Apple making device migration to Microsoft Intune easy with upcoming OS 26 release
By: Iris Yuning Ye – Product Manager | Microsoft Intune Apple recently announced a major update at their Worldwide Developers Conference 2025 that solves one of the biggest headaches for admins: migrating macOS and iOS/iPadOS devices from one mobile device management (MDM) solution to another without factory resets, manual re-enrollment, or missing configurations. With the new MDM Migration capability in macOS 26 and iOS/iPadOS 26, built directly into Apple Business Manager, IT admins are able to transition devices from third-party MDMs to Microsoft Intune seamlessly, and without user disruption. Migrating devices to Intune helps IT admins consolidate device management across platforms, enforce consistent security policies, and reduce operational complexity. In this blog, learn how to start using Apple’s MDM migration feature to easily move your macOS and iOS/iPadOS fleet to Intune. Prerequisite: macOS/iOS/iPadOS 26 and enrollment into a device management service is required to use the Apple MDM migration feature. 1. Pre-migration – preparation and set up Before starting the migration process, there are five major steps to follow for preparation. 1.1 Keep a record of your devices Start by creating a detailed inventory of all devices in your organization. This should include each device model, the version of OS it’s running, and whether it’s corporate-owned or user-owned. This step is critical because Apple’s new migration feature has specific OS version requirements. Knowing which devices are eligible helps you scope the migration accurately and avoid surprises later. 1.2 Document configurations in current MDM Before making any changes, document all existing configurations in your current MDM platform. This includes: Configuration profiles: Capture all profiles related to Wi-Fi, VPN, email, and certificates. These are essential for maintaining connectivity and access post-migration. Compliance policies: Note any rules that enforce password complexity, encryption, or device health checks. Security baselines: Record settings such as FileVault encryption, Gatekeeper, and the macOS firewall to ensure security standards are preserved. Custom scripts: List any scripts used for automation, monitoring, or maintenance tasks. Deployed applications: Document all apps currently deployed, including how they’re delivered (Volume Purchase Program, App Store, or custom packages). This documentation will serve as your blueprint for rebuilding these configurations in Intune. 1.3 Configure the Apple MDM push certificate Navigate to the Intune admin center, create and upload an Apple MDM push certificate. This certificate allows Intune to securely communicate with Apple devices. Without it, device management and policy enforcement can’t function. 1.4 Add Microsoft Intune to Apple Business Manager (ABM) or Apple School Manager (ASM) Next, integrate Microsoft Intune with ABM or ASM, by following these steps: Download the public key from Intune. Upload that key to ABM or ASM when creating a new MDM server. Then, download the server token from ABM or ASM and upload it back into Intune. This allows ABM to recognize Intune as a valid MDM server and enables device assignment. 1.5 Set up MDM Configurations in Intune Since migration is treated as a new device enrollment, you'll need to follow standard Intune ADE (Automated Device Enrollment) guidance to setup device enrollment profile. Some key steps include: Once the device is in ABM/ASM, token that must be created to link Intune with ABM. Then, the device needs to sync from ABM to Intune. There is an automatic sync every 12 hours, or admin can manually sync once every 15 min. After successfully synced device from ABM to Intune, you need to create the enrollment profile, and then manually assign it to the devices via device serial number, and then the device can power on and enroll through that assigned enrollment profile Using the configurations documented in step 1.2, begin replicating existing configurations in Intune. This includes but is not limited to: Rebuilding configuration profiles for network access and security. Reapplying compliance and security policies. Re-deploying applications. Rewriting or importing scripts as needed. Identify the other controls to implement that improves Zero Trust. Call to action: Please make sure testing the MDM configurations on a test device before assigning them to the devices you plan on migrating. And before initiating any migration, communicate with your endpoint users first, keeping them informed to avoid any confusion. 2. Migration – Admin step-by-step flow The admin experience starts from ABM or ASM. After logging into ABM or ASM, navigate to the Devices section. Select the device or group of devices targeted for migration to Intune. Selecting the ellipsis on the top right of device overview interface unveils the “Assign Device Management” button. Select the server you want to migrate the device to. In our case, it’s Intune. Confirm device assignment. 3. Migration – Endpoint step-by-step flow After completing the device management assignment, the device user receives a notification informing them that a management change is required. macOS iOS/iPadOS When the user selects the notification, they are guided through a simple approval process. If the user doesn’t initiate enrollment before the admin set enrollment deadline, an enforced migration occurs, which results in a non-dismissible and full-screen prompt that must be completed by the user before using the device. Regular migration Enforced migration (past deadline) Once the user approves the migration, the device communicates with Apple’s servers to get its new device management assignment. It then downloads and installs the new MDM profile. This migration process happens without rebooting the device. 