Support tip: Troubleshooting Microsoft Intune management agent on macOS
By: Chris Kunze – Principal Product Manager | Microsoft Intune The Microsoft Intune management agent for macOS is a crucial part of deploying and managing applications and scripts through Intune. It manages running scripts and installing apps of types macOS app (DMG) and macOS app (PKG). The following questions will help you verify if your Intune management gent is installed, operational, and functioning properly. Is the agent installed? The Intune management agent, displayed as Microsoft Intune Agent on a device, is installed when scripts or apps requiring the agent are assigned. This is usually at device enrollment since the agent installs immediately after the device receives the Intune management profile. Once installed, you can find the agent at /Library/Intune/Microsoft Intune Agent.app. You can also check the version of the client installed by right clicking the file and selecting 'Get Info'. A screenshot of the Microsoft Intune agent information. Are the agent processes running? There are two processes that should run once the agent installs: IntuneMdmDaemon: Responsible for PKG, DMG, and running scripts as root. IntuneMdmAgent: Responsible for running scripts as user. You can use the following command in Terminal to determine if the processes are running: pgrep -il "^IntuneMdm" If it’s determined that the processes aren’t running, they can be restarted by launching the Microsoft Intune Agent.app. Are logs being generated? The transaction logs for the Microsoft Intune Agent start with IntuneMDMDaemon and are found at /Library/Logs/Microsoft/Intune. If the transaction logs aren’t being generated, and the Microsoft Intune Agent is installed, ensure that scripts or PKG or DMG apps are assigned to the device. If the transaction logs aren’t being generated, and the Microsoft Intune Agent is installed, ensure that scripts or PKG or DMG apps are assigned to the device. What is shown in the logs? The IntuneMDMDaemon logs are broken up into 6 columns of data delimited by a pipe character (|). Each log line provides the following information: Date and time of the log Process (IntuneMDM-Daemon) Log level (Information, Warning, and Error) Process ID Task that wrote the log Task information Note: The logs in this blog were collected on different days and times and may not align perfectly between sections. A screenshot of the agents logs for the IntuneMDMDaemon process. Did the app install? If you're troubleshooting a specific app that isn't installing correctly, start by searching or filtering the log using the app ID or app name. The app ID is typically the most reliable identifier, as it consistently marks log entries related to that app. You can discover an app’s ID in the logs or in the URL of the app in the Microsoft Intune admin center. For example, in the screenshot below, the highlighted section of the URL in the address bar represents the app ID of the sample app shown. A screenshot of the Microsoft Intune admin center, highlighting the app ID displayed in the URL. You can also retrieve the app ID (displayed as the PolicyID) from the logs themselves by searching for the app name as in the following example log line: 2025-06-13 10:04:02:924 | IntuneMDM-Daemon | I | 10429 | AppDetector | Detecting app with specific bundle ID. PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, AppName: [CK] Add Scripts, BundleID: com.intune.AddScripts, AppType: PKG, IgnoreVersion: true The Microsoft Intune Agent detects if an app is installed on the device two ways: Is the bundle ID returned from a Spotlight Search? Is there a package receipt? To manually check for bundle ID and package receipt, use the following Terminal commands. Spotlight Search test Note: This command is case sensitive so pay special attention to the case of the bundle ID. mdfind "kMDItemCFBundleIdentifier == '{bundleid}'" A screenshot of the output of the mdfind command run in Terminal. Package receipt test Use pkgutil in Terminal to check if the package is installed. pkgutil --pkg-info {bundleid} A screenshot of the output of the pkgutil command run in Terminal. If your app or script isn't in the logs, check its assignment in the Intune admin center. Log entries will show reasons for any installation failures. When did the agent start? Each time the agent starts, a full sync will be kicked off and you’ll see the following line in the logs: 2025-06-13 10:03:59:892 | IntuneMDM-Daemon | I | 10426 | SidecarDaemonLifecycleManager | Initializing service. This line is added to the current log whenever the agent starts or restarts—whether due to a system reboot, the agent process being terminated, or an update being applied. Missing device ID and tenant ID? After enrollment, the first time the Microsoft Intune Agent runs, the logs will return these two lines: 2025-06-13 10:03:59:893 | IntuneMDM-Daemon | W | 10432 | TreatmentProvider | Missing device ID 2025-06-13 10:03:59:893 | IntuneMDM-Daemon | W | 10432 | TreatmentProvider | Missing tenant ID This occurs because the agent doesn’t have the device or tenant ID yet, so it requests these details from the gateway. After the information has been collected, your logs will have something similar to these lines: 2025-06-13 10:04:01:415 | IntuneMDM-Daemon | I | 10434 | VerifyEnrollmentStatus | Successfully verified MDM server info. URL: https://i.manage.microsoft.com/DeviceGatewayProxy/ioshandler.ashx?Platform=MacMDM 2025-06-13 10:04:01:415 | IntuneMDM-Daemon | I | 10434 | VerifyEnrollmentStatus | Successfully verified device status. DeviceId: 04674b8c-69b5-4450-b4dc-82a8c0025d18, OSVersionActual: 15.5.0, Version: 2506.002, VersionInstalled: 2506.002 2025-06-13 10:04:01:415 | IntuneMDM-Daemon | I | 10434 | VerifyEnrollmentStatus | Successfully verified enrollment status. Environment: PROD, Region: NA, ASU: AMSUA0602, MSU: MSUA06, AccountID: 691617c5-0000-0000-0000-000000000000, AADTenantID: c53fda5f-0000-0000-0000-000000000000 What is the HealthCheckWorkflow? The Microsoft Intune agent has a heartbeat that runs about every minute to verify the status of the agent and connection to Intune. If the agent is running properly, the following two log lines will represent this heartbeat: 2025-06-13 10:03:59:893 | IntuneMDM-Daemon | I | 10432 | HealthCheckWorkflow | Starting health check Domain: pulse 2025-06-13 10:03:59:901 | IntuneMDM-Daemon | I | 10426 | HealthCheckWorkflow | Completed health check Domain: pulse What policies are installed? You can see what policies are installed by the Microsoft Intune Agent in the logs. A line similar to the one below lists the policy IDs for the