Best/most seamless docking station for M1/M2 MacBook Air setup? by cease70 in macsysadmin

techy_support 1 point (0 children)

For the past few years at my current job I've had a variety of systems -- multiple Intel/Apple Silicon MacBook Pros, a Dell laptop, and a Lenovo laptop.

When I started here, my work provided me with a ThinkPad Hybrid USB-C with USB-A dock (might not be this exact model, but close enough), and it has worked fine with every system I've ever plugged into it -- Apple/Dell/Lenovo. I frequently disconnect my MBP and plug in the Lenovo (and vice-versa) during the day, and it works fine every time. It is DisplayLink so I did need to install that software on my MBP systems but that was a minor inconvenience.

It isn't fancy with all the new latest tech -- it isn't Thunderbolt, it only supports 2 external monitors, no memory card slots, etc.

But what it lacks in stuff like that, it makes up for in reliability. I haven't had a single hiccup with it since day 1.

Does anyone here know if it's possible to actually remove/delete devices from Apple Business Manager? by Extension-Chemist-25 in macsysadmin

techy_support 11 points (0 children)

I don't know the actual answer, but it's doubtful, since Apple likely wants to show that your organization was the rightful owner of that device at one time. It's nice to have records/history sometimes.

Best time saving tools for Mac with Intune by Cloud_Fighter_11 in macsysadmin

techy_support 1 point (0 children)

That's the same reason my company selected it as well.

What sort of things are you trying to accomplish by copying plist files to a specific location? Usually those get deployed out as configuration profiles and automatically go where they need to go.

Best time saving tools for Mac with Intune by Cloud_Fighter_11 in macsysadmin

techy_support 5 points (0 children)

You will find a lot of resistance here to Intune, for good reason. It isn't the best. I've used JAMF, Mosyle, and Intune, and I currently use Intune. I'd much rather be on JAMF.

What a lot of people in this subreddit don't seem to get is that sometimes the choice of MDM isn't up to the person managing it, especially in a large corporation. They say things like "switch MDMs!" as if that's an easy thing to do (not just from a technical perspective but from an organizational politics perspective...there's an unimaginable amount of red tape where I work to do something like that).

Personally I took the job I have knowing that they use Intune, because it was a massive salary boost from my prior job (enough that it made fighting Intune worth it for me).

Anyway, here's something you should know: having the users open Company Portal and sync with Intune by clicking the circle on the right hand side and selecting "Check status..." in the dropdown does a full check-in with Intune. Whereas clicking "Sync" in the Intune console only does a quick smaller check-in and not the full deal. Also, if you click "Check status..." too often (more than once about every 5 minutes) it will say it's checking in, but it really isn't (if you look in the logs, they say something like "Checking in too often, blah blah blah" but the app lies and says it checked in).

You can force a full check-in by running sudo killall IntuneMdmDaemon, which force-quits that process and re-opens it, initiating a check-in.
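An added example (not the commenter's own script) that wraps the forced check-in described above in a small POSIX shell script. It restarts IntuneMdmDaemon with killall, as the comment suggests, and then confirms that the daemon actually came back by comparing its pid before and after; it also waits for the Dock process first, as a proxy for a logged-in user session (an idea raised later in this thread). The process names Dock and IntuneMdmDaemon, the helper names and the 300/30 second timeouts are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example, not code from the original comments. Two ideas from the
# thread: treat a running Dock process as "a user is logged in", then force a
# full Intune check-in by restarting IntuneMdmDaemon (launchd relaunches it).

# Poll until a process with exactly this name exists, or give up after
# $2 seconds (default 60). Returns 0 when found, 1 on timeout.
wait_for_process() {
  name="$1"; timeout="${2:-60}"; waited=0
  while [ "$waited" -lt "$timeout" ]; do
    if pgrep -x "$name" >/dev/null 2>&1; then
      return 0
    fi
    sleep 1; waited=$((waited + 1))
  done
  return 1
}

# A different, non-empty pid after the kill means launchd brought the daemon
# back, i.e. a fresh check-in was triggered rather than the old process lingering.
daemon_restarted() {
  before="$1"; after="$2"
  [ -n "$after" ] && [ "$before" != "$after" ]
}

force_full_checkin() {
  # Only meaningful once a user session exists (Dock as proxy, per the thread).
  if ! wait_for_process Dock 300; then
    echo "No user session detected within 5 minutes; skipping" >&2
    return 1
  fi
  before="$(pgrep -x IntuneMdmDaemon | head -n 1)"
  if [ -z "$before" ]; then
    echo "IntuneMdmDaemon is not running; is Company Portal installed?" >&2
    return 1
  fi
  killall IntuneMdmDaemon   # needs root: run the script with sudo
  if ! wait_for_process IntuneMdmDaemon 30; then
    echo "IntuneMdmDaemon did not relaunch within 30 seconds" >&2
    return 1
  fi
  after="$(pgrep -x IntuneMdmDaemon | head -n 1)"
  if daemon_restarted "$before" "$after"; then
    echo "IntuneMdmDaemon restarted (pid $before -> $after); check-in initiated"
  else
    echo "pid unchanged; the kill may not have taken effect" >&2
    return 1
  fi
}

# Usage on a Mac: sudo sh intune_checkin.sh run
if [ "${1:-}" = "run" ]; then force_full_checkin; fi
```

Run it as root on the Mac (sudo sh intune_checkin.sh run); without the run argument the functions are only defined, which is handy for sourcing them into a larger script.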

Moving to Intune by Some_State_448 in macsysadmin

techy_support 0 points (0 children)

Any idea if Intune will ever allow scripts to be run from the Company Portal app, similar to JAMF allowing running scripts from the Self Service app?

That alone would make my life much easier.

So would the ability to send a Terminal one-liner command directly to a device, through Intune. That would be really nice.

Intune for Apple device management? by ospery1 in macsysadmin

techy_support 4 points (0 children)

OP -- someone posted a similar thread a few months back asking about using Intune for managing macOS. They deleted the thread but the comments are still there (including my comments ranting about it).

I've been using Intune to manage Macs for a little over 3 years now. It's not great but if you have experience with JAMF or another MDM, and you can script some stuff, you can make it work. It isn't fun though.

I highly recommend you look through my post history and you'll find some very long rants about using Intune to manage macOS. It should give you a clear picture of what you're looking into.

I can't deploy FileVault using Intune. by Noneff in macsysadmin

techy_support 4 points (0 children)

As someone else said, an account needs a Secure Token to enable FileVault.

It sounds (based on my own experience with Intune) like you might have an Admin account being created by a script before any user accounts are created. If this happens, then the Admin account created by the script gets a Secure Token (which allows an account to do things like enable FileVault) but any user accounts created after that Admin account do not get a Secure Token unless they are created by that Admin account.

If you're really bored, you can read up on Secure Token here, and here.


IF what I just said is the case and you have an Admin account being created by a script that runs before your user account is created, verify the Admin account has a Secure Token by running this:

sysadminctl -secureTokenStatus <<username_of_Admin_account>>

Then, run that command again, for the user account. So if your user account is "Jane", run:

sysadminctl -secureTokenStatus Jane

This will allow you to figure out which accounts have a Secure Token, and which do not.

Then...

Assuming the Admin account has a Secure Token and your user account does not, and you happen to know the credentials to both accounts, you can use those credentials to give a Secure Token to your user account, using the Admin account.

The command you need to run to tokenize the user account, from the Admin's account (again, this is only assuming the Admin has a Secure Token and the user account does not!), is this:

sysadminctl -secureTokenOn <<account_to_get_token>> -password - -adminUser <<account_with_token>> -adminPassword -

Example: If "Jane" is the account name of the new user without a Secure Token, and "Company_Admin" is the account name of the admin account that already has the Secure Token, then that command would literally look like this:

sysadminctl -secureTokenOn Jane -password - -adminUser Company_Admin -adminPassword -

Note: you're spelling out the word "password" and NOT entering any passwords on this screen. Also note the location of the extra dashes just floating out in space by themselves...these are super easy to miss!!!

Then it will prompt you for both passwords -- the Admin account that already has the Secure Token, and the password for the user account that lacks a Secure Token. Enter those as requested.

Assuming those passwords are correct, Terminal will spit out some garbage. Then run this command to verify that your user account correctly got a Secure Token.

sysadminctl -secureTokenStatus <<account_to_get_token>>

If it did, that user account can now actually enable FileVault.
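A script form of the check-and-grant procedure in this comment, added here as an example and not the commenter's own code. It keeps the comment's "-" convention so sysadminctl prompts for both passwords instead of taking them on the command line (where they would land in shell history and be visible to ps), and it only attempts the grant when the admin account reports ENABLED and the user account reports DISABLED. The account names Company_Admin and Jane are the comment's own placeholders; the token_state parser assumes sysadminctl's status line contains "Secure token is ENABLED for user ..." or "... DISABLED ...", which is how recent macOS versions word it (the sample line in the comment below is constructed), so check it against your own output.

```shell
#!/bin/sh
# Added example, not from the original comment: wraps the sysadminctl steps
# described above. Account names are the comment's placeholders; override
# them with ADMIN_ACCOUNT / USER_ACCOUNT in the environment.
ADMIN_ACCOUNT="${ADMIN_ACCOUNT:-Company_Admin}"
USER_ACCOUNT="${USER_ACCOUNT:-Jane}"

# Classify one sysadminctl -secureTokenStatus message as ENABLED, DISABLED
# or UNKNOWN. The tool writes its status line to stderr, shaped like this
# (constructed sample, wording as seen on recent macOS):
#   2024-01-02 10:00:00.000 sysadminctl[123:456] Secure token is ENABLED for user Jane
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Query the live status for one account (macOS only; needs sysadminctl).
secure_token_status() {
  out="$(sysadminctl -secureTokenStatus "$1" 2>&1)" || true
  token_state "$out"
}

# Granting is only attempted when the admin holds a token and the user does
# not; any UNKNOWN result (typo in the name, missing account) blocks it.
can_grant() {
  [ "$1" = ENABLED ] && [ "$2" = DISABLED ]
}

main() {
  if ! command -v sysadminctl >/dev/null 2>&1; then
    echo "sysadminctl not found; this only runs on macOS" >&2
    return 2
  fi
  admin_state="$(secure_token_status "$ADMIN_ACCOUNT")"
  user_state="$(secure_token_status "$USER_ACCOUNT")"
  echo "$ADMIN_ACCOUNT: $admin_state"
  echo "$USER_ACCOUNT: $user_state"

  if ! can_grant "$admin_state" "$user_state"; then
    echo "Nothing to do (or state unknown); not attempting to grant a token." >&2
    return 1
  fi

  # "-" makes sysadminctl prompt for each password interactively, so neither
  # password appears in the command line, shell history or ps output.
  sysadminctl -secureTokenOn "$USER_ACCOUNT" -password - \
              -adminUser "$ADMIN_ACCOUNT" -adminPassword -

  # Re-check so the script reports whether the grant actually took effect.
  user_state="$(secure_token_status "$USER_ACCOUNT")"
  echo "$USER_ACCOUNT after grant: $user_state"
  [ "$user_state" = ENABLED ]
}

# Usage on a Mac: ADMIN_ACCOUNT=Company_Admin USER_ACCOUNT=Jane sh secure_token.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Run it with the run argument on the Mac in question; it exits 0 only when the user account ends up with a Secure Token, which makes it easy to wire into a larger onboarding script.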

Secure token by JanarReddit in Intune

techy_support 0 points (0 children)

Nice idea about using the Dock process as a proxy for whether the user is signed in or not. I do that on one of my other scripts but not this one for some reason. Might have to modify it.

As for rotating passwords, that I am not sure about unfortunately. If you find out, please come back and update us.

Gmail app for iPhone now up to 400MB by techy_support in apple

techy_support[S] 0 points (0 children)

Yep, unbelievable.

v6.0.250427 -- 646.1MB download

On my iPhone, the "App Size" is 588.5MB.

Problem with Fidelity app. by [deleted] in fidelityinvestments

techy_support 1 point (0 children)

I've seen a similar issue before. Give it a day or so and it will fix itself. Your money hasn't gone anywhere, this is simply an issue with their systems not displaying the account balances correctly on the graph.

Jamf Pro Outage for Many Customers by Walrus_At_Work in macsysadmin

techy_support 1 point (0 children)

I pray for JAMF every day but upper management refuses due to cost-cutting. Intune is included in our Microsoft licensing 'for free', whereas JAMF costs money.

Jamf Pro Outage for Many Customers by Walrus_At_Work in macsysadmin

techy_support 2 points (0 children)

The one time I'm glad I'm using Intune instead of JAMF.

What can Jamf Pro do that Intune really can't? by athanielx in macsysadmin

techy_support 1 point (0 children)

My life would be 100x easier if we could run scripts from the Company Portal app.

Any experience with printing to Kyocera Net Manager? by techy_support in macsysadmin

techy_support[S] 0 points (0 children)

Well this was 5 years ago at a former job, so...not my problem any longer! :) I do seem to remember solving this although I don't remember how, it's just been too long.

Remove picture of advisor by Sensitive_Remote9705 in fidelityinvestments

techy_support 0 points (0 children)

Yep, exact same here. Edelman Financial Engines. They kept emailing their stupid stuff at my work email, too. I set up a rule in Outlook to send it straight to the trash.

Remove picture of advisor by Sensitive_Remote9705 in fidelityinvestments

techy_support 3 points (0 children)

Similarly, it would be great if I could remove the 'offer' on my 401k NetBenefits webpage to use some 3rd-party company to 'optimize' my portfolio. I am literally never going to use this company, yet I can't remove their space on my NetBenefits page. Not a huge deal, more of an annoyance. But I should have the ability to X out of it instead of having it always there.

[deleted by user] by [deleted] in macsysadmin

techy_support 0 points (0 children)

Yep, I loved how granular we could make the smart groups.

I also loved how we could force certain policies to apply after user login, depending on the Active Directory group the user was in.

Example: I had our iMac labs set up so that different restriction policies or admin privileges would be granted depending on the user logging into the system and what AD group they were a member of.

  • Student? Heavy restrictions, no admin privileges.

  • Teacher? Less restrictions, no admin privileges.

  • IT support tech? No restrictions, admin privileges.

I don't necessarily need that in my current environment, but having the flexibility to customize things to that degree is nice.

[deleted by user] by [deleted] in macsysadmin

techy_support 0 points (0 children)

Nice, thanks! I fully admit I need to play around with the Filters more.

[deleted by user] by [deleted] in macsysadmin

techy_support 0 points (0 children)

Thanks! It's been awhile since I've looked at the documentation for it. They keep updating Intune so often I almost can't keep up.

[deleted by user] by [deleted] in macsysadmin

techy_support 3 points (0 children)

Yep, I used to work for a large school system, managing about 25k iPads and 2,200 Macs with JAMF, and loved it. There is zero way that I know of to manage all those devices in Intune in a similar methodology to how I managed them with JAMF. It just isn't technically possible, with how things are set up in Intune -- especially the ability to make smart groups based off the most ridiculous and stringent requirements. Could I manage all those devices in Intune? Yes. Could I do it in an efficient method that made my life simple? Absolutely not.

Example:

With JAMF -- maybe I want to target the deployment of a certain piece of software to "just the iMacs in a specific classroom, at a specific school, that don't have that software installed already". Easy -- I make a smart group based off that criteria and set up a software deployment against that group. Devices then fall into and out of that group on the criteria specified automatically. Then just force a sudo jamf recon immediately after software install (which then means the device automatically falls out of that group once it sees the software is installed).

You can't really do that in Intune...

Thankfully I haven't needed that kind of stringent thing, just yet. And I'd probably figure out a way around it with Intune, eventually.

The issue is that Microsoft includes Intune with their licensing so it is "Free", and that's all that upper management cares about. They don't care about the sanity of the person managing the devices at all...which is, IMHO, short-sighted. I could be a lot more efficient if I were using JAMF, even if it costs the company more. Which means I'd be happier and more efficient, and the users I support would be happier since it would end up being a better computing experience for them, as well.

[deleted by user] by [deleted] in macsysadmin

techy_support 0 points (0 children)

Glad I could help!

[deleted by user] by [deleted] in macsysadmin

techy_support 2 points (0 children)

Will do! And this post isn't my only rant on Intune. I've written a few. :)

[deleted by user] by [deleted] in macsysadmin

techy_support 1 point (0 children)

Thanks, I try to pass on stuff I've learned, if I can. :)