cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Endpoint Manager support for macOS Big Sur
By
Intune_Support_Team
Published Nov 12 2020 08:00 AM 23.5K Views
Intune_Support_Team
Microsoft
‎Nov 12 2020 08:00 AM

Microsoft Endpoint Manager support for macOS Big Sur

‎Nov 12 2020 08:00 AM

Microsoft Intune is excited to support Apple in their launch of macOS 11. We are delighted to deliver new functionality enabled by the innovations on macOS 11 – ensuring that you enable productivity for your users wherever they are working or learning this fall.

 

We now support the following new device configurations on Intune-managed Macs running macOS Big Sur and later:

  • Non-OS software updates deferral
  • “Enable direct download” setting for associated domains · 4096-bit SCEP certificate keys
  • Prevent users from disabling automatic VPN
  • Excluded Domains for per-app VPN connections

 

Starting in macOS Big Sur, all user-approved enrollments are automatically considered supervised. All Mac enrollments in Microsoft Endpoint Manager except those enrolled using Automated Device Enrollment (ADE) are considered user-approved. As currently enrolled devices update to macOS Big Sur, IT will be able to exercise the same level of control on these devices as supervised macOS devices enrolled using Automated Device Enrollment or Apple Configurator.

 

A new restriction for managing non-OS software updates on macOS 11 is now available in the Microsoft Endpoint Manager admin center. You can now defer the visibility of non-OS software updates up to 90 days on supervised devices. This new setting enhances the existing software update delay restriction to provide IT greater manageability of software updates. Existing restrictions will automatically migrate to the new setting and remain unchanged.

 

macOS 11 also introduces support for managed apps that bring many new app management capabilities similar to what is already available with iOS and iPadOS. macOS 11 enables IT to convert installed apps to managed apps, remotely uninstall managed apps on a managed device, and automatically remove all managed apps when the device is no longer managed. You can now utilize many of these new app management experiences in Microsoft Endpoint Manager admin center when configuring VPP apps (purchased apps and custom apps provisioned using Apple Business Manager) and line-of-business apps running on macOS 11. All purchased and custom apps on macOS 11 are now automatically installed as managed, allowing you to configure for each Azure AD group whether the app would be removed when the Mac is no longer managed.

 

We are also introducing the “uninstall” assignment type for VPP and line-of-business apps on macOS 11 that is applicable when an app is installed as managed. When adding line-of-business apps for macOS, you will now notice a new setting that allows you to choose whether the app should be installed as managed on macOS 11. This gives you the flexibility to deploy enterprise apps that may not yet be ready to be installed as managed on macOS 11. It is important to note that a line-of-business app can only be installed as managed on macOS 11 or higher when the app distributable contains a single app without any nested packages and installs to the /Applications directory. Any line-of-business app that diverges from this requirement should be installed as unmanaged on macOS 11.

 

macOS Intune Company Portal and Intune MDM agent are supported on both Intel and Apple Silicon Macs running macOS 11. While we are excited to see the ability to run iOS/iPadOS apps on macOS 11, this is controlled by the app publisher and at this time, Microsoft will not be releasing the M365 apps built for iOS/iPadOS on macOS. Therefore, the Microsoft Intune App SDK for iOS is only supported on iOS/iPadOS. For the best M365 experience, we will continue to support M365 apps built natively for macOS. Learn more about M365 apps on Apple Silicon.

 

To ensure that the M365 apps for iOS/iPadOS apps only run on supported devices, Microsoft recommends that you set the Conditional Access policy’s “grant” rule to “require app protection policy”. This will block access in case any M365 app is installed by sideloading or by any other unsupported means.

 

In upcoming releases, we plan to add even more features to support your Apple management journey including skipping Accessibility pane during Automated Device Enrollments and associated domains for per-app VPN connections on macOS Big Sur and later.

 

Apple posted updated versions of operating system software license agreements to Apple Business Manager on September 16, 2020. Your organization won’t be able to enroll devices or deploy new apps until an administrator has signed into Apple Business Manager and accepted the new terms.

 

For more information, see the Apple Support article: If Apple Business Manager or Apple School Manager asks you to approve new terms and conditions.