4. Post-migration – Verification Lastly, verify the migration and enrollment successfully completed by navigating to the Intune admin center and confirming the new devices are listed. evice. Please note, it's important to have test device verifying required configurations running smoothly before migrating large number of devices and test your devices after migration to ensure everything is working smoothly. If you run into any issues, further adjustments may be needed. Special thanks to our Intune MVP, Somesh Pathak, whose content we leveraged in this blog! For more details and a video demo, check out Somesh’s blog at: https://intuneirl.com/mac-admins-your-migration-glow-up-just-dropped Summary In short, Apple’s new MDM migration in macOS and iOS/iPadOS 26 makes moving Mac, iPhone or iPad devices to Intune now easier than ever. With careful planning and a few simple steps, you can make the switch smoothly to manage your Apple devices all in one place. For Mac devices that aren’t running OS 26, you can check out our Intune Github for migration scripts and review the blog Managing and migrating Macs with Microsoft Intune. Let us know how your Mac journey is going by leaving a comment below, reaching out to us on X @IntuneSuppTeam, or join our Mac Admins Community on LinkedIn! Post updates: 12/04/25: Updated section "1.5 Set up MDM Configurations in Intune". 12/11/25: Updated MDM Migration URL.New Platform SSO with registration during Automated Device Enrollment on macOS
By Iris Yuning Ye, Product Manager – Microsoft Intune & Justin Ploegert, Principal Product Manager – Microsoft Entra A new setting ‘Enable Registration During Setup’ for Platform single sign-on (PSSO) during Automated Device Enrollment (ADE) is now generally available for macOS devices in Microsoft Intune. With this new setting and a compatible version of the Intune Company Portal (5.2604.0 and newer), this feature enables users sign in with their Microsoft Entra account during Setup Assistant, complete device registration before reaching the desktop, and get immediate access to work resources and ready to be productive sooner. Why this matters Previously, Platform SSO registration occurred only after users completed Setup Assistant and reached the desktop. They then had to notice and act on a separate notification to finish Platform SSO registration. When Platform SSO registration isn't completed, it can cause issues with app authentication or lead to noncompliance, delaying users from getting started on the device: Missed notifications - Users dismiss or ignore the post-enrollment PSSO prompt, leaving devices in an incomplete device registration state. Broken app authentication - Apps like Microsoft Outlook could fail to authenticate because SSO isn’t fully configured. Compliance gaps - Devices are flagged as noncompliant in the Intune Company Portal because Platform SSO registration isn’t completed. Helpdesk burden - IT teams field repeated tickets for issues that should have been handled automatically during provisioning. Migration blocker - Incomplete Platform SSO setup slows down migrating macOS devices to Intune. Platform SSO during ADE with EnableRegistrationDuringSetup key eliminates these issues. Device registration, identity bootstrap, and credential setup all happen inline during Setup Assistant before the user ever reaches the desktop. What the feature enables Capability Details Microsoft Entra device registration during ADE The device registers with Microsoft Entra ID before the user reaches the desktop. A hardware-bound Workplace Join certificate is issued and stored securely. Early device identity Device identity is established early in the provisioning process, enabling immediate access to resources protected by Conditional Access. Platform SSO credentials during initial setup When configured with Secure Enclave, credentials are stored in the device's Secure Enclave, providing hardware-bound, phishing-resistant protection aligned with Zero Trust principles. Minimized delays Users arrive at the desktop already signed in. No additional prompts, no waiting for policies, no broken apps. How it works This feature requires three policies that work together. All three must be configured correctly before enrollment starts and assigned to the same static user groups: A Platform SSO settings catalog policy with “Enable Registration During Setup” configured to Enabled. Intune Company Portal (version 5.2604 or newer) deployed as a line-of-business (LOB) app, which provides the Microsoft Enterprise SSO extension. An ADE enrollment profile configured with Setup Assistant with modern authentication and Await final configuration = Yes. When a device enrolls with these three policies in place, here's what happens: The device powers on and begins the ADE enrollment flow. Intune delivers the Platform SSO settings catalog policy with Enable Registration During Setup enabled. Intune Company Portal is installed automatically as a LOB app, providing the Microsoft Enterprise SSO plug-in. During Setup Assistant, the user signs in with their Microsoft Entra credentials. This first sign-in starts the regular enrollment process. A second sign-in authenticates the identity in Intune Company Portal and fetches the SSO extension. The device registers with Microsoft Entra ID, and a Microsoft Entra device registration certificate is issued. The user arrives at the desktop fully authenticated, with SSO active and Conditional Access satisfied. Note: During enrollment, users are prompted to enter their Microsoft Entra credentials at least twice. We're working on improvements to reduce the number of sign-ins in a future update. Prerequisites Requirement Details macOS version macOS 26 and newer Enrollment method ADE via Apple Business Intune Company Portal Version 5.2604.0 or newer, deployed as a LOB app. Download from https://go.microsoft.com/fwlink/?linkid=853070 Intune role for configuration Admin account with at least the Policy and Profile Manager built-in role Group type Assigned (static) user groups only. Dynamic groups and device groups are not supported. Important: Review the full Platform SSO prerequisites in the Platform SSO configuration guide before you begin. High level step-by-step configuration Step 1: Create or update the Platform SSO settings catalog policy In the Microsoft Intune admin center, go to Devices > Manage devices > Configuration. If this is your first time configuring Platform SSO, follow the full Platform SSO configuration guide. Add and configure the following setting: Setting Value Description Authentication > Extensible Single Sign On > Platform SSO > Enable Registration During Setup Enabled Enables the Platform SSO registration process during Setup Assistant. If using the Password authentication method, it’s recommended to add for password sync function: Setting Value Description Authentication > Extensible Single Sign On > Platform SSO > Enable Create First User During Setup Enabled Enables the password synchronization experience during Setup Assistant. This configuration is recommended for Password authentication method. Tip: Microsoft recommends using Secure Enclave as the authentication method for the strongest hardware-backed security. Assign the policy to your static user groups. Filter is also supported with correct static group setting. Step 2: Install Intune Company Portal as a LOB app Download the Company Portal for macOS PKG from https://go.microsoft.com/fwlink/?linkid=853070. In the Intune admin center, go to Apps > All Apps > Create. Add Intune Company Portal as a macOS LOB app. Make it a required app and assign it to the same groups as the Platform SSO policy from Step 1. Important: Company Portal 5.2604.0 and newer is required. If you install an older version, Platform SSO fails. When Intune detects Company Portal as a deployed policy, it sends it with priority during enrollment. And clean up the App bundle ID that are not related to Company Portal, make sure only com.microsoft.CompanyPortalMac as the relevant App bundle ID is kept. Step 3: Set up the enrollment profile In the Intune admin center, go to Devices > Device onboarding > Enrollment > Apple tab. Create or edit an Automated Device Enrollment profile with these Management settings: Setting Value User affinity Enroll with User Affinity Authentication Setup Assistant with modern authentication Await final configuration Yes Locked enrollment Yes Assign the profile to the devices afflicated with the users targeted as Steps 1 and 2. Critical: You must assign all three policies to the devices afflicated with the users targeted. If any policy is assigned to a different group, or if any step is misconfigured, enrollment will fail. In that case, wipe the device and re-enroll with all steps correctly configured. Key things to remember ✅ Three policies, one group: Settings catalog, Company Portal LOB app, and ADE enrollment profile, all assigned to the same static groups or devices/users affliated with the groups. ✅ Static groups only: This feature does not work with device groups or dynamic groups. ✅ One SSO policy per device: If you already have a Platform SSO policy assigned to enrolled devices, make sure device is wiped appropriately before kicking of enrollment with new PSSO flow. ✅ Latest Intune Company Portal: Version 5.2604.0 or newer is required. ✅ macOS 26 required: This feature is supported on macOS 26 and newer. ✅ Secure Enclave recommended: For the strongest hardware-backed credential protection. For more details, refer to Configure Platform Single Sign-On (PSSO) during Automated Device Enrollment for macOS devices. Looking ahead: Reducing Platform SSO sign-in prompts Signing in multiple times during enrollment isn't the ideal experience, and we're actively working to streamline it with a new enrollment setting that enables users to complete both Intune enrollment and Platform SSO device registration with a single sign-in. This will further simplify the onboarding experience, reduce friction for users, and bring macOS enrollment closer to a truly seamless, zero-touch provisioning flow. Stay tuned to What’s new in Intune for the release. Related resources SSO in ADE profile (new article): Add Platform SSO policy to ADE Profile on macOS devices SSO scenarios: Platform SSO scenarios for macOS devices Platform SSO configuration guide for macOS devices using Microsoft Intune Common Platform SSO scenarios for macOS devices Install Company Portal for macOS as a macOS LOB app Set up automated device enrollment (ADE) Troubleshoot the Microsoft Enterprise SSO Extension plugin on Apple devices macOS Platform single sign-on known issues and troubleshooting As always, we'd love your feedback. If you've piloted Platform SSO during Setup Assistant, share your tips and lessons learned in the comments below or reach out to us on X @IntuneSuppTeam. Post Updates: 6/8/26: Refreshed guidance recommending this configuration for the Password authentication method and clearer targeting language around devices and users affiliated with the groups targeted.
OneDrive for macOS documentation issue. DefaultFolder plist example is missing array wrapper
Hi everyone, The Microsoft Learn documentation for configuring the OneDrive sync app on macOS currently contains an incorrect plist example for the DefaultFolderLocation setting. Documentation page: https://learn.microsoft.com/en-us/sharepoint/deploy-and-configure-on-macos#defaultfolderlocation In the “DefaultFolderLocation” section, the current plist example shows the DefaultFolder key as a dictionary: <key>DefaultFolder</key> <dict> <key>Path</key> <string>(DefaultFolderPath)</string> <key>TenantId</key> <string>(TenantID)</string> </dict> This format does not work correctly when deployed as a managed preference/configuration profile. The setting starts working when the DefaultFolder dictionary is wrapped in an array, like this: <key>DefaultFolder</key> <array> <dict> <key>Path</key> <string>(DefaultFolderPath)</string> <key>TenantId</key> <string>(TenantID)</string> </dict> </array> Please update the Microsoft Learn documentation to include the array wrapper in the DefaultFolder plist example. The current Microsoft Learn example is confusing because administrators may deploy the documented plist exactly as shown, but the setting does not appear to work correctly until the array wrapper is added.Intune macOS ADE: support for minimum macOS version enforcement before Platform SSO registration
Hi everyone, I would like to ask whether Microsoft Intune has any supported method, roadmap, or recommended workaround for enforcing a minimum or target macOS version during Automated Device Enrollment before Setup Assistant continues. The scenario is macOS zero-touch deployment with Intune, Automated Device Enrollment, Setup Assistant with modern authentication, Await final configuration, and Platform SSO registration during ADE. Platform SSO registration during Setup Assistant depends on newer macOS capabilities. In addition, some macOS deployment scenarios, such as Platform SSO password sync and macOS LAPS, may require or strongly benefit from a specific macOS version being installed before the user completes enrollment. Today, Intune can manage macOS software updates after enrollment using Declarative Device Management software update policies. However, that does not fully solve the issue where the Mac starts ADE on an older macOS version. In that case, the device may begin Setup Assistant and Platform SSO registration before the required macOS version is installed. What I am looking for is an Intune-native equivalent of enforcing a minimum or target macOS version during ADE, before Setup Assistant continues. Ideally, the macOS ADE enrollment profile in Intune would support options such as: - Minimum required macOS version - Target specific macOS version - Target specific build, if supported - Latest eligible macOS version for the device - Apply the OS update before Platform SSO registration and final configuration - Reporting in Intune showing whether the ADE OS update was required, started, completed, skipped, or failed Without this capability, organizations using Intune-only macOS deployment may still need manual IT staging or macOS restore/update before handing devices to users. This weakens the zero-touch deployment model, especially when adopting Platform SSO registration during Automated Device Enrollment. 1. Is there currently any supported way in Intune to enforce a minimum or target macOS version during ADE before Setup Assistant continues? 2. Is this capability on the Intune roadmap? 3. Are there any recommended workarounds for organizations deploying Platform SSO registration during ADE where a specific macOS version is required? Thanks in advance for any guidance from the Intune team or the community.New iOS/iPadOS, visionOS, tvOS and macOS ADE enrollment policies experience
By: Anya Novicheva – Sr. Product Manager | Microsoft Intune Coming with the 2606 service release (end of June), iOS/iPadOS and macOS automated device enrollment (ADE) profiles will move to a new infrastructure which enables Intune to speed up the delivery of new features. These will be the new enrollment policies experience for Apple devices enrolling through ADE. With this update, you’ll notice the authentication methods are better organized, there’ll be no Company Portal authentication method or automatic deployment of the Company Portal application, Apple-deprecated settings have been removed, and there’ll be more granular admin controls for the policies page. All newly created enrollment policies for iOS/iPadOS/macOS will automatically be part of the new experience. Existing enrollment profiles won’t be affected. You’ll be able to delete, edit, and assign existing enrollment profiles but you’ll no longer be able to create them with the old experience. We recommend creating a new enrollment policy and setting it as the default as soon as this feature releases so new enrollments will