MFA Baseline Policies & Intune MDM Incompatibility
Under the new Partner Center security requirements, the requirement to enforce MFA for all users is incompatible with the available functionality of Intune with macOS
Our organisation has a 50/50 split between Windows and macOS devices. We use the Device Enrolment Program to enrol macOS devices out of the box. We use an enrolment profile with user affinity to ensure we can link devices to end users and to allow for continued use of the Company Portal application. However, when using such a profile, the user is required to sign in using their UPN within the macOS Setup Assistant. This process has no support for users with MFA, and as such the process reports any sign-in attempt as a failure. Previous support cases with Intune have simply told us that "the option of MFA for enrolling MAC OS devices via DEP is not available in Intune" and that was the end of it, with no clear indication of whether it was being addressed.
Our current workaround requires us to add an exclusion group to Conditional Access and disable their MFA from within the O365 Portal. Once the user has enrolled their device, we remove them from the group and MFA is once again enforced and configured on next sign-in. Under the new baseline policy, the grace period of 14 days for new users still allows us to use this process for new staff, but not for existing staff being issued with a spare or replacement device.
Any guidance/resolution on this would be greatly appreciated, our alternative options at this point don't look great.
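The Conditional Access part of the workaround above (add the user to the exclusion group for the enrolment, remove them afterwards) is the step most likely to be forgotten, leaving someone permanently without MFA. The script below is an added example, not code from the poster or from Microsoft; it assumes the Microsoft Graph PowerShell SDK and a hypothetical exclusion group named 'CA-MFA-Exclusion-DEP', and it records every change to a CSV so stale exclusions can be found at review time. The per-user MFA change in the portal is not automated here.

```powershell
# Added example: toggle a user's membership in the Conditional Access MFA
# exclusion group and keep an audit trail. Group name is hypothetical.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [ValidateSet('Add', 'Remove')] [string] $Action = 'Add',
    [string] $ExclusionGroupName = 'CA-MFA-Exclusion-DEP',       # hypothetical
    [string] $AuditLog = "$PSScriptRoot\ca-exclusion-audit.csv"
)

# Least-privilege scopes: read the user, read/write group membership only.
Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.ReadWrite.All'

$user  = Get-MgUser  -UserId $UserPrincipalName -Property Id, UserPrincipalName
$group = Get-MgGroup -Filter "displayName eq '$ExclusionGroupName'"
if (-not $group)            { throw "Exclusion group '$ExclusionGroupName' not found" }
if (@($group).Count -gt 1)  { throw "Group name is ambiguous; use the object id instead" }

# Check current membership so the script is safe to re-run.
$isMember = [bool](Get-MgGroupMember -GroupId $group.Id -All |
                   Where-Object Id -eq $user.Id)

switch ($Action) {
    'Add' {
        if ($isMember) { Write-Warning "$UserPrincipalName is already excluded from MFA" }
        else           { New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id }
    }
    'Remove' {
        if ($isMember) { Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id }
        else           { Write-Warning "$UserPrincipalName was not in the exclusion group" }
    }
}

# Record who changed what and when; exclusions that were never reverted
# show up as an 'Add' with no matching 'Remove'.
[pscustomobject]@{
    Timestamp = (Get-Date).ToString('o')
    Actor     = (Get-MgContext).Account
    Action    = $Action
    User      = $UserPrincipalName
    Group     = $group.DisplayName
} | Export-Csv -Path $AuditLog -Append -NoTypeInformation

# After every run, surface everyone still excluded so nobody stays there
# longer than the enrolment needs.
$stillExcluded = @(Get-MgGroupMember -GroupId $group.Id -All)
Write-Host "Users currently excluded from MFA: $($stillExcluded.Count)"
```

Run it once with `-Action Add` before the Setup Assistant sign-in and again with `-Action Remove` as soon as the device is enrolled; the final count line makes it obvious when a removal was missed.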