Day zero support for iOS/iPadOS and macOS 26
With Apple's release of iOS/iPadOS and macOS 26 Tahoe, we’ve been working hard to ensure that Microsoft Intune provides day zero support for Apple’s latest operating systems (OS) so that existing features work as expected. We’ll continue to upgrade our service and release new capabilities that integrate elements of the new OS versions. New settings With continued investments in the Intune data-driven infrastructure that powers the settings catalog, we’re able to provide day zero support for new OS settings as they’re released by Apple. The settings catalog has been updated to support newly released iOS/iPadOS and macOS settings for both declarative device management (DDM) and mobile device management (MDM) to empower your IT teams to have devices ready on day zero. New settings include: Audio Accessory Settings Configure temporary pairing behavior for AirPods and Beats audio accessories. Located under the Declarative Device Management (DDM) category. Temporary Pairing Disabled Temporary Pairing Unpairing Time Unpairing Policy Unpairing Hour Safari Settings Customize the Safari browsing experience. Located under the Declarative Device Management (DDM) category. Accept Cookies Allow Disabling Fraud Warning Allow History Clearing Allow JavaScript Allow Private Browsing Allow Popups Allow Summary Page Type Homepage URL Extension Identifier Restrictions Restrict specific features on devices. Located under the Restrictions category. Allow Safari History Clearing Allow Safari Private Browsing Allowed Camera Restriction Bundle IDs Denied ICCIDs For iMessage And FaceTime Denied ICCIDs For RCS Default Applications Restrict modifications to the default calling and messaging apps. Located under the Managed Settings category. Calling Messaging Web Content Filter Configure Safari History behavior when using content filtering. Located under the Web Content Filter category. Safari History Retention Enabled More information on configuring these new settings using the settings catalog can be found at Create a policy using settings catalog in Microsoft Intune. Intune Company Portal support for improved Purebred derived credentials flow With iOS 26, Purebred (version 3) is supporting a new and improved derived credentials user experience. As part of Intune’s day zero support, the Intune Company Portal for iOS/iPadOS will support Purebred's new experience. If your organization continues to use an older version of Purebred, there will be no changes to your Purebred and Company Portal derived credentials experience. If your organization is planning on upgrading to the new version of Purebred, be sure you have the latest Company Portal version (v5.2509.0). Support statement for “supported” versus “allowed” versions for user-less Apple devices As new operating system updates are released throughout the year by Apple, Intune plans to support critical functionality that comes with each new OS version. With the release of iOS/iPadOS and macOS 26, we’ll continue with our existing model for enrolling user-less devices for supported and allowed OS versions to keep enrolled devices secure and efficient. This includes devices enrolling without user affinity (user-less devices), such as shared iPads and devices enrolling through Automated Device Enrollment (ADE) without user affinity. We highly recommend updating your organization’s devices to the most recent Apple OS version publicly available to keep your devices secure and up to date. Supported OS versions means that user-less devices running the three most recent iOS/iPadOS versions will be fully supported by Intune. Devices running iOS/iPadOS 26.x, 18.x, and 17.x can enroll and take advantage of all Intune MDM functionality that is applicable to user-less devices, and all new eligible features will work on these devices. Allowed OS versions means that user-less devices running a non-supported iOS/iPadOS version (within three versions of the supported versions) will be able to enroll and take advantage of Intune’s eligible features supported by the MDM protocol but doesn’t guarantee that there won’t be breaking OS features, bugs, or issues. Devices enrolled with user affinity or apps that rely on user sign-in will continue to not be supported. User-less enrollment and feature support Supported Allowed Applicable Versions Three most recent versions (N-2): iOS/iPadOS 17.x and later macOS 14.x and later Up to three versions below the supported version (N-5): iOS/iPadOS 15.x and later macOS 12.x and later Can enroll Yes Yes User-less eligible Intune MDM Features Yes Yes. May be impacted by breaking OS features, bugs, or issues. User affinity enrollment Yes No Apps that require user sign-in Yes No For more details review the blog: Support statement for supported versus allowed versions for user-less Apple devices: Support statement for supported versus allowed versions for user-less Apple devices. If you have any questions or feedback, leave a comment on this post or reach out on X @IntuneSuppTeam. Stay tuned to What’s new in Intune for additional settings and capabilities that will soon be available.New block screen capture for iOS/iPadOS MAM protected apps