 

What should you do now?

  • If you haven’t been testing with the public beta releases, be sure to test your scenarios now that macOS 11 is releasing.

  • Test out new Endpoint Manager functionality and see how it might apply to scenarios in your organization.

  • If you haven’t already, accept Apple’s new versions of operating system software license agreements in Apple Business Manager.

 

Keep us posted on your favorite new feature and as always let us know if you have any additional questions or feedback. You can comment on this post or reach out to us on Twitter by tagging us at @IntuneSuppTeam.

 

Blog post updates

12/2/20: With an update to clarify that Microsoft will not be releasing the M365 apps built for iOS/iPadOS on macOS. Therefore, the Microsoft Intune App SDK for iOS is only supported on iOS/iPadOS. For the best M365 experience, we will continue to support M365 apps built natively for macOS. Learn more about M365 apps on Apple Silicon.

32 Comments
OzymandiasTron
Copper Contributor
‎Nov 20 2020 01:37 AM
‎Nov 20 2020 01:37 AM

@Intune_Support_Team Will the new features include App-Protection-Policy support for macOS? Forcing the usage of Microsoft enlightened apps and restricting them with this policies would improve the protection from unintentional data loss a lot.

 

0 Likes
Like
Intune_Support_Team
Microsoft
‎Nov 24 2020 04:59 PM
‎Nov 24 2020 04:59 PM

Hi @OzymandiasTron, thanks for the question! M365 apps built for iOS/iPadOS are not available on macOS. Therefore, the Microsoft Intune App SDK for iOS is only supported on iOS/iPadOS. For the best M365 experience, we will continue to support M365 apps built natively for macOS. We'd appreciate your feedback in helping improve Intune! There is an existing UserVoice idea to support APP for macOS you may want to add your vote to.

Ed Hixon
Iron Contributor
‎Nov 25 2020 09:12 AM
‎Nov 25 2020 09:12 AM

When will Defender run natively, rather than with Rosetta 2?  Isn't this less-than-ideal security-wise?

0 Likes
Like
Intune_Support_Team
Microsoft
‎Dec 18 2020 06:02 PM
‎Dec 18 2020 06:02 PM

Hi @Ed Hixon, thanks for the question! MDE on Mac does not currently support the new ARM Apple silicon. The native support is on the roadmap. No timelines for the new ARM Apple silicon support can be shared at this time.

Sujith Suriya
Copper Contributor
‎Dec 22 2020 07:42 AM
‎Dec 22 2020 07:42 AM

 

Yesterday, I gave a try to enroll a new DEP MAC Book Air (macOS 11.1 (20C69)) (Intel-Based), everything went well except Intune "Microsoft 365 Apps for macOS".  I waited long time and it did not install on MacOS 11.1 but it works fine with macOS 10.15.7. 

 

As per Microsoft 365 and Office 2019 support for Apple Silicon , The December 2020 release (build 16.44) provides native support for both Apple Silicon and Intel-based Macs. Word, Excel, PowerPoint, Outlook, and OneNote are supplied as a Universal macOS binary, where the Mac operating system will dynamically load the most optimal app components for your device. This release of Office includes the latest optimizations for macOS Big Sur, which is the first operating system to support Apple Silicon.

 

In my case, it did not work. for your info its not a LOP app instead I used Microsoft 365 Apps which should work regardless of architecture. 

 

Yes offcourse, i can download the latest from https://docs.microsoft.com/en-us/officeupdates/update-history-office-for-mac and deploy it as LOB app but its not a best practice to do when Microsoft provides Office App for Mac. 

Ed Hixon
Iron Contributor
‎Dec 22 2020 08:02 AM
‎Dec 22 2020 08:02 AM

Sujith, thanks for duplicating my problem !

The manual download solution solves the problem for a specific case, but I'm looking for resolution for all our future DEP enrollments, instead of a manual fix for each.

 

I'd also totally prefer not to build a custom LOB app, and use the native Intune Microsoft Office apps built-in, that would be expected to work.

 

 

Sujith Suriya
Copper Contributor
‎Dec 23 2020 12:46 AM
‎Dec 23 2020 12:46 AM

There is a work around to solve this problem. 

