Configure Microsoft OneDrive on macOS using Intune

-

I have recently been testing and  familiarizing myself with Microsoft Single-sign on (SSO) extensible configuration for websites and apps on macOS. While the feature is still in preview, it has immense potential and has already proved to be a worthy edition in the management of Apple devices in general. While exploring the configuration, I felt the need to configure Microsoft 365 apps, particularly Microsoft OneDrive. In this blog, I will cover the configuration required to setup and manage Microsoft OneDrive on macOS devices using Intune.

Intune Configuration

Part 1 - As the first step, I will encourage to configure the SSO extension on the macOS devices to make the sign-in as seamless as possible. If you are interested in knowing how to go about this, then I recently blogged about Reduce app sign-in prompts with SSO on macOS using settings catalog in Intune which covers the steps and details.

Part 2 - As the second step, Microsoft OneDrive app needs to be installed on the macOS. You can either do this by setting it up separately in Intune, or deploy it as part of Microsoft 365 Apps. I covered the steps as in the blog post Reduce app sign-in prompts with SSO on macOS using settings catalog in Intune so feel free to refer to it.

Part 3 - Next step is to configure Microsoft OneDrive policies using Intune. Just like Windows, where you can configure the known folder move (KFM), automatic sign-in settings using settings catalog, the same can be done for the supported settings for macOS. Microsoft have really made things simple by extending and building the settings catalog for other OS platforms like macOS. Steps are as follows -

2. Browse to Devices –> Configuration
3. Click Create -> New Policy
4. Select Platform as macOS
5. Select Profile type as Settings catalog
6. Provide a Name and hit next.
7. Click on Add settings.
8. Configure the following -




Should look something like below -


Note: If you're deploying the VPP version of OneDrive, then you must use com.microsoft.OneDrive-Mac.FinderSync as the value instead.

During Microsoft OneDrive configuration, end users may be prompted to allow sync icons by enabling the Finder Sync extension. In such a case, you can use this script to configure for the users. I haven't been asked during my testing so I have not configured it.

9. Assign to macOS devices as normal.

End Results

After the device syncs with Intune, the policies should get enforced on the device. The same can be verified under Settings>Privacy and Security > Profiles.



The user should see the prompt of OneDrive app starting at logon. Also, the OneDrive wizard will open for first time configuration. User's Entra ID UPN should be pre-populated.



User may be asked to give permissions for syncing.



Once the configuration is complete, you can open the finder to confirm the location setup for Microsoft OneDrive.


Syncing should commence automatically at this stage.


As an admin, you can validate whether the applied settings are reporting compliant on Intune or not.


Final thoughts..

Intune manages macOS devices using the built-in operating system MDM capabilities and the Intune Management Extension (IME) agent. While Enrollment is managed through Apple Business Manager, MDM is managed through the Apple Push Notification Service (APNS), and the IME communicates directly with Intune. The end user experience may not be a like for like as Windows, but it is good to know that Microsoft OneDrive as part of Microsoft 365 apps can be setup and managed using enterprise client management tools like Intune.

References:

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Intune: UAC Elevation Prompt Behavior for Standard Users

-
Image
Implementing and maintaining a good security posture is an integral part of overall IT security governance for most organizations now. While you want to harden the security of infrastructure and give least number of privileges to your end users, sometimes you may need to cut back on the restrictions to ensure a good user experience and an effective IT support process. Recently, I had a requirement where the customer wanted to ease the restriction on the end user devices to make the helpdesk support process more efficient. This involved easing the UAC level access for the Standard users and if you are managing your devices using Intune, then this blog may just help you. Let us see what all is involved and some of the ways that you can use to implement this easily. Policy CSP – LocalPoliciesSecurityOptions LocalPoliciesSecurityOptions has many CSP settings and if you are managing these settings at an individual level, then the CSP that we need to concern ourselves with here is U
Read more