use the new policy as soon as possible. All new features releasing after will be part of the new enrollment policies experience moving forward and will not be added to the old enrollment profiles. Coming with the 2604 service release (end of April), you'll be able to create visionOS and tvOS automated device enrollment (ADE) policies with enrollment time grouping. Go to Devices > Enrollment > Apple > Enrollment program tokens > select a token > Enrollment policies > Create. Here, new visionOS and tvOS enrollment policies can be created and assigned to devices that have synced over from Apple Business Manager or Apple School Manager. Additionally, enrollment policies can be deleted or set as the default by navigating to the ellipsis in a policy. Create a new enrollment policy for iOS/iPadOS and macOS ADE In the Microsoft Intune admin center, navigate to Devices > Enrollment > Apple > Enrollment program tokens > select a token > Enrollment policies > Create. Here, new enrollment policies can be created and assigned to devices that have synced over from Apple Business Manager or Apple School Manager. Additionally, enrollment policies can be deleted or set as the default by navigating to the ellipsis in a policy. Benefits of the new experience: Enrollment time grouping support - Enrollment time grouping in Microsoft Intune The columns control can be used to select which columns should be default, which one should be the primary column, and which ones to show or hide. The search bar can be used to search by any column field contents and isn’t case sensitive. The filters control can be used to filter the policies by platform. We’ll add more filtering for the other columns soon. Sort each column by the ascending or descending order by clicking on the column header. No more automatic Company Portal app deployment from the enrollment policy itself or Company Portal as an authentication method option in the drop-down setting. The Company Portal app can still be used and sent down as a required or available app to the device depending on your organization’s needs. We always recommend using Setup Assistant with modern authentication for ADE policies with user affinity as it is the most secure method. However, if you still want to deploy the Company Portal authentication method your users or devices, you can do userless authentication (Enroll with no user affinity for authentication) and deploy the application as needed along with the required app configuration policy to the targeted devices. Note that this is not recommended. The “Install Company Portal”, “Install Company Portal with VPP, and “Run Company Portal in single app mode until authentication” settings aren’t supported and have been removed from the enrollment policy for iOS/iPadOS ADE. For more details refer to the blog: Move to Setup Assistant with Modern Authentication for Automated Device Enrollment Shared iPad for iPadOS ADE has its own authentication method for devices with no user device affinity. Setup Assistant with modern authentication is the default and recommended authentication method for ADE enrollment policies. Assigning new enrollment policies to devices The device assignment flow for ADE policies is the same. Within the policy, navigate to the Devices tab to select a device(s) and select Assign policy. Ensure that you’re assigning a new enrollment policy to the devices. Existing (old) enrollment profiles (only applies to iOS/iPadOS and macOS) Existing enrollment profiles will remain in Devices > Enrollment > Apple > Enrollment program tokens > select a token > Profiles. New enrollment profiles within Profiles cannot and should not be created. Existing enrollment profiles can be deleted, edited, assigned to devices, and viewed. Their device assignments will not be affected or changed. We recommend you migrate your ADE devices from being assigned to old enrollment profiles over to new enrollment policies and always have the Await final configuration setting set to Yes. Additionally, we recommend you set your default enrollment policy to one of your newly created ones from the Enrollment policies tab. Important: If you delete an old enrollment profile, the device rename is no longer enforced (that is if someone changes the device name). Sending the Company Portal app to ADE devices with user device affinity (optional) - iOS/iPadOS only Previously within enrollment profiles, the Company Portal app was sent down automatically to devices with the creation of Setup Assistant with modern authentication and Company Portal authentication profiles. With new enrollment policies, the Company Portal application will never be sent down automatically from the creation or assignment of the enrollment policy. For enrollment policy with user device affinity, we strongly recommend you set the authentication method to Setup Assistant with modern authentication as the most secure and seamless method. For Setup