How to remove the certificate prompt from macOS which was caused by a CA policy

Anish Bhowmick 0 Reputation points
2024-02-22T11:32:56.8433333+00:00

Hi, We are currently working on deploying BYOD restrictions through Conditional Access policies. The policy is designed so that anyone logging into Office 365 from a non-compliant (macOS) device is unable to download anything from Office 365 (configured via session controls). The policy functions effectively with Windows devices, but on macOS, users encounter a certificate prompt during the login process. (screenshot of the certificate prompt)

Users who click 'Allow' receive the following Keychain prompt.

(screenshot of the Keychain prompt)

The issue arises because only users with admin rights can allow the certificate in the Keychain. However, in our organization, the majority of users do not have admin rights on Mac. We attempted to push the certificate via Intune, but only users with admin rights stopped receiving the prompts, while everyone else still gets them. Can anyone suggest a way to address this issue? Is there a method to directly add these certificates to end-user Mac Keychains so that they won't need to accept them?

Tags: Microsoft Security, Microsoft Entra, Microsoft Entra ID

1 answer

  1. Simon Ren-MSFT 40,341 Reputation points Microsoft External Staff
    2024-02-23T09:31:27.2966667+00:00

    Hi,

    Thank you for posting in Microsoft Q&A forum.

    Are you also using Jamf Pro with Microsoft Intune? Based on my research, on macOS devices, when Azure AD identifies the device using a client certificate provisioned during device registration, the end user is prompted to select the certificate before they can use the browser. Deploying the Microsoft Intune Company Portal app through Jamf Pro Self Service can help send the certificate to the Keychain.

    If the user has already imported the certificate into their Keychain with "Always Allow" at least once, they should not be asked to accept new certificates. However, launching the Company Portal app manually from the Applications or Downloads folders won't register the device. We recommend directing end users through email, Jamf Pro notifications, or any other method your organization uses to complete device registration.

    References:

    Enforce compliance on Macs managed with Jamf Pro

    Common Conditional Access policy: Require a compliant device, hybrid Azure AD joined device, or multifactor authentication for all users

    Learn about Conditional Access policy conditions for client apps

    Thanks for your time. Have a nice day!

    Best regards,

    Simon
