Dr_Snooze
Apr 27, 2023

Mac Not Compliant on Intune because of DefaultDeviceCompliancePolicy.RequireRemainContact

I'm dealing with a Mac that suddenly went Not Compliant last week based on the compliance policy DefaultDeviceCompliancePolicy.RequireRemainContact. As I understand it, the computer must sync with Intune at least every 30 days, or this policy gets grumpy. Apparently, this hasn't been happening, nor did the usual warning emails get sent out, because well, there isn't a trigger for RequireRemainContact. My Conditional Access policy finally blocked everything, even though the user has been working away on the device for the last 30 days uninterrupted.

Oddly, this computer hasn't missed a beat syncing with Defender for Endpoint. It's only on the Intune side that things have gone sour. I have the user exempted from the CA policy now, so he's able to work. That usually fixes the problem on a Windows device, but not so on this Mac.

I need to get this resolved, but I'm not sure how? I've tried the usual: syncing from the device, syncing from my portal, rebooting, exempting the device from CA, etc. Nothing's working.

I found a similar issue here (Sync your device with Intune issue, mac, not compliant - Microsoft Community Hub), which involved wiping the device and starting over. The box is remote and I'd rather avoid the shipping, if possible. Worse, the user is one of the senior devs with a highly specialized installation. A wipe would be really disruptive for him.

Hopefully someone knows more about this than I do.

Thanks,

  • Dr_Snooze
    The computer aged out of Intune today. After that, we were able to re-enroll using Company Portal as per normal. The machine is compliant and working again.
  • Dr_Snooze
    MS Support just closed my ticket without resolution. We tried syncing from the device, without success. They advised me to update my Apple Business Manager VPP token (which had expired). Then we updated the apps on the device with MS AutoUpdate, and tried syncing again. No success. Support's official advice is to reformat the device and re-enroll. It's a remote device and anything remote on a Mac is an interruption for the user. In this case, the user would lose a day's work helping me. Which isn't really an option.

    If memory serves, this is how it went last time. However, by the time I was ready to reformat, the device had aged out of Intune. At that point, we were able to re-enroll normally, and without further issue. This current device will age out in a week or two, and I'll see if we can re-enroll at that time. 

  • Dr_Snooze
    Five months later and I have another one. Sadly, I don't remember how the last device got resolved. I'm pretty sure I didn't have to wipe the device though. I have another ticket open with MS Support, so we'll see what they find.
  • jhassallclarke
    Dr_Snooze Just replying to say I have the exact same issue here, with a Mac I'd rather not wipe. Hopefully this is fixed or a solution found soon.

  • Dr_Snooze
    Issue IT549491 was resolved last Friday, but the device still shows Not Compliant. IT549491 was immediately replaced by IT555162, and followed shortly by IT555436. Both involve problems getting Macs to play nice with Intune. Not sure if they are related to my issue yet.
  • Dr_Snooze
    According to Support, the recent Apple Rapid Security Response update has caused a lot of issues with Intune's mgmt. I'm told a fix is in the works.

    Issue ID = IT549491, if you want to follow along in your portal.
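
The original post notes that nothing warns before RequireRemainContact trips. As an added example (not from the thread or from Microsoft), the script below flags devices approaching the check-in window from records shaped like Microsoft Graph `deviceManagement/managedDevices` output. The 30-day window is taken from the post; the 7-day warning margin, the device names and the dates are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the "value" array returned by Microsoft Graph
# GET /deviceManagement/managedDevices (device names and dates are made up).
SAMPLE = json.loads("""
{"value": [
 {"deviceName": "MAC-DEV-01", "operatingSystem": "macOS", "lastSyncDateTime": "2023-03-25T12:00:00Z"},
 {"deviceName": "MAC-DEV-02", "operatingSystem": "macOS", "lastSyncDateTime": "2023-04-03T12:00:00.1234567Z"},
 {"deviceName": "WIN-LAP-03", "operatingSystem": "Windows", "lastSyncDateTime": "2023-04-26T08:00:00Z"},
 {"deviceName": "MAC-DEV-04", "operatingSystem": "macOS", "lastSyncDateTime": null}
]}
""")

VALIDITY_DAYS = 30  # check-in window as described in the post (assumption)
WARN_DAYS = 7       # hypothetical warning margin chosen for this example

def parse_ts(value):
    """Parse a UTC timestamp like 2023-04-03T12:00:00.1234567Z, dropping fractions."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.fromisoformat(base).replace(tzinfo=timezone.utc)

def stale_devices(devices, now, validity_days=VALIDITY_DAYS, warn_days=WARN_DAYS):
    """Return (name, status, days_left) for devices near or past the window."""
    findings = []
    for dev in devices:
        raw = dev.get("lastSyncDateTime")
        if not raw:
            # No sync timestamp at all: surface it instead of silently skipping.
            findings.append((dev["deviceName"], "unknown", None))
            continue
        age_days = (now - parse_ts(raw)).total_seconds() / 86400
        days_left = round(validity_days - age_days, 1)
        if days_left <= 0:
            findings.append((dev["deviceName"], "expired", days_left))
        elif days_left <= warn_days:
            findings.append((dev["deviceName"], "expiring", days_left))
    # Devices with no sync timestamp first, then the most overdue.
    return sorted(findings, key=lambda f: float("-inf") if f[2] is None else f[2])

if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives the same result on every run.
    now = datetime(2023, 4, 27, 12, 0, tzinfo=timezone.utc)
    for name, status, days_left in stale_devices(SAMPLE["value"], now):
        print(f"{name}: {status} (days left: {days_left})")
```

Run against a real export, a scheduled job like this gives the advance notice the thread says is missing, so a device can be synced or re-enrolled before Conditional Access blocks the user.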