Back in 2015 I wrote a blog about Mac management with Intune, however it’s been a few years and I feel it’s time we re-visit Mac management with Intune to learn more about what’s changed. You’ll soon learn there’s been a significant amount of progress and since my first post Intune now has a lot of native Mac management capabilities built in.
First let’s look at MacOS enrollment options with Intune.
MacOS enrollment options
There are two methods to enroll MacOS with Intune, user driven or using Device Enrollment Program.
User driven enrollment
For user driven enrollment the end user will need to sign into the web based version of the company portal via https://portal.manage.microsoft.com
If the user already had a device registered it will show on the screen, if the Mac is the first device being enrolled, they will see the following:
Once the user selects “Add this one by tapping here” they’ll be prompted to download the Intune Company Portal app.
After the Company Portal is downloaded and installed, open it up and you’ll be asked to sign-in using your corporate credentials. These are the same credentials used to sign into Office 365 (derived from Azure AD).
After sign-in is complete the device will begin the enrollment process.
For more details on user driven Mac enrollment please visit: https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp
Apple Device Enrollment Program
The concept of the Apple DEP is to associate devices with an organization and to streamline the enrollment process, similar to enrolling Apple iOS devices. However, enrollment requires a different process by associating an Apple enrollment token with Intune. After the enrollment token is added and enrollment profile is created in Intune and associated with the enrollment token.
During the enrollment profile creation process you’ll be asked to select user affinity (i.e. userless or user associated). Once user affinity is selected, you’ll also select whether or not you’ll allow users to remove the enrollment profile via the “Locked enrollment” setting. Finally, you’ll customize the setup assistance which allows for hiding setup screen, e.g. Apple Pay, Siri, Registration, etc.
For more details on the Apple enrollment token process with Intune please visit: https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-macos
An exciting feature of Azure AD is the ability to target certain device platforms (e.g. MacOS) and set a series of conditions for access by creating conditional access policies in Azure AD.
Azure AD and Intune compliance policies also play a role in access. Step through the compliance policies below to view the restrictions that may be enabled for the device to be compliant.
System integrity protection prevents malicious apps from modifying protected files and folders.
Specify which OS version and builds you’ll allow before accessing corporate resources.
Configured password and password integrity, storage encryption, firewall, and gatekeeper to project against malware.
Actions to take for non-compliance
Take action when devices are not compliant with the compliance policy by sending the user a mail and/or locking the device.
Associating an Intune compliance policy with Azure AD conditional access policy
Create an Azure AD conditional access policy to require the device be compliant to access corporate resources.
Looking at device configuration for MacOS there are a number of settings, and in my opinion, those settings address a lot of organizations requirements for Apple Mac management.
Looking to protect the device further by configuring the firewall and controlling where apps are installed from? Gatekeep will help with those requirements.
Further configure firewall settings to device what you’ll allow in and which apps are allowed and/or blocked.
Intune supports PKCS certificates for general and S/MIME purposes.
Device and user-based certificates are both supported via SCEP
Many VPN settings are available including 3rd party VPN support.
Make note of On-demand and per-app VPN
Use a proxy server? No problem!
Both Basic and Enterprise Wi-Fi profiles are supported with various auth types.
Customize with Apple Configurator
Don’t see a setting in the UI, not to worry as you can create a custom profile using Apple Profile Manager and/or Apple Configurator and upload the payload for delivery through Intune.
Both line of business and Office apps are supported right from the UI.
When selecting “Line-of-business app” the MacOS app must be wrapped using the app wrapping tool for Mac which will wrap the app and give it an extension of .intuneMac.
The tool is available on GitHub: https://github.com/msintuneappsdk/intune-app-wrapping-tool-mac
To learn more about Mac app deployment with Intune please visit: https://docs.microsoft.com/en-us/intune/lob-apps-macos
One of my peers Scott Duffey @Scottduf has a great post on this topic: https://blogs.technet.microsoft.com/microscott/deploying-apps-to-macs-using-microsoft-intune/
Note: as of this post only .pkg files are supported nor are conversions from .dmg to .pkg
Microsoft + Jamf partnership
Microsoft has also has a partnership with Jamf. Jamf also provides MacOS management and if your organization currently utilizes Jamf and would like to receive the benefits of integrating Jamf with Intune you can do this today with Jamf Pro. So, what does this mean?
MacOS devices managed by Jamf remain managed by Jamf when Intune comes into the picture (thus are only registered with Intune not enrolled) and integrating Jamf Pro with Intune provides a path for Jamf to send signals in the form of inventory to Intune. Intune will use compliance policies to evaluate the Jamf signals and in turn send signals over to Azure AD stating whether the device is compliant or not. The Azure AD conditional access policy will kick in and based on your configuration of the conditional access policy, will either block or further challenge the user to remediate before access company resources.
For more details about Intune and Jamf integration please visit: https://docs.microsoft.com/en-us/intune/conditional-access-integrate-jamf
Jamf also has a whitepaper about Intune integration: https://www.jamf.com/resources/technical-papers/integrating-with-microsoft-intune-to-enforce-compliance-on-macs/
That’s it for now, however Microsoft is always releasing updates for Intune. Check back monthly with What’s new in Microsoft Intune and be sure to check which Intune features are under development by visiting: https://docs.microsoft.com/en-us/intune/in-development