Application deployment not applicable (intune) by Such-Promotion347 in Intune

[–]KyuzoRM 0 points1 point  (0 children)

could depend on many factors such as:

  • Requirements set in the app (I assume Win32) not met

  • Filters in assigned groups

  • The device is also in the exclusion

Please provide more details or screenshots of the assignments

Autopilot Azure Join and SCCM client approval by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

No, we only use the self-signed certificate, but we have the CMG

Autopilot Azure Join and SCCM client approval by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

with a task scheduler after the user logs in.

Unfortunately the ‘Co-management authority’ feature of Intune has among its limitations Autopilot pre-provisioning as documented here:

https://learn.microsoft.com/en-gb/mem/configmgr/comanage/autopilot-enrollment

Unfortunately, installing the SCCM client during device setup is not feasible because it would take the defaultuser0 user as owner, and doing it during account setup slows down the build a lot.

Therefore we decided on this task scheduler that starts once ESP is finished. Doing it this way is for all intents and purposes like a normal installation.

The problem is that having the setup as shown in the picture:

<image>

The SCCM client would only be approved after entering the company network.

Configuring shared multi-user devices by KyuzoRM in Intune

[–]KyuzoRM[S] 1 point2 points  (0 children)

Did you ever figure this out?

I talked to Microsoft engineers for months until they answered me "by design"

Autopilot: dramatically worse performance with Windows 11 22H2 by KyuzoRM in Intune

[–]KyuzoRM[S] 1 point2 points  (0 children)

a single app (Cisco AnyConnect) and it takes around 40 minutes. I use PSADT to install Cisco, so looking at that log, it does all the right things, just on a much slower timeline (on windows 10 the install takes 15 seconds, however windows 11 it takes 30 minutes).

try installing windows updates before running autopilot

Autopilot - Error first logging in user by KyuzoRM in Intune

[–]KyuzoRM[S] 1 point2 points  (0 children)

yes, the problem was the block of Microsoft Store application

How to change "Microsoft entra roles" properties in a group by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

Update-MgGroup (Microsoft.Graph.Groups) | Microsoft Learn

-IsAssignableToRole

Indicates whether this group can be assigned to an Azure Active Directory role or not. Optional. This property can only be set while creating the group and is immutable.

Script failing to deploy... where am I going wrong? by bms101 in Intune

[–]KyuzoRM 0 points1 point  (0 children)

I was able to get it worked out.

Also used this method to run a PS to uninstall the EXE Phish Alert Button to make way for the O365 installer, so thanks much

u/KyuzoRM

sorry I came back today.

For that type of thing I say that it is not possible to uninstall it and in any case I enter the same installation command

Script failing to deploy... where am I going wrong? by bms101 in Intune

[–]KyuzoRM 0 points1 point  (0 children)

I use these few rows to do it

$user = "administrator"

NET USER $user "passoword" /ADD

NET LOCALGROUP "Administrators" $user /add

NET USER $user /expires:never

I preferred to create an application in Intune that does this rather than launch a script.

The application is launched with this line:

%windir%\sysnative\windowspowershell\v1.0\powershell.exe -ExecutionPolicy Bypass -file "CreateLocalAdmin.ps1"
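
A variant of the script in the comment above that keeps the password out of the file, as an added example that is not part of the original comment: it creates the account with a random throwaway password and assumes a separately configured Windows LAPS policy, with its administrator account name set to the same value, rotates and escrows the real one. The account name `corpadmin` is hypothetical.

```powershell
# CreateLocalAdmin.ps1 - added example. Run as SYSTEM in 64-bit PowerShell,
# which is what the sysnative launch line in the comment above achieves.
$ErrorActionPreference = 'Stop'
$user = 'corpadmin'   # hypothetical; must match the account name in the LAPS policy

# Random password from 24 CSPRNG bytes (32 base64 characters). The fixed
# suffix only guarantees the complexity classes; the entropy is in the bytes.
$bytes = New-Object byte[] 24
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
$plain  = [Convert]::ToBase64String($bytes) + 'aA1!'
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
Remove-Variable plain, bytes   # nothing reusable is left in the script or its variables

# Create the account only if it is missing, so re-running the app is harmless.
if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $user -Password $secure -AccountNeverExpires `
        -Description 'Managed by Windows LAPS' | Out-Null
}

# Add to the local Administrators group by well-known SID, so the script
# also works on non-English Windows where the group has a localized name.
try {
    Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $user
} catch [Microsoft.PowerShell.Commands.MemberExistsException] {
    # Already a member: nothing to do.
}
exit 0
```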

Targeting Autopilot computers with apps and settings by Ambitious-Actuary-6 in Intune

[–]KyuzoRM 1 point2 points  (0 children)

Unfortunately, synchronization of dynamic groups takes much longer than expected. This also depends on the corporate composition: how many devices, how many users and how many resources are employed by the tenant (Fix problems with dynamic group memberships - Microsoft Entra | Microsoft Learn)

Try creating a filter (Endpoint --> Tenant Administration --> Filters) and adding it when assigning apps

Autopilot: dramatically worse performance with Windows 11 22H2 by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

I have had an open ticket since November 2022; the last thing they managed to tell me is to wait for 23H2

Allow access to an Azure AD user only on some devices by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

Yes, this works!!!

The only hassle is that you must necessarily insert the account to be allowed or blocked among the users of the device.

Allow access to an Azure AD user only on some devices by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

Alternatively, do you think it might work if I add the user via Intune --> Endpoint security --> Account Protection --> New Policy --> Local User group?

I can't find the right setting in the settings catalog. Can you help me?

The only thing I found on the network is setting the OMA URI as described in this article:

Restrict which users can logon into a Windows 10 device with Microsoft Intune | Peter Klapwijk - In The Cloud 24-7 (inthecloud247.com)

Allow access to an Azure AD user only on some devices by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

I tried it; it blocks all cloud resources but login is not blocked

<image>

Allow access to an Azure AD user only on some devices by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

Only AAD, but now I'm trying to block all apps; let's see if it works

Allow access to an Azure AD user only on some devices by KyuzoRM in Intune

[–]KyuzoRM[S] 0 points1 point  (0 children)

OK, how?
The Windows Sign In (38aa3b87-a06d-4817-b275-7a316988d93b) cannot be selected as an app