Check For Mdm Profile Macos

| Posted on by

Remove a configuration profile in iOS or macOS However, be aware that removing a profile will remove all settings associated with it. If the profile was used to configure your email or wireless connection, removing it will remove those settings, and you will no longer have access to those services.

-->

To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop or mobile device. The following sections describe the procedures for collecting MDM logs.

Download the MDM Diagnostic Information log from Windows 10 PCs

  1. Mac os x 10.11 el capitan. On your managed device go to Settings > Accounts > Access work or school.

  2. Click your work or school account, then click Info.

  3. At the bottom of the Settings page, click Create report.

  4. A window opens that shows the path to the log files. Click Export.

  5. In File Explorer, navigate to c:UsersPublicDocumentsMDMDiagnostics to see the report.

Collect logs directly from Windows 10 PCs

Starting with the Windows 10, version 1511, MDM logs are captured in the Event Viewer in the following location:

  • Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider

Here's a screenshot:

In this location, the Admin channel logs events by default. However, if you need more details logs you can enable Debug logs by choosing Show Analytic and Debug logs option in View menu in Event Viewer.

To collect Admin logs

  1. Right click on the Admin node.
  2. Select Save all events as.
  3. Choose a location and enter a filename.
  4. Click Save.
  5. Choose Display information for these languages and then select English.
  6. Click Ok.

For more detailed logging, you can enable Debug logs. Right click on the Debug node and then click Enable Log.

To collect Debug logs

  1. Right click on the Debug node.
  2. Select Save all events as.
  3. Choose a location and enter a filename.
  4. Click Save.
  5. Choose Display information for these languages and then select English.
  6. Click Ok.

You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC running the November 2015 update.

Collect logs remotely from Windows 10 PCs

When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this. The DiagnosticLog CSP can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels:

  • Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FAdmin
  • Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug

Example: Enable the Debug channel logging

Macos mojave for macbook 2011. Apr 24, 2020  Your Mac also needs at least 2GB of memory and 12.5GB of available storage space, or up to 18.5GB of storage space when upgrading from OS X Yosemite or earlier. MacBook introduced in 2015 or later MacBook Air introduced in 2012 or later MacBook Pro introduced in 2012 or later Mac mini introduced in 2012 or later iMac introduced in 2012 or later.

Example: Export the Debug logs

Collect logs from Windows 10 Mobile devices

Since there is no Event Viewer in Windows 10 Mobile, you can use the Field Medic app to collect logs.

To collect logs manually

  1. Download and install the Field Medic app from the store.

  2. Open the Field Medic app and then click on Advanced.

  3. Click on Choose with ETW provider to use.

  4. Check Enterprise and un-check the rest.

  5. In the app, click on Start Logging and then perform the operation that you want to troubleshoot.

  6. When the operation is done, click on Stop Logging.

  7. Save the logs. They will be stored in the Field Medic log location on the device.

  8. You can send the logs via email by attaching the files from Documents > Field Medic > Reports > .. folder.

The following table contains a list of common providers and their corresponding GUIDs.

