Troubleshooting Intune for macOS management
This guide outlines key troubleshooting methods for managing macOS devices with Microsoft Intune. It covers common issues related to local group management, configuration profiles, compliance, and app deployment. Use these steps to identify, diagnose, and resolve problems efficiently during macOS device management.
Shell Commands
This section provides essential shell commands used in macOS Intune troubleshooting. These commands help verify system status, logs, profiles, and connectivity during device diagnostics.
Add User as Admin
In some troubleshooting or configuration scenarios, it's necessary to ensure that the local user account has administrative rights. This can be done manually or through scripting in a managed deployment.
dseditgroup -o edit -a "<username>" -t user admin
Remove User as Admin
For security or compliance reasons, you may need to revoke administrative privileges from a user account on a managed macOS device. This can be done manually or via command line.
dseditgroup -o edit -d "<username>" -t user admin
Review Group Membership
Use these commands to check if a user has admin rights and view current members of the admin group. Helpful for verifying permissions before making changes.
dscacheutil -q group -a name admin
Get Current Active User
Use these commands to identify the currently logged-in user, useful for scripts and remote troubleshooting.
dscl . -list /Users | grep -v -e '_' -e root -e nobody -e daemon
Search Filelocation of Bundle ID
This command uses macOS Spotlight search (via mdfind
) to locate the path of an app or bundle on the system by its bundle identifier.
In this case, it searches for the Microsoft Teams 2.0 app, whose bundle identifier is com.microsoft.teams2
.
mdfind "kMDItemCFBundleIdentifier = 'com.microsoft.teams2'"
Update Privacy Settings
macOS requires explicit user consent for apps to access sensitive system resources like Full Disk Access, Camera, Microphone, and automation controls. For managed devices, these permissions can be pre-approved using a configuration profile with the Privacy Preferences Policy Control (PPPC) payload.
PPPC settings are defined in a configuration profile (.mobileconfig
) using the com.apple.TCC.configuration-profile-policy
payload. This allows IT administrators to grant or deny specific permissions to apps without user interaction.
Jamf PPPC Utility is a free macOS tool that lets you build and export PPPC payloads through a user-friendly interface. It helps you:
-
Select an app and automatically extract its code signing information
-
Define specific services and permissions (e.g., Files and Folders, Automation, System Access)
-
Export the result as a
.mobileconfig
file ready for deployment via Intune or another MDM
This tool is especially useful when configuring permissions for third-party or custom apps.
Troubleshooting
Explore key diagnostic steps and resolution paths for frequent macOS management issues in Intune, helping you isolate causes and apply targeted fixes.
View live logs of Intune MDM Daemon
To monitor real-time activity from the Intune MDM agent, use the following command in Terminal:
tail -f /Library/Logs/Microsoft/Intune/*IntuneMDMDaemon*.log
No Comments