Day zero support for iOS/iPadOS 18 and macOS 15
Published Sep 09 2024 09:30 PM

With Apple's recent announcement of iOS/iPadOS 18.0 and macOS 15.0 Sequoia, we’ve been working hard to ensure that Microsoft Intune can provide day zero support for Apple’s latest operating systems so that existing features work as expected.

 

We’ll continue to upgrade our service and release new features that integrate elements of support for the new operating system (OS) versions.

 

Apple profile-based User Enrollment with Company Portal

Apple supports two types of manual enrollment methods for users and devices in bring-your-own-device (BYOD) scenarios: profile-based enrollment and account-driven enrollment. Apple has ended support for profile-based User Enrollment, known in Intune as User Enrollment with Company Portal. This method was Apple's privacy-focused BYOD enrollment flow that used managed Apple IDs. As a result of this change, Intune has ended support for profile-based User Enrollment with Company Portal. Note that fewer than 1% of Intune-enrolled Apple devices use this method. Users can no longer enroll devices targeted with this enrollment profile type. Devices already enrolled with this profile type aren't impacted by this change, so you can continue to manage them in the admin center and receive Microsoft Intune technical support.

 

There's no change to profile-based device enrollment with Company Portal, the default enrollment method for BYOD scenarios. Devices enrolled via Apple automated device enrollment also remain unaffected.

 

We recommend account-driven user enrollment as a replacement method for devices. For more information about your BYOD enrollment options in Intune, see:

 

 

For more information about the device enrollment types supported by Apple, see Intro to Apple device enrollment types in the Apple Platform Deployment guide.

 

New settings and payloads

We’ve continued to invest in the data-driven infrastructure that powers the settings catalog, enabling us to provide day zero support for new settings as they’re released by Apple. The Apple settings catalog has been updated to support all of the newly released iOS/iPadOS and macOS settings for both declarative device management (DDM) and mobile device management (MDM) so that your team can have your devices ready for day zero. New settings for DDM include:

 

Disk Management

  • External Storage: Control the mount policy for external storage
  • Network Storage: Control the mount policy for network storage

 

Safari Extension Settings

  • Allowed Domains: Control the domain and sub-domains that the extension can access
  • Denied Domains: Control the domain and sub-domains that the extension cannot access
  • Private Browsing: Control whether an extension is allowed in Private Browsing
  • State: Control whether an extension is allowed, disallowed, or configurable by the user

 

Software Update Settings

  • Allow Standard User OS Updates: Control whether a standard user can perform Major and Minor software updates

 

Software Update Settings > Automatic updates

  • Allowed: Specifies whether automatic downloads of available updates can be controlled by the user
  • Download: Specifies whether automatic downloads of available updates can be controlled by the user
  • Install OS Updates: Specifies whether automatic install of available OS updates can be controlled by the user
  • Install Security Update: Specifies whether automatic install of available security updates can be controlled by the user

 

Software Update Settings > Deferrals

  • Combined Period In Days: Specifies the number of days to defer a major or minor OS software update on the device
  • Major Period In Days: Specifies the number of days to defer a major OS software update on the device
  • Minor Period In Days: Specifies the number of days to defer a minor OS software update on the device
  • System Period In Days: Specifies the number of days to defer system or non-OS updates. When set, updates only appear after the specified delay, following the release of the update
  • Notifications: Configure the behavior of notifications for enforced updates

 

Software Update Settings > Rapid Security Response

  • Enable: Control whether users are offered Rapid Security Responses when available
  • Enable Rollback: Control whether users are offered Rapid Security Response rollbacks
  • Recommended Cadence: Specifies how the device shows software updates to the user

 

New settings for MDM include:

 

Extensible Single Sign On (SSO) > Platform SSO

  • Authentication Grace Period: The amount of time after a 'FileVault Policy', 'Login Policy', or 'Unlock Policy' is received or updated that unregistered local accounts can be used
  • FileVault Policy: The policy to apply when using Platform SSO at FileVault unlock on Apple Silicon Macs
  • Login Policy: The policy to apply when using Platform SSO at the login window
  • Non Platform SSO Accounts: The list of local accounts that are not subject to the 'FileVault Policy', 'Login Policy', or 'Unlock Policy'
  • Offline Grace Period: The amount of time after the last successful Platform SSO login a local account password can be used offline
  • Unlock Policy: The policy to apply when using Platform SSO at screensaver unlock

