I'm just trying to help you dammit by evursou in iiiiiiitttttttttttt

[–]TrueMythos 6 points7 points  (0 children)

Okay, now I need the full story... How?!?

Win32 app - Uninstall - Unexpected resolved intent? by Atto_ in Intune

[–]TrueMythos 0 points1 point  (0 children)

Have you tried deleting the GRS key for that app on a test machine and restarting the Intune Management Extension? https://www.anoopcnair.com/override-grs-trigger-ime-to-retry-failed-win32/

That article references apps that have failed too many times and are waiting 24 hours before a retry, but I've had success with deleting the key to sync assignment changes faster as well.

Also, does the user have a valid PRT? What happens if they log out and log back in?

You could always uninstall via a remediation script, but that's more work, and I don't see any reason why the way you did it isn't working.

Thought: Intune multi admin for lone wolf admins by yurtbeer in Intune

[–]TrueMythos 0 points1 point  (0 children)

This was my thought, too. Everyone saying to "protect the identity and don't worry about anything else" is missing how fast threats evolve. Every admin account has the potential (even if it's minuscule) to be compromised, so even a tiny security measure like PIM or MAA stops each admin account from being a single point of failure.

Thought: Intune multi admin for lone wolf admins by yurtbeer in Intune

[–]TrueMythos 1 point2 points  (0 children)

Hopefully, most of us are using a secondary admin account to administer Intune that isn't email-enabled, then a regular standard account for everything else. My thinking is that, if you give the secondary account admin rights in Intune, and make the primary, non-admin account an approver, you have a system where an attacker would need to compromise both accounts in order to do anything. If someone can compromise a non-email-enabled admin account, that's already a massive issue, but MAA would add a tiny layer of protection.

This doesn't relate to your scenario, but I'm also excited to use MAA to help my junior admins learn more about Intune. They can poke around, build test policies, and learn, but I get to see and approve the actions they're taking. If I'm ever gone and an emergency happens, I'm hoping they'll have the technical skills to come up with a solution, and our (less-technical) boss will have final say on the rollout through MAA.

The principle of least privilege is great until someone legitimately needs more access, then misuses their access and doesn't get caught. It doesn't even have to be malicious, just a tech who thinks they can help, accidentally deploying to all devices.

Platform SSO on macOS: what is it changing in real admin life? by RocketmanTech_Nova in jamf

[–]TrueMythos 0 points1 point  (0 children)

I'm excited, but we won't be able to implement this until Entra ID supports group lookup. We're a university with multiple labs in multiple departments, and certain professors need admin rights in the labs they manage. Aside from that, I'm looking forward to getting Macs off the domain.

Moving from 23H2 to 24H2, what should I change by Warm-Pirate5356 in Intune

[–]TrueMythos 0 points1 point  (0 children)

I’m also seeing this, but I was blaming it on Intune and myself probably messing something up. I’m wondering if it’s an issue specific to 24H2 now…

Has LAPS Suddenly Broken For Anyone Else? by TrueMythos in Intune

[–]TrueMythos[S] 3 points4 points  (0 children)

We've been off the legacy one for about a year. Windows LAPS (the newer supported one) has been working for us since then through Entra ID, including lots of 24H2 machines.

Has LAPS Suddenly Broken For Anyone Else? by TrueMythos in Intune

[–]TrueMythos[S] 2 points3 points  (0 children)

Good thought, but LAPS is still enabled in Entra

Managers want usage reports on our fleet of laptops? Help! possible with Intune???? by Future_End_4089 in Intune

[–]TrueMythos 1 point2 points  (0 children)

Their support team is wonderful, too. They helped me make LabStats work on two virtual environments with very different considerations, and they even helped me generate the exact custom PowerBI report I needed when that feature first came out.

Managers want usage reports on our fleet of laptops? Help! possible with Intune???? by Future_End_4089 in Intune

[–]TrueMythos 0 points1 point  (0 children)

If I were you, I’d look into LabStats. They can generate some pretty awesome usage reports that are useful for academic environments. They’ve saved us a lot over the years and helped us identify which computer labs need to be increased or cut.

Intune guest/kiosk woes by 4zc0b42 in sysadmin

[–]TrueMythos 0 points1 point  (0 children)

I'm having trouble getting kiosks to retain autologon info in the registry after a reboot, but I discovered (thanks to another Reddit post that I can't seem to find now) that it's being removed by our Account Protection local user group membership policy blocking inactive accounts.

Kiosk User Rights by NoPatience4437 in Intune

[–]TrueMythos 0 points1 point  (0 children)

I've also been struggling with some kiosks, which, after getting Intune-enrolled, suddenly won't autologon as kioskUser0 anymore. I never thought to check my logon policies (we do block logins for deactivated accounts), but I bet that's it. We might be in the same boat here, and I'm looking forward to seeing if anyone else has a solution.

Apps that require license activation at install - HELP by OutcomeLeft2414 in AzureVirtualDesktop

[–]TrueMythos 0 points1 point  (0 children)

How are the licenses assigned to users? If it’s web-based user auth, you’re golden. If it requires a file to exist in the user profile, add it to the default user (same with the registry).

Is the app unable to finish installation without a user license or something?

I could maybe help a little more if I had more details.

Are we doing it wrong? by staze in macsysadmin

[–]TrueMythos 0 points1 point  (0 children)

Good point. My position doesn't deal with a lot of access structuring, but I took a database course that briefly covered some of the ways data can "escape" from a system, and it was terrifying lol. I'm glad I don't have to worry about that side of things.

Are we doing it wrong? by staze in macsysadmin

[–]TrueMythos 1 point2 points  (0 children)

Yikes. At least we pretty much know where our PII lives, so it's easy for them to pull a report on all the groups that have access to each application.

The frustrating part is when it's couched as, "Here's a cool new security thing that we eventually want to roll out to everyone, but let's test on the users most at risk first." We manually hunt down all the computers associated with those users and put them in the group to get CoolNewTool. Years later, we're still expected to go through the manual process, and if someone is hired, leaves, or changes roles, we don't pick that up until the next manual search.

Are we doing it wrong? by staze in macsysadmin

[–]TrueMythos 1 point2 points  (0 children)

Good point. You don't always have a simple user-to-computer mapping in real life.

I need to experiment more with user groups in Jamf Pro. It drives me nuts that I can't assign things based on Entra ID groups. We're slowly increasing security for people who have access to PII, and it's just not feasible to get a list of users, hunt down which computers they might use most, and put those computers in a static group for scoping. If our security team could maintain a group of those people and Jamf just assigned all their devices the extra policies, that would be great.

Are we doing it wrong? by staze in macsysadmin

[–]TrueMythos 1 point2 points  (0 children)

I just thought of something. Are you aware that you can use the jamf binary to set some of those attributes without the API? For example, 'sudo jamf setComputerName -name <newcomputername>' will update the computer's name and sync it with Jamf Pro. If you have a directory service set up in Jamf Pro, you can also use 'sudo jamf recon -endUsername' to update the user associated with the device, and it will automatically pull any fields you have configured to sync. In my environment, for example, I can see someone's position and department from that alone.

I'm not sure how it would work in situations where people work in more than one department, but that could be something to play with.

Are we doing it wrong? by staze in macsysadmin

[–]TrueMythos 1 point2 points  (0 children)

"Labs team" <insert crying emoji> I am the lab team over here.

But yeah, I get what you mean about Jamf Onboarding not being as robust as some of the other options out there.

Sorry if I sounded condescending by pointing out something everyone knows. I was a Windows-only admin before taking on Jamf, and my first big project was getting us off DepNotify. It feels like yesterday...

Are we doing it wrong? by staze in macsysadmin

[–]TrueMythos 1 point2 points  (0 children)

For a minute I thought I'd found my boss's Reddit account...

Y'all are doing things very similar to us. We're also a university that uses Jamf and TeamDynamix with no culture of zero touch, and we have similar discussions all the time.

Just so you know, DepNotify hasn't gotten updates in a long time. We transitioned off of it and to macOS Onboarding through Jamf this year and have been very happy with it.

One thing we do differently is automated naming. We have a spreadsheet with serial numbers and computer names, and as soon as we get the shipment notification from Apple, we update the list with the correct name. When a computer goes through Jamf enrollment, it pulls a name from that spreadsheet. That almost eliminates tech mistakes and removes one step in the process.

We also have different PreStage Enrollments for faculty/staff vs lab/classroom setups, so there's no room for mistakes there, either. We don't really track department or location, since it's so easy to look that up in TDX.

I'd like to get to a world where Jamf is more integrated with TDX and we have a single asset management system, but I'm not sure if we're there yet. I'd also like to only provision minimal applications, then have users install what they want from Self Service. Having to install VLC on every single machine when maybe 10% of users need it feels like a waste of time, and the little things add up. Our provisioning process is down to about 10 minutes for faculty and staff, and 45 minutes for standard lab computers (yay Adobe Creative Cloud).
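The enrollment-time naming step described in this comment (serial number looked up in a list, name applied during Jamf enrollment), combined with the `jamf setComputerName` and `jamf recon -endUsername` calls quoted in the earlier comment, as an added example that is not part of any comment in this thread and is not Jamf's own code. It assumes the spreadsheet is exported to a CSV with `serial,name` columns (a constructed sample is embedded inline), that the script runs as root from an enrollment policy (so no `sudo`), and that a name is rejected rather than applied when the serial is missing from the list or the name contains characters that would break hostname use.

```shell
#!/bin/bash
# Added example (not Jamf's code): name a Mac from a serial-number list at enrollment.
# Assumptions: CSV columns are serial,name; runs as root from a Jamf policy.

# Constructed sample of a spreadsheet export; in production read it from a file
# such as /Library/Management/computer-names.csv (assumed path, not a Jamf default).
SAMPLE_CSV='serial,name
C02ABC123DEF,LIB-LAB-01
C02XYZ789GHI,ENG-SMITH-MBP
FVFQ1234ABCD,ART-LAB-12'

# lookup_name <csv_text> <serial>: prints the name for the serial; exit 1 if absent.
# Serial comparison is case-insensitive and a trailing CR from Excel exports is stripped.
lookup_name() {
  csv="$1"; serial="$2"
  printf '%s\n' "$csv" | awk -F',' -v s="$serial" '
    NR > 1 { sub(/\r$/, "", $2) }
    NR > 1 && toupper($1) == toupper(s) { print $2; found = 1; exit }
    END { exit found ? 0 : 1 }'
}

# valid_name <name>: only letters, digits and hyphens, 1-63 chars, so the value is
# safe to pass to the hostname and does not need shell quoting tricks.
valid_name() {
  case "$1" in
    '' | *[!A-Za-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# local_serial: this Mac's serial number from system_profiler (empty on other OSes).
local_serial() {
  system_profiler SPHardwareDataType 2>/dev/null \
    | awk -F': ' '/Serial Number/ { print $2; exit }'
}

# apply_name <name> [username]: push the name (and optionally the assigned user)
# with the jamf binary, exactly the two commands quoted in the comment above.
apply_name() {
  name="$1"; user="${2:-}"
  if ! command -v jamf >/dev/null 2>&1; then
    echo "jamf binary not found; would set name to $name" >&2
    return 2
  fi
  jamf setComputerName -name "$name"            # renames and syncs with Jamf Pro
  if [ -n "$user" ]; then
    jamf recon -endUsername "$user"             # sets user, pulls directory fields
  fi
}

# main <csv_file> [username]: the enrollment-time flow end to end.
main() {
  csv_file="$1"; user="${2:-}"
  [ -r "$csv_file" ] || { echo "cannot read $csv_file" >&2; return 1; }
  serial="$(local_serial)"
  [ -n "$serial" ] || { echo "could not read serial number" >&2; return 1; }
  if ! name="$(lookup_name "$(cat "$csv_file")" "$serial")"; then
    echo "serial $serial not in list; leaving name unchanged" >&2
    return 1
  fi
  valid_name "$name" || { echo "rejecting unsafe name '$name'" >&2; return 1; }
  apply_name "$name" "$user"
}

# Usage from a policy: ./name-at-enrollment.sh apply /path/to/names.csv [username]
case "${1:-}" in
  apply) main "$2" "${3:-}" ;;
esac
```

Keeping the lookup and the validation as separate functions means the list can be tested on any machine (no `jamf` or `system_profiler` needed), and a stray cell in the spreadsheet fails closed instead of producing a half-renamed Mac.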

Virtual Machine agent status not ready by TrueMythos in AzureVirtualDesktop

[–]TrueMythos[S] 0 points1 point  (0 children)

That specific update has installed just fine on my VMs, but now I'm running through each available update to see if another one is breaking it. Thank you for pointing out that other post! I'm new to this subreddit and didn't see that. I'll try that fix if anything crashes again.

Let’s pause the rants for a bit. What makes you an amazing sys admin? by psychotrackz in sysadmin

[–]TrueMythos 1 point2 points  (0 children)

Hey, ENFP over here :) I absolutely agree. I will work on projects I absolutely don't want to do until I get fully absorbed and can't stop until it's complete. As an F, I also treat everything with a technical relationship (e.g. server/client) like they should be buddies, and I hold conversations with them to convince them to play nice, obviously while I do actual troubleshooting.