Microsoft Remote Help native app with Full Control, Conditional Access, macOS - Bringing it altogether

-
In April 2024, Microsoft announced full support for Intune Remote Help on the macOS platform. This new enhancement brought remote assistance to the same level as Windows OS. It also meant that now remote sessions could be trusted with strong authentication like multi-factor and even leverage conditional access policies. Even though Remote Help is not part of the default Intune license, it does come as part of the Intune suite or can be purchased as a separate add-on.

Remote Help is available for macOS as both a native application, and as a Web App that runs within the user's web browser. As of writing this blog, Full Control feature is only supported with the client native app and that is what I'll be focusing on in this blog. But first, here is a quick glance on the capabilities of the Remote Help feature -

- Remote Help can be enabled to provide assistance on unenrolled devices

- Conditional access can be utilized for setting conditions for Remote Help.

- Compliance Warnings are shown during the Remote Help sessions.

- Enrollment status will be shown to the Helper during a Remote Help session.

- Remote Help includes enhanced chat that maintains a continuous thread of all messages.

If you want to restrict Remote Help to enrolled devices then there are two additional requirements:

1. Single sign-on (SSO). Note - If you are looking for my experience setting up SSO for macOS, then you can head over to this link.
2. Open and sign in to Company Portal.

I am enabling Remote Help for enrolled devices and here are the steps -

Enable Remote Help in the Intune Tenant

2. Go to Tenant administration > Remote Help > Settings > Configure.
3. Configure the settings as shown below for managed & enrolled devices.

4. The status of Remote Help will change to 'Enabled'.


Import & Deploy the Remote Help native app in Intune

As mentioned earlier, while web app is an option to provide Remote Help assistance, in order to support full control, Remote Help native app for macOS is required. To set this up in Intune, download the latest .pkg file from https://aka.ms/downloadremotehelpmacos.

2. Go to Apps > macOS > Add > Select App type as macOS app (PKG).
3. Select the .pkg downloaded from before and use the defaults as shown below.




4. Assign to a device based group.

Privacy Preferences settings catalog in Intune

Applications that access and control the screen on macOS may require additional permissions. While some of these permissions can be managed using Intune, users must accept these permissions when prompted to do so.

2. Browse to Devices –> Configuration
3. Click Create -> New Policy
4. Select Platform as macOS
5. Select Profile type as Settings catalog
6. Provide a Name and hit next.
7. Click on Add settings.
8. Configure the following -

Under Privacy > Privacy Preferences Policy Control > Services

Accessibility

Authorization - Allow
Identifier Type - bundle ID
Identifier - com.microsoft.remotehelp
Static Code - False
Code Requirement - identifier "com.microsoft.remotehelp" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9

Screen Capture

Authorization - Standard User To Set System Service
Identifier Type - bundle ID
Identifier - com.microsoft.remotehelp
Static Code - False
Code Requirement - identifier "com.microsoft.remotehelp" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9

9. Assign to macOS devices as normal.

Conditional Access for Remote Help

Configuring and enabling conditional access for Remote Help is optional, but highly recommended to secure the authentication. To enable CA, the Remote Assistance Service enterprise application needs to be created manually in the tenant. This can be done by running the following commands -

Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Application.ReadWrite.All"
New-MgServicePrincipal -AppId "1dee7b72-b80d-4e56-933d-8b6b04f9a3e2"
Disconnect-MgGraph


Now you can create a CA policy to add additional controls using the Remote Assistance Service cloud app. I created a policy to test for blocking access to Remote Help for testing. The results are covered later in the post.


Remote Help in action

The Remote Help native app for macOS will install automatically on the next device sync.


Open the Company Portal app to ensure SSO picks up the active session with the token. Then open the Remote Help app and the user's UPN should automatically populate. User should be able to authenticate when launching the Remote Help app. Accept the privacy settings if prompted to do so.



Permissions should automatically set for Accessibility & Screen & Audio recording



In circumstances where Screen recording requires additional admin permissions, then in this case the user may have to allow this manually when prompted to do so after opening the Remote Help app.



Once all set, Sharer can allow access using the code provided by Helper

Helper will need to navigate to Devices > All Devices<Device Name> Remote Actions by clicking the 3 dots and select New remote assistance session and provide the code to the Sharer.



Helper will need to navigate to https://aka.ms/rh?passcode=xxxx with xxxx being the passcode in order to provide assistance.


Helper can click on Screen sharing or Full control. For all intent and purposes, I am clicking on Full control.

The Sharer will see the prompt letting them know that helper is ready to take control and assist. At this stage the Sharer will need to allow permissions to use of Microphone in case of Full Control.






Helper's view -


With CA policy enabled, if a user is blocked from accessing Remote Help service, then they will not be allowed to do so.


This can be validated in Entra ID sign-in logs as well.




Final thoughts..

With the rise in help desk spoofing, a need for strong authentication built into Remote Help and security controls has become imperative. The current Remote Help offering by Microsoft has certainly ticked all the check boxes.

Comments

  1. David M.BlassAugust 30, 2024 at 2:29 PM

    Great article! I truly appreciated the clarity and depth you brought to this subject. Your insights are both valuable and thought-provoking. Thanks for putting so much effort into your writing—it really shows. I'm excited to read more of your work and gain further understanding from your unique perspective!
    Enrgtech
    Remote Controls

    ReplyDelete

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Configure CloudAPAuthEnabled to support Conditional Access in Google Chrome natively

-
Image
Starting with version 111 of Google Chrome, organizations can leverage conditional access policies natively using  CloudAPAuthEnabled . Before this release, Conditional access policies were only supported on Google Chrome by using additional extensions like Windows Accounts and Office Online . If you want to know more about the use of these extensions, then you can read all about it over here . Let's see the new policy involving  CloudAPAuthEnabled in a little detail and how can organization configure it using enterprise device management solutions. CloudAPAuthEnabled   is a setting that can be configured using the policy  Configures automatic user sign-in for accounts backed by a Microsoft® cloud identity provider .  By setting this policy to 1 (Enabled), users who sign into their computer with an account backed by a Microsoft cloud identity provider or who have added a work or school account to Microsoft Windows, can be signed into web properties using that identity automatical
Read more