policies: 2025-06-13 10:04:02:923 | IntuneMDM-Daemon | I | 10435 | SyncActivityTracer | Validating data Context: apply mac app policies, Count: 4, PolicyID: ["14f79200-7c53-48ed-8d8e-287ae52a9c82", "c76df059-7bc6-468c-956d-56cf63a59888", "cc2af15f-9ed6-4c65-89bd-bc203031803f", "f6b5b5bd-9e87-42fc-94f8-31a2bc4bc255"] This list includes all Microsoft Intune Agent policies, including PKGs, DMGs, and shell scripts. If the policy ID isn’t listed for the app you want installed or script you want to run, it’s likely that itisn’t assigned properly. What will I see when a required app installs? When a device is notified of an app to install, the logs show the following. Determine intent for Required app: 2025-06-13 10:04:02:924 | IntuneMDM-Daemon | I | 10429 | AppPolicyHandler | Handling app policy. PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, Primary BundleID: com.intune.AddScripts, IgnoreVersion: true, Count: 1, AppType: PKG, App Policy Intent: RequiredInstall Detecting app: 2025-06-13 10:04:02:924 | IntuneMDM-Daemon | I | 10429 | AppDetector | Detecting app with specific bundle ID. PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, AppName: [CK] Add Scripts, BundleID: com.intune.AddScripts, AppType: PKG, IgnoreVersion: true Detecting app by path: 2025-06-13 10:04:02:978 | IntuneMDM-Daemon | W | 10431 | AppDetector | Error detecting install path for app. Error: BundleInfoProviderError.bundleNotFound, PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, AppName: [CK] Add Scripts, AppType: PKG, BundleID: com.intune.AddScripts, IgnoreVersion: true App not found by path: 2025-06-13 10:04:02:978 | IntuneMDM-Daemon | I | 10431 | AppDetector | App not found on disk, trying to detect app receipt PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, AppName: [CK] Add Scripts, BundleID: com.intune.AddScripts, AppType: PKG, IgnoreVersion: true Detecting app by receipt (bundle ID): 2025-06-13 10:04:02:978 | IntuneMDM-Daemon | I | 10431 | AppDetector | App not found on disk, trying to detect app receipt PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, AppName: [CK] Add Scripts, BundleID: com.intune.AddScripts, AppType: PKG, IgnoreVersion: true App receipt not found: 2025-06-13 10:04:03:064 | IntuneMDM-Daemon | I | 10429 | AppDetector | Receipt not detected in receipt library, install app PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, AppName: [CK] Add Scripts, BundleID: com.intune.AddScripts, AppType: PKG, IgnoreVersion: true 2025-06-13 10:04:03:064 | IntuneMDM-Daemon | I | 10429 | AppDetector | App with specific bundle ID is NOT installed on the device. PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, AppName: [CK] Add Scripts, BundleID: com.intune.AddScripts, AppType: PKG, IgnoreVersion: true Need to install app: 2025-06-13 10:04:03:064 | IntuneMDM-Daemon | I | 10429 | AppInstallManager | App policy execution plan: Install PKG app [CK] Add Scripts PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, AppName: [CK] Add Scripts, AppType: PKG, BundleID: com.intune.AddScripts Starting app install: 2025-06-13 10:04:03:064 | IntuneMDM-Daemon | I | 10429 | AppInstallManager | Starting app installation for mac app policy. PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, AppName: [CK] Add Scripts, AppType: PKG, BundleID: com.intune.AddScripts Download app: 2025-06-13 10:04:03:064 | IntuneMDM-Daemon | I | 10429 | AppBinaryDownloader | Start app content info metadata download PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, AppName: [CK] Add Scripts, BundleID: com.intune.AddScripts 2025-06-13 10:04:03:064 | IntuneMDM-Daemon | I | 10429 | SidecarService | Getting mac app content info from GW PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, AppName: [CK] Add Scripts 2025-06-13 10:04:03:788 | IntuneMDM-Daemon | I | 10432 | AppBinaryDownloader | Starting app binary download for mac app policy. PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, AppName: [CK] Add Scripts, Size: 2948.0 2025-06-13 10:04:03:812 | IntuneMDM-Daemon | I | 10432 | AppBinaryDownloader | Attempt 1 of 3 to download app binary. PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, AppName: [CK] Add Scripts, BundleID: com.intune.AddScripts 2025-06-13 10:04:03:817 | IntuneMDM-Daemon | I | *10417 | HttpClientLogger | Network request succeeded. Method: PUT, StatusCode: 200, Description: ok, URL: https://agents.amsua0602.manage.microsoft.com/TrafficGateway/TrafficRoutingService/SideCar/StatelessSideCarGatewayService/SideCarGatewaySessions('7EFAA5B2-ADA9-4422-A55C-A2A08FBB6655')?api-version=1.1, ClientRequestId: 7665A5F1-3E11-406E-910B-715EE3231BD1 2025-06-13 10:04:03:943 | IntuneMDM-Daemon | I | 10427 | AppBinaryDownloader | Successfully downloaded app binary content. PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, AppName: [CK] Add Scripts, BundleID: com.intune.AddScripts Decrypt content: 2025-06-13 10:04:03:943 | IntuneMDM-Daemon | I | 10427 | AppInstallManager | Starting app binary decryption for mac app policy. PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, AppName: [CK] Add Scripts, AppType: PKG, BundleID: com.intune.AddScripts Install Required app: 2025-06-13 10:04:03:945 | IntuneMDM-Daemon | I | 10427 | AppInstallManager | Install required for app PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, AppName: [CK] Add Scripts, AppType: PKG, BundleID: com.intune.AddScripts 2025-06-13 10:04:03:945 | IntuneMDM-Daemon | I | 10427 | PkgInstaller | Starting PKG app installation PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, BundleID: com.intune.AddScripts, AppName: [CK] Add Scripts 2025-06-13 10:04:03:945 | IntuneMDM-Daemon | I | 10427 | ScriptOrchestrationLogger | Running system script. Domain: apps, User: root, PolicyID: c76df059-7bc6-468c-956d-56cf63a59888 Successful app install: 2025-06-13 10:04:05:362 | IntuneMDM-Daemon | I | 10551 | PkgInstaller | Successful PKG installation - installer completed with success status PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, BundleID: com.intune.AddScripts, AppName: [CK] Add Scripts 2025-06-13 10:04:05:363 | IntuneMDM-Daemon | I | 10551 | AppInstallManager | Successfully installed all apps PolicyID: c76df059-7bc6-468c-956d-56cf63a59888, AppName: [CK] Add Scripts, ComplianceState: Installed, EnforcementState: Success, Product Version (BundleID of primary app): 1.0, Primary BundleID: com.intune.AddScripts 2025-06-13 10:04:05:363 | IntuneMDM-Daemon | I | 10551 | ExecutionClock | Policy measurement. ID: c76df059-7bc6-468c-956d-56cf63a59888, Context: macAppInstall, Duration: 2.4395320415496826, Status: success If your logs diverge from the above, be sure that the app is