macos
20 Topics

Platform SSO for macOS not working
(Update after long troubleshooting: the two main issues until now were: Leading and/or trailing spaces in the configs > They lead to visible and invisible errors! When using in Europe you need to remove some URLs (detailed information in this thread))

Hi folks,

I'm working hard on implementing Platform SSO for macOS (MSlearn) (2nd Link: Join a Mac device with Microsoft Entra ID during the out of box experience with macOS PSSO (preview)) for ourselves and our customers. I worked all the way through the Microsoft Learn articles as well as 3rd-party blog posts or Reddit discussions. (MS Intune Support think they need to forward my ticket to the Azure Support. I don't get it :D)

The issue is: The Platform SSO Profile in Intune is always on error code 100001. I tested this with different tenants, in every single one the issue is the same. The config profile is configured as follows: When looking at the device this is what should appear: But this doesn't happen on the device.

What I'm also wondering about: When signing in on a Mac device enrolled via ADE, after I log in to the Company Portal app (current version), it states that it is unable to register the device. Is this an expected behaviour? I don't think so, isn't it?

It would be so great to come into contact with others of you having the same issue or, even better, who solved these issues. 🙂

Thank you very much in advance

Regards
Patrick

PS: Maybe some of the mslearn article contributors have any idea? Mandi Ohlinger, arnabbiswas ? 🙂

19K Views 0 likes 39 Comments

Failed to create MacOS Enrollment Profile
Hello, hoping someone out there might have encountered this or have some advice.

I am trying out Intune in combination with Apple Business Manager (ABM). I followed the guides on setting up ABM with our Azure AD and Intune environments, created the required MDM Push Certificates, VPP tokens, etc. I was able to set up the Intune MDM successfully in Intune and ABM, and created an iOS device enrollment profile in Intune which worked well and was able to automatically enroll an iPhone and successfully deploy the Company Portal app and other apps to it.

The issue I'm having is when I go to create the MacOS device enrollment profile in Intune: I select the existing MDM program token and go through the process, but it fails to create the MacOS enrollment profile and instead I get an error "Failed to create <profile name here>". I've tried various settings with the enrollment profile, I even created a new Apple enrollment token and tried to set up the MacOS profile with the new token, but I get the same error.

I followed the article https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-program-enroll-macos and don't see any missing steps... I've got the Company Portal app configured with the PKG as a LOB but it won't even get that far since there isn't an enrollment profile to automatically enroll the MacOS device into Intune. The device however is getting sync'd from ABM and is visible under the Apple enrollment token's device list.

Granted I could manually install the Company Portal to enroll the Mac with Intune, but I am trying to automate this process as best as I can and use the enrollment profile to do so.

Any advice or direction you might suggest? From what I can tell everything seems set up correctly... and iOS/Windows devices are working fine, it's just MacOS I'm stuck on. Thank you in advance.

Solved 6.6K Views 1 like 16 Comments

Intune/Company Portal Constant popups
Hey,

We're trying to use Intune for our mostly Catalina and Big Sur macOS fleet, and we're noticing on multiple people's machines that they'll get regular popups mentioning they need to approve Profiles/MDM. Even after using their finger/password to approve the changes, they'll get new popups. I don't see any mention in the system.log regarding this popup. If I look in the Intune MDM logs the only regular errors that I see are regarding a "microsoft.com requires a client cert" but I'm not sure if this is related.

NSLocalizedDescription=The Internet connection appears to be offline., NSErrorFailingURLStringKey=https://manage.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/Certificate/ServiceAddresses, NSErrorFailingURLKey=https://manage.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/Certificate/ServiceAddresses, _kCFStreamErrorDomainKey=1})

error 1: authenticationError(Error Domain=NSURLErrorDomain Code=-1206 "The server “manage.microsoft.us” requires a client certificate." UserInfo={NSLocalizedDescription=The server “manage.microsoft.us” requires a client certificate., NSErrorFailingURLStringKey=https://manage.microsoft.us/RestUserAuthLocationService/RestUserAuthLocationService/Certificate/ServiceAddresses, NSErrorFailingURLKey=https://manage.microsoft.us/RestUserAuthLocationService/RestUserAuthLocationService/Certificate/ServiceAddresses, _NSURLErrorRelatedURLSessionTaskErrorKey=( _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <####.>.<####>, NSUnderlyingError=0x7fe4e552daf0 {Error Domain=kCFErrorDomainCFNetwork Code=-1206 "(null)" UserInfo={NSErrorPeerAddressKey=<CFData 0x7fe4e565bb30 [0x7fff807deb70]>{length = 16, capacity = 16, bytes = 0x100201bb17610d070000000000000000}}}})

error 5: authenticationError(Error Domain=NSURLErrorDomain Code=-1206 "The server “manage-selfhost.microsoft.com” requires a client certificate." UserInfo={NSLocalizedDescription=The server “manage-selfhost.microsoft.com” requires a client certificate., NSErrorFailingURLStringKey=https://manage-selfhost.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/Certificate/ServiceAddresses, NSErrorFailingURLKey=https://manage-selfhost.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/Certificate/ServiceAddresses, _NSURLErrorRelatedURLSessionTaskErrorKey=(

