By: Neil Johnson – Principal Product Manager | Microsoft Intune
A lot has changed in Intune Mac management over the last few years. As we’ve adapted to the changing needs of our customers the number of requests for Mac projects has steadily grown. These range from ‘How do I get started with a Intune Mac proof of concept?’ to ‘I’ve done my POC but now I’ve got thousands of Macs to migrate to Intune, what next?’.
This article is aimed at organizations that are new to managing Mac with Intune. It provides a list of tools, resources and links that we use on most of our Mac projects from design through to migration. The idea is to provide a springboard into Mac management with Intune.
Planning
When planning your Mac migration project, a solid understanding of your requirements is a critical dependency to be successful, we tend to think of Mac migration projects in four phases:
A requirements chart outlining the Design, Testing, Pilot, and Migration phases.
Requirements: Setting clear goals and objectives is essential to the success of any project. Goals are broad strategic aims—such as reducing costs, strengthening security, or simplifying IT management. From these goals, you can derive specific, measurable requirements. For instance, a goal to reduce costs might translate into a requirement to consolidate onto a single device management platform. A security goal might lead to a requirement to implement single sign-on across all Macs. These requirements provide the foundation for the rest of the project.
Design: In the design phase, we translate the requirements into a practical and achievable solution. This includes selecting the right technologies, defining configurations, and outlining how the solution will be implemented. The aim is to create a blueprint that fully addresses the project’s requirements while remaining scalable and maintainable.
Test: The test phase ensures that the proposed design meets the original requirements. This involves validating the solution in a controlled environment to identify any gaps or issues before moving into pilot. Testing helps confirm that the solution is functional, reliable, and ready for broader deployment.
Pilot: Once the solution has passed testing, we move into the pilot phase. This is a limited rollout in a production environment, typically involving a small group of users or devices. The goal is to gather real-world feedback and make any final adjustments before scaling the solution across the organization.
Migrate: With a validated pilot, we transition into full migration. New devices are enrolled into the new service from day one, while existing devices are moved over in a phased and structured approach. This ensures continuity, minimizes disruption, and completes the journey to the new platform.
Design, Test and Pilot are often cyclical phases, which means as we go through each one, we’re likely to learn new things and need to make changes to prior phases. For example, the first time we run through the testing phase, it’s likely that we’ll need to adjust our design, and similarly with the pilot phase. We only progress to the migration phase when we’re satisfied that our solution has been tested to meet the core requirements that were identified in the outset.
This is an example of how we might begin our requirements definition, stating our clear goals with matching requirements to meet them:
- Reduce costs
- Make use of the licenses you already own.
- Reduce IT overhead by shipping devices directly from Apple to your device users.
- Improve security
- Deploy Microsoft Entra and Intune for Conditional Access and compliance policies without third-party connectors.
- Consolidate endpoint and data loss prevention tools, for Windows and Mac, such as Microsoft Purview and Microsoft Defender for Endpoint.
- Simplify management
- Consolidation of security and management tooling.
- Simplify your configuration and remove deprecated payloads.
Getting started with Design, Test and Pilot phases
The best place to start your journey learning about how to design Mac management with Microsoft Intune is through our end to end guide to get started with macOS endpoints.
It walks you through getting your environment up and running to enroll your first Mac and then how to secure and apply more complex configurations.
As you learn more about Mac management, you may find that you need more complex solutions or custom tooling. It’s beyond the scope of this article to go into depth, but here’s a list of some of our favorite Mac resources that you should find valuable:
- Intune Team GitHub Shell Samples Repository: GitHub repo full of sample shell scripts to accomplish common tasks with Intune. Note: Microsoft supports the ability to run scripts but doesn’t support the script itself, remember to always test!
- The macOS Security Compliance Project: Comprehensive security baseline project for macOS.
- AppleSeed for IT Resources: Apple’s Enterprise software portal and the home of the Mac Evaluation Utility, which is highly recommended during testing.
- Mac Admins Foundation: Mac Admin community resources.