assigned properly and all the correct endpoints are reachable by the client system. What do I see when an available app installs? Available app installs are very similar to required app installs. The main difference is that no detection is run prior to installing the app. In addition, the log lines that show the determined intent and installation are slightly different. Determine intent for Available app: 2025-06-18 12:52:38:693 | IntuneMDM-Daemon | I | 27013 | AppPolicyHandler | Handling app policy. PolicyID: 69045d7b-4e79-464b-bff6-3d4908f303f3, Primary BundleID: com.intune.TestScript, IgnoreVersion: true, Count: 1, AppType: PKG, App Policy Intent: Available Install Available app: 2025-06-18 12:52:38:693 | IntuneMDM-Daemon | I | 27013 | AppInstallManager | Available app install, skipping detection PolicyID: 69045d7b-4e79-464b-bff6-3d4908f303f3, AppName: [CK] Test Script, AppType: PKG, BundleID: com.intune.TestScript 2025-06-18 12:52:38:693 | IntuneMDM-Daemon | I | 27013 | AppInstallManager | Install required for app PolicyID: 69045d7b-4e79-464b-bff6-3d4908f303f3, AppName: [CK] Test Script, AppType: PKG, BundleID: com.intune.TestScript What do I see when a script runs? Scripts and their execution are also captured in the logs. Since you can only assign scripts as required, no intent is determined. Unless you schedule a script to run on a recurring basis, scripts will only run once on a Mac. Script to run 2025-06-18 13:12:38:188 | IntuneMDM-Daemon | I | 8303 | ScriptPolicyRunner | Running ad-hoc script policy PolicyID: b9b4b299-9a36-40bf-b43a-db295ee49dd6, ExecutionContext: root, ExecutionFrequency: 0, RetryCount: 3, BlockExecutionNotifications: true Starting script 2025-06-18 13:12:38:235 | IntuneMDM-Daemon | I | 5355 | ScriptOrchestrationLogger | Running management script. Domain: policy, User: root, PolicyID: b9b4b299-9a36-40bf-b43a-db295ee49dd6 Completing script 2025-06-18 13:12:43:949 | IntuneMDM-Daemon | I | 5355 | ScriptOrchestrationLogger | Finished management script. Domain: policy, User: root, PolicyID: b9b4b299-9a36-40bf-b43a-db295ee49dd6 Script run status 2025-06-18 13:12:43:950 | IntuneMDM-Daemon | I | 5355 | ScriptPolicyRunner | Ad-hoc script policy ran PolicyID: b9b4b299-9a36-40bf-b43a-db295ee49dd6, TotalRetries: 0, Status: Success, ExitCode: 0 How long did it take to run? 2025-06-18 13:12:43:950 | IntuneMDM-Daemon | I | 5355 | ExecutionClock | Policy measurement. ID: b9b4b299-9a36-40bf-b43a-db295ee49dd6, Context: shellScript, Duration: 5.769531011581421, Status: success Already run script 2025-06-18 13:13:28:232 | IntuneMDM-Daemon | I | 11413 | AdHocScriptProcessor | Not running script policy because this policy has already been run. PolicyID: b9b4b299-9a36-40bf-b43a-db295ee49dd6 When you assign a script to a device, the install configuration is also sent to the device. The configuration for this is also listed in the log and an example is included above in the “Script to run” bullet. The following table shows the mapping of settings from the Intune admin center for a script to the values shown in the log for this type of log line. Value in Intune Representation in logs Run script as signed-in user ExecutionContext Hide script notifications on devices ExecutionFrequency Script frequency RetryCount Max number of times to retry if script fails BlockExecutionNotifications Conclusion The Microsoft Intune Agent for macOS is a critical part of Mac management in Intune as it’s responsible for running shell scripts and installing both PKG and DMG types of macOS apps. This blog discussed how to access the logs for the macOS Microsoft Intune management agent, what is collected, how to read, and understand the logs to determine what apps were installed and what scripts were ran. Resources Here are some additional resources to help with your macOS management journey with Intune. Understanding Microsoft Intune management agent for macOS Add an unmanaged macOS PKG app to Microsoft Intune Add a macOS DMG app to Microsoft Intune Use shell scripts on macOS devices in Microsoft Intune Network endpoints for Microsoft Intune If you have any questions or want to share how you’re managing your macOS devices with Intune, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn.Support tip: Move to declarative device management for Apple software updates
By: Benjamin Flamm – Product Manager | Microsoft Intune Apple recently announced at the Worldwide Developer Conference (WWDC) in June 2025 that mobile device management (MDM) software updates are deprecated in the upcoming Apple OS 26 versions. Instead, software updates will need to use declarative device management (DDM). In this blog, we want to provide you with everything you need to know to navigate this transition and easily manage software updates in DDM. What is DDM? DDM is an enhancement to Apple’s device management protocol that makes devices more proactive and autonomous, and this is perfectly highlighted by the major improvements that DDM brings to managing software updates. Previously, Intune had to send update commands and repeatedly check for the update status. With DDM, Intune simply tells the device the required OS version and the installation deadline, while the device proactively updates Intune on its progress from download to installation. Move to DDM for software updates The MDM software update features in Intune will initially be marked as ‘deprecated’ in the Intune admin center and support will end shortly after Apple OS 26 releases. Devices will ignore MDM update settings when DDM update settings are being enforced, so the only steps you need to do are to create your DDM update policies using the settings catalog. The following table lists the MDM software update features that’ll be unsupported later this year, along with the matching DDM feature that is currently available or coming soon. Legacy MDM feature New DDM feature iOS/iPadOS update policies Software Update or Software Update Enforce Latest settings, located in the settings catalog under Declarative Device Management (DDM): macOS update policies iOS update installation failures report Apple software update failures (Devices > Monitor) which is expected to release with Intune’s August (2508) service release. macOS update installation failures report Software updates report (macOS per-device) macOS software updates (Devices > All devices, select a macOS device > macOS software updates) which is expected to release with Intune’s July (2507) service release. macOS Settings catalog > Software Update payload and settings Software Update Settings located in the settings catalog under Declarative Device Management (DDM): Settings in the iOS or macOS ‘Device restrictions’ template Settings catalog > Restrictions, software update delay settings How do I manage software updates using Intune? With Apple deprecating MDM software updates, DDM is the recommended method to manage software updates in your organization. For a thorough guide that highlights the differences between MDM and DDM, along with how to configure DDM software updates review: Managed software updates with the settings catalog. Useful resources Apple announcements: Announcement of DDM software updates at WWDC 2023 Introduction of Software Update Settings at WWDC 2024 Announcement of MDM update deprecation at WWDC 2025 Intune Apple settings catalog configuration list | Microsoft Learn Apple Platform Deployment guide for managing updates | Apple Support Stay tuned to this post for updates! If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune.Blocking and removing apps on Intune managed devices (Windows, iOS/iPadOS, Android and macOS)
