2023E05 - ABM and macOS provisioning (I.T)

I love this reboot series! Thanks for the tips and walkthrough, it's super helpful. I'm looking forward to more videos about this topic!

Perfect timing for me. I am provisioning my first MAC OS devices this week via inTune.

Thanks for all the training you guys are providing. This is amazing!

I switched to mac and can't wait to see more.

Very helpful thank you!

Looking forward to part two of this.

Its under the apple enrolment token because you can have multiple tokens for devices. So it's associated to the enrolment token

Miss yall. I like having the devices by program token divided up because there are cases where you might have multiple tokens and you can see what devices are associated with what tokens. Using the alias in the shell script would also make it so you don't have to update the shell script if something changes in it. It will always use the redirect link to the latest published version of the script. Like someone else mentioned, if you do the #! /bin/bash for the first line, it will upload fine but I haven't tested it pushed out.

I managed to get all the pre-requisites and currently prior to starting the MacBook I don't get a pop-up showing remote management and as per your instructions of rebooting, I could. I am sure many experienced this.
Now I want to restrict many other things like erasing all data, adding apple ID etc..

Great to see you guys are updating your content. Can I add to the idea box to add videos of the new intune macos management features. Items like: platform sso, local account creation, macos updates with DDM. Keep up the great work.

Keep in mind when deciding “show/hide” when configuring the enrollment profile, it’s just to show or hide those options during the apple setup assistant. The user can still manually configure and set those options once they get passed the apple setup assistant. 👍🏼

Yeah, I'm keen for a video on Platform SSO too.

A locked enrollment from memory will prevent the removal of the management profile only after a 30 day period.
Attempts to remove the profile within that 30 day period would generally succeed - At least that is how the locked enrollment behaves on iOS and iPadOS.

Discovered that we needed to edit the Local MAC account's username to match the AD username in order to get LDAP synced services to "match".

The file you uploaded was just a line. So it didn't include the shebang at the start of the script file before uploading so it was telling you. (Macadmin here haha)

Hello Guys, Thank you for clear explanation, Is the group you added for assignment of Appa & Scripts, is it dynamic group or manually you added mac to that "License" group? One more question can we add UTM Virtual mac to ABM?

I just created all this for my company, my two tests macOS devices I had to bring into ABM through using my phone and apple configurator 2 app.............. I have the enrollment profile setting set for lockdown, however the device is still not greyed out and allows the deletion of the management profile under settings. Is this because the devices need to be registered inside of ABM for 30 days first? thanks!

The biggest reason I think to block the Apple ID until you've pushed a provisioning profile is so you can disable the ability for a user's personal Apple ID to put on a Activation Lock. We let users sign in with Apple ID but it won't happen til after the OOBE and we have blocked the Find My locks

I think I saw somewhere that macOS company portal will be moved to a web portal due to the time it takes for them to get an app through apples approval processes

8:53 - yeah create a dist list for this is good except for the 2FA code bit. I used to do a twilio number to get codes and then script them to the dist list, but more of these 2FA services are now blocking obvious VOIP numbers for verification codes :-(

Can you do a video on how to register without user affinity?

Hi Intune Training
You can you handle changing password in MacOS account with AD account
is there solution for that

AppleID is a big question as you didn’t discussed about Managed AppleID. Platform SSO is another one

How are you differentiating between Company devices and BYOD devices? Do you have a video summarizing the need to manage both corporate devices (fully) and personal BYOD devices (partially)?

BTW you video is really helpful
Please answer my below question if you have an answer of
if you didn't happen to understand my question
Let me explain again
How user will change the password
Like in window CTRL + Alt + Delete change password Boom
Password changed in login password and AD password as well.
How can I handle this behavior in macOS

You're talking about platform sso.. but that's not supposed to be a just in time account creation. You still need a form of making an account first

I don't quite understand MDM user scope and MAM user scope. Do you just have to use that if you want to work with scopes? We just use groups never used scopes for anything.

Anyone know how to give the user more notice when forcing macOS updates without a 3rd party tool?

Why do you already have device in the Apple Business account?

@7:06 I just wanted to yell WAIT STOP, THERE IS A RENEW BUTTON

Strange that the Company Portal worked, because when you interrupted the recording, it was not assigned to anyone...

for the single line command to work you just needed to add shebang at the start of the script. I tried posting full scrip but my comment got removed.
shebang is this line below
#!/bin/sh