Question

Intune Company Portal on macOS fails to sync

  • February 5, 2026
  • 2 replies
  • 123 views

With Netskope client enabled, macOS machines are failing to sync to Intune.  When I disable the client the sync works as normal.  I have all of the predefined cert pinned app exceptions for both Windows and macOS in place, and Windows machines have no issues.

I found this thread in the community pages that discusses this issue on Windows, and one comment briefly discusses macOS, but the thread is closed and I can’t see any of the replies, so I’m not even sure if there is more info in here that I can’t get to. I did create an additional custom cert pinned app for macOS and included the below processes, and added ‘*’ to bypass all domains. Nothing is working though.

company portal
omadmclient
intunemdmagent
mdmclient
company portalmdmclientwdavdaemon_enterprise

Has anyone figured out how to get Netskope to not interfere with Company Portal on macOS?

2 replies

  • Netskope Employee
  • February 9, 2026

I’d take a look at the nsdebuglog.log file and see if there are any other processes or domains that are missing.

Typically Intune fails due to certificate pinning. Happy to take a look at the logs if you want to DM me.


@sshiflett - Thanks for the response.  I dug through logs for days and didn’t find anything new until I ran Activity Monitor.

I was able to resolve this though.

TL;DR - I created a custom cert pinned app and used the below configs.

Processes:
company portal, omadmclient, intunemdmagent, mdmclient, company portalmdmclientwdavdaemon_enterprise, IntuneMdmDaemon

Domains:

I found an article that was specific for iOS and mentioned needing to remove the existing predefined cert pinned app, and then add it back and it would have updates.  So I thought I would try that and I could see it did add a ton more domains than the previous one.  That still did not resolve the issue.

I then ran Activity Monitor while reproducing the issue and found a few more processes that are involved. These are not included in the predefined cert pinned app. I added these to my custom one and it still didn’t fix it.

I then combed through all the logs I could get my hands on, even the transaction logs in advanced analytics.  I wasn’t finding anything else to add.

So, I created a support ticket and they gave me two more domains that “the backend engineers had just discovered and provided to them.”  I added these two new domains and that finally resolved it.
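
Added example, not part of the original posts and not Netskope tooling: a small Python check of which hostnames seen while reproducing the sync failure are not matched by a bypass-domain list, which is the gap the thread ends up closing by hand. The wildcard matching rules, the function names and the observed hostnames are assumptions made for the demo.

```python
# Added example: find observed hostnames that a bypass-domain list does not cover.
# Wildcard semantics below are an ASSUMPTION, not Netskope's documented behaviour:
#   "*.example.com" covers any subdomain of example.com but not example.com itself,
#   a pattern without "*" must match exactly, and a bare "*" covers everything.

def normalize(name: str) -> str:
    """Lower-case a hostname and strip whitespace and a trailing root dot."""
    return name.strip().lower().rstrip(".")

def is_covered(host: str, patterns) -> bool:
    """True if any pattern in the list matches the hostname."""
    host = normalize(host)
    for raw in patterns:
        pat = normalize(raw)
        if pat == "*":
            return True
        if pat.startswith("*."):
            suffix = pat[1:]  # ".dm.microsoft.com": the leading dot forces a label boundary
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pat:
            return True
    return False

def uncovered(observed, patterns):
    """Deduplicated, sorted hostnames that no pattern covers."""
    return sorted({normalize(h) for h in observed
                   if h.strip() and not is_covered(h, patterns)})

# Sample patterns for the demo (a short subset, not a complete exception list).
PATTERNS = ["*.manage.microsoft.com", "*.dm.microsoft.com",
            "*.graph.microsoft.com", "in.appcenter.ms"]

# Constructed hostnames standing in for what logs or a capture might show.
OBSERVED = [
    "host1.manage.microsoft.com",
    "r.dm.microsoft.com",
    "IN.APPCENTER.MS.",        # case and trailing dot are normalized
    "graph.microsoft.com",     # apex: not covered by "*.graph.microsoft.com" here
    "telemetry.example.net",   # no pattern at all
    "host1.manage.microsoft.com",
]

if __name__ == "__main__":
    for host in uncovered(OBSERVED, PATTERNS):
        print("not covered:", host)
```

Hostnames it reports are candidates to check against the client logs before anything is added to the exception list.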