanaged macOS PKG app to Microsoft Intune.
Conclusion

In summary, Intune provides robust support for managing macOS endpoints through its comprehensive app deployment capabilities, allowing you to confidently deploy and manage a variety of application types to meet the diverse needs of your organization. Stay tuned for our next blog on pre- and post-install scripts for macOS!

Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.

1K Views, 1 like, 3 Comments

Booking events not appearing on Apple Calendar
Cross posting from an Apple Support community post here. Seems that when an event is created on my Outlook/M365 calendar at work, it never appears on my Apple Calendar for that account. All other events are sync'ing up just fine and show as any other event. This seems to be an issue on the current version of MacOS Calendar for Ventura and on Big Sur. Anyone else having issue with Booking events not appearing in their Apple Calendar?

Solved, 7.4K Views, 9 likes, 10 Comments

Appointments in Bookings are no longer synchronized with Apple Calendar
Hello, since macOS Sequoia the appointments in Bookings are no longer synchronized with Apple Calendar on Mac. However, the appointments are synchronized on iOS 18.2 devices. Has anyone else had this problem?

60 Views, 3 likes, 3 Comments

enable Accessibility Tree on macOS in the new Teams (work or school)
hello! so i build apps for macOS that use the AX Tree exposed by other apps. in the old Teams, i was able to expose the AX Tree by sending a call to Teams (see https://www.electronjs.org/docs/latest/tutorial/accessibility#macos for more info). it doesn't work anymore in the new Teams. there's another flag that can be sent to apps, but it doesn't work either. the new Teams doesn't expose its AX Tree to my calls. but i **KNOW** it is possible to expose it, because i've found at least one third party app that is able to do so. so, my question, what needs to be done to the new Teams so that i can have access to the AX Tree with my own apps? thank you!

938 Views, 1 like, 9 Comments

Windows could not start the SQL server (SQLEXPRESS) service (macOS)
I have a common problem that I just cannot figure out after scrolling through posts expressing a similar issue. I am currently running a macOS using a virtual machine that has Windows 11. Due to what I understand are compatibility issues in the CPU architecture, I downloaded SQL Server 2019 Localdb. After downloading the engine, I noticed that SQL Server (SQLEXPRESS) is stopped in SQL Server Configuration Manager, but when I try to right click and start, I get the message shown in the pictures with an operating system error 3.

initerrlog: Could not open error log file 'C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Log\'. Operating system error = 3(The system cannot find the path specified.).

I checked the file paths again and they are all correct. Also, I noticed that the startup parameters were not listed so corrected this issue by going to the Registry Editor and added the strings manually. They were added successfully in the Configuration Manager, but when I go to start the service I get the same error message as above saying that my request failed (Event ID: 17058), but this time the issue is I get an Access Denied:

initerrlog: Could not open error log file ‘c:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Log\ERRORLOG’. Operating system error = 5(Access is denied).

I went to folder security and granted full access to all the users, but that did not solve the problem. Any help would be much appreciated.

46 Views, 0 likes, 1 Comment

macOS 'native' app consuming too much memory/GPU (Apple Silicon)
Dear Microsoft,

Ever since the launch of the Apple Silicon machines, macOS users have been using the macOS native app of Teams via Rosetta 2. Due to that, the application is consuming a great amount of memory when compared to the Edge PWA of the Microsoft Teams web app. In my day-to-day I can notice that the Microsoft Teams app is in total consuming 2,10GB, however, if I hop into a call that number increases to 3,10GB. If the video camera is turned on it goes beyond 3,30GB.

Besides memory, there's also the battery life component where teams are my highest energy usage app on my Macbook Pro 14" with the M1 Pro chip. Due to that my battery life only lasts up to 5-6 hours maximum. Additionally, I noticed during a video call my M1 Pro (GPU) is being used by around 80-90% when using the webcam.

I understand developing a 'Universal App' takes time but I would like to ask ahead of the 'Performance' event what are your plans for the macOS users because we have been enduring this for the last 2 years ever since the M1 machines came out. Could you possibly let us know of a possible Beta Preview version of a universal app or an up-to-date Electron version that supports performance improvements? Please point me in the right direction so I can upload logs/stats regarding performance to further help you improve the product and assist the development team if needed.

RDP is locked to 30FPS for MacOS clients
I have found that even after going through the guide below, RDP connection remains locked to 30FPS if I connect to my Windows machine from my Mac.

Frame rate is limited to 30 FPS in remote sessions - Windows Server | Microsoft Learn

Is there any way to set the frame rate to 60FPS while using the Mac client for RDP? Thank you.

52 Views, 0 likes, 0 Comments

macOS - SCEP user certificate is not re-enrolled when user delete it from Keychain
Hi, we are facing strange issue within Intune, when manually deleted SCEP User certificate is not re-enrolled automatically based on configuration profile. Also this configuration profile is NOT marked as non-compliant even after a week of syncs for that device. And what is the most important, SCEP configuration profile definition from point of view of macOS knows, that SCEP certificate is missing because, when you open config profile within Settings/Device Management on macOS, there is error saying "Not found in keychain".

Documentation https://learn.microsoft.com/en-us/mem/intune/protect/remove-certificates saying exactly following:

Manually deleted certificates

Manual deletion of a certificate is a scenario that applies across platforms and certificates provisioned by SCEP or PKCS certificate profiles. For example, a user might delete a certificate from a device, when the device remains targeted by a certificate policy. In this scenario, after the certificate is deleted, the next time the device checks in with Intune it's found to be out of compliance as it is missing the expected certificate. Intune then issues a new certificate to restore the device to compliance. No other action is needed to restore the certificate.

So it means that if user delete SCEP User certificate from keychain, doesn't matter if it was intention or accident, as long as I keep SCEP Configuration profile within Intune for exact device and user, Intune must initiate re-enrolling/re-generating new certificate based on this profile. This is not happening on our macOS's laptops and only workaround I've got from MS Support is to remove device from Configuration profile and then return it back... But imagine when you have 1000 macOS laptops and 100 users (extreme example, but could happen, i.e. developers trying things) delete their certificates from Keychain. Whole action to removing devices and users from that profile is time wasting.
first create special groups to include affected devices and affected users, then add that group to exclusion, wait a long for sync of all macOS's, then starting to removing those devices and users from group to return configuration profile back.

Also comment from MS Support was, that they cannot escalate the case to different team, because I have selected exact time zone and only they are responsible for that time zone (what a bullshit???) and that my case is already escalated within his team manager. But his team manager is same low-skilled incompetent as engineer got my support case. And if certificate is returned when I remove and re-add config profile, then case is finished (what another bullshit????) - but from my point of view it's not finished because it's not a fix, it's workaround and very complex, time and money wasting workaround.

Note to Microsoft: Please STOP hiring ! low-skilled incompetent Indian support teams, just because they cost less than European or United States engineers!!!! You are wasting our money, our time, our patience and you want more and more money for your subscriptions and we are getting less and worse services.

188 Views, 1 like, 0 Comments