Following the announcement of Microsoft Intune support for Apple Intelligence, we recently introduced support to block screen capture for mobile application management (MAM) protected apps. This blog provides details of the default screen capture behavior to help you understand how it affects your users and the settings available to change the default behaviour. Background Previously, for iOS/iPadOS, there were no controls to limit screen captures per application, per user or without device enrollment. this resulted in a gap for organizations with only MAM protection. As part of our secure-by-default commitment, the new default behavior for your MAM-protected app may have changed. Now, based on your Intune app protection policy settings, when a user attempts to screen capture or share the screen from a managed account within a MAM-protected app, a blank screen will be captured instead of the actual screen image. How the MAM block screen capture works In Intune, the screen capture is controlled using the existing Send Org data to other apps setting within the Data Protection section of the iOS app protection policy (APP) and is blocked if both the following conditions are met: The app (Microsoft apps, third-party apps, or your line-of-business (LOB) app) is updated to use Intune App SDK v19.7.6 or later for Xcode 15 and v20.2.1 or later for Xcode 16. The app is targeted by APP and the setting Send Org data to other apps is set to “None” or any of the “Policy managed apps...” values. If Send Org data to other apps is configured to “All Apps”, the screen capture for your MAM protected apps isn’t blocked. Changing the default MAM screen capture block For some scenarios, you may wish to allow screen capture while retaining the existing APP configuration, such as allowing screen capture and sharing to policy managed apps. Therefore, we introduced a Managed app configuration key com.microsoft.intune.mam.screencapturecontrol = Disabled” to override the default behavior. To allow screen capture on iOS devices targeted with an app protection policy, follow these steps: Navigate to the Microsoft Intune admin center. Select Apps > App configuration policies > Create > Managed apps. On the Basics page, select the apps you wish to target. For this example we’ve selected Outlook (iOS/iPadOS), Teams (iOS/iPadOS) and an LOB app. On the Settings page, within the "General configuration settings” section, add the key "com.microsoft.intune.mam.screencapturecontrol" with the value "Disabled". Assign the configuration policy to the users who you want to target with the override setting. For more details, refer to Add an app configuration policy for managed apps on iOS/iPadOS and Android devices. Conclusion To keep your organizations secure, based on your policy, all screen capture attempts are blocked for MAM protected apps. The managed app configuration settings detailed in this blog allows you to override the default settings to meet any specific requirements within your organization. Stay tuned to What's new in Microsoft Intune for future improvements to the blocking screen capture capabilities and more Apple Intelligence features. Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.From the frontlines: Frontline worker management with Microsoft Intune
So, here we are. You’ve been asked to start managing frontline devices for your organization with Intune. You may be a pro with Intune management - with experience managing Windows devices, personal mobile devices, or corporate-owned productivity user based mobile devices. Maybe you just completed your migration efforts from another product to Intune for some portion of your device estate. Or this may be your first interaction with Intune. Regardless of where you’re starting from, managing frontline worker devices in Intune is simple, and you can even leverage existing Intune policies you already configured. So, get out that rugged bar code scanner, Android tablet, kiosk device, shared iPad, wearable device, or any other frontline worker device and let’s get started! My name is Dan Andersen, Principal PM Manager at Microsoft. My team partners directly with engineering to assist in product development and our worldwide team has assisted over 1,800 enterprises successfully onboard their device scenarios into Intune. In this post I’m introducing a blog series focused on frontline worker (FLW) device management. Why focus on FLW? This space represents a multitude of devices and use-cases that have enabled frontline workers, and we’ve worked with others like you to craft great FLW solutions. We will use this series to share these solutions and options with you and hopefully make your FLW journey with Intune seamless and exciting. Before getting into the series, if you’re looking for some background on FLW usage examples, check out the Microsoft Intune Blog: Microsoft Intune empowers frontline workers in retail and beyond. Throughout this year we’ll deliver monthly blogs delving into FLW use-cases and how to manage these devices. We’ll dive into key scenarios and explain how to approach them and at times, specifically how to configure them. Instead of rewriting product documentation, we’ll include links to more details when applicable, and keep the posts focused on enabling success. Each blog post will be published here in the Microsoft Intune Customer Success blog and include “From the Frontlines:” in the title for easy searching. For quick reference, we’ll keep this table updated as we publish the series, so stay tuned here or follow us @IntuneSuppTeam on X for more in the coming months! Blog Topics Publish date From the frontlines: Revolutionizing healthcare worker experience February 28, 2025 From the frontlines: Accelerating retail worker shared device experience (Part one) March 25, 2025 From the frontlines: Accelerating retail worker shared device experience (Part two) April 23, 2025 From the frontlines: Delivering great dedicated device experiences for retail workers May 28, 2025 From the frontlines: Managing warehouse devices with Microsoft Intune July 01, 2025 From the frontlines: Managing common kiosk scenarios in your business August 28, 2025 From the frontlines: Delivering critical early responder device management September 30, 2025Apple making device migration to Microsoft Intune easy with upcoming OS 26 release
By: Iris Yuning Ye – Product Manager | Microsoft Intune Apple recently announced a major update at their Worldwide Developers Conference 2025 that solves one of the biggest headaches for admins: migrating macOS and iOS/iPadOS devices from one mobile device management (MDM) solution to another without factory resets, manual re-enrollment, or missing configurations. With the new MDM Migration capability in macOS 26 and iOS/iPadOS 26, built directly into Apple Business Manager, IT admins are able to transition devices from third-party MDMs to Microsoft Intune seamlessly, and without user disruption. Migrating devices to Intune helps IT admins consolidate device management across platforms, enforce consistent security policies, and reduce operational complexity. In this blog, learn how to start using Apple’s MDM migration feature to easily move your macOS and iOS/iPadOS fleet to Intune. Prerequisite: macOS/iOS/iPadOS 26 and enrollment into a device management service is required to use the Apple MDM migration feature. 1. Pre-migration – preparation and set up Before starting the migration process, there are five major steps to follow for preparation. 1.1 Keep a record of your devices Start by creating a detailed inventory of all devices in your organization. This should include each device model, the version of OS it’s running, and whether it’s corporate-owned or user-owned. This step is critical because Apple’s new migration feature has specific OS version requirements. Knowing which devices are eligible helps you scope the migration accurately and avoid surprises later. 1.2 Document configurations in current MDM Before making any changes, document all existing configurations in your current MDM platform. This includes: Configuration profiles: Capture all profiles related to Wi-Fi, VPN, email, and certificates. These are essential for maintaining connectivity and access post-migration. Compliance policies: Note any rules that enforce password complexity, encryption, or device health checks. Security baselines: Record settings such as FileVault encryption, Gatekeeper, and the macOS firewall to ensure security standards are preserved. Custom scripts: List any scripts used for automation, monitoring, or maintenance tasks. Deployed applications: Document all apps currently deployed, including how they’re delivered (Volume Purchase Program, App Store, or custom packages). This documentation will serve as your blueprint for rebuilding these configurations in Intune. 1.3 Configure the Apple MDM push certificate Navigate to the Intune admin center, create and upload an Apple MDM push certificate. This certificate allows Intune to securely communicate with Apple devices. Without it, device management and policy enforcement can’t function. 1.4 Add Microsoft Intune to Apple Business Manager (ABM) or Apple School Manager (ASM) Next, integrate Microsoft Intune with ABM or ASM, by following these steps: Download the public key from Intune. Upload that key to ABM or ASM when creating a new MDM server. Then, download the server token from ABM or ASM and upload it back into Intune. This allows ABM to recognize Intune as a valid MDM server and enables device assignment. 1.5 Set up MDM Configurations in Intune Using the configurations documented in step 1.2, begin replicating existing configurations in Intune. This includes but is not limited to: Rebuilding configuration profiles for network access and security. Reapplying compliance and security policies. Re-deploying applications. Rewriting or importing scripts as needed. Identify the other controls to implement that improves Zero Trust. Call to action: Please make sure testing the MDM configurations on a test device before assigning them to the devices you plan on migrating. And before initiating any migration, communicate with your endpoint users first, keeping them informed to avoid any confusion. 2. Migration – Admin step-by-step flow The admin experience starts from ABM or ASM. After logging into ABM or ASM, navigate to the Devices section. Select the device or group of devices targeted for migration to Intune. Selecting the ellipsis on the top right of device overview interface unveils the “Assign Device Management” button. Select the server you want to migrate the device to. In our case, it’s Intune. Confirm device assignment. iew page – Assign Device Management pop-up window – confirm device management service change. 