End-to-end guide to get started with macOS endpoints

Using Microsoft Intune, you can manage and secure macOS endpoints owned by your organization or school. When you or your organization manage the devices, you can deploy the apps your end users need, configure the device features you want, and use policies that help protect your devices & organization from threats.

This article applies to:

  • macOS devices owned by your organization

This article is an end-to-end guide to help you get started with your macOS endpoints. It focuses on:

  • Endpoints managed with Apple Business Manager or Apple School Manager
  • Devices enrolled in Intune using Automated Device Enrollment with user affinity. User affinity is typically used for devices with one primary user.

This article guides you through the end-to-end steps to create and manage your macOS endpoints using Microsoft Intune.

How to use this guide

This guide has seven phases. Each phase has a set of steps that help build your macOS endpoint configuration and deployment. Each phase builds on the previous phase.

A diagram that summarizes all the phases to onboard macOS devices, including testing, enrolling, securing, deploying policies, and supporting the devices using Microsoft Intune

Complete the phases and steps in order. The phases include:

At the end of this guide, you have a macOS endpoint enrolled into Intune and ready to start validating in your scenarios.

Phase 1 - Set up your environment

Before you build your first macOS endpoint, there are some requirements and configuration features that you configure.

In this phase, you check the requirements, integrate Intune with Apple Business Manager (or Apple School Manager), configure some features, and add some apps to Intune.

A diagram that lists the steps to setup your environment to support macOS devices in Microsoft Intune, including netowrk requirements, certificates, configuring single sign-on, and more

Step 1 - Network requirements

Set up your network

To successfully prepare and deploy your macOS endpoint, the endpoint requires access to several public Internet services.

  • Start your testing on an open network. Or, in your organization network, provide access to all the endpoints listed at Network endpoints for Microsoft Intune. Then, you can use your organization network to test your configuration.

  • If your wireless network requires certificates, you can start with an Ethernet connection during testing. The Ethernet connection gives you some time to determine the best approach for the wireless connections that devices need.

Caution

SSL inspection can cause access to Microsoft and Apple services to fail. For more information on Apple's requirements, go to Use Apple products on enterprise networks.

Step 2 - Enrollment and licensing

Create a new group, configure enrollment restrictions, and assign licenses

To get the endpoints ready for enrollment, you need to make sure the correct endpoints are targeted and that the endpoints are licensed correctly.

Specifically:

  • Create a new group

    Create a new Microsoft Entra test group, like Intune MDM Users. Then, add test user accounts to this group. To limit who can enroll devices while you set up your configuration, target the configurations to this group.

    To create a Microsoft Entra group, use the Intune admin center. When you create a group in Intune, you're creating an Entra group. You don't see the Entra branding, but that's what you're using.

    For more information, go to Create a group to manage users in Intune.

  • Enrollment Restrictions

    Enrollment restrictions allow you to control the types of devices that can enroll into Intune management. For this guide to be successful, in an enrollment restriction, make sure macOS (MDM) enrollment is allowed, which is the default configuration. Assign this enrollment restriction to the new group you created.

    If needed/wanted, you can also prevent specific devices from enrolling.

    For information on configuring Enrollment Restrictions, go to Set enrollment restrictions in Microsoft Intune.

  • Licensing

    Users enrolling macOS devices require a Microsoft Intune or Microsoft Intune for Education license. To assign licenses, go to Assign Microsoft Intune licenses. Assign the licenses to the test accounts you created.

    Note

    Both types of licenses are typically included with licensing bundles, like Microsoft 365 E3 (or A3) and higher. For more information, go to Compare Microsoft 365 Enterprise Plans.

Step 3 - Add the Apple MDM Certificate

Add the push certificate with a Managed Apple ID

  • To manage macOS devices, Apple requires the Intune tenant be configured with an MDM push certificate. If you currently manage iOS/iPadOS devices in this same tenant, then this step is done.

  • Make sure you use a Managed Apple ID with the Apple Business Manager (or Apple School Manager) instance.

    Don't use a personal Apple ID. Management of the Apple Push Notification Service certificate is critical over the life of your device management solution. Access with a personal Apple ID can become unavailable, as staff does change over time.

For information on configurating an Apple MDM push certificate, go to Get an Apple MDM Push certificate for Intune.

Step 4 - Add the Apple automated device enrollment token

Link Apple token for Automated Device Enrollment

To manage devices enrolled through Apple Business Manager (or Apple School Manager), you need to set up an MDM token and link the token with Intune.

This token is required for Automated Device Enrollment (ADE) in Intune. The token:

  • Lets Intune sync ADE device information from your Apple Business Manager (or Apple School Manager) account.
  • Allows Intune to upload enrollment profiles to Apple.
  • Allows Intune to assign devices to those profiles.

If you currently manage iOS/iPadOS devices in this same tenant using ADE, then some of these steps might be done.

For information on configuring Apple Business Manager with Intune, go to Enroll macOS devices - Apple Business Manager or Apple School Manager.

The high-level steps to configure Apple Business Manager (or Apple School Manager) with Intune are:

  1. Connect Intune to Apple Business Manager (or Apple School Manager).
  2. In Intune, create ADE profiles for the Apple Business Manager token.
  3. In Apple Business Manager, assign devices to your Intune MDM.
  4. In Intune, assign the ADE profiles to your macOS devices.

Step 5 - Target devices

Target specific groups using user groups, Intune filters or dynamic groups

macOS devices with user affinity can be targeted for profiles and apps using user or device groups. There are two common options for how organizations dynamically target devices:

  • Option 1 - All devices groups with an assignment filter on enrollmentProfileName

    For critical apps and policies that must apply immediately after enrollment (security settings, restrictions, the Company Portal app), you can assign the policies to the built-in Intune All Devices group. Create an assignment filter using the enrollment profile you created in Step 4 - Add the Apple automated device enrollment token.

    Policies and apps targeted to the All Devices group apply faster after enrollment than dynamic groups. Not all configuration profiles (like macOS scripts) support filters.

    For more information on assignment filters, go to Create filters in Microsoft Intune.

  • Option 2 – Microsoft Entra dynamic group based on enrollmentProfileName

    To limit the configurations from this guide to the test devices that you import through Apple Business Manager, create a dynamic Microsoft Entra group. You can then target all your configurations and apps to this group.

    1. Open the Microsoft Intune admin center.

    2. Select Groups > New Group, and enter the following details:

      • Group type: Select Security.
      • Group Name: Enter macOS endpoints.
      • Membership type: Select Dynamic Device.
    3. For Dynamic device members, select Add dynamic query and enter the following properties:

      • Property: Select enrollmentProfileName.
      • Operator: Select equals.
      • Value: Enter your enrollment profile name.
    4. Select OK > Save > Create.

    When you create apps and policies, you can target the policies to this new dynamic Microsoft Entra group.

    Note

    After changes occur, Dynamic groups can take several minutes to populate. In large organizations, it can take longer. After creating a new group, wait several minutes before you check if the device is a member of the group.

    For more information about dynamic groups for devices, go to Dynamic membership rules for groups in Microsoft Entra ID: Rules for devices.

Step 6 - Configure initial settings and single sign-on (SSO)

Optimize first run experience

Using Intune, you can optimize the first run experience using built-in settings within the ADE enrollment profile. Specifically, when you create the enrollment profile, you can:

  • Preconfigure end user information in Setup Assistant.
  • Use the Await final configuration feature. This feature prevents end users from accessing restricted content or changing settings until the Intune device configuration policies apply.

For more information on this feature and ADE enrollment, go to Automatically enroll Macs with Apple Business Manager or Apple School Manager.

Reduce app sign-in prompts with SSO

In Intune, you can configure settings that reduce the number of sign-in prompts end users receive when using apps, including Microsoft 365 apps. There are two parts to this configuration:

  • Part 1 - Use the Microsoft Enterprise SSO plug-in to provide single sign-on (SSO) to apps and websites that use Microsoft Entra ID for authentication, including Microsoft 365 apps.

    There are two options for configuring SSO for Mac - Enterprise SSO plug-in and Platform SSO.

    The Microsoft Enterprise SSO plug-in for Apple devices provides single sign-on (SSO) for Microsoft Entra accounts on macOS across all applications that support Apple's enterprise single sign-on feature.

    To create these policies, in the Intune admin center, go to:

    • Devices > Manage devices > Configuration > Create > New policy > Settings catalog > Authentication > Extensible Single Sign On (SSO): Add and configure the following settings:

      Name Configuration
      Extension Identifier com.microsoft.CompanyPortalMac.ssoextension
      Team Identifier UBF8T346G9
      Type Redirect
      URLs https://login.microsoftonline.com
      https://login.microsoft.com
      https://sts.windows.net
      https://login.partner.microsoftonline.cn
      https://login.chinacloudapi.cn
      https://login.microsoftonline.us
      https://login-us.microsoftonline.com
    • Configure the following optional settings:

      Key Type Value
      AppPrefixAllowList String com.apple.,com.microsoft
      browser_sso_interaction_enabled Integer 1
      disable_explicit_app_prompt Integer 1

    For more information on the Enterprise SSO plug-in, including how to create the policy, go to Configure macOS Enterprise SSO plug-in with Intune.