By: Michael Dineen - Sr. Product Manager | Microsoft Intune This blog was written to provide guidance to Microsoft Intune admins that need to block or remove apps on their managed endpoints. This includes blocking the DeepSeek – AI Assistant app in accordance with government and company guidelines across the world (e.g. the Australian Government’s Department of Home Affairs Protective Policy Framework (PSPF) Direction 001-2025, Italy, South Korea). Guidance provided in this blog uses the DeepSeek – AI Assistant and associated website as an example, but you can use the provided guidance for other apps and websites as well. The information provided in this guidance is supplemental to previously provided guidance which is more exhaustive in the steps administrators need to take to identify, report on, and block prohibited apps across their managed and unmanaged mobile devices: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices. iOS/iPadOS devices For ease of reference, the below information is required to block the DeepSeek – AI Assistant app: App name: DeepSeek – AI Assistant Bundle ID: com.deepseek.chat Link to Apple app store page: DeepSeek – AI Assistant Publisher: 杭州深度求索人工智能基础技术研究有限公司 Corporate devices (Supervised) Hide and prevent the launch of the DeepSeek – AI Assistant app The most effective way to block an app on supervised iOS/iPadOS devices is to block the app from being shown or being launchable. Create a new device configuration profile and select Settings Catalog for the profile type. (Devices > iOS/iPadOS > Configuration profiles). On the Configuration settings tab, select Add settings and search for Blocked App Bundle IDs. Select the Restrictionscategory and then select the checkbox next to the Blocked App Bundle IDs setting. > Devices > Configuration profile settings picker = 'Blocked App Bundle IDs' Enter the Bundle ID: com.deepseek.chat Assign the policy to either a device or user group. Note: The ability to hide and prevent the launch of specific apps is only available on supervised iOS/iPadOS devices. Unsupervised devices, including personal devices, can’t use this option. Uninstall the DeepSeek – AI Assistant app If a user has already installed the app via the Apple App Store, even though they will be unable to launch it when the previously described policy is configured, it’ll persist on the device. Use the steps below to automatically uninstall the app on devices that have it installed. This policy will also uninstall the app if it somehow gets installed at any point in the future, while the policy remains assigned. Navigate to Apps > iOS/iPadOS apps. Select + Add and choose iOS store app from the list. Search for DeepSeek – AI Assistant and Select. > Apps > iOS/iPadOS > Add App searching for 'DeepSeek - AI Assistant' app Accept the default settings, then Next. Modify the Scope tags as required. On the Assignments tab, under the Uninstall section, select + Add group or select + Add all users or + Add all devices, depending on your organization’s needs. Click the Create button on the Review + create tab to complete the setup. Monitor the status of the uninstall by navigating to Apps > iOS/iPadOS, selecting the app, and then selecting Device install status or User install status. The status will change to Not installed. Personal Devices – Bring your own device (BYOD) Admins have fewer options to manage settings and apps on personal devices. Apple provides no facility on unsupervised (including personal) iOS/iPadOS devices to hide or block access to specified apps. Instead, admins have the following options: Use an Intune compliance policy to prevent access to corporate data via Microsoft Entra Conditional Access (simplest and quickest to implement). Use a report to identify personal devices with specific apps installed. Takeover the app with the user’s consent. Uninstall the app. This guide will focus on option 1. For further guidance on the other options refer to: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices. Identify personal devices that have DeepSeek – AI Assistant installed and prevent access to corporate resources You can use compliance policies in Intune to mark a device as either “compliant” or “not compliant” based on several properties, such as whether a specific app is installed. Combined with Conditional Access, you can now prevent the user from accessing protected company resources when using a non-compliant device. Create an iOS/iPadOS compliance policy, by navigating to Devices > iOS/iPadOS > Compliance policies > Create policy. On the Compliance settings tab, under System Security > Restricted apps, enter the name and app Bundle ID and select Next. Name: DeepSeek – AI Assistant Bundle ID: com.deepseek.chat Under Actions for noncompliance, leave the default action Mark device noncompliant configured to Immediately and then select Next. Assign any Scope tags as required and select Next. Assign the policy to a user or device group and select Next. Review the policy and select Create. Devices that have the DeepSeek – AI Assistant app installed are shown in the Monitor section of the compliance policy. Navigate to the compliance policy and select Device status, under Monitor > View report. Devices that have the restricted app installed are shown in the report and marked as “Not compliant”. When combined with the Require device to be marked as compliant grant control, Conditional Access blocks access to protected corporate resources on devices that have the specified app installed. Android devices Android Enterprise corporate owned, fully managed devices Admins can optionally choose to allow only designated apps to be installed on