3. Migration – Endpoint step-by-step flow After completing the device management assignment, the device user receives a notification informing them that a management change is required. macOS iOS/iPadOS When the user selects the notification, they are guided through a simple approval process. If the user doesn’t initiate enrollment before the admin set enrollment deadline, an enforced migration occurs, which results in a non-dismissible and full-screen prompt that must be completed by the user before using the device. Regular migration Enforced migration (past deadline) Once the user approves the migration, the device communicates with Apple’s servers to get its new device management assignment. It then downloads and installs the new MDM profile. This migration process happens without rebooting the device. 4. Post-migration – Verification Lastly, verify the migration and enrollment successfully completed by navigating to the Intune admin center and confirming the new devices are listed. Please note, it's important to have test device verifying required configurations running smoothly before migrating large number of devices and test your devices after migration to ensure everything is working smoothly. If you run into any issues, further adjustments may be needed. Special thanks to our Intune MVP, Somesh Pathak, whose content we leveraged in this blog! For more details and a video demo, check out Somesh’s blog at: https://intuneirl.com/mac-admins-your-migration-glow-up-just-dropped Summary In short, Apple’s new MDM migration in macOS and iOS/iPadOS 26 makes moving Mac, iPhone or iPad devices to Intune now easier than ever. With careful planning and a few simple steps, you can make the switch smoothly to manage your Apple devices all in one place. For Mac devices that aren’t running OS 26, you can check out our Intune Github for migration scripts and review the blog Managing and migrating Macs with Microsoft Intune. Let us know how your Mac journey is going by leaving a comment below, reaching out to us on X @IntuneSuppTeam, or join our Mac Admins Community on LinkedIn!Managing and migrating Macs with Microsoft Intune
By: Neil Johnson – Principal Product Manager | Microsoft Intune A lot has changed in Intune Mac management over the last few years. As we’ve adapted to the changing needs of our customers the number of requests for Mac projects has steadily grown. These range from ‘How do I get started with a Intune Mac proof of concept?’ to ‘I’ve done my POC but now I’ve got thousands of Macs to migrate to Intune, what next?’. This article is aimed at organizations that are new to managing Mac with Intune. It provides a list of tools, resources and links that we use on most of our Mac projects from design through to migration. The idea is to provide a springboard into Mac management with Intune. Planning When planning your Mac migration project, a solid understanding of your requirements is a critical dependency to be successful, we tend to think of Mac migration projects in four phases: Requirements: Setting clear goals and objectives is essential to the success of any project. Goals are broad strategic aims—such as reducing costs, strengthening security, or simplifying IT management. From these goals, you can derive specific, measurable requirements. For instance, a goal to reduce costs might translate into a requirement to consolidate onto a single device management platform. A security goal might lead to a requirement to implement single sign-on across all Macs. These requirements provide the foundation for the rest of the project. Design: In the design phase, we translate the requirements into a practical and achievable solution. This includes selecting the right technologies, defining configurations, and outlining how the solution will be implemented. The aim is to create a blueprint that fully addresses the project’s requirements while remaining scalable and maintainable. Test: The test phase ensures that the proposed design meets the original requirements. This involves validating the solution in a controlled environment to identify any gaps or issues before moving into pilot. Testing helps confirm that the solution is functional, reliable, and ready for broader deployment. Pilot: Once the solution has passed testing, we move into the pilot phase. This is a limited rollout in a production environment, typically involving a small group of users or devices. The goal is to gather real-world feedback and make any final adjustments before scaling the solution across the organization. Migrate: With a validated pilot, we transition into full migration. New devices are enrolled into the new service from day one, while existing devices are moved over in a phased and structured approach. This ensures continuity, minimizes disruption, and completes the journey to the new platform. Design, Test and Pilot are often cyclical phases, which means as we go through each one, we’re likely to learn new things and need to make changes to prior phases. For example, the first time we run through the testing phase, it’s likely that we’ll need to adjust our design, and similarly with the pilot phase. We only progress to the migration phase when we’re satisfied that our solution has been tested to meet the core requirements that were identified in the outset. This is an example of how we might begin our requirements definition, stating our clear goals with matching requirements to meet them: Reduce costs Make use of the licenses you already own. Reduce IT overhead by shipping devices directly from Apple to your device users. Improve security Deploy Microsoft Entra and Intune for Conditional Access and compliance policies without third-party connectors. Consolidate endpoint and data loss prevention tools, for Windows and Mac, such as Microsoft Purview and Microsoft Defender for Endpoint. Simplify management Consolidation of security and management tooling. Simplify your configuration and remove deprecated payloads. Getting started with Design, Test and Pilot phases The best place to start your journey learning about how to design Mac management with Microsoft Intune is through our end to end guide to get started with macOS endpoints. It walks you through getting your environment up and running to enroll your first Mac and then how to secure and apply more complex configurations. As you learn more about Mac management, you may find that you need more complex solutions or custom tooling. It’s beyond the scope of this article to go into depth, but here’s a list of some of our favorite Mac resources that you should find valuable: Intune Team GitHub Shell Samples Repository: GitHub repo full of sample shell scripts to accomplish common tasks with Intune. Note: Microsoft supports the ability to run scripts but doesn’t support the script itself, remember to always test! The macOS Security Compliance Project: Comprehensive security baseline project for macOS. AppleSeed for IT Resources: Apple’s Enterprise software portal and the home of the Mac Evaluation Utility, which is highly recommended during testing. Mac Admins Foundation: Mac Admin community resources. Common issues These are the most common problems we see when working with our customers new to managing Macs with Intune. Issue Possible cause Solution Unable to enroll Enrollment Restriction blocking macOS The most common issue we see here are old enrollment restrictions blocking macOS. These need to be removed or modified before you can enroll. Missing Apple MDM push certificate For organizations new to Apple device management, it’s very common for them not to have an installed. Without this you’ll not be able to manage any Apple devices. User targeted by compliance connector If you’ve been using Intune for compliance with another MDM service, you’ll need to ensure that users are excluded from the targeting of this connector before enrolling into Intune. Policies/Apps take a long time to arrive Policy or app assignments to dynamic device groups For Intune policy assignment it’s best to use static device or user groups where possible. Microsoft on Mac Microsoft has many products specifically developed for Mac. Your organization might already own licenses for Microsoft products that work on Mac, but perhaps you’re not fully using them. It’s important to check which licenses you already have—this could help you save money, simplify management, and improve the experience for your Mac users. Product Function Learn more Microsoft Intune Endpoint management https://learn.microsoft.com/intune/intune-service Microsoft Defender for Endpoint Endpoint security platform https://learn.microsoft.com/defender-endpoint/microsoft-defender-endpoint Microsoft 365 Productivity app suite https://www.microsoft.com/microsoft-365/mac/microsoft-365-for-mac Microsoft Teams Collaboration https://www.microsoft.com/microsoft-teams/group-chat-software Microsoft Edge Enterprise browser for Mac https://www.microsoft.com/edge/mac Windows 365 Run Windows in the cloud https://www.microsoft.com/windows-365 Microsoft Purview Data protection and governance https://learn.microsoft.com/purview/device-onboarding-macos-overview Microsoft Entra Identity and compliance https://www.microsoft.com/security/business/microsoft-entra Universal Print Enterprise cloud printing https://learn.microsoft.com/universal-print/discover-universal-print Microsoft Copilot App for Mac Enterprise AI companion app https://apps.apple.com/app/microsoft-copilot/id6738511300 Windows App Mac remote desktop protocol client https://learn.microsoft.com/windows-app/get-started-connect-devices-desktops-apps Migration Planning Once you’ve finished your solution design, testing and pilot phases it’s time to start thinking about migration. There are many ways to approach migration, but we tend to think about it in five phases. Design: Designing your migration process is critical. You need to think through how you’re going to get new devices enrolled to Intune, how you’re going to handle opt-in migrations and how you’re going to handle remaining devices at the end. Communicate: Once you know how you’re going to approach migration it’s critical to communicate that across your business. Communicate clearly and simply what the project is going to do, when it’s going to happen and if there any actions required. New Devices: As soon as practical, it’s important to ensure that all new devices purchased are enrolled into Intune. This creates a better end user experience and means that we don’t have to migrate them unnecessarily. Opt-In: Your colleagues are busy doing their roles, so it’s important that we are as flexible as possible with them. Our experience suggests that if you provide a guided migration experience that they can start at a suitable time then they are much more likely to migrate themselves. Deadline Mode: Sometimes we all need a little