GUIDProvider Name
099614a5-5dd7-4788-8bc9-e29f43db28fcMicrosoft-Windows-LDAP-Client
0f67e49f-fe51-4e9f-b490-6f2948cc6027Microsoft-Windows-Kernel-Processor-Power
0ff1c24b-7f05-45c0-abdc-3c8521be4f62Microsoft-Windows-Mobile-Broadband-Experience-SmsApi
10e4f0e0-9686-4e62-b2d6-fd010eb976d3Microsoft-WindowsPhone-Shell-Events
1e39b4ce-d1e6-46ce-b65b-5ab05d6cc266Microsoft-Windows-Networking-RealTimeCommunication
22a7b160-f6e8-46b9-8e0b-a51989c85c66Microsoft-WindowsPhone-Bluetooth-AG
2f94e1cc-a8c5-4fe7-a1c3-53d7bda8e73eMicrosoft-WindowsPhone-ConfigManager2
331c3b3a-2005-44c2-ac5e-77220c37d6b4Microsoft-Windows-Kernel-Power
33693e1d-246a-471b-83be-3e75f47a832dMicrosoft-Windows-BTH-BTHUSB
3742be72-99a9-42e6-9fd5-c01a330e3625Microsoft-WindowsPhone-PhoneAudio
3b9602ff-e09b-4c6c-bc19-1a3dfa8f2250Microsoft-WindowsPhone-OmaDm-Client-Provider
3da494e4-0fe2-415C-b895-fb5265c5c83bMicrosoft-WindowsPhone-Enterprise-Diagnostics-Provider
3f471139-acb7-4a01-b7a7-ff5da4ba2d43Microsoft-Windows-AppXDeployment-Server
4180c4f7-e238-5519-338f-ec214f0b49aaMicrosoft.Windows.ResourceManager
4637124c-1d40-4b4d-892f-2aaecf24ff06Microsoft-Windows-WinJson
4d13548f-c7b8-4174-bb7a-d7f64bf22d29Microsoft-WindowsPhone-LocationServiceProvider
4eacb4d0-263b-4b93-8cd6-778a278e5642Microsoft-Windows-GenericRoaming
4f386063-ef17-4629-863c-d71597af743dMicrosoft-WindowsPhone-NotificationService
55404e71-4db9-4deb-a5f5-8f86e46dde56Microsoft-Windows-Winsock-NameResolution
59819d0a-adaf-46b2-8d7c-990bc39c7c15Microsoft-Windows-Battery
5c103042-7e75-4629-a748-bdfa67607facMicrosoft-WindowsPhone-Power
69c1c3f1-2b5c-41d0-a14a-c7ca5130640eMicrosoft-WindowsPhone-Cortana
6ad52b32-d609-4be9-ae07-ce8dae937e39Microsoft-Windows-RPC
7263516b-6eb0-477b-b64f-17b91d29f239Microsoft-WindowsPhone-BatterySense
7dd42a49-5329-4832-8dfd-43d979153a88Microsoft-Windows-Kernel-Network
ae4bd3be-f36f-45b6-8d21-bdd6fb832853Microsoft-Windows-Audio
daa6a96b-f3e7-4d4d-a0d6-31a350e6a445Microsoft-Windows-WLAN-Driver
4d13548f-c7b8-4174-bb7a-d7f64bf22d29Microsoft-WindowsPhone-LocationServiceProvider
74e106b7-00be-4a55-b707-7ab58d6a9e90Microsoft-WindowsPhone-Shell-OOBE
cbda4dbf-8d5d-4f69-9578-be14aa540d22Microsoft-Windows-AppLocker
e595f735-b42a-494b-afcd-b68666945cd3Microsoft-Windows-Firewall
e5fc4a0f-7198-492f-9b0f-88fdcbfded48Microsoft-Windows Networking VPN
e5c16d49-2464-4382-bb20-97a4b5465db9Microsoft-Windows-WiFiNetworkManager

Collect logs remotely from Windows 10 Holographic or Windows 10 Mobile devices

For holographic or mobile devices already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the DiagnosticLog CSP.

You can use the DiagnosticLog CSP to enable the ETW provider. The provider ID is 3DA494E4-0FE2-415C-B895-FB5265C5C83B. The following examples show how to enable the ETW provider:

Add a collector node

Add the ETW provider to the trace

Start collector trace logging

Stop collector trace logging

After the logs are collected on the device, you can retrieve the files through the MDM channel using the FileDownload portion of the DiagnosticLog CSP. For details, see DiagnosticLog CSP.

View logs

For best results, ensure that the PC or VM on which you are viewing logs matches the build of the OS from which the logs were collected.

  1. Open eventvwr.msc.

  2. Right-click on Event Viewer(Local) and select Open Saved Log.

  3. Navigate to the etl file that you got from the device and then open the file.

  4. Click Yes when prompted to save it to the new log format.

  5. The new view contains traces from the channel. Click on Filter Current Log from the Actions menu.

  6. Add a filter to Event sources by selecting DeviceManagement-EnterpriseDiagnostics-Provider and click OK.

  7. Now you are ready to start reviewing the logs.

Collect device state data

Check For Mdm Profile Macos Software

Here's an example of how to collect current MDM device state data using the DiagnosticLog CSP, version 1.3, which was added in Windows 10, version 1607. You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files.

