This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 71%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDD%3C/text%3E%3C/svg%3E)
Hello there,
Looking for an advise on how to best overcome the following limitation.
We're trying to enroll Mac devices with DEP enrollment and Intune. When binding the Mac to a user during install, it tries to log on and verify membership and licenses.
This is known issue: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/17163317-mfa-doesn-t-work-with-apple-dep-with-intune (it's marked as release in progress since 2018 but it doesn't seem to have progressed ever since)
In our scenarion we have a trust between Office365\Azure and our on-prem ADFS 2016 (Farm in 4.0 mode)
So all authentications are forwarded from Intune to on-prem ADFS, where we enforce MFA (DUO). Now, since DEP with Intune doesn't support MFA (still!), we need a way to bypass MFA but only for auth requests coming from DEP\Intune enrollment.
Before this task, we had a following Access Control Policy for Azure\Office365 trust
What I gathered from failed auth attempts from DEP is that it uses Endpoint "/adfs/services/trust/2005/usernamemixed" so I tried to a few ways to bypass auth requests with this endpoint in claims but it seems I can't build the right rule.
So I have two questions:
Any help is much appreciated.
Note that if you are using ADFS for your Azure AD integration only to be able to use DUO, you might be able to do without ADFS. You could use Azure AD Connect Seamless SSO and use the Azure AD/DUO integration.
We can create such rule. It would use the "legacy" way to do it and not the current Access Control Policies. But it would affect other clients. Enterprise Active Sync can use the same endpoint, and so are other legacy applications. So by white-listing this scenario you might allow others.
Ideally we would do everything is Azure AD in Conditional Access Policies. That is the recommended way. Anything else than this is really a gadget workaround with security risks.
That said, in order to minimize the exposure as much as we can, we can try to fine tune the exclusion to a User Agent String, or other connection metadata. In order to do this, you will need to capture all the claims you get on one of this request and share it here. In order to have all the claims of your request in the eventlogs, you will need to enable the verbose audit. You will find the info here: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging.
Hi, thanks for taking time to help us with this.
I have gathered verbose logs, which I'm not comfortable sharing in a public post. How can I safely share it with you?
Thank you.
You can sanitized the logs, replace IP addresses by x.x.x.x and usernames by XXXX. If you don't find a way to do it, you can find me on LinkedIn.
There are quite a few log events for a single login attemp.
I sent you an invite in LinkedIn.
Thanks.
Hi there.
Any luck with those logs?
Thank you.
I looked at them right away, I emailed you right away too :) that the logs we need is the security logs (with verbose audit). Those are the ones which contain the user agent strings and other connection artifacts.
Hi Pierre,
I did send extended logs to you some time ago, and re-sent it just now, please check if you received them?
Thank you!
My bad! You did! I'll have a look!
Hi Pierre,
Just in case, I sent you some new logs this morning.
Thank you.