Microsoft Intune and Apple Mac Management

The Microsoft Intune team recently announced the ability to enroll and manage the Apple Mac. I’m happy to say that the feature has been deployed as part of the recent Intune release. Today’s post will focus on Mac enrollment and management via Intune.

For details you can read more about the update and what management features are offered for Mac here: &


  • A Mac running OS X 10.9 or later
  • An Intune Subscription
  • User(s) assigned an Intune license so they can enroll



Let’s get started

On the Mac navigate to

Log in with an Azure Active Directory (Azure AD) user credential (someone who also has an Intune license assigned):


Notice the customization of the login page, this can all be changed via Azure Active Directory in the Azure portal.


Select “This device is either not enrolled or the Company Portal can’t identify it.”

Note: if you cancel out of the enrollment and go back later and don’t see the option to enroll, clear browsing history and close down Safari then reopen Safari, login, and the option should show up again.


Select “ENROLL” to begin the Intune enrollment process.


Select “Install” to install the Intune management profile.


Select “Show Profile” to view more about the profile being installed and select “Install” to continue with the installation. Depending on your settings you may be promoted to type in your Mac account password.


Another install prompt may appear, select “Show Profile” again to show the new information and rights being deployed. When finished reviewing, select “Continue” and “Install”.


Once the profiles are installed you’ll see a screen similar to the following:



After installation is complete, the enrollment windows in Safari will remain open. Go ahead and close those out and refresh the page that has “My Devices” on it. After the reload is complete, the Mac will show up with a check box.




Select the Mac to view whether or not it’s in compliance:


Once Mac’s are enrolled they’ll download and apply policies whether created before or after enrollment.


Intune Mac Policies

Policies available for Mac in this release are as follows (more info:

To set up a new Mac policy navigate to select Intune –> Device configuration –> Profiles –> Create profile



Select the type of Profile you’d like to deploy:

Overview of Mac OS X configuration policies with Intune:



Note: for custom configuration you’ll need to utilize download and utilize Apple Configurator on a Mac: 


Classic Intune Portal


In addition to the policies above Intune will track and report on Hardware and Software:



Need to deploy apps and go beyond Intune Mac management features?  Have a look at Mac management with System Center Configuration Manager (SCCM).

Need to manage devices beyond Mac? Intune will manage Android, iOS, Windows Phone, and Windows as well. Read more here:

Keep an eye out for new Intune updates here:

Microsoft Advanced Threat Analytics

Tracking down security vulnerabilities has always been a game of cat and mouse. Certain safeguards can be put in place to prevent security vulnerabilities such as blocking firewall ports, requiring multi-factor authentication and so on. Granted, no system can capture every single security vulnerability, however if a layered security approach is taken, there’s a better chance of catching security vulnerabilities and threats.

There’s also those deep vulnerabilities you’ve only read about but don’t have the necessary tools in place to capture or even check if they are occurring inside your network. Did you know that the average time attackers stay in a network before detection is over 200 days? If that is the case, then there is a lot to worry about including stolen passwords, confidential company data, customer data, and much more.

We’ve all seen the news where highly visible companies are compromised where credit card and customer information is stolen, and worse yet, published online. Have you been one of those affected? If not, what if it happened to the company you worked for? Would you be affected then? My guess is probably, one way or another.

What if you had a solution that was simple to deploy and began learning about your environment within minutes? Look no further, Microsoft Advanced Thread Analytics has a lot to offer, even with your existing security systems in place.

What is Microsoft Advanced Threat Analytics (ATA)?

Microsoft ATA is an on-premises solution that begins by learning about your environment, analyzing behaviors, and alerting on anomalous activity, attacks, and threats. Microsoft ATA will also integrate with existing SIEM’s.

How does ATA work?

Microsoft ATA works by capturing network traffic from domain controllers and by using machine learning, learns about behaviors within your network and alerts on abnormal behaviors.

There are four steps ATA takes: 

  1. Analyze – analyzes all Active Directory traffic as well as SIEM events.
  2. Detect – looks for anomalies and known security attacks and issues.
  3. Learn – leans about users and user behavior, devices, and resources then builds a graph mapping common behaviors.
  4. Alert – ATA raises alerts on suspicious activities and provides a timeline of activities of who, what, where, and when.

What types of issues are alerted by ATA?

ATA detects the following:

  • Abnormal user behavior: e.g. Anomalous logins, Password sharing, Lateral movement.
  • Malicious attacks: e.g. Pass-The-Ticket, Pass-The-Hash, Golden Ticket, Bruteforce attacks, remote execution, a much more.
  • Known security issues and risks: e.g. Broken Trust, Weak Protocols, Known protocol vulnerabilities.

What do alerts look like?

The following are a few example of actual alerts:

Reconnaissance Using DNS


Massive Object Deletion (from Active Directory)


Sensitive Credentials Exposed


Pass-The-Ticket Attack


What about architecture?

The architecture of ATA is very simple. It consists of a “Central Server” and one or more “Gateway Servers”.  Both can be deployed to VMs or physical machines. Again, ATA is currently an on premises solution.

  • Central Server: Central admin console (http) and the database (MongoDB).
  • Gateway Server(s): Destination for port mirrored network traffic from domain controllers.

Additionally, ATA uses self-signed certificates to communicate securely from the Gateway Server to the Central Server. Lastly, port mirroring is required from your domain controllers (source) to the Gateway Server(s) (destination).

For example, it took me about 10 minutes to set up, end-to-end, in my environment where I have two domain controllers.

Links to deployment information is under Additional Resource below.

The following is a sample architecture of ATA:


Download and try ATA today, because having more information about attacks, threats, and behaviors across your network is better than guessing.

Additional Resources

Learn more here:

Additional ATA resources such as release notes, deployment guides, operational guides , FAQ’s and more are located here: