AMA: Securely manage macOS with Intune
Event Ended
Wednesday, Mar 20, 2024, 07:30 AM PDT
Event details
Whether you're in the exploratory stage or already implementing Intune for macOS, we invite you to join this Ask Microsoft Anything (AMA) to see a demonstration of the new Platform Single Sign-On (Platform SSO) capability and engage with our experts. This is your unique opportunity to ask questions directly with Microsoft's product and engineering teams and get answers on how you can manage macOS devices for a truly unified experience with Intune. Join us for an enlightening session where your queries lead the discussion.
Post your questions in the Comments below. We'll have experts responding in the live stream and others in chat.
This session is part of Microsoft Intune: Tech Community Live. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
Char_Cheesman
Updated Dec 27, 2024
- JFRigot
Brass Contributor
Like the MAM/App Protection Policies on Mobile Devices or Edge MAM in Windows, what would you recommend to use as a built-in DLP mechanism for macOS?
- Char_Cheesman
Bronze Contributor
Thanks for participating in today's session of AMA: Securely manage macOS with Intune! For reference, the panel covered your question at around 47:35.
- Brett_Abbott
Copper Contributor
How do conflicts between Apple password requirements and the Entra password requirements resolve? For instance, the Apple no duplicate characters in the password would not allow my Entra password to be used.
- mcnahum
Microsoft
Yes, that will be the job of the MacAdmin to manage it. I would recommend having a "simple" password policy (even no password policy) and letting Entra enforce the password. Conditional access made it mandatory to access the resources. In Sonoma the user cannot change it after it is in sync.
- Brett_Abbott
Copper Contributor
So we would need to remove the requirement before we transition to PSSO to ensure no conflicts before the go live?
- krysztof
Copper Contributor
What is the best practice to enable SSO for 3rd party apps with Platform SSO?
- mcnahum
Microsoft
This site is probably a good start: https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin. Platform SSO is based on the SSO extension.
- Arik_Amir
Occasional Reader
Your detailed step-by-step instructions for the enrollment setup are key to ensuring that I can successfully navigate the process. Your valuable insights will allow me to complete the enrollment process with ease and confidence. Would you kindly provide me with your expert guidance?
- mcnahum
Microsoft
Thanks, I hope you could find what you need here: https://aka.ms/intunemymac
- XxghostsyncxX
Occasional Reader
Nobody seems to want to reply to my questions because it’s different than the normal questions, but I don’t understand. I didn’t give anyone or any company permission to “manage” said device. You must have mitigation standards for this type of exploitation.
- kerryt395
Copper Contributor
The only way to get an MDM enrollment without the user manually enrolling it is via DEP, which must be configured via Apple School Manager or Apple Business Manager. The only way your computer is enrolled in one of those programs is by purchasing it from a vendor that submits the enrollment or the device is manually added through a very specific process. If no users have admin they also won't be able to enroll the device manually in another organization's MDM. If you're having problems with this, did you buy a used computer that wasn't removed from Apple Business Manager or Apple School Manager? If so, the business/organization needs to remove it. Any other profiles would be removed with a device reset (whether you have admin or not).
- XxghostsyncxX
Occasional Reader
I’ve tried reset and it puts an old version of Mac back on, and looking at logs you can see it’s not a normal install, it’s being intercepted. Maybe it’s malware or using this, and you’re correct, I tried to sign in, won’t let me, but I have an account with school management. Under running process you can see school manager.
- mcnahum
Microsoft
OK, I get it, I understand your question. I guess your Mac is registered on Apple ABM and this is why it pops up to be managed. Please check where you purchased it.
- XxghostsyncxX
Occasional Reader
It’s on my brand new iPhone as well. I’ve found endpoints from Jamf, with my username as a subdomain. I have so much intel on this to prove and show, usernames, IP addresses, screenshots, but I can’t find why or how to stop and remove it. I've been in cyber security for a few years, in school learning and starting a business, but this has stopped me dead with any progress. I have to find someone to help me work with.
- VaishnavK1993
Brass Contributor
Currently managing Mac devices via Jamf. What is the best practice to change the MDM solution to Intune? Will all the Jamf supported features now be available in Intune?
- tylerblank
Copper Contributor
Currently, there is no way to programmatically prompt end users to sign into Entra ID's integration of Platform SSO. What can be done to invoke the sign in prompts via a command line interface so large enterprises that want to roll out Entra ID PSSO to end users are able to on some interval? Looking for a command to call via an MDM or LaunchAgent/Daemon to accomplish this.
- Andrea_Robertsen
Copper Contributor
My company has an issue where some devices will not be able to open Company Portal regularly after enrollment, Company Portal reinstallation or if the device is just offline for long enough that the authentication tokens expire. All devices have the exact same profiles and settings applied. And I have also disabled any work profiles or enrollment settings for Company Portal on macOS to test. And all are DEP/ADE enrolled through our hardware supplier. All devices are on macOS 13.x to 14.4. When this issue appears, the device will get a login prompt as usual. But then Company Portal will attempt device enrollment. Which bugs out with an error message. "Could not obtain the final profile using the encrypted profile service. The credentials within your profile may have expire. Try downloading a new profile." Would you know what causes this behaviour?
- J-Abel
Copper Contributor
Where can I find documentation on setting up platform SSO, or has this yet to be released?
- James_Yao
Microsoft
For setting up platform SSO, there is documentation that was published by Neil in the Mac Admins Viva community. If you are not a member, the link to join is https://aka.ms/macadmins.
- EJonesIndy
Copper Contributor
Is the Platform SSO with Entra functionality in the demo available now, or is this still in preview?
- Rachelle_Blanchard
Microsoft
It's still in private preview 🙂 We'll make lots of announcements once it's available broadly.