How to Get Intune Environment Ready for iOS and macOS Devices in Microsoft Endpoint Manager?
The first requirement for iOS and macOS device enrollment is the Apple MDM push certificate. You download a unique certificate signing request (CSR) from the Intune tenant and upload it to the Apple Push Certificates Portal.
Once the CSR is accepted, the Apple portal lets you download the Apple MDM push certificate. That certificate has to be uploaded back into the Intune portal before any iOS or macOS device can enroll. The certificate is valid for one year: renew it before it expires, using the same Apple ID that created it, otherwise already enrolled devices lose contact with Intune and have to re-enroll. This process is explained in the video above.
I assume the Intune MDM authority has already been set before the Apple MDM push certificate and the enrollment restriction policies are configured.
Video about setting up iOS/macOS MDM management via Intune
Please check the video link here.
Once the Apple MDM push certificate is in place, we can proceed with the configurations related to iOS and macOS management. The next step is to configure the enrollment restriction rules for iOS devices.
Suppose your organization has decided not to allow (block) personally owned iOS devices from enrolling into Intune. In that case, you set up a platform-based enrollment restriction: a device counts as personal unless Intune already knows it as corporate, for example through Apple Business Manager / Automated Device Enrollment, Apple Configurator, or a pre-registered serial number. I have a detailed post about restricting personal iOS devices here.
The next step is to set up Conditional Access policies for iOS devices (macOS was not yet a selectable Conditional Access platform at the time of writing). I recommend doing this as part of the initial Intune setup. As you can see in the following screen capture, you have two options.
Either you select the individual supported platforms the policy applies to, or you select "All platforms (including unsupported)." My recommendation is the latter. Azure AD infers the device platform from information the client sends, essentially the user agent string, and that value is under the client's control and is not verified. A policy scoped to "iOS" only therefore does not apply to a device that reports an unrecognized platform, whereas "All platforms (including unsupported)" applies regardless of what the client claims to be.
Azure AD Conditional Access policies can be deployed with or without compliance policies. I recommend deploying Conditional Access together with compliance policies, because "require compliant device" only means something if Intune has a definition of compliant to evaluate against. So, the next step is to set compliance policies for iOS devices. Are you wondering why there is no encryption option in the iOS compliance policy?
There is no separate encryption setting for iOS because the device encrypts its data storage (iOS Data Protection) as soon as a passcode is set. Requiring a passcode in the compliance policy is therefore the encryption requirement; a device without a passcode fails compliance, and a device with one is encrypted.
After the compliance policy, it is time to set up configuration policies for iOS and macOS devices. Intune configuration policies deploy security settings to the devices, and the same policy types can be used to enable or disable device features.
Details about the different types of Intune configuration profiles are discussed in my previous video blog post here. Device restriction policies are simply the security configuration policies in the Intune portal.
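The three baseline objects walked through above (enrollment restriction, iOS compliance policy, Conditional Access policy), as an added example built with the Microsoft Graph PowerShell SDK instead of the portal. This is not code from the original post. It assumes the Microsoft.Graph module is installed, that the beta Graph request bodies shown here still match the current reference (check them before relying on this), and that the group ID, break-glass account ID and minimum OS version are placeholders you replace with your own values.

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph
# PowerShell SDK is installed, the admin holds the scopes requested below, and
# the two GUIDs are placeholders for your own group and break-glass account.
Connect-MgGraph -Scopes @(
    "DeviceManagementServiceConfig.ReadWrite.All",   # enrollment restrictions
    "DeviceManagementConfiguration.ReadWrite.All",   # compliance policies
    "Policy.ReadWrite.ConditionalAccess",            # Conditional Access
    "Policy.Read.All"
)

$Graph        = "https://graph.microsoft.com/beta"
$TargetGroup  = "11111111-1111-1111-1111-111111111111"   # placeholder: iOS users group
$BreakGlassId = "22222222-2222-2222-2222-222222222222"   # placeholder: emergency access account
$MinIosVer    = "15.0"                                   # placeholder: your minimum supported iOS

function Invoke-GraphPost {
    param([string]$Path, [hashtable]$Body)
    $json = $Body | ConvertTo-Json -Depth 10
    Invoke-MgGraphRequest -Method POST -Uri "$Graph/$Path" -Body $json -ContentType "application/json"
}

# 1. Enrollment restriction: corporate-owned iOS/iPadOS only. Anything Intune
#    does not already know as corporate (ADE, Apple Configurator, registered
#    serial) is treated as personal and refused at enrollment.
$restriction = Invoke-GraphPost "deviceManagement/deviceEnrollmentConfigurations" @{
    "@odata.type"       = "#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration"
    displayName         = "iOS - block personal devices"
    platformType        = "ios"
    platformRestriction = @{
        platformBlocked                 = $false
        personalDeviceEnrollmentBlocked = $true
        osMinimumVersion                = $MinIosVer
    }
}
# A per-platform restriction only takes effect for the groups it is assigned to.
Invoke-GraphPost "deviceManagement/deviceEnrollmentConfigurations/$($restriction.id)/assign" @{
    enrollmentConfigurationAssignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $TargetGroup } }
    )
}

# 2. Compliance policy. The passcode requirement doubles as the encryption
#    control: iOS enables Data Protection as soon as a passcode exists.
$compliance = Invoke-GraphPost "deviceManagement/deviceCompliancePolicies" @{
    "@odata.type"                         = "#microsoft.graph.iosCompliancePolicy"
    displayName                           = "iOS - baseline compliance"
    passcodeRequired                      = $true
    passcodeRequiredType                  = "numeric"
    passcodeMinimumLength                 = 6
    passcodeBlockSimple                   = $true
    passcodeMinutesOfInactivityBeforeLock = 5
    securityBlockJailbrokenDevices        = $true
    osMinimumVersion                      = $MinIosVer
    # Intune rejects a policy with no scheduled action; block with zero grace
    # period so a failing device is non-compliant immediately.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}
Invoke-GraphPost "deviceManagement/deviceCompliancePolicies/$($compliance.id)/assign" @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $TargetGroup } }
    )
}

# 3. Conditional Access: require a compliant device. includePlatforms "all" is
#    the portal's "All platforms (including unsupported)". Platform is inferred
#    from the client-supplied user agent, so a policy scoped to "iOS" alone
#    would not apply to a device that reports some other platform.
$ca = Invoke-GraphPost "identity/conditionalAccess/policies" @{
    displayName   = "Require compliant device - all platforms"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications = @{ includeApplications = @("All") }
        platforms    = @{ includePlatforms = @("all") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}

"Enrollment restriction : $($restriction.id)"
"Compliance policy      : $($compliance.id)"
"Conditional Access     : $($ca.id) (state=$($ca.state))"
```

Leave the Conditional Access policy in report-only mode until the sign-in logs show that only the devices you expect would be blocked, then change `state` to `enabled`. Because the policy covers all users and all platforms, Windows, Android and macOS users also need a compliance policy assigned, otherwise their devices can never be evaluated as compliant and they are locked out once the policy is enforced. The excluded break-glass account is what gets you back in if that happens.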
Conclusion – How to Get Intune Environment Ready for iOS and macOS
The policies above are the basic ones you want in place if your organization has decided to manage iOS and macOS devices via Intune. There are many more advanced MDM policy management options available with Microsoft Intune.
You can also create custom configuration policies for iOS devices if some of your security requirements are not covered out of the box by the built-in Intune configuration profiles. Apart from that, you can deploy Wi-Fi profiles, VPN profiles and certificates to iOS devices using Intune MDM.
Another option is Intune MAM WE (app protection without enrollment): corporate applications are managed through MAM policies and app-based Conditional Access policies instead of device enrollment.
In this scenario, users do not need to enroll their devices in Intune MDM management at all. So this is another decision point for each organization: whether to use MAM WE or the MDM channel for iOS management.
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and local user group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.