MacOS Device Certificate when using Conditional Access olicy

James Seddon 6 Reputation points
2023-06-19T08:34:48.4666667+00:00

We are in the process of enabling conditional access policies (CAP) in Azure and have hit a snag when it comes to MacOS users. As expected and described in the KB's (and even warned in the UX) when applying CAP's to MacOS devices the end user will be prompted for a device certificate in order to complete the SSO journey. All good there, however, we understood (maybe mistakenly) that deploying Company Portal to all devices and having the users complete the setup and import the portal certificate into their KeyChain (with "Always Allow") they would no longer be requested to accept new certificates. This unfortunately means our end users are up in arms about the "constant" requests in their browsers to accept certificates, and we haven't yet tried to touch more complex SSO scenarios such as GCP and AWS federation where users may be using impersonation and command line based SSO.

It's worth noting that we also use JamfPro, and all MacOS devices are "Azure AD Registered" and enrolled into Intune with a valid Compliance Policy.

Is there a solution to this problem?

Pictures for reference:

image (2)

image (1)

Microsoft Intune MacOs
Microsoft Intune MacOs
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.MacOs: A family of Apple operating systems for the Apple Mac line of computers.
93 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Crystal-MSFT 50,676 Reputation points Microsoft Vendor
    2023-06-20T05:57:34.92+00:00

    @James Seddon, Thanks for posting in Q&A. Based on my researching, In MacOS devices, when Azure AD identifies the device using a client certificate provisioned during device registration, the end user is prompted to select the certificate first before using the browser. Deploying the Microsoft Intune Company Portal app through Jamf Pro Self Service can help send the certificate to the Keychain. If the user has already imported the certificate into their KeyChain with "Always Allow" at least once, they should not be requested to accept new certificates. However, launching the Company Portal app manually from the Applications or Downloads folders won't register the device. We recommend directing end users through email, Jamf Pro notifications, or any other method your organization uses to complete device registration. Finally, consider creating a common Conditional Access policy to require a compliant device, to enhance your organization's security.

    References:


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.