encouragement. During the final phase of migration consider reminders and even a final deadline date where devices will just be migrated. Migration design is unique to each project and organization, what is acceptable for one may not be suitable for another. Migration tooling That’s all very well, but how exactly do you get your devices from one mobile device management service (MDM) to another? Handily the Intune Customer Experience Engineering (CxE) team has developed an open-source script that might help: https://github.com/microsoft/shell-intune-samples/tree/master/macOS/Tools/Migration There are many more options from our partners and MVPs to achieve migration. To learn more why not join our Microsoft Mac Admins community on LinkedIn and find out how others are handling migration. Example Migration experience Here’s an example of what the migration might look like for your users. The video below is based on the Intune Engineering sample script in opt-in mode where the user can choose when they want to perform their migration. Reach out for help If any of this has piqued your interest, there are a couple more things you can do. Join our Microsoft Mac Admins community on LinkedIn. Our product teams are there, plus thousands of others who’re using Intune to manage their Apple devices in a Microsoft Enterprise environment. If you have a question about Microsoft and Mac, someone in here will likely have the answer. If you have 150 M365 licenses or more, you can also Request FastTrack assistance. Our FastTrack team are experts at helping our customers make the most of their investment in Microsoft technologies. Lastly, if you are looking for a deeper engagement, consider finding a Microsoft partner to support your migration needs. If you have any questions or want to share how you’re managing and migrating your Apple macOS devices in Intune, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn: aka.ms/IntuneLinked .Understanding Apple enrollment methods in Microsoft Intune
By: Rishita Sarin – Product Manager | Microsoft Intune Microsoft Intune, together with Microsoft Entra ID, facilitates a secure, streamlined process for registering and enrolling devices to access your organization’s resources. Once users and devices are registered within your Microsoft Entra ID (also called a tenant), then you can utilize Intune for its endpoint management capabilities. The process that enables device management for a device is called device enrollment. During enrollment, Intune installs a mobile device management (MDM) certificate on the enrolling device. The MDM certificate communicates with the Intune service, and enables Intune to start enforcing your organization's policies, like: Enrollment policies that limit the number or type of devices someone can enroll. Compliance policies that help users and devices meet your organization’s requirements. Configuration profiles that configure work-appropriate features and settings on devices. This blog aims to provide an overview of Microsoft Intune’s enrollment methods for Apple devices to help you make informed decisions about device management. Enrollment methods Personal owned devices (BYOD) To get started with enrolling personally owned devices navigate to the Intune admin center, Devices > Enrollment > Apple > Enrollment types > Create. Apple’s name since 2019 Intune’s name When to use it Profile-based Device Enrollment (Previously known as User Enrollment) Device enrollment with Company Portal Secures entire personal device. Supports app takeover. Web enrollment Secures entire personal device. Supports app takeover. We recommend enabling web-based enrollment for devices running iOS/iPadOS 15 and later because it doesn't require employees and students to install the Company Portal app. Post-enrollment functionality remains the same as with app-based enrollment. Profile-based User Enrollment (Support ended in 2024) User enrollment with Company Portal (Support ended in 2024) Do not use this (Support ended in 2024) Account-driven User Enrollment Account-driven user enrollment Secures only work-related apps on a personal device. No support for app takeover. Account-driven Device Enrollment Not supported Not supported N/A Determine based on user choice Gives users the option to select if they want to secure their entire device or only work-related apps. Corporate owned devices Devices > Enrollment > Apple > Enrollment program tokens > select a token > Enrollment policies > Create Apple’s name since 2019 Intune’s name When to use it Automated Device Enrollment (ADE) (Previously known as Device Enrollment Program (DEP)) Automated Device Enrollment (ADE) for iOS/iPadOS Automated Device Enrollment (ADE) for macOS Secures entire corporate device. Enroll with User Affinity: Select this option for devices that belong to users who want to use the Company Portal for services like installing apps. Enroll without User Affinity: Select this option for devices that aren't affiliated with a single user. Use this option for devices that don't access local user data. This option is typically used for kiosk, point of sale (POS), or shared-utility devices. Enroll with Microsoft Entra ID shared mode (only iOS/iPadOS): Select this option to enroll devices that will be in shared mode. 