Just to add to this… I have a setup where I need to restrict local admin access but it looks like I have to go the script route for now until Intune supports it. I’ll update if I can get it working or not.

I’d like to see this as well! I’m also looking for a source describing the local admin config you mentioned. This is something we struggle with since all onboarded devices have the first user as local admin.

It was a frustrating moment in the video XD

@henchffs same!

@@IntuneTraining just have to say I really love what you guys are doing for the community! You’re awesome!

We can block it with Configuration profile or something else ?

​@@62128Kevin Correct, you should rely on separate configs to enable/disable items.. The Enrollment profile options at the beginning of this video with those Show/hide options, I like to think of this piece as modifying/expediting the initial first time experience within the Apple Set up Assistant steps. Example, you hide the "Apple Pay" or "Face ID/ Touch ID" option. This just hides the option to set up those features within the first initial Apple Set up Assistant experience, but the user can always go into the device later and set it up. Hope this helps..

We have a video on personally owned iOS device enrollment coming in a week or so. Essentially, you can configure your device enrollment restrictions to allow/prevent personal enrollment. Ideally, corporate devices are pre-registered in Apple Business Manager - then they will come in as Supervised devices. Otherwise users can enroll corporate or personal devices using Company Portal.

@@IntuneTraining, Thanks for the answer. Looking forward to that video. Is setting up apple business manager with federated access to entra ID still required for personal mobile iOS devices? My understanding was it is still needed for personal devices so that we can setup a separate business icloud account that we manage while not touching an end users' personal icloud settings/data.

MDM and MAM scope is only for Windows. MDM scope is allowing users to enrol a Windows device into Intune. MAM is primarily used if you intend to use Windows information protection

@@samsthoughts6867 Got it, thank you!

You would integrate your Apple Business (or School) Manager instance with your tenant in order to enable managed Apple IDs. The important thing to remember is that requires a user's UPN match their email address. UPN aliases and Alternate IDs are not supported. From personal experience I would not recommend managed Apple IDs unless you're ready to put up with users constantly requesting password resets. Managed Apple IDs are a huge pain.

@@dp4491 password reset is not an issue if you use the authentication federation but still the managed appleid restriction 😉

Because we’ve used this several times before and have uploaded things already.

Yeah we have now, but it was expired, and we used a different apple account 🤣

Apple works very hard to allow users to ignore updates, it's one of the most frustrating parts of managing Macs. There are a couple of software solutions (Nudge, S.U.P.E.R.M.A.N.) that help enforce updates but they're not true enforcement, they're really just bugging users to apply updates.

I’ve a change in now for Nudge but supposedly our IT head doesn’t like open source software so not sure how that’s going to play out. Also got another change for setting up ASM so maybe when they are supervised I will have more control. Tnx for clarifying though because I would have hated to go through all that and there was just a setting in Intune to extend the restart timer.

I saw that they did deploy that script to the “licenses” user group. So that’s why it worked. The company portal VPP app they hovered over in the video was actually for iOS, not macOS. 👍🏼

Was looking for this reply