-->

Get answers to common questions when working with device profiles and policies in Intune. This article also lists the check-in time intervals, provides more detains on conflicts, and more.

Why doesn't a user get a new profile when changing a password or passphrase on an existing Wi-Fi profile?

You create a corporate Wi-Fi profile, deploy the profile to a group, change the password, and save the profile. When the profile changes, some users may not get the new profile.

ProfileCheck

To mitigate this issue, set up guest Wi-Fi. If the corporate Wi-Fi fails, users can connect to the guest Wi-Fi. Be sure to enable any automatically connect settings. Deploy the guest Wi-Fi profile to all users.

Some additional recommendations:

  • If the Wi-Fi network you're connecting to uses a password or passphrase, make sure you can connect to the Wi-Fi router directly. You can test with an iOS/iPadOS device.
  • After you successfully connect to the Wi-Fi endpoint (Wi-Fi router), note the SSID and the credential used (this value is the password or passphrase).
  • Enter the SSID and credential (password or passphrase) in the Pre-Shared Key field.
  • Deploy to a test group that has limited number of users, preferably only the IT team.
  • Sync your iOS/iPadOS device to Intune. Enroll if you haven't already enrolled.
  • Test connecting to the same Wi-Fi endpoint (as mentioned in the first step) again.
  • Roll out to larger groups and eventually to all expected users in your organization.

How long does it take for devices to get a policy, profile, or app after they are assigned?

Intune notifies the device to check in with the Intune service. The notification times vary, including immediately up to a few hours. These notification times also vary between platforms.

If a device doesn't check in to get the policy or profile after the first notification, Intune makes three more attempts. An offline device, such as turned off, or not connected to a network, may not receive the notifications. In this case, the device gets the policy or profile on its next scheduled check-in with the Intune service. The same applies to checks for non-compliance, including devices that move from a compliant to a non-compliant state.

Estimated frequencies:

PlatformRefresh cycle
iOS/iPadOSAbout every 8 hours
macOSAbout every 8 hours
AndroidAbout every 8 hours
Windows 10 PCs enrolled as devicesAbout every 8 hours
Windows PhoneAbout every 8 hours
Windows 8.1About every 8 hours

If the device recently enrolled, the compliance, non-compliance, and configuration check-in runs more frequently, which is estimated at:

PlatformFrequency
iOS/iPadOSEvery 15 minutes for 1 hour, and then around every 8 hours
macOSEvery 15 minutes for 1 hour, and then around every 8 hours
AndroidEvery 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours
Windows 10 PCs enrolled as devicesEvery 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours
Windows PhoneEvery 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours
Windows 8.1Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours

At any time, users can open the Company Portal app, Settings > Sync to immediately check for policy or profile updates.

What actions cause Intune to immediately send a notification to a device?

There are different actions that trigger a notification, such as when a policy, profile, or app is assigned (or unassigned), updated, deleted, and so on. These action times vary between platforms.

Devices check in with Intune when they receive a notification to check in, or during the scheduled check-in. When you target a device or user with an action, such as lock, passcode reset, app, profile or policy assignment, then Intune immediately notifies the device to check in to receive these updates.

Other changes, such as revising the contact information in the Company Portal app, don't cause an immediate notification to devices.

The settings in the policy or profile are applied at every check-in. The Windows 10 MDM policy refresh blog post may be a good resource.

Macos

If multiple policies are assigned to the same user or device, how do I know which settings gets applied?

When two or more policies are assigned to the same user or device, then the setting that applies happens at the individual setting level:

  • Compliance policy settings always have precedence over configuration profile settings.

  • If a compliance policy evaluates against the same setting in another compliance policy, then the most restrictive compliance policy setting applies.

