Hello everyone! This post discusses the enhancements Microsoft Intune has introduced for managing Apple devices, and explores how Intune helps organizations improve the security and accessibility of their Apple fleet.
Microsoft Intune is a single Mobile Device Management solution that helps organizations manage all their endpoints on 6 platforms, including macOS, Windows, Android, iOS/iPadOS, ChromeOS, and Linux. The platform uses a feedback system to improve user and IT administrator experiences with Apple devices for work.
Multiple MDM solutions are already available for managing Apple devices, such as Jamf Pro, Workspace ONE, Kandji, ManageEngine, etc. Here we look at how the recent enhancements improve Intune and what features it now offers for managing end-user devices.
In addition, our previous article Microsoft Intune Vs Jamf macOS Device Management Enhancements compared the two MDM solutions. In it, author Anoop C Nair weighed which is better for Apple device management and its features, and whether a co-management scenario (Jamf Pro + Intune) is possible when an organization's requirements call for a more complex design.
Before jumping into the topic, in case you missed it, go through my previous article on the Best Way to Troubleshoot macOS Configuration Profiles and Policies in the Intune Portal. That article explained configuration profiles and how to troubleshoot them from the Intune portal.
It also covered the tenant: how to check tenant status and details, and how that helps narrow down whether an issue lies on the portal side or on the end-user device. Check out the post and give us your feedback in the comments section.
If you enjoy reading my articles on managing macOS devices with Microsoft Intune MDM Solution, you might find all my posts interesting. You may go through them here. In my recently published video, I talked about upgrading to macOS Sonoma and getting familiar with its latest features that can boost productivity for end-users.
10 Best Enhancements in Microsoft Intune to Manage Apple Devices
Without further ado, let's dive into the Intune enhancements. These 10 enhancements have significantly improved the management of Apple devices for organizations and their end-users, raising the quality of both IT support and the end-user experience. They are as follows:
- Managing DMG app deployments for macOS
- Allowing unmanaged PKG app installations
- Sustaining the macOS software update
- Smooth User Onboarding experience
- Local account management on macOS
- Improved user enrollment for BYOD devices
- Secure ADE enrollment
- Quicker iOS enrollments
- Zero-touch provisioning for iOS-shared devices
- Ease device migration with DDM
Let us delve into each enhancement in detail and explore how they can simplify device management for Intune admins while providing a seamless user experience.
Managing DMG App Deployments for macOS
In the past, IT admins had to repackage applications into PKG format to meet their organization's standards. This required packaging expertise every time an application had to be deployed to the production environment to meet user demand.
Thanks to Intune, admins can now manage native apps on Intune-managed macOS devices more efficiently than ever before. The Intune MDM agent allows DMG-type applications to be easily installed, monitored, and reported, saving admins time and effort.
Moreover, Intune’s DMG app upgrade feature is a game changer as it allows admins to monitor and upgrade the app under their supervision, ensuring that users have the latest version and are protected from malware or cyberattacks. This feature not only enhances the security of the system but also saves time and effort for the IT team.
For detailed steps on how to deploy, manage and upgrade DMG apps using the Intune portal, check out our post on How to deploy DMG apps in macOS using Intune.
Allowing Unmanaged PKG App Installations
We have previously discussed the use of MacBooks in organizations and which types of employees benefit from them. Developers are the main MacBook users, and as part of the development process they sometimes need to install and test unsigned or otherwise unauthorized apps.
This was not possible in the past, which caused problems in the Mac line-of-business application workflow for organizations. Fortunately, the latest Intune enhancements have made deploying custom scripts and unsigned apps easier.
The Intune MDM agent is now available to deploy PKG-type installers. Intune continues to support and enhance the native PKG-type app management experience for macOS. However, the new Intune agent-based PKG-type app delivery and monitoring experiences offer even greater flexibility and customization.
Initially, Intune only supports PKG installations for the “required” assignment type, but other assignment types will follow. These improvements provide organizations with more options to manage their application deployments and achieve their desired outcomes.
For the detailed steps on how to deploy and install unmanaged PKG apps on macOS devices, follow our article Deploy Unmanaged macOS App using Intune.
Sustaining the macOS Software Update
Regularly updating software is a crucial aspect of maintaining the security of any device. To reduce the risk of attack, organizations should keep all of their devices up to date, above all by patching known vulnerabilities.
Intune’s system update policies for macOS are built using Apple’s MDM commands and provide a seamless macOS software update experience. This eliminates the need for scripts or manual installations initiated by Admins, freeing up valuable time and resources.
With Intune, Admins now have greater control over the type of updates users install, ranging from updating the built-in malware protection tools to the entire OS. Admins can also configure the behaviour for each update type, such as prioritizing the installation of critical updates to mitigate vulnerabilities or scheduling less urgent updates to minimize interruptions to user productivity.
By leveraging Intune’s powerful update management tools, organizations can ensure their devices remain secure and up-to-date, saving time and resources while reducing the overall attack surface.
To configure macOS software updates using Intune, follow our article Enable Automatic Updates for macOS Devices Using Intune.
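After an update policy is assigned, the practical question for an admin is whether the settings actually landed on the Mac. The following audit script is an added example (it is not part of this article or of Intune's own tooling): it reads the output of `defaults read /Library/Preferences/com.apple.SoftwareUpdate` and reports every expected key that is missing or disabled. The assumed baseline is a "keep everything current" policy in which all five listed keys are set to 1; the key names are the documented com.apple.SoftwareUpdate preference keys, but the choice of which ones to require is an assumption for this example. The sample output embedded in the script is constructed, not captured from a real device.

```shell
#!/bin/sh
# Audit macOS software-update preferences against the values an MDM update
# policy (such as Intune's macOS update policy) is expected to enforce.
# Added example; assumptions: the five keys below are the required baseline.

# com.apple.SoftwareUpdate keys that a "keep everything current" policy sets to 1.
EXPECTED_KEYS="AutomaticCheckEnabled AutomaticDownload AutomaticallyInstallMacOSUpdates ConfigDataInstall CriticalUpdateInstall"

# audit_softwareupdate_prefs: reads `defaults read` style output on stdin,
# prints one "<key>: <value|missing>" line per key that is not set to 1, and
# returns 0 when every expected key is enabled, 1 otherwise.
audit_softwareupdate_prefs() {
  prefs=$(cat)
  status=0
  for key in $EXPECTED_KEYS; do
    # defaults prints lines of the form: "    AutomaticCheckEnabled = 1;"
    value=$(printf '%s\n' "$prefs" | sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([0-9]*\);.*/\1/p" | head -n 1)
    if [ "$value" != "1" ]; then
      printf '%s: %s\n' "$key" "${value:-missing}"
      status=1
    fi
  done
  return $status
}

# Constructed sample (not from a real device): one key disabled, one key absent.
SAMPLE_PREFS='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 0;
    AutomaticallyInstallMacOSUpdates = 1;
    ConfigDataInstall = 1;
}'

# On a managed Mac, run:
#   defaults read /Library/Preferences/com.apple.SoftwareUpdate | audit_softwareupdate_prefs
# Pass --sample to audit the constructed sample instead.
if [ "${1:-}" = "--sample" ]; then
  printf '%s\n' "$SAMPLE_PREFS" | audit_softwareupdate_prefs
fi
```

The non-zero exit status makes the check usable from a custom attribute or compliance script: an empty report and exit 0 mean the policy is in effect, while any listed key points to a profile that has not arrived or has been overridden locally.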
Smooth User Onboarding Experience
Apple's platform SSO capability for macOS offers an exciting opportunity to enhance the employee onboarding experience on MacBooks. Intune's introduction of the Microsoft Enterprise SSO plug-in for macOS simplifies the process and creates a consistent, familiar onboarding experience across all Apple devices.
The plan is to introduce a Just-In-Time (JIT) macOS/iPadOS enrollment experience that will help streamline the onboarding process for users of organization-owned Macs. After enrollment, users can log in to the Enterprise Single Sign-On extension to establish single sign-on across Azure AD-enabled apps. They can use their Azure AD password to log in to their Mac without requiring the Company Portal app to access resources protected by Conditional Access.
This SSO experience will look and feel like a native macOS experience, providing users with a more seamless and natural experience. This will be greatly appreciated by users and will help to improve the overall onboarding experience.
We covered the configuration of the Microsoft Enterprise SSO plug-in using Intune in a previous article; for more details, follow How to setup Microsoft Enterprise SSO plug-in for Apple macOS Devices using Intune.
Local Account Management on macOS
Intune is developing a new feature that allows you to create local Admin and Primary accounts during automated device enrollment (ADE) for macOS. This will give users more control over the local Admin settings for new and existing macOS enrollment profiles. Admins can use this feature when enrolling devices with user-device affinity, including both modern authentication and the legacy Setup Assistant flow.
Improved User Enrollment for BYOD devices
Great news for iOS users! A new and improved version of User Enrollment, called Account-Driven User Enrollment, is now available. This updated flow provides a seamless onboarding experience, utilizing Just-in-Time (JIT) registration. With this new process, the iOS Company Portal app is no longer required as an enrollment prerequisite.
In addition, with Enrollment Single Sign-On (SSO), users authenticate only once during the entire flow to complete enrollment and establish SSO on their device, saving effort and creating a smooth user experience.
This enrollment process targets iOS/iPadOS 15+ devices in Intune. For User Enrollment with the Company Portal method, continue to target devices with earlier versions of iOS/iPadOS. This update will not affect devices running iOS/iPadOS 14.8.1 and below, and they can continue to use the current User Enrollment method with Company Portal.
We have covered the steps to configure Account Driven User Enrollment for iOS devices using Intune in detail; find them at Account-Driven Apple User Enrolment in Intune.
Secure ADE Enrollment
Intune has introduced exciting new updates that are designed to make the automated device enrollment (ADE) process more efficient and customized for administrators. These updates allow for greater flexibility in securing and streamlining the device configuration process, making it easier for organizations to optimize their resources and enhance productivity.
One of the most important updates is support for the iOS/iPadOS Configuration command during ADE with Intune release 2303 or later. This feature helps ensure that devices are configured according to the targeted admin profiles, keeping them secure and customized according to the organization's policies.
Another significant update is the introduction of a new Intune setting for iOS/iPadOS Setup Assistant with modern authentication. This setting allows administrators to configure most device configuration policies on the corporate device before the end-user is released from the Setup Assistant. It is available for both new and existing enrollment profiles, providing even greater flexibility in device enrollment.
Overall, these updates are designed to enhance the ADE process and ensure that devices are configured precisely as the organization intended from the moment end-users land on their home screen. By making it easier for administrators to customize and secure the ADE process, organizations can optimize their resources and enhance productivity.
Quicker iOS Enrollments
Intune has been actively exploring ways to improve the enrollment experience for iOS and iPadOS devices. With Just-In-Time (JIT) functionality, the iOS Company Portal app is no longer necessary for AAD registration. This significant breakthrough allows Users to move towards a web-based device enrollment flow for BYOD scenarios.
The Web Device Enrollment provides a much faster and streamlined enrollment process by reducing the need to switch between apps and simplifying the authentication process. Users can initiate enrollment, check device compliance, and review remediation steps on a new web-based Company Portal. This positive development will benefit users and improve their experience with Intune.
We have covered the step-by-step guide to iOS device enrollment; you can find the details in our article Enroll iOS/iPadOS Devices in Intune Step-by-Step Guide.
Zero-touch Provisioning for iOS-shared Devices
Shared Device Mode (SDM) is a powerful tool that greatly simplifies the deployment of iOS-shared devices, providing a more seamless and user-friendly experience for both users and administrators. With the introduction of zero-touch provisioning (ZTP), end-users no longer need to provide input during device setup, making the process faster and more efficient.
Configuring an iOS device as a shared device through the Intune portal is now a breeze. Once deployed, the device is automatically set up with SDM, offering a seamless single sign-in and sign-out experience for all supported applications, including Microsoft Teams and any application that uses the Microsoft Authentication Library (MSAL) and Shared Device Mode.
Intune offers additional capabilities to SDM, such as applying App Protection Policies for iOS devices in Shared Device Mode, making the environment more secure and providing an extra layer of protection for users and sensitive data.
Overall, SDM is an excellent tool for iOS-shared devices that greatly simplifies the deployment process, making it more user-friendly, efficient, and secure.
Ease Device Migration with DDM
In 2021, Apple introduced the Declarative Device Management (DDM) protocol, which moves policy evaluation onto the device rather than leaving it to the server. In August 2022, Intune announced support for DDM with the ability to configure policies using the iOS/iPadOS settings catalogue, and a month later DDM support was extended to the macOS settings catalogue.
One of the most significant benefits of DDM is that it works alongside the standard MDM protocol without affecting the user experience. With Intune, admins can send a policy created in the settings catalogue to DDM-enabled devices using the DDM-based approach, while the same policy is delivered via standard MDM to devices still using the older protocol.
This flexibility makes it easier to migrate seamlessly to Apple's new DDM protocol. It improves policy delivery performance and lays the groundwork for further capabilities in the future, such as device compliance and app inventory.
Also, Intune brought advanced endpoint management functionality to macOS with Microsoft Intune Remote Help, advanced application management, advanced Endpoint analytics, and existing capabilities of Microsoft Tunnel for Mobile Application Management for iOS in the Intune Suite.
Conclusion
Microsoft Intune is a versatile Mobile Device Management (MDM) solution that empowers Admins to manage multiple platforms from a single portal, offering a convenient and efficient approach. The platform constantly evolves with new features and enhancements; end-user feedback is instrumental in improving it.
As discussed in our comparison article, Intune can be used for macOS device management either on its own or, in more complex scenarios, in co-management with tools like Jamf Pro, depending on the organization's specific requirements.
Therefore, when setting up MDM solutions for organizations, Solution Architects should consider the capabilities and feature enhancements that provide better device management across all platforms, ensuring a seamless experience for all end-users.
Author
Snehasis Pani is currently working as a JAMF Admin. He loves to help the community by sharing his Apple Mac device support knowledge. He is an M.Tech graduate in System Engineering. Do check out his profile on Twitter & LinkedIn.