Building a MacOS Virtual Machine

Recently I’ve been working with Apple Macs and Intune together; coming from the Microsoft world, I’ve been using VMs for over a decade. There have been a couple of times where I needed a Mac virtual machine for documentation and testing purposes.

Before owning a Mac I attempted multiple times to run MacOS on ESX, Hyper-V and VMware Workstation; each of them “worked” but always had an issue which resulted in a less than ideal experience. With the purchase of my first MacBook Air I started playing around with VMware Fusion and Parallels Desktop Lite, both of which appear to be quite functional. In the end I decided to invest in VMware Fusion for the ability to define a custom serial number for the VM to facilitate testing of DEP solutions.

I’ve completed a screen capture of the process of creating a VM in VMware Fusion. It’s important to note that you MUST restart your Mac after installing the VMware Fusion software but before creating your first VM; I call this out as VMware doesn’t during the installation process.

Note: I have removed parts of the video to speed it up; the process on my MacBook Air takes around 40 minutes to run end to end.

Good Luck

Steve

MacOS DEP enrolment with Intune – Part 4 (Erase/Wipe)

So you have your new Mac enrolled into the DEP Program, signed in to the Mac during the out of box experience, and then renamed the Mac so you know which device is which.

That’s great, now let’s run through it again to validate that it wasn’t a one-off. From the Intune Portal we can send a command to wipe a computer. When you do this with a Windows 10 device you send the command and in 30 minutes, give or take, the computer is ready for the end user to sign back in.

For MacOS it’s slightly different: the Wipe command is replaced with the Erase command in the Intune Portal. From a UI point of view you are now prompted to enter a recovery PIN. It is very important that you note down this PIN, as once you hit the Erase button you won’t be able to change it, and you can’t use the device until the PIN is entered.

[Screenshot: the Intune Erase dialog prompting for the recovery PIN]

It is also important to note that as soon as you press the Erase button the Mac OS will be erased within a minute, obviously with a dependency on being connected to the internet. The computer will then restart and come to the screen below:

[Photo: the PIN entry screen shown after the Mac restarts]

This is where you enter the PIN from the Intune Portal. In my case, with the MacBook Air sitting next to me, remembering the PIN was easy enough, but in the real world make sure you send this PIN to the person who has the device (or to nobody if you are erasing the device because it has been stolen or lost).

Once we have entered the PIN and selected Next (the button appears on the screen when you enter the code), the next screen you see (well, after the loading spinning disc screen) is this scary looking one:

[Photo: the screen indicating that no operating system is present]

This icon signifies that there is no OS on the device. Unlike Windows, where a Wipe leaves the operating system on the device, when you Erase a Mac it not only removes your confidential files but also the whole operating system!

To get the MacBook Air (this doesn’t work for VMs, only physical devices) back to a usable state you need to hold Command-R during the power-on phase; if you do this correctly you will see this:

[Photo: the macOS Recovery screen]

Once connected to your WiFi it’ll take a little while to download the MacOS ISO from the Apple CDNs, in my case around 10 minutes, at which point you’ll see this screen:

[Photo: the macOS Utilities screen with the Reinstall macOS option]

This allows you to follow the standard process to reinstall macOS by selecting, well, “Reinstall macOS” and then Continue; as this is a standard process I’m not going to document it.

So this covers off the process to Erase macOS from Intune and the process which needs to be completed on the client side.

Good Luck

Steve

MacOS DEP enrolment with Intune – Part 3 (Change Display Name)

To carry on from the previous two blog posts (you’ll find them here and here), we have a MacOS device enrolled into Intune and a configuration baseline has been applied.

We then go and enrol our second device to complete testing of new policies, validate application installations, and carry out any further system testing. You look in the Intune portal and you have multiple devices with a naming convention, in my case, of “Steven’s MacBook Air”, with subsequent devices having (2) etc. appended to the end.

So the question comes back to how I change this. Well, let’s start at the “System Preferences” application, where we are presented with this UI:

[Screenshot: the System Preferences window]

With my Windows thinking I gravitated to the General icon, as the thinking is that the computer name would be a general setting. No joy, let’s look somewhere else: next was “Security & Privacy”, as one could argue that it’s a security setting; again no joy here. Finally I fired up my favourite search engine to figure it out, and the answer came back that I needed to select Sharing, which I was a little surprised by, but I can see the logic as it’s the network name for the device.

[Screenshot: the Sharing preference pane with the Computer Name field]

You can see I have changed the computer name to Bob. This will appear in the Intune portal the next time the computer syncs; you can force this if you want from the Intune portal.
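The same rename can be done from the Terminal, which is handy for scripting it across several test devices. This is an added example and not part of the original post: it uses scutil, which sets the same “Computer Name” the Sharing pane shows, plus the Bonjour name (LocalHostName) and the HostName that are kept alongside it. The derivation rule in to_local_hostname (spaces to hyphens, other punctuation dropped) is my own simplification of what the Sharing pane does, not Apple’s exact algorithm. The scutil calls need macOS and root (sudo); the validation functions run anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): rename a Mac from the shell
# instead of the Sharing pane. macOS keeps three related names; the Sharing
# pane's "Computer Name" is ComputerName, LocalHostName is the Bonjour name
# derived from it, and HostName is what the shell and network stack report.
# set_mac_names must run as root on macOS, e.g. sudo sh rename.sh Bob

# valid_local_hostname NAME -> returns 0 if NAME is usable as a LocalHostName
# (letters, digits and hyphens only, no leading/trailing hyphen, 1-63 chars),
# 1 otherwise. scutil rejects names outside this set.
valid_local_hostname() {
  case "$1" in
    ''|-*|*-) return 1 ;;
    *[!A-Za-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# to_local_hostname NAME -> prints a LocalHostName candidate derived from the
# display name: spaces become hyphens, any other non-alphanumeric is dropped.
# Assumption: a simple rule that mirrors what the Sharing pane produces for
# names like "Steven's MacBook Air" -> "Stevens-MacBook-Air".
to_local_hostname() {
  printf '%s' "$1" | tr ' ' '-' | tr -cd 'A-Za-z0-9-'
}

# set_mac_names NAME -> sets all three names and prints the resulting
# ComputerName so the caller can confirm the change took effect.
set_mac_names() {
  local_name=$(to_local_hostname "$1")
  valid_local_hostname "$local_name" || {
    echo "cannot derive a valid LocalHostName from: $1" >&2
    return 1
  }
  scutil --set ComputerName "$1"
  scutil --set LocalHostName "$local_name"
  scutil --set HostName "$local_name"
  scutil --get ComputerName
}
```

After running it, the new name shows up in the Intune portal on the next sync, exactly as with the Sharing pane change above.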

Good Luck

Steven Hosking

MacOS DEP enrolment with Intune – Part 2 (the Out of Box Experience)

To follow on from the last post, available here, I’m going to focus on the end user experience when the user receives their new Mac, in this case a MacBook Air 13 inch which has been procured from the Apple ecommerce.apple.com site, which is different to business.apple.com and deploy.apple.com; this will be something I blog about in the future.

So why is the Out of Box Experience something that is important to talk about? Well, the simple answer is that it is a different type of enrolment than what we have with MacOS devices which only have the Company Portal installed.

When enrolling a MacOS device into Intune using DEP, the device will be added into Azure AD as an “Azure AD Registered” device; this allows the device to be tagged as compliant or not for things like Conditional Access and the like.

The next thing to be aware of is that currently the MacOS DEP screen does not support an AAD account which has MFA set up; it will just return unknown user account or unknown password. You might think that with Azure AD MFA there is the ability to use App Passwords for just this case; well, that doesn’t work either. So if you want to use MacOS DEP you will need to have Azure AD MFA not enabled on the account.

For those of you who don’t have a DEP enrolled MacOS device, I’ve used the VM created in the last blog post to capture a video of the process. On the Intune side all that is being applied is a simple “User Affinity” policy, with all of the default pages still shown (you can pick and choose which screens you see); in addition to this I have locked the policy from being removed, for what it is worth.

Note: there is no audio on the video.

In the video you will note I have connected it to my Apple ID, but you can skip that step if you don’t want to install applications from the App Store; it can also be suppressed by the admin in Intune as a simple process to block staff from having their Apple ID assigned to the Mac.

Good Luck

Steve.

MacOS DEP enrollment with Intune – Part 1 (The Setup)

With all of the Modern Desktop projects we have been working on recently, we have been getting requests around supporting the Apple device of that executive/senior manager in the corner office.

These conversations have traditionally gone one of two ways: the all care, no responsibility approach where we will set up Office and give them email with limited support, or just a flat no, we will not support them.

Around 6 months ago I realised that I should spend some time understanding the platform to provide a rounded recommendation for my clients. Starting with the cheapest MacBook Air I could find, I pushed myself to first understand how the operating system worked, then what we can use Intune to manage. For those of you who have seen me running around with it, you have seen the great stickers I found for it; for those who haven’t seen it, well:

[Photo: the MacBook Air lid with stickers]

So enough of the waffle around why an ardent Microsoft guy is blogging about Apple on an Intune blog. This is the first of a few blog posts which will detail my experiences enrolling Macs into Intune and then managing them.

With Microsoft we have Windows AutoPilot; this requires device registration either by the vendor at the factory into your Intune tenant, or by harvesting the hardware hash for existing devices.

In the Apple world the equivalent system is called the Device Enrollment Program (DEP), the same one you use for your iPhones and iPads, albeit with a very minor difference. Existing iPhones and iPads can be manually imported into the DEP system from a Mac using the Apple Configurator 2 application, which is a great solution to start companies on the journey to MDM; on the other hand, Mac devices cannot be manually loaded into the DEP system.

It is even worse than this: the advice I have been able to get from multiple Apple stores is that Macs can only be registered into the DEP system at the factory. Thankfully Vigilant.IT has a company account with Apple through which I was able to procure a Mac to validate this solution. The process to do this was reasonably painless, and once the order was accepted the new Mac’s serial number appeared in the DEP console.

What I found surprising was that I could create a VM with VMware Fusion, assign the serial number, and it would appear to be DEP registered, which allows for high fidelity screen captures. As an aside, I attempted the same process with Parallels and the host’s serial number was passed through, which is less than ideal.

To set the serial number in VMware I followed this process: https://kb.vmware.com/s/article/1014782 to edit the VMX file and add the following lines:

SMBIOS.use12CharSerialNumber = "TRUE"
serialNumber = "myserialnumb"
hw.model = "MacBookAir8,1"

This will set the serial number to what you want it to be, in this case the serial number from the DEP system. You might ask what happens when the real device comes online; well, the Apple DEP system doesn’t worry about what hardware is being used, it just has a MacOS requesting its DEP policy, while in Intune it is the last device registered into the system which will be fully managed.
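Editing the VMX by hand works for one VM, but it is easy to end up with the key twice or with the curly quotes a word processor inserts. The script below is an added example, not code from the original post or from VMware: it rewrites the three keys in place, replacing any existing definition rather than appending a duplicate, and refuses a serial that is not 12 characters (an assumption drawn from the use12CharSerialNumber key name above and the 12-character placeholder the post uses). The example .vmx path in the usage comment is made up; edit the file only while the VM is powered off, since Fusion rewrites it on shutdown.

```shell
#!/bin/sh
# Added example (not from the original post): set a custom serial number and
# hardware model in a VMware Fusion .vmx file. Keys are written once, replacing
# any existing line, so the script can be re-run safely. Run with the VM off.
# usage (path is a made-up example):
#   sh set-serial.sh "~/Virtual Machines.localized/macOS.vmwarevm/macOS.vmx" myserialnumb MacBookAir8,1

# set_vmx_key FILE KEY VALUE -> writes KEY = "VALUE", dropping any earlier
# definition of KEY first (VMX keys are matched case-insensitively).
set_vmx_key() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp)
  # keep every line except an existing definition of this key
  grep -iv "^[[:space:]]*$key[[:space:]]*=" "$file" > "$tmp" || true
  printf '%s = "%s"\n' "$key" "$value" >> "$tmp"
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# get_vmx_key FILE KEY -> prints the unquoted value of KEY (empty if absent)
get_vmx_key() {
  grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" |
    sed 's/^[^=]*=[[:space:]]*"\(.*\)"[[:space:]]*$/\1/'
}

# set_dep_serial FILE SERIAL MODEL -> applies the three keys from the post.
# Assumption: the serial must be exactly 12 characters, as the
# SMBIOS.use12CharSerialNumber key implies; anything else is rejected
# before the file is touched.
set_dep_serial() {
  [ "${#2}" -eq 12 ] || {
    echo "serial number must be exactly 12 characters, got: $2" >&2
    return 1
  }
  set_vmx_key "$1" "SMBIOS.use12CharSerialNumber" "TRUE"
  set_vmx_key "$1" "serialNumber" "$2"
  set_vmx_key "$1" "hw.model" "$3"
}

# run as a script: set-serial.sh FILE SERIAL MODEL, then echo the result
if [ "$#" -eq 3 ]; then
  set_dep_serial "$1" "$2" "$3" && get_vmx_key "$1" serialNumber
fi
```

Keep in mind the point made above about Intune: if the VM and the physical Mac both boot with the same serial, the last one to register is the device Intune treats as managed, so use a serial from a device you own and expect the real Mac to drop out of management while the VM is in use.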

Now we have the setup to test and validate the MacOS DEP solution; keep a look out for the next blogs in the series.

Cheers

Steve