  • Part 2 - Use the Intune settings catalog to configure the following settings that reduce sign-in prompts, including Microsoft AutoUpdate (MAU) and Microsoft Office.

    • Devices > Manage devices > Configuration > Create > New policy > Settings catalog > Microsoft AutoUpdate (MAU): Add and configure the following settings:

    • Devices > Manage devices > Configuration > Create > New policy > Settings catalog > Microsoft Office > Microsoft Office: Add and configure the following settings:

      • Office Activation Email Address: Enter {{userprincipalname}}.
      • Enable automatic sign-in: Select True.

      These settings streamline the sign in process when opening Office apps for the first time. For more information on these settings, go to Set suite-wide preferences for Office for Mac.

    For more information on the settings catalog, including how to create a policy, go to Use the settings catalog to configure settings in Microsoft Intune.

Step 7 - Add and assign must-have apps

Add a minimum set of apps to Intune

Your organization might have some apps that your macOS devices must have. Your organization can require these apps be installed on all devices managed by Intune.

In this step, add these apps to Intune and assign them to your group.

Some must-have apps include:

Phase 2 - Enroll a test endpoint

The next phase enrolls a test macOS device into Intune. This phase gets you familiar with the initial steps so you're ready when it's time to enroll all your macOS devices in Intune.

A diagram that lists the steps to enroll a test macOS device using Microsoft Intune, including registering a device, assigning a profile, and more

To enroll your first organization macOS endpoint, make sure the macOS device is:

The high-level steps to enroll your first macOS endpoint with Intune are:

  1. Erase or reset the macOS endpoint. This step is required for existing devices. If you enroll a macOS device that is already set up, then the device is considered a personal device. So, you must erase or reset the device before you can enroll it into Intune.

    For new devices that aren't set up, you can skip this step. If you aren't sure if the device is set up, then reset the device.

  2. Go through Setup Assistant.

  3. Open the Company Portal app and sign in with your organization account (user@contoso.com).

When the user signs in, the enrollment policy applies. When it completes, your macOS endpoint is enrolled in Intune.

Phase 3 - Secure your macOS endpoints

In this phase, you configure security settings and features that help protect your endpoints, including keeping devices current with updates.

A diagram that lists the steps to secure macOS devices using compliance policies, software updates, and more in Microsoft Intune

This section focuses on the different endpoint security features in Microsoft Intune, including:

  • Compliance and Conditional Access policies
  • Microsoft Defender for Endpoint
  • FileVault, Firewall, and Gatekeeper endpoint security
  • Software Updates
  • Guest account
  • Idle login
  • Mac Evaluation Utility

Compliance and Conditional Access policies

Create compliance policies and enforce compliance with Conditional Access

  • Compliance policies verify the device settings you configure and can remediate some settings that aren't compliant. For example, you can create compliance policies that check password complexity, jailbroken status, threat levels, enrollment status, and more.

    If there are configuration settings that conflict between compliance policies and other policies, then the compliance policy takes precedence. For more information, go to Compliance and device configuration policies that conflict.

  • Conditional Access can be used to enforce the compliance policies you create. When combined, end users can be required to enroll their devices and meet a minimum security standard before accessing organization resources. If a device is noncompliant, then you can block access to resources, like email, or require the user to enroll their device and fix the issue.

Note

To confirm you're enforcing the proper device controls, work with your team that manages your Entra Conditional Access policies.

You can create compliance and Conditional Access policies in the Intune admin center.

For more information, go to:

Microsoft Defender for Endpoint

Use Microsoft Defender for Endpoint for threat defense

Microsoft Defender for Endpoint is a mobile threat defense solution that helps protect your devices from security threats.

In Intune, you can connect to your Microsoft Defender for Endpoint service, create Intune policies using Microsoft Defender for Endpoint settings, and then deploy the policies to your devices.

For more information, go to:

Built-in endpoint security

Encrypt devices with FileVault disk encryption

FileVault is a whole-disk encryption feature that helps prevent unauthorized access. The FileVault settings are built into the Intune settings catalog and are available as compliance policies.

So, you can configure FileVault, check for compliance, and deploy the policies to your devices.

To create these policies, in the Intune admin center, go to:

  • Devices > Manage devices > Configuration > Create > New policy > Settings catalog > Full Disk Encryption
  • Devices > Manage devices > Compliance > Create policy > System security > Require encryption of data storage on device

For more information about FileVault, go to:

Configure the firewall

The firewall is an application firewall and helps prevent incoming attacks. The firewall settings are built into the Intune settings catalog and are available as compliance policies.

So, you can configure the firewall, check for compliance, and deploy the policies to your devices.

To create these policies, in the Intune admin center, go to:

  • Devices > Manage devices > Configuration > Create > New policy > Settings catalog:

    • Networking > Firewall
    • Security > Security preferences
  • Devices > Manage devices > Compliance > Create policy > System Security > Firewall

For more information about the macOS firewall, go to:

Configure Gatekeeper

Gatekeeper makes sure that only trusted software runs on the device. The Gatekeeper settings are built into the Intune settings catalog and are available as compliance policies.

So, you can configure Gatekeeper, check for compliance, and deploy the policies to your devices.

To create these policies, in the Intune admin center, go to:

  • Devices > Manage devices > Configuration > Create > New policy > Settings catalog > System policy > System Policy Control:

    • Allow Identified Developer: Select True.
    • Enable Assessment: Select True.
  • Devices > Manage devices > Configuration > Create > New policy > Settings catalog > System policy > System Policy Managed:

    • Disable Override: Select True.
  • Devices > Manage devices > Compliance > Create policy > System Security > Gatekeeper

For more information about Gatekeeper, go to:

Software Updates

Configure Software Updates

On devices, software updates are critical and you must determine how the updates are installed. You have some options.

When you configure these settings, you enforce and restrict the behavior in the Settings app > Software Update node on the device.

  • Option 1 - macOS 14.0 and newer devices (recommended) - On macOS 14.0 and newer devices, use the Intune settings catalog to create a managed software updates policy. This feature uses Apple's declarative device management (DDM), and is the recommended approach to update macOS devices.

    Specifically, in the Intune admin center, you configure the following settings:

    • Devices > Manage devices > Configuration > Create > New policy > Settings catalog > Declarative Device Management > Software Update

    • Optional - At Devices > Manage devices > Configuration > Create > New policy > Settings catalog > Restrictions, you can use the following settings to delay how long after an update is released that users can manually install the updates. These settings use Apple's MDM settings:

      • Enforced Software Update Minor OS Deferred Install Delay: 0-30
      • Enforced Software Update Major OS Deferred Install Delay: 0-30
      • Enforced Software Update Non OS Deferred Install Delay: 0-30

      The Settings Catalog > Declarative Device Management > Software Update settings take precedence over the Settings Catalog > Restrictions settings. For more information, go to Precedence of settings in macOS updates policy.

  • Option 2 - macOS 13.0 and older (recommended) - On macOS 13.0 and older devices, you can use a combination of the Intune settings catalog and an Intune software updates policy. These features use Apple's MDM settings.

    Specifically, in the Intune admin center, you can configure the following settings:

    • Devices > Manage updates > Apple updates > macOS updates policy

    • Devices > Manage devices > Configuration > Create > New policy > Settings catalog > Software Update

    Some of the settings in both policy types (Software updates vs. Settings catalog) can overlap. So, pay attention to what you configure in each policy. The settings in the macOS updates policy take precedence over the Settings Catalog > Software Update settings. For more information, go to Precedence of settings in macOS updates policy.

  • Option 3 (not recommended) - End users manually install the updates. This approach relies on end users to decide when to install the updates. And, they can install an update that your organization doesn't approve.

For more information on planning your macOS update strategy, go to Software updates planning guide for managed macOS devices in Microsoft Intune.

Guest account

Disable the guest account

You should disable the guest account on macOS endpoints. You can disable the guest account using the Intune settings catalog:

  • Devices > Manage devices > Configuration > Create > New policy > Settings catalog > Accounts > Accounts:
    • Disable Guest Account: Select True.