6K Views 0 likes 2 Comments

When will Platform SSO release for macOS
Hi,

Does anyone know from the Intune team if there has been any update/progress as to when Platform SSO will release (even Preview/Beta)? https://techcommunity.microsoft.com/t5/microsoft-intune-blog/microsoft-simplifies-endpoint-manager-enrollment-for-apple/ba-p/3570319

Also I read/saw here https://www.macsysadmin.se/video/day3session6.mp4 that we would be getting support for auto-enrolment & local admin and standard user account management. Is the above video true what is on the roadmap?

Thanks

5.7K Views 5 likes 0 Comments

macOS and Apple ID restrictions
All,

I am just starting out enrolling macOS devices with Intune/Endpoint Manager, and most things are working as expected. I have configuration policies for some items, some scripts to change things, install the Company Portal, etc. One thing I cannot seem to figure out is how to confine the Apple ID. I have the federation configured to ensure our corporate email addresses are Managed Apple IDs, but what I cannot seem to find or figure out is how to restrict the Apple ID login on corporate managed machines so the end user can only use our Managed Apple IDs. I could settle for blocking Apple ID sign-in completely, and found a custom template that is supposed to do that, but it does not seem to work either.

Has anyone accomplished this with Intune? I do have all iCloud settings disabled so the user should not be able to save things outside of OneDrive or local, but I really don't want the users to use a personal Apple ID and install apps from the store, etc. Any direction would be appreciated.

5.5K Views 0 likes 2 Comments

macOS SCEP certificate is not stored to login keychain
With macOS, Intune can distribute SCEP profiles, and we can specify the certificate type as "Device" or "User". However, the certificate will be stored in the System keychain if I specify the "User" certificate type. Is this occurring in my environment? And is it a spec?

nayuta

2.5K Views 1 like 1 Comment

macOS VPP apps fail to deploy, "License not eligible for device assignment" (Monterey)
Hello,

Our macOS VPP apps sometimes fail to deploy when using Intune/Microsoft Endpoint Manager for app deployment.

Symptoms:
- All deployed VPP apps missing from computer
- VPP apps may be deploying fine for another computer, running the same or different OS version
- Running sync for problem computer may or may not trigger app install from the App Store
- From macOS console log, triggering sync provides some interesting errors (Pages app installation):
  error 15:51:41.985744+0200 appstored AMSURLSession: [___/com.apple.iWork.Pages:___] Protocol completed with error. Error Domain=AMSErrorDomain Code=305 "Server Error" UserInfo={NSLocalizedFailureReason=License not eligible for device assignment., AMSServerAllowed=false, AMSServerErrorCode=9628, AMSServerPayload={ "cancel-purchase-batch" = 1; customerMessage = "License not eligible for device assignment."; failureType = 9628; "m-allowed" = 0; pings = ( ); }, NSLocalizedDescription=Server Error}
- App deployment seems to fail before InstallApplication command
- App licence is verified to be valid for device assignment
- After a lengthy amount of time, VPP apps may or may not eventually install on the problem computer
- Re-installing the OS and Intune MDM Agent makes no difference
- Intune MDM Agent is working fine, other applications (.intunemac) and policies are being applied to the computer

I'm not sure if this is an Intune problem or a macOS/Apple problem, so I will cross-post this and provide links below.

https://www.reddit.com/r/Intune/comments/skatzu/macos_vpp_apps_fail_to_deploy_license_not/
https://discussions.apple.com/thread/253636604
https://techcommunity.microsoft.com/t5/microsoft-intune/macos-vpp-apps-fail-to-deploy-quot-license-not-eligible-for/m-p/3116114

Has anyone run into this problem?

2.5K Views 0 likes 1 Comment

Is there a way to Downgrade admin account to standard account for Intune enrolled Macs.
Hi,

For Macs enrolled in Intune, we are required by policy to revert the admin account to a standard account. As of right now, every enrolled device has an administrator account by default. So kindly assist in providing the answer.

2.4K Views 0 likes 1 Comment

MACOS Erase from enrolled Device
Hi All,

Has anyone tried the erase function below for a MACOS device that's been enrolled in Intune as per below?

The process seems to work as follows:
- The device is removed from Intune as expected
- The device restarts and appears to have been wiped, but then fails to start and shows the following

The MacBooks I have tested on are as follows:
- running the latest version - Mojave
- have FileVault turned on
- are circa 2017.

I suspect this may have something to do with the MacBook trying to install the original OS (possibly Sierra) from the recovery partition and it fails. Possibly something to do with the change in file system between versions? Ideally I would like the erase function to return the MacBook to a fresh installation of Mojave.

Any help appreciated

Gerry

2.2K Views 0 likes 1 Comment