 

This is what I did, used a shell script from this link to install Microsoft 365 App on Mac using this https://docs.microsoft.com/en-us/officeupdates/update-history-office-for-mac which solved my problem and I believe this link will also take care of updates in future. 

 

 

0 Likes
Like
matwa
Brass Contributor
‎Dec 27 2020 02:28 AM
‎Dec 27 2020 02:28 AM

You say "macOS Intune Company Portal and Intune MDM agent are supported on both Intel and Apple Silicon Macs running macOS 11".

That's not true. The MDM agent is definitely not running on a Silicon Mac and thus no script, no further automation running without intervention:

 

sh: /Library/Intune/Microsoft Intune Agent.app/Contents/MacOS/IntuneMdmAgent: Bad CPU type in executable

 

Also Company Portal is running solely with Rosetta Support enabled. Rosetta Support cannot be enable via script, as the MDMD agent is also not working.

 

Sorry guys, but where is the Mac Silicon Support? Automated enrollment is not possible with this. 

matwa
Brass Contributor
‎Dec 27 2020 06:25 AM
‎Dec 27 2020 06:25 AM

@Intune_Support_Team

 

If I call 

/usr/sbin/softwareupdate --install-rosetta --agree-to-license

from a root terminal, Rosetta gets activated and the Microsoft Intune Agent can then be executed. I already made a script out of this, but it doesn't get deployed as the MDM Agent under Mac Silicon is not working.

 

Is there any possibility to run this command from Intune without a working MDM Agent? It looks like the typical chicken-and-egg problem to me.

Without Agent no Script can be run, without Script Rosetta can't be enabled remotely, without Rosetta the Agent won't run.

 

Imho the most reasonable solution should be a new release of the agent as a universal binary compatible with both worlds (Intel & Arm). And best of all the whole thing also for the Company portal. Would make life easier and deliver on the promise of real Silicon support.

 

Best

Matthias

Ed Hixon
Iron Contributor
‎Jan 27 2021 07:57 AM
‎Jan 27 2021 07:57 AM

Matthias has described well what's needed. 

 

It's frustrating to me that after this many months since M1 Silicon hardware, paired with BigSur OS, has been sold to us, that Microsoft has not yet

  • developed a solution for ADE Intune enrollment, or 
  • PUBLICIZED this shortcoming.

I've had a ticket open with MS Convergys in India for over 9 weeks on this topic.

 

Not feeling particularly supported, 

Ed

Ed Hixon
Iron Contributor
‎Jan 27 2021 08:29 AM
‎Jan 27 2021 08:29 AM

After 9 weeks, they still haven't been able to obtain the hardware and software platform to attempt to replicate my problem:


"Again, I apologize for all the inconvenience caused and appreciate the level of patience you have shown.
The major roadblock here had been arranging BigSur device enrolled using DEP with a Apple silicon in it as it’s a fairly new piece of hardware."

0 Likes
Like
salihzett
Iron Contributor
‎Feb 10 2021 01:14 AM
‎Feb 10 2021 01:14 AM

@Intune_Support_Team After more than 2 weeks and a lot of headaches and configuring exceptions for all apps in our Intune to find the reason why it is not working, I found this and know now, MS Intune can not handle this?

Shame.

So all new Macs come with BigSur, and also the first four M1 devices have the same issue:
High RAM memory for IntuneMDMAgent, on one device there is just a mdmclient and nothing more.

Both are M1.

 

Today in the morning I received the third case. There is no GB task issue with IntuneMDMAgent in the memory but nevertheless, the RAM has run out.

 

Screen Shot 2021-02-09 at 20.04.31.pngScreen Shot 2021-02-10 at 10.12.08.png

Intune_Support_Team
Microsoft
‎Feb 10 2021 05:02 PM
‎Feb 10 2021 05:02 PM

Hi @matwa and @Ed Hixon, thank you both for the feedback! We are actively working on a solution, though no dates to currently share. Stay tuned to this post and our In development docs for future updates.