  • If a configuration policy setting conflicts with a setting in another configuration policy, this conflict is shown in Intune. Manually resolve these conflicts.

What happens when app protection policies conflict with each other? Which one is applied to the app?

Conflict values are the most restrictive settings available in an app protection policy except for the number entry fields, such as PIN attempts before reset. The number entry fields are set the same as the values, as if you created a MAM policy using the recommended settings option.

Conflicts happen when two profile settings are the same. Mac os catalina for windows. For example, you configured two MAM policies that are identical except for the copy/paste setting. In this scenario, the copy/paste setting is set to the most restrictive value, but the rest of the settings are applied as configured.

A policy is deployed to the app and takes effect. A second policy is deployed. In this scenario, the first policy takes precedence, and stays applied. The second policy shows a conflict. If both are applied at the same time, meaning that there isn't preceding policy, then both are in conflict. Any conflicting settings are set to the most restrictive values.

What happens when iOS/iPadOS custom policies conflict?

Intune doesn't evaluate the payload of Apple Configuration files or a custom Open Mobile Alliance Uniform Resource Identifier (OMA-URI) policy. It merely serves as the delivery mechanism.

When you assign a custom policy, confirm that the configured settings don't conflict with compliance, configuration, or other custom policies. If a custom policy and its settings conflict, then the settings are applied randomly.

What happens when a profile is deleted or no longer applicable?

When you delete a profile, or you remove a device from a group that has the profile, then the profile and settings are removed from the device as described:

  • Wi-Fi, VPN, certificate, and email profiles: These profiles are removed from all supported enrolled devices.

  • All other profile types:

    • Windows and Android devices: Settings aren't removed from the device

    • Windows Phone 8.1 devices: The following settings are removed:

      • Require a password to unlock mobile devices
      • Allow simple passwords
      • Minimum password length
      • Required password type
      • Password expiration (days)
      • Remember password history
      • Number of repeated sign-in failures to allow before the device is wiped
      • Minutes of inactivity before password is required
      • Required password type – minimum number of character sets
      • Allow camera
      • Require encryption on mobile device
      • Allow removable storage
      • Allow web browser
      • Allow application store
      • Allow screen capture
      • Allow geolocation
      • Allow Microsoft account
      • Allow copy and paste
      • Allow Wi-Fi tethering
      • Allow automatic connection to free Wi-Fi hotspots
      • Allow Wi-Fi hotspot reporting
      • Allow wipe
      • Allow Bluetooth
      • Allow NFC
      • Allow Wi-Fi

    • iOS/iPadOS: All settings are removed, except:

      • Allow voice roaming
      • Allow data roaming
      • Allow automatic synchronization while roaming

I changed a device restriction profile, but the changes haven't taken effect

Once set, Windows Phone devices don't allow security policies set using MDM or EAS to be reduced in security. For example, you set a Minimum number of character password to 8. You try to reduce it to 4. The more restrictive profile is already applied to the device.

To change the profile to a less secure value, then reset security policies. For example, in Windows 8.1, on the desktop, swipe in from right > select Settings > Control Panel. Select the User Accounts applet. In the left-hand navigation menu, there's a Reset Security Policies link (toward the bottom). Select it, and then choose Reset Policies.

Other MDM devices, such as Android, Windows Phone 8.1 and later, iOS/iPadOS, and Windows 10 may need to be retired, and re-enrolled in to Intune to apply a less restrictive profile.

Some settings in a Windows 10 profile return 'Not Applicable'

Some settings on Windows 10 devices may show as 'Not Applicable'. When this happens, that specific setting isn't supported on the version or edition of Windows running on the device. This message can occur for the following reasons:

  • The setting is only available for newer versions of Windows, and not the current operating system (OS) version on the device.
  • The setting is only available for specific Windows editions or specific SKUs, such as Home, Professional, Enterprise, and Education.

To learn more about the version and SKU requirements for the different settings, see the Configuration Service Provider (CSP) reference.

Next steps

What Is Mdm Profile Iphone

Need extra help? See How to get support for Microsoft Intune.