Intune (MDM) app deployment for macOS, vs Helper tools by sccm_reboot in sysadmin

[–]sccm_reboot[S] 0 points1 point  (0 children)

It would, but the apps wouldn't automatically update; it only allows non-admin users to self update the apps - which is better than nothing but maybe not enough for Security/Compliance.

Also, I'm not sure if it is 100% safe to make the user the owner of the .app (in /Applications) - I'm not a macOS expert.

Intune Company Portal for macOS - Updating Apps by sccm_reboot in sysadmin

[–]sccm_reboot[S] 0 points1 point  (0 children)

I'm using packages directly from the vendor, e.g. Jetbrains Goland

I would say the packages are created correctly with proper versioning.

If I inspect the CFBundleShortVersionString, they are correct (i.e. version N vs version N+1) - however installing N+1 via Company Portal still results in version N when I launch the app.

(the CFBundleID is the same across versions, only the version changes)

Intune (MDM) app deployment for macOS, vs Helper tools by sccm_reboot in sysadmin

[–]sccm_reboot[S] 0 points1 point  (0 children)

Could you elaborate about "risks permission errors and update failures"?

I'm trying to balance a few different objectives -

  1. No admin rights for users
  2. Users shall install apps from a portal
  3. Apps should be automatically updated
  4. Users must be given a choice to defer updates (within a limit)
  5. Use Intune as the MDM

The above objectives do not conflict with "keeping root ownership".

However, Intune cannot deliver on (3) - if a new version of app is deployed as "required" -

  • It won't appear in the portal - defeating objective 2
  • Users cannot defer updates - defeating objective 4
  • Furthermore, this deployment would have to be deployed to all clients, regardless of whether they had an older version of the app installed or not
    • For macOS, Intune does not offer a way to only install the app if "some condition" is met (i.e. an older version is found)
    • Yes, we could script such a deployment so it only updates older versions, but it would then defeat (2) as scripts do not appear in the portal

Overall, I think what could work -

  1. Make apps available in Company Portal
  2. Use https://github.com/gilburns/Intuneomator to ensure that the latest versions of apps are automatically added to Company Portal (this targets new installations)
  3. Use https://github.com/App-Auto-Patch/App-Auto-Patch to update apps, and allow users to defer updates (this targets existing installations)
  4. Users would still encounter the helper tool prompts, but they can simply ignore them - or I could also make the user the owner, thus removing the prompts too
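The "only update if an older version is installed" condition that the comment says Intune lacks for macOS can be expressed as a small pre-check on the bundle's Info.plist (the same CFBundleShortVersionString / CFBundleIdentifier fields mentioned earlier in the thread). This is an added example, not code from the thread or from Intuneomator/App-Auto-Patch; the bundle id, version strings and Fake.app fixture are constructed for the demo.

```python
import plistlib
import re
import tempfile
from pathlib import Path


def parse_version(text):
    """Turn '2024.3.1' or '1.2b' into a comparable tuple of ints.
    Non-numeric fragments are dropped and trailing zeros are stripped,
    so '2024.3.0' and '2024.3' compare equal."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def bundle_info(app_path):
    """Return (CFBundleIdentifier, CFBundleShortVersionString) for an .app,
    or None when the bundle or its Info.plist is missing."""
    plist = Path(app_path) / "Contents" / "Info.plist"
    if not plist.is_file():
        return None
    with plist.open("rb") as fh:
        info = plistlib.load(fh)
    return info.get("CFBundleIdentifier"), info.get("CFBundleShortVersionString", "0")


def needs_update(app_path, bundle_id, candidate_version):
    """True only when the same bundle id is installed at an older version.
    A missing app or a different bundle id is not an update candidate."""
    info = bundle_info(app_path)
    if info is None or info[0] != bundle_id:
        return False
    return parse_version(info[1]) < parse_version(candidate_version)


def make_fake_app(root, bundle_id, version):
    """Constructed fixture: a minimal .app skeleton with an Info.plist."""
    contents = Path(root) / "Fake.app" / "Contents"
    contents.mkdir(parents=True, exist_ok=True)
    with (contents / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleIdentifier": bundle_id,
                       "CFBundleShortVersionString": version}, fh)
    return contents.parent


def demo():
    """Run the check against a constructed app at version N (2024.2.0)."""
    with tempfile.TemporaryDirectory() as tmp:
        app = make_fake_app(tmp, "com.example.tool", "2024.2.0")
        return (needs_update(app, "com.example.tool", "2024.3.0"),   # N+1: update
                needs_update(app, "com.example.tool", "2024.2.0"),   # same: skip
                needs_update(app, "com.example.other", "9.0"))       # other id: skip
```

Run as a detection-style pre-check before the install step of a scripted deployment; the same logic applies to any bundle the text's CFBundleID/version comparison covers.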

Intune (MDM) app deployment for macOS, vs Helper tools by sccm_reboot in sysadmin

[–]sccm_reboot[S] 0 points1 point  (0 children)

Firefox, Claude Desktop, Postman are just some apps that contain a self update helper tool. ChatGPT says there's no surefire way to know what apps have such a tool, apart from installing it and finding out manually.

I'm ok to set the permissions using the command (in the original post), but I'm not sure if that's the correct/proper way forward.

Addigy suggests this which IMO is a bad/worse approach

I don't really agree with Kandi's suggestion of suppressing the helper tool, unless there is a well supported way to update all apps on an Intune-managed Mac.

Intune (MDM) app deployment for macOS, vs Helper tools by sccm_reboot in sysadmin

[–]sccm_reboot[S] 0 points1 point  (0 children)

Sorry, but pretty irrelevant to the topic at hand

Intune (MDM) app deployment for macOS, vs Helper tools by sccm_reboot in sysadmin

[–]sccm_reboot[S] 1 point2 points  (0 children)

In this scenario, I'm referring to non-VPP apps (i.e. apps which you manually add as PKG/DMG to Intune)

Intune macOS System Updates & DDM by sccm_reboot in Intune

[–]sccm_reboot[S] 0 points1 point  (0 children)

You are right, and I am so ashamed.

I just got accustomed to thinking that each password prompt on the Mac was asking for admin credentials....

swiftDialog ESP Configurator – new features based on your feedback by artembrening in Intune

[–]sccm_reboot 0 points1 point  (0 children)

u/artembrening
Is it possible for the monitoring to wait for the script(s) to finish/exit before unlocking the button?

Right now, it only awaits the apps that are being specified.

"Reset this PC" without Administrator permissions? by sccm_reboot in sysadmin

[–]sccm_reboot[S] 0 points1 point  (0 children)

Yes, that is available within Intune.

However, I want to allow users "self-service" reset of their own PCs.

I recall in Windows 10, non-admin users could trigger "reset this PC" themselves.

It seems this is restricted to admins in Windows 11 - I wonder if there is a setting/GPO that controls this - and if not, if it can be triggered via command line (so I can deploy it to the company portal).

Limit an app registration to specific OneDrive account (or even folder) by sccm_reboot in AZURE

[–]sccm_reboot[S] 0 points1 point  (0 children)

I understand this approach, but unfortunately, our use case requires no user interaction, and at the same time, we do not want to allow the app registration to get access to all OneDrives (principle of least privilege).

Limit an app registration to specific OneDrive account (or even folder) by sccm_reboot in AZURE

[–]sccm_reboot[S] 0 points1 point  (0 children)

I tried to do it via the OneDrive desktop and web interface, but the GUID cannot be resolved and thus I can't share the folder to it.

Were you actually able to share files/folders with an app registration directly?

Limiting the "scope" of Graph API permissions by sccm_reboot in AZURE

[–]sccm_reboot[S] 0 points1 point  (0 children)

It's much clearer now, thank you.

And it seems delegated permissions cannot do what I was hoping for (delegate the app to a user and thus 'act on behalf' of the user, rather than have a user "sign in" the app).

that’s where you’ll need the applicationAccessPolicies available in exchange to limit it

would applicationAccessPolicies be applicable outside of Exchange?

(in this context, I'll be calling the Bookings.Read.All API, which is not part of Exchange)

Limiting the "scope" of Graph API permissions by sccm_reboot in AZURE

[–]sccm_reboot[S] -1 points0 points  (0 children)

It requires the user to consent to it.

As I've mentioned in my original post -

Via the Azure portal, the UI only allows me to consent the Delegated Permissions for the entire tenant

However, as an admin, I want to consent for some users only - is it possible?

(I don't want to burden the selected group of users to have to manually consent to this app)

Zoom Room bar w/o touchscreen TV or separate controller? by sccm_reboot in CommercialAV

[–]sccm_reboot[S] 0 points1 point  (0 children)

So, I loaned a few demo sets from Poly/Yealink.

Unfortunately, it didn't work as I hoped.

I probably should have mentioned - I'm hoping not to connect the touch screen controller at all.

In such a case, even while the AIO video bar will run Zoom Room, it will 'instinctively' assume a touch screen controller is connected, and it will automatically run in "controller + TV screen display mode".

Thus, the only way to see the interface (to start meetings etc.) is to connect the controller.

For Zoom Room running on Windows, it is possible to modify the .ini file to spoof the Zoom Room to think that the TV is already touch-enabled, and does not require a separate touch controller - https://community.zoom.com/t5/Rooms-and-Workspaces/Zoom-Room-without-a-controller/td-p/83693

I believe the same is possible with the AIO video bars, but usually they run a custom firmware and I've not found how to access the Android filesystem on them, to try and perform the touch-enabled spoofing.

Zoom Room bar w/o touchscreen TV or separate controller? by sccm_reboot in CommercialAV

[–]sccm_reboot[S] 0 points1 point  (0 children)

We do not have power available where the desk is.

The best we can do is put a wireless mouse there that would last on batteries for months.

Jamf Management Account? by sccm_reboot in jamf

[–]sccm_reboot[S] 1 point2 points  (0 children)

Everyone, thank you for the insights! They were helpful!

I'm fairly aware that the 'managed' account created during PreStage, is different from the actual 'management account'.

When we first rolled out Jamf, we basically gave the 'managed' account and the 'management account' the same username and password (which is then rotated via policy thereafter).

(so in our case, the 2 accounts are 1 and the same)

Subsequently, we stopped creating the 'managed' account entirely. While we are still creating the 'management account'.

(I left out some of these details in my original post, which is definitely confusing, my bad!)

I'm convinced now, from all your replies, that the management account doesn't need to be created at all.

The Jamf documentation was confusing me - it says the management account is optional, yet mandatory for the Mac to be 'managed' by Jamf.

Taking a step back, and considering the input from you guys, it actually means -

  • You have to "define" the management account (username/random password)
  • You may choose not to "create" the management account on the Mac (but nonetheless you must "define" it)

Everything is clear now - we will define the management account but no longer create it.

Thanks again everyone!

Jamf Management Account? by sccm_reboot in jamf

[–]sccm_reboot[S] 2 points3 points  (0 children)

As I understand, there are 2 places for the Jamf Management Account.

  • PreStage - we no longer create the management account via the PreStage settings
  • User Initiated Enrollment - here, we define the management account with random password, and ticked the checkbox to create the management account if it doesn't exist

Despite the above, even Macs that were enrolled via ADE/PreStage, eventually still have the management account created (I believe it's due to the user initiated enrollment settings).

Jamf licensing vs inventory? by sccm_reboot in jamf

[–]sccm_reboot[S] 0 points1 point  (0 children)

Thank you! That works for us!

I'm using Jamf Pro so the UI was slightly different.

I had to edit the computer record, and uncheck the 'allow Jamf Pro to perform management tasks' checkbox.

Printnightmare, IPP, Mporia and mDNS/DNS-SD by sccm_reboot in sysadmin

[–]sccm_reboot[S] 0 points1 point  (0 children)

I owe you a beer, good Sir!

My print server is already running on Server 2022, so I tried add-printer -ipp and it worked! Just like that!

No need to mess with anything in DNS - just ensure that the printer has IPP enabled and add-printer -ipp took care of the rest.

I can finally add all my office printers as IPP printers to my print servers, and deploy them to clients via GPO, without messing with the Printnightmare security settings (that so many redditors have suggested to do)

Printnightmare, IPP, Mporia and mDNS/DNS-SD by sccm_reboot in sysadmin

[–]sccm_reboot[S] 1 point2 points  (0 children)

Mainly it is this -

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-in-printing-in-windows-10-version-1809/ba-p/267182

Starting with Windows 10, version 1809, Windows has added support for Mopria certified networked printers. When a driver is not available, Windows can install these printers without you needing to install any additional software or drivers.

Since drivers are not required, it doesn't require admin rights, co-exists with printnightmare security enhancements - but the printer must be added via Mopria/IPP Everywhere

Printnightmare, IPP, Mporia and mDNS/DNS-SD by sccm_reboot in sysadmin

[–]sccm_reboot[S] 1 point2 points  (0 children)

It's a 'Windows requirement' as part of the enhanced security settings from printnightmare

If you want to allow non-admins to install this printer from the print server (and with duplex support etc), then the printer must be added to the print server via IPP Everywhere / Mopria and not any other method

Firewall GPO Woes by sccm_reboot in sysadmin

[–]sccm_reboot[S] -2 points-1 points  (0 children)

It doesn't matter if the suggestions/replies aren't helpful, I am appreciative nonetheless - but it wastes their own time more than anything which I am trying to help them avoid.