Mac PSSO Registration Intune

[Matt Strickland]

Hi All,

Just would like to know here who uses Intune for their MDM with their Tela macOS devices, and particularly User Affinity with Secure Enclave (for those single teacher use)

I have an annoying error on the last step after setup assistant and the enrolment process (when you finally register your mac - for our non affinity devices this works fine, but uses password for credential as they are not hardware bound)

I do not usually give end users bind entra ID as the mac is already bound via ADE from Apple School Manager (with all the usual Platform SSO settings etc)

I read there has been some changes lately in the process chain so maybe there is something broken now?

Matt

[Carl Gamble]

Hi Matt

I would suggest that you have a look at this article from Microsoft as you can now register the Mac in the Setup Assistant - this removes some complexity from device setup. We have been waiting for Microsoft / Entra to support this since the launch of macOS 26:

This article was published just a few days ago and I tested this out yesterday with great success - it’s pretty good but you need to make sure you read the ‘before you begin’ section thoroughly. 

The only downside that I’ve seen so far is that when you go through setup, you have to wait in the Setup Assistant for Company Portal to be downloaded in the background and you’ll get errors if you try to proceed before it’s installed.

Happy to help if you need to jump on a call.

Regards

Carl Gamble

Systems Engineer - Apple NZ

+64 220 421949

On 20 May 2026, at 15:06, 'Matt Strickland' via Techies for schools <techies-f...@googlegroups.com> wrote:

Hi All,

Just would like to know here who uses Intune for their MDM with their Tela macOS devices, and particularly User Affinity with Secure Enclave (for those single teacher use)

I have an annoying error on the last step after setup assistant and the enrolment process (when you finally register your mac - for our non affinity devices this works fine, but uses password for credential as they are not hardware bound)

<Screenshot 2026-05-20 at 1.38.48 PM.png>

I do not usually give end users bind entra ID as the mac is already bound via ADE from Apple School Manager (with all the usual Platform SSO settings etc)

I read there has been some changes lately in the process chain so maybe there is something broken now?

Matt

--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/94f17995-be79-46a0-9e34-0fdc41cc12d4n%40googlegroups.com.

[Matt Strickland]

Hi Carl,

Thanks - I've tried that this morning the flow is different, but I'm still not quite there. I believe its taking too long for the required Company Portal app to be pushed to the mac (I've waited >1hour on the setup screen, but still get a Mac does not have the necessary SSO application or extension)....

I'm just about to try again with a whole new static user group, only those three profiles attached and see what happens.

I'm also reading the same blog post mentioning it. https://techcommunity.microsoft.com/blog/intunecustomersuccess/new-platform-sso-with-registration-during-automated-device-enrollment-on-macos/4519846

Matt

[Matt Strickland]

Amazingly, 2 minutes after I posted it installed and registration was completed within setup assistant.

Now the only issue is the Token To User Mapping setting I have which is setting the home folder to the full UPN, ill change it back to name to see what happens (as I am also combining Kerberos SSO for local auth) so trying to get both to play together. I have a working flow for non-affinity, but getting user affinity both psso and kerberos has just been a bit more of a challenge.

Matt