Share via

GSA installations in MAC

RSI_Raguvaran M 0 Reputation points
2026-05-21T13:02:03.67+00:00

User's image

GSA was installed, but I can't sign in without  Intune MDM. I'm currently using Addigy MDM.

Microsoft Security | Microsoft Entra | Microsoft Entra Internet Access

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Yousif Suliman Sayed Suliman 80 Reputation points
    2026-05-21T13:05:58.24+00:00

    🧠 What’s happening

    • GSA (Google Secure Access / or similar secure agent) was installed successfully
    • But sign-in is blocked because it requires Microsoft Intune MDM enrollment
    • Your device is currently managed by Addigy MDM (not Intune)

    👉 Many enterprise/security apps will only allow sign-in if the device is enrolled in the correct MDM system.

    So this is not a password issue or a consent issue — it’s a policy enforcement issue.

    🔒 Why you can’t sign in

    The app is checking:

    • “Is this device managed by Intune MDM?”

    It sees:

    • ❌ Addigy MDM instead
    • ❌ No Intune compliance signal

    So it blocks authentication.

    ⚠️ Important reassurance about your files

    This part is important based on what you were worried about earlier:

    • This issue does NOT affect your personal files
    • It does NOT delete anything from your computer
    • It only affects whether the app lets you sign in

    Your:

    • Pictures
    • School files
    • Documents

    are still safe locally unless you manually remove them.

    🛠 What you can do next

    Option 1 — If this is a school/work device (most likely)

    You cannot fix this yourself. You need to contact:

    • Your school IT admin OR
    • Whoever manages Addigy

    Tell them:

    “GSA requires Intune MDM enrollment, but the device is currently managed by Addigy MDM. I cannot sign in because device compliance is failing.”

    They may:

    • Enroll the device in Intune
    • Or whitelist Addigy-managed devices
    • Or provide a different login method

    Option 2 — If this is your personal device

    Then something is wrong because:

    • You should NOT be forced into Intune MDM unless your organization requires it

    You may need to:

    • Remove the GSA app
    • Reinstall using the correct setup method
    • Or sign in with a personal (non-managed) account

    🚨 Key takeaway

    • This is a device management policy block
    • Not a login failure
    • Not a file/data risk
    • Not something you caused

      🧠 What’s happening

      • GSA (Google Secure Access / or similar secure agent) was installed successfully
      • But sign-in is blocked because it requires Microsoft Intune MDM enrollment
      • Your device is currently managed by Addigy MDM (not Intune)
      👉 Many enterprise/security apps will only allow sign-in if the device is enrolled in the correct MDM system. So this is not a password issue or a consent issue — it’s a policy enforcement issue.

      🔒 Why you can’t sign in

      The app is checking:
      • “Is this device managed by Intune MDM?”
      It sees:
      • ❌ Addigy MDM instead
      • ❌ No Intune compliance signal
      So it blocks authentication.

      ⚠️ Important reassurance about your files

      This part is important based on what you were worried about earlier:
      • This issue does NOT affect your personal files
      • It does NOT delete anything from your computer
      • It only affects whether the app lets you sign in
      Your:
      • Pictures
      • School files
      • Documents
      are still safe locally unless you manually remove them.

      🛠 What you can do next

      Option 1 — If this is a school/work device (most likely)

      You cannot fix this yourself.
      You need to contact:
      • Your school IT admin OR
      • Whoever manages Addigy
      Tell them:

      “GSA requires Intune MDM enrollment, but the device is currently managed by Addigy MDM. I cannot sign in because device compliance is failing.”

      They may:
      • Enroll the device in Intune
      • Or whitelist Addigy-managed devices
      • Or provide a different login method

      Option 2 — If this is your personal device

      Then something is wrong because:
      • You should NOT be forced into Intune MDM unless your organization requires it
      You may need to:
      • Remove the GSA app
      • Reinstall using the correct setup method
      • Or sign in with a personal (non-managed) account

      🚨 Key takeaway

      • This is a device management policy block
      • Not a login failure
      • Not a file/data risk
      • Not something you caused

    Was this answer helpful?

    0 comments
  2. RSI_Raguvaran M 0 Reputation points
    2026-05-21T13:04:42.9733333+00:00

    User's image

    if try install Intune i got this error

    Was this answer helpful?

    0 comments

  3. AI answer

    2026-05-21T13:02:28.0033333+00:00

    The Global Secure Access (GSA) client on macOS doesn’t require Microsoft Intune specifically, but it does require that the Mac is:

    1. Registered to Microsoft Entra through a Company Portal app, and
    2. Managed by an MDM that deploys the required system extension and transparent application proxy approvals.

    In the current setup, the device state shows as Unregistered, so the ZTNA Policy Service Client sign-in is blocked.

    To use Addigy instead of Intune:

    1. Ensure the Mac is Entra-registered
      • Install the Company Portal app for macOS on the device.
      • Sign in with the user’s Microsoft Entra account so the device is registered to the tenant.
      • Confirm registration in Entra (device appears as a registered device).
    2. Deploy the GSA client with Addigy
      • Download GlobalSecureAccessClient.pkg from the Microsoft Entra admin center (Global Secure Access > Connect > Client download > macOS).
      • Use Addigy to deploy this .pkg to the macOS devices.
    3. Approve system extensions via Addigy MDM
      • In Addigy, create a configuration profile for macOS that allows the GSA system extensions.
      • Under the System Extensions payload, add the following allowed extensions:
        • Bundle identifier: com.microsoft.globalsecureaccess.tunnel, Team identifier: UBF8T346G9
        • Bundle identifier: com.microsoft.globalsecureaccess, Team identifier: UBF8T346G9
      • Assign this profile to the target Macs.
    4. Allow the transparent application proxy
      • Create a custom configuration profile in Addigy that mirrors the Intune “Custom” profile used to allow the transparent application proxy for GSA.
      • Deploy this profile to the same devices.
    5. (Optional but recommended) Deploy Microsoft Enterprise SSO plug-in
      • Use Addigy to deploy the Microsoft Enterprise SSO plug-in for Apple devices and ensure the Company Portal app is installed.
      • This enables SSO so the user can sign in to GSA using the same Entra credentials without repeated prompts.
    6. Retry sign-in
      • After the profiles and client are deployed and the device is registered, restart the Mac.
      • Launch the Global Secure Access client and sign in again. The device state should now be recognized, and sign-in should succeed.

    If Addigy doesn’t yet have the required system extension and proxy approvals in place, the client will continue to show the device as unregistered and block sign-in, even though the GSA app is installed.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.