Hi all,
A while ago attended the Workplace dudes Summit at Zoetermeer NL, here i was lucky enough to join a session given by MVP Oktay Sari (Check out his blog site) on MacOS Platform SSO. His session inspired me to create a guide from A to Z regarding MacOS management with Intune. In this guide i will try to explain all the steps needed to successfully enroll MacOS devices into Intune. It is not possible to explain all the available settings but i will give you a good start with Apple Business Manager, some configuration profiles, Platform SSO, … and in part 2 a few tips and tricks that i use in the field. I will also cover the enrollment for MacOS in Microsoft Defender, Declarative Device Management and Rapid Security Response. This will be a long guide, hence the name – The Complete Guide – But in my humble opinion it will give you enough stuff to get started with. There are a lot more policies that you can configure, i’m well aware of that but this guide is a good starting point.
As in all my guides and blogs, if you see some things that you think are not OK, or you have additions you feel they are important to share with the community let me know so i can add them to this guide.
Clear your mind, set your phone on mute, your teams on not disturb and let’s dive in!
I’ve also written a guide for a base set of intune policies, you can find this here.
You will notice that i use a lot of mobiel.config files, at the time of writing not all settings where available in configurable policies hence the use of the mobile.config files. It might be possible that in your deployment some of the settings are available in the configurable policies.
Apple Business Manager
Intro
I always recommend the use of Apple Business Manager. Why you could say, well Apple Business Manager is a free service provided by Apple that allows organizations to manage three things: devices, apps, and accounts. Simply put, if your organization owns Apple devices, you should be using Apple Business Manager (or its education-sector equivalent, Apple School Manager). There’s literally no downside to it. Apple Business manager offers many benefits—some well-known, others less so—and it doesn’t cost a thing.
First to define what we’re talking about: Apple Business Manager is an all-in-one portal designed to help organizations deploy Apple devices, manage organization-owned Apple IDs, and acquire apps and other content in volume. It coordinates closely with mobile device management solutions to automatically enroll and manage devices. Apple Business Manager is not an MDM solution itself, this just to be clear.
To use Apple Business Manager, your organization must first have an account. Applying is simple, and although it can take a couple of days for your application to be approved, it typically happens much faster. It just requires some basic information, including your DUNS number and contact information for someone at your company—not an IT admin, more likely someone higher up—who can vouch for you. Apple will then verify everything and, if it all checks out, confirm your account. (More information on all this can be found in Apple’s Getting Started guide.)
Why use Apple Business Manager, well some configuration can only be applied for supervised devices, only devices from Apple Business Manager are supervised devices, check table below
In the different Intune configuration profiles you will also notice that some settings only apply on supervised devices
Applying for Apple Business Manager
Go to https://business.apple.com/ and let’s assume you do not have an account here yet, click sign up now
Click Get Started
Fill in the necessary details and click continue
Create a password and enter a phone number for verification and click continue
A verification code will be sent to your email address. Enter it and click continue
Now a code will be sent to your mobile device, enter it and click continue
Accept the Terms and Conditions (You can always download them and read all the info, somebody has spent an aweful amount of time writing these down, so you would do him/her a big favor 😉 )
You will be presented with this screen, click Get Started
After you submit you request you will see this:
From now on you have to wait for your number to be received. After a few minutes you will receive an email like this
When you receive your D-U-N-S number click verify
Enter your details and click submit
Now your verification is pending
You will also receive an e-mail regarding this
Once your Apple Business Manager account has been approved you will get an email
Now your company is enrolled with Apple Business Manager. Let’s proceed to integrate this with Intune.
Integrate Apple Business Manager with Intune
Create the push certificate
You need an Apple MDM Push certificate to manage your iOS/iPadOS and macOS devices in Microsoft Intune. This token enables devices to enroll via Intune Comp Portal or ADE/ASM/AC2. Follow the steps below to create the Apple MDM push certificate and upload it to the Intune Portal. I’ve written a post on the renewal of the certificate, you can use this post also for the creation of the certificate. It it not that different and pretty easy to do.
Create the Apple Automated Device Enrollment Token
So the pre-requisite is done, but before you can enroll iOS/iPadOS devices, you would need an Apple Server Token (.p7m) file from Apple. This token syncs information from Intune to ADE devices that your corporation owns. It also allows Intune to assign enrollment profiles to Apple and to assign devices to those profiles.
Follow the steps below to create & upload the ADE token:
In Intune portal, select Devices – Enrollment – Apple – Enrollment Program Tokens
Click Add, tick the I agree box, click download your public key and save this key on your device. The .pem file is used to request a trust-relationship certificate from the Apple Business Manager portal.
Click on Create a token via Apple Business Manager to open the Apple Business Manager portal for creating your ADE token (MDM server).
Sign in with your company’s Apple ID in Apple Business Manager.
Click your name at the bottom of the sidebar – Preferences.
Then click “Add” to add MDM Server.
Name your MDM Server, tick the box Allow this MDM Server to release devices and upload the public key file you just downloaded and click save
Now download your MDM Server Token
You will get a warning, you can ignore this because this is our first token, just click Download MDM Server Token and save this on your device
Now back to the Intune Portal, fill in your apple ID, upload the newly downloaded token, click next and create
When this is done you will get this screen
Now your Apple Business Manager is connected to Intune.
