Solved

Intune Company Portal on macOS fails to sync

  • February 5, 2026
  • 3 replies
  • 288 views

With Netskope client enabled, macOS machines are failing to sync to Intune.  When I disable the client the sync works as normal.  I have all of the predefined cert pinned app exceptions for both Windows and macOS in place, and Windows machines have no issues.

I found this thread in the community pages that discusses this issue on Windows, and one comment briefly discusses macOS, but the thread is closed and I can’t see any of the replies, so I'm not even sure if there is more info in here that I can’t get to.  I did create an additional custom cert pinned app for macOS and included the below processes, and added ‘*’ to bypass all domains.  Nothing is working though.

company portal
omadmclient
intunemdmagent
mdmclient
company portalmdmclientwdavdaemon_enterprise

Has anyone figured out how to get Netskope to not interfere with Company Portal on macOS?

Best answer by joe.caudill-9bc11a4d

@sshiflett - Thanks for the response.  I dug through logs for days and didn’t find anything new until I ran Activity Monitor.

I was able to resolve this though.

TL;DR - I created a custom cert pinned app and used the below configs.

Processes:
company portal, omadmclient, intunemdmagent, mdmclient, company portalmdmclientwdavdaemon_enterprise,  IntuneMdmDaemon

Domains:
*.adl.windows.com
*.api.flightproxy.skype.com
*.attest.azure.net
*.azureedge.net
*.cdn.storeedgefd.dsx.mp.microsoft.com
*.certauth.enterpriseregistration.windows.net
*.clientconfig.passport.net
*.config.edge.skype.com
*.displaycatalog.mp.microsoft.com
*.dl.delivery.mp.microsoft.com
*.dm.microsoft.com
*.do.dsp.mp.microsoft.com
*.ecs.communication.microsoft.com
*.edge.microsoft.com
*.edge.skype.com
*.ekcert.spserv.microsoft.com
*.ekop.intel.com
*.endpoint.microsoft.com
*.enterpriseregistration.windows.net
*.events.data.microsoft.com
*.fd.api.orgmsg.microsoft.com
*.ftpm.amd.com
*.gov.teams.microsoft.us
*.graph.microsoft.com
*.has.spserv.microsoft.com
*.intune.microsoft.com
*.lgmsapeweu.blob.core.windows.net
*.licensing.mp.microsoft.com
*.manage.microsoft.com
*.monitor.azure.com
*.notify.windows.com
*.portal.manage-beta.microsoft.com
*.portal.manage-ppe.microsoft.us
*.portal.manage-selfhost.microsoft.com
*.portal.manage.microsoft.us
*.purchase.md.mp.microsoft.com
*.remoteassistanceprodacs.communication.azure.com
*.remoteassistanceprodacseu.communication.azure.com
*.remoteassistanceweb.usgov.communication.azure.us
*.remotehelp.microsoft.com
*.ris.prod.api.personalization.ideas.microsoft.com
*.s-microsoft.com
*.storeedgefd.dsx.mp.microsoft.com
*.support.services.microsoft.com
*.time.windows.com
*.trouter.communication.microsoft.com
*.trouter.skype.com
*.trouter.teams.microsoft.com
*.tsfe.trafficshaping.dsp.mp.microsoft.com
*.update.microsoft.com
*.wcpstatic.microsoft.com
*.webpubsub.azure.com
*.windowsphone.com
*.windowsupdate.com
*.wns.windows.com
autologon.microsoftazuread-sso.com
in.appcenter.ms
secure.aadcdn.microsoftonline-p.com
winatp-gw-eus.microsoft.com

I found an article that was specific for iOS and mentioned needing to remove the existing predefined cert pinned app, and then add it back and it would have updates.  So I thought I would try that and I could see it did add a ton more domains than the previous one.  That still did not resolve the issue.

I then ran Activity Monitor while reproducing the issue and found a few more processes that are involved.  These are not included in the predefined cert pinned app.  I added these to my custom one and it still didn’t fix it.

I then combed through all the logs I could get my hands on, even the transaction logs in advanced analytics.  I wasn’t finding anything else to add.

So, I created a support ticket and they gave me two more domains that “the backend engineers had just discovered and provided to them.”  I added these two new domains and that finally resolved it.

3 replies

  • Netskope Employee
  • February 9, 2026

I’d take a look at the nsdebuglog.log file and see if there are any other processes or domains that are missing.

Typically Intune fails due to certificate pinning.  Happy to take a look at the logs if you want to DM me.  



adam.mckay-f9fae22c

For us, our fix was a custom cert pinned app for the following applications:

company portal, omadmclient, intunemdmagent, mdmclient, intunemdmdaemon, wdavdaemon_enterprise

and a Custom App Domain list of:

in.appcenter.ms, enterpriseregistration.windows.net, graph.microsoft.com, agents.manage.microsoft.com, agents.msud01.manage.microsoft.com, manage.microsoft.com, i.manage.microsoft.com, config.edge.skype.com, ocsp.digicert.com, edr-eus.us.endpoint.security.microsoft.com, self.events.data.microsoft.com, mobile.events.data.microsoft.com

Some of these might not be strictly necessary but it works. Don’t delete the default Intune exception.

We don’t have access to wildcards in steering exceptions so the above list is verbose and should work for any customer.

For anyone interested, the “self.events.data.microsoft.com” and “mobile.events.data.microsoft.com” domains that intunemdmdaemon was accessing were the last we added and for all we know may have been the only two required to get this working - we haven’t gone back and tried to find the minimal set.
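
The gap-finding step both fixes above came down to (a couple of hosts missing from the exception list) can be checked mechanically. This is an added example, not code from any poster or from Netskope: the (process, host) pairs are constructed sample data, and the matching rules, including whether `*.d` also covers the bare domain `d`, are assumptions to confirm against the product.

```python
# Added example: which observed (process, host) pairs does an exception list miss?
# Matching semantics are an assumption, not Netskope's documented behaviour.

def covers(pattern, host, apex=False):
    """True if an exception entry covers host.

    '*' covers everything; '*.d' covers subdomains of d on a label boundary
    (and d itself only when apex=True); any other entry is an exact match.
    """
    pattern = pattern.strip().lower().rstrip(".")
    host = host.strip().lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) or (apex and host == pattern[2:])
    return host == pattern


def uncovered(observed, exceptions, apex=False):
    """Map each process (lowercased) to the sorted hosts no entry covers."""
    gaps = {}
    for process, host in observed:
        if not any(covers(p, host, apex) for p in exceptions):
            gaps.setdefault(process.lower(), set()).add(host.lower())
    return {proc: sorted(hosts) for proc, hosts in gaps.items()}


# Constructed sample: pairs noted by hand while reproducing a failed sync.
OBSERVED = [
    ("Company Portal", "graph.microsoft.com"),
    ("mdmclient", "manage.microsoft.com"),
    ("IntuneMdmAgent", "i.manage.microsoft.com"),
    ("IntuneMdmDaemon", "self.events.data.microsoft.com"),
    ("IntuneMdmDaemon", "mobile.events.data.microsoft.com"),
]

# Exact-match list (no wildcards), missing the two events.data hosts.
EXACT = ["in.appcenter.ms", "enterpriseregistration.windows.net", "graph.microsoft.com",
         "manage.microsoft.com", "i.manage.microsoft.com", "config.edge.skype.com"]

# Wildcard-style list: whether '*.d' also covers the bare domain d depends on the product.
WILDCARD = ["*.graph.microsoft.com", "*.manage.microsoft.com", "*.events.data.microsoft.com"]

if __name__ == "__main__":
    print("exact list gaps:   ", uncovered(OBSERVED, EXACT))
    print("wildcard list gaps:", uncovered(OBSERVED, WILDCARD))
    print("wildcard + apex:   ", uncovered(OBSERVED, WILDCARD, apex=True))
```

Keeping the exception list as narrow as the gaps require, rather than bypassing `*`, limits how much traffic leaves inspection.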