Intune_Support_Team
Microsoft
‎Feb 10 2021 05:09 PM
‎Feb 10 2021 05:09 PM

Hi @salihzett, thanks for the info and sorry to hear about your recent Intune experience. Checking with the team, this does not sound as expected. Let's get you over to our support folks for further investigation into this issue. Please open a support request from within the MEM admin console, or any of the methods here. Once created, feel free direct message us with your support case number so we can have an eye on the case. Thanks!

0 Likes
Like
salihzett
Iron Contributor
‎Feb 11 2021 03:18 AM
‎Feb 11 2021 03:18 AM

@Intune_Support_Team I already did.

Ed Hixon
Iron Contributor
‎Feb 11 2021 10:28 AM
‎Feb 11 2021 10:28 AM

Case has been open and unresolved since November 2020.

salihzett
Iron Contributor
‎Feb 11 2021 12:18 PM
‎Feb 11 2021 12:18 PM

@Ed Hixon Same case or another issue? (just interest)

0 Likes
Like
harrys80
Copper Contributor
‎Feb 27 2021 08:33 PM
‎Feb 27 2021 08:33 PM

@Intune_Support_Team  This has been a major issue for now. We have reports from our users on this issue starting last week and have already case opened [Case #:24417763] with support team. Mac's get frozen due to High memory usage from IntuneMdmAgent. Users are not able to work till we remove the Company portal Application and remove the registration from the device. We have over 250 mac devices do not want to remove the company profile and re-add. 

 

harrys80_1-1614486667218.png

 

This need to fix as a high priority. Also, please update if there is any temporary solution to it without removing the application and company profiles. 

 

HiltonT_Quark
Copper Contributor
‎Mar 09 2021 03:38 PM
‎Mar 09 2021 03:38 PM

10th March 2021 now, and we've still not got a successful deployment of M365 Apps or Edge through InTune on any M1 Macs.  Come on Microsoft, you're starting to drag the chain in the way we expect of Adobe.  :(

salihzett
Iron Contributor
‎Mar 15 2021 01:04 PM
‎Mar 15 2021 01:04 PM

@harrys80 you have the same issue like me and u are the prove that this issue is not only for our company. Thanks

the MS Intune support told me, this is not regarding Company Portal or IntuneMDMAgent also after I proved this with logs and screenshots and a lot of emails. They suggested to me to read an article “how I can make BigSur faster-10 tips”, lol. This a shame by the way @Intune_Support_Team .

 

I found a way to troubleshoot this issue. Currently it works for me and a lot of others.

I will not share this here. Why? Because I resolved this by my own. Next to my job. Spend hours and days with wiping, trying, DEP etc.

And the Intune Support didn’t help or support. Just wasting my time.

Anyway, It is a pleasure to help others directly, so contact me via MacSysAdmin Slack channel, user: salihzett or via email: hello(at)Salih-Zengin.com

 

Best

0 Likes
Like
salihzett
Iron Contributor
‎Mar 15 2021 01:25 PM
‎Mar 15 2021 01:25 PM

Btw, maybe the new universal version from Company Portal and hopefully IntuneMDMAgent will resolve this. I would not bet cuz I read only about a new version for Company Portal.

0 Likes
Like
Intune_Support_Team
Microsoft
‎Apr 05 2021 03:24 PM
‎Apr 05 2021 03:24 PM

@HiltonT_Quark, thank you for the feedback. We're happy to share that in the March (2103) service release, the Intune management agentMicrosoft 365 Apps, and Microsoft Edge for macOS devices are now universal apps!

0 Likes
Like
Martijn_van_Loenen
Copper Contributor
‎Jun 29 2021 08:00 AM
‎Jun 29 2021 08:00 AM

@Intune_Support_Team 
Within our company we are already testing the successor of macOS Big Sur, macOS Monterey (Beta 2) but we ran into this issue during Intune enrollment :

Screenshot 2021-06-17 at 11.23.36.png

The error "Profile installation failed" appears while trying to install the profile.

Details: Invalid profile: the PayloadIdentifier “www.windowsintune.com.credentials” is used more than once in the profile.

We have reported this issue to Apple Feedback and they came with this :
26/06/2021, 00:37:06 CEST

Apple Feedback

Your MDM is trying to install a profile which contains two payloads with the same PayloadIdentifier ("www.windowsintune.com.credentials"). 
This has always been discouraged but became a hard error on macOS 12.0 (iOS has rejected such profiles for several years now). 
Contact your MDM vendor and make them aware of the issue.

