Microsoft Intune Blog

What’s new in macOS management: Platform SSO and more

Lior_Bela (Microsoft)
May 06, 2024

Endpoint management used to be famous for being nearly invisible unless something went wrong. Now that work has spilled out of the office and moved away from the desktop computer, users are increasingly aware of endpoint management, or at least of how it impacts their productivity. How quickly does their laptop boot up? How seamless is the sign-on to corporate resources? How easy is it to use their preferred device to do their work?

Over the last six months, we've been working hard to make it easier for end users to enroll Mac devices with Microsoft Intune and more powerful for administrators to manage them. We've had great results from customers who have ditched duplicative tools and moved their macOS management to Intune.

See what's new with Intune's macOS device management capabilities and hear about a case study on a company that moved their Macs to Intune.

More capable Mac management

Giving users and administrators a more secure, productive experience is what Intune is all about. Here are some of the new capabilities we are most excited about.

Platform Single Sign-On (SSO) is now officially in public preview

Platform SSO is a win for security and productivity alike. From a security standpoint, SSO integrates with Apple's Secure Enclave technology. This means that organizations can enable phishing-resistant, hardware-bound, passwordless authentication on Mac through Intune. For organizations implementing Zero Trust, this is a big win, especially since Intune is cloud native.

End users get a more seamless out-of-the-box experience, now needing only one set of credentials, their Entra ID password, to set up their device.

Unique to Microsoft Intune, this SSO experience also signs users in to their Outlook, Teams, and other Microsoft 365 apps at the same time.

For users accustomed to entering separate passwords for their device and for access to corporate resources, and sometimes entering those passwords multiple times, this streamlines productivity. Users even have the option to forgo passwords and set up Touch ID to unlock their device and sign in to Entra ID. See the documentation to learn how to set it all up for your users. Then, read this blog post from the Entra ID team to dive a little deeper into the technology and watch this demo to see it in action.

Await final configuration for macOS Automated Device Enrollment

Intune admins can enable the Await final configuration setting to further enhance device security. When set to yes, users will not be able to access the desktop until critical policies have been applied.

While the device is still in Setup Assistant, Intune checks in with it, and at that time the device configuration policies start coming down. This benefits both end users, who can use the configured device as soon as they reach the desktop without confusion, and admins, who can be sure the device is secure with the deployed settings before anyone works on it. We recommend always setting Await final configuration to yes.

Setup Assistant Screens configuration

In addition to improving security, admins can customize the enrollment process to offer a better experience for end users. The ability to hide or show screens allows organizations to create the ideal enrollment experience for users. We suggest allowing users to set up Touch ID and enabling accessibility settings. For more comprehensive guidance on configuring macOS devices in Intune, see our documentation.

Universal Print on macOS is in public preview

macOS users can print from any app with this integration. Get the details in the announcement blog post. We also have further documentation to help you roll it out, and you can watch this interactive demo to see what the end user experience is like.

Microsoft Intune Remote Help for macOS devices is available

The same secure, trusted help desk-to-user connections that you get with Windows devices are now available to your macOS device users. To read more about it, see Microsoft Intune Remote Help adds full control for Mac. Then, watch this video that highlights some capabilities of Remote Help and see this interactive guide to get even more insight. The product page also offers details on all the capabilities and pricing.

Coming soon: device attestation

Even more robust security features are coming to Mac management in the form of device attestation. This blog post goes into more details and talks about the timeline—but the headline is that Intune will include Apple's Automated Certificate Management Environment (ACME) protocol in device attestation and reporting.

Help shape the next phase of Apple device enrollment

If you have a testing tenant with iOS, iPadOS, or macOS devices, we want you to help us develop the next set of enrollment capabilities. Sign up to join the private preview.

Also, take advantage of this great opportunity to connect with over 350 other IT professionals during MacADUK. From May 23-24, 2024, you can expect informative sessions, compelling conversations, and (we hear) some epic parties. Microsoft will be there and we'd love to hear about your experiences managing Macs for enterprise. Buy your tickets today!

Now is the time to manage your Macs with Intune

The list of capabilities being added to Intune for Mac management keeps growing! So, keep up to date: bookmark our blog and follow our social media channels @MSIntune on X and on LinkedIn. For help getting started, check out the new end-to-end guide to macOS endpoints. Now, see this customer story about how one firm agreed that now is the time to manage macOS devices with Intune.

A professional services firm's journey moving macOS device management to Microsoft Intune

In the professional services sector, competition for individual talent is fierce. High performing individuals can often dictate the terms of their engagement as individual productivity makes a huge difference to the bottom line.

So, when one of the world's largest professional services firms wanted to cut their endpoint management costs, they couldn't simply mandate a reduction in the types of devices they would support. Rather, they had to find a more efficient way to help keep their hundreds of thousands of employees productive and secure on the devices they prefer. Their setup at the time, maintaining distinct endpoint management solutions, was untenable. The Associate Director and Desktop Configuration Manager explains, "When we first merged with a business that managed Mac devices, we felt the need to bring them into our infrastructure effectively. We adopted a popular mobile device management tool for those devices, but the costs became prohibitive."

The preferred solution to those prohibitive costs? A single pane of glass, giving IT visibility into and management of their entire device estate.

"If you're already using Microsoft solutions, you don't need any mobile device management other than Intune. It's capable, well-featured, and in my opinion, for Mac management, it's a no-brainer."
- Associate Director and Desktop Configuration Product Manager

Doing more Mac device management with less

The search for that solution didn't take long. The company was already managing more than 300,000 devices with Microsoft Intune. In addition to licensing costs, there were productivity costs for administrators and end users alike in maintaining parallel management solutions. Device provisioning with Automatic Device Enrollment and Platform SSO cut hours from the hands-on time IT admins had to spend on setup for macOS devices and time users had to spend on sign in—thanks to their Entra ID credentials.

Interoperability with the second management tool was cumbersome and impeded user and administrator productivity. But unifying management under Intune smoothed a once-bumpy road. Consolidating solutions removed the need for the on-site servers that the parallel solution required, and for their maintenance.

IT teams no longer need training on a second system, nor do they need a separate support portal and the associated service contract. Security management with Microsoft Defender for Endpoint improved reporting and reduced the chance for errors inherent in maintaining dual systems.

The added value of working with Microsoft

On paper, the choice to switch to Intune wasn't obvious. "Our Mac-specific management solution had a lot of bells and whistles," says the Desktop Configuration Product Manager. The team had to take a wider view of not only the capabilities of their solutions, but how they related to the needs of the organization, the IT department, and their end users now and into the future. The result of that process, according to the company, was, "Many of those features, we discovered, provide little to no long-term value to the user. For those that do, more cost-effective alternatives exist." Upon realizing that those "bells and whistles" weren't worth what they were paying, the company sought to verify Microsoft's own assertions that we are committed to developing our Mac management capabilities. Of their inquiry, the company says: "We reached out to Apple, who confirmed for us that Microsoft follows their best practices very closely. Together with its commitment to zero-day support for updates and launches, that convinced us that Microsoft was our best option for endpoint security."

With their previous solution provider, the total cost to lease a MacBook Air was roughly the same as a comparable Windows laptop. However, by eliminating the added cost of the separate macOS MDM tool, the company reduced the overall three-year cost of each Mac by $150. The savings in time allowed the IT team to solve more interesting challenges. For example, the team was able to create a bespoke macOS app store in collaboration with Microsoft. Thanks to this solution, the Associate Director and Desktop Configuration Product Manager says, "It helps add new value to our mobile device management without the costs our prior tool would have required… I've been in IT for 20 years, and I've never had the kind of direct engagement with a product group as we experienced with Microsoft."

Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.

Updated May 06, 2024
Version 2.0

23 Comments

  • dsvcg
    Copper Contributor

    rhislopz 
    Thank you for the response. We did configure that and when logging in as a new user, or existing SSO user, they are demoted from admin to standard as expected. However, yes this does require that I create a local admin user as mentioned/required.


    Do you have any suggestions on how to create an administrative user during deployment? It seems like the best method would be to utilize a shell script.

  • jstevens621507
    Copper Contributor

    SimonSchurz

    Yes, I'm aware of this too; they must match. I'm testing mine this week and will verify this too. Secure Enclave works great, but then users are in charge of their local pw. No passwords and using a passkey is maybe a better trade-off than syncing pwds; it's debatable, but we are moving forward with macOS and Intune. We have a ways to go yet, but we're getting there.

  • SimonSchurz
    Copper Contributor

    I do have a hint for everyone who is running into issues with Entra passwords not being accepted when trying to register for Platform SSO on the device.

    Make sure the Entra passwords of your users match the password requirements set for your Mac devices. Otherwise, your users will run into an issue.

  • rhislopz
    Copper Contributor

    dsvcg 


    There is an option within the Platform SSO configuration to define the User Authorization Mode. If you set this to standard, the user who completes the Platform SSO registration will be immediately demoted to a standard user. It does, however, require that there is at least one administrative account on the device already. A better alternative at this stage could be to create an administrative user during deployment, disable the account, and then the 'first' user will end up a standard user automatically.


  • jstevens621507
    Copper Contributor

    dsvcg


    Run a script to demote the user during deployment. Until MS adds this feature and creates a full LAPS workflow, use a script.

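The two comments above (rhislopz: create an administrative account during deployment and disable it so the enrolling user ends up standard; jstevens621507: demote the user with a script) describe a procedure without showing it. The script below is an added example, not from the blog post, from Intune, or from either commenter. It assumes it runs as root from an Intune macOS shell script on macOS 10.13 or later (where `sysadminctl` exists), that the break-glass account's password is supplied from a secret store rather than hardcoded, and that the account name `it-breakglass` and the rotation of that password afterwards (the "full LAPS workflow" the comment mentions) are the deployment's own concern. The disable step uses the `dscl` AuthenticationAuthority tag that macOS admins commonly use; the demotion refuses to run if it would leave the device with no admin other than root, which is the lock-out the thread is worried about.

```shell
#!/bin/sh
# Added example (not from the blog post, Intune, or any commenter).
# Assumptions: runs as root on macOS 10.13+ from an Intune shell script;
# the account password arrives in BREAKGLASS_PASSWORD from a secret store
# and is rotated after enrollment (LAPS-style rotation is out of scope).
set -eu

# Short names macOS accepts: lowercase letters, digits, '_', '.', '-';
# 1 to 31 characters; must not start with '-' or '.'.
validate_account_name() {
  name="$1"
  case "$name" in
    ''|-*|.*) return 1 ;;
  esac
  [ "${#name}" -le 31 ] || return 1
  printf '%s' "$name" | grep -Eq '^[a-z0-9_][a-z0-9_.-]*$'
}

# Minimal local rule for the break-glass password (length only). The device
# password policy, which the thread notes must also match Entra, still
# applies when the account is created.
validate_password() {
  [ "${#1}" -ge 16 ]
}

account_exists() {
  dscl . -read "/Users/$1" >/dev/null 2>&1
}

# Create a local admin account, then disable interactive login for it by
# tagging its AuthenticationAuthority (the dscl technique used by macOS admins).
create_disabled_admin() {
  name="$1"; full="$2"; pw="$3"
  validate_account_name "$name" || { echo "invalid account name: $name" >&2; return 2; }
  validate_password "$pw"       || { echo "password shorter than 16 characters" >&2; return 2; }
  if account_exists "$name"; then
    echo "account $name already exists, leaving it unchanged"
    return 0
  fi
  sysadminctl -addUser "$name" -fullName "$full" -password "$pw" -admin
  dscl . -append "/Users/$name" AuthenticationAuthority ";DisabledUser;"
  echo "created and disabled admin account $name"
}

# Remove a user from the admin group, refusing if no admin other than root
# (and the user being demoted) would remain on the device.
demote_to_standard() {
  name="$1"
  others=0
  for member in $(dscl . -read /Groups/admin GroupMembership | cut -d: -f2); do
    case "$member" in
      root|"$name") ;;
      *) others=$((others + 1)) ;;
    esac
  done
  [ "$others" -ge 1 ] || { echo "refusing: $name is the only admin on this device" >&2; return 3; }
  dseditgroup -o edit -d "$name" -t user admin
  echo "demoted $name to a standard user"
}

# Example invocation from a deployment script (root on macOS):
#   create_disabled_admin it-breakglass "IT Break Glass" "$BREAKGLASS_PASSWORD"
#   demote_to_standard "$(stat -f %Su /dev/console)"
```

Two practical notes on the design: the validation functions run anywhere, so they can be unit-tested off the Mac, while the functions that touch the directory service only make sense as root on macOS; and because `sysadminctl` takes the password on its command line, treat it as disposable and rotate it once enrollment completes rather than reusing one value fleet-wide.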
  • Wim Borgers
    Copper Contributor

    Lior_Bela We are also looking forward to this functionality and have been waiting for it for a while. I am glad the public preview is launched, thanks! Looking forward to trying this. Good luck with the preview. However, the link in the article refers to a form to register for the private preview. Should we use that link? Or is there a different way of registering for the public preview?


    hroes dsvcg I really hope it is possible to avoid giving the regular user admin access as well. In our environment, too, we do not make users local admins, for all sorts of reasons.

  • hroes
    Copper Contributor

    dsvcg, I am wondering the same thing as we have a similar requirement. We do not allow users to be local admin for various reasons and have yet to find a way to make this happen with Intune as MDM platform while our current MDM platform can do it.

  • dsvcg
    Copper Contributor

    Is there any sort of best practice or suggested process in regard to handling the local admin role that is assigned to the initial user? We don't typically deploy our macOS machines to staff with administrator roles, and if they are the initial user logging into the device at enrollment, having the device assigned to them, this seems like it might be somewhat problematic for us to manage after the fact, particularly in a remote environment. Thank you!