Idle timeout

Set an idle timeout

Using the Intune settings catalog, you control the time period after idle that macOS prompts for a password:

  • Devices > Manage devices > Configuration > Create > New policy > Settings catalog > System Configuration > Screensaver:

    • Ask for Password: Select True.
    • Login Windows Idle Time: Enter something like 300, which is 5 minutes.
    • Ask for Password Delay: Enter something like 5.
    • Module Name: Enter the name of the screensaver module, like Flurry.
  • Devices > Manage devices > Configuration > Create > New policy > Settings catalog > User Experience > Screensaver User:

    • Idle Time: Enter something like 300, which is 5 minutes.
    • Module Name: Enter the name of the screensaver module, like Flurry.
  • For your desktop and laptop devices, there are settings that can help save energy:

    Devices > Manage devices > Configuration > Create > New policy > Settings catalog > System Configuration > Energy Saver:

    • Desktop Power > Display Sleep Timer
    • Laptop Battery Power > Display Sleep Timer
    • Laptop Power > Display Sleep Timer

Tip

To find the screensaver module name, set the screensaver, open the Terminal app, and run the following command:

defaults -currentHost read com.apple.screensaver

macOS Evaluation Utility

Use the macOS Evaluation Utility

The Mac Evaluation Utility confirms that your Mac has the configuration and settings recommended by Apple. To access the Mac Evaluation Utility, sign into Apple Seed for IT (opens Apple's website) > Resources.

Phase 4 - Apply organization specific customizations

In this phase, you apply organization-specific settings and apps, and review your on-premises configuration.

A diagram that lists some features to customize you macOS devices using apps, device settings, certificates and more using Microsoft Intune

The phase helps you customize any features specific to your organization. Notice the various components of macOS. There are sections for each of the following areas:

  • Apps
  • Device configuration for the dock, notifications, preference files & custom policies, and wallpaper
  • Device name
  • Certificates
  • Wi-Fi

Apps

Add more apps to Intune

In Phase 1 - Set up your environment, you added some apps that the devices must have. In this step, add other apps that can improve the end user experience or productivity.

Device Configuration

The settings catalog simplifies how you create a policy, and how you can see all the available settings. In different phases and steps in this guide, you use the Intune settings catalog to configure device features and settings.

For example, we used the settings catalog to configure the following feature areas:

  • Microsoft Edge browser settings
  • Microsoft AutoUpdate
  • Microsoft Office
  • Software Updates
  • User Experience

There are many device settings you can configure using the settings catalog, including:

Dock

  • Devices > Manage devices > Configuration > Create > New policy > Settings catalog > User Experience > Dock

You can also add or remove items from the dock using a GitHub - Microsoft Intune dock shell sample or partner command line tools like GitHub - DockUtil.

Notification prompts

  • Devices > Manage devices > Configuration > Create > New policy > Settings catalog > User Experience > Notifications > Notification Settings

    You should enter the bundle ID for each application you want to control notifications for.

For more information, go to Notifications MDM payload settings for Apple devices (opens Apple's website).

Preference files and custom policies

  • Preference files define app properties or settings that you want to preconfigure. In the Intune settings catalog, there are many built-in settings for apps, like Microsoft Edge and Microsoft Office. So, you might not need a preference file.

    Microsoft recommends you use the built-in settings in the settings catalog. If the settings catalog doesn't have the settings you need, then add a preference file to Intune.

    For more information, go to Add a property list file to macOS devices using Microsoft Intune

  • Custom profiles are designed to add device settings and features that aren't built in to Intune.

    Microsoft recommends you use the built-in settings in the settings catalog. If the settings catalog doesn't have the settings you need, then use a custom profile.

    For more information, go to custom profiles.

Wallpaper

You can enforce a wallpaper on macOS using a combination of a sample script and the settings catalog:

  • Devices > Manage devices > Configuration > Create > New policy > Settings catalog > User Experience > Desktop:
    • Override Picture Path: 'Enter the <path of the image>'.

The image file must exist on the macOS endpoint. To download a picture from a web location, you can use a sample script at GitHub - Microsoft Intune wallpaper shell sample. You can also use an app package tool to copy a file and then deploy it using the unmanaged PKG deployment feature.

Device name

Rename devices

Using a shell script, you can rename the devices to include specific information, like the device serial number combined with the country/region code.

For more information, go to GitHub - Microsoft Shell scripts to rename Mac devices.

Certificates

Add certificates for certificate based authentication

If you use certificate based authentication for a password-less experience, then you can use Intune to add and deploy certificates.

For more information, go to Types of certificate available in Microsoft Intune.

Wi-Fi

Preconfigure a Wi-Fi connection

Using Intune, you can create a Wi-Fi connection that includes your network information, and then deploy the connection to your macOS devices. If your devices connect to the organization using Wi-Fi, then create a Wi-Fi connection policy.

For more information, go to Configure Wi-Fi settings for macOS devices in Microsoft Intune.

Phase 5 - Caching (optional)

There are some caching features you can use to help reduce your network bandwidth.

A diagram that describes using content caching and AutoUpdate local cache app on macOS devices using Microsoft Intune

Use content caching

If you have a large number of macOS or iOS/iPadOS devices on your network, you can deploy Apple Content Cache to help reduce your Internet bandwidth. Apple Content Cache can cache content that is hosted on Apple services, like Software Updates and VPP apps.

For more information, go to Intro to content caching (opens Apple's website).

AutoUpdate local cache

Many Microsoft apps on macOS are updated using the Microsoft AutoUpdate application. This app can reference a different URL for content.

You can use the GitHub - Microsoft AutoUpdate Cache Admin to configure a local cache for Microsoft AutoUpdate.

For more information, go to GitHub - Microsoft AutoUpdate Cache Admin.

Phase 6 - Enroll your remaining macOS endpoints

So far, you created your configuration and added apps. Now you're ready to enroll all your macOS endpoints with an Automated Device Enrollment policy using Microsoft Intune.

A diagram that tells you to enroll all your macOS endpoints with an Automated Device Enrollment policy using Microsoft Intune

Create the Automated Device Enrollment policy

The enrollment policy is assigned to your new group. When the devices receive the enrollment policy, the enrollment process starts, and the app & configuration policies you created are applied.

For more information on Automated Device Enrollment, and to get started, go to Automatically enroll Macs with Apple Business Manager or Apple School Manager.

Phase 7 - Support, maintenance, and next steps

The final phase is to support and maintain your macOS devices. This phase includes using Intune features, like remote help, monitoring your Apple certificates, and more.

A diagram that lists the steps to support and maintain your macOS devices, including using remote help, adding custom attributes, and configuring Apple Business Manager using Microsoft Intune

Intune manages macOS devices using the built-in operating system MDM capabilities and the Intune Management Extension (IME) agent.

These two components offer separate functionality and communicate with the macOS device through different channels. Enrollment is orchestrated through Apple Business Manager, MDM is orchestrated through the Apple Push Notification Service, and the IME communicates directly with Intune.

A diagram that shows how the macOS MDM and the Intune Managemnt Extension work together to support management of macOS devices using Microsoft Intune

For more information about the Intune Management Extension, go to Understanding Microsoft Intune management agent for macOS.

macOS enrollment maintenance

Renew Apple certificates and sync ADE tokens

For your Mac devices to maintain their connection to Intune and continue enrolling, there are several important areas you should check in the console periodically and take action as needed:

  • Apple Push Notification Service certificate expiry

    Apple's Push Notification Service certificate must be renewed yearly. When this certificate expires, Intune can't manage devices that enrolled using that certificate. Make sure you renew this certificate every year.

    For more information, go to Get an Apple MDM Push certificate for Intune.

  • Apple Automated Device Enrollment certificate expiry

    When you set up a connection between Apple Business Manager (or Apple School Manager) and Intune, a certificate is used. This certificate must be renewed yearly. If this certificate isn't renewed, changes from Apple Business Manager (or Apple School Manager) can't sync to Intune.

    For more information, go to Enroll macOS devices - Apple Business Manager or Apple School Manager.

  • Apple Automated Device Enrollment sync status

    Apple suspends syncing of ADE tokens when the terms and conditions are changed in Apple Business Manager (or Apple School Manager). They can change after a major OS release, but it can happen anytime.

    You should monitor the sync status for any problems that require attention.

    For more information, go to sync managed devices.

Remote Help

Enable remote help

Remote Help is a cloud-based solution for secure help desk connections that use role-based access controls. With the connection, your support staff can remote connect to end user devices.

For more information, go to:

Custom attributes

Use custom properties to get reporting information

In Intune, you can use shell scripts to collect custom properties from managed macOS devices. This feature is a great way to get custom reporting information.

For more information, go to Use shell scripts on macOS devices in Microsoft Intune.

Configure Apple Business Manager for automatic user provisioning

Use Entra user accounts for ABM administration and Managed Apple IDs

Microsoft Entra ID can be configured to automatically provision and deprovision users to Apple Business Manager (ABM) using the Microsoft Entra provisioning service.

For more information, go to Tutorial: Configure Apple Business Manager for automatic user provisioning.