 

Are you aware of this issue, and are there plans to solve it before macOS Monterey will be released ?

thanks in advance, Martijn

Ed Hixon
Iron Contributor
‎Jun 29 2021 08:14 AM
‎Jun 29 2021 08:14 AM

Thanks, Martijn !

It's good to bump this so MS and Apple can begin resolving it.

 

It took 5 months after BigSur's initial release - v11.3 - before they were able to collaborate enough to allow required apps to install as designed with Intune enrollment through DEP/ADE.

Intune_Support_Team
Microsoft
‎Jul 02 2021 03:13 PM
‎Jul 02 2021 03:13 PM

Hi @Martijn_van_Loenen and @Ed Hixon, thanks for the report and the feedback! We are aware of this issue and are rolling out a fix with the July (2107) service release. We provide day zero support but continue testing/making updates/prepping for beta releases ourselves. You'll often see updates before the latest macOS ships. We're testing too!

Ryan Morash
Iron Contributor
‎Jul 27 2021 06:56 AM
‎Jul 27 2021 06:56 AM

The duplicate PayloadIdentifier issue appears to be resolved now

Martijn_van_Loenen
Copper Contributor
‎Jul 28 2021 02:42 AM
‎Jul 28 2021 02:42 AM

Also in our tenant this seems to be solved, but we are still on Intune Service release 2106.
@Intune_Support_Team You mentioned you would rollout a fix with the July (2107) Service release, but now it's already solved ?

What has happened ?

0 Likes
Like
Intune_Support_Team
Microsoft
‎Jul 28 2021 11:01 AM
‎Jul 28 2021 11:01 AM

Hi @Ryan Morash and @Martijn_van_Loenen, thanks for confirming that this is now resolved for you both!

 

@Martijn_van_Loenen - The July (2107) service release started rolling out this week and should complete by the end of this week across all tenants and regions. Once your tenant has been updated to the latest service release, your tenant details should be updated under the Tenant admin | Tenant details blade in the Microsoft Endpoint Manager admin center.

 

Check out our post: staying up to date on Intune new features, service changes, and service health on how to stay up to date with service changes!

0 Likes
Like
Martijn_van_Loenen
Copper Contributor
‎Jul 28 2021 11:15 PM
‎Jul 28 2021 11:15 PM

@Intune_Support_Team that's why I mentioned we were still on Intune Service release 2106, according to the Tenant details blade.
But today it says 2107 so perhaps it was displaying the old release while it was already updated..... ?

0 Likes
Like
Intune_Support_Team
Microsoft
‎Jul 29 2021 10:48 AM
‎Jul 29 2021 10:48 AM

Hi @Martijn_van_Loenen, we roll-out the Intune service release in a phased approach for all our service deployments. Once all tenants have been successfully updated, we update the Microsoft Endpoint Manager admin center UI. This phased approach lets us identify issues before they impact the service or our customers. You may see some features light up in the UI before others, however just note that until the tenant details blade is updated, the current service release may still be rolling out to your tenant :smile:.

 

Check out: How we built (rebuilt!) Intune into a leading globally scaled cloud service | Microsoft 365 Blog for a behind the scenes look into the architecture and how we built Intune. Hope this helps!

mohamedjasem
Copper Contributor
‎Sep 14 2021 09:41 AM
‎Sep 14 2021 09:41 AM

Dear Gents ,

We are using endpoint manager -Intune to push Apps for Mac 11.5 big sur through company portal & we wrapped following apps in win32 wrapper tool under LOP mode 

*Google Drive 

*Slack

*Teamswork desktop 

Above apps are pushing and status showing installed in assigned devices  but not showing in devices ....

0 Likes
Like
fourstar922
Copper Contributor
‎Feb 17 2022 05:42 PM
‎Feb 17 2022 05:42 PM

@Intune_Support_Team Can i update from Catalina to BigSur using InTune?

0 Likes
Like
Version history
Last update:
‎Dec 19 2023 01:24 PM
Updated by: