Microsoft Intune is excited to support Apple in their launch of macOS 11. We are delighted to deliver new functionality enabled by the innovations on macOS 11 – ensuring that you enable productivity for your users wherever they are working or learning this fall.
We now support the following new device configurations on Intune-managed Macs running macOS Big Sur and later:
Non-OS software updates deferral
“Enable direct download” setting for associated domains
4096-bit SCEP certificate keys
Prevent users from disabling automatic VPN
Excluded Domains for per-app VPN connections
Starting in macOS Big Sur, all user-approved enrollments are automatically considered supervised. All Mac enrollments in Microsoft Endpoint Manager except those enrolled using Automated Device Enrollment (ADE) are considered user-approved. As currently enrolled devices update to macOS Big Sur, IT will be able to exercise the same level of control on these devices as supervised macOS devices enrolled using Automated Device Enrollment or Apple Configurator.
A new restriction for managing non-OS software updates on macOS 11 is now available in the Microsoft Endpoint Manager admin center. You can now defer the visibility of non-OS software updates up to 90 days on supervised devices. This new setting enhances the existing software update delay restriction to provide IT greater manageability of software updates. Existing restrictions will automatically migrate to the new setting and remain unchanged.
macOS 11 also introduces support for managed apps that bring many new app management capabilities similar to what is already available with iOS and iPadOS. macOS 11 enables IT to convert installed apps to managed apps, remotely uninstall managed apps on a managed device, and automatically remove all managed apps when the device is no longer managed. You can now utilize many of these new app management experiences in Microsoft Endpoint Manager admin center when configuring VPP apps (purchased apps and custom apps provisioned using Apple Business Manager) and line-of-business apps running on macOS 11. All purchased and custom apps on macOS 11 are now automatically installed as managed, allowing you to configure for each Azure AD group whether the app would be removed when the Mac is no longer managed.
We are also introducing the “uninstall” assignment type for VPP and line-of-business apps on macOS 11 that is applicable when an app is installed as managed. When adding line-of-business apps for macOS, you will now notice a new setting that allows you to choose whether the app should be installed as managed on macOS 11. This gives you the flexibility to deploy enterprise apps that may not yet be ready to be installed as managed on macOS 11. It is important to note that a line-of-business app can only be installed as managed on macOS 11 or higher when the app distributable contains a single app without any nested packages and installs to the /Applications directory. Any line-of-business app that diverges from this requirement should be installed as unmanaged on macOS 11.
macOS Intune Company Portal and Intune MDM agent are supported on both Intel and Apple Silicon Macs running macOS 11. While we are excited to see the ability to run iOS/iPadOS apps on macOS 11, this is controlled by the app publisher and at this time, Microsoft will not be releasing the M365 apps built for iOS/iPadOS on macOS. Therefore, the Microsoft Intune App SDK for iOS is only supported on iOS/iPadOS. For the best M365 experience, we will continue to support M365 apps built natively for macOS. Learn more about M365 apps on Apple Silicon.
To ensure that the M365 apps for iOS/iPadOS only run on supported devices, Microsoft recommends that you set the Conditional Access policy’s “grant” rule to “require app protection policy”. This will block access in case any M365 app is installed by sideloading or by any other unsupported means.
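One way to check that recommendation against an export of your Conditional Access policies is sketched below; it is an added example, not code from Microsoft or from the original post. It assumes the policies are in the Microsoft Graph `conditionalAccessPolicy` JSON shape, where the "require app protection policy" grant appears as the built-in control `compliantApplication`; the sample policies and their display names are constructed, and user, platform and exclusion scoping is ignored for brevity.

```python
import json

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects. Display names are made up for illustration.
SAMPLE_POLICIES = json.loads("""
[
  {"displayName": "M365 - require app protection", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["Office365"]}},
   "grantControls": {"operator": "AND",
                     "builtInControls": ["compliantApplication"]}},
  {"displayName": "M365 - MFA or app protection", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["Office365"]}},
   "grantControls": {"operator": "OR",
                     "builtInControls": ["mfa", "compliantApplication"]}},
  {"displayName": "M365 - MFA only", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["Office365"]}},
   "grantControls": {"operator": "AND", "builtInControls": ["mfa"]}},
  {"displayName": "Draft policy", "state": "disabled",
   "conditions": {"applications": {"includeApplications": ["All"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]
""")

APP_PROTECTION = "compliantApplication"  # "Require app protection policy"
M365_TARGETS = {"Office365", "All"}      # app scopes that include the M365 apps

def enforces_app_protection(policy):
    """True only if the grant cannot be satisfied without app protection."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if APP_PROTECTION not in controls:
        return False
    # With operator OR, any other listed control (e.g. mfa) also grants access.
    # Only builtInControls are considered in this simplified check.
    return grant.get("operator") == "AND" or len(controls) == 1

def audit(policies):
    """Split enabled policies covering M365 apps by whether they enforce it."""
    result = {"enforcing": [], "not_enforcing": []}
    for p in policies:
        apps = p.get("conditions", {}).get("applications", {})
        if p.get("state") != "enabled":
            continue  # disabled and report-only policies do not block access
        if not M365_TARGETS & set(apps.get("includeApplications", [])):
            continue
        key = "enforcing" if enforces_app_protection(p) else "not_enforcing"
        result[key].append(p["displayName"])
    return result

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICIES), indent=2))
```

An empty `enforcing` list means no enabled policy makes app protection mandatory for the M365 apps; the `not_enforcing` entries are worth reviewing for OR-combined grants that let a client through on another control alone.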
In upcoming releases, we plan to add even more features to support your Apple management journey, including skipping the Accessibility pane during Automated Device Enrollments and associated domains for per-app VPN connections on macOS Big Sur and later.
Apple posted updated versions of operating system software license agreements to Apple Business Manager on September 16, 2020. Your organization won’t be able to enroll devices or deploy new apps until an administrator has signed into Apple Business Manager and accepted the new terms.
If you haven’t been testing with the public beta releases, be sure to test your scenarios now that macOS 11 is releasing.
Test out new Endpoint Manager functionality and see how it might apply to scenarios in your organization.
If you haven’t already, accept Apple’s new versions of operating system software license agreements in Apple Business Manager.
Keep us posted on your favorite new feature and as always let us know if you have any additional questions or feedback. You can comment on this post or reach out to us on Twitter by tagging us at @IntuneSuppTeam.
Blog post updates
12/2/20: Updated to clarify that Microsoft will not be releasing the M365 apps built for iOS/iPadOS on macOS. Therefore, the Microsoft Intune App SDK for iOS is only supported on iOS/iPadOS. For the best M365 experience, we will continue to support M365 apps built natively for macOS. Learn more about M365 apps on Apple Silicon.