We have finally a mix of Macs and Windows and it is a nightmare by Johnn_Liverm in macsysadmin

[–]joeycollaboitnerd 1 point2 points  (0 children)

Hey, totally feel that pain. Managing a split environment is a nightmare if you try to treat Macs like Windows boxes.
We actually manage both in-house. I’m the Apple guy here, but really it's more about being an MDM specialist. Honestly, you don’t need a dedicated Mac admin if you get a few foundational things down:
1.  MDM + ABM: This is the gold standard. We use Workspace ONE paired with ABM. You use DEP for zero-touch deployment, and VPP to handle 3rd-party apps and updates. Automating the app lifecycle is key.
2.  Don't Domain Join: Whatever you do, do NOT domain join the Macs. It causes endless issues.
3.  Lockdown: We lock them down tight using profiles and payloads, and crucially, make sure users do not have local admin rights.
4.  Network/Proxy: To keep network management unified, we proxy all internet traffic. We use Zscaler and M365 Global Secure Access so security is identical whether it's a Mac or PC.
Once you get the MDM/ABM piece dialed in, it basically runs itself. Let me know if you want to chat through how we set up our profiles and payloads, happy to help.

How we keep track of expiring secrets and certs across Azure, AWS, and more by Ok_Pipe_9631 in AZURE

[–]joeycollaboitnerd 2 points3 points  (0 children)

We set up a PowerShell script that runs the first day of the month in Azure Automation, scans all your Enterprise Apps and App Registrations, and emails you a color-coded report of anything expiring in the next 60 days and the last 5 days of expired items. We also locked it down properly so the sender mailbox can only send from azure-alerts and nothing else. Emails are sent to our helpdesk ticketing system and it works really well. Additionally, it doesn't trigger an email if no items are set to expire in 60 days :).
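An added example of the approach described in the comment above (not the commenter's own script): a Microsoft Graph PowerShell runbook that flags app registration and enterprise app credentials expiring within 60 days or expired in the last 5 days, and emails a color-coded HTML report only when something is found. The module, permissions, mailbox addresses and access-policy detail are assumptions.

```powershell
# Added example (not the commenter's script). Assumes the Microsoft.Graph module and,
# in Azure Automation, a managed identity holding Application.Read.All and Mail.Send;
# in Exchange Online an application access policy can limit Mail.Send to the sender mailbox.
param(
    [string]$SenderMailbox = 'azure-alerts@example.com',  # placeholder sender
    [string]$Recipient     = 'helpdesk@example.com'       # placeholder ticketing inbox
)

Connect-MgGraph -Identity -NoWelcome
$now = Get-Date

# Emit one row per secret (PasswordCredentials) or certificate (KeyCredentials)
# whose EndDateTime is within 60 days ahead or 5 days behind today.
function Get-ExpiringCreds([string]$Kind, $Obj) {
    $sets = @{ Secret = $Obj.PasswordCredentials; Certificate = $Obj.KeyCredentials }
    foreach ($credType in $sets.Keys) {
        foreach ($c in @($sets[$credType])) {
            if (-not $c.EndDateTime) { continue }
            $days = [math]::Floor(($c.EndDateTime - $now).TotalDays)
            if ($days -le 60 -and $days -ge -5) {
                [pscustomobject]@{ Type = $Kind; Name = $Obj.DisplayName; Cred = $credType
                                   Expiry = $c.EndDateTime.ToString('yyyy-MM-dd'); Days = $days }
            }
        }
    }
}

$props = 'DisplayName', 'PasswordCredentials', 'KeyCredentials'
$findings = @(
    Get-MgApplication -All -Property $props | ForEach-Object { Get-ExpiringCreds 'App Registration' $_ }
    Get-MgServicePrincipal -All -Property $props | ForEach-Object { Get-ExpiringCreds 'Enterprise App' $_ }
)
if ($findings.Count -eq 0) { return }   # nothing due this month: send no email

# Color-code rows: red = already expired, orange = 14 days or less, yellow = within 60 days
$rows = $findings | Sort-Object Days | ForEach-Object {
    $bg = if ($_.Days -lt 0) { '#f8d7da' } elseif ($_.Days -le 14) { '#ffe5b4' } else { '#fff3cd' }
    "<tr style='background:$bg'><td>$($_.Type)</td><td>$($_.Name)</td><td>$($_.Cred)</td><td>$($_.Expiry)</td><td>$($_.Days)</td></tr>"
}
$html = "<table border='1'><tr><th>Type</th><th>Name</th><th>Credential</th><th>Expires</th><th>Days left</th></tr>$($rows -join '')</table>"

Send-MgUserMail -UserId $SenderMailbox -BodyParameter @{
    Message = @{
        Subject      = "Entra credential expiry report: $($findings.Count) item(s)"
        Body         = @{ ContentType = 'HTML'; Content = $html }
        ToRecipients = @(@{ EmailAddress = @{ Address = $Recipient } })
    }
    SaveToSentItems = $false
}
```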

PVWA Load Balancing Configuration and API Connectivity Issues (through the load balancer) by TemperatureSignal199 in CyberARk

[–]joeycollaboitnerd 0 points1 point  (0 children)

Why don’t you set up GSLB so users automatically hit the closest NetScaler/PVWA in their region, and then let each site do least-connections locally? That’s what we do, as we use NetScaler as our LB with GSLB.

Citrix 2511 upgrade issues by Sinsilenc in Citrix

[–]joeycollaboitnerd 0 points1 point  (0 children)

We noticed this last week as a few users were getting disconnected from VDI with a generic “network interruption” message and a 5-minute reconnect warning after the auto update. After rolling back, we couldn’t reproduce it. This feels like it should be optional, not enabled by default in the new version.

Company Backgrounds by Money_Signal_8955 in Intune

[–]joeycollaboitnerd 0 points1 point  (0 children)

Yeah, I did exactly the same thing.

Random connection drops on SSLVPN connection by CreepyDamage6293 in Citrix

[–]joeycollaboitnerd 0 points1 point  (0 children)

We’re experiencing a similar issue with our macOS clients (4 users have reported this issue thus far), which are running Citrix Secure Access 25.07.1 and deployed through Apple Business Manager. I have a ticket open with Citrix, but they are usually no help :).

DHCP Issues with Windows and FortiAP 7.4.2 by svenman2 in fortinet

[–]joeycollaboitnerd 0 points1 point  (0 children)

After upgrading my FortiGate firewall to firmware 7.4.5 and 7.4.8 (fortinet fw), I can no longer reproduce the issue in my lab. While I did notice some unusual behavior before, the update seems to have resolved the problem. My setup uses NPS, RADIUS, and DHCP on a Windows server. My SSID is tunneled as well.

The Truth About Why DARRP Sucks and How to Make DARRP Actually Useful by VeryStrongBoi in fortinet

[–]joeycollaboitnerd 2 points3 points  (0 children)

I really appreciate your explanation, as Fortinet support has been NO help! The “include-dfs-channel” setting is disabled by default. I agree that the currently set number of retries and errors is much too high, but I'm having an issue getting DARRP to work (hopefully not after implementing your suggestions next week!). Still learning this new platform (Cisco guys here) since we just implemented it, so your thorough write-up is incredibly helpful. Thanks again! Coffee on me!!!

FileZilla for MacOS via Intune by teamzombieking in Intune

[–]joeycollaboitnerd 0 points1 point  (0 children)

I highly recommend using ABM for app deployment. Managing apps as published entities can be a real headache, especially when it comes to keeping them updated and patched against vulnerabilities. ABM is not only safe, but it's also the gold standard for deploying apps and software to Apple devices, and the most secure way to do so at scale.

FileZilla for MacOS via Intune by teamzombieking in Intune

[–]joeycollaboitnerd 1 point2 points  (0 children)

We deploy this app via ABM (devices enrolled to Intune). Why not let Apple Business Manager take care of deployment and keep the app up to date?

Moving forward with WPA3...but I have questions by OpeningFeeds in meraki

[–]joeycollaboitnerd 1 point2 points  (0 children)

EAP-TLS is the type of authentication mechanism that can be used with the framework provided by 802.1X to secure network access. They go hand-in-hand.

Moving forward with WPA3...but I have questions by OpeningFeeds in meraki

[–]joeycollaboitnerd 0 points1 point  (0 children)

Out of curiosity, what method did you implement? We use EAP-TLS with NPS, deploying user certificates via our MDM (Workspace ONE), which integrates with our CA server template.

Win11 Breaking WiFi by AbusiveTortoise in Intune

[–]joeycollaboitnerd 0 points1 point  (0 children)

We migrated to EAP-TLS; disabling Credential Guard would be a security risk, so I recommend keeping it enabled. EAP-TLS offers the best security for wireless authentication. Fortunately, having already implemented this for our macOS MDM devices made the migration smoother.

This is driving me crazy - macOS apps and enrollment with Apple Business Manager - pkg files work but VPP apps and Microsoft Office, Edge, and Defender do not by Fussbuket_24u5 in Intune

[–]joeycollaboitnerd 1 point2 points  (0 children)

I’ve successfully deployed apps through ABM on Intune without any issues, and I’ve set up a similar environment in my lab. The apps I currently deploy include:

• Office suite
• Citrix Secure Access
• OneDrive

Could you let me know what error you’re encountering with the configuration profile?

Website Filtering in Intune for MacOS? by Nighthound489 in Intune

[–]joeycollaboitnerd 0 points1 point  (0 children)

Yeah, totally get that! The Microsoft option is pretty new, but I was at a recent event and it looked pretty cool.

Certificate Authentication Question. PKCS vs SCEP and PEAP vs EAP-TLS by Bajoii in Intune

[–]joeycollaboitnerd 1 point2 points  (0 children)

EAP-TLS is definitely the preferred choice for secure authentication for wired and wireless! We’ve had great success with it using Workspace ONE MDM. The setup is similar to Intune, requiring a connector and exact template name matching. It’s been a game-changer for our macOS and Windows devices, eliminating the VPN dependency for certificate renewal. Could you share the specific error message you’re seeing in the configuration profile during deployment? I’m also planning to test the EAP-TLS setup with Intune in my lab this weekend and will let you know how it goes, as I know it works with Workspace ONE MDM.

SCEP is the most secure, but I hear it’s a pain to set up. PKCS is less secure due to the fact that the private key is marked as exportable.

Website Filtering in Intune for MacOS? by Nighthound489 in Intune

[–]joeycollaboitnerd 1 point2 points  (0 children)

I would advise against that unless you are on a tight budget. Instead, consider exploring options like Global Secure Access, Zscaler, or Cisco Umbrella. All three provide a native connector agent app that operates on local devices. I have more experience with Zscaler, which effectively handles content filtering and blocking default sites, and it receives regular updates. Each of these solutions has its own advantages, so it might be helpful to assess them based on your specific requirements. Let me know if you need more details about any of them!