MacOS Limitations with Intune Enrolment and Conditional Access

Summary

This article summarizes current limitations affecting macOS devices when it comes to Intune enrolment and conditional access.

Shared University Devices

While it is possible to enroll a macOS device without user affinity (shared device), this scenario is not supported by Microsoft for users assigned a conditional access policy that requires a compliant device to access University apps and data. This applies to shared devices enrolled using Direct Enrolment (DE) as well as Automated Device Enrolment (ADE), with or without Platform SSO (PSSO) enabled for the user. Any user of such a shared device will be unable to get past the conditional access validation stage while attempting to access University apps and data. A message will appear asking to "Set up your device to get access" even though the device is already enrolled in Intune by the primary user. This is working as intended by Microsoft, because conditional access is currently not supported on devices enrolled in Intune without user affinity.

As a workaround, if the device meets the requirements of PSSO, it can be enrolled using ADE with user affinity (primary-user scenario); additional users of the device will then be able to get past the conditional access validation stage while attempting to access University apps and data.

Personal Devices (BYOD)

Personal macOS devices can be enrolled in Intune using the Company Portal app for the primary-user scenario (with user affinity). However, only the primary user of the device will be able to access University apps and data protected by conditional access. If there is a second local account on the device that belongs to another employee of the University, that user will be unable to get past the conditional access validation stage while attempting to access University apps and data. A message will appear asking to "Set up your device to get access" even though the device is already enrolled in Intune by the primary user. This is working as intended by Microsoft, because this scenario is currently not supported.

Details

Article ID: 151435
Created
Tue 8/27/24 11:40 AM
Modified
Tue 8/27/24 12:07 PM

Related Articles

In order for your Apple macOS computer to be deemed as compliant, it must meet a number of requirements. Non-compliant devices will not be able to access most of University systems and data.