Assistant with modern authentication, the Company Portal is no longer required because of Just in Time registration and compliance Remediation for iOS/iPadOS with Microsoft Intune. However, if you still want to send replicate the Company Portal authentication method for your users or devices, you can choose to Enroll without user affinity (userless) and then deploy the application as needed, along with the required app configuration policy to the targeted devices. Assigning the correct app configuration policy based on the authentication method is critical if you’re sending the Company Portal app to ADE devices without user device affinity. Otherwise, the Company Portal will cause issues on the device and won’t auto-update correctly. However, we highly recommend Setup Assistant with modern authentication as the ADE authentication method for your Apple devices with user affinity. Based on the Company Portal authentication method you use, send the following XML for the app configuration policy: If you're using the Company Portal on an ADE device enrolled without user affinity (also known as Device Staging): <dict> <key>IntuneUDAUserlessDevice</key> <string>{{SIGNEDDEVICEID}}</string> </dict> If you're using the Company Portal on an ADE device enrolling with user device affinity, such as the Company Portal authentication method: <dict> <key>IntuneCompanyPortalEnrollmentAfterUDA</key> <dict> <key>IntuneDeviceId</key> <string>{{deviceid}}</string> <key>UserId</key> <string>{{userid}}</string> </dict> </dict> Stay tuned to What’s new in Intune for the release! If you have any questions, leave a comment on this post or reach out on X @IntuneSuppTeam and we'll provide updates in the blog on the timing of this release. Post Updates: 06/26/25: Updated post with a new ETA of Q4 CY25 (previously Q2 CY25). Also revised the content to better clarify the new experiences and authentication scenarios. 09/12/25: Updated post with a new ETA of Q1 CY26 (previously Q4 CY25). 02/26/26: Updated post with a new ETA of Q2 CY26 (previously Q1 CY26) and expanded scope to include macOS ADE alongside iOS/iPadOS. 04/30/26: Updated post with new ETAs - 2606 (end of June) for iOS/iPadOS and macOS, and 2604 (end of April) for visionOS and tvOS. Title and content updated to reflect the expanded OS scope.Intune my Macs: Accelerating macOS proof of concepts with Microsoft Intune
By: Neil Johnson and Chris Kunze - Principal Product Managers | Microsoft Intune Intune provides a broad and mature set of capabilities for managing macOS devices across security, compliance, applications, and user onboarding. Many customers, however, aren’t always aware of just how much functionality is available or how to bring it all together. We've developed a starter kit to make it easy to explore and set up macOS configurations in Intune: Intune my Macs. Intune my Macs helps bridge that gap by making it easy to explore some recommended macOS configurations and quickly set up a successful proof of concept using Intune. What is Intune my Macs? Intune my Macs is an open-source project from the Microsoft Intune Customer Experience Engineering team that allows you to deploy a complete macOS proof of concept in minutes. This starter kit brings together over 31 enterprise-grade configurations - identified by Apple’s Mac Evaluation Utility - along with policies, scripts, and applications, all of which can be deployed using a single PowerShell script. The project operates in dry-run mode by default, letting you preview exactly what will be created before committing any changes to your Intune tenant. When you're ready, simply add the --apply flag to the command-line to commit changes. Important: From a support perspective, Microsoft fully supports Intune and its ability to deploy PowerShell scripts. However, Microsoft does not support the scripts themselves, even if they are on our GitHub repository. They’re provided for example only. You are responsible for anything that they may do within your environment. Always test! See it in action Want a quick walkthrough before you dive in? Watch the video below to see a deep-dive on Intune my Macs - from authentication to policy creation, app deployment, and beyond. Why would you use it? 1. Jumpstart your macOS management Instead of building macOS configurations from scratch, Intune my Macs provides a ready-to-use baseline of production quality Intune artifacts. These configurations are designed to help you quickly evaluate Microsoft Intune for macOS management while also serving as reference implementations you can adapt to your environment. Below is an overview of what Intune my Macs deploys into your tenant, organized by category. Category Example configurations Security FileVault configuration, firewall enablement, Gatekeeper policies, Microsoft Edge policies Compliance Minimum macOS version (15.0), SIP enforcement, encryption requirements Identity Platform SSO via Secure