Applying for a VPP (Volume Purchase Program) Token
If you want to buy apps and books via Apple Business Manager you need a VPP token. I will show you how to create a VPP token in Apple Business Manager and afterwards add this token to Intune. Here we go.
Go to Apple Business Manager – Click App and Books – Choose your Tax-Status – and fill in yout VAT number. Click Continue
You will be presented with this message:
In most cases this takes less than 5 days. When this is ready you can download the token from Apple Business Manager. Click your name – preferences – Paynents and Billing – Download. Save this token on your device.
Now to connect this token to Intune go to the intune portal – Tenant Administration – Connectors and tokens
In connectors and tokens click Apple VPP Tokens – Create – Fill in the Token name – The apple ID that you use to log-in to Apple Business Manager and browse for the token file you just downloaded.
Click next and set your region – Type of VPP Account – if you want automatic updates and grant Microsoft permission
Click next, add scope tags if you want and click create. you will see that the token is now active and you can add apps and books from Apple Business Manager that will be synced to Intune.
Set the Default Device Assignment
This is the last step for Apple Business Manager, however not mandatory. Here you can add the types of devices to assign by default to your MDM server. To do this go to Apple Business Manager – Your name – Preferences – Click on your MDM Server – change
Now select the types of devices you want to assign by default to your MDM server.
–
Add a device to Apple Business Manager
To add devices to Apple Business Manager you have some options. You Apple reseller can add them for you when you order a device. You can also add a device yourself by using the Apple Configurator app on your phone, i’m going to explain this method. If you want your reseller to add the devices you can read this article: Manage device suppliers in Apple Business Manager – Apple Support
You can add the following devices using Apple Configurator to Apple Business Manager, even if they weren’t purchased directly from Apple or from an Apple Authorized Reseller or cellular carrier:
- iPhone, iPad, and Apple TV devices using Apple Configurator for Mac.
- iPhone, iPad, and Mac computers (running macOS 12.0.1 or later) with Apple silicon or the Apple T2 Security Chip using Apple Configurator for iPhone.
After you’ve set up the device or devices, they behave like any other device already in Apple Business Manager, with mandatory supervision and mobile device management (MDM) enrollment. The device can then be shut down and stored until needed or sent to the user. If the device is given to a user, they have a 30-day provisional period to release the device from Apple Business Manager, supervision, and MDM. This 30-day provisional period begins after the device is successfully assigned to and enrolled in:
- A third-party MDM server linked to Apple Business Manager.
Create the Enrollment Profile
First you will have to create an enrollment profile. Go to the Intune portal – Devices – Enrollment – Apple – Enrollment program tokens – click token name – click profiles – create profile – MacOS – name you profile e.g MacOS
Click next and fill in the details, click next again
Now you can alter the setup assistant, you can choose which screens appear during the setup, this is totally up to you. Fill in the department and department phone.
Click next and fill in the details
Click next and create. Now you enrollment profile has been created, we will add a device to it later on.
Install Apple Configurator on iPhone and configure it
Now it is time to add our device to Apple Business Manager with the use of the Apple configurator app on our iPhone. Download the app from the store and install it on your phone. I already got mine so i choose to open the app.
Open the configurator app and tap continue
Sign in with your apple id you used for Apple Business Manager and fill in the MFA code
In the network configuration section make sure that Share Wifi is selected and at the MDM Server Management your MDM server that you configured in Apple Business Manager is selected by selecting specific and selecting your MDM server
Tap Done
Now your Apple Configurator will look like this
Add your MacOS device to Apple Business Manager with Apple Configurator (iPhone)
Hold your iPhone with Apple Configurator open close to the Mac. You should see a screen that says “Assign this Mac to your Organization”.
From this screen, you have two options:
- Use the iPhone camera (with the Apple Configurator app open) to scan the image on the screen.
- Select “Pair Manually” on the iPhone and click “Pair Manually” on your Mac. You will be shown a 6-digit code and be prompted to enter it.
I will use the scan option, you will now see your device being added to Apple Business Manager. When it is finished you will be presented by this screen
Leave you Mac now for what it is and go to the Apple Business Manager and login. Click on the left hand side on devices and your device should appear. Click on it for the details.
Sync Apple Business Manager device to Intune
Now go back to the Intune portal – Devices – enrollment – Apple – Enrollment program tokens – click on your token name – click devices – click sync
Now the devices in your Apple Business Manager will be synced to Intune. You can click refresh a few times to check if the device appears, after a few seconds my device is there. If you have a lot of devices to syn the time will increase.
Now we can add this device to our enrollment profile. so go to the Intune Portal – Devices – Enrollment – Apple – Enrollment program tokens – click on your token name – click profiles – click on your profile name – click assign devices and click add devices – select your device to add it
When all went good you will get this notification
Now you have added a device into Apple Business Manager and synced it to Intune and assigned it to the Enrollment profile. Now it is time to configure our Mac. But wait, i still want to configure the enable FileVault during setup Assistant and MacOS Platform SSO so let’s do this first. If you don’t want to use FileVault or Platform SSO you can skip these steps.
