Introduction

The macOS journey with Intune is omnipresent and I can confirm, that now is the right time to check out what's possible and do some exploration. 🧭 This post will be about how to set up a macOS VM and manage it with Intune. I will walk through the key steps to get your Mac instance, enroll it into Intune and deploy policies and apps. If you are new with macOS and Intune, please check out my introduction post:

Kickstart macOS management with Intune
Introduction The macOS journey with Intune is omnipresent and I can confirm, that now is the right time to check out what’s possible and do some exploration. 🧭 This post will be about how to set up a macOS VM and manage it with Intune. I will walk through the key

Scenario

This scenario forsees, that we have a virtual macOS machine to enroll, deploy, monitor, manage and test out features with. I recommend a VM to have an isolated environment and break nothing productive and be more flexible.

Prerequisites

  • Mac device > MacBook or iMac
  • UTM as virtualization tool (it's free and open-source and easy to use 👍)
  • Intune tenant and the Intune admin role (if you are new to Intune check out my full series)
  • Intune plan 1

 


Guide

This part is divided in 4 chapters:

  1. Set up macOS virtualized machine 🎁
  2. Prepare management with Microsoft Intune ⚙️
  3. Enroll your Mac! 🚀
  4. Manage the Mac 💻

 

1. MacOS virtual Machine

Download and install UTM and create your new virtual machine (the setup is very simple and takes about 30 minutes):

💡
UTM is a great software to emulate or virtualize a variety of computer architectures, including x86, ARM, MIPS. With that you can run Windows, Linux and macOS in different distributions. I think it is really practical for research, development and testing.

 


2. Prepare management with Intune

When I start to prepare an Intune tenant for macOS, I go thorugh the following items:

  1. MDM scope, device settings and mobility - Entra ID related settings that configure and allow Intune as MDM for your users

2. Device platform & limit restrictions - Configure device OS platform and enrollment limits

3. Apple MDM Push Certificate (APNs) - Required to install the management profile and manage any Apple device

⚠️
Always keep in mind that the APNs certificate expires after 365 days and must be renewed. Otherwise you need to reenroll all managed devices. Follow this guide

4. Create groups & filters - Create a group/filter where your Mac is automatically added to target policies and other contents

Entra dynamic group query

(device.deviceOSType -eq "macMDM")

Intune filter query

(device.model -contains "Mac")
💡
I recommend to use Intune filters, since the processing is faster than groups.

5. Compliance policy - Check system health and status to be compliant and access corporate resources (to be combined with Conditional Access)

6. Configuration profiles - Configure system aspects, look & feel

7. Deploy apps - Deploy different app types through to your endpoints

8. Shell scripts (optional) - Run shell scripts to do anything you want

9. Custom attributes (optional) - Collect custom inventory data

 


3. Enroll your Mac!

To enroll your Mac you need to:

  1. Download Company Portal on the Mac from aka.ms/enrollmymac
  2. Install Company Portal
  3. Launch Company Portal, sign in with your Entra account
  4. Go through the enrollment steps, including to install the management profile

 

Company Portal installation

 

Enrollment

ℹ️
The enrollment takes Intune about 10 minutes to fetch and display all data. The client-side on the Mac applies the policy almost instantly, usually within 1 minute.

 


4. Manage the Mac

After the enrollment I recommend to restart the Mac to apply all policies (especially FileVault and password policy) succesful and get compliant. Next step is to perform remote actions and monitor the endpoint through Intune:

 


Bonus: Intune - macOS repo

To kickstart your Intune management journey, I have created a little repo with some default Intune policies and profiles ready to import. Settings Catalog profiles can be imported directly and for the rest you need Graph or tools like IntuneManagement.

Oceanleaf/Intune - macOS at main · thenikk/Oceanleaf
Scripts & files for my blog. Contribute to thenikk/Oceanleaf development by creating an account on GitHub.

Next steps

Here is some inspiration on next steps, that I will feature in the upcoming blog posts:

  • Set up Declarative Device Management (DDM) policies for updating
  • Add more configuration profiles/settings catalog (including SSO like Platform SSO)
  • Enroll the Mac into Defender for Endpoint
  • Deploy & package apps
  • Add scripts + custom attributes
  • Conditional Access integration

powered by

Oceanleaf
Technology blog on Microsoft Cloud. Learn about cutting edge tech, explained simply & straightforward in quality focused blog posts.
You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Success! Your email is updated.
Your link has expired
Success! Check your email for magic link to sign-in.