This guide provides instructions for you to offboard your macOS device onboarded to SEED.
- Users who need to offboard their macOS device from SEED.
Before you begin, make sure you have the following:
- An active TechPass account
- A SEED onboarded device
- [Optional] Your Intune Device ID
You need your Intune Device ID during the offboarding process. Here is how to find it:
Method 1: Retrieve Intune Device ID from your macOS device
- Open the Terminal and execute the following commands:
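```bash
# Prints the Intune Device ID found in the System keychain.
# Wrapped in a function so that `return` is valid when pasted into Terminal.
get_intune_id() {
  local intune_id num_candidates actual_id curr_latest_end_date_unix id end_date end_date_unix

  # Aliases of all certificates issued by the Intune MDM device CA.
  intune_id="$(security find-certificate -a /Library/Keychains/System.keychain | grep -E -B 4 '"issu"<blob>=.+MICROSOFT INTUNE MDM DEVICE CA' | grep alis | cut -d '"' -f 4)"
  if [ -z "$intune_id" ]
  then
    echo "Intune ID not found"
    return
  fi

  # Exactly one candidate: that is the Device ID.
  num_candidates="$(echo "$intune_id" | wc -l | tr -d ' ')"
  if [ "$num_candidates" -eq 1 ]
  then
    echo "$intune_id"
    return
  fi

  # Several candidates: pick the certificate with the latest expiry date.
  actual_id="Intune ID not found"
  curr_latest_end_date_unix=0
  while IFS= read -r id
  do
    end_date="$(security find-certificate -c "$id" -p /Library/Keychains/System.keychain | openssl x509 -noout -enddate | cut -d '=' -f 2)"
    end_date_unix="$(date -j -f "%b %e %H:%M:%S %Y %Z" "$end_date" "+%s")"
    if [ "$end_date_unix" -ge "$curr_latest_end_date_unix" ]
    then
      actual_id="$id"
      curr_latest_end_date_unix="$end_date_unix"
    fi
  done <<< "$intune_id"
  echo "$actual_id"
}

get_intune_id
```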
- Note down the Intune Device ID that is displayed on the Terminal window.
Method 2: Retrieve Intune Device ID from the TechPass portal
- On your non-SE GSIB device, go to the TechPass portal.
- On the TechPass portal, at the top right, go to your user name and click My Account. Your Profile details are displayed.
- Take note of the Intune Device ID from the Profile page.
Method 3: Raise a service request to retrieve Intune Device ID.
Note: Use this method if you cannot log in to your GMD or TechPass portal.
- Raise a service request to retrieve your Intune Device ID.
Note: For more information, refer to Offboarding FAQ.
- Go to Terminal and run `mdatp health`.
- Take note of the value displayed for org_id.
- Refer to the following table to identify your Defender organisation, then download the respective offboarding package.
org_id | Defender organisation | Offboarding package |
---|---|---|
faa36a5e-2da6-4225-8e27-226177c801a0 | WOG | Download offboarding package |
49237d71-42ac-425a-a803-881b92cc18ce | TechPass | Download offboarding package |
6389e966-e334-461d-86ce-0fed12484620 | Hive | Contact Hive support to get the offboarding package. |
Important
If your Defender organisation is Hive, please disregard the remaining steps in this document. Instead, you should obtain the offboarding package from Hive support and unenroll your device from Defender. Refer to Offboarding FAQ for guidance on unenrolling your device from Defender using the Hive offboarding package.
If your Defender organisation is either WOG or TechPass, you should use your TechPass account to download the offboarding package and proceed with the remaining steps.
If your Defender organisation is none of the above, please reach out to the IT support of the organization that provided you with the device for further assistance.
- Go to the folder where you downloaded the ZIP file and extract the files. You should see the following two files.
Note: The file names vary with the organisation.
- On your Terminal, run the following command:
```bash
sudo mdatp config tamper-protection enforcement-level --value audit
```
- On your Terminal, go to the folder where you extracted the files. For example, if they are in the Downloads > Offboarding_local_wog_mac folder, go to that folder.
- Copy the command below and run it in the same Terminal.
```bash
sudo chmod +x local_mac_offboarding.sh
```
- When prompted for a Password, enter your device password.
- Copy and run the following command on your Terminal.
```bash
sudo ./local_mac_offboarding.sh
```
When you see the following success message on your Terminal, you will be automatically directed to the SEED Offboarding: Device Record Removal form to submit the Intune Device ID.
Note: Ensure you complete the steps in Phase B immediately after Phase A. Failure to do so may result in your device update policy reinstalling the latest version of the removed SEED components.
- Successful completion of Phase A: Offboard device from SEED components.
- Intune Device ID: Generally, when you successfully offboard your device from the SEED components, the Intune Device ID is automatically displayed on the SEED Offboarding: Device Record Removal form. If it is not displayed, see Get Intune Device ID.
- [Optional] If you had raised a support request with the TechPass and SEED support team to offboard your device from the SEED components, please have the reference number ready as we may need this information.
To submit Intune Device ID:
- Ensure your Intune Device ID is displayed on the form. If it is not displayed, provide it.
- Enter your organizational email address in Organizational Email Address and click Verify.
- Enter the OTP.
- Indicate if you had any issues while completing Phase A.
- [Optional] If you had issues completing Phase A, we encourage you to provide the Support ticket number.
- Click Submit. When this request is processed successfully, we send a notification via email.
Note:
- We require up to 30 minutes to process your server-side offboarding request.
- If you are still waiting to receive an email after 30 minutes, please raise a service request.
The device clean-up policy applies to SEED users with TechPass IDs belonging to the TechPass Entra ID. You can identify a TechPass Entra ID account if your TechPass ID's domain is techpass.gov.sg. For example, [email protected] is associated with the TechPass Entra ID.
The primary objective of this policy is to remove inactive device records from the Intune portal.
Note:
- The device clean-up policy does not apply if your TechPass ID belongs to the WOG Entra ID.
- A TechPass ID in the WOG Entra ID typically aligns with your organizational email address, which is in the format <your_name>@<acronym for your agency>.gov.sg. For example, [email protected].
If your TechPass ID belongs to the TechPass Entra ID and you have not logged into your GMD for 90 consecutive days, the GMD becomes inactive, and its records are soft deleted from the Intune portal.
Note that soft deleting your device records does not wipe or retire the device. The device record is only temporarily removed from Intune.
As a result, SEED administrators will not be able to access details such as the device's health status, and they can no longer manage it from the SEED Dashboard.
You can restore your device records on Intune by simply logging in to your GMD device the next time, provided that:
- Your TechPass account is still active.
- Your MDM certificate is still valid or within 180 days after its expiry.
When you onboard your Internet Device to SEED, you receive an MDM certificate that is valid for one year from the date of onboarding. The certificate is automatically renewed if you are logged in to your GMD when it expires.
If the MDM certificate expires, it can be automatically renewed by logging in to your device within 180 days from the expiration date. In such cases, re-onboarding your device to SEED is not required.
If the certificate remains expired for over 180 days, your device record is permanently deleted, preventing access to SGTS products.
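
To see where a device currently sits in the certificate lifecycle described above, the following added example (not part of the SEED tooling or the original guide) reads the MDM certificate's expiry date the same way the Method 1 script does and classifies it against the 180-day renewal window. The function names and state labels are hypothetical, and it assumes the certificate can be looked up in the System keychain by the Intune Device ID.

```bash
#!/usr/bin/env bash
# Added example (not SEED tooling): place the device's MDM certificate in the
# lifecycle described above. Function names and state labels are hypothetical.

GRACE_DAYS=180                                  # renewal window after expiry
KEYCHAIN=/Library/Keychains/System.keychain     # same keychain as Method 1

# classify_mdm_cert <expiry_epoch> <now_epoch>
#   valid        certificate has not expired
#   renewable    expired, but logging in within the window renews it
#   past-window  expired for over 180 days: the device record is deleted
classify_mdm_cert() {
  local expiry="$1" now="$2"
  if [ "$now" -le "$expiry" ]; then
    echo "valid"
  elif [ "$now" -le $(( expiry + GRACE_DAYS * 86400 )) ]; then
    echo "renewable"
  else
    echo "past-window"
  fi
}

# days_until_deadline <expiry_epoch> <now_epoch>: whole days left before the
# renewal window closes (zero or negative once it has closed).
days_until_deadline() {
  echo $(( ($1 + GRACE_DAYS * 86400 - $2) / 86400 ))
}

# enddate_to_epoch "<openssl notAfter value>": BSD date (macOS), GNU date as fallback.
enddate_to_epoch() {
  date -j -f "%b %e %H:%M:%S %Y %Z" "$1" "+%s" 2>/dev/null || date -d "$1" "+%s"
}

# check_mdm_cert <intune_device_id>: macOS only, reads the System keychain.
check_mdm_cert() {
  local id="$1" end_date expiry now
  end_date="$(security find-certificate -c "$id" -p "$KEYCHAIN" 2>/dev/null \
    | openssl x509 -noout -enddate 2>/dev/null | cut -d '=' -f 2)"
  [ -n "$end_date" ] || { echo "No certificate found for $id" >&2; return 1; }
  expiry="$(enddate_to_epoch "$end_date")" || return 1
  now="$(date +%s)"
  echo "notAfter: $end_date"
  echo "state: $(classify_mdm_cert "$expiry" "$now")"
  echo "days until renewal window closes: $(days_until_deadline "$expiry" "$now")"
}

# Runs only when a Device ID is passed, e.g. ./check_cert.sh <Intune Device ID>
if [ -n "${1:-}" ]; then check_mdm_cert "$1"; fi
```
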