Enable FileVault during the Setup Assistant
To enable FileVault encryption during the setup assistant do the following. Go to Devices – Macos – Enrollment – Enrollment progtam tokens – your token name – profiles – your profile name – properties. Here make sure to show FileVault.
Now we need to create a policy, to do this go to Devices – Macos – Configuration – create – new policy – settings catalog – name your policy – Add settings – Full Disk Encryption – FileVault. You can take the settings from the screenshot. You can of course play around with the rotation.
That is it, now your device will be encrypted during the setup.
Configure MacOS Platform SSO
What is MacOS Platform SSO
Platform single sign-on (SSO) is a replacement for binding to directory services. It builds on enterprise SSO capabilities so SSO extensions can also perform single sign-on for apps and websites. It integrates with macOS and doesn’t use JavaScript or render webpages for authentication.
The system stores the SSO tokens in the keychain and only shares them with the SSO extension. The SSO extension then uses the SSO tokens to authenticate the user to their on-premises apps and on websites as needed. If the SSO tokens are missing, expired, or more than four hours old, platform SSO attempts to refresh or retrieve new tokens from the IdP.
Platform SSO supports the following authentication methods with an identity provider (IdP):
- Password and encrypted password
The IdP uses the local account password and keeps it in sync, including password updates from the login window and screensaver unlock. - Password with WS-Trust
A federated IdP, meaning an IdP that facilitates federated authentication across multiple security domains, can use the local account password for authentication. - User secure enclave key
A secure enclave-backed key can authenticate with the IdP without a password and without changing the local account password. - SmartCard
High-security customers can use a SmartCard to authenticate with the IdP.
Platform SSO can create new local user accounts on demand at the login window using IdP credentials, and also integrate IdP group membership with macOS. You can use network accounts for authorization, and groups can also authorize network accounts.
Use Device Management to securely configure platform SSO, including device and user registration, configuring groups, and managing account permissions.
The system can also retrieve Kerberos ticket-granting tickets (TGTs), import them to a credential cache, and optionally share them with the Kerberos SSO extension.
I will describe the config for Secure Enclave Key.
Please ensure that you have disabled Per-user MFA for that user, as it may cause password sync failure while setting up Platform SSO.
Configure Platform SSO With Secure Enclave Key
Prerequisites
- Devices must be macOS 13.0 and newer devices. –> For the best results upgrade to MacOS 14.x
- Microsoft Intune Company Portal app version 5.2404.0 and newer.
- Supported web browsers:
- Microsoft Edge
- Google ChromePlatform
- Safari
Create the Platform SSO policy
Go to Intune portal – Devices – MacOS – Configuration profiles – Create – New Policy – Platform MacOS – Profile type Settings Catalog – Name your policy e.g. MacOS – Platform SSO – Select Add Settings – Expand Authentication – Select Extensible Single Sign On (SSO)
Configure the profile for at the below keys: (these are minimum required settings for PSSO to work)
- Authentication Method (Deprecated) (only if you are deploying profile to macOS 13.x devices)
- Extension Identifier
- Authentication Method (macOS 14+)
- Use Shared Device Keys
- Registration Token
- Account Display Name
- Screen Locked Behavior
- Team Identifier
- Type
- URLs
- Token To User Mapping: Account Name
- Token To User Mapping: Full Name
Here you can find all the info that you need to fill in: Configure Platform SSO for macOS devices | Microsoft Learn
As there is apparently some confusion on the use of the URL’s needed in the PSSO profile see here (although this is stated in de Microsoft docs – see link above) here just to clarify:
These URL prefixes are the identity providers that do SSO app extensions. The URLs are required for redirect payloads and are ignored for credential payloads.
If your environment needs to allow sovereign cloud domains, then also add the following URLs:
- https://login.partner.microsoftonline.cn
- https://login.chinacloudapi.cn
- https://login.microsoftonline.us
- https://login-us.microsoftonline.com
For more information on these URLs, go to Microsoft Enterprise SSO plug-in for Apple devices.
Your profile will look like this
Assign the profile to your desired device or user group.
- The local account username isn’t changed and stays as-is.
- End users can use Touch ID to sign in to the device.
- After the unlock, the device gets the hardware-bound Primary Refresh Token (PRT) credential for Microsoft Entra ID SSO. The local account machine password isn’t completely removed from the device. This behavior is by design due to Apple’s FileVault disk encryption, which uses the local password as the unlock key.
Any Intune password policy you configure also affects this setting. For example, if you have a password policy that blocks simple passwords, then simple passwords are also blocked for this setting. Make sure your Intune password policy and/or compliance policy matches your Microsoft Entra password policy. If the policies don’t match, then the password might not sync and end users are denied access. See the warning box below!
- Compliance policy – no password settings specified – User group assigned
- Device restrictions Policy – password settings specified – Device group assigned
- PSSO Policy – Device group or user group assigned
If you want to enable smart card login you will also need to enable FIDO as an authentication method in Entra ID:
Configure Platform SSO With Password
Prerequisites
- Devices must be macOS 13.0 and newer devices. –> For the best results upgrade to MacOS 14.x
- Microsoft Intune Company Portal app version 5.2404.0 and newer.
- Supported web browsers:
- Microsoft Edge
- Google ChromePlatform
- Safari
Create the Platform SSO policy
Go to Intune portal – Devices – MacOS – Configuration profiles – Create – New Policy – Platform MacOS – Profile type Settings Catalog – Name your policy e.g. MacOS – Platform SSO – Select Add Settings – Expand Authentication – Select Extensible Single Sign On (SSO)
Configure the profile for at the below keys: (these are minimum required settings for PSSO to work)
- Authentication Method (Deprecated) (only if you are deploying profile to macOS 13.x devices)
- Extension Identifier
- Authentication Method (macOS 14+)
- Use Shared Device Keys
- Registration Token
- Account Display Name
- Screen Locked Behavior
- Team Identifier
- Type
- URLs
- Token To User Mapping: Account Name
- Token To User Mapping: Full Name
Here you can find all the info that you need to fill in: Configure Platform SSO for macOS devices | Microsoft Learn
As there is apparently some confusion on the use of the URL’s needed in the PSSO profile see here (although this is stated in de Microsoft docs – see link above) here just to clarify:
These URL prefixes are the identity providers that do SSO app extensions. The URLs are required for redirect payloads and are ignored for credential payloads.
If your environment needs to allow sovereign cloud domains, then also add the following URLs:
- https://login.partner.microsoftonline.cn
- https://login.chinacloudapi.cn
- https://login.microsoftonline.us
- https://login-us.microsoftonline.com
For more information on these URLs, go to Microsoft Enterprise SSO plug-in for Apple devices.
Assign the profile to your desired device or user group.
- The Microsoft Entra ID password replaces the local account password, and the two passwords are kept in sync.
- The local account username isn’t changed and stays as-is.
- There are fewer passwords for users and admins to remember and manage. -Users must enter their Microsoft Entra ID password after a device reboots. After this initial machine unlock, Touch ID can unlock the device.
- After the unlock, the device gets the hardware-bound Primary Refresh Token (PRT) credential for Microsoft Entra ID SSO. The local account machine password isn’t completely removed from the device. This behavior is by design due to Apple’s FileVault disk encryption, which uses the local password as the unlock key.
Any Intune password policy you configure also affects this setting. For example, if you have a password policy that blocks simple passwords, then simple passwords are also blocked for this setting. Make sure your Intune password policy and/or compliance policy matches your Microsoft Entra password policy. If the policies don’t match, then the password might not sync and end users are denied access. See the warning box below!
- Compliance policy – no password settings specified – User group assigned
- Device restrictions Policy – password settings specified – Device group assigned
- PSSO Policy – Device group or user group assigned
Insights
- Before setting up PSSO you should think about your approach and communication with the enduser. While your Security Department could expect you to implement the most secure Authentication Method, in this case this is Secure Enclave, your users and the IT Department would expect to use a single password for the local and online (EntraID) accounts.
- Secure Enclave only provides this additional security layer by NOT storing the keys and tokens in the Keychain like the Password method does.
- Secure Enclave could still be the best user experience because users do not need to technically use a password when they use touch id for the sign-in. This way a missing password sync will not be that important anymore but still be phishing resistant.
- Tokens and Keys stored in the Secure Enclave are Hardware Bound (Phishing Resistant). You can not export Tokens or Sync them via iCloud which makes this the most secure way.
- Secure Enclave with PSSO and TouchID has a very similar User Experience feeling like Windows Users have with Windows Hello for Business.
- The Password Method is storing Keys in the KeyChain which is software based. Users or Attackers could export the tokens and reuse them on a different device. This is why Microsoft and Apple is recommending to use Secure Enclave.
Install the Company Portal app for MacOS as a MacOS LOB app
Company Portal for macOS can be downloaded and installed using the macOS LOB apps feature. The version downloaded is the version that will always be installed and may need to be updated periodically to ensure users get the best experience during initial enrollment.
Download Company Portal for macOS from here
Add the app by going to the Intune portal – Apps – Add – App Type Line-of-business app – select
Browse to your downloaded CompanyPortal-installer.pkg file and fill in the empty required fields
Assign it to your desired group
For macOS devices running 10.15 and later, when creating an Automated Device Enrollment profile, you can now choose a new authentication method: Setup Assistant with modern authentication, what we have done. The user has to authenticate using Microsoft Entra credentials during the setup assistant screens. This will require an additional Microsoft Entra login post-enrollment in the Company Portal app to gain access to corporate resources protected by Conditional Access and for Intune to assess device compliance.
Users must sign into the Company Portal to complete Microsoft Entra authentication and gain access to resources protected by Conditional Access. User affinity is established when users complete the enrollment and reach the home screen of the macOS device. If the tenant has multi-factor authentication turned on for these devices or users, the users will be asked to complete multi-factor authentication during enrollment during Setup Assistant. Multi-factor authentication is not required, but it is available for this authentication method within Conditional Access if needed.
User Experience on a MacOS Device
Remember that we left our Mac device after we enrolled it in Apple Business Manager, reboot it. Now just follow the setup assistant to continue onboarding you Mac into Intune With Platform SSO. These are the screenshots during enrollment. Apparently there is a limit on the screenshots you can make during the setup assistant so i missed some. But i think you will get the complete overview of what is going on. My apologies for this.
Select Country or region
Click Continue
Click not now
Connect to Wifi
Click Continue
Now you can see that your device has got the Company enrollment profile, click enroll
Sign in with your Entra ID credentials and accept the MFA request if needed
Now all Intune profiles are being installed, just watch the progress
Now i had to take a picture with my phone, pretty amateuristic i know…. 🙂
From now on you will go to the desktop of the Mac, check the message in the top right corner, click it
Now enter your local user password or use touch id
Enter your Entra ID credentials and approve MFA if needed
Preparing your device
Toggle on Company Portal and click open System Settings
Toggle on Company Portal and click close
Go to Finder – Applications – Company Portal – Click sign in
Check the SSO page, this is what we want to see, click continue
Now all is configured
You can check if all is OK by going to settings – users & groups and clicking on the Entra ID user
In the next window you can see that everything is ok
Now you have successfully enrolled your device via platform SSO to Intune. Congratulations!!!
Enroll MacOS in Microsoft Defender
Prerequisites
To successfully enroll your MacOS (or any other OS for that mater) you will need to setup all connections between Intune and Defender. You can read about it here. Of course you will need the correct licenses:
- Defender for Endpoint Plan 1 and Plan 2 (standalone or as part of other Microsoft 365 plans)
- Microsoft Defender for Business (for small and medium-sized businesses)
To onboard servers to the standalone versions of Defender for Endpoint, server licenses are required. You can choose from:
- Microsoft Defender for Servers Plan 1 or Plan 2 (as part of the Defender for Cloud) offering
- Microsoft Defender for Endpoint for Servers
- Microsoft Defender for Business servers (for small and medium-sized businesses only)
Enable Microsoft Defender in Intune
Sign in to the Microsoft Intune admin center. Select Endpoint security – Microsoft Defender for Endpoint, and toggle the Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations box to On.
Select Endpoint security > Microsoft Defender for Endpoint, and then select Open the Microsoft Defender Security Center.
In Microsoft Defender portal (previously the Microsoft Defender Security Center) Select Settings (at the bottom of the left column) – Endpoints – Advanced features.
For Microsoft Intune connection, choose On and click Save preferences.
Go back to the Microsoft Intune admin center. Select Endpoint security – Microsoft Defender for Endpoint and you will see that the connection status is set to enabled. (this can take a few minutes, please refresh periodically)
Now on the same screen toggle both Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint and Block unsupported OS versions to the On state.
Now you have enabled the connection between Microsoft Defender and Intune. Now let’s continue to create the different configuration profiles needed.
Create system configuration profiles
The System Extensions Policy
Check out this Microsoft article for more info.
You now will need to configure these settings in the settings catalog policy.
- Under Platform, select macOS.
- Under Profile type, select Settings Catalog.
- Name your policy e.g MacOS – Defender Extensions.
- Search for extensions – Select System Configuration > System Extensions – Allowed System Extensions
Cick Edit instance and fill in the details like in the screenshot:
Allowed System Extensions
- com.microsoft.wdav.epsext
- com.microsoft.wdav.netext
Team Identifier
- UBF8T346G9
Select Next. On the Assignments tab, assign the profile to a group where the macOS devices and/or users are located, or select the Add all users and Add all devices options. Then select Next. Review the configuration profile. Select Create.
This is also documented in this Microsoft article:
The next step is to create system configuration profiles that Microsoft Defender for Endpoint needs. In the Microsoft Intune admin center, open Devices – MacOS – Configuration profiles. We will need a lot of policies configured for this so make sure you have some spare time for this 😉
On the Policies tab, select Create > New Policy.
- Under Platform, select macOS.
- Under Profile type, select Templates.
- Under Template name, select Extensions, and then select Create.
- Name your policy e.g MacOS – Defender Extensions
On the Configuration settings tab, expand System Extensions and add the following entries in the Allowed system extensions section:
| Bundle identifier | Team identifier |
|---|---|
com.microsoft.wdav.epsext |
UBF8T346G9 |
com.microsoft.wdav.netext |
UBF8T346G9 |
Select Next. On the Assignments tab, assign the profile to a group where the macOS devices and/or users are located, or select the Add all users and Add all devices options. Then select Next. Review the configuration profile. Select Create.
The Network Filter Policy
As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft 365 Defender portal. The following policy allows the network extension to perform this functionality.
First we need to download the netfilter.mobileconfig file – Unzip the file somewhere on your PC.
To configure network filter:
- Under Configuration profiles, select Create Profile.
- Under Platform, select macOS.
- Under Profile type, select Templates.
- Under Template name, select Custom.
- Select Create.
- On the Basics tab, Name the profile e.g. MacOS – Network Filter
- On the Configuration settings tab, enter a Custom configuration profile name e.g. Network Filter
- Deployment Channel: Device Channel (we are going to scope all Defender policies on device groups)
- Configuration profile file: Browse for the downloaded file
Select Next. On the Assignments tab, assign the profile to a group where the macOS devices and/or users are located, or select the Add all users and Add all devices options. Then select Next. Review the configuration profile. Select Create.
The Full Disk Access Policy
Starting with macOS Catalina (10.15) or newer, in order to provide privacy for the end-users, it created the FDA (Full Disk Access). Enabling TCC (Transparency, Consent & Control) through a Mobile Device Management solution such as Intune, will eliminate the risk of Defender for Endpoint losing Full Disk Access Authorization to function properly.
This configuration profile grants Full Disk Access to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Intune, we recommend you update the deployment with this configuration profile.
First we need to download the Fulldisk.mobileconfig file – Unzip the file somewhere on your PC.
To configure Full Disk Access:
- In the Intune admin center, under Configuration profiles, select Create Profile.
- Under Platform, select macOS.
- Under Profile type, select Templates.
- Under Template name, select Custom. Then select Create
- Select Create.
- On the Basics tab, Name the profile e.g. MacOS – Full Disk Access
- Select Next.
- On the Configuration settings tab, enter a Custom configuration profile name
- Deployment Channel: Device Channel (we are going to scope all Defender policies on device groups)
- Configuration profile file: Browse for the downloaded file
Select Next. On the Assignments tab, assign the profile to a group where the macOS devices and/or users are located, or select the Add all users and Add all devices options. Then select Next. Review the configuration profile. Select Create.
The Background Services Policy
macOS 13 (Ventura) contains new privacy enhancements. Beginning with this version, by default, applications cannot run in background without explicit consent. Microsoft Defender for Endpoint must run its daemon process in background. This configuration profile grants Background Service permissions to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Microsoft Intune, we recommend you update the deployment with this configuration profile.
First we need to download the BackgroundServices.mobileconfig file – Unzip the file somewhere on your PC.
To configure background services:
- Under Configuration profiles, select Create Profile.
- Under Platform, select macOS.
- Under Profile type, select Templates.
- Under Template name, select Custom, and then select Create.
- On the Basics tab, Name the profile e.g. MacOS – Background Services
- Select Next.
- On the Configuration settings tab, enter a Custom configuration profile name e.g. Background Services
- Deployment Channel: Device Channel (we are going to scope all Defender policies on device groups)
- Configuration profile file: Browse for the downloaded file
Select Next. On the Assignments tab, assign the profile to a group where the macOS devices and/or users are located, or select the Add all users and Add all devices options. Then select Next. Review the configuration profile. Select Create.
The Notifications Policy
This profile is used to allow Microsoft Defender for Endpoint on macOS and Microsoft AutoUpdate to display notifications in UI.
First we need to download the Notifications.mobileconfig file – Unzip the file somewhere on your PC.
To turn off notifications for the end users, you can change Show NotificationCenter from true to false in the file.
To configure background services:
- Under Configuration profiles, select Create Profile.
- Under Platform, select macOS.
- Under Profile type, select Templates.
- Under Template name, select Custom, and then select Create.
- On the Basics tab, Name the profile e.g. MacOS – Notifications
- Select Next.
- On the Configuration settings tab, enter a Custom configuration profile name e.g. Notifications
- Deployment Channel: Device Channel (we are going to scope all Defender policies on device groups)
- Configuration profile file: Browse for the downloaded file
Select Next. On the Assignments tab, assign the profile to a group where the macOS devices and/or users are located, or select the Add all users and Add all devices options. Then select Next. Review the configuration profile. Select Create.
The Accessibility Settings Policy
This profile is used to allow Microsoft Defender for Endpoint on macOS to access the accessibility settings on Apple macOS High Sierra (10.13.6) and newer.
First we need to download the Accessibility.mobileconfig file – Unzip the file somewhere on your PC.
To configure background services:
- Under Configuration profiles, select Create Profile.
- Under Platform, select macOS.
- Under Profile type, select Templates.
- Under Template name, select Custom, and then select Create.
- On the Basics tab, Name the profile e.g. MacOS – Accessibility Settings
- Select Next.
- On the Configuration settings tab, enter a Custom configuration profile name e.g. Accessibility Settings
- Deployment Channel: Device Channel (we are going to scope all Defender policies on device groups)
- Configuration profile file: Browse for the downloaded file
Select Next. On the Assignments tab, assign the profile to a group where the macOS devices and/or users are located, or select the Add all users and Add all devices options. Then select Next. Review the configuration profile. Select Create.
The Bluetooth Permissions Policy
macOS 14 (Sonoma) contains new privacy enhancements. Beginning with this version, by default, applications cannot access Bluetooth without explicit consent. Microsoft Defender for Endpoint uses it if you configure Bluetooth policies for Device Control.
Bluetooth granted through Apple MDM Configuration Profile is not reflected in System Settings => Privacy & Security => Bluetooth.
First we need to download the Bluetooth.mobileconfig file – Unzip the file somewhere on your PC.
To configure background services:
- Under Configuration profiles, select Create Profile.
- Under Platform, select macOS.
- Under Profile type, select Templates.
- Under Template name, select Custom, and then select Create.
- On the Basics tab, Name the profile e.g. MacOS – Bluetooth Permissions
- Select Next.
- On the Configuration settings tab, enter a Custom configuration profile name e.g. Bluetooth Permissions
- Deployment Channel: Device Channel (we are going to scope all Defender policies on device groups)
- Configuration profile file: Browse for the downloaded file
Select Next. On the Assignments tab, assign the profile to a group where the macOS devices and/or users are located, or select the Add all users and Add all devices options. Then select Next. Review the configuration profile. Select Create.
The Microsoft Auto Update Policy
This profile is used to update the Microsoft Defender for Endpoint on macOS via Microsoft AutoUpdate (MAU). If you’re deploying Microsoft Defender for Endpoint on macOS, you have the options to get an updated version of the application (Platform Update) that are in the different channels mentioned here:
- Beta (Insiders-Fast)
- Current channel (Preview, Insiders-Slow)
- Current channel (Production)
First we need to download the AutoUpdate.mobileconfig file – Unzip the file somewhere on your PC.
To configure background services:
- Under Configuration profiles, select Create Profile.
- Under Platform, select macOS.
- Under Profile type, select Templates.
- Under Template name, select Custom, and then select Create.
- On the Basics tab, Name the profile e.g. MacOS – Auto Update
- Select Next.
- On the Configuration settings tab, enter a Custom configuration profile name e.g. Auto Update
- Deployment Channel: Device Channel (we are going to scope all Defender policies on device groups)
- Configuration profile file: Browse for the downloaded file
Select Next. On the Assignments tab, assign the profile to a group where the macOS devices and/or users are located, or select the Add all users and Add all devices options. Then select Next. Review the configuration profile. Select Create.
Microsoft Defender for Endpoint Configuration Settings
Set the Microsoft Defender Portal Onboarding Policy
Go through Configure Microsoft Defender for Endpoint in Intune before setting the security policies using Microsoft Defender for Endpoint Security Settings Management.
In the Intune portal, go to Endpoint Security – Endpoint Detection and Response
- Click Create policy
- Choose MacOS as platform
- Choose Endpoint Detection and Response
- Click Create
- Name your policy e.g. MacOS – Endpoint Detection and Response, click next
- Add your Device Tags
Select Next. On the Assignments tab, assign the profile to a group where the macOS devices and/or users are located, or select the Add all users and Add all devices options. Then select Next. Review the configuration profile. Select Save.
Set the Microsoft Defender Antivirus Policy
In this policy you will configure the settings of Microsoft Defender itself. These settings are not carved in stone and you can set these for your own needs.
In the Intune portal, go to Endpoint Security – Antivirus
- Click Create policy
- Choose MacOS as platform
- Choose Microsoft Defender Antivirus
- Click Create
- Name your policy e.g. MacOS – Microsoft Defender Antivirus , click next
Select Next. On the Assignments tab, assign the profile to a group where the macOS devices and/or users are located, or select the Add all users and Add all devices options. Then select Next. Review the configuration profile. Select create.
User Experience Enrolling a device in Intune & Defender (The manual way)
In this part i will show you how to enroll you MacOS device into Intune and Defender by using the Company portal app. I have created a dynamic device group for MacOS devices, this group is assigned to all different policies and configurations.
Get the Microsoft Defender ATP app for MacOS
Go to the intune portal – apps – MacOS – Add – select app type – Microsoft Defender for Endpoint – MacOS
Click Select – Next – Assign the app to your desired group(s) – Create
You will see the app in the list op apps for your Mac
Get the Microsoft Defender onboarding package for MacOS
To download the onboarding packages from Microsoft 365 Defender portal:
- In the Microsoft 365 Defender portal, go to Settings > Endpoints > Device management > Onboarding.
- Set the operating system to macOS and the Connectivity type to standard and the deployment method to Mobile Device Management / Microsoft Intune.
This profile contains license information for Microsoft Defender for Endpoint.
To deploy the onboarding package:
- Under Configuration profiles, select Create Profile.
- Under Platform, select macOS.
- Under Profile type, select Templates.
- Under Template name, select Custom.
- Select Create.
- On the Basics tab, Name the profile e.g. MacOS – Onboarding Package
- Select Next.
- On the Configuration settings tab, enter a Custom configuration profile name e.g. Onboarding Package
- Deployment Channel: Device Channel (we are going to scope all Defender policies on device groups)
- Configuration profile file: Browse for the downloaded file
- On the Basics tab, Name the profile e.g. MacOS – Auto Update
Install the Company Portal app – You can skip this if you have enrolled your device with Apple Business Manager
- Go to Enroll My Mac. and click Allow
- Wait while the Company Portal installer .pkg file downloads. Open the installer when it’s ready.
- On the Introduction page, select Continue.
- On the License page, read through the Microsoft Application License Terms. Select Continue.
- Select Agree to agree to the terms of the software license agreement.
- On the Installation Type page, select Install.
- Enter your device password or registered fingerprint. Then select Install Software.
- Wait for Company Portal to finish installing.
- Open the Company Portal app.
Enroll your Mac -You can skip this if you have enrolled your device with Apple Business Manager
- Sign in to the Company Portal app with your work or school account. (Approve your MFA)
- On the Set up access page, select Begin.
- Review the privacy information. Then select Continue.
- On the Install management profile page, select Download profile.
- Your macOS system settings open in a new window. The management profile you just downloaded is shown.
- Select the profile to open it.
-
- Select Install…
-
- When asked to confirm installation, select Install.
- Enter your device password to allow the profile to enroll your device. Then select Enroll.
- Wait while the management profile installs and then enrolls your device.
- Return to the Company Portal app and verify that there’s a green checkmark next to Install management profile.
- Your organization may require you to update your device settings. On the Checking device settings page, review the list of settings you need to change. Select How to resolve this to view related help documentation in a web browser.
