Hello techies! This week, I want to discuss a helpful topic on the Best Way to Troubleshoot macOS Configuration profiles and policies deployed through Intune, as we have already published multiple articles on creating and deploying macOS device profiles.
Today’s article will focus solely on troubleshooting, so once the configuration profile or policies get deployed on the end-user device, if an error occurs in the portal or on a particular end-user device, let us try to figure out, how to troubleshoot on the Intune portal.
If you’re unfamiliar with configuration profiles and their use and purpose, I recommend reading my article “Configure Device Restriction Settings for macOS Devices using Intune,” where I explain what configuration profiles are and why they’re useful. Additionally, I walked through creating a sample device restriction configuration profile and deploying it to a macOS device within an organization. Finally, I provide an overview of the end-user results.
In the same way for Intune policies, I recommend reading my article “Configure macOS Compliance Policy in Intune for macOS Device,” where I explain what a compliance policy is and why it is implemented for macOS devices using Intune. I also created a sample compliance policy for macOS devices within an organization.
Before jumping into the topic, in case you missed it, check out my previous article on how to manage System Integrity Protection for macOS devices using Intune. The article explained what SIP is and whether enabling or disabling SIP can be beneficial based on organizational use cases.
Also, we discussed how to check SIP status on a device using various methods and how to manage SIP settings using the Intune MDM Platform by editing a sample configuration profile in a test environment. Additionally, we discussed the Mac device use cases in organizations.
If you enjoy reading my articles on How to manage macOS devices with Microsoft Intune, you might also find my previous posts interesting; you can check them in a recently published video here. I talked about How to upgrade to macOS Sonoma and get familiar with its latest features that can boost productivity for end-users. Check out the video below and give us your feedback in the comments section.
Troubleshoot macOS Configuration Profiles in Intune Portal
Now that we have understood what configuration profiles and compliance policies are, let us first discuss how to troubleshoot the profiles and policies from the Intune portal by going to the Troubleshooting + support pane in the portal.
- Sign in to the Microsoft Intune admin center: https://intune.microsoft.com/.
- On the left sidebar, select the Troubleshooting + support pane.
- Under the Troubleshoot blade, select the User Account to continue.
- Make sure an Intune license is assigned to the user account, as shown in the screenshot below.
Note! IT Admins need to select the user account to which the affected macOS device is assigned, i.e. the user who is facing an issue with the deployed profile or policy in Intune.
In the Summary tab, administrators can easily view all device details associated with the end user, including assigned licenses, roles, scopes, installed apps, and applied policies and profiles. To check the details, Admins can click on each tab as shown above and troubleshoot them individually.
If the details are inaccurate or stale because the last sync date is very old, Admins can click on the ellipsis (…) option and select Refresh to get the latest report for the end user, in case it changed after the latest device sync.
In an alternate case, Admins can refresh by clicking each tab and the Refresh button, as shown below.
If the user faces any issue with their device, they can go to the Devices tab. If the user has multiple devices assigned to them, such as a Windows computer, MacBook, and a company-owned smartphone, they should select the device that has the problem and needs to be reviewed.
Note! We are troubleshooting a Mac device in this case, but the same steps can be applied to other platforms.
Once we click on the particular device, it redirects to the page with the device details. Let us review whether each of the items below is in the expected state, or whether any of them points to an issue.

| Check | Expected status |
|---|---|
| Check if the device is managed under the Properties tab. If it is not, the device is not enrolled and won’t receive compliance or configuration profiles. | MDM / EAS or MDM |
| Azure AD Join Type: check if the status is showing as “Registered” or “Not registered”. If it shows as “Not registered”, either the device has an enrollment issue, or Azure AD Join has not yet been performed and enrollment is still in progress on the user’s side. | Registered / Not registered |
| To ensure the device is compliant, check its compliance status. If the status is non-compliant, the end-user device may have failed one or more of the policies set under compliance by Admins. | Compliant / Non-Compliant |
| Intune devices are set to check in every 8 hours by default. If the Last check-in date is older than 24 hours, it may indicate a problem with the device sync status. An Admin can perform a force check-in to resolve the issue in such cases. | Date and Time |
| Check Device Compliance to see if the assigned policies are displayed correctly. If policies are missing or the status is non-compliant, open the policy and ensure it is targeted to the correct group of devices. | Status of each assigned compliance policy (Compliant / Non-Compliant) |
| Device Configuration displays the status of assigned configuration policies. If policies are missing, check if they are targeted correctly. Assign the policy to the correct user or device if needed. | Status of each assigned configuration profile (Succeeded / Error) |
Note! Just to make Admins aware, end users don’t need to enroll their devices to use App protection policies. This is great if they are using their own device for work stuff, also known as BYOD (Bring-Your-Own-Device). They can easily access all the company’s resources without any hassle.
Check Tenant Status
When checking the device status in the portal, it’s important not to overlook the tenant status. Neglecting this aspect can lead to deployment issues, causing failure to reach the end-user device for various reasons. Therefore, administrators must closely monitor the tenant status to ensure its health and enable smooth daily deployments.
The minimum requirement is to confirm the tenant status as a healthy and active subscription for deployments to occur. Additionally, admins can view details of active incidents and advisories that may affect profile deployment and policies.
This article will cover how to confirm the status of the primary tenant for successful deployments. Admins must take quick action to minimize service disruption in case of any failure.
Note! Each organization subscribing to Intune is hosted by an instance of Azure AD, known as a tenant. This ensures the security of the data and prevents access by third parties. Therefore, each organization has its own Azure AD tenant, making sure that the data is secured and not accessible to any unauthorized parties.
Let us check the basic tenant status by proceeding to Tenant Administration > Tenant Status in Intune Portal, and we will review 3 tabs to check the status.
- Tenant details
- Connector status
- Service health and message center
The Tenant Details section provides a quick overview of information about the organization’s tenant. It lets Admins view details such as the tenant’s name and location, MDM authority, and tenant service release number.
In addition, Admins can also find basic information about available licenses, including the number of licenses assigned to users. Note that licenses for devices are not displayed. The “Total Licensed Users” count refers to all users with a single license containing an Intune SKU. Whether the Intune SKU is enabled or disabled, users with this license are still considered authorized users.
The Connector Status page is an overview of all connectors. On this page, we can see the status of all the connections to external services, like the Apple VPP (Volume Purchase Program) or Windows Autopilot, and certificates or credentials required for unmanaged services, like APNS certificates.
The status of each connector is determined by the last successful sync time or by the expiry timestamp of the certificate or credential, as shown above. Connector statuses are categorized into three types; let us review each of them and their importance.
- The certificate or credential is valid for at least seven more days, and the last synchronization occurred less than 24 hours ago.
- The credential has expired, and the sync is overdue by three or more days.
- The certificate or credential will expire in less than a week, or the last sync occurred over 24 hours ago.
Once the status is known, Admins can click on each connector, review the properties set previously, and make any changes the connector requires.
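The three connector categories above are a threshold test on two timestamps. The following Python is an added example, not code from the article or from Intune, that applies those thresholds to constructed sample connectors so the categories can be checked against your own expiry and sync dates; where the article is silent (for example an expired credential that still synced recently) the example treats the case as a warning, which is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Thresholds as the article states them; assumptions are noted inline.
CERT_WARN_DAYS = 7                 # valid for at least seven more days is fine
SYNC_STALE = timedelta(hours=24)   # last sync within 24 h is fine
SYNC_OVERDUE = timedelta(days=3)   # assumption: "overdue by three or more days" = no sync for 3+ days

def classify_connector(expires_at, last_sync, now):
    """Return 'healthy', 'unhealthy' or 'warning' for one connector."""
    days_left = (expires_at - now) / timedelta(days=1)
    since_sync = now - last_sync
    if days_left >= CERT_WARN_DAYS and since_sync < SYNC_STALE:
        return "healthy"
    if days_left < 0 and since_sync >= SYNC_OVERDUE:
        return "unhealthy"
    # Everything in between (expiring within a week, sync older than 24 h, or an
    # expired credential that synced recently) needs a look. Assumption: the article
    # only spells out the two clear-cut ends of the scale.
    return "warning"

def connector_report(connectors, now):
    """Map connector name -> status for a list of (name, expires_at, last_sync)."""
    return {name: classify_connector(exp, sync, now) for name, exp, sync in connectors}

def needs_attention(connectors, now):
    """Names of connectors that are not healthy, most urgent first."""
    order = {"unhealthy": 0, "warning": 1}
    report = connector_report(connectors, now)
    return sorted((n for n, s in report.items() if s != "healthy"),
                  key=lambda n: order[report[n]])

# Constructed sample values, not real tenant data.
UTC = timezone.utc
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=UTC)
SAMPLE = [
    ("Apple MDM push certificate", datetime(2024, 6, 1, tzinfo=UTC), datetime(2024, 3, 10, 2, 0, tzinfo=UTC)),
    ("Apple VPP token", datetime(2024, 3, 14, tzinfo=UTC), datetime(2024, 3, 8, tzinfo=UTC)),
    ("Windows Autopilot", datetime(2024, 3, 1, tzinfo=UTC), datetime(2024, 3, 5, tzinfo=UTC)),
]

if __name__ == "__main__":
    for name, status in connector_report(SAMPLE, NOW).items():
        print(f"{name}: {status}")
```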
Note! Admins can open a case with Microsoft support to investigate issues with connectors that report a status of Healthy or Connected but are not functioning correctly.
Service Health and Message Center
Admins can view the Intune Service Health, Issues in your environment, and Message Center posts by accessing the Service Health and Message Center page.
To customize communication or notification preferences for the Intune Message Center, Admins need to sign in to the Microsoft 365 admin center, go to Health > Service health, and select Customize. Select “Send me email notifications about service health” on the Email tab and configure additional preferences as needed.
As shown above, this page has three categories of status updates. Let us discuss each category below.
Intune Service Health
Under this category, only incidents that affect your tenant are shown. To view incident details, select an incident on the Tenant Status page. To view service health status, the Admin must have the Global Administrator or Service Support Administrator role.
Issues in Your Environment that Require Action
Admins can navigate to this section to view messages about issues that require attention. Admins need the Global Administrator or Service Support Administrator role to view this information.
Intune Message center
In this section, messages from the Intune service team can be viewed directly, without navigating to the Office Message Center. Messages include recent and upcoming changes to the Intune service. By default, only the 10 most recent and active messages are shown.
Select “See Past Messages” in the Microsoft 365 admin center to view older messages. To view Intune messages, Admins need the Global Administrator or Service Support Administrator role in Azure Active Directory.
Troubleshooting Configuration Profile in Intune Portal
Follow these steps to check whether the configuration profile was deployed properly on the end-user device.
- Sign in to the Microsoft Intune admin center https://intune.microsoft.com/.
- On the left sidebar, select Devices > macOS > macOS devices.
- Find the device that needs troubleshooting and click on it to check its status.
- Click on the Device Configuration blade on the left side and check whether all the profiles report a successful status.
While verifying the profiles, the status can be one of the following five values:
- Succeeded: Policy is deployed successfully on the Mac.
- Error: The policy was pushed to the device and tried to get installed but failed with an error code. Check the error code that links to an explanation.
- Conflict: Two profiles apply the same type of setting to the same device, and Intune can’t resolve which one should win. In this case, Admins can simply remove one of the policies so that a single, distinct setting applies on the end-user device.
- Pending: The device hasn’t checked in with Intune yet, and hasn’t received the policy yet.
- Not applicable: The device can’t receive the policy due to being ineligible.
Note! As a sample, we tried to troubleshoot a failed configuration on my device with error code -2016336110, which is due to a conflict with another configuration profile deployed earlier. Hence, as a duplicate profile, it failed.
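The per-device checklist from the Troubleshooting + support section and the five profile states listed above can be run as one triage pass over device records. The Python below is an added example, not code from the article or from Microsoft; the record keys `deviceName`, `managementAgent`, `azureADRegistered`, `complianceState`, `lastSyncDateTime`, and the `displayName`/`state` pairs are the Microsoft Graph managedDevice and deviceConfigurationState property names, while the `configurationStates` key (joining the two) and all values are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

STALE_CHECKIN = timedelta(hours=24)  # article: a check-in older than 24 h hints at a sync problem
MDM_AGENTS = {"mdm", "easMdm"}       # Graph managementAgent values meaning "managed by MDM"

def parse_graph_time(value):
    """Graph returns ISO 8601 with a trailing Z; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_device(dev, now):
    """Apply the article's checklist to one device record; return a list of findings."""
    findings = []
    if dev["managementAgent"] not in MDM_AGENTS:
        findings.append("not MDM-managed: not enrolled, profiles and policies will not apply")
    if not dev["azureADRegistered"]:
        findings.append("Azure AD join type is Not registered: enrollment may be incomplete")
    if dev["complianceState"] != "compliant":
        findings.append(f"compliance state is {dev['complianceState']}: review failed policies")
    if now - parse_graph_time(dev["lastSyncDateTime"]) > STALE_CHECKIN:
        findings.append("last check-in older than 24 h: force a check-in from the portal")
    for cfg in dev["configurationStates"]:
        # error / conflict / notApplicable are the states that need admin action
        if cfg["state"] in ("error", "conflict", "notApplicable"):
            findings.append(f"profile '{cfg['displayName']}' reports {cfg['state']}")
    return findings

def triage(devices, now):
    """Map deviceName -> findings for every device that has at least one."""
    return {d["deviceName"]: f for d in devices if (f := check_device(d, now))}

# Constructed sample records (made-up values) in the shape of Graph managedDevice objects,
# with each device's deviceConfigurationStates joined in under "configurationStates".
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
DEVICES = [
    {"deviceName": "MAC-001", "managementAgent": "mdm", "azureADRegistered": True,
     "complianceState": "compliant", "lastSyncDateTime": "2024-03-10T09:30:00Z",
     "configurationStates": [{"displayName": "macOS restrictions", "state": "compliant"}]},
    {"deviceName": "MAC-002", "managementAgent": "mdm", "azureADRegistered": False,
     "complianceState": "noncompliant", "lastSyncDateTime": "2024-03-07T08:00:00Z",
     "configurationStates": [{"displayName": "macOS restrictions", "state": "compliant"}]},
    {"deviceName": "MAC-003", "managementAgent": "mdm", "azureADRegistered": True,
     "complianceState": "compliant", "lastSyncDateTime": "2024-03-10T11:00:00Z",
     "configurationStates": [{"displayName": "macOS restrictions", "state": "compliant"},
                             {"displayName": "macOS restrictions (copy)", "state": "conflict"}]},
]

if __name__ == "__main__":
    for name, findings in triage(DEVICES, NOW).items():
        print(name, *findings, sep="\n  ")
```

MAC-003 reproduces the duplicate-profile conflict described in the note above; the fix is the same as in the text, remove one of the two profiles.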
Intune is a powerful tool that can help Admins manage multiple configuration profiles and deploy them on their macOS devices in organizations. Hence as an Administrator, ensuring a smooth deployment process with no conflicts and a good deployment success rate is important to keep the environment healthy. In this article, we’ve covered detailed troubleshooting steps that are easy to follow. We encourage you to review these steps actively to avoid any issues and make the most of Intune.
Snehasis Pani is currently working as a JAMF Admin. He loves to help the community by sharing his Apple Mac Devices Support knowledge. He is an M.Tech graduate in System Engineering. Do check out his profile on Twitter & Linkedin.