Intro To Managing macOS Devices with Intune
Managing macOS devices in your organization doesn’t have to be complicated. This guide walks you through how to configure, secure, and maintain Macs using Microsoft Intune. Whether you’re onboarding devices for the first time or ensuring compliance across your fleet, Intune offers the tools you need to streamline device management.
By the end of this guide, you’ll be equipped to integrate Macs seamlessly into your existing device management workflows. From setting up Apple Business Manager to deploying compliance policies and securing access with Conditional Access, this guide ensures you’re leveraging the best practices and latest capabilities Intune has to offer.
Let’s get started.
Why Manage macOS Devices with Microsoft Intune?
Managing macOS devices through Intune offers a unified, scalable approach to endpoint management. With the increasing prevalence of hybrid environments and BYOD policies, incorporating Macs into your existing management framework ensures consistency, security, and efficiency.
Using Intune, you can:
- Ensure Security Compliance: Apply and monitor compliance policies across macOS devices to meet regulatory and organizational security standards.
- Centralize Management: Manage all endpoints—Windows, macOS, iOS, and Android—under a single platform for unified visibility and control.
- Enable Zero Trust Principles: Enforce Zero Trust security measures, ensuring only compliant devices can access your corporate resources.
By integrating macOS management into Intune, you eliminate the need for disparate tools, reduce complexity, and strengthen your security posture.
Prerequisites for Managing macOS Devices with Intune
Before you begin managing macOS devices with Intune, there are a few key prerequisites you need to have in place. Ensuring these are ready will streamline the setup process and avoid unnecessary interruptions.
1. Licensing Requirements
You’ll need an appropriate Microsoft Intune license. Check your current license plan and ensure it includes device management capabilities for macOS. Detailed licensing information can be found in Microsoft’s Intune documentation, or we can help you make sure you’re on the right licensing SKU, Intune plan or combination for your requirements.
2. Apple Business Manager (ABM)
If you’re managing corporate-owned macOS devices, integrating Apple Business Manager with Intune is essential. This allows for automated device enrollment, making it easier to deploy and manage devices right out of the box.
To set up ABM:
- Enroll your organization in Apple Business Manager.
- Configure the integration between ABM and Intune by adding Intune as your Mobile Device Management (MDM) server.
- Assign devices to Intune within the ABM portal for automatic enrollment.
3. Apple MDM Push Certificate
To enable Intune to manage macOS devices, you’ll need an Apple MDM Push Certificate.
- Sign in to the Apple Push Certificates Portal.
- Download and upload the certificate in the Intune admin center under “Devices > macOS > Enroll devices.”
4. Supported macOS Versions
Verify that the macOS devices you’re managing are running a version supported by Intune. Keep your macOS fleet updated to ensure compatibility with the latest Intune policies and features.
5. Device Access Requirements
Ensure that enrolled macOS devices can connect to Intune endpoints.
6. Admin Access and Roles
Use Role-Based Access Control (RBAC) in Intune to assign appropriate permissions to administrators managing macOS devices. This minimizes risk by granting access only to the necessary features.
Setting Up macOS Management in Intune
Once you’ve completed the prerequisites, you can begin setting up macOS management in Intune. Follow these steps to get started:
1. Configure the Apple MDM Push Certificate
The Apple MDM Push Certificate is essential for Intune to communicate with macOS devices.
- Go to the Intune admin center, navigate to Devices > macOS > macOS enrollment.
- Select Apple MDM Push Certificate and follow the prompts to upload the certificate you generated earlier.
- Confirm the certificate details and save the configuration.
2. Enroll macOS Devices
You can enroll macOS devices through Apple Business Manager (ABM), Apple Configurator, or manual enrollment via the Company Portal app, depending on the ownership model and device eligibility.
Automated Enrollment via Apple Business Manager (ABM):
For corporate-owned devices purchased directly from Apple or authorized resellers:
- In Apple Business Manager, assign macOS devices to the MDM server configured with Intune.
- In the Intune admin center, navigate to Devices > macOS > Enrollment Program Tokens.
- Create an enrollment profile and assign it to the devices.
- Devices will automatically enroll during the Setup Assistant process when powered on.
Enrollment via Apple Configurator:
For corporate-owned devices not purchased through ABM but needing automated enrollment:
- On a Mac running Apple Configurator, connect the device and select Prepare with Manual Configuration.
- Ensure Add to Apple School Manager or Apple Business Manager is checked.
- Complete the setup to add the device to ABM.
- In ABM, assign the device to the Intune MDM server.
- In Intune, go to Devices > macOS > Enrollment Program Tokens and sync to import the device.
- Assign an enrollment profile. The device will enroll automatically during the next startup.
Manual Enrollment via Company Portal (for BYOD or Non-ABM Devices):
For personally-owned devices or those not eligible for ABM or Configurator enrollment:
- In the Intune admin center, navigate to Devices > macOS > macOS Enrollment > Enrollment Types.
- Share instructions with users to:
  - Download and install the Company Portal app from the App Store.
  - Sign in with their work or school account and follow the on-screen prompts to complete enrollment.
- The device will enroll in Intune and apply the necessary policies.
3. Configure macOS Profiles
Profiles allow you to deploy device configurations, such as network settings and security policies.
- Navigate to Devices > macOS > Configuration profiles in Intune.
- Select Create profile, choose the macOS platform, and configure the following:
  - Wi-Fi settings: Ensure seamless network connectivity.
  - VPN settings: Define corporate VPN configurations.
  - Security settings: Enable FileVault encryption and restrict administrative rights.
- Assign profiles to specific device groups or users.
4. Deploy Applications
Applications can be deployed through Intune for seamless installation on macOS devices.
- Navigate to Apps > All apps > Add in the Intune admin center.
- Upload the required macOS application package (.pkg or .dmg).
- Configure app deployment settings, such as device group assignments.
- Encourage users to download apps through the
5. Enable Conditional Access for macOS Devices
Secure access to corporate resources by enforcing Conditional Access policies.
- Go to the Microsoft Entra admin center, and navigate to Security > Conditional Access.
- Create a new policy and configure conditions for macOS devices, such as requiring compliant devices or Multi-Factor Authentication (MFA).
- Assign the policy to relevant user groups.
With these steps, your macOS devices will be fully integrated into Intune, providing centralized management and enhanced security.
6. Enable Platform SSO for macOS Devices
To provide seamless authentication across apps and services, you can enable Platform Single Sign-On (SSO) for macOS devices. This integrates macOS with your organization’s identity provider and ensures that users only need to authenticate once to access multiple resources.
- Navigate to the Microsoft Entra admin center, and go to Devices > macOS > Configuration
- Follow the guidance here
- Configure the necessary settings, including the identity provider details and the authentication method.
- Assign the SSO configuration to the relevant user groups and devices.
By enabling Platform SSO, you enhance user experience and streamline access management across your macOS fleet.
Tips and Caveats for macOS Management in Intune
When managing macOS devices with Intune, there are some considerations and known issues to be aware of; knowing them in advance helps you avoid potential roadblocks and improves deployment efficiency:
1. Application Deployment Challenges
- Microsoft 365 Apps Behavior: Deploying Microsoft 365 applications as “Required” installations may cause the apps to close and restart unexpectedly without prior notification. To avoid this, consider assigning these applications as “Available” instead of “Required.” Learn more about this issue.
- Line-of-Business (LOB) Apps Installation: Deploying LOB apps with multiple components may fail with error code 0x87D13BA2 if the app package lacks specific metadata. Ensure your .pkg files include the necessary metadata to prevent this issue. Read more about resolving LOB app errors.
2. macOS Version-Specific Issues
- macOS 11.2.x Limitations: Devices running macOS 11.2.x may experience issues with app installations and script execution. Upgrading to macOS 11.3 or later resolves these problems. See additional details here.
3. Virtual Machine (VM) Enrollment
- Enrolling macOS virtual machines in Intune can be challenging if enrollment restrictions block personal devices or if the VM is already assigned to another user. Ensure VMs have recognizable serial numbers and hardware models. Clean up stale device records in Intune to avoid conflicts. Find out how to troubleshoot VM enrollment.
4. Kernel Extensions on Apple Silicon
- Kernel extensions are not compatible with macOS devices running on Apple Silicon (e.g., M1 or M2 chips). For devices running macOS 10.15 or newer, use system extensions instead of kernel extensions to ensure compatibility. Learn more about configuring system extensions.
5. Security Updates
- Keeping macOS devices updated is critical for protecting against vulnerabilities. Apple regularly releases security updates for macOS versions like Sequoia, Sonoma, and Ventura. Ensure all managed devices receive the latest patches. See Apple’s latest security updates.
By addressing these considerations proactively, you can enhance the efficiency and reliability of your macOS management through Microsoft Intune. Staying ahead of these challenges will help you maintain a secure, compliant, and optimized environment for your macOS devices.
Managing macOS Devices in Intune
Once your macOS devices are enrolled in Intune, ongoing management ensures that they remain secure, compliant, and operational. Intune offers several features to help you manage macOS devices effectively:
1. Monitor Device Compliance
Compliance policies are critical for maintaining security standards.
- Use the Intune admin center to check device compliance status under Devices > Monitor > Device compliance.
- Non-compliant devices can be flagged for remediation, such as requiring users to update their passwords or enable FileVault encryption.
2. Deploy Updates and Patches
Keeping macOS devices updated reduces vulnerabilities and improves performance.
- Automate macOS updates by configuring update policies in Devices > macOS > Update policies for macOS.
- Ensure users are prompted to install updates and verify compliance through the Intune admin center.
3. Enforce Conditional Access Policies
Conditional Access ensures only compliant macOS devices can access corporate resources.
- In the Azure AD admin center, navigate to Security > Conditional Access to create policies.
- For example, enforce Multi-Factor Authentication (MFA) or require device compliance before granting access to applications like Microsoft Teams or SharePoint.
4. Manage Security Settings
Secure your macOS devices with the following configurations:
- FileVault Encryption: Enforce disk encryption to protect data.
- Firewall Settings: Ensure macOS firewalls are enabled and properly configured.
- Application Restrictions: Use Intune app protection policies to prevent unauthorized apps from running on managed devices.
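To check the settings in this list (and the FileVault requirement from the compliance section above) on an enrolled Mac, here is an added example that is not part of the original guide: a posture script of the kind Intune can push to macOS as a shell script. The parse_* helpers and posture_json are names chosen for this example; collect_posture assumes it runs as root on a Mac where fdesetup, socketfilterfw and csrutil are available.

```shell
#!/bin/bash
# Added example (not from the original guide): a posture script of the kind Intune
# can push to macOS as a shell script. The parse_* helpers take raw tool output as
# an argument so the logic runs offline; collect_posture only works on a Mac, as root.

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
parse_filevault() {
  case "$1" in
    *"FileVault is On"*) echo true ;;
    *)                   echo false ;;
  esac
}

# `socketfilterfw --getglobalstate` prints "Firewall is enabled. (State = 1)".
# State 2 is "block all incoming connections"; State 0 is off.
parse_firewall() {
  case "$1" in
    *"State = 1"*|*"State = 2"*) echo true ;;
    *)                           echo false ;;
  esac
}

# `csrutil status` prints "System Integrity Protection status: enabled."
parse_sip() {
  case "$1" in
    *"status: enabled"*) echo true ;;
    *)                   echo false ;;
  esac
}

# Combine the three results into one JSON record plus an overall verdict.
# Usage: posture_json <filevault> <firewall> <sip>   (each "true" or "false")
posture_json() {
  local compliant=false
  [ "$1" = true ] && [ "$2" = true ] && [ "$3" = true ] && compliant=true
  printf '{"FileVault":%s,"Firewall":%s,"SIP":%s,"Compliant":%s}\n' \
    "$1" "$2" "$3" "$compliant"
}

# Live collection on a managed Mac; Intune records what the script prints.
collect_posture() {
  local fv fw sip
  fv=$(parse_filevault "$(fdesetup status 2>/dev/null)")
  fw=$(parse_firewall "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)")
  sip=$(parse_sip "$(csrutil status 2>/dev/null)")
  posture_json "$fv" "$fw" "$sip"
}

if [ "$(uname)" = "Darwin" ]; then collect_posture; fi  # live run only on macOS
```

A device that prints "Compliant":false is a candidate for the remediation actions described in the compliance section, such as prompting the user to enable FileVault.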
5. Utilize Remote Actions
Intune provides tools for taking remote action on macOS devices when necessary:
- Wipe: Completely reset a device to factory settings.
- Retire: Remove a device from Intune while keeping the user’s data intact.
- Remote Lock: Lock a device remotely to protect it in case of loss or theft.
- Access these options under Devices > All Devices > [Select a Device] > Remote actions in the Intune admin center.
6. Monitor and Troubleshoot
Regular monitoring helps you identify and resolve issues quickly:
- Use Device logs in the Intune admin center to troubleshoot enrollment or compliance issues.
- Review reports under Reports > Device compliance > macOS devices to gain insights into compliance trends and take corrective action where necessary.
Best Practices for Managing macOS Devices with Intune
To get the most out of managing macOS devices with Intune, it’s important to follow best practices that enhance security, streamline operations, and improve the end-user experience. Here’s what you should consider:
1. Regularly Review Compliance Policies
Keep compliance policies up to date with evolving security requirements.
- Enforce secure password policies, FileVault encryption, and system integrity protection.
- Schedule periodic reviews of compliance reports under Devices > Monitor > Device compliance in the Intune admin center.
2. Use Role-Based Access Control (RBAC)
Restrict administrative access to Intune features using RBAC.
- Assign roles to IT administrators based on their responsibilities.
- Limit access to sensitive features, such as device wipe and app deployment, to prevent accidental or unauthorized actions.
3. Configure Profiles for Optimal Performance
Use configuration profiles to ensure consistency across macOS devices.
- Deploy Wi-Fi and VPN profiles to simplify connectivity.
- Customize security profiles to disable unused services and enforce restrictions on administrative rights.
- Test profiles before deployment to ensure compatibility and avoid disruptions.
4. Leverage Conditional Access
Enhance your security posture by using Conditional Access policies to block or restrict access from non-compliant devices.
- Require Multi-Factor Authentication (MFA) for high-value resources.
- Combine Conditional Access with compliance policies for a Zero Trust approach.
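The Conditional Access policy this guide describes in the setup section, in the Enforce Conditional Access Policies section and in this best-practice item, written out as an added example (not from the original guide) in the form of the Microsoft Graph request body for POST /identity/conditionalAccess/policies. GROUP_ID and BREAK_GLASS_ID are placeholders for your own object IDs, and GRAPH_TOKEN is assumed to hold a token with Policy.ReadWrite.ConditionalAccess.

```shell
#!/bin/bash
# Added example (not from the original guide): the macOS Conditional Access policy
# (require compliant device AND MFA) as a Microsoft Graph request body. It starts in
# report-only mode so sign-in logs can be reviewed before enforcing, and excludes a
# break-glass account so a compliance-policy mistake cannot lock every admin out.
# Usage: ca_policy_json <displayName> <target group id> <break-glass user id>
ca_policy_json() {
  cat <<EOF
{
  "displayName": "$1",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": { "includeGroups": ["$2"], "excludeUsers": ["$3"] },
    "applications": { "includeApplications": ["All"] },
    "platforms": { "includePlatforms": ["macOS"] },
    "clientAppTypes": ["all"]
  },
  "grantControls": { "operator": "AND", "builtInControls": ["compliantDevice", "mfa"] }
}
EOF
}

# Sanity check before sending: refuse a body that is already set to enforce, or
# that is not scoped to the macOS platform. Returns 0 when the body looks safe.
ca_policy_check() {
  case "$1" in
    *'"state": "enabled"'*) return 1 ;;
  esac
  case "$1" in
    *'"includePlatforms": ["macOS"]'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Create the policy through Graph. GRAPH_TOKEN must hold a bearer token with the
# Policy.ReadWrite.ConditionalAccess permission (assumed to be obtained separately).
create_ca_policy() {
  local body
  body=$(ca_policy_json "$1" "$2" "$3")
  ca_policy_check "$body" || { echo "refusing to create policy" >&2; return 1; }
  curl -sS -X POST "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" \
    -H "Authorization: Bearer ${GRAPH_TOKEN:?set GRAPH_TOKEN first}" \
    -H "Content-Type: application/json" --data "$body"
}
```

Switch "state" to "enabled" only after the report-only results show the expected devices passing and the break-glass account unaffected.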
5. Plan for Application Deployments
Avoid unnecessary disruptions when deploying or updating applications.
- Schedule deployments during non-peak hours to minimize impact on users.
- Use phased rollouts for critical applications to test stability before full deployment.
- Regularly update apps through Intune to address vulnerabilities and improve functionality.
6. Proactively Monitor and Troubleshoot
Stay ahead of potential issues by regularly monitoring devices and configurations.
- Use the Device Compliance Report to identify trends and remediate non-compliance.
- Analyze logs for failed enrollments, app installations, or update issues.
- Establish a workflow for troubleshooting and resolving common issues quickly.
7. Educate End Users
Provide users with clear instructions on how to use the Intune Company Portal app and access support when needed.
- Share guidelines on reporting lost or stolen devices.
- Ensure users understand the security benefits of compliance policies, such as FileVault encryption.
Conclusion
Managing macOS devices through Microsoft Intune enables you to centralize control, enhance security, and simplify operations across your organization. By following the steps in this guide, you can ensure your macOS devices are properly enrolled, compliant with organizational policies, and equipped with the latest security configurations.
As you implement these practices, don’t forget to stay informed about new Intune updates and features to continually optimize your macOS management strategy. Leveraging tools like Conditional Access, compliance policies, and configuration profiles not only improves device security but also supports a seamless user experience.
If you’re looking for further assistance with setting up or optimizing Intune for macOS management, Levacloud offers hands-on support and expert guidance to ensure you’re fully utilizing Microsoft tools to secure your environment.