Enclave with Microsoft Entra ID Applications Intune Company Portal, Microsoft 365, Remote Help, Intune Log Watch, Microsoft 365 Copilot, Windows App, and Edge Scripts Dock customization, FileVault key escrow (Escrow Buddy), onboarding automation Custom Attributes Hardware compatibility checks, Intune agent version reporting 2. Learn by example Each configuration in the repository serves as a practical reference implementation. The naming conventions follow a consistent pattern (for example, pol-sec-001-filevault, scr-app-100-install-company-portal), and detailed documentation explains what each setting does and why it's configured that way. 3. Reduce time to value Tasks that typically require extensive research, configuration, and testing can now be completed in just about 5 minutes, thanks to this streamlined approach. The script handles: Microsoft Graph SDK authentication Policy creation via Intune settings catalog and custom configuration profiles Script deployment with proper execution settings PKG application uploads Optional group assignments Optional Microsoft Defender for Endpoint integration If you're evaluating Microsoft Defender for Endpoint on macOS, the project includes an optional --mde command-line flag that deploys the full Defender for Endpoint configuration, including system extensions, privacy preferences, network filter settings, and a script that can be used to install the client. How it works This starter kit is driven by XML manifest files that define each configuration artifact. The main PowerShell script reads these manifests, resolves the associated JSON/mobileconfig/script files, and creates the corresponding objects in Intune via the Microsoft Graph API. You can scope this starter kit to specific artifact types using command-line flags like --apps, --config, --compliance, --scripts, or --custom-attributes. A custom naming prefix defined using the –prefix command-line flag) keeps your deployed objects easily identifiable, and the --remove-all command-line flag provides a clean way, based on the custom naming prefix, to delete everything created by an earlier run. For more information on how to use this project, be sure to review the prerequisites and instruction in the readme file. Bonus: Utility tools The project also includes several analysis and documentation tools: Export-MacOSConfigPolicies.ps1 - Back up existing Intune macOS policies to JSON Find-DuplicatePayloadSettings.ps1 - Detect conflicting settings across all your Mac configuration files Generate-ConfigurationDocumentation.py - Create Markdown or Word documentation from the manifests Get-IntuneAgentProcessingOrder.ps1 - Understand script and app processing sequence Get-MacOSGlobalAssignments.ps1 - List Mac policies assigned to All Devices or All Users Summary Intune my Macs isn't meant to be a one-size-fits-all production starter kit, but it’s a great way to get started. Use it to quickly implement a proof of concept, learn from the configuration patterns, and adapt the policies to your organization's specific requirements. Whether you're evaluating Intune for macOS management, setting up a new tenant, or just looking for reference implementations of common security configurations, this project can save you significant time and effort. Resources GitHub Repository Full Configuration Documentation Microsoft Defender for Endpoint Setup If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam! Post Updates 03/30/26: A video walkthrough has been added above. Watch to see Intune my Macs deploy a complete macOS proof of concept in minutes.Support tip: Move to declarative device management for Apple software updates
By: Benjamin Flamm – Product Manager | Microsoft Intune Apple recently announced at the Worldwide Developer Conference (WWDC) in June 2025 that mobile device management (MDM) software updates are deprecated in the upcoming Apple OS 26 versions. Instead, software updates will need to use declarative device management (DDM). In this blog, we want to provide you with everything you need to know to navigate this transition and easily manage software updates in DDM. What is DDM? DDM is an enhancement to Apple’s device management protocol that makes devices more proactive and autonomous, and this is perfectly highlighted by the major improvements that DDM brings to managing software updates. Previously, Intune had to send update commands and repeatedly check for the update status. With DDM, Intune simply tells the device the required OS version and the installation deadline, while the device proactively updates Intune on its progress from download to installation. Move to DDM for software updates The MDM software update features in Intune will initially be marked as ‘deprecated’ in the Intune admin center and support will end shortly after Apple OS 26 releases. Devices will ignore MDM update settings when DDM update settings are being enforced, so the only steps