Configuring and using Remote Help on MacOS devices
I was recently privileged to attend an in-person meeting with a number of Microsoft Intune product managers at Microsoft’s UK HQ. The meeting is under NDA, so I can’t share a lot of things but it is clear that Microsoft are very much aware that the current value proposition of Intune Suite is not there. Many features that are on the horizon need to release before organisations can seriously look to use Intune Suite.
I personally feel that there are several items coming that can help organisations remove 3rd party products and align to the vision of doing more with less.
One of the items I can talk about though, as it was released a few days ago, is Remote Help on MacOS.
Remote Help is part of the Intune Suite add-on license that enables IT to remotely control and support their end users. Until recently, this was very limited to Windows devices and Android devices, and Windows does not currently support unattended mode. On the 22nd Sept, Remote Help was expanded to include support for MacOS.
In this article, I’m going to use a Windows device to assist a MacOS user. We’ll go through getting it configured and using it.
Licensing Requirements
As mentioned, Remote Help is part of the Intune Suite license. For the purposes of this demo, I’m using a demo tenant and I’ll be using the Intune Suite license as I can delete this tenant once done. If you’re going to follow along with me in your organisation’s tenant, be aware that a trial license can normally only be used once. This means if you want to try just Remote Help, then you should use the Remote Help trial license, as Remote Help does have its own standalone license as well. The reason I say this, is that if you set up the Intune Suite trial license now so that you can test Remote Help, and then later down the line Microsoft release additional capabilities to Intune Suite that you’d like to use, you’ll be stuck. You won’t be able to get another trial.
With that caveat over, here’s what you’ll need:
Intune subscription (such as included in E3).
Intune Suite OR Remote Help license for the helper (the admin) and then sharer (the user).
Limitations
There are a few limitations to be aware of with Remote Help at time of writing. These are:
Remote Help isn’t supported in GCC or DoD tenants.
Its not possible to use Remote Help for a user outside of your tenant.
Remote Help on MacOS is limited to view only currently. Full Control and unattended access is not yet available.
Configuring Remote Help
Once you have your licenses, head over to the Intune admin centre and navigate to Tenant Administration > Remote Help > Settings.
Select the “Configure” button and then enable Remote Help with your preferences. You can enable/disable access to unenrolled devices and also disable/enable chat.
RBAC
In my example, I’m logged in as a user with the Intune Administrator role, therefore Remote Help will be available to me by default, however you do not (and in most cases, should not!) need to give your help desk staff Intune administrator privileges. RBAC is supported for Remote Help using Intune’s RBAC capabilities.
The “Help Desk Operator” role has access to Remote Help by default however you can use a custom role if preferred. For example, you might want a tier 1 team to only have view capability, and not have access to elevate sessions.
Assign Licenses
We’re going to need to assign the Intune Suite (or Remote Help) add-on.
Deploying the Remote Help app
While your helper and sharer can download and install Remote Help when needed, in a larger environment you’ll likely want to distribute Remote Help to your managed devices ahead of time. Remote Help for MacOS is purely web-based at this time, but you’ll likely want the Remote Help app installed for supporting Windows devices.
In this example, I’m going to deploy the Remote Help app for Windows.
The latest version of Remote Help can be downloaded at the following URL: https://aka.ms/downloadremotehelp
You’ll need the Microsoft Win32 Content Prep Tool as well, if you don’t have it already, you can download it from here: https://github.com/microsoft/Microsoft-Win32-Content-Prep-Tool.
The install and uninstall command is below, although you will need to ensure that the executable name matches the name of the executable that was prepared using the Content Prep Tool.
Install
Uninstall
Once the Remote Help app is available on my helper’s device, we’re ready to provide support to our user.
Providing support with Remote Help
In my example scenario, Adele is unable to access company resources because she has not updated to the latest MacOS version required by Contoso’s compliance policies. Adele submits a support ticket, and Alex connects using Remote Help to guide her through updating to resolve the issue.
As we can see, the process is as follows:
Helper (support personnel) creates the remote help link and provides this to the sharer (end-user).
Sharer enters the link in their web browser, and is prompted to sign-in with their M365 identity if they’re not already signed in (I already was).
Helper starts the session when the sharer says they’re waiting for the session to start.
Helper connects and is shown the identity of the sharer. Helper must accept to proceed.
Sharer is shown the identity of the helper. Sharer must accept to proceed.
Helper is shown a message stating the device is non-compliant, and to exercise caution.
Sharer is prompted to share their microphone and screen.
Screen sharing session starts.
I did run into a few issues during my test, however I’m not sure if this is simply because I’m testing with virtual machines rather than physical machines. These were:
The Microsoft Enterprise SSO plug in had to be deployed. This allowed SSO using the user’s M365 identity. When this was not enabled, or using an inPrivate browsing session, the Remote Help service would state that the service was unavailable. If I were to guess, I would imagine this is because the browser is not able to send through the device compliance state to the service, but this isn’t stated in the documentation.
Screen sharing / window sharing did not work. It was enabled in the MacOS (sharer) device but nothing showed in the Windows (helper) device. This might be because I’m using a virtual Mac so I would be interested to hear from you if it worked well for you!
Wrapping Up
I think Microsoft’s increased investment in Remote Help is great to see, and adds more value to Intune Suite. There are still some limits, but I know these are items that Microsoft is working on. Examples of these limits are:
Unattended access for Windows and MacOS.
No support for iOS/iPadOS yet.
Limited support for Android (only supports Samsung or Zebra devices enrolled as Android Enterprise Dedicated).
There are some features that I think would be great to add to Remote Help to provide more feature parity with other remote support solutions. These are:
File sharing support - maybe underpinned by SmartScreen or Defender scanning of content?
Support for more platforms and access methods.
What do you think? Let me know in the comments below.
Until next time!