Intune & macOS management - Couldn't add your device. Your IT support doesn't allow OSX devices to be added to management

After creating the Apple MDM push certificate in the Intune portal and testing on a macOS device, installing the Company Portal app, signing in and attempting to enroll produces the error:

"Couldn't add your device.

Your IT support doesn't allow OSX devices to be added to management." 


The first step is to check the Intune portal under Devices - Enrollment - Monitor - Enrollment failures for an entry for the affected user; the failure reason recorded there points at the cause.


In this scenario, the cause was a device platform restriction that was blocking macOS devices from enrolling.

Solution:

Open the Intune portal - Devices - Enrollment - click Apple.

Select Device platform restrictions and switch to the macOS restrictions tab.

An administrator will have created a device restriction earlier that blocks macOS enrollment. If several restrictions exist, open each one in turn and make sure the macOS platform is allowed to enroll. Intune applies the highest-priority restriction assigned to one of the user's groups and falls back to the default restriction otherwise, so check every restriction whose assignment includes the affected user, not just the default.

When you edit a restriction, go to Properties and look under Platform settings to see whether macOS devices are allowed to enroll or blocked.

Linux - Intune portal shows unable to check status



After installing the Intune app and signing in to register the device, the app shows an "Unable to check status" error, and clicking Retry does nothing. In the Intune portal the device appears as registered, but its compliance state shows as Not evaluated.

Solution:

  1. Remove the device entry from Intune.
  2. On the client, open a terminal and run: sudo apt remove intune-portal && sudo apt purge intune-portal
  3. Remove the per-user Intune state with: sudo rm -rf /home/[username]/.config/intune (use -rf so the command works whether the path is a file or a directory)

Restart the machine and reinstall the Intune app. After the device registers again it should report compliant/non-compliant status.

Intune - Linux Password & Custom compliance policies

Microsoft has recently released Linux support in Intune with device enrollment and compliance policies.

To know more about enrollment check here - https://sccmentor.com/2022/10/19/first-steps-into-linux-management-via-microsoft-intune/

To understand the commands that are used to install Intune portal check here - https://joymalya.com/linux-management-with-microsoft-intune/

In this blog, I will cover how to create password and custom compliance policies and what needs to be done on the client to mark the device as compliant.

Password complexity:

When password complexity requirements are enforced, devices with weak passwords are marked as non-compliant in Intune. To resolve this issue, you need to change your device password so that it meets organization’s requirements for length and quality.

  • Intune evaluates the Linux password policy against the pam_pwquality configuration on the client machine.

  • Install the pwquality PAM module by running the following in the client terminal: sudo apt install libpam-pwquality

Next, check the pam_pwquality line in /etc/pam.d/common-password. Its options must match the password compliance policy set in Intune; for a policy of at least 8 characters containing a digit, a symbol, an uppercase and a lowercase letter, the line should contain at least:

password requisite pam_pwquality.so retry=3 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=-1 minlen=8

A negative credit value (dcredit=-1 and so on) means the password must contain at least that many characters of that class; a positive value is only a length bonus and enforces nothing, so it will not satisfy the policy.


Example common-password file:


If /etc/pam.d/common-password is not edited to match the Intune policy requirement, the machine reports as non-compliant. Options on the PAM line take precedence over /etc/security/pwquality.conf, so a correct line is sufficient; pam-auth-update manages this file, so re-check the line after PAM packages are updated or reconfigured.
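As an added example (not from the original post) of checking that line before Intune evaluates it, the following POSIX sh script reads the pam_pwquality line from a PAM password stack file and reports which of the policy's minimums (minlen 8 and at least one character of each class) are missing. The two files it audits are constructed here: one with the line libpam-pwquality installs by default on Ubuntu and one edited to the policy. The required values are assumed from the policy described above.

```sh
#!/bin/sh
# Added example (not from the original post): audit the pam_pwquality line in a
# PAM password stack file against the minimums the Intune policy expects.

REQ_MINLEN=8   # assumed to mirror the Intune policy described above

# Print the effective pam_pwquality line (first non-comment line naming the module).
pwquality_line() {
    grep -E '^[[:space:]]*password[[:space:]]+(\[[^]]*\]|[a-z_]+)[[:space:]]+pam_pwquality\.so' "$1" 2>/dev/null | head -n 1
}

# Value of key=value on the line, or "unset" when the option is absent.
get_opt() {
    opt_line="$1"; key="$2"
    val=$(printf '%s\n' "$opt_line" | tr ' \t' '\n\n' | grep -E "^$key=" | head -n 1 | cut -d= -f2)
    [ -n "$val" ] && printf '%s' "$val" || printf 'unset'
}

# A credit of -N requires at least N characters of the class; a positive
# credit is only a length bonus and enforces nothing, so it does not count.
credit_ok() {
    v=$(get_opt "$1" "$2")
    [ "$v" != "unset" ] && [ "$v" -le -1 ]
}

# Prints "compliant" and returns 0 when every requirement is met; otherwise
# prints the missing settings and returns 1.
audit_file() {
    line=$(pwquality_line "$1")
    if [ -z "$line" ]; then
        printf 'noncompliant: pam_pwquality.so is not in the password stack\n'
        return 1
    fi
    missing=""
    minlen=$(get_opt "$line" minlen)
    if [ "$minlen" = "unset" ] || [ "$minlen" -lt "$REQ_MINLEN" ]; then
        missing="$missing minlen>=$REQ_MINLEN"
    fi
    for c in dcredit ucredit lcredit ocredit; do
        credit_ok "$line" "$c" || missing="$missing $c<=-1"
    done
    if [ -z "$missing" ]; then
        printf 'compliant\n'
        return 0
    fi
    printf 'noncompliant:%s\n' "$missing"
    return 1
}

# Constructed sample files (not taken from a real system).
SAMPLE_DEFAULT=$(mktemp)
cat > "$SAMPLE_DEFAULT" <<'EOF'
# constructed common-password: the line libpam-pwquality installs by default
password        requisite                       pam_pwquality.so retry=3
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass yescrypt
password        requisite                       pam_deny.so
password        required                        pam_permit.so
EOF

SAMPLE_FIXED=$(mktemp)
cat > "$SAMPLE_FIXED" <<'EOF'
# constructed common-password: the line edited to match the Intune policy
password        requisite                       pam_pwquality.so retry=3 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=-1 minlen=8
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass yescrypt
password        requisite                       pam_deny.so
password        required                        pam_permit.so
EOF

audit_file "$SAMPLE_DEFAULT" || :   # prints: noncompliant: minlen>=8 dcredit<=-1 ucredit<=-1 lcredit<=-1 ocredit<=-1
audit_file "$SAMPLE_FIXED"          # prints: compliant
```

Run it against the real file with audit_file /etc/pam.d/common-password. Like the post, it reads only the PAM line; pam_pwquality also reads /etc/security/pwquality.conf, but module options on the PAM line override it, so a compliant line is enough on its own.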

Custom Compliance

With custom compliance, we can use shell scripts to evaluate a Linux device.

Discovery scripts for Linux must be POSIX-compliant shell scripts, such as Bash. However, the scripts can call more complex interpreters from inside the script, like Python. To successfully use other interpreters, they must be correctly installed and configured on the devices in advance of receiving the discovery script.

About POSIX-compliant syntax: Because the custom compliance script interpreter for Linux supports only a POSIX-compliant shell, it is important to use POSIX syntax (no bashisms such as arrays or [[ ]]).

To know more, check here - Create a discovery script for custom compliance policy in Microsoft Intune | Microsoft Learn

Below is an example shell script that checks whether a given process is running and reports the result as JSON. Intune compares that output against the rules JSON file and marks the device compliant when the rule matches, and non-compliant otherwise.


For Select your discovery script in custom compliance in Intune, select Set reusable settings, and then specify a script that has previously been added to the Microsoft Endpoint Manager admin center. The script must be uploaded before you begin to create the policy. To add the script to the MEM admin center follow this article - Create a discovery script for custom compliance policy in Microsoft Intune | Microsoft Learn

Sample Script to check for running process:

#!/bin/sh
# Discovery script: reports whether a named process is running.
# The key in the JSON output ("Process") must match the SettingName in the rules file.
checkProcess() {
    Process="processname"   # replace with the exact process name to check
    if pgrep -x "$Process" >/dev/null
    then
        Process="running"
        printf '{"Process": "%s"}\n' "$Process"
    else
        Process="notrunning"
        printf '{"Process": "%s"}\n' "$Process"
    fi
}
checkProcess

In the above script, printf writes the result as a single-line JSON object; the key Process must match the SettingName in the rules file. Note that the function's closing brace is required, otherwise sh reports a syntax error and the script produces no output at all.

For Select your rules file, select the folder icon and then locate and add the JSON file for Linux that you want to use with this policy.

The JSON you enter is validated and any problems are displayed. Below is a sample rules file matching the script output; the RemediationStrings are what the Intune app shows the user when the device is marked non-compliant.

{
	"Rules": [{
		"SettingName": "Process",
		"Operator": "IsEquals",
		"DataType": "String",
		"Operand": "running",
		"MoreInfoUrl": "https://abc.com/",
		"RemediationStrings": [{
			"Language": "en_US",
			"Title": "Process is missing",
			"Description": "Process is not running."
		}]
	}]
}
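The following is an added example (not from the original post or from Microsoft) that generalizes the single-process check above into a POSIX sh discovery script reporting two settings in one JSON object, together with the rules file that matches it. The process name sshd, the path /etc/ssh/sshd_config, the setting names and the example.com URLs are placeholders chosen for this example.

```sh
#!/bin/sh
# Added example (not from the original post): a discovery script that reports
# several settings in one JSON object, plus the matching rules file. Every key
# in the object must equal a SettingName in the rules file. The process and
# path names are placeholders.

# Escape backslashes and double quotes so arbitrary text is a valid JSON string.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# "running" if a process with exactly this name exists, else "notrunning".
# pgrep -x matches the kernel comm field, which Linux truncates to 15 characters.
process_state() {
    if pgrep -x "$1" >/dev/null 2>&1; then
        printf 'running'
    else
        printf 'notrunning'
    fi
}

# JSON boolean: true when the path exists and is writable by "other".
# stat -c '%A' prints e.g. -rw-r--r-- (GNU/busybox stat); the 9th character
# is the other-write bit, and an ACL/SELinux marker may follow as an 11th.
world_writable() {
    case "$([ -e "$1" ] && stat -c '%A' "$1")" in
        ????????w?*) printf 'true' ;;
        *)           printf 'false' ;;
    esac
}

# Assemble the single-line JSON object that Intune parses. Strings are quoted
# and escaped; the boolean is emitted bare so DataType Boolean matches it.
build_report() {
    printf '{"Process": "%s", "SshdConfigWorldWritable": %s}\n' \
        "$(json_escape "$(process_state "$1")")" \
        "$(world_writable "$2")"
}

# Matching rules file (write it out with: rules_json > linux-rules.json).
rules_json() {
    cat <<'EOF'
{
  "Rules": [
    {
      "SettingName": "Process", "Operator": "IsEquals", "DataType": "String", "Operand": "running",
      "MoreInfoUrl": "https://example.com/compliance/sshd",
      "RemediationStrings": [{ "Language": "en_US", "Title": "sshd is not running",
                               "Description": "Start it with: sudo systemctl start ssh" }]
    },
    {
      "SettingName": "SshdConfigWorldWritable", "Operator": "IsEquals", "DataType": "Boolean", "Operand": false,
      "MoreInfoUrl": "https://example.com/compliance/sshd-config",
      "RemediationStrings": [{ "Language": "en_US", "Title": "sshd_config is world-writable",
                               "Description": "Run: sudo chmod o-w /etc/ssh/sshd_config" }]
    }
  ]
}
EOF
}

# Stand-alone run with the placeholder inputs.
build_report "sshd" "/etc/ssh/sshd_config"
```

Upload the script as the discovery script and the output of rules_json as the rules file. Because pgrep -x compares against the truncated comm name, a binary whose name is longer than 15 characters must be given in its truncated form or the check will always report notrunning.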

Automate Conversion of old App-V 4.6 packages into App-V 5.1 using PowerShell

App-V 5.1 is out now. You may need to convert old App-V 4.5 or App-V 4.6 applications to the new App-V 5.1 format. With one or two packages this is easy to do by hand, but with hundreds of App-V 4.x apps it becomes complex and time consuming.
This PowerShell script makes that scenario easy: point it at the folder where the old packages (App-V 4.5 or App-V 4.6) are kept and run it. Within minutes the new App-V 5.1 packages are created in the output folder.
For example, create a single folder named App-V packages on the C: drive (C:\App-V packages) and copy all the old App-V 4.x packages into it. Then edit the script and set that folder as the $appv46folder variable:

# specify the folder where bulk App-V 4.6 packages are kept

$appv46folder = "C:\App-V packages"  

NOTE: Do not create subfolders inside the main folder; the script does not handle them.
Run the script on a machine where the App-V 5.1 Sequencer is installed. Before converting, it is good practice to test the packages for convertibility with Test-AppVLegacyPackage.
Converted App-V 5.1 packages can be found in the C:\AppV5convertedpackages folder.
Check this link to know more about converting old App-V 4.x applications to the new App-V 5.1 format –
NOTE: On a 64-bit computer you must use the x86 (32-bit) version of PowerShell to run this script, and the execution policy must allow the script to run.
This script can also be used to convert old App-V packages into the App-V 5.0 format.
Disclaimer: This script is intended for testing purposes only and I take no responsibility for any system failures or issues. Test the script in your environment before doing any mass conversion.
To download the script click HERE

MSIX Packaging Tool- 0x80131500 when building

Recently I tested converting the TortoiseSVN MSI package to MSIX using the MSIX Packaging Tool. Everything worked during the monitoring phase, but during the build the tool got stuck and showed error code 0x80131500.




The MSIX log file showed an error about duplicate IDs in the AppxManifest.xml: the converter had written the same COM class ID twice, which the manifest schema rejects through its uniqueness constraint on Class_Id.


[3/7/2019 6:38:14 AM] [Error] ERROR: PRI191: 0x80080204 - Appx manifest not found or is invalid. Please ensure well-formed manifest file is present. Or specify an index name with /in switch.

[3/7/2019 6:38:14 AM] [Error]

[3/7/2019 6:38:14 AM] [Error] error C00CE1A1: App manifest validation error: The app manifest must be valid as per schema: Line 20, Column 2554, Reason: 'f26e2640-0cff-43dc-8325-575a3261d885' is a duplicate key for the unique Identity Constraint '{http://schemas.microsoft.com/appx/manifest/foundation/windows10}Class_Id'.

[3/7/2019 6:38:14 AM] [Error]

Since nothing was generated other than the log file, it was hard to find a solution. Checking with the MSIX Tech Community, this turned out to be a known issue in MSIX Packaging Tool build v1.2019.110.0, fixed in the Insider build v1.2019.304.0.


Thanks to JamesPike & Tim Mangan for confirming this issue and its resolution.


Release Notes : https://docs.microsoft.com/en-us/windows/msix/packaging-tool/release-notes/history


Download Free MSIX Packaging Insider Tool : https://docs.microsoft.com/en-us/windows/msix/packaging-tool/insider-program


Join MSIX TechCommunity : https://techcommunity.microsoft.com/t5/MSIX/ct-p/MSIX