you need to do are to create your DDM update policies using the settings catalog. The following table lists the MDM software update features that’ll be unsupported later this year, along with the matching DDM feature that is currently available or coming soon. Legacy MDM feature New DDM feature iOS/iPadOS update policies Software Update or Software Update Enforce Latest settings, located in the settings catalog under Declarative Device Management (DDM): macOS update policies iOS update installation failures report Apple software update failures (Devices > Monitor) which is expected to release with Intune’s August (2508) service release. macOS update installation failures report Software updates report (macOS per-device) macOS software updates (Devices > All devices, select a macOS device > macOS software updates) which is expected to release with Intune’s August (2508) service release. macOS Settings catalog > Software Update payload and settings Software Update Settings located in the settings catalog under Declarative Device Management (DDM): Settings in the iOS or macOS ‘Device restrictions’ template Settings catalog > Restrictions, software update delay settings How do I manage software updates using Intune? With Apple deprecating MDM software updates, DDM is the recommended method to manage software updates in your organization. For a thorough guide that highlights the differences between MDM and DDM, along with how to configure DDM software updates review: Managed software updates with the settings catalog. Useful resources Apple announcements: Announcement of DDM software updates at WWDC 2023 Introduction of Software Update Settings at WWDC 2024 Announcement of MDM update deprecation at WWDC 2025 Intune Apple settings catalog configuration list | Microsoft Learn Apple Platform Deployment guide for managing updates | Apple Support Stay tuned to this post for updates! If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. Updates: 7/25/2025: Updated the expected release timeline of the new per-device software update report for macOS.
Zoom with Scroll + Modifier Key Not Working in Edge on macOS
Hello, I am using Microsoft Edge on macOS and I would like to zoom in and out of web pages using a modifier key (Command, Option, or Control) together with scroll Currently, Command + Scroll does not zoom the page. I understand that macOS may override this behavior through accessibility settings, but I would like to enable this functionality specifically in Edge without affecting system-wide behavior. Could you please advise: Is it possible to enable zoom using Scroll + Modifier Key in Edge on macOS? If not, are there any recommended workarounds or planned features for this? Thank you for your help DanceLens!
macOS: SSO no longer fully functional on AVD (Win11 25H2)
Hello everyone, Since updating our Test Azure Virtual Desktop Session Hosts from Windows 11 23h2 to 25H2 (26200.7462) , we've been experiencing an SSO issue that exclusively affects macOS clients. Symptoms For macOS users (Windows App), the following issues occur: Example Teams Teams shows the user as "Unknown User" Chat and collaboration features fail to load Error message: "You need to sign in again. This may be a requirement from your IT department or Teams, or the result of a password update. - Sign in" After clicking "Sign in," only a window appears with "Continue with sign-in" (no PW/MFA prompt) After this, all other applications work without further authentication Technical Details macOS Device: AppleM4 Pro macOS Tahoe 26.2 Installed WindowsApp version: 11.3.2 (2848) dsregcmd /status: No errors detected PRT is active and was updated for sign-in Entra Sign-In Logs: Error code: 9002341 EventLog on Session Host (AAD-Operational): Event ID: 1098 Error: 0xCAA2000C The request requires user interaction. Code: interaction_required Description: AADSTS9002341: User is required to permit SSO. Event ID: 1097 Error: 0xCAA90056 Renew token by the primary refresh token failed. Logged at RefreshTokenRequest.cpp, line: 148, method: RefreshTokenRequest::AcquireToken. Observations Affects: Both managed (internal) and unmanaged (external) macOS devices Does NOT affect: Windows clients connecting via Windows App Interesting: If a macOS user starts the session (with the error) and then reconnects on a Windows device, authentication works automatically there Workaround The issue can be resolved for macOS clients by removing the "DE" flag from "Automatic app sign-in" in the following file: C:\Windows\System32\IntegratedServicesRegionPolicySet.json Questions Is this a known issue? Has anyone experienced similar issues with macOS clients after the 25H2 update? Why does this issue only occur with macOS clients? Why does SSO only work after removing the "DE" flag for macOS devices, and why are Windows devices not affected? I would appreciate any insights or confirmation of this issue! Thank you and greetings FT_1
