New features in macOS Catalina and the consolidation of management of apps, devices and accounts under Apple Business Manager are transforming how apps are developed, verified and distributed on macOS. This article describes how Microsoft Intune is invested in macOS management capabilities to ensure that IT admins are ready to effectively manage their growing fleet of macOS devices.
We previously shared the new macOS management capabilities in Microsoft Intune such as support for FileVault disk encryption management and the evolution of macOS management capabilities. This article focuses on macOS apps landscape and improvements made for the deployment and management of macOS apps in Intune.
Over the last quarter, we have made great strides towards providing greater deployment choices to our Intune IT admins at scale and protect privacy for our end-users. These improvements in Microsoft Intune are aligned with key changes that macOS Catalina introduced to be more secure and provide greater privacy control to users. Following are some of the highlights of macOS-related improvements in Intune:
The rest of this article goes into further detail for each item above.
Apple announced a new requirement that all macOS software distributed outside Mac App Store be notarized by January 2020. Notarization indicates to Gatekeeper that the app is trusted and free from malware. This establishes a higher security standard for all apps to run on macOS and reduces the risk of users unintentionally running a malicious app. As more apps are notarized by developers, it will lower the barrier for developers to publish these apps to Mac App Store, therefore, paving the way for a richer app ecosystem for macOS devices that can be easily purchased using Apple Business Manager and deployed using Microsoft Intune.
The existing support for Apple VPP in Microsoft Intune for iOS and iPadOS devices, was made available for macOS platform in early October 2019. You can now deploy any app that is available in the App Store for macOS including core Microsoft Office apps such as Outlook, Word, Excel, PowerPoint, OneDrive and OneNote. VPP allows you the flexibility to deploy and assign individual apps as desired and manage them using licenses. The alternative method for deploying the preconfigured Microsoft Office 365 for macOS suite is still available, if desired.
In addition, internal apps (line-of-business apps) can now be distributed privately through App Store Connect as Custom Apps and licensed using Apple Business Manager. So, internal apps distributed to your organization’s Apple Business Manager account can now be deployed using Intune just like any other VPP app. This is a welcome gesture for IT admins looking to consolidate all their macOS app procurement and deployment needs using Apple Business Manager and Microsoft Intune.
Just like on iOS, VPP apps on macOS can be device-licensed or user-licensed. Device-licensing allows users to install assigned VPP apps without having to sign into App Store, user-licensing allows a user to use one license for up to 5 installs using the same Apple ID to sign into the App Store.
To see VPP apps for macOS in Intune, sync a VPP token in Intune admin console that has been used to purchase licenses for macOS apps. These apps will appear in Client apps > Apps on the Intune admin console. You can purchase VPP apps and download a location-token from Apple Business Manager or download a legacy VPP token from Apple VPP Portal.
With the release of macOS Catalina in October, Apple now supports only 64-bit binaries on macOS 10.15 and beyond. To continue to support customers preparing macOS line-of-business applications for deployment using Intune, the app wrapping tool (v1.2) on GitHub now supports the macOS 10.15 requirement.
The ability to run only 64-bits apps on macOS Catalina enables developers to build macOS apps to run more efficiently and take full advantage of the benefits of 64-bit architecture on macOS devices. This is especially applicable to apps that use a lot of memory and heavily depend on graphics.
Web clips can now be installed to the Dock of macOS desktop providing faster access to important or frequently visited webpages. Web clips assigned as required automatically install to the Dock, while web clips assigned as available can be installed using the Company Portal for macOS.
Web clips are installed as configuration profiles on the device, which can be found under System preferences > Profiles on a managed macOS device. If a user removes a web clip from the Dock, the corresponding configuration profile must be removed and re-installed for it to reappear on the Dock.
Working with large customers, such as those in the education sector, we heard feedback that a token limit of 256 per Intune tenant is restrictive to some customers. In the latest release, we overhauled our engineering systems to operate reliably at a greater scale and expanded support for Microsoft Intune to add and manage up to 990 Apple VPP tokens per Intune tenant. We are continuing to expand this scale to include even more tokens in future.
On managed macOS devices, Intune administrators could see full app inventory information under Devices > select a macOS device > Discovered apps. However, we heard customers ask for a way to protect personal app inventory on managed macOS devices. This is now applicable for newly enrolled macOS devices starting in October 2019. With this change, administrators can see app inventory information only pertaining to managed apps installed by Microsoft Intune and any apps that are installed by the user outside of Intune are not reported in the Intune console. Corporate devices will continue to report full app inventory information.
One of the technical challenges we faced while making the distinction between personal and corporate app inventory information is that macOS devices don’t distinguish between managed and unmanaged apps when reporting app inventory data. We built methods to evaluate other signals to determine what managed apps are deployed and installed on the personally-owned work device. This will build greater end-user trust in IT, and protect end-user privacy on bring-your-own (BYO) devices enrolled with Intune.
If you are attending Microsoft Ignite, make sure to add this session to your schedule or come say hi at our Microsoft Showcase booth in The Hub. For those who cannot make it in person to Orlando, the on-demand recording will be available shortly after the session. Microsoft Ignite is happening from November 4–8, 2019 in Orlando, USA.
Microsoft and Apple have a strong relationship for endpoint management, and we are always listening to customers to add the most requested capabilities for macOS, iOS and iPadOS management. We encourage you to share your feedback with the new features in the comments below, and suggest new feature requests using User Voice.
If you have any other suggestions, questions, or comments, please visit us on our Tech Community page.
Follow @MSIntune on Twitter
(This blog is co-authored with Arnab Biswas, Program Manager, Microsoft 365)
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.