💡 Tip: If you’re enrolling Apple devices for frontline worker scenarios, make sure to check out this detailed guide: Get started with iOS/iPadOS frontline worker devices. Improvements Based on customer feedback, Intune introduced a faster and more intuitive version of device enrollment with the Intune Company Portal called web enrollment in 2023. Web enrollment retains all the benefits of device enrollment with added benefits of reduced latency and without requiring installation of the Company Portal app. We strongly encourage you to take advantage of web enrollment for a faster and more efficient enrollment process for your users. Additionally, turning on just-in-time (JIT) registration and compliance remediation (automatically set up as part of JIT registration setup) for all iOS/iPadOS enrollments can significantly improve the registration and compliance remediation experience. By bringing the enrollment experience to where the user is, we help them get productive faster and ensure a smoother transition. This applies to both iOS/iPadOS bring-your-own-device (BYOD) web enrollment and corporate Automated Device Enrollment (ADE), specifically for Setup Assistant with modern authentication within ADE. For more information on JIT registration and compliance remediation, check out this blog post: Use JIT registration and JIT compliance remediation for all your iOS/iPadOS enrollments. As a result of recent enhancements to our enrollment workflows, the Company Portal app is no longer required for some enrollment methods. However, we recognize the use cases for the Company Portal go beyond enrollment, and we’ll continue to support and invest in improvements for the app. One example of upcoming improvements to the Company Portal is the addition of the user-less app catalog. This enhancement opens the doors for future frontline worker (FLW) scenarios, allowing for more flexible and efficient device management without the need for user-specific configurations. Stay tuned to What’s new in Intune for the release and more! If you have any questions or want to share how you’re using Apple enrollment across your organization in Intune, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn: aka.ms/IntuneLinked.Deploying macOS FileVault with Microsoft Intune
By: Marc Nahum – Senior Product Manager | Microsoft Intune FileVault is Apple's built-in disk encryption technology for macOS. To deploy FileVault securely and effectively in an enterprise setting, it requires a deeper understanding. Originally launched in 2005 with Mac OS X 10.3 Panther, FileVault has evolved significantly. The release of FileVault 2 in 2011 with Mac OS X Lion marked a major upgrade. Since then, Apple has continued to improve its capabilities. For example, macOS Sequoia now supports unlocking FileVault using Microsoft Entra ID credentials through Platform SSO. In this blog, you'll learn how to: Enable FileVault for macOS using Microsoft Intune Use and manage recovery keys Manually import FileVault recovery keys into Intune Troubleshoot FileVault issues during device migration to Intune Although FileVault has been around for nearly 20 years, much of the guidance available online is outdated or based on older versions of macOS. This blog focuses on current best practices for enterprise deployment, specifically for: Devices running macOS Sonoma (version 14) or later Apple silicon hardware Microsoft Intune as the mobile device management (MDM) solution for policy enforcement and recovery key escrow Legacy methods, such as Institutional Recovery Keys, are now considered obsolete and won’t be covered. Instead, we focus on building a modern, secure, and maintainable FileVault deployment strategy. Are recent Mac devices encrypted by default? Yes. Apple silicon Macs,and Intel-based Macs with a T2 Security Chip, are encrypted by default at the hardware level. This encryption uses a unique identifier stored in the Secure Enclave. However, the encryption becomes user-aware and policy-enforceable only when FileVault is enabled. Once activated, FileVault enhances security by linking the encryption to the user’s login password in addition to the hardware-based key. This ensures that access to the data requires proper user authentication. Apple provides detailed information on this process in their Apple Platform Security Guide. Enabling FileVault with Intune FileVault is a key component of macOS security and should be considered a mandatory requirement for organizations except where local laws explicitly prevent it. Intune offers several ways to configure FileVault, but the settings catalog is the recommended approach. It helps avoid policy conflicts and ensures consistent, reliable behavior across devices. It’s also the most future-proof method, as it aligns with ongoing platform and Intune updates. 