Microsoft Intune has always had comprehensive support for managing modern devices (Android, iOS, and Windows) using the MDM framework. As announced last week, I’m excited to share that we’ve extended our MDM management platform to include support for managing Mac OS X devices. These capabilities are built on the same robust MDM infrastructure used for managing iOS devices. With the introduction of Intune support for Mac OS X, you can now use Intune to manage every major platform through a consistent IT Admin experience. Let’s explore how Intune can help you easily configure, secure, and report on your Mac devices.
You can enroll a Mac device in Intune in just a few clicks – using Safari browser, go to the Intune Company Portal website (portal.manage.microsoft.com) and click the notification bar to kick off the enrollment process. Any Mac device on OS X 10.9 or later that can connect to the Internet can be enrolled in Intune – no special software or infrastructure required!
Just like on iOS, enrolling a Mac device requires installation of a Management Profile. End-users will automatically be prompted to install the profile via the Mac OS X System Preferences app (the Mac equivalent of Settings). After successful enrollment, Mac devices will appear in the Company Portal website alongside the user’s other enrolled devices.
You can configure Mac devices to easily connect to your corporate environment with the necessary resource access profiles including:
- Wi-Fi profiles for zero-touch end-user access to wireless networks
- VPN profiles to allow Macs to remotely access company resources
- Certificate profiles to help secure access to company resources
All of these configuration options (and more) are available through a brand new “Mac OS X” policy node we’ve added to the Intune admin console.
Can’t find a setting that you need in one of these templates? You can use a Custom Configuration Policy to configure any settings on the Mac device supported by the Apple MDM framework. You can use the Apple Configurator tool to export a custom .mobileconfig file and upload it to Intune. Alternatively, you can consult the Configuration Profile Reference to craft your own XML file based on the documented schema.
Ensuring Macs are compliant with your organization’s security policies can be accomplished using the General Configuration Policy template. This policy includes baseline settings for password requirements and screensaver timeouts.
This policy also includes options for defining App Compliance Lists, which allow you to generate reports on Mac devices which have installed apps that may be non-compliant (as defined by the IT Admin).
And lastly, one of the core foundations of device-level security is full-disk encryption. You can use Intune to query the status of disk encryption (File Vault II) on enrolled Mac devices and ensure that company data is encrypted at rest.
Reporting and Auditing
Intune helps you keep track of all your Mac devices by providing comprehensive hardware and software inventory reporting capabilities. You can go to the Reports workspace to view the new Mac OS X inventory reports available.
The Hardware Report provides all the important details about the device and its configuration state, including critical information about the OS X version (to help ensure all your Mac devices have the latest OS patches), the serial number (for auditing and inventory), the last time the device checked-in to Intune, and whether or not File Vault encryption is enabled.
The Software Report details all of the apps installed on Mac devices, including the unique app identifier, the exact version number, and the app friendly name. This report can help you confirm the latest software is installed on Mac devices.
What about Hybrid?
All the screenshots in this post have described the IT Admin experience for Intune standalone (cloud only) customers. For our customers using System Center Configuration Manager integrated with Intune to manage devices in a hybrid deployment, we’re excited to announce that all these same Mac OS X management features will be available in the upcoming major update to Configuration Manager. Look for the announcement on the ConfigMgr team blog.
Once you upgrade to the next version of Configuration Manager, you’ll notice that you now have two options for managing Mac OS X devices – client management and MDM. The client management features remain unchanged from prior versions of Configuration Manager, you can learn more about them here. All the new MDM-based Mac management features described in this post can be accessed using the same interface you’re familiar with for managing iOS devices.
In the deployment wizard for Configuration Items and Resource Access Profiles, you’ll see a new option to target “All Mac OS X MDM Clients” which enables deployment of settings and resources to MDM-enrolled Mac devices.
And of course, you can use Resource Explorer to view the hardware and software details of any enrolled Mac device and generate reports based on this inventory data.
What you see here is just the beginning. This is v1 of Intune support for managing Mac OS X devices through the modern MDM channel. We are committed to leveraging the MDM framework to extend management capabilities for Mac devices. As we’ve seen with Windows 10, there is an industry convergence on managing mobile and modern devices using a standard communication protocol with the platform-provided MDM agent. Based on our discussions with Apple, it’s been made clear that while legacy client-based management of Macs will continue to serve niche functionality, the future direction of device management for iOS and Mac platforms will come through the evolution of MDM. As we continue to build more management capabilities for Mac devices, we’ll share the latest updates here on this blog.
So go ahead and enroll your Mac devices in Intune, and provide feedback directly to the engineering team at our Intune feedback site – tell us what additional Mac management capabilities you’d like to see added to the Intune service.
Kieran Gupta, Program Manager
Microsoft Intune Device Experiences Team