Microsoft Remote Help native app with Full Control, Conditional Access, macOS - Bringing it all together
In April 2024, Microsoft announced full support for Intune Remote Help on the macOS platform. This enhancement brought remote assistance on macOS to the same level as on Windows. It also means that remote sessions can now be protected with strong authentication such as multi-factor authentication and can even be governed by Conditional Access policies. Remote Help is not part of the default Intune license, but it is included in the Intune Suite and can also be purchased as a separate add-on.
Remote Help is available for macOS both as a native application and as a web app that runs in the user's browser. As of writing this blog, the Full Control feature is only supported with the native client app, and that is what I'll be focusing on here. But first, a quick glance at the capabilities of the Remote Help feature -
- Remote Help can be enabled to provide assistance on unenrolled devices
- Conditional access can be utilized for setting conditions for Remote Help.
- Compliance Warnings are shown during the Remote Help sessions.
- Enrollment status will be shown to the Helper during a Remote Help session.
- Remote Help includes enhanced chat that maintains a continuous thread of all messages.
If you want to restrict Remote Help to enrolled devices, there are two additional requirements:
1. Single sign-on (SSO). Note - if you are looking for my experience setting up SSO for macOS, head over to this link.
2. Open and sign in to Company Portal.
I am enabling Remote Help for enrolled devices; here are the steps -
Enable Remote Help in the Intune Tenant
1. Navigate to Microsoft Intune admin center.
2. Go to Tenant administration > Remote Help > Settings > Configure.
3. Configure the settings as shown below for managed & enrolled devices.
4. The status of Remote Help will change to 'Enabled'.
Import & Deploy the Remote Help native app in Intune
As mentioned earlier, the web app is an option for providing Remote Help assistance, but the Remote Help native app for macOS is required to support Full Control. To set this up in Intune, download the latest .pkg file from https://aka.ms/downloadremotehelpmacos.
1. Navigate to Microsoft Intune admin center.
2. Go to Apps > macOS > Add > select App type as macOS app (PKG).
3. Select the .pkg downloaded earlier and use the defaults as shown below.
4. Assign it to a device-based group.
Privacy Preferences settings catalog in Intune
Applications that access and control the screen on macOS require additional privacy permissions. While Intune can grant some of these permissions in advance through a Privacy Preferences Policy Control (PPPC) policy, users still have to accept the remaining ones when prompted.
1. Navigate to Microsoft Intune admin center.
2. Browse to Devices > Configuration
3. Click Create > New Policy
4. Select Platform as macOS
5. Select Profile type as Settings catalog
6. Provide a Name and hit Next.
7. Click on Add settings.
8. Configure the following under Privacy > Privacy Preferences Policy Control > Services -
   Accessibility
     Authorization - Allow
     Identifier Type - Bundle ID
     Identifier - com.microsoft.remotehelp
     Static Code - False
     Code Requirement - identifier "com.microsoft.remotehelp" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
   Screen Capture
     Authorization - Standard User To Set System Service
     Identifier Type - Bundle ID
     Identifier - com.microsoft.remotehelp
     Static Code - False
     Code Requirement - identifier "com.microsoft.remotehelp" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
9. Assign to macOS devices as normal.
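A PPPC grant only takes effect when the Code Requirement in the policy matches the designated requirement that codesign reports for the installed binary, so it is worth comparing the two on a test Mac before rolling the policy out. The script below is an added example and is not part of the original post or of Microsoft's tooling; it assumes the app installs to /Applications/Microsoft Remote Help.app (adjust APP_PATH if your bundle lives elsewhere) and checks the codesign output against the exact Code Requirement string entered above.

```sh
#!/bin/sh
# Compare the designated requirement of the installed Remote Help app with the
# Code Requirement used in the PPPC settings-catalog policy. If they differ,
# TCC silently ignores the managed grant and the user is prompted instead.
# Assumption (not from the original post): the app bundle path below.

APP_PATH="/Applications/Microsoft Remote Help.app"

# Exactly the Code Requirement entered in the PPPC policy.
EXPECTED_REQ='identifier "com.microsoft.remotehelp" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9'

# normalize_req RAW: keep only the "designated => ..." line from raw
# `codesign -d -r -` output, strip the prefix and collapse whitespace so the
# result can be compared byte-for-byte with the policy value.
normalize_req() {
    printf '%s\n' "$1" \
      | grep '^designated => ' \
      | sed 's/^designated => //' \
      | sed 's/[[:space:]][[:space:]]*/ /g' \
      | sed 's/^ *//; s/ *$//'
}

# team_id_of_req REQ: extract the Team ID (subject.OU) from a requirement.
team_id_of_req() {
    printf '%s\n' "$1" | sed -n 's/.*leaf\[subject\.OU] = \([A-Z0-9]*\).*/\1/p'
}

# check_requirement RAW EXPECTED: exit 0 when the normalized requirement
# equals the policy value, 1 otherwise (with a hint about what differs).
check_requirement() {
    actual=$(normalize_req "$1")
    expected="$2"
    if [ -z "$actual" ]; then
        echo "no designated requirement found in codesign output" >&2
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "requirement mismatch" >&2
        echo "  app:    $actual" >&2
        echo "  policy: $expected" >&2
        if [ "$(team_id_of_req "$actual")" != "$(team_id_of_req "$expected")" ]; then
            echo "  Team ID differs: the installed app is not signed by the expected team" >&2
        fi
        return 1
    fi
    return 0
}

# check_installed_app: run codesign against the real bundle (macOS only).
check_installed_app() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available; run this on the Mac" >&2
        return 2
    fi
    # codesign -d prints its report on stderr, hence 2>&1.
    raw=$(codesign -d -r - "$APP_PATH" 2>&1)
    check_requirement "$raw" "$EXPECTED_REQ"
}

# Usage on the Mac: sh check_remotehelp_req.sh --check
if [ "${1:-}" = "--check" ]; then
    check_installed_app && echo "OK: app requirement matches the PPPC policy"
fi
```

The pure-text helpers (normalize_req, check_requirement) run on any POSIX shell, which keeps them easy to test away from the Mac; only check_installed_app needs codesign. A differing Team ID is called out separately because it is the usual reason a requirement that looks right still fails to match.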
Conditional Access for Remote Help
Configuring Conditional Access for Remote Help is optional but highly recommended, as it hardens authentication to the service. To enable CA, the Remote Assistance Service enterprise application first needs to be created manually in the tenant. This can be done by running the following commands -
# Install the Microsoft Graph PowerShell SDK for the current user
Install-Module Microsoft.Graph -Scope CurrentUser
# Sign in with a scope that allows creating service principals
Connect-MgGraph -Scopes "Application.ReadWrite.All"
# Create the service principal for the Remote Assistance Service app
New-MgServicePrincipal -AppId "1dee7b72-b80d-4e56-933d-8b6b04f9a3e2"
Disconnect-MgGraph
Now you can create a CA policy that adds controls to the Remote Assistance Service cloud app. As a test, I created a policy that blocks access to Remote Help; the results are covered later in the post.
Remote Help in action
The Remote Help native app for macOS will install automatically on the next device sync.
Open the Company Portal app so that SSO picks up the active session and its token. Then open the Remote Help app; the user's UPN should populate automatically and the user should be able to authenticate when the app launches. Accept the privacy settings if prompted to do so.
Permissions should be set automatically for Accessibility and for Screen & Audio Recording.
Where Screen Recording requires additional admin approval, the user may have to allow it manually when prompted after opening the Remote Help app.
Once everything is set, the Sharer can allow access using the code provided by the Helper.
The Helper needs to navigate to Devices > All devices > (Device Name), open Remote Actions via the three dots, select New remote assistance session, and provide the code to the Sharer.
The Helper then navigates to https://aka.ms/rh?passcode=xxxx, with xxxx being the passcode, in order to provide assistance.
The Helper can click on Screen sharing or Full control. For all intents and purposes, I am clicking on Full control.
The Sharer will see a prompt letting them know that the Helper is ready to take control and assist. At this stage the Sharer will also need to allow use of the Microphone in the case of Full Control.
Helper's view -
With the CA policy enabled, a user who is blocked from accessing the Remote Help service cannot start a session.
This can be validated in the Entra ID sign-in logs as well.
Final thoughts
With the rise in help desk spoofing, strong authentication and security controls built into Remote Help have become imperative. The current Remote Help offering from Microsoft has certainly ticked all the boxes.