macos
18 Topics

macOS enrollment - prompt to change the Mac login password
Cheers everyone! We are in the pilot phase of our macOS Intune enrollment and I've created the compliance policy which blocks simple passwords and applied it to a few test machines. After the first reboot I got a prompt to change the admin password to meet the requirements. All worked fine until I changed the "Maximum minutes of inactivity before password is required". After the first reboot, both local admin accounts (one for the IT admin, the second for the actual user) again get a prompt that the password needs to be changed in order to log in. I made the changes again and the story repeats itself after changing some other parameter (not something related to the actual password complexity), and I ended up in the same loop. It looks like every time I edit something in the compliance profile, the user will be prompted to change their password, which doesn't make sense to me. Does anyone know why this is happening and how this behaviour can be changed? I don't want to enable "simple passwords" just as a workaround. Thank you in advance!

macOS - SCEP user certificate is not re-enrolled when user deletes it from Keychain
Hi, we are facing a strange issue with Intune: a manually deleted SCEP user certificate is not re-enrolled automatically based on the configuration profile. Also, this configuration profile is NOT marked as non-compliant even after a week of syncs for that device. And most importantly, the SCEP configuration profile, from the point of view of macOS, knows that the SCEP certificate is missing, because when you open the config profile under Settings/Device Management on macOS there is an error saying "Not found in keychain". The documentation at https://learn.microsoft.com/en-us/mem/intune/protect/remove-certificates says exactly the following:

Manually deleted certificates
Manual deletion of a certificate is a scenario that applies across platforms and certificates provisioned by SCEP or PKCS certificate profiles. For example, a user might delete a certificate from a device, when the device remains targeted by a certificate policy. In this scenario, after the certificate is deleted, the next time the device checks in with Intune it's found to be out of compliance as it is missing the expected certificate. Intune then issues a new certificate to restore the device to compliance. No other action is needed to restore the certificate.

So it means that if a user deletes the SCEP user certificate from the keychain, no matter whether it was intentional or accidental, as long as I keep the SCEP configuration profile in Intune for that exact device and user, Intune must initiate re-enrolling/re-generating a new certificate based on this profile. This is not happening on our macOS laptops, and the only workaround I've got from MS Support is to remove the device from the configuration profile and then return it... But imagine when you have 1000 macOS laptops and 100 users (extreme example, but it could happen, e.g. developers trying things) delete their certificates from Keychain. The whole action of removing devices and users from that profile is time wasting: first create special groups to include the affected devices and affected users, then add that group to the exclusions, wait a long time for all macOS devices to sync, then start removing those devices and users from the group to return the configuration profile back.

Also, the comment from MS Support was that they cannot escalate the case to a different team, because I selected an exact time zone and only they are responsible for that time zone (what a bullshit???), and that my case is already escalated to his team manager. But his team manager is the same low-skilled incompetent as the engineer who got my support case. And if the certificate is returned when I remove and re-add the config profile, then the case is finished (what another bullshit????) - but from my point of view it's not finished, because it's not a fix, it's a workaround, and a very complex, time- and money-wasting workaround. Note to Microsoft: Please STOP hiring low-skilled incompetent Indian support teams just because they cost less than European or United States engineers!!!! You are wasting our money, our time, our patience, and you want more and more money for your subscriptions while we are getting less and worse service.

AWS Chime based apps (Slack or 3CX) calls drop out - Only on Intune enrolled macOS 15 + MS Defender
Hi Intune_Support_Team, I have recently come across an issue. Issue: call drop-out, network freeze on AV calls for apps/platforms. Description: I have noticed this issue only on macOS devices enrolled in Intune that were later updated to macOS 15 Sequoia using the Intune Mac update policy, with MS Defender for Endpoint enrolled and the MS Defender Network Filter added to the list; it hangs/freezes AV calls for 2-3 seconds like a network glitch on Slack Huddles. This also happens with the 3CX telephone app in a slightly different way, as the 3CX agent's audio is not heard by the far-end customer. Both of these only happen on devices upgraded to macOS 15 + Defender + Network Filter, and only with Slack and 3CX. Google Meet, Zoom and Teams work well. NOTE: Compared to a device which is not on Intune/Defender with macOS 15, Slack Huddles and 3CX are a charm. I also initially tried to look into Apple macOS bugs and didn't find much, then raised a request to Slack Support. In response I got this:

Hi there Swapnil, Thanks for contacting Slack support. What is happening here is that users are losing media connectivity to the huddles server, causing them to drop and then be reconnected. This can happen for a number of reasons, but if you've recently updated to macOS 15 Sequoia, there is a macOS networking bug which is highly likely to be the cause in this case (https://support.apple.com/en-au/102281). The issue is as follows: Overall the connection may be completely fine. Suddenly the media connection to the huddles server stops completely (even if the rest of the internet connection is fine). After the huddles server detects a period of no data being sent/received, it forces the client to reconnect to the huddle. This can help for some time but it may eventually repeat again through each huddle. Unfortunately in each case we cannot help explain what the exact underlying cause is, as it occurs on the end of each user's network environment. In your case however, if users are experiencing the issue after upgrading to macOS 15, the aforementioned networking bug is the most likely cause. Normally the causes of these kinds of issues are as follows: Firewall or other network configuration closing websocket media connections (the macOS Sequoia bug causes this specific kind of problem). Overzealous modem/router throttling media connections. ISP throttling media connections.