Common issues
These are the most common problems we see when working with our customers new to managing Macs with Intune.
|
Issue |
Possible cause |
Solution |
|
Unable to enroll |
Enrollment Restriction blocking macOS |
The most common issue we see here are old enrollment restrictions blocking macOS. These need to be removed or modified before you can enroll. |
|
Missing Apple MDM push certificate |
For organizations new to Apple device management, it’s very common for them not to have an installed. Without this you’ll not be able to manage any Apple devices. | |
|
User targeted by compliance connector |
If you’ve been using Intune for compliance with another MDM service, you’ll need to ensure that users are excluded from the targeting of this connector before enrolling into Intune. | |
|
Policies/Apps take a long time to arrive |
Policy or app assignments to dynamic device groups |
For Intune policy assignment it’s best to use static device or user groups where possible. |
Microsoft on Mac
Microsoft has many products specifically developed for Mac. Your organization might already own licenses for Microsoft products that work on Mac, but perhaps you’re not fully using them. It’s important to check which licenses you already have—this could help you save money, simplify management, and improve the experience for your Mac users.
|
Product |
Function |
Learn more |
|
Microsoft Intune |
Endpoint management | |
|
Microsoft Defender for Endpoint |
Endpoint security platform |
https://learn.microsoft.com/defender-endpoint/microsoft-defender-endpoint |
|
Microsoft 365 |
Productivity app suite |
https://www.microsoft.com/microsoft-365/mac/microsoft-365-for-mac |
|
Microsoft Teams |
Collaboration |
https://www.microsoft.com/microsoft-teams/group-chat-software |
|
Microsoft Edge |
Enterprise browser for Mac | |
|
Windows 365 |
Run Windows in the cloud | |
|
Microsoft Purview |
Data protection and governance |
https://learn.microsoft.com/purview/device-onboarding-macos-overview |
|
Microsoft Entra |
Identity and compliance | |
|
Universal Print |
Enterprise cloud printing |
https://learn.microsoft.com/universal-print/discover-universal-print |
|
Microsoft Copilot App for Mac |
Enterprise AI companion app | |
|
Windows App |
Mac remote desktop protocol client |
https://learn.microsoft.com/windows-app/get-started-connect-devices-desktops-apps |
Migration Planning
Once you’ve finished your solution design, testing and pilot phases it’s time to start thinking about migration. There are many ways to approach migration, but we tend to think about it in five phases.
- Design: Designing your migration process is critical. You need to think through how you’re going to get new devices enrolled to Intune, how you’re going to handle opt-in migrations and how you’re going to handle remaining devices at the end.
- Communicate: Once you know how you’re going to approach migration it’s critical to communicate that across your business. Communicate clearly and simply what the project is going to do, when it’s going to happen and if there any actions required.
- New Devices: As soon as practical, it’s important to ensure that all new devices purchased are enrolled into Intune. This creates a better end user experience and means that we don’t have to migrate them unnecessarily.
- Opt-In: Your colleagues are busy doing their roles, so it’s important that we are as flexible as possible with them. Our experience suggests that if you provide a guided migration experience that they can start at a suitable time then they are much more likely to migrate themselves.
- Deadline Mode: Sometimes we all need a little encouragement. During the final phase of migration consider reminders and even a final deadline date where devices will just be migrated.
Migration design is unique to each project and organization, what is acceptable for one may not be suitable for another.
Migration tooling
That’s all very well, but how exactly do you get your devices from one mobile device management service (MDM) to another? Handily the Intune Customer Experience Engineering (CxE) team has developed an open-source script that might help:
https://github.com/microsoft/shell-intune-samples/tree/master/macOS/Tools/Migration
There are many more options from our partners and MVPs to achieve migration. To learn more why not join our Microsoft Mac Admins community on LinkedIn and find out how others are handling migration.
Example Migration experience
Here’s an example of what the migration might look like for your users. The video below is based on the Intune Engineering sample script in opt-in mode where the user can choose when they want to perform their migration.
Reach out for help
If any of this has piqued your interest, there are a couple more things you can do.
Join our Microsoft Mac Admins community on LinkedIn. Our product teams are there, plus thousands of others who’re using Intune to manage their Apple devices in a Microsoft Enterprise environment. If you have a question about Microsoft and Mac, someone in here will likely have the answer.
If you have 150 M365 licenses or more, you can also Request FastTrack assistance. Our FastTrack team are experts at helping our customers make the most of their investment in Microsoft technologies.
Lastly, if you are looking for a deeper engagement, consider finding a Microsoft partner to support your migration needs.
If you have any questions or want to share how you’re managing and migrating your Apple macOS devices in Intune, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn: aka.ms/IntuneLinked .
Microsoft
