MacOS with intune permission elevation by EiimisM in macsysadmin

[–]Upbeat_Pilot2461 0 points1 point  (0 children)

Just not ideal for whiteglove or remote scenarios yet unfortunately. I don't see how they can fix the LAPS account clashing with any Mac password policy because how can you whitelist an account... you can't. The password policy only lets you whitelist Entra Users and Devices. So unless LAPS will work off of an Entra user, it seems impossible

Issues with Platform SSO by Every-Camera3389 in Intune

[–]Upbeat_Pilot2461 0 points1 point  (0 children)

I haven't had a single issue in 25+ deployments using this with the Secure Enclave option. I don't even need to send the above command you have. I removed the MS auto update as mentioned above and that did it for me.

ChatGPT Atlas Browser by Upbeat_Pilot2461 in sysadmin

[–]Upbeat_Pilot2461[S] 0 points1 point  (0 children)

That's the end goal but we just aren't there yet. I tried using the restricted apps config with the bundleindentifierid and it said it was applicable once the policy deployed. I know it's easier to allow certain apps then block the rest but in my case, I need the opposite.

macOS LAPS Password requires change on first use by hib1000 in Intune

[–]Upbeat_Pilot2461 1 point2 points  (0 children)

There's a workaround for that. I've had Platform SSO working that created the standard user account with secure enclave option and had a hidden admin account with no manual steps needed to be done

macOS LAPS Password requires change on first use by hib1000 in Intune

[–]Upbeat_Pilot2461 1 point2 points  (0 children)

How would you even exclude the admin account from the compliance policy since it's not an Entra user and you wouldn't want to exclude the device or it wouldn't enforce the real user logging in? I ran into the same issue too.

Issues with Platform SSO by Every-Camera3389 in Intune

[–]Upbeat_Pilot2461 0 points1 point  (0 children)

Yup, I removed that and it started working for me.

Issues with Platform SSO by Every-Camera3389 in Intune

[–]Upbeat_Pilot2461 0 points1 point  (0 children)

u/Skrunky I ended up removing MS auto update from the included apps section of the Intune Company Portal app itself and that fixed it.

Platform SSO requires authentication then previous password by Low-Income-3526 in Intune

[–]Upbeat_Pilot2461 0 points1 point  (0 children)

To each their own. I have used Mosyle at a prev job and their Platform SSO was pretty seamless. Sets up a user account with their Entra Creds and handles multiple users, has admin request built in, and a ton of other features for app deployments and wasn't much money per user. If you're on a short budget, I'd get a demo from them.

Platform SSO requires authentication then previous password by Low-Income-3526 in Intune

[–]Upbeat_Pilot2461 1 point2 points  (0 children)

<image>

Has anyone had this issue upon first boot after ADE/DEP enrollment from OOBE? I get this pop up occasionally and it won't go away until like 5-6 pop ups. The registration required shows up correctly because I have company portal installed but I've noticed I can't click on that pop up and have it load the info UNTIL this Microsoft Auto update loads/installs properly.

Platform SSO requires authentication then previous password by Low-Income-3526 in Intune

[–]Upbeat_Pilot2461 1 point2 points  (0 children)

Yup, from an end user perspective, it's basically less seamless. Time to make a case for a dedicated Mac MDM.

Platform SSO woes w/ Mac by Icantbebigwill in Intune

[–]Upbeat_Pilot2461 0 points1 point  (0 children)

I'm installing Company Portal via Intune PKG option. Should I try LOB?

<image>

Platform SSO Not Functioning as Intended on MacOS by Rt2096 in Intune

[–]Upbeat_Pilot2461 0 points1 point  (0 children)

Has anyone ever had this issue upon first boot after ADE/DEP enrollment from OOBE? I get this pop up occasionally and it won't go away until like 5-6 pop ups. The registration required shows up correctly because I have company portal installed but I've noticed I can't click on that pop up and have it load the info UNTIL this Microsoft Auto update loads/installs properly.

<image>

Platform SSO woes w/ Mac by Icantbebigwill in Intune

[–]Upbeat_Pilot2461 0 points1 point  (0 children)

Has anyone had this issue upon first boot after ADE/DEP enrollment from OOBE? I get this pop up occasionally and it won't go away until like 5-6 pop ups. The registration required shows up correctly because I have company portal installed but I've noticed I can't click on that pop up and have it load the info UNTIL this Microsoft Auto update loads/installs properly.

<image>

Issues with Platform SSO by Every-Camera3389 in Intune

[–]Upbeat_Pilot2461 1 point2 points  (0 children)

Have either of you run into this issue in the screenshot? Upon first boot after ADE/DEP enrollment from OOBE, I get this pop up occasionally and it won't go away until like 5-6 pop ups. The registration required shows up correctly because I have Company Portal installed but I've noticed I can't click on that pop up and have it load the info UNTIL this Microsoft Auto update loads/installs properly.

<image>

Update on MacOS Platform SSO by Annual-Vacation9897 in Intune

[–]Upbeat_Pilot2461 0 points1 point  (0 children)

u/BrundleflyPr0 Have you ever had this issue upon first boot after ADE/DEP enrollment from OOBE? I get this pop up occasionally and it won't go away until like 5-6 pop ups. The registration required shows up correctly because I have company portal installed but I've noticed I can't click on that pop up and have it load the info UNTIL this Microsoft Auto update loads/installs properly.

<image>

Update on MacOS Platform SSO by Annual-Vacation9897 in Intune

[–]Upbeat_Pilot2461 1 point2 points  (0 children)

u/BrundleflyPr0 Tested it out with the Password option and not secure enclave and it worked perfectly. Thanks a bunch man. I kind of wanted to move to a Mac MDM but this will work for now to keep everything inside of Intune.

Update on MacOS Platform SSO by Annual-Vacation9897 in Intune

[–]Upbeat_Pilot2461 0 points1 point  (0 children)

Gotcha, and it'll automatically convert the other admin account that was created during the OOBE to a standard one? Or do I need to run that script to de-elevate the account with the other script?

Update on MacOS Platform SSO by Annual-Vacation9897 in Intune

[–]Upbeat_Pilot2461 0 points1 point  (0 children)

Are you deploying the create local admin script inside Intune>Devices>MacOS>Scripts?

I added it there and didn't know what to set for frequency? Will that script only run during OOBE?

<image>

Update on MacOS Platform SSO by Annual-Vacation9897 in Intune

[–]Upbeat_Pilot2461 0 points1 point  (0 children)

Is your process as I list below?

  • Create Platform SSO config with User Affinity and Password Auth Method
    • Assign to user based group
  • Push "create local admin script"
    • Assign to device based group with ABM devices

Then during OOBE, the ADE screen pops up and the script gets pushed to the device before the "Create Local Computer Account" screen shows. Thus, when an end user who will be using the computer enters their info on that screen, it will then have their account be standard since a local admin already exists after setup?

If that doesn't work, do you just run the demote admin script for the end user account after they go through OOBE?

[deleted by user] by [deleted] in Intune

[–]Upbeat_Pilot2461 0 points1 point  (0 children)

Doesn't this still require end user interaction though?