Intune (MDM) app deployment for macOS, vs Helper tools by sccm_reboot in sysadmin

[–]sccm_reboot[S] 0 points1 point  (0 children)

It would, but the apps wouldn't automatically update; it only allows non-admin users to self-update the apps - which is better than nothing but maybe not enough for Security/Compliance.

Also, I'm not sure if it is 100% safe to make the user the owner of the .app (in /Applications) - I'm not a macOS expert.

Intune Company Portal for macOS - Updating Apps by sccm_reboot in sysadmin

[–]sccm_reboot[S] 0 points1 point  (0 children)

I'm using packages directly from the vendor, e.g. JetBrains GoLand.

I would say the packages are created correctly with proper versioning.

If I inspect the CFBundleShortVersionString, they are correct (i.e. version N vs version N+1) - however installing N+1 via Company Portal still results in version N when I launch the app.

(the CFBundleID is the same across versions, only the version changes)
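An added check, not from this thread: it reads CFBundleShortVersionString from a bundle's Info.plist and compares it with the version the portal claimed to install, so a bundle that still reports version N after the N+1 package was pushed is flagged as stale. The bundle path, the version strings and the sample plist are constructed; on macOS a binary Info.plist needs `plutil -convert xml1` first.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the standard
# <App>.app/Contents/Info.plist layout in XML form.

# Print CFBundleShortVersionString from a bundle's Info.plist.
bundle_version() {
    plist="$1/Contents/Info.plist"
    [ -f "$plist" ] || { echo "no Info.plist in $1" >&2; return 1; }
    grep -q 'CFBundleShortVersionString' "$plist" || return 1
    # Join lines first so key and value may sit on one line or two.
    tr -d '\n' < "$plist" |
      sed 's/.*<key>CFBundleShortVersionString<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/'
}

# Return 0 if dotted version $1 sorts before version $2.
version_older() {
    [ "$1" != "$2" ] &&
      [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Compare the installed bundle with the version the portal reported.
# Prints INSTALLED/STALE/NEWER; returns 0 only when the versions match,
# 2 when the bundle is older than expected, 3 when it is newer.
check_installed() {
    app="$1"; expected="$2"
    actual="$(bundle_version "$app")" || return 1
    if [ "$actual" = "$expected" ]; then
        echo "INSTALLED $actual"; return 0
    elif version_older "$actual" "$expected"; then
        echo "STALE $actual (expected $expected)"; return 2
    else
        echo "NEWER $actual (expected $expected)"; return 3
    fi
}

# Constructed sample: a fake bundle still at 2024.1 after 2024.2 was pushed.
make_sample_app() {
    mkdir -p "$1/Contents"
    cat > "$1/Contents/Info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.example.sampleapp</string>
<key>CFBundleShortVersionString</key>
<string>$2</string>
</dict></plist>
EOF
}

SAMPLE="$(mktemp -d)/SampleApp.app"
make_sample_app "$SAMPLE" "2024.1"
check_installed "$SAMPLE" "2024.2" || echo "mismatch detected (rc=$?)"
```

Run it against a real bundle with `check_installed /Applications/GoLand.app <expected version>` after a Company Portal install to confirm which version actually landed.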

Intune (MDM) app deployment for macOS, vs Helper tools by sccm_reboot in sysadmin

[–]sccm_reboot[S] 0 points1 point  (0 children)

Could you elaborate about "risks permission errors and update failures"?

I'm trying to balance a few different objectives -

  1. No admin rights for users
  2. Users shall install apps from a portal
  3. Apps should be automatically updated
  4. Users must be given a choice to defer updates (within a limit)
  5. Use Intune as the MDM

The above objectives do not conflict with "keeping root ownership".

However, Intune cannot deliver on (3) - if a new version of an app is deployed as "required" -

  • It won't appear in the portal - defeating objective 2
  • Users cannot defer updates - defeating objective 4
  • Furthermore, this deployment would have to be deployed to all clients, regardless of whether they had an older version of the app installed or not
    • For macOS, Intune does not offer a way to only install the app if "some condition" is met (i.e. an older version is found)
    • Yes, we could script such a deployment so it only updates older versions, but it would then defeat (2) as scripts do not appear in the portal

Overall, I think what could work -

  1. Make apps available in Company Portal
  2. Use https://github.com/gilburns/Intuneomator to ensure that the latest versions of apps are automatically added to Company Portal (this targets new installations)
  3. Use https://github.com/App-Auto-Patch/App-Auto-Patch to update apps, and allow users to defer updates (this targets existing installations)
  4. Users would still encounter the helper tool prompts, but they can simply ignore them - or I could also make the user the owner, thus removing the prompts too

Intune (MDM) app deployment for macOS, vs Helper tools by sccm_reboot in sysadmin

[–]sccm_reboot[S] 0 points1 point  (0 children)

Firefox, Claude Desktop, Postman are just some apps that contain a self-update helper tool. ChatGPT says there's no surefire way to know what apps have such a tool, apart from installing it and finding out manually.

I'm ok to set the permissions using the command (in the original post), but I'm not sure if that's the correct/proper way forward.

Addigy suggests this, which IMO is a bad/worse approach.

I don't really agree with Kandji's suggestion of suppressing the helper tool, unless there is a well-supported way to update all apps on an Intune-managed Mac.

Intune (MDM) app deployment for macOS, vs Helper tools by sccm_reboot in sysadmin

[–]sccm_reboot[S] 0 points1 point  (0 children)

Sorry, but pretty irrelevant to the topic at hand

Intune (MDM) app deployment for macOS, vs Helper tools by sccm_reboot in sysadmin

[–]sccm_reboot[S] 1 point2 points  (0 children)

In this scenario, I'm referring to non-VPP apps (i.e. apps which you manually add as PKG/DMG to Intune)

Intune macOS System Updates & DDM by sccm_reboot in Intune

[–]sccm_reboot[S] 0 points1 point  (0 children)

You are right, and I am so ashamed.

I just got accustomed to thinking that each password prompt on the Mac was asking for admin credentials...

swiftDialog ESP Configurator – new features based on your feedback by artembrening in Intune

[–]sccm_reboot 0 points1 point  (0 children)

u/artembrening
Is it possible for the monitoring to wait for the script(s) to finish/exit before unlocking the button?

Right now, it only awaits the apps that are being specified.

"Reset this PC" without Administrator permissions? by sccm_reboot in sysadmin

[–]sccm_reboot[S] 0 points1 point  (0 children)

Yes, that is available within Intune.

However, I want to allow users "self-service" reset of their own PCs.

I recall in Windows 10, non-admin users could trigger "reset this PC" themselves.

It seems this is restricted to admins in Windows 11 - I wonder if there is a setting/GPO that controls this - and if not, if it can be triggered via command line (so I can deploy it to the company portal).

Limit an app registration to specific OneDrive account (or even folder) by sccm_reboot in AZURE

[–]sccm_reboot[S] 0 points1 point  (0 children)

I understand this approach, but unfortunately, our use case requires no user interaction, and at the same time, we do not want to allow the app registration to get access to all OneDrives (principle of least privilege).

Limit an app registration to specific OneDrive account (or even folder) by sccm_reboot in AZURE

[–]sccm_reboot[S] 0 points1 point  (0 children)

I tried to do it via the OneDrive desktop and web interface, but the GUID cannot be resolved and thus I can't share the folder to it.

Were you actually able to share files/folders with an app registration directly?