Using Microsoft Intune to Manage Mac Endpoints
We’ve explored Microsoft Intune before, but for those who missed the initial article or would like a refresher: Intune is a cloud-based service for mobile device management (MDM) and mobile application management (MAM). It lets organisations manage and secure the devices (smartphones, tablets, and laptops) that employees use to access company data and resources.
Intune consolidates Microsoft’s endpoint management products into one cloud-based product family with a single admin interface (the family was known for a time as Microsoft Endpoint Manager, or MEM, before reverting to the Intune name). This simplifies administration by giving admins one place from which to secure endpoints, data, and access, and to support end users.
Some key features of Microsoft Intune include:
Device management
Intune allows administrators to manage a diverse range of devices, including iOS, Android, Windows, and macOS devices. They can enrol devices, configure settings, and remotely manage them.
Application management
Intune enables administrators to manage and deploy applications to enrolled devices. This includes both company-provided apps and apps from public app stores. Administrators can control app installation, updates, and usage policies.
Data protection
Intune helps protect company data by enforcing policies such as encryption, data loss prevention (DLP) controls, and selective wipe of corporate data. Sensitive information stays protected even if a device is lost or stolen.
Conditional access
Intune integrates with Microsoft Entra ID (formerly Azure Active Directory) to support Conditional Access. Intune reports each device’s compliance state to Entra ID, and Conditional Access policies then grant or block access to company resources based on factors such as device compliance, user identity, and network location.
Endpoint security
Intune lets administrators configure endpoint security controls (antivirus, firewall, disk encryption) on managed devices, and integrates with Microsoft Defender for Endpoint for advanced threat protection and risk-based compliance.
A Microsoft product for… Macs?
Good news for organisations (or the odd employee; yes, there are some here at Littlefish!) that use macOS devices rather than PCs: Microsoft has recently overhauled Mac management in Intune to help secure access to work email, data, and apps on macOS devices. Microsoft Entra ID passwords can even be used to log in to a Mac.
Driven largely by customer demand, and by a reportedly close working relationship with Apple, the work Microsoft has put into Mac management means Intune is now genuinely a unified platform from which organisations can manage all of their endpoints.
Microsoft have created a deployment guide for organisations wishing to manage macOS devices in Microsoft Intune, including information on:
Planning for deployment
Using the Microsoft Intune planning guide, organisations can define their device management goals, how they plan to use Intune, and their requirements in doing so. This guide also helps organisations plan for the roll-out of Intune, communicate with employees about the platform, and support, test, and validate devices.
Enrolling devices
This step configures the enrolment method and experience for company-owned and personal macOS devices: how they are enrolled in Intune and how they receive Intune policies and configurations. Intune supports Bring Your Own Device (BYOD) enrolment for personal Macs, Apple Automated Device Enrolment (ADE) for corporate Macs, and direct enrolment for corporate devices.
Creating compliance rules
Here, organisations create compliance policies: the rules and conditions that users and their devices must meet, such as a minimum macOS version, FileVault enabled, or a password policy. This is how Intune ensures Macs meet the company’s standard before they access data. A device that fails a rule is marked non-compliant, and actions can be taken automatically (for example, Conditional Access restricting its access).
Configuring device settings
Intune can enable or disable settings and features on Macs through device configuration profiles, which are assigned to all or some company devices (different groups can receive different configurations, for example).
Configuring endpoint security
Intune’s endpoint security features can be used to configure device security and manage security tasks for devices found to be at risk.
Setting up authentication methods
To ensure that only authorised people can access your organisation’s data and resources, Intune can be used to support multi-factor authentication, certificates, and derived credentials.
Deploying apps
Intune manages devices and the apps on them. It can be used to ensure users have access to the apps they need, that those apps are configured correctly, and that app security is consistent across all devices.
Running remote actions
After devices are set up, you can use remote actions in Intune to manage and troubleshoot macOS devices remotely.
Key features of Microsoft Intune for Macs
There are numerous highlights in Microsoft Intune that administrators at organisations that use Macs can utilise to make life easier. Not an exhaustive list by any means, but below are some key features that will enable admins to secure macOS devices and operate efficiently.
Using Intune for macOS devices, administrators can:
- Enable data protection whether enrolment is via Automated Device Enrolment (ADE) or end user BYOD self-serve enrolment
- Deploy and update apps with flexible tools that support a broad array of macOS app types
- Use templates verified by Apple
- Configure security settings like FileVault encryption, Firewall, and Gatekeeper
- Manage Conditional Access policies and multifactor authentication
- Deploy and manage Microsoft Edge
- Integrate with Microsoft Defender
- Enforce compliance for device health, properties, and security settings
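The compliance rules step and the FileVault, firewall and Gatekeeper settings listed above are normally configured in the Intune console (the built-in macOS compliance policy already has settings for each of the three). As an added example that is not part of the original article or of any Microsoft code, the script below shows the kind of verification an admin could push to Macs through Intune’s shell-script feature to confirm those controls are actually in force before turning on enforcement. It assumes the stock macOS tools fdesetup, socketfilterfw and spctl and the output strings they print on current macOS releases (check them against the macOS version you target); the parsing is separated from the tool calls so the logic can be exercised offline on constructed strings.

```shell
#!/bin/sh
# Added example (not from the article or from Microsoft): audits the three
# macOS controls the article names, FileVault, the application firewall and
# Gatekeeper. Assumes the built-in tools fdesetup, socketfilterfw and spctl.
# The parse_* functions take the tools' text output so the logic can be run
# offline on constructed strings (see sample_run below).

# fdesetup status prints "FileVault is On." or "FileVault is Off."  -> 1 / 0
parse_filevault() {
  case "$1" in
    *"FileVault is On"*) echo 1 ;;
    *) echo 0 ;;
  esac
}

# socketfilterfw --getglobalstate prints "Firewall is enabled. (State = 1)"
# or "Firewall is disabled. (State = 0)". State 2 ("block all incoming
# connections") is stricter than 1 and also counts as on.
parse_firewall() {
  case "$1" in
    *"State = 1"*|*"State = 2"*) echo 1 ;;
    *) echo 0 ;;
  esac
}

# spctl --status prints "assessments enabled" or "assessments disabled".
parse_gatekeeper() {
  case "$1" in
    *"assessments enabled"*) echo 1 ;;
    *) echo 0 ;;
  esac
}

# Turn the three flags (FileVault, firewall, Gatekeeper) into a verdict.
# Prints "compliant" or "noncompliant: <failed controls>"; returns 0 / 1.
evaluate() {
  failures=""
  [ "$1" = 1 ] || failures="$failures FileVault"
  [ "$2" = 1 ] || failures="$failures Firewall"
  [ "$3" = 1 ] || failures="$failures Gatekeeper"
  if [ -z "$failures" ]; then
    echo "compliant"
    return 0
  fi
  echo "noncompliant:$failures"
  return 1
}

# Query the live system (macOS only) and evaluate the result.
audit_live() {
  fv_out=$(fdesetup status 2>/dev/null)
  fw_out=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)
  gk_out=$(spctl --status 2>&1)
  evaluate "$(parse_filevault "$fv_out")" \
           "$(parse_firewall "$fw_out")" \
           "$(parse_gatekeeper "$gk_out")"
}

# Constructed sample output (not captured from a real Mac): a machine with
# FileVault on but the firewall and Gatekeeper off.
sample_run() {
  evaluate "$(parse_filevault 'FileVault is On.')" \
           "$(parse_firewall 'Firewall is disabled. (State = 0)')" \
           "$(parse_gatekeeper 'assessments disabled')"
}

if [ "$(uname -s)" = "Darwin" ]; then
  audit_live
  # Intune reports a non-zero exit as "Failed" for the device, which makes
  # the non-compliant Macs easy to pick out; the verdict text is in the output.
  exit $?
else
  echo "sample verdict: $(sample_run)"   # noncompliant: Firewall Gatekeeper
fi
```

Deployed as an Intune macOS shell script with a recurring schedule, the exit status gives a per-device pass/fail in the script report and the printed verdict says which control failed. Note that the firewall check is stricter than a bare "enabled" match on purpose: it keys on the numeric state so a future wording change in the banner text does not silently turn every device into a pass.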
Microsoft Intune can also streamline setting up and working securely on Macs, making life easier for users and admins alike.
Some of these user-centric features include:
- Single sign-on (SSO) to reduce password fatigue and simplify device setup
- Microsoft Entra ID passwords can be used to log in to Mac
- SSO can pre-configure user accounts in Office apps
- SSO satisfies Conditional Access for company resources without the user having to launch the Intune Company Portal app
- Local primary account creation during provisioning is automated
- Apple-native apps are optimised for Apple processors: Microsoft Teams, Microsoft Edge, Office apps, Microsoft Defender, Company Portal, and the Intune agent
- Remote Help for macOS is part of the Microsoft Intune Suite or available separately as an Intune add-on
Some admin-centric features include:
- Support for Apple’s Declarative Device Management (DDM) protocol
- Configure SSO with a simple user interface
- SSO improves security by binding secrets to the Mac’s hardware (the Secure Enclave), so they cannot be copied to another device
- Provision users’ apps from Intune—SSO can be expanded to additional apps
- Support for “await final configuration” during Setup Assistant ensures the most critical device configuration policies reach the device before the end user lands on the home screen
- Custom Setup Assistant screens for ADE Macs
- Remote actions such as restart, wipe, or erase
- Microsoft Cloud public key infrastructure (PKI) will include certificate lifecycle management for Mac when it launches as part of the Intune Suite
Final word
Microsoft Intune provides a comprehensive solution for managing Mac devices inside organisations, offering benefits such as unified management, enhanced security, streamlined app management, conditional access controls, remote management capabilities, and compliance reporting.
These features make it an extremely attractive choice for organisations seeking to efficiently manage and secure their Mac endpoints alongside other device types, and they reduce the expense of running multiple endpoint management solutions (not to mention the additional training those require).
To find out more about how Microsoft Intune, or any of the Microsoft technology stack, might benefit your organisation, please get in touch with our Microsoft experts.