In another response they also mentioned that something is probably not right with the MS Defender Network Filter blocking traffic for the AWS Chime server:

Hi Swapnil, Thanks for your reply. Because there are so many variables we aren't going to be tracking this on our side. One thing I would say is that you should just be sure that there are no third party dependencies in your macOS environment which might be in need of an update. I'll give you a random example: Organisations using the Zscaler client connector would have encountered a variation of this issue (https://help.zscaler.com/client-connector/firewall-posture-check-failure-macos-sequoia). The macOS updates alone would not have addressed it, Zscaler needed to issue an update to their client connector software. Until users were running the Zscaler client with the relevant fix, no amount of system updates would have prevented them from running into the compatibility issue. So all I am saying is that you should be keeping an eye out for updates to both macOS and any relevant 3rd party dependencies - it's possible you will need to take manual action in some way first. The public facing macOS updates tend to be quite vague, so it is probably best to start with MS Defender and any other relevant 3rd party configurations before waiting on a macOS update to ultimately fix the issue. You may also prefer to pre-emptively seek confirmation from their respective support services so you know exactly what your next steps are. I hope this gives you a better idea on how to approach the issue and plan for updates Swapnil, and apologies I couldn't provide more guidance.

After reading about this I tried to dig a little more and understood that 3CX is also using AWS Chime A/V servers. My users are stuck and losing their Slack Huddles, which is their day-to-day quick AV. Any insightful info on this one will be helpful. Thanks, Swapnil

Platform SSO for macOS not working
(Update after long troubleshooting: the two main issues until now were: Leading and/or trailing spaces in the configs: they lead to visible and invisible errors! When using it in Europe you need to remove some URLs (detailed information in this thread).) Hi folks, I'm working hard on implementing Platform SSO for macOS (MSlearn) (2nd link: Join a Mac device with Microsoft Entra ID during the out of box experience with macOS PSSO (preview)) for ourselves and our customers. I worked all the way through the Microsoft Learn articles as well as 3rd party blog posts and reddit discussions. (MS Intune Support think they need to forward my ticket to Azure Support. I don't get it :D) The issue is: The Platform SSO profile in Intune is always on error code 100001. I tested this with different tenants; in every single one the issue is the same. The config profile is configured as follows: When looking at the device this is what should appear: But this doesn't happen on the device. What I'm also wondering about: When signing in on a Mac device enrolled via ADE, after I log in to the Company Portal app (current version), it states that it is unable to register the device. Is this expected behaviour? I don't think so, is it? It would be so great to come into contact with others of you having the same issue or, even better, who solved these issues. Thank you very much in advance. Regards, Patrick. PS: Maybe some of the MS Learn article contributors have any idea? Mandi Ohlinger, arnabbiswas?

Is there a way to downgrade an admin account to a standard account for Intune enrolled Macs?
Hi, for Macs enrolled in Intune, we are required by policy to revert the admin account to a standard account. At the moment, every enrolled device has an administrator account by default. So kindly assist in providing the answer.

Checkpoint Capsule Connect VPN on macOS
Hey, I'm trying to set up Checkpoint VPN on macOS with Intune. I found the VPN configuration in configuration profiles for macOS; there is an option for CheckPoint Capsule Connect. The issue is that I didn't find an install file for Capsule Connect on macOS. The profile installs successfully, but obviously fails to start without the application. I assume that there is an application for macOS since it allows configuration for it. I have checked the Checkpoint site and it is dead easy to configure for Windows or on macOS with YAML. Can someone advise on how to set it up?

macOS SCEP certificate is not stored in the login keychain
With macOS, Intune can distribute SCEP profiles, and we can specify the certificate type as "Device" or "User". However, the certificate is stored in the System keychain even if I specify the "User" certificate type. Does this occur only in my environment? Or is this the expected behaviour (per spec)? nayuta

macOS and Apple ID restrictions
All, I am just starting out enrolling macOS devices with Intune/Endpoint Manager, and most things are working as expected. I have configuration policies for some items, some scripts to change things, install the Company Portal, etc. One thing I cannot seem to figure out is how to confine the Apple ID. I have federation configured to ensure our corporate email addresses are Managed Apple IDs, but what I cannot seem to find or figure out is how to restrict the Apple ID login on corporate managed machines so the end user can only use our managed Apple IDs. I could settle for blocking Apple ID sign-in completely, and found a custom template that is supposed to do that, but it does not seem to work either. Has anyone accomplished this with Intune? I do have all iCloud settings disabled so the user should not be able to save things outside of OneDrive or locally, but I really don't want the users to use a personal Apple ID and install apps from the store, etc. Any direction would be appreciated.

Scripts not working on Mac?
Hello, I'm new to deploying scripts in Intune. I'm testing a sh script that downloads a zip file and then unzips it to another location. The problem is that in Intune it says that it is deployed correctly, but it doesn't do anything.

#!/bin/sh
# Download the Gradle distribution to the Desktop of the account running the script.
# Note: --insecure disables TLS certificate verification for this download.
curl -L -o "$HOME/Desktop/Gradle.zip" "https://services.gradle.org/distributions/gradle-8.1-all.zip" --insecure
# Create the install directory and extract the archive into it
mkdir -p /opt/gradle
unzip -q -d /opt/gradle "$HOME/Desktop/Gradle.zip"
# Add the Gradle binaries to PATH for the remainder of this shell
export PATH="/opt/gradle/gradle-8.1/bin:$PATH"

This is the code; if I run it manually it works.