Thanks for the video. It looks very far from complete to me. It's improved, but it's not slick. Users should be asked to sign in once, with their Entra creds. AppleID should be automatic, and the fact that there is a local account should not be visible to the user. And that's before we consider the new passwordless initiatives, like keypass, or existing options, like fingerprint ID on Macs. These should Just Work. Mac users are Mac users because they are used to, and want a fuss free first class experience. They are not going to like this much.
Far away from a MDM solution like Jam! This new features gives me a lot of headache because it's not working. I created a created a new enrollment profile checked "Await Final Config" and created a dynamic group which equals the enrollment profile. The I added this dynamic group to an app profile to install Company Portal and to a configuration profile to enable FV (Force Enable in Setup Assistant). BUT neither it will install the app nor it will show the FV screen during Setup Assistant - and yes I activated FV also in the enrollment profile. Did I missed something?
I’m a bit confused here. You said no matter the password you add here it will change to the actual M365/EntraID password on sync? So what about passwordless? There are no passwordless options here. And also the SSO plugin in MacOS will allow for SSO for apps and browsers even when logging in with a password. So, CA policy’s? Would a Mac user be promoted for MFA at every interaction with M365 with policy’s forcing MFA or authentication strength? Kinda annoying. What passwordless login options does this solution offer? I guess FIDO2 keys but password still remains. I don’t even know my password anymore only using Windows Hello or Authenticator for login on web and windows. You should be able to do weblogin here with phone sign in via the standard web login method. And what about TAP? Doesn’t work either. With that said. It’s not ready yet. They have some way to go to feature parity
Hey - yeah apologies, I've started this video after already configuring all that stuff. Apple Business Manager enrollment ensures the device heads to the right tenant during initial startup. This might help! th-cam.com/video/ePkLDFsEURw/w-d-xo.html
Thanks for the video. It looks very far from complete to me. It's improved, but it's not slick. Users should be asked to sign in once, with their Entra creds. AppleID should be automatic, and the fact that there is a local account should not be visible to the user. And that's before we consider the new passwordless initiatives, like keypass, or existing options, like fingerprint ID on Macs. These should Just Work. Mac users are Mac users because they are used to, and want a fuss free first class experience. They are not going to like this much.
Great video, Dean! Funny thing, I've had Mac also pick those lips when testing!
Awesome stuff bro, thx
No problem 👍
So when the user changes their entra ad password does that sync to the Mac login password?
Great! But for that u need the Apple Business Manager or?
Far away from a MDM solution like Jam! This new features gives me a lot of headache because it's not working.
I created a created a new enrollment profile checked "Await Final Config" and created a dynamic group which equals the enrollment profile. The I added this dynamic group to an app profile to install Company Portal and to a configuration profile to enable FV (Force Enable in Setup Assistant). BUT neither it will install the app nor it will show the FV screen during Setup Assistant - and yes I activated FV also in the enrollment profile.
Did I missed something?
I’m a bit confused here. You said no matter the password you add here it will change to the actual M365/EntraID password on sync?
So what about passwordless? There are no passwordless options here. And also the SSO plugin in MacOS will allow for SSO for apps and browsers even when logging in with a password. So, CA policy’s? Would a Mac user be promoted for MFA at every interaction with M365 with policy’s forcing MFA or authentication strength? Kinda annoying. What passwordless login options does this solution offer? I guess FIDO2 keys but password still remains.
I don’t even know my password anymore only using Windows Hello or Authenticator for login on web and windows. You should be able to do weblogin here with phone sign in via the standard web login method. And what about TAP? Doesn’t work either.
With that said. It’s not ready yet. They have some way to go to feature parity
How does the mac knows that device is owned by the organisation during the inital setup . Can someone please explain
The Mac is ostensibly enrolled in Apple Business (or school) Manager.
what version of Intune has this feature in it?
the tenant i used is v2401
What about Azure AD user login? I can’t seem to figure this one out without jamf connect.
This will come with Platform SSO which MSFT keeps pushing back back but is really near
@@jpricric9722 my company just received preview access to platform SSO Friday. I’ve been building it out and will be testing.
Dean,
How does a standard MacOS out of the box build auto enroll to the correct tenant?
I may have missed something there.
Hey - yeah apologies, I've started this video after already configuring all that stuff. Apple Business Manager enrollment ensures the device heads to the right tenant during initial startup.
This might help!
th-cam.com/video/ePkLDFsEURw/w-d-xo.html
@@DeanEllerbyMVP I had managed to avoid that so far, using user enrollment.
Maybe in time...LAPS for Mac? 🤣
Ok, maybe just Standard user instead of Admin for local user?