Evolution of macOS management capabilities in Microsoft Intune

Server Man

May 17, 2015
Back in 2015 I wrote a blog about Mac management with Intune; however, it’s been a few years and I feel it’s time we revisit Mac management with Intune to learn more about what’s changed. You’ll soon learn there’s been a significant amount of progress, and since my first post Intune now has a lot of native Mac management capabilities built in.



First let’s look at MacOS enrollment options with Intune.



MacOS enrollment options

There are two methods to enroll MacOS devices with Intune: user-driven enrollment or the Apple Device Enrollment Program (DEP).



User driven enrollment

For user-driven enrollment the end user will need to sign into the web-based version of the Company Portal at https://portal.manage.microsoft.com



If the user already has a device registered, it will show on the screen; if the Mac is the first device being enrolled, they will see the following:


031119_2202_intunemacos1.png



Once the user selects “Add this one by tapping here” they’ll be prompted to download the Intune Company Portal app.



After the Company Portal is downloaded and installed, open it up and you’ll be asked to sign in using your corporate credentials. These are the same credentials used to sign into Office 365 (your Azure AD account).



After sign-in is complete the device will begin the enrollment process.



For more details on user driven Mac enrollment please visit: Enroll your macOS device in Intune with Company Portal



Apple Device Enrollment Program

The concept of the Apple DEP is to associate devices with an organization and to streamline the enrollment process, similar to enrolling Apple iOS devices. However, DEP enrollment requires a different process: an Apple enrollment token is associated with Intune, and after the token is added, an enrollment profile is created in Intune and associated with that token.



During the enrollment profile creation process you’ll be asked to select user affinity (i.e. userless or user associated). Once user affinity is selected, you’ll also choose whether or not users may remove the enrollment profile, via the “Locked enrollment” setting. Finally, you’ll customize the Setup Assistant, which allows hiding setup screens, e.g. Apple Pay, Siri, Registration, etc.



For more details on the Apple enrollment token process with Intune please visit: Enroll macOS devices - Device Enrollment Program or Apple School Manager



Conditional access

An exciting feature of Azure AD is the ability to target certain device platforms (e.g. MacOS) and set a series of conditions for access by creating conditional access policies in Azure AD.

031119_2202_intunemacos2.png



Compliance

Azure AD and Intune compliance policies also play a role in access. Step through the compliance policies below to view the restrictions that may be enabled for the device to be compliant.


Device Health


System integrity protection prevents malicious apps from modifying protected files and folders.

031119_2202_intunemacos3.png


Device Properties


Specify which OS versions and builds you’ll allow before a device can access corporate resources.

031119_2202_intunemacos4.png


System Security


Configure password requirements and password integrity, storage encryption, the firewall, and Gatekeeper to protect against malware.

031119_2202_intunemacos5.png


Actions to take for non-compliance


Take action when devices are not compliant with the compliance policy by sending the user an email and/or locking the device.

031119_2202_intunemacos6.png
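As an added illustration (not part of the original post), the script below reads the same signals from the Mac side that the compliance policy sections above inspect: SIP, OS version, FileVault, firewall and Gatekeeper. The minimum OS version is an assumed policy value, and the sample command output at the bottom is constructed rather than captured from a device. It is handy for working out why a device shows as non-compliant before the next Intune check-in.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate the local macOS signals that
# the compliance policy sections above cover (SIP, OS version, FileVault encryption,
# firewall, Gatekeeper) against an assumed minimum OS version. Each checker parses
# the text printed by the macOS command named beside it, so the logic also runs
# offline against constructed sample output (as the demo at the bottom does).

MIN_OS_VERSION="10.14"   # assumed policy value; match it to your compliance policy

# Extract ProductVersion from the output of: sw_vers
os_version() {
    printf '%s\n' "$1" | sed -n 's/^ProductVersion:[[:space:]]*//p'
}

# Return 0 when dotted version $1 is >= dotted version $2 (e.g. 10.14.3 >= 10.14).
version_ge() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a="${v1%%.*}"; b="${v2%%.*}"
        [ -z "$a" ] && a=0
        [ -z "$b" ] && b=0
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        case "$v1" in *.*) v1="${v1#*.}" ;; *) v1="" ;; esac
        case "$v2" in *.*) v2="${v2#*.}" ;; *) v2="" ;; esac
    done
    return 0
}

# Output of: csrutil status
sip_enabled() {
    case "$1" in *"System Integrity Protection status: enabled"*) return 0 ;; esac
    return 1
}
# Output of: fdesetup status
filevault_on() {
    case "$1" in *"FileVault is On"*) return 0 ;; esac
    return 1
}
# Output of: /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
firewall_on() {
    case "$1" in *"Firewall is enabled"*) return 0 ;; esac
    return 1
}
# Output of: spctl --status
gatekeeper_on() {
    case "$1" in *"assessments enabled"*) return 0 ;; esac
    return 1
}

# Print one FAIL line per check that misses the policy; return 0 only if all pass.
evaluate_compliance() {
    fails=0
    ver=$(os_version "$1")
    version_ge "$ver" "$MIN_OS_VERSION" || { echo "FAIL os-version: $ver < $MIN_OS_VERSION"; fails=$((fails + 1)); }
    sip_enabled "$2"   || { echo "FAIL sip: System Integrity Protection disabled"; fails=$((fails + 1)); }
    filevault_on "$3"  || { echo "FAIL filevault: storage not encrypted"; fails=$((fails + 1)); }
    firewall_on "$4"   || { echo "FAIL firewall: application firewall off"; fails=$((fails + 1)); }
    gatekeeper_on "$5" || { echo "FAIL gatekeeper: assessments disabled"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ]
}

# Constructed sample output (not captured from a real device) for the offline demo.
SAMPLE_SW_VERS="ProductName:    macOS
ProductVersion: 10.14.3
BuildVersion:   18XXXX"
SAMPLE_SIP="System Integrity Protection status: enabled."
SAMPLE_FDE="FileVault is Off."
SAMPLE_FW="Firewall is enabled. (State = 1)"
SAMPLE_GK="assessments enabled"

if [ "$(uname)" = "Darwin" ]; then
    # On a Mac, read the live signals from the commands named above.
    evaluate_compliance "$(sw_vers)" "$(csrutil status)" "$(fdesetup status)" \
        "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)" \
        "$(spctl --status)" && echo "This Mac: compliant" || echo "This Mac: not compliant"
else
    evaluate_compliance "$SAMPLE_SW_VERS" "$SAMPLE_SIP" "$SAMPLE_FDE" "$SAMPLE_FW" "$SAMPLE_GK" \
        && echo "Sample device: compliant" || echo "Sample device: not compliant"
fi
```

Run on a Mac it reports the live state; anywhere else it evaluates the constructed sample, which fails only the FileVault check. The checkers match on the exact phrases those commands print today, so if Apple rewords them the parser, not the device, is what needs updating.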



Associating an Intune compliance policy with Azure AD conditional access policy

Create an Azure AD conditional access policy to require the device be compliant to access corporate resources.

031119_2202_intunemacos7.png



Looking at device configuration for MacOS, there are a number of settings, and in my opinion those settings address a lot of organizations’ requirements for Apple Mac management.



Device features

031119_2202_intunemacos8.png



Device restrictions

031119_2202_intunemacos9.png

031119_2202_intunemacos10.png

031119_2202_intunemacos11.png

031119_2202_intunemacos12.png

031119_2202_intunemacos13.png

031119_2202_intunemacos14.png

031119_2202_intunemacos15.png

Endpoint protection

Looking to protect the device further by controlling where apps can be installed from and by configuring the firewall? The endpoint protection profile covers both, starting with Gatekeeper for app sources.

031119_2202_intunemacos16.png

Further configure firewall settings to decide what you’ll allow in and which apps are allowed and/or blocked.

031119_2202_intunemacos17.png

Certificates

Intune supports PKCS certificates for general and S/MIME purposes.

031119_2202_intunemacos18.png

031119_2202_intunemacos19.png

Device and user-based certificates are both supported via SCEP.

031119_2202_intunemacos20.png

VPN

Many VPN settings are available, including third-party VPN support.

031119_2202_intunemacos21.png

Make note of on-demand and per-app VPN.

031119_2202_intunemacos22.png

Use a proxy server? No problem!

031119_2202_intunemacos23.png

Wi-Fi

Both Basic and Enterprise Wi-Fi profiles are supported with various auth types.

031119_2202_intunemacos24.png

Customize with Apple Configurator

Don’t see a setting in the UI? Not to worry: you can create a custom profile using Apple Profile Manager and/or Apple Configurator and upload the payload for delivery through Intune.



031119_2202_intunemacos25.png

App deployment

Both line of business and Office apps are supported right from the UI.

031119_2202_intunemacos26.png

When selecting “Line-of-business app”, the MacOS app must be wrapped using the app wrapping tool for Mac, which wraps the app and gives it the extension .intuneMac.



The tool is available on GitHub: msintuneappsdk/intune-app-wrapping-tool-mac



To learn more about Mac app deployment with Intune please visit: How to add macOS line-of-business apps to Microsoft Intune



One of my peers, Scott Duffy (@Scottduf), has a great post on this topic: Deploying Apps to Mac’s using Microsoft Intune

Note: as of this post only .pkg files are supported; conversion from .dmg to .pkg is not.
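An added pre-flight script (not the original post’s or Microsoft’s code) that applies the note above before wrapping: it rejects anything that is not a .pkg, including .dmg, checks the package signature when run on a Mac, and only then hands the file to IntuneAppUtil. The -c (source) and -o (output directory) options are as documented for the tool as I recall them; confirm against the README of the copy you download.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks before wrapping a
# macOS line-of-business installer for Intune. Only .pkg files are accepted (.dmg is
# rejected rather than converted), and on a Mac the package signature is verified
# before IntuneAppUtil is invoked. The IntuneAppUtil options (-c source, -o output
# directory) are an assumption to confirm against the tool's own README.

# Accept only an existing, regular .pkg file; anything else is a hard error.
check_lob_source() {
    src="$1"
    case "$src" in
        *.pkg) ;;
        *.dmg) echo "reject: $src is a .dmg; Intune does not convert .dmg to .pkg" >&2; return 1 ;;
        *)     echo "reject: $src is not a .pkg" >&2; return 1 ;;
    esac
    [ -f "$src" ] || { echo "reject: $src does not exist" >&2; return 1; }
    return 0
}

# Refuse unsigned packages: an unsigned installer cannot be traced to a publisher.
# pkgutil is macOS-only, so the check is skipped (with a warning) elsewhere.
check_pkg_signature() {
    if ! command -v pkgutil >/dev/null 2>&1; then
        echo "warn: pkgutil unavailable, signature not verified" >&2
        return 0
    fi
    pkgutil --check-signature "$1" | grep -q 'Status: signed'
}

# Wrap the package; the output directory receives <name>.intuneMac.
# Returns 0 on success, 1 on a rejected input, 2 if the wrapping tool is absent.
wrap_for_intune() {
    src="$1"; outdir="$2"
    check_lob_source "$src" || return 1
    check_pkg_signature "$src" || { echo "reject: $src is not signed" >&2; return 1; }
    mkdir -p "$outdir"
    if ! command -v IntuneAppUtil >/dev/null 2>&1; then
        echo "IntuneAppUtil not on PATH; would run: IntuneAppUtil -c $src -o $outdir" >&2
        return 2
    fi
    IntuneAppUtil -c "$src" -o "$outdir" && ls "$outdir"/*.intuneMac
}

# Demo on a constructed path (no real installer needed): the .dmg is rejected.
check_lob_source "/tmp/constructed/App.dmg" || echo "demo: .dmg rejected as expected"
```

The signature check is the part worth keeping even if you wrap by hand: a package that `pkgutil --check-signature` reports as unsigned should not be pushed to every Mac in the tenant, whatever its source.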



Microsoft + Jamf partnership

Microsoft also has a partnership with Jamf. Jamf also provides MacOS management, and if your organization currently uses Jamf and would like the benefits of integrating Jamf with Intune, you can do this today with Jamf Pro. So, what does this mean?



MacOS devices managed by Jamf remain managed by Jamf when Intune comes into the picture (they are only registered with Intune, not enrolled), and integrating Jamf Pro with Intune provides a path for Jamf to send signals, in the form of inventory, to Intune. Intune uses compliance policies to evaluate the Jamf signals and in turn reports to Azure AD whether the device is compliant or not. The Azure AD conditional access policy then kicks in and, depending on how you configured it, either blocks the user or challenges them to remediate before accessing company resources.



For more details about Intune and Jamf integration please visit: Integrate Jamf Pro with Microsoft Intune for compliance



Jamf also has a whitepaper about Intune integration: Integrating with Microsoft Intune to Enforce Compliance on Mac Computers Managed by Jamf Pro



That’s it for now, however Microsoft is always releasing updates for Intune. Check back monthly with What’s new in Microsoft Intune and be sure to check which Intune features are under development by visiting: In development - Microsoft Intune



Article re-posted from Intune MacOS management capabilities