📋 Steps to configure FileVault via settings catalog Login tothe Microsoft Intune admin center Navigate to Devices > macOS Create a new configuration profile: Profile type: Settings Catalog Name the profile and provide a clear description In the Settings Picker, locate Full Disk Encryption and configure the following in the subsections FileVault Defer → Enabled Enable → On (default) Force Enable In Setup Assistant → True Recovery Key Rotation in Months → (e.g., 6 months) FileVault Options Prevent FileVault From Being Disabled → True FileVault Recovery Key Escrow Location → Your Enterprise Name Note: The Defer setting was mandatory in certain versions of macOS. While this might not be required in the latest releases, it’s still recommended to enable it for added security and a more predictable user experience. Proceed through Scope tags and Assignments. It’s recommended to assign the profile to All devices (interpreted here as “all Macs”), use filters if needed. The usage of static groups of devices is also an option but dynamic device groups are not compatible with the “Force Enable In Setup Assistant” option, which is needed for enforcing encryption during the setup assistant without user intervention. If you’re using Platform SSO with Password synchronization you can use the FileVault Policy setting to force the device, connected to the network, to check Microsoft Entra ID password when a device is turned back on (macOS 15 and later). This setting can be found in the setting catalog under Authentication / Extensible Single Sign On (SSO) / Platform SSO And must be set to: AttemptAuthentication Refer to this article to properly configure Platform SSO and select the method to use it: Configure Platform SSO for macOS devices in Microsoft Intune. Once the profile is deployed and the device receives the configuration, FileVault will be activated and the recovery key securely escrowed in Intune. The key is stored in the device properties, Recovery Keys section and is accessible only to admins with proper role-based access. All access is audited. If the device is set as “Personal” in Intune, the recovery key will not be visible in the admin center. Enrolled with Automated Device Enrollment with the device in Apple Business Manager Enrolled from Intune Company Portal as a bring-your-own device In cases where FileVault isn’t enabled during Setup Assistant, such as in bring-your-own-device (BYOD) scenarios using the Intune Company Portal, the same policy will trigger FileVault activation after the next reboot, prompting the user to take the necessary actions. Using the FileVault recovery key The FileVault recovery key serves as a secure fallback for users who forget their login password. When used properly, it allows access to the Mac without requiring a password reset or device re-enrollment. While Apple documents the recovery key process on their support site, one useful detail is often overlooked: If the ”?” icon doesn’t appear on the Mac login screen, users can select Shift + Option + Return to manually bring up the recovery key prompt. This can be particularly helpful during support scenarios where the user is locked out, but the device is still enrolled and reachable via Intune. At this stage, the Mac has completed booting and can still receive remote commands such as running scripts or executing device actions. Manually escrowing an existing recovery key If FileVault is already enabled on a Mac before it’s enrolled in Intune, users can manually escrow their personal recovery key using the Intune Company Portal. This is especially useful in bring-your-own-device (BYOD) scenarios or in loosely managed enrollment flows, where FileVault may have been activated outside of the IT admins control. Steps to import the recovery key: Verify FileVault status Launch Terminal and run: fdesetup status This confirms whether FileVault is currently enabled. Rotate and display the recovery key Run the following command to generate a new personal recovery key: sudo fdesetup changerecovery -personal The user must have administrator privileges to execute this command. Upload the recovery key to Intune using the Company Portal website. Open a browser and navigate to: https://portal.manage.microsoft.com Select the corresponding Mac device (if prompted) Choose “Store Recovery Key” and paste the new key from the Terminal output On the same page, users can also retrieve an existing recovery key if it has already been escrowed. This manual method ensures that devices encrypted outside the MDM provisioning flow can still benefit from secure recovery key escrow and retrieval through Intune. Migrating to Intune A common challenge when migrating to Intune from another MDM is that FileVault may already be enabled. Aside from the manual steps, organization’s might consider another approach which is to automate the escrow of existing recovery keys using tools like Escrow Buddy, an open-source tool developed by Netflix. For all considerations of migrating to Intune we wrote another blog on it: aka.ms/Intune/mac-migration. Reach out for help If you’re interested in learning more about FileVault and other Mac scenarios, there are a couple more things you can do. Join our Microsoft Mac Admins community on LinkedIn. Our product teams are there, plus thousands of others who’re using Intune to manage their Apple devices in a Microsoft Enterprise environment. If you have a question about Microsoft and Mac, someone in this community will likely have the answer. If you have 150 Microsoft 365 licenses or more, you can also Request FastTrack assistance. Our FastTrack team are experts at helping our customers make the most of their investment in Microsoft technologies. Lastly, if you’re looking for a deeper engagement, consider finding a Microsoft partner to support your migration needs. If you have any questions or want to share how you’re managing and migrating your Apple macOS devices in Intune, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn: aka.ms/IntuneLinked.
