AMA: Securely manage iOS/iPadOS and macOS endpoints with Intune
Event details
Let’s chat about the latest and greatest in Intune Apple device management! With the introduction of Just-In-Time (JIT) registration, your users get a more seamless onboarding experience in bring your own device (BYOD) scenarios. The iOS Company Portal app will no longer be required for Azure AD registration, allowing you to move towards a web-based device enrollment flow for BYOD. Similarly, the updated Account-Driven User Enrollment flow enables faster user enrollment for BYOD scenarios using JIT registration, again without requiring the iOS Company Portal app. We are streamlining DMG app deployments and reducing vulnerabilities in your Mac environment by keeping macOS devices updated with the latest software updates. We are also bringing the ability to use your Azure AD password to log in to your Intune-managed Macs.
Have questions? We’re here to answer them! Ask Microsoft Anything!
Post your questions in the Comments below. We'll have experts responding in the live stream and others in chat.
This AMA is part of a Microsoft Intune edition of Tech Community Live. Visit https://aka.ms/TCL/Intune for the full agenda.
95 Comments
- deets (Copper Contributor): Using filters, we occasionally see issues where the filter won't apply due to conflicts, despite no obvious conflicts. Is there any way you can see what exactly the conflict is? Something similar to the conditional access 'What If?' tool. This would be helpful to troubleshoot where filters are not applying.
- Char_Cheesman (Bronze Contributor): Thanks for participating in today's AMA on Securely manage iOS/iPadOS and macOS endpoints with Intune! For reference, the panel covered this topic at around 14:00.
- gschroot (Brass Contributor): In Education we have a lot of shared macOS devices where students log in with their AD account. A standard non-admin user account is created on the fly. But we need Jamf and Jamf Connect to achieve this. Will there be a similar streamlined experience available for Intune and Azure AD?
- gschroot (Brass Contributor): Is enrolling macOS devices with your Azure AD account, instead of creating a local machine account, on the roadmap? And is there a timeline for that?
- JaminAlmond (Microsoft): Hello, this is discussed in the blog below: https://techcommunity.microsoft.com/t5/microsoft-intune-blog/10-ways-microsoft-intune-improves-apple-device-management/ba-p/3766718
- keithchalmers (Copper Contributor): Will it ever be possible to specify multiple iOS major versions in app protection policy launch conditions? iOS 15 and 16 are both currently supported, but it's only possible to specify one for each action, e.g. Block.
- SchiefVanCleef (Brass Contributor): With Winget we are able to import and publish apps into Intune without hunting down the packages, including EXEs and MSIs. We can offer self-install apps from the Company Portal and using the Windows Store for Business. Are there any plans to offer Winget or an equivalent for macOS?
- saundy_88 (Copper Contributor): Why, when you manually enrol macOS devices, does the device status come up as "not evaluated"? It clearly is being evaluated, as when you click on the device properties it reports whether it is compliant or not. Can the status be changed from "not evaluated" to reflect the actual compliance for macOS devices?
- Ebuke_Okwese (Brass Contributor): We need more reporting information for mobile devices in the Intune GUI. Just like Windows has Update Rings, Android, iOS/iPadOS, and macOS devices should also have an update rings section within Intune. It's very tedious and time consuming to try and aggregate that data manually to present it in a meaningful way. When will Intune implement a section like that where we can get a breakdown of device count across different OS versions? Other MDM tools like Workspace ONE provide this functionality. The section should be linked to an auto sort that only shows those devices on that OS version. The GUI does not even provide a filter for OS version.
- Clay_Taylor (Microsoft): You should be able to filter by OS in the devices blade by clicking "add filter" here:
- Ebuke_Okwese (Brass Contributor): I know that there is an OS filter, but to be specific, I'm referring to an OS version number filter. Filtering by version numbers is really important for certain data gathering scenarios. Right now, the only way to do that is to download a CSV, create a table, and filter it out myself. I think it should be built into the GUI. A quick reporting dashboard that displays device counts for OS version numbers with an auto filter when you click on it would be wonderful.
- Dr_Snooze (Brass Contributor): With regard to updates, MS can only do so much. If the OS itself can't reliably update itself, or provide information about its update status, then there isn't much MS can do. Apple has recently had to revamp its automatic updates because vital security patches weren't getting installed. You can deploy a Configuration Policy in Intune that will force Apple to update, and so far, it seems to be working for me. https://learn.microsoft.com/en-us/mem/intune/protect/software-updates-macos I'm not aware of any way to mass deploy updates to Android or iOS devices, though someone can correct me there. Again, this is a limitation of the OSes, not MS. With regard to device counts, the latest Devices page in Intune does exactly what you want. Go to endpoint.microsoft.com -> Devices and you'll see all your OSes with a count of the devices using each one. You might need to flip a toggle button at the top of your page to get the new view, though.
- Ebuke_Okwese (Brass Contributor): iOS/iPadOS and macOS both have update policies you can apply to force automatic updates on check-in. That's not my issue though. It's on the data collection/reporting side. The GUI does not have a good dashboard where I can easily grab numbers for how many devices are on what version. This is really important for situations where we need to track update deployment or determine the organization impact of a problematic OS update.
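Until such a dashboard exists, the per-version breakdown asked for in this sub-thread can be pulled straight from Microsoft Graph instead of exporting a CSV and pivoting it by hand. The script below is an added example and is not code from the AMA, from Microsoft or from any of the commenters; it assumes the Microsoft.Graph.Authentication PowerShell module is installed and that the signed-in account holds the DeviceManagementManagedDevices.Read.All permission. The function name Get-IntuneOsVersionBreakdown and its Platform parameter are my own.

```powershell
# Added example: count Intune-managed devices per OS version via Microsoft Graph.
# Not part of the AMA; assumes Microsoft.Graph.Authentication is installed.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

function Get-IntuneOsVersionBreakdown {
    param(
        # Hypothetical parameter: which platform to report on. Values match the
        # operatingSystem property Intune reports on managedDevices.
        [Parameter(Mandatory)]
        [ValidateSet('iOS', 'macOS', 'Android', 'Windows')]
        [string]$Platform
    )

    # $filter narrows the query server-side; $select keeps each record small.
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
           "?`$filter=operatingSystem eq '$Platform'" +
           "&`$select=id,deviceName,operatingSystem,osVersion,lastSyncDateTime"

    # Graph returns results one page at a time; follow @odata.nextLink until
    # it is absent, otherwise large tenants are silently under-counted.
    $devices = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $devices += $page.value
        $uri = $page.'@odata.nextLink'
    } while ($uri)

    # Group by version, most populous version first. The Devices column gives
    # the "auto filter" view: which devices sit on that exact build.
    $devices | Group-Object -Property osVersion |
        Sort-Object -Property Count -Descending |
        Select-Object @{ Name = 'OsVersion'; Expression = { $_.Name } },
                      Count,
                      @{ Name = 'Devices';   Expression = { $_.Group.deviceName -join ', ' } }
}

# Usage: on-screen table, or persist a snapshot to track an update rollout over time.
Get-IntuneOsVersionBreakdown -Platform iOS | Format-Table -AutoSize
Get-IntuneOsVersionBreakdown -Platform macOS |
    Export-Csv -Path ".\macos-versions-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Running the export daily during a rollout gives the "how many devices are still on the problematic build" number the commenter is after; osVersion is whatever the device last reported, so the lastSyncDateTime field is worth keeping in the selection to spot stale entries.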
- Jonathon (Copper Contributor): macOS: With many enterprise-grade apps requiring customization and configuration as part of their installation, have enhancements been considered to the deployment of pkg and dmg files to allow pre-run and post-run scripts, or even modification of additional arguments added to the installer command that is being called? The shell scripting examples on GitHub provide a good framework for what can be done, but rolling this directly into the platform would help lessen the burden on each individual admin to maintain the framework of the scripts from iteration to iteration. Are there any best practices you've seen when it comes to app management overall?
- SchiefVanCleef (Brass Contributor): In the course of implementing O365/M365, and with it Microsoft Intune, Outlook for iOS has become the standard mail client on iOS devices for many customers today. This is due to the excellent user experience and the constant stream of new features implemented by Microsoft. From a security perspective, in addition to provisioning on managed devices (managed by Intune), the secure use on unmanaged devices with MAM or App Protection Policies (APP) is a big argument for using Outlook for iOS. Currently, many of our customers are working on a BYOD setup for blue collar workers, who typically have a maximum of one email inbox. A big pain point for many users who use Outlook for iOS in an MAM-only setup (and for MDM setups with Intune, too) is the missing caller identification of Exchange Online (EXO) contacts (automatically synced GAL contacts, not personal contacts). There are already several paid app solutions that close exactly this gap and offer more or less the same range of functions. The app builds a container and downloads the managed address books (GAL, personal) of the user and then enables the resolution of the caller ID or identification of the caller via the so-called Apple CallKit integration.
Will there be an Apple CallKit Directory Extension for Outlook and/or Teams?
With the possibility of using Apple CallKit in combination with Outlook or Teams for iOS and the contact synchronization (personal/GAL) of a managed EXO mailbox, the use of M365 in a BYOD scenario for customers' blue collar workers will massively increase. Furthermore, the use of contact synchronization is then also possible for devices managed by Intune. This creates an outstanding user experience while increasing user adoption!
Find the full article here: Outlook for iOS (MAM only Call Identification) - Microsoft Community Hub
- RobertHammen (Copper Contributor): When exactly will Microsoft support declarative MDM for fully-managed iOS/iPadOS devices? Announced by Apple in iOS/iPadOS 16 over 12 months ago, shipped 9 months ago. When will Microsoft support the new declarative MDM features announced in iOS/iPadOS 17 (and macOS 14) that were announced two weeks ago, and will ship this fall? Hopefully soon as well. One of the biggest challenges with trying to leverage Intune to manage iOS/iPadOS, compared to other popular MDM solutions, is that it's very much a "black box". No easy way to view pending or historical MDM commands. Also, not being able to export a config profile is frustrating...
- paddy_braun (Copper Contributor): Hi Robert, there is an option to export config profiles (and others) via Graph API. There are already existing solutions that back up almost all of your configs/policies/apps but, in my experience, not 100% complete (e.g. AppConfigs are missing). And there is an option to restore this as well. Have a look here: https://github.com/jseerden/IntuneBackupAndRestore If you are looking for a more granular way to backup/export individual config profiles, try this: https://github.com/microsoftgraph/powershell-intune-samples/blob/master/DeviceConfiguration/DeviceConfiguration_Export.ps1
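For readers who want the minimal version of the Graph export the reply above points to, here is an added example; it is my own code, not the linked project's script and not Microsoft's. It assumes the Microsoft.Graph.Authentication module and the DeviceManagementConfiguration.Read.All permission, and the function name Export-IntuneDeviceConfiguration is hypothetical. It writes one JSON file per profile, with the read-only and tenant-specific fields stripped so the files can be diffed, versioned, or re-posted to another tenant.

```powershell
# Added example: export each classic device configuration profile to a JSON file.
# Not the AMA's or the linked project's code; assumes Microsoft.Graph.Authentication.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All" -NoWelcome

function Export-IntuneDeviceConfiguration {
    param(
        # Hypothetical parameter: folder that receives one <displayName>.json per profile.
        [Parameter(Mandatory)]
        [string]$OutputFolder
    )
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    # Fields Graph sets itself; keeping them makes the export tenant-bound and
    # rejected on re-import, so they are removed before writing.
    $readOnly = 'id', 'createdDateTime', 'lastModifiedDateTime', 'version',
                'supportsScopeTags', 'roleScopeTagIds'

    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"
    $count = 0
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        foreach ($config in $page.value) {
            $clean = $config | Select-Object -Property * -ExcludeProperty $readOnly
            # Display names are free text: replace characters the filesystem rejects.
            $name = $config.displayName -replace '[\\/:*?"<>|]', '_'
            $path = Join-Path -Path $OutputFolder -ChildPath "$name.json"
            # Depth matters: nested settings are truncated at the default depth of 2.
            $clean | ConvertTo-Json -Depth 20 | Set-Content -Path $path -Encoding UTF8
            Write-Host "Exported '$($config.displayName)' ($($config.'@odata.type')) -> $path"
            $count++
        }
        # Follow pagination, otherwise only the first page of profiles is exported.
        $uri = $page.'@odata.nextLink'
    } while ($uri)

    Write-Host "Exported $count profile(s) to $OutputFolder"
}

# Usage: keep the folder under version control to see what changed between exports.
Export-IntuneDeviceConfiguration -OutputFolder ".\intune-profiles"
```

The @odata.type of each profile is echoed because it tells you which template the JSON belongs to, which is what you need when re-posting it. Two caveats in the spirit of the reply's "not 100% complete": this endpoint returns the classic template profiles only, so settings catalog profiles (exposed separately, under the beta deviceManagement/configurationPolicies endpoint) are not included, and the export does not capture assignments, which are a separate relationship on each profile.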
- benjamin_flamm (Microsoft): Hi Robert! We announced day 0 support for DDM this past year and have supported it since last year's OS releases: https://techcommunity.microsoft.com/t5/intune-customer-success/day-zero-support-for-ios-16-ipados-16-and-macos-13-ventura/ba-p/3624891 We built it directly into the settings catalog so we can more easily support day 0 configurations going forward. We have plans to fully roll it out to all tenants over the next few months, and we're super excited about all of the new announcements for DDM and are heavily investing in advancing it this year. Which MDM commands are you looking to get more info for? We have a Device actions report under Devices > Monitor that displays historical device action data. What scenario are you wanting to achieve by exporting a configuration profile?