10 ways Microsoft Intune improves Apple device management
Published Mar 14 2023 11:35 AM

Further to the announcement we made last summer about our commitment to Apple device management, we are excited to share ten important ways Microsoft Intune makes macOS and iOS/iPadOS devices more secure and easier for you to manage and protect.

Our goal is to help organizations address the endpoint management needs across their entire estate. This approach, and feedback from our customers, drives us to continuously innovate to create the best possible experiences for users and IT administrators who choose Apple devices for work.

As an example, Intune now powers EY's macOS management. Through a two-year collaboration with their Desktop Configuration Product team, EY can now easily and efficiently manage their macOS devices alongside Windows in Intune. In addition to the hundreds of thousands of Intune managed Windows desktops, EY plans to add tens of thousands of macOS devices. Read EY's LinkedIn post on the launch of its next-gen “Mac@EY Now Powered by Microsoft Intune” program here.

We look forward to extending this value to the many end users and enterprise organizations that choose Apple devices to get work done every day. Here are some of the near-term Intune enhancements:

  1. DMG apps for macOS
  2. PKG installers for macOS
  3. macOS software updates
  4. JIT for macOS
  5. Local account management
  6. Account driven user enrollment for iOS
  7. ADE enrollment
  8. JIT enrollment for iOS
  9. Shared Device Mode provisioning for iOS
  10. DDM policy management for iOS

Simplify DMG app deployments for Mac devices

Converting apps to PKG format was cumbersome and required packaging expertise. The DMG app-install capability augments the native app management scenarios for Intune managed macOS devices by introducing a new application deployment pipeline that uses the Intune MDM agent to install, monitor, and report on DMG-type applications. Since the preview announcement, we've listened to and addressed customer feedback. Now, we are adding the ability for you to deploy in-place DMG app upgrades. We expect to make the DMG app-install capability generally available in the coming months.

Flexible PKG installations

We heard time and again how the existing Mac line-of-business application workflow was hindering you from achieving your organization's deployment scenarios. We're actively working on a solution that will make it easier to deploy apps with custom scripts and apps that are unsigned. This solution will utilize the Intune MDM agent to deploy PKG-type installers. While we will continue to support and enhance the native PKG-type app management experiences for macOS, we believe the new Intune agent-based, PKG-type app delivery and monitoring experiences offer flexibility and customization.

Initially, we'll support PKG installations for the "required" assignment type; other assignment types will follow. We look forward to releasing the public preview of the ability to install PKG apps using the Intune MDM agent in Q3 of this year so we can get your feedback.

Reduce vulnerabilities by keeping your macOS software up to date

Managing software updates is central to device security. By staying current with updates that remove software vulnerabilities, you can reduce the overall attack surface in your organization.

System update policies for macOS in Intune are built on Apple's MDM commands. This provides you with the native macOS software update client experience and reduces the dependency on scripts or manual, user-initiated installations.

Now generally available, Intune provides you with additional control over the type of updates you'd like to install, whether you need to update the built-in malware protection tools or the entire OS. You can also configure the behavior for each update type, such as forcing an update to install immediately to mitigate a vulnerability or scheduling a less urgent update at a time that minimizes interruptions to user productivity.

Consistent onboarding for all Apple devices

Apple's platform SSO capability for macOS provides a great opportunity to reimagine the employee onboarding experience on Macs. Later this year, we plan to release a way to fundamentally change this experience, creating a familiar and consistent way to onboard new users across all Apple devices.

Our plans are founded on the new Just-In-Time (JIT) macOS/iPadOS enrollment experience that will help further streamline Mac device onboarding for users of organization-owned Macs. After enrollment, they will be able to log in through the Enterprise Single Sign-On extension to establish single sign-on across Azure AD-enabled apps and use their Azure AD password to log on to their Mac. With the JIT utility built into the Azure AD Enterprise Single Sign-On extension, authentication will not require the Company Portal app to access resources protected by Conditional Access.

We plan to also support an alternative authentication method that uses the Secure Enclave key when authenticating to the web or Azure AD-enabled apps. No matter which authentication method you choose, users will love this more seamless experience because it will look and feel like a native macOS experience.

Local account management on macOS

We are actively developing support for the local administrator account and local primary account creation during macOS ADE (automated device enrollment). The plan is to enable you to customize the local administrator settings within new and existing macOS enrollment profiles for devices enrolling with user-device affinity (Setup Assistant with modern authentication and Setup Assistant for legacy).

Please watch for an upcoming announcement about the public preview of Local account management for macOS, a critical piece of the macOS ADE flow.

Faster user enrollment for BYOD

Account-Driven User Enrollment is a new version of User Enrollment. This updated flow utilizes Just-in-Time (JIT) registration, removes the iOS Company Portal app as an enrollment requirement, and provides users with a seamless onboarding experience. Users can initiate enrollment directly in the iOS/iPadOS Settings app, complete the process in just a few steps, and access corporate resources from their personal devices.

With this release coming in the next few months, we'll also introduce Enrollment Single Sign-On (SSO). Users will only be required to authenticate once in the entire flow to complete enrollment and establish SSO on the device.

In Intune, you can target iOS/iPadOS 15+ devices for Account-Driven User Enrollment and continue to target devices with earlier versions of iOS/iPadOS for User Enrollment with the Company Portal method. Devices running iOS/iPadOS 14.8.1 and lower will be unaffected by this update and can continue to use the current User Enrollment with Company Portal.

We're excited to bring this enhanced experience to our end users to help them get productive as quickly as possible. Look out for updates on specific timelines in our What's New documentation.

Secure ADE enrollment

To further improve and secure ADE (automated device enrollment) through admin customization, Intune will support the iOS/iPadOS Awaiting Final Configuration command during ADE in public preview with the 2303 release of Intune.

For iOS/iPadOS Setup Assistant with modern authentication, enrolling devices with no user-device affinity and Azure AD shared-device mode, a new Intune setting will be available for you to configure to ensure that the majority of device configuration policies are on the corporate device before the end user is released from Setup Assistant. This setting will be available for both new and existing enrollment profiles.

The benefit of this feature is that, when an end user lands on their device home screen, the device will already be mostly configured by the targeted admin profiles that keep it secure and customized according to the organization's policies. Because ADE devices can be used exactly as intended by the organization from the moment end users reach their home screen, they can immediately be productive on the configured device. Apple documents support for this command in its MDM documentation.

Reduce iOS enrollment time

We continue to explore new ways to improve enrollment experiences on iOS/iPadOS devices. With the introduction of Just-In-Time (JIT) functionality, the iOS Company Portal app will no longer be required for Azure AD registration. This allows us to move towards a web-based device enrollment flow for bring-your-own-device (BYOD) scenarios.

Web Device Enrollment will provide a much quicker end-to-end enrollment process, reducing the need to switch back and forth between apps and requiring fewer steps to authenticate. Users will be guided to a new web-based Company Portal to initiate enrollment, check device compliance, and review remediation steps.

We plan to release this new experience by August 2023 to help improve the end-user onboarding experience. More updates will follow in our In Development and What's New documentation.

Zero touch provisioning for iOS shared devices

To address the growing need for iOS shared devices, the public preview of Shared Device Mode (SDM) introduces a zero-touch provisioning (ZTP) experience. You can configure a device to be a shared device through the Intune portal. After deployment, the device will be set up with SDM without end-user input. The public preview supports Microsoft Teams and any application that implements the Microsoft Authentication Library (MSAL) and Shared Device Mode. Users on a shared device have a single sign-in and sign-out experience for all supported applications. Intune is working on adding the capability to apply App Protection Policies for iOS devices in Shared Device Mode later this year.

Ease migration to Declarative Device Management

Apple introduced the new Declarative Device Management (DDM) protocol in 2021. It moves policy management onto the device itself rather than driving it from the server. In August 2022, we announced first-in-the-market support for DDM with the ability to configure DDM policies using the iOS/iPadOS settings catalog. A month later, we extended DDM to the macOS settings catalog.

One of the most useful things about DDM is that it co-exists alongside the standard MDM protocol without impacting the user experience. Intune lets you send the policy you create in the settings catalog as a DDM-based policy to DDM-enabled devices, and as a standard MDM-based policy to devices still using the older protocol.

With this flexibility provided in Intune, it will be easier for you to seamlessly migrate to Apple's new DDM protocol over time. We're delighted to continue to integrate DDM capabilities in Intune, not only because this will improve policy delivery performance, but also because it will enable us to build more device compliance, app inventory, and other capabilities in the future.
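As an added illustration that is not from this post and not an Intune payload, the declarations below are written in Apple's DDM document format to show what "policy on the device" means in practice. A configuration declaration carries the settings, an activation tells the device which configurations to apply, and a status subscription asks the device to report back on its own when a watched value changes; the device evaluates and enforces all of this locally instead of waiting on a server round-trip for each change, which is where the delivery-performance and compliance-reporting benefits come from. The declaration types and payload keys are Apple's; the `com.example.*` identifiers and the passcode values are constructed for the example.

```json
[
  {
    "Type": "com.apple.configuration.passcode.settings",
    "Identifier": "com.example.ddm.passcode",
    "Payload": {
      "RequirePasscode": true,
      "MinimumLength": 6,
      "MaximumFailedAttempts": 10,
      "MaximumInactivityInMinutes": 5
    }
  },
  {
    "Type": "com.apple.activation.simple",
    "Identifier": "com.example.ddm.activate-baseline",
    "Payload": {
      "StandardConfigurations": [
        "com.example.ddm.passcode"
      ]
    }
  },
  {
    "Type": "com.apple.management.status-subscriptions",
    "Identifier": "com.example.ddm.status",
    "Payload": {
      "StatusItems": [
        { "Name": "passcode.is-compliant" },
        { "Name": "device.operating-system.version" }
      ]
    }
  }
]
```

The surrounding array is only a grouping for readability; a DDM server hands each declaration to the device individually, and the device fetches and applies them itself. Read it from a defender's point of view: the passcode configuration is what gets enforced, the activation is what decides it is in scope, and the status subscription is what lets the management service learn, without polling, that `passcode.is-compliant` has flipped to false or that the OS version has changed after an update.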

Earlier this month, you may have seen the news about the launch of the Microsoft Intune Suite, unifying mission-critical advanced endpoint management and security capabilities in Intune. It focused on Microsoft 365 and Microsoft Security services integration and benefits for organizations needing to simplify endpoint management, strengthen security, and reduce costs. In the coming months, we will announce more plans to expand the advanced endpoint management functionality to macOS with Microsoft Intune Remote Help, advanced application management, advanced Endpoint analytics in addition to existing capabilities of Microsoft Tunnel for Mobile Application Management for iOS in the Intune Suite. Learn more about this recent announcement here.


Last update: Mar 20 2023 10:00 PM