corporate owned fully managed devices by configuring Allow access to all apps in Google Play store in a device restrictions policy. If this setting has been configured as Block or Not configured (the default), no additional configuration is required as users are only able to install apps allowed by the administrator. Uninstall DeepSeek To uninstall the app, and prevent it from being installed via the Google Play Store perform the following steps: Add a Managed Google Play app in the Microsoft Intune admin center by navigating to Apps > Android > Add, then select Managed Google Play app from the drop-down menu. r DeepSeek – AI Assistant in the Search bar, select the app in the results and click Select and then Sync. Navigate to Apps > Android and select DeepSeek – AI Assistant > Properties > Edit next to Assignments. Under the Uninstall section, add a user or device group and select Review + save and then Save. After the next sync, Google Play will uninstall the app, and the user will receive a notification on their managed device that the app was “deleted by your admin”: The Google Play Store will no longer display the app. If the user attempts to install or access the app directly via a link, the example error below is displayed on the user’s managed device: Android Enterprise personally owned devices with work profile For Android Enterprise personally owned devices with a work profile, use the same settings as described in the Android Enterprise corporate owned, fully managed devices section to uninstall and prevent the installation of restricted apps in the work profile. Note: Apps installed outside of the work profile can’t be managed by design. Windows devices You can block users from accessing the DeepSeek website on Windows devices that are enrolled into Microsoft Defender for Endpoint. Blocking users’ access to the website will also prevent them from adding DeepSeek as a progressive web app (PWA). This guidance assumes that devices are already enrolled into Microsoft Defender for Endpoint. Using Microsoft Defender for Endpoint to block access to websites in Microsoft Edge First, Custom Network Indicators needs to be enabled. Note: After configuring this setting, it may take up to 48 hours after a policy is created for a URL or IP Address to be blocked on a device. Access the Microsoft Defender admin center and navigate to Settings > Endpoints > Advanced features and enable Custom Network Indicators by selecting the corresponding radio button. Select Save preferences. Next, create a Custom Network Indicator. Navigate to Settings > Endpoints > Indicators and select URLs/Domains and click Add Item. Enter the following, and then click Next: URL/Domain: https://deepseek.com Title: DeepSeek Description: Block network access to DeepSeek Expires on (UTC): Never You can optionally generate an alert when a website is blocked by network protection by configuring the following and click Next: Generate alert: Ticked Severity: Informational Category: Unwanted software Note: Change the above settings according to your organization’s requirements. Select Block execution as the Action and click Next, review the Organizational scope and click Next. Review the summary and click Submit. Note: After configuring the Custom Network Indicator, it can take up to 48 hours for the URL to be blocked on a device. Once the Custom Network Indicator becomes active, the user will experience the following when attempting to access the DeepSeek website via Microsoft Edge: Using Defender for Endpoint to block websites in other browsers After configuring the above steps to block access to DeepSeek in Microsoft Edge, admins can leverage Network Protection to block access to DeepSeek in other browsers. Create a new Settings Catalog policy by navigating to Devices > Windows > Configuration > + Create > New Policy and selecting the following then click Create: Platform: Windows 10 and later Profile type: Settings Catalog Enter a name and description and click Next. Click + Add settings and in the search field, type Network Protection and click Search. Select the Defender category and select the checkbox next to Enable Network Protection. Close the settings picker and change the drop-down selection to Enabled (block mode) and click Next. Assign Scope Tags as required and click Next. Assign the policy to a user or device group and click Next. Review the policy and click Create. When users attempt to access the website in other browsers, they will experience an error that the content is blocked by their admin. macOS macOS devices that are onboarded to Defender for Endpoint and have Network Protection enabled are also unable to access the DeepSeek website in any browser as the same Custom Network Indicator works across both Windows and macOS. Ensure that you have configured the Custom Network Indicator as described earlier in the guidance. Enable Network Protection Enable Network Protection on macOS devices by performing the following in the Microsoft Intune admin center: Create a new configuration profile by navigating to Devices > macOS > Configuration > + Create > New Policy > Settings Catalog and select Create. Enter an appropriate name and description and select Next. Click + Add settings and in the search bar, enter Network Protection and select Search. Select the Microsoft Defender Network protection category and select the checkbox next to Enforcement Level and close the Settings Picker window. In the dropdown menu next to Enforcement Level, select Block and select Next. Add Scope Tags as required and select Next. Assign the policy to a user or devices group and select Next. Review the policy and select Create. The user when attempting to access the website will experience the following: http://www.deepseek.com showing error: This site can't be reached Conclusion This blog serves as a quick guide for admins needing to block and remove specific applications on their Intune managed endpoints in regulated organizations. Additional guidance for other mobile device enrollment methods can be found here: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices. Additional resources For further control and management of user access to unapproved DeepSeek services, consider utilizing the following resources. This article provides insights into monitoring and gaining visibility into DeepSeek usage within your organization using Microsoft Defender XDR. Additionally, our Microsoft Purview guide offers valuable information on managing AI services and ensuring compliance with organizational policies. These resources can help enhance your security posture and ensure that only approved applications are accessible to users. Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.Deploying macOS FileVault with Microsoft Intune
By: Marc Nahum – Senior Product Manager | Microsoft Intune FileVault is Apple's built-in disk encryption technology for macOS. To deploy FileVault securely and effectively in an enterprise setting, it requires a deeper understanding. Originally launched in 2005 with Mac OS X 10.3 Panther, FileVault has evolved significantly. The release of FileVault 2 in 2011 with Mac OS X Lion marked a major upgrade. Since then, Apple has continued to improve its capabilities. For example, macOS Sequoia now supports unlocking FileVault using Microsoft Entra ID credentials through Platform SSO. In this blog, you'll learn how to: Enable FileVault for macOS using Microsoft Intune Use and manage recovery keys Manually import FileVault recovery keys into Intune Troubleshoot FileVault issues during device migration to Intune Although FileVault has been around for nearly 20 years, much of the guidance available online is outdated or based on older versions of macOS. This blog focuses on current best practices for enterprise deployment, specifically for: Devices running macOS Sonoma (version 14) or later Apple silicon hardware Microsoft Intune as the mobile device management (MDM) solution for policy enforcement and recovery key escrow Legacy methods, such as Institutional Recovery Keys, are now considered obsolete and won’t be covered. Instead, we focus on building a modern, secure, and maintainable FileVault deployment strategy. Are recent Mac devices encrypted by default? Yes. Apple silicon Macs,and Intel-based Macs with a T2 Security Chip, are encrypted by default at the hardware level. This encryption uses a unique identifier stored in the Secure Enclave. However, the encryption becomes user-aware and policy-enforceable only when FileVault is enabled. Once activated, FileVault enhances security by linking the encryption to the user’s login password in addition to the hardware-based key. This ensures that access to the data requires proper user authentication. Apple provides detailed information on this process in their Apple Platform Security Guide. Enabling FileVault with Intune FileVault is a key component of macOS security and should be considered a mandatory requirement for organizations except where local laws explicitly prevent it. Intune offers several ways to configure FileVault, but the settings catalog is the recommended approach. It helps avoid policy conflicts and ensures consistent, reliable behavior across devices. It’s also the most future-proof method, as it aligns with ongoing platform and Intune updates. 📋 Steps to configure FileVault via settings catalog Login tothe Microsoft Intune admin center Navigate to Devices > macOS Create a new configuration profile: Profile type: Settings Catalog Name the profile and provide a clear description In the Settings Picker, locate Full Disk Encryption and configure the following in the subsections FileVault Defer → Enabled Enable → On (default) Force Enable In Setup Assistant → True Recovery Key Rotation in Months → (e.g., 6 months) FileVault Options Prevent FileVault From Being Disabled → True FileVault Recovery Key Escrow Location → Your Enterprise Name Note: The Defer setting was mandatory in certain versions of macOS. While this might not be required in the latest releases, it’s still recommended to enable it for added security and a more predictable user experience. Proceed through Scope tags and Assignments. It’s recommended to assign the profile to All devices (interpreted here as “all Macs”), use filters if needed. The usage of static groups of devices is also an option but dynamic device groups are not compatible with the “Force Enable In Setup Assistant” option, which is needed for enforcing encryption during the setup assistant without user intervention. If you’re using Platform SSO with Password synchronization you can use the FileVault Policy setting to force the device, connected to the network, to check Microsoft Entra ID password when a device is turned back on (macOS 15 and later). This setting can be found in the setting catalog under Authentication / Extensible Single Sign On (SSO) / Platform SSO And must be set to: AttemptAuthentication Refer to this article to properly configure Platform SSO and select the method to use it: Configure Platform SSO for macOS devices in Microsoft Intune. Once the profile is deployed and the device receives the configuration, FileVault will be activated and the recovery key securely escrowed in Intune. The key is stored in the device properties, Recovery Keys section and is accessible only to admins with proper role-based access. All access is audited. If the device is set as “Personal” in Intune, the recovery key will not be visible in the admin center. Enrolled with Automated Device Enrollment with the device in Apple Business Manager Enrolled from Intune Company Portal as a bring-your-own device In cases where FileVault isn’t enabled during Setup Assistant, such as in bring-your-own-device (BYOD) scenarios using the Intune Company Portal, the same policy will trigger FileVault activation after the next reboot, prompting the user to take the necessary actions. Using the FileVault recovery key The FileVault recovery key serves as a secure fallback for users who forget their login password. When used properly, it allows access to the Mac without requiring a password reset or device re-enrollment. While Apple documents the recovery key process on their support site, one useful detail is often overlooked: If the ”?” icon doesn’t appear on the Mac login screen, users can select Shift + Option + Return to manually bring up the recovery key prompt. This can be particularly helpful during support scenarios where the user is locked out, but the device is still enrolled and reachable via Intune. At this stage, the Mac has completed booting and can still receive remote commands such as running scripts or executing device actions. Manually escrowing an existing recovery key If FileVault is already enabled on a Mac before it’s enrolled in Intune, users can manually escrow their personal recovery key using the Intune Company Portal. This is especially useful in bring-your-own-device (BYOD) scenarios or in loosely managed enrollment flows, where FileVault may have been activated outside of the IT admins control. Steps to import the recovery key: Verify FileVault status Launch Terminal and run: fdesetup status This confirms whether FileVault is currently enabled. Rotate and display the recovery key Run the following command to generate a new personal