Microsoft is excited to announce that Mac Scripting capabilities on Apple macOS are now available in public preview, allowing administrators to automate routine tasks on hundreds and thousands of devices. Whether you are a business looking to extend employee device-choice program options or simply bringing all device management under one solution, Microsoft Endpoint Manager has you covered. As most of you know, Microsoft Endpoint Manager is our new unified platform that includes Microsoft Intune and Configuration Manager.
Microsoft continues to invest in enterprise Mac management scenarios that are critical to businesses and employees choosing Macs. This article will explore how macOS management in your organization will benefit from the ease of use, accuracy and time savings over many frequently performed administrative tasks.
Why automation scripting matters for macOS administration
Scripting is a versatile tool that allows admins to quickly achieve several management goals. Whether it is force-restarting a Mac, mounting a network share, deleting a user keychain or configuring the Dock or menu bar icons, scripting can provide admins with the ease of configuration and flexibility that they need to do their jobs well.
Scripting for enrolled Mac devices uses a new Intune MDM agent for macOS, which extends Mac management capabilities beyond what's enabled by the macOS operating system. This is a significant architectural change that will allow us to innovate faster and brings Mac management benefits to our customers.
Helping you succeed by respecting end user trust and privacy
Scripting in Microsoft Endpoint Manager is built with user trust in mind. The Intune MDM agent for Mac is only deployed on the device when scripts are assigned to the device. The MDM agent removes itself from the device if scripts are not assigned to the device or the agent is unable to connect to the Intune service for 24 hours of device-awake time. This way, Microsoft Endpoint Manager helps administrators efficiently run the tasks needed to protect the organization's data and assets and does not outstay its welcome on the end-user’s device. Based on in-depth customer research, we believe that this fosters necessary trust between IT systems and end-users for successful digital transformation.
You are probably curious about how it works behind the scenes. At a high-level, the scripting workflow is as follows:
Overview of Mac scripting with Intune
When you create a shell script and assign it to an Azure AD device group, an app deployment for Intune MDM agent is automatically created in the background with matching group assignments. The agent app is not visible to the admin in the list of apps. When the macOS devices within the assigned group sync with Microsoft Intune service, they receive the Intune MDM agent app deployment and it is silently installed on the Mac with no user interaction. Once installed, the agent establishes a secure link with the Intune service to receive the shell scripts. The agent then starts receiving assigned shell script policies along with the IT-configured script settings. The scripts are executed on the macOS and the result status sent back to Intune service.
Each script is run as a separate process and the status is reported to Intune service so that IT admins can monitor successful execution and error codes of the script from the admin center. If the scripts are meant to be run on a pre-set frequency configured by admins, the scripts are stored locally on the Mac and re-run as needed.
Our scripting capabilities allow admins to deploy any type of script that starts with #! (colloquially known as "shebang") and can be run on macOS with the appropriate interpreters pre-installed.
How to use scripts in Microsoft Endpoint Manager
Now let’s have a quick walk-through and see how it works. Check out “shell scripts” for macOS by logging in to Microsoft Endpoint Manager Admin Center and navigating to Devices > macOS > Shell scripts.
You can configure the following settings for each script to suit your needs:
Upload script: any script that begins with #! and point to a valid location (such as #!/bin/sh or #!/usr/bin/env zsh) can be uploaded.
Run script as signed-in user: by default, the script runs as root user. But you can choose to run the script as the signed-in user.
Hide script notifications on devices: by default, script notifications are shown for each script on run. End users see “IT is configuring your computer” notification from Intune Company Portal on macOS devices.
Script frequency: by default, scripts are run only once. You can choose how frequently a script is run on a device using this setting. Your choices are every 15 minutes, 30 minutes, 1 hour, 2 hours, 3 hours, 6 hours, 12 hours, 1 day or 1 week.
Max number of times to retry if script fails: by default, scripts are run only once. A script is considered to have failed if it returns a non-zero exit code on run. In case of failures, you can choose to automatically retry a script-run up to three times.
Once you have uploaded your script and configured the script settings, you can assign it to Azure AD device groups. For example, to assign a script to all Mac devices enrolled using a specific DEP enrollment profile, you can create an Azure AD security group and set the dynamic device membership rule to filter by enrollmentProfileName property.
Once the script has run on the device, it reports status back to Microsoft Endpoint Manager at Devices > macOS > Shell scripts > select assigned script > Device status or User status.
We heard from several customers that automation scripting is an important capability for macOS management, and we decided to support this as the first capability using the new Intune MDM agent for macOS. Based on customer feedback, we have plans to support more capabilities in future. Over the last few months, Microsoft Endpoint Manager has made exponential strides in expanding Mac app management capabilities including Apple volume-purchased (VPP) apps support on macOS, 64-bit macOS support for the app wrapping tool, web clip installation to Dock, and scale improvements to support up to 3,000 Apple VPP tokens.
If you have not been managing Macs so far, this is a great opportunity for you to experience the power of unified endpoint management from a single console using Microsoft Endpoint Manager.