Exploring Microsoft Intune's Remote Help on macOS: A Hands-On Guide

In today's digital age, remote assistance has become an essential tool for providing technical support to users. Microsoft Intune offers a powerful solution for secure help desk connections through its Remote Help feature. Designed specifically for macOS users, Remote Help allows support staff to remotely connect to a user's device and provide assistance. In this comprehensive guide, we will explore the capabilities, requirements, and step-by-step instructions for using Remote Help on macOS with Microsoft Intune.


Introduction to Remote Help with Microsoft Intune


Remote Help is a cloud-based solution offered as an add-on to Microsoft Intune. It enables secure help desk connections with role-based access controls, allowing support staff to remotely connect to a user's device. In this context, users who provide help are referred to as "helpers," while users who receive help are called "sharers." Both helpers and sharers sign in to their organization's web app using Azure Active Directory (Azure AD) credentials.

During a Remote Help session, the helper has the ability to view the sharer's device display, enabling them to diagnose and resolve technical issues remotely. To ensure security and control, Remote Help uses Intune role-based access controls (RBAC) to define the level of access a helper is allowed. Through RBAC, administrators can determine which users can provide help and the extent of help they can offer.

Remote Help on macOS

Remote Help on macOS offers several key capabilities that enhance the support experience. These capabilities include:

Help users on unenrolled devices

By default, the Remote Help feature is turned off for devices not enrolled in Intune. However, as an Intune admin you can choose to enable this function for unenrolled devices as well. This adaptability allows for a broader spectrum of devices to receive support, irrespective of whether they’re enrolled in Intune or not.

Conditional Access

You can also take advantage of conditional access features when configuring policies and criteria for Remote Help. This functionality allows for more nuanced control over who is eligible for Remote Help and the specific conditions under which it can be accessed.

Compliance Warnings

Prior to initiating a Remote Help session, helpers receive a non-compliance alert if the device sharing the screen doesn’t meet the set policies. Although this warning doesn’t prevent access, it offers visibility into potential security risks, like the exposure of administrative credentials, that may arise during the session.

Chat during remote support session

Remote Help comes with an advanced chat function that keeps a running log of all messages sent and received throughout the session. This chat feature accommodates special characters and supports multiple languages, such as Chinese and Arabic.


Prerequisites for Remote Help on macOS

Before using Remote Help on macOS, there are several general prerequisites that need to be met. These prerequisites include:

  • Proper licensing and configuration of Microsoft Intune.
  • Access to the Microsoft Intune admin center.
  • User accounts with the necessary permissions to provide or receive help.

In addition to the general prerequisites, there are specific requirements for using Remote Help on macOS. These requirements include:

  • macOS versions: 11 Big Sur, 12 Monterey, and 13 Ventura.
  • Safari (version 16.4.1+), Chrome (version 109+), and Microsoft Edge (version 109+).

Enable Remote Help

  • Set Enable Remote Help to Enabled to allow the use of remote help. By default, this setting is Disabled.
  • Set Allow Remote Help to unenrolled devices to Enabled if you want to allow this option. By default, this setting is Disabled.
  • Set Disable chat to Yes to remove the chat functionality in the Remote Help app. By default, chat is enabled and this setting is set to No.
  • Select Save.

Network Requirements

Remote Help depends on network connectivity to create and sustain secure links between helpers and sharers. Communication between devices happens over port 443 (HTTPS) and uses the Remote Desktop Protocol (RDP). For a smooth connection, the following endpoints must be reachable via port 443:

| Domain/Name | Description |
| --- | --- |
| *.aria.microsoft.com | Accessible Rich Internet Applications (ARIA) service for providing accessible experiences to users |
| *.cc.skype.com | Required for Azure Communication Service |
| *.events.data.microsoft.com | Microsoft Telemetry Service |
| *.flightproxy.skype.com | Required for Azure Communication Service |
| *.registrar.skype.com | Required for Azure Communication Service |
| *.support.services.microsoft.com | Primary endpoint used for the Remote Help application |
| *.trouter.skype.com | Used for Azure Communication Service for chat and connection between parties |
| *.aadcdn.msauth.net | Required for logging in to the application Microsoft Azure Active Directory |
| *.aadcdn.msftauth.net | Required for logging in to the application Microsoft Azure Active Directory |
| *.edge.skype.com | Used for Azure Communication Service for chat and connection between parties |
| *.login.microsoftonline.com | Required for Microsoft sign-in service. Might not be available in preview in all markets or for all localizations |
| *.remoteassistanceprodacs.communication.azure.com | Used for Azure Communication Service for chat and connection between parties |
| *.turn.azure.com | Azure Communication Service |
| *.remotehelp.microsoft.com | Primary endpoint for Remote Help Web App |
| *.trouter.teams.microsoft.com | Allows for the Remote Help Web App to become directly addressable within the web browser |
| *.trouter.communication.microsoft.com | Allows for the Remote Help Web App to become directly addressable within the web browser |
| *.alcdn.msauth.net | Required to sign in to the application Microsoft Azure Authentication Library |
| *.wcpstatic.microsoft.com | Used to confirm cookie compliance in accordance with various laws |
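
When sessions fail to connect, a quick check is whether the proxy or firewall is denying any of the endpoints listed above. The following is an added example, not part of the original guide or of any Microsoft tooling: it scans proxy log lines for denied port 443 requests that fall under the required wildcards. The log format and the sample hostnames are constructed for illustration. Bare-domain ("apex") hits are reported separately because whether a `*.domain` rule also covers the bare domain depends on the filtering product.

```python
import re

# Wildcard endpoints from the Network Requirements list.
REQUIRED = """
*.aria.microsoft.com *.cc.skype.com *.events.data.microsoft.com
*.flightproxy.skype.com *.registrar.skype.com *.support.services.microsoft.com
*.trouter.skype.com *.aadcdn.msauth.net *.aadcdn.msftauth.net *.edge.skype.com
*.login.microsoftonline.com *.remoteassistanceprodacs.communication.azure.com
*.turn.azure.com *.remotehelp.microsoft.com *.trouter.teams.microsoft.com
*.trouter.communication.microsoft.com *.alcdn.msauth.net *.wcpstatic.microsoft.com
""".split()

# Constructed proxy log lines (format and hostnames are illustrative only).
SAMPLE_LOG = """\
2024-01-10T09:14:02Z DENY CONNECT remotehelp.microsoft.com:443
2024-01-10T09:14:03Z ALLOW CONNECT login.microsoftonline.com:443
2024-01-10T09:14:05Z DENY CONNECT relay1.turn.azure.com:443
2024-01-10T09:14:06Z DENY CONNECT updates.example.net:443
2024-01-10T09:14:07Z DENY CONNECT edge.skype.com.example.net:443
"""

LINE_RE = re.compile(r"^\S+ (ALLOW|DENY) CONNECT ([^\s:]+):(\d+)$")

def classify(host):
    """Return (kind, pattern): kind is 'subdomain', 'apex' or None."""
    host = host.lower().rstrip(".")
    for pattern in REQUIRED:
        base = pattern[2:]                 # strip the leading "*."
        if host.endswith("." + base):      # label-aligned suffix match
            return "subdomain", pattern
        if host == base:                   # bare domain, no subdomain label
            return "apex", pattern
    return None, None

def blocked_remote_help(log_text):
    """List (host, kind, pattern) for denied port-443 requests to required endpoints."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != "DENY" or m.group(3) != "443":
            continue
        kind, pattern = classify(m.group(2))
        if kind:
            findings.append((m.group(2), kind, pattern))
    return findings

if __name__ == "__main__":
    for host, kind, pattern in blocked_remote_help(SAMPLE_LOG):
        print(f"{host}: blocked, {kind} of {pattern}")
```
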

To Request Help as a Sharer

To request assistance as a sharer using Remote Help, you’ll first need to contact the support team to get the process started. Here’s a detailed guide on how to go about it:

  • Contact your IT Team to request assistance.
  • Once both you and the helper are ready to start the session, the helper will send you a Remote Help session link. This link will be in the format:
    https://remotehelp.microsoft.com/quickconnect?passcode=p0uq6kjl
  • Open your browser and navigate to the provided session link. If required, sign in with your Azure AD credentials.
  • After signing in, you will see information about the helper, including their full name, job title, company, profile picture, and verified domain.
  • At this point, the helper can only request a screen sharing session. You will be prompted to allow remotehelp.microsoft.com to use your microphone. Select "Allow" to continue.
  • To proceed with the session, select "Share screen". Again, you may see a prompt to allow remotehelp.microsoft.com to share your screen. Select "Allow" to continue.
  • Once the session is established, the helper will be able to assist you in resolving any issues on your device.
  • If your device is unenrolled with Intune and your administrator allows help on unenrolled devices, you may need to enter a security code provided by the helper during the session setup process.
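
Because the session link arrives through chat or email, it is worth confirming that it has the format shown above before opening it. The following is an added example, not part of the original guide or of any Microsoft tooling: it checks the scheme, exact host, path and passcode of a received link. The passcode pattern (eight lowercase letters or digits) is an assumption inferred from the single sample link in this guide, and `check_session_link` is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit, parse_qs

EXPECTED_HOST = "remotehelp.microsoft.com"
EXPECTED_PATH = "/quickconnect"
# Assumption: passcode shape inferred from the guide's sample link.
PASSCODE_RE = re.compile(r"[a-z0-9]{8}")

def check_session_link(link):
    """Return a list of problems; an empty list means the link has the expected shape."""
    try:
        url = urlsplit(link.strip())
        port = url.port                      # raises ValueError on a malformed port
    except ValueError:
        return ["not a parseable URL"]
    problems = []
    if url.scheme != "https":
        problems.append("scheme is not https")
    if url.username is not None or url.password is not None:
        # "https://expected-host@other-host/" really connects to other-host
        problems.append("URL contains userinfo before the host")
    if url.hostname != EXPECTED_HOST:        # exact match, not a substring or suffix test
        problems.append(f"host is {url.hostname!r}, expected {EXPECTED_HOST!r}")
    if port not in (None, 443):
        problems.append("unexpected port")
    if url.path != EXPECTED_PATH:
        problems.append("unexpected path")
    codes = parse_qs(url.query).get("passcode", [])
    if len(codes) != 1 or not PASSCODE_RE.fullmatch(codes[0]):
        problems.append("passcode missing or malformed")
    return problems

if __name__ == "__main__":
    # First link is the guide's sample; the others are constructed variants.
    for link in (
        "https://remotehelp.microsoft.com/quickconnect?passcode=p0uq6kjl",
        "https://remotehelp.microsoft.com.helpdesk.example/quickconnect?passcode=p0uq6kjl",
        "https://remotehelp.microsoft.com@helpdesk.example/quickconnect?passcode=p0uq6kjl",
    ):
        print(link, "->", check_session_link(link) or "ok")
```
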

Providing Help

As a helper, your role is essential in offering remote support to sharers. Here’s how to go about it step-by-step:

  • Navigate to the device you're trying to help from within the Microsoft Intune admin center.
  • Sign in to the Microsoft Intune admin center, go to Devices > All devices, and select the macOS device on which assistance is needed.
  • From the remote actions bar across the top of the device view, select New remote assistance session, select Remote Help, and then select Continue.
  • Copy the session link and share it with the sharer you're trying to help before selecting Start to launch a new Remote Help session.
  • When the sharer navigates to the session link with the passcode embedded, they get directly to the specific session. As an alternative, you can copy and share the 8-digit passcode with the sharer. The sharer can navigate to aka.ms/rh and follow the steps.
  • When Remote Help opens in a new tab, you must sign in to authenticate to your organization.
  • After the sharer navigates to the Remote Help session, as the helper you'll see information about the sharer, including their full name, job title, company, profile picture, and verified domain. The sharer sees similar information about you.
  • At this time, you can only request a screen sharing session of the sharer's device. The sharer can choose to Allow or Decline the request.

You can also configure Conditional Access, which allows administrators to define policies and conditions for accessing Remote Help. By configuring Conditional Access, administrators can ensure that only authorized users can use Remote Help and that specific conditions are met.

Known Issues

While Remote Help is a powerful tool for remote assistance, there are a few known issues to be aware of. One such issue is that if the sharer exits a Remote Help session early, the helper may not be notified for 60+ seconds. Additionally, when using Microsoft Edge, the sharer may need to sign in to the browser before starting a session, or the device may be reported as unenrolled.

Conclusion

This is just the beginning! Currently, Remote Help on macOS only supports session viewing, but it's poised to become an indispensable resource for delivering secure and effective tech support. Whether you're on the receiving end of help or the one providing it, Remote Help promises a smooth and efficient support experience on macOS devices.