recovery key: sudo fdesetup changerecovery -personal The user must have administrator privileges to execute this command. Upload the recovery key to Intune using the Company Portal website. Open a browser and navigate to: https://portal.manage.microsoft.com Select the corresponding Mac device (if prompted) Choose “Store Recovery Key” and paste the new key from the Terminal output On the same page, users can also retrieve an existing recovery key if it has already been escrowed. This manual method ensures that devices encrypted outside the MDM provisioning flow can still benefit from secure recovery key escrow and retrieval through Intune. Migrating to Intune A common challenge when migrating to Intune from another MDM is that FileVault may already be enabled. Aside from the manual steps, organization’s might consider another approach which is to automate the escrow of existing recovery keys using tools like Escrow Buddy, an open-source tool developed by Netflix. For all considerations of migrating to Intune we wrote another blog on it: aka.ms/Intune/mac-migration. Reach out for help If you’re interested in learning more about FileVault and other Mac scenarios, there are a couple more things you can do. Join our Microsoft Mac Admins community on LinkedIn. Our product teams are there, plus thousands of others who’re using Intune to manage their Apple devices in a Microsoft Enterprise environment. If you have a question about Microsoft and Mac, someone in this community will likely have the answer. If you have 150 Microsoft 365 licenses or more, you can also Request FastTrack assistance. Our FastTrack team are experts at helping our customers make the most of their investment in Microsoft technologies. Lastly, if you’re looking for a deeper engagement, consider finding a Microsoft partner to support your migration needs. If you have any questions or want to share how you’re managing and migrating your Apple macOS devices in Intune, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn: aka.ms/IntuneLinked.
Edge Read Aloud feature fails on landscape PDF documents with tables.
I've encountered an issue with the Read Aloud feature in Microsoft Edge when opening PDF documents in landscape orientation that contain tables. The Read Aloud option is available and can be activated, but it gets stuck loading indefinitely and never starts reading. No error message is shown. In contrast, the same feature works perfectly with portrait-oriented PDFs, even when those PDFs include tables. I tested this on both Windows and macOS with up-to-date Edge versions. The issue appears to be consistent and not OS-specific. My clients use tables in landscape PDFs for better readability and formatting. It’s unclear whether the problem is due to the landscape orientation alone or the combination of landscape + tables. However, tables in portrait PDFs do not cause any issues. Has anyone else experienced this behavior? Is there a known fix or workaround? Would appreciate any feedback or confirmation from the Edge team.
Text Formatting Indicator
Is there, or could there be either, a newer addition to, or a third-party app for allowing text formatting to be displayed via the Text Formatting Indicator? Currently, the Text Formatting Indicator will display an icon if the caps lock, dictation, or language are in use. It would be efficient to have such a notification when Bold, Italic, Underline, or Highlight is active.
Behavior monitoring is now generally available for Microsoft Defender for Endpoint on macOS
Enhancing macOS security with behavior monitoring As attackers become more sophisticated in today’s rapidly evolving threat landscape, security strategies must continue to innovate to keep pace. For instance, static signature-based approaches to malware detection are useful but not enough. Rather, when combined with more dynamic forms of detection like behavior monitoring, your environment is better equipped to block new and evolving threats. Behavior monitoring observes how software behaves in real-time to detect and analyze potential threats based on the behavior of the applications, daemons, and files within your system. Behavior monitoring is a cornerstone of Microsoft Defender’s cloud-based protection strategy. A wide array of our most advanced protection capabilities rely on behavior monitoring’s cloud models to not only detect but also effectively respond to complex and evolving threats. Today, we’re excited to announce that behavior monitoring is now generally available on macOS, and is rolling out broadly over the course of the next few weeks. Like with Windows and Linux, behavior monitoring for macOS extends Defender for Endpoint’s protection beyond static signatures to track the larger scale relationships between processes. This capability significantly enhances the early detection of suspicious or malicious activities by spotting unusual process interactions and patterns. What does this mean for customers? By extending this critical technology to macOS, customers will benefit from a consistent level of protection across all of their devices. Behavior monitoring introduces a rich new stream of telemetry that helps lay important groundwork for advancing innovative protections against threats targeting macOS users. In the future, it will be possible to build custom logic based on the process and file system events supported by behavior monitoring, equipping you with a more dynamic and tailored way to secure your endpoints. Real-world example of behavior monitoring Let's understand the significance of this feature. The Atomic macOS Stealer (AMOS) is a sophisticated macOS malware engineered to steal sensitive information from systems. It targets a broad spectrum of data, including Keychain passwords, system information, files from desktop and documents folders, macOS user passwords, browser data (such as cookies and login credentials), and cryptocurrency wallets. To evade detection, AMOS employs obfuscation techniques like XOR encryption, making its payloads challenging to identify through static analysis alone. Due to its advanced nature, effective detection of AMOS necessitates dynamic analysis and behavior detection methods, rather than relying solely on static signature-based approaches. Behavior monitoring alerts are displayed in the Microsoft Defender XDR portal alongside all other alerts, enabling effective investigation. The following image in the Microsoft Defender XDR portal shows that Defender detected and terminated a suspicious action using behavior monitoring on macOS. The following image is an alert in the Microsoft Defender XDR portal that shows that a