2023E05 - ABM and macOS provisioning (I.T)

  • Published on 5 Sep 2024

Comments • 52

  • @buchartak 11 months ago +2

    I love this reboot series! Thanks for the tips and walkthrough, it's super helpful. I'm looking forward to more videos about this topic!

  • @jotajota_ok 3 months ago

    Thanks for all the training you guys are providing. This is amazing!

  • @davidhoeft2940 11 months ago

    Perfect timing for me. I am provisioning my first macOS devices this week via Intune.

  • @summoner2100 11 months ago +2

    It's under the Apple enrolment token because you can have multiple tokens for devices. So it's associated to the enrolment token.

  • @redsky5357 8 months ago +1

    Very helpful thank you!

    • @redsky5357 8 months ago

      Just to add to this… I have a setup where I need to restrict local admin access but it looks like I have to go the script route for now until Intune supports it. I’ll update if I can get it working or not.

  • @DarylGibsonNJ 7 months ago

    Looking forward to part two of this.

  • @MegaTwintech 11 months ago +1

    Keep in mind when deciding “show/hide” when configuring the enrollment profile, it’s just to show or hide those options during the Apple Setup Assistant. The user can still manually configure and set those options once they get past the Apple Setup Assistant. 👍🏼

    • @62128Kevin 11 months ago +1

      We can block it with a Configuration profile or something else?

    • @MegaTwintech 11 months ago

      @62128Kevin Correct, you should rely on separate configs to enable/disable items. The Enrollment profile options at the beginning of this video with those Show/hide options, I like to think of this piece as modifying/expediting the initial first time experience within the Apple Setup Assistant steps. Example, you hide the "Apple Pay" or "Face ID/Touch ID" option. This just hides the option to set up those features within the first initial Apple Setup Assistant experience, but the user can always go into the device later and set it up. Hope this helps.

  • @ifbootfitz 11 months ago

    I switched to mac and can't wait to see more.

  • @GirthBrooks775 9 months ago

    Miss y'all. I like having the devices by program token divided up because there are cases where you might have multiple tokens and you can see what devices are associated with what tokens. Using the alias in the shell script would also make it so you don't have to update the shell script if something changes in it. It will always use the redirect link to the latest published version of the script. Like someone else mentioned, if you do the #! /bin/bash for the first line, it will upload fine but I haven't tested it pushed out.

  • @ecuasteelo 7 months ago

    Great to see you guys are updating your content. Can I add to the idea box to add videos of the new Intune macOS management features? Items like: Platform SSO, local account creation, macOS updates with DDM. Keep up the great work.

    • @strikermed 4 months ago

      I’d like to see this as well! I’m also looking for a source describing the local admin config you mentioned. This is something we struggle with since all onboarded devices have the first user as local admin.

  • @summoner2100 11 months ago +4

    The file you uploaded was just a line. So it didn't include the shebang at the start of the script file before uploading so it was telling you. (Macadmin here haha)

    • @henchffs 11 months ago +1

      It was a frustrating moment in the video XD

    • @IntuneTraining 11 months ago +1

      @henchffs same!

    • @henchffs 10 months ago

      @IntuneTraining just have to say I really love what you guys are doing for the community! You’re awesome!

  • @davidhoeft2940 11 months ago +1

    Discovered that we needed to edit the local Mac account's username to match the AD username in order to get LDAP synced services to "match".

  • @steverobertson589 11 months ago

    Yeah, I'm keen for a video on Platform SSO too.

  • @bernardmashala4260 6 months ago

    I managed to get all the pre-requisites and currently prior to starting the MacBook I don't get a pop-up showing remote management and as per your instructions of rebooting, I could. I am sure many experienced this.
    Now I want to restrict many other things like erasing all data, adding Apple ID, etc.

  • @guillaumeserton 11 months ago +1

    Apple ID is a big question as you didn’t discuss Managed Apple ID. Platform SSO is another one.

    • @dp4491 11 months ago

      You would integrate your Apple Business (or School) Manager instance with your tenant in order to enable managed Apple IDs. The important thing to remember is that requires a user's UPN match their email address. UPN aliases and Alternate IDs are not supported. From personal experience I would not recommend managed Apple IDs unless you're ready to put up with users constantly requesting password resets. Managed Apple IDs are a huge pain.

    • @guillaumeserton 11 months ago

      @dp4491 password reset is not an issue if you use the authentication federation but still the managed Apple ID restriction 😉

  • @user-hh4oq4bv8g 11 months ago

    The biggest reason I think to block the Apple ID until you've pushed a provisioning profile is so you can disable the ability for a user's personal Apple ID to put on an Activation Lock. We let users sign in with Apple ID but it won't happen til after the OOBE and we have blocked the Find My locks.

  • @JakeArnott_ 11 months ago

    A locked enrollment from memory will prevent the removal of the management profile only after a 30 day period.
    Attempts to remove the profile within that 30 day period would generally succeed - At least that is how the locked enrollment behaves on iOS and iPadOS.

  • @iamweave 6 months ago

    8:53 - yeah create a dist list for this is good except for the 2FA code bit. I used to do a Twilio number to get codes and then script them to the dist list, but more of these 2FA services are now blocking obvious VOIP numbers for verification codes :-(

  • @harshadatta100 3 months ago

    Hello guys, thank you for the clear explanation. Is the group you added for assignment of Apps & Scripts a dynamic group, or did you manually add the Mac to that "License" group? One more question: can we add a UTM virtual Mac to ABM?

  • @professor3095 9 days ago

    I still need to install the profiles after log in to the company portal. What is the problem here? Of course it's not possible to install the profiles because they were enrolled automatically.

  • @DamagedDingo 11 months ago

    I think I saw somewhere that macOS Company Portal will be moved to a web portal due to the time it takes for them to get an app through Apple's approval processes.

  • @user-gz4vx1pc3b 5 months ago

    I just created all this for my company, my two test macOS devices I had to bring into ABM through using my phone and Apple Configurator 2 app... I have the enrollment profile setting set for lockdown, however the device is still not greyed out and allows the deletion of the management profile under settings. Is this because the devices need to be registered inside of ABM for 30 days first? Thanks!

  • @mcjgenesis 5 months ago

    How are you differentiating between Company devices and BYOD devices? Do you have a video summarizing the need to manage both corporate devices (fully) and personal BYOD devices (partially)?

    • @IntuneTraining 5 months ago

      We have a video on personally owned iOS device enrollment coming in a week or so. Essentially, you can configure your device enrollment restrictions to allow/prevent personal enrollment. Ideally, corporate devices are pre-registered in Apple Business Manager - then they will come in as Supervised devices. Otherwise users can enroll corporate or personal devices using Company Portal.

    • @mcjgenesis 5 months ago

      @IntuneTraining, thanks for the answer. Looking forward to that video. Is setting up Apple Business Manager with federated access to Entra ID still required for personal mobile iOS devices? My understanding was it is still needed for personal devices so that we can set up a separate business iCloud account that we manage while not touching an end users' personal iCloud settings/data.

  • @MikeJones-px4wg 11 months ago +1

    Can you do a video on how to register without user affinity?

  • @waqarmunir4044 7 months ago

    Hi Intune Training,
    Can you handle changing the password in a macOS account with an AD account?
    Is there a solution for that?

  • @togirachetowa 11 months ago +1

    I don't quite understand MDM user scope and MAM user scope. Do you just have to use that if you want to work with scopes? We just use groups never used scopes for anything.

    • @samsthoughts6867 11 months ago +1

      MDM and MAM scope is only for Windows. MDM scope is allowing users to enrol a Windows device into Intune. MAM is primarily used if you intend to use Windows Information Protection.

    • @togirachetowa 11 months ago

      @samsthoughts6867 Got it, thank you!

  • @summoner2100 11 months ago

    You're talking about Platform SSO... but that's not supposed to be a just in time account creation. You still need a form of making an account first.

  • @waqarmunir4044 7 months ago

    BTW your video is really helpful.
    Please answer my below question if you have an answer.
    If you didn't happen to understand my question,
    let me explain again.
    How will the user change the password?
    Like in Windows: Ctrl + Alt + Delete, change password, boom.
    Password changed in login password and AD password as well.
    How can I handle this behavior in macOS?

  • @wilsonking965 11 months ago +1

    @7:06 I just wanted to yell WAIT STOP, THERE IS A RENEW BUTTON

  • @ckmail5125 6 months ago

    Why do you already have device in the Apple Business account?

    • @IntuneTraining 6 months ago

      Because we’ve used this several times before and have uploaded things already.

  • @thomas.merchel 11 months ago

    Strange that the Company Portal worked, because when you interrupted the recording, it was not assigned to anyone...

    • @MegaTwintech 11 months ago

      I saw that they did deploy that script to the “licenses” user group. So that’s why it worked.
      The company portal VPP app they hovered over in the video was actually for iOS, not macOS. 👍🏼

  • @DamagedDingo 11 months ago

    Anyone know how to give the user more notice when forcing macOS updates without a 3rd party tool?

    • @dp4491 11 months ago

      Apple works very hard to allow users to ignore updates, it's one of the most frustrating parts of managing Macs. There are a couple of software solutions (Nudge, S.U.P.E.R.M.A.N.) that help enforce updates but they're not true enforcement, they're really just bugging users to apply updates.

    • @DamagedDingo 11 months ago

      I’ve a change in now for Nudge but supposedly our IT head doesn’t like open source software so not sure how that’s going to play out. Also got another change for setting up ASM so maybe when they are supervised I will have more control.
      Tnx for clarifying though because I would have hated to go through all that and there was just a setting in Intune to extend the restart timer.

  • @ToTCaMbIu 7 months ago +1

    For the single line command to work you just needed to add shebang at the start of the script. I tried posting full script but my comment got removed.
    Shebang is this line below:
    #!/bin/sh

    • @BlackV27 6 months ago

      Was looking for this reply
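
Added example, not part of the comment thread or the video: a check to run on a macOS shell script before uploading it, covering the missing shebang that the commenters above identify as the reason the one-line script was refused. It also flags a UTF-8 BOM and a CRLF line ending, which break a shebang on any Unix system; the function names, return codes and sample scripts are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: pre-upload check for a macOS shell script.
# Return codes (assumed for this example): 0 ok, 1 no shebang, 2 missing file,
# 3 UTF-8 BOM before the shebang, 4 CRLF line ending, 5 relative interpreter.
check_shebang() {
    f=$1
    [ -f "$f" ] || { echo "missing file: $f"; return 2; }
    # A UTF-8 BOM (EF BB BF) ahead of "#!" hides the shebang from the kernel.
    bom=$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')
    [ "$bom" = "efbbbf" ] && { echo "BOM before shebang: $f"; return 3; }
    first=$(head -n 1 "$f")
    case $first in
        '#!'*) ;;
        *) echo "no shebang on line 1: $f"; return 1 ;;
    esac
    # A Windows line ending turns the interpreter path into "/bin/sh\r".
    cr=$(printf '\r')
    case $first in
        *"$cr") echo "CRLF line ending on shebang: $f"; return 4 ;;
    esac
    # Accept both "#!/bin/sh" and "#! /bin/bash"; the path must be absolute.
    interp=$(printf '%s\n' "$first" | sed 's/^#![[:space:]]*//' | awk '{print $1}')
    case $interp in
        /*) echo "ok ($interp): $f"; return 0 ;;
        *) echo "interpreter is not an absolute path: $f"; return 5 ;;
    esac
}

# Constructed sample scripts, written into the directory given as $1.
make_samples() {
    printf 'echo constructed one-liner\n'              > "$1/oneliner.sh"
    printf '#!/bin/sh\necho constructed\n'             > "$1/posix.sh"
    printf '#! /bin/bash\necho constructed\n'          > "$1/spaced.sh"
    printf '#!/bin/sh\r\necho constructed\r\n'         > "$1/crlf.sh"
    printf '\357\273\277#!/bin/sh\necho constructed\n' > "$1/bom.sh"
}

# Demo run over the constructed samples.
d=$(mktemp -d) && make_samples "$d"
for s in "$d"/*.sh; do check_shebang "$s" || true; done
rm -rf "$d"
```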