 

Extensible Single Sign On Kerberos

  • Allow Password: Allow the user to switch the user interface to Password mode
  • Allow SmartCard: Allow the user to switch the user interface to SmartCard mode
  • Identity Issuer Auto Select Filter: A string with wildcards that can be used to filter the list of available SmartCards by issuer, e.g., "*My CA2*"
  • Start In Smart Card Mode: Control if the user interface will start in SmartCard mode

 

Restrictions

  • Allow ESIM Outgoing Transfers
  • Allow Personalized Handwriting Results
  • Allow Video Conferencing Remote Control
  • Allow Genmoji
  • Allow Image Playground
  • Allow Image Wand
  • Allow iPhone Mirroring
  • Allow Writing Tools

 

System Policy Control

  • Enable XProtect Malware Upload

With the upcoming Intune September (2409) release, the new DDM settings will be:

 

Math

  • Calculator
  • Basic Mode
  • Add Square Root
  • Scientific Mode - Enabled
  • Programmer Mode - Enabled
  • Input Modes - Unit Conversion
  • System Behavior - Keyboard Suggestions
  • System Behavior - Math Notes

 

New MDM settings for Intune’s 2409 (September) release include:

 

System Extensions

  • Non Removable System Extensions
  • Non Removable System Extensions UI

 

Web Content Filter

  • Hide Deny List URLs

 

More information on configuring these new settings using the settings catalog can be found at Create a policy using settings catalog in Microsoft Intune.

 

Updates to ADE Setup Assistant screens within enrollment policies

With Intune’s September (2409) release, there’ll be six new Setup Assistant screens that admins can choose to show or hide when creating an Automated Device Enrollment (ADE) policy. These include three iOS/iPadOS and three macOS Skip Keys that will be available for both existing and new enrollment policies.

 

  • Emergency SOS (iOS/iPadOS 16+)
    • The IT admin can choose to show or hide the iOS/iPadOS Safety (Emergency SOS) setup pane that is displayed during Setup Assistant.

  • Action button (iOS/iPadOS 17+)
    • The IT admin can choose to show or hide the iOS/iPadOS Action button configuration pane that is displayed during Setup Assistant.

  • Intelligence (iOS/iPadOS 18+)
    • The IT admin can choose to show or hide the iOS/iPadOS Intelligence setup pane that is displayed during Setup Assistant.

  • Wallpaper (macOS 14+)
    • The IT admin can choose to show or hide the macOS Sonoma wallpaper setup pane that is displayed after an upgrade. If the screen is hidden, the Sonoma wallpaper will be set by default.

  • Lockdown mode (macOS 14+)
    • The IT admin can choose to show or hide the macOS Lockdown Mode setup pane that is displayed during Setup Assistant.

  • Intelligence (macOS 15+)
    • The IT admin can choose to show or hide the macOS Intelligence setup pane that is displayed during Setup Assistant.

For more information, refer to SkipKeys in the Apple Developer Documentation.

 

Updates to supported vs. allowed versions for user-less devices

We previously introduced a new model for enrolling user-less devices (or devices without a primary user) for supported and allowed OS versions to keep enrolled devices secure and efficient. The support statements have been updated to reflect the changes with the iOS/iPadOS 18 and upcoming macOS 15 releases:

 

  • Support statement for supported versus allowed macOS versions for devices without a primary user.

 

If you have any questions or feedback, leave a comment on this post or reach out on X @IntuneSuppTeam. Stay tuned to What’s new in Intune for additional settings and capabilities that will soon be available!

 

Updates
9/12/2024: Content updated for clarity on support of Apple User Enrollment.

9/19/2024: As comments to this post indicated, we have confirmed there's an issue with Stealth Mode and non-compliant devices. See the details and workaround in this post: https://aka.ms/macOS_stealth_mode

Last update: Sep 19 2024 07:15 PM