suspicious action was blocked using behavior monitoring technology. To experience the Mac antivirus behavior monitoring and blocking, users will need a minimum version Microsoft Defender for Endpoint, which is 101.25032.0006. Availability Our macOS behavior monitoring and blocking capabilities are available on the following major versions of Mac currently supported by Microsoft Defender for Endpoint: macOS Ventura (13) macOS Sonoma (14) macOS Sequoia (15) Behavior Monitoring is being rolled out automatically following our safe deployment practices (SDP) per the schedule below. Channel Staring Date App Version External 3/31/2025 > 101.25042.0002 Production 5/19/2025 > 101.25032.0006 Once fully deployed, behavior monitoring will be on by default for everyone. You can confirm your device’s enrollment status by checking the output of mdatp health --details features in your terminal. If your device is not yet enabled automatically, you can enable it manually. Enabling Behavior Monitoring For customers that need to change the settings of behavior monitoring, you can use Intune or a 3rd party MDM for enterprises or manually using sudo mdatp config behavior-monitoring for a trial deployment. Support for behavior monitoring in Defender for Endpoint’s security settings management experience is expected this summer. Additional resources for securing macOS with behavior monitoring The following resources can help you optimize your macOS security and behavior monitoring settings: Refer to the following article for more details about configurations related to behavior monitoring. Monitor the What's new in Microsoft Defender for Endpoint on Mac page for upcoming announcements. Read this blog to learn more about how behavior monitoring works on Linux. We welcome your feedback and look forward to hearing from you! You can submit feedback through the Microsoft Defender XDR portal. Learn more To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.optional suggestion: new menu bar app for mac
i wish i could launch one of my edge profile (no matter from which edge) directly in the menu bar. so you create a profile launcher.app and then i can search a profile installed on my 4 browser, without need to launch a browser. at the moment we can do similar things once the browser is launched using the dock icon or using the sync icon or using the menu bar option inside edge. but there is still the limit that we can do it for one browser. we cannot search profiles installed on all 4 browser. plus every time you launch the browser, you open the last used profile. so we first need to close and then switch (which requires time). profile switching is slower in edge compared to google. now with this new app you would simply launch a profile inside an edge app, without launching the previous profile.Exploring the use cases of payloadless packages in Microsoft Intune for macOS
By: Iris Yuning Ye | Product Manager - Microsoft Intune Payloadless PKGs are a powerful tool that extends macOS app management functionality. A payloadless PKG is a type of package file used primarily in macOS environments that doesn’t contain or deliver any actual application or data files. Using Intune, you can deploy payloadless PKGs to managed macOS endpoints using built-in macOS PKG management capabilities. The best use case of payloadless PKGs is for running scripts on-demand. Additionally, since payloadless packages are PKG files installed via macOS agent channel, pre-install and post-install scripts are also available. Important: From a support perspective, Microsoft fully supports Intune and its ability to deploy scripts. However, Microsoft does not support the scripts themselves, even if they’re on our GitHub repository. They’re provided for example only. You’re responsible for anything that they may do within your environment. Always test! The example below is a script that modifies the desktop dock. You can deploy this to managed macOS endpoints using a payloadless PKG. This is a partial code snippet only to present the key dock configuration. To fully modify the endpoint’s desktop dock, you need to update the script further including specifying local app paths and adding logic to conditionally configure the dock that applies to your environment. For the complete script, refer to: Microsoft Shell Intune Samples - Dock. (Omitted the preparation code lines) # Check if apps are installed if [[ "$waitForApps" == true ]]; then echo "$(date) | Waiting for apps to be installed..." wait_for_apps_installation 900 # Wait 900 seconds for apps to be installed fi #if useDockUtil is true, use dockutil to configure the dock if [[ "$useDockUtil" == true ]]; then echo "$(date) | Configuring dock with dockutil" install_dockutil_if_missing configure_dock_with_dockutil else echo "$(date) | Configuring dock with plist" configure_dock_via_plist fi By deploying this via a payloadless app, you can make it available in the Intune Company Portal. To do this you’ll need to use a payloadless package (Intune Unmanaged PKG) and a post-install script (Intune PKG Post Install Script). Upload dock.pkg to Intune: This is a totally empty PKG that creates a receipt name of com.intune.dock. For guided steps on how to upload the PKG refer to: Add an unmanaged macOS PKG app to Microsoft Intune. When you assign the package, ensure that you do it as available. Paste dock5.sh contents as Post Install Script: For this flow, ensure that waitForApps is set to false. For details of pre-install and post-install scripts, refer to the blog: Understand pre-install and post-install scripts in macOS Intune. Here is a demo of what it looks like when you deploy this payloadless package to modify endpoint desktop dock: There are multiple app types available for deployment from Microsoft Intune to managed endpoints including macOS PKGs which you also use for payloadless PKGs. Learn more about the different app types in the blog: Understanding application types in Microsoft Intune for macOS. > macOS > Add App > macOS app (PKG)). In conclusion, payloadless PKGs are a versatile tool that enhances macOS app management. With the ability to add and configure macOS apps in Intune, you can maintain a high level of control and flexibility over your macOS app deployments. For more information on adding and deploying a macOS PKG in Intune, refer to: Add an unmanaged macOS PKG app to Microsoft Intune. If you missed it, check out Understanding application types in Microsoft Intune for macOS, and Understand pre-install and post-install scripts for macOS in Microsoft Intune, and let us know if you have any questions, by leaving a comment or reach out to X @IntuneSuppTeam.
