Blog Post

Microsoft Intune Blog

What’s new in Microsoft Intune: July 2025

ScottSawyer
Microsoft
Jul 24, 2025

Last weekend, a friend called me, frustrated. His Mac needed admin access. What should have been a five-minute fix turned into a two-hour ordeal. "Technology isn't the problem," he said. "It's the time it takes to chase these credentials so I can help my team." His experience mirrors what I hear from help desk managers: Time-to-remediate suffers when credential retrieval becomes the longest step.

When teams spend more time retrieving passwords than fixing actual issues, both productivity and end-user satisfaction decline. This month, we’re addressing these challenges—particularly for Apple device management and privilege management across platforms.

Eliminate Mac credential delays for faster support

IT help desks face a specific challenge with macOS devices. They need secure admin access to troubleshoot problems, but traditional approaches either compromise security or create administrative overhead. Organizations struggle with giving help desk teams the access they need while maintaining proper credential control.

This month we made Local Admin Password Solution (LAPS) integration generally available for macOS Automated Device Enrollment (ADE). When an organization configures a macOS ADE profile, Intune can provision a local administrator account on newly enrolled devices; the account is created only for new ADE enrollments, not on Macs that are already enrolled. The password is strong, randomized, stored encrypted, and rotated automatically every six months. Alongside it, Intune creates a standard user account whose name and account details are configured exactly as the admin wants.

The workflow is simple: the help desk admin retrieves the current password from Intune, completes the task, rotates the password, and returns the device. Rotating immediately after use means the credential that was shown to a person is no longer valid, so it cannot be reused. The end-user account can now be set as a standard (non-admin) user by default and can be configured with new dynamic variables, {{username}}, {{serialNumber}}, {{partialupn}}, {{onPremisesSamAccountName}}, and {{managedDeviceName}}, to match organizational naming and security requirements.

Simplify endpoint privilege management with flexible elevation rules for Windows devices

Just as LAPS eases Mac support, Windows admins face their own time drain: rewriting elevation rules every time an installer or updater moves to a new build. To reduce that workload, we're adding wildcard support to Microsoft Intune Endpoint Privilege Management (EPM) for Windows endpoints. Instead of creating a separate rule for every versioned executable, administrators can use wildcards to match dynamic file names or version patterns. This cuts rule maintenance without loosening which files may be elevated, provided the pattern is kept narrow.

Organizations can create a single rule that covers every version of an updater application under Program Files, or match setup files with varying version numbers in users' Downloads folders. A well-crafted wildcard rule replaces dozens of version-specific entries, making rule sets both easier to maintain and more resilient to application updates. The trade-off is scope: a wildcard that is too loose (for example, any executable in a Downloads folder) elevates whatever a user, or malware running as that user, drops there under a matching name. Keep the fixed part of the path as long as possible, and combine the path condition with a certificate or file-hash condition where the rule allows it.
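As an added illustration (not Intune EPM's matching engine and not code from this post), the following Python models a path-wildcard elevation rule evaluator over constructed sample rules and binaries. It shows the benefit described above (one pattern covering every build of an updater) and the check a practitioner wants before rolling out a wildcard rule: a pattern such as `C:\Users\*\Downloads\*setup*.exe` elevates anything a user renames to fit it unless the rule is also bound to the signer. The rule names, paths and the "Contoso Ltd" publisher are assumptions made up for the example; the wildcard semantics (case-insensitive, `*` confined to one directory segment) are this model's, not a statement of how EPM evaluates patterns.

```python
"""Added example: a segment-wise wildcard matcher for elevation rules.

Models how a path wildcard rule can be evaluated and why an over-broad
pattern is dangerous. This is NOT Intune EPM's matching engine; the rule
and binary records below are constructed sample data.
"""
import fnmatch
import ntpath
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Binary:
    path: str
    publisher: Optional[str]          # Authenticode signer subject, None if unsigned


@dataclass(frozen=True)
class Rule:
    name: str
    path_pattern: str                 # '*' and '?' wildcards, one directory segment at a time
    publisher: Optional[str] = None   # if set, the file must also be signed by this publisher


def _segments(p: str) -> List[str]:
    # Windows paths are case-insensitive; ntpath.normpath also collapses '..'
    # and converts '/' to '\', so a traversal-style path is compared resolved.
    return ntpath.normpath(p).lower().split("\\")


def path_matches(pattern: str, path: str) -> bool:
    """True if every directory segment matches; '*' never crosses a '\\'.

    A pattern anchored in Program Files therefore cannot match a file the
    user placed one level deeper, nor a path that escapes with '..'.
    """
    pat, got = _segments(pattern), _segments(path)
    return len(pat) == len(got) and all(
        fnmatch.fnmatchcase(g, p) for p, g in zip(pat, got)
    )


def matching_rules(rules: List[Rule], binary: Binary) -> List[str]:
    """Names of the rules that would elevate this binary."""
    return [
        r.name for r in rules
        if path_matches(r.path_pattern, binary.path)
        and (r.publisher is None or r.publisher == binary.publisher)
    ]


# Constructed sample rules (hypothetical names, paths and publisher).
RULES = [
    # One rule replaces a version-specific entry per build.
    Rule("contoso-updater", r"C:\Program Files\Contoso\Updater\Updater-*.exe",
         publisher="Contoso Ltd"),
    # Over-broad: any user can drop anything named *setup*.exe into Downloads.
    Rule("any-setup-in-downloads", r"C:\Users\*\Downloads\*setup*.exe"),
    # Same scope, but bound to the signer, so a renamed attacker binary is not elevated.
    Rule("signed-setup-in-downloads", r"C:\Users\*\Downloads\*setup*.exe",
         publisher="Contoso Ltd"),
]

# Constructed sample binaries as EPM might see them at elevation time.
SAMPLES = {
    "versioned updater": Binary(r"C:\Program Files\Contoso\Updater\Updater-2.3.1.exe", "Contoso Ltd"),
    "next build":        Binary(r"C:\Program Files\Contoso\Updater\updater-2.4.0.EXE", "Contoso Ltd"),
    "traversal":         Binary(r"C:\Program Files\Contoso\Updater\..\Updater-2.3.1.exe", "Contoso Ltd"),
    "nested dir":        Binary(r"C:\Program Files\Contoso\Updater\plugins\Updater-2.3.1.exe", "Contoso Ltd"),
    "attacker setup":    Binary(r"C:\Users\alice\Downloads\totally-legit-setup.exe", None),
    "vendor setup":      Binary(r"C:\Users\alice\Downloads\ContosoSetup-9.1.exe", "Contoso Ltd"),
}


def report() -> dict:
    """Which rules fire for each sample binary."""
    return {label: matching_rules(RULES, b) for label, b in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:18s} -> {hits or 'no elevation'}")
```

Running it shows the two updater builds elevated by the single `contoso-updater` rule, the traversal and nested-directory paths rejected, and the unsigned `totally-legit-setup.exe` elevated only by the rule that lacks a publisher condition. That last line is the case to look for when reviewing a proposed wildcard rule.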

Customize device cleanup for different platforms

After addressing Apple device management and Windows privilege controls, there's one more cross-platform challenge: keeping device inventories current. Different platforms have different usage patterns and lifecycle requirements, but traditional cleanup rules treat all devices the same way.

We've expanded device cleanup rules to be per-platform, so organizations can configure different cleanup criteria for Windows, iOS/iPadOS, macOS, and Android devices. Organizations can now use the Audit logs to track and review which devices cleanup rules have concealed, giving full visibility into device management hygiene.

Stories like my friend's weekend credential hunt are exactly why these capabilities matter—reducing the friction that gets in the way of the work IT teams actually want to do.


Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.

Updated Jul 25, 2025
Version 3.0

3 Comments

  • Device cleanup rules based on platform is awesome - now you just need to either completely remove the cap of 270 days or let us customers choose a higher number. 

    Thank you :)

    carlosbh
    Brass Contributor

Hi team! When I rotate the local admin password, I get the "initiation failed" message and the password doesn't rotate (I can still see the one that is active), and I can't find any audit log entry referencing rotateLocalAdminPassword ManagedDevice. RBAC permissions are set, and the device was newly enrolled using an ADE profile with LAPS enabled. Am I missing something? Thanks!

      carlosbh
      Brass Contributor

      It looks like this has started working; it might just need a bit more time to sync and process the changes.