Microsoft Enterprise SSO Prompts to Enroll in Intune

McAwesome
Valued Contributor

We're currently testing out the Microsoft Enterprise SSO plug-in (without Platform SSO) for macOS and have run into an odd problem.  Everything works perfectly, but if the user opens the Company Portal application it tries to get them to enroll the device into Intune.  This makes for an awkward scenario where the user is guided to download the Intune management config, see it fail to install, and then back out until they can say "Postpone."  Not a great experience, and telling people to just not open the app doesn't really work at scale.  Is there any way to suppress this Intune enrollment prompt from the Company Portal app when we deploy it for the Microsoft Enterprise SSO?

 

NOTE: We're not currently using Intune for device management outside some testing, and we do not have Device Compliance integration set up just yet. It's on our roadmap, but hasn't been a high priority.  We can probably move it up if it is an assumed prereq for the Microsoft Enterprise SSO plugin.


wakco
Contributor III

I'm still testing as well, but I had thought about that (we are not using Intune for Macs either), so I set up a couple of restrictions in Restricted Software, one with a message for users, one without (for lab Macs). Here is a screenshot of the one with...

Screenshot 2024-03-21 at 12.53.30.png

That should allow the Microsoft SSO Extension to continue to work, while blocking people from opening the Company Portal app.

AJPinto
Honored Contributor III

This is a good idea, I am going to steal this lol. Thanks!

husnudagidir
Contributor

Hi,

 

Is this feature ready for active use now? Is there anyone using it? Is it currently possible to log in to macOS devices with Azure ID? Is there any documentation on how to do this?

Officially, no, it just entered Public Preview, yesterday.

I have been testing it though, and yes, configured correctly it can enable logging into macOS with an Entra ID (formerly Azure AD) account.

Yes, there is documentation that has been provided through the #microsoft-entra and #platform-sso channels on the MacAdmins Slack. I’ll try to paste them here shortly.

wakco
Contributor III

https://techcommunity.microsoft.com/t5/microsoft-entra-blog/platform-sso-for-macos-now-in-public-pre...
https://learn.microsoft.com/en-us/mem/intune/configuration/platform-sso-macos
These are probably a good start, but allow me to remind you that it is a Public Preview, and it is not recommended to be pushing it out to all of your managed Macs yet; just concentrate on testing and working out how it might best fit in your environment. Microsoft currently have the official release slated for January 2025, but this can be checked here:

https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=383952

Hi,

 

I will look at the documents. However, there is a question that comes to my mind. While using Jamf Connect, it directly asked me for my login ID and created a local user based on this. Is there a similar process in the process here? Will it be necessary to use a configuration profile as well?

Yes, config. profile is required.

Hi,

 

I made the necessary configurations. However, I cannot pass the screen that asks for my entry ID. Even though I entered my information correctly, it remains on this screen. Has anyone experienced this or know a solution?

Cursor_and_Notification_Center.png

I haven't had the issue myself, but I see everyone mentioning something about compliance and MFA, so you may want to check out the Microsoft Mac Admins LinkedIn group, or the Mac Admins channels #microsoft-entra or #platform-sso.