- After you make all changes, select Retry. Wait while Company Portal rechecks your device settings.
After some time you can check the Intune portal if your device is there, almost immediately my devices shows up as compliant.
A few minutes later my device is getting al its configuration profiles which we have configured in the previous steps
After a few minutes you will receive a pop-up and notice the Defender icon.
When you open the Defender app and you see this all is good.
Now you can go to the security portal – Assets – Devices and you will see your device listed in the Defender portal
And that’s it, congratulations you have just enrolled your Mac in Intune and onboarded it in Defender.
This concludes the setup of Microsoft Defender for MacOS. Now let’s dive into some other cool stuff in part 2.
Howdy. Thanks for this very detailed instruction guide. It’s extremely helpful. One thing I am stuck on, and there isn’t a description here in your guide, is in the Extensible Single Sign On (SSO) section. You have added that the “Account Display Name” be added and in your guide you have it grayed out for what you input as the value. Can you please explain to me why this entry is needed and what I should be using for the value? I apologize for not knowing this, but I’m very green to using MacBooks and Intune. Thank you for your help. I look forward to continuing on with the guide once I understand the answer to this.
-matt
Hi Matt, it’s just a display name. I usually enter the tenant name so that the user knows from which tenant the notifications or authentication requests come from.
hello, thank you for this excellent tutorial, I’m glad because before arriving on this tuto I had already set up quite a few things for macOS enrollment and policies.
There’s one point that bothers me, I’ve set up the sso for mac, it works very well for accessing the various windows applications on mac! however, I’d like to make sure that my users can also connect to the macbook with the entra ID password. i’ve tried a lot of things, but i’m stuck. what method should i use? i’ve tried device feature (single sign-on app extension) which didn’t work, and also sso mac extension with no results. do you have any ideas? or did i not pay attention and it’s already in to tutorial?
thanks in advance
Hi,
Thank you for the comment. And yes you are correct this is not yet in the manual, i need to update it. Instead of secure enclave key you should use password. Witj these settings your entra password will sync back to the macos device. Test it and let me know.
Hi Seba, i did the update on the post. Password authentication is now in place.
hi, I’m so happy, all I needed was the authentication mode to make it work. (In fact I’d already tried it, but the ‘registration required’ message was looping.
When I found your article, I saw that I hadn’t put too much nonsense into the configuration.
BUT the password is perfectly linked to the entra ID password.
On some workstations, I still have intune profiles that don’t connect, and the portal is connected but not functional. I’ll keep investigating.
Thank you very much for your help. I’ll be your new faithful reader!
Translated with DeepL.com (free version)
Nice to know. Good job!
Hello,
following my request, I’m trying to enable my users to connect to the macbook with their mail addresses from the entra id.
I used: the federation of managed apple accounts that I synchronized with entra > which ‘normally’ allows apple ID email addresses to be those of apple ID accounts.
I also applied the password strategy for local accounts synchronized with Entra ID.
when registering my test device, the strategies, profiles, + company portal generate synchronize well.
I enter my apple id at startup (end of oobe)+ mandatory creation of a local account.
later, i configure password synchro with entra id: functional,
however, despite all my other efforts, only the local user created is visible, and i’m still unable to use apple id + synchronized password instead of the apple id (entra) e-mail address + synchro password.
I’ve looked at the Microsoft + apple docs… not much description there.
Would you have an idea? It would be great if you could give me some idea.
thanks in advance for your help.
regards
Cool
New follower, thanks!
Thank you
This tutorial is phenomenal. I’m following it almost to the letter, but I can’t use the company portal at all.
When I open it, it’s asking to enrol the device into Intune (asking to install management profile), but the mac has already been enrolled into Intune (has a management profile installed), and it’s compliant. It appears as though there’s 2 competing management profiles.
The only solution I’ve found so far is if I unlock enrolment, I can use the company portal as intended, but this is a horrible OOBE for the end user and we don’t necessarily want our end users to have local admin. Any advice?
Hi Troy,
It’s somewhat difficult to give you a straight-up answer to your question without having more detail. Preferably i would like to check your config so i can give you the correct advise.
Hi,
Thanks for this detailed guide. So I started with a new Macbook out of the box. I made an account and then I directly enrolled the device usng the company portal.
I’ve setup SecureEnclave. However when using my account I can only login with the local admin password (so not my M365 password). When logging in with another user account I can use the M365 password.
Why would that be?
Ideally I’d like to login using the fingerprint scanner.
Thank you!
Hi Michael, thank you for the comment. To use the M365 password you need to configure psso with the password setting instead of enclave key. Check the Microsoft docs, there is a good comparison between enclave and password.
Just saw that I forgot to answer! Thank you for your answer. I read the docs and it’s working now :).
I have been browsing on-line greater than three hours these days, but I never found any fascinating article like yours.
It is beautiful value enough for me. In my view, if
all site owners and bloggers made excellent content as you did, the net will likely be a lot
more useful than ever before.
I am reaching out regarding an issue we have encountered with our Mac enrollment to Intune. As part of our enrollment process, we have configured the device enrollment profile to display the account creation window. Initially, we were successfully getting the account creation page right after enrollment. However, for the past few days, we have noticed that the account creation page is no longer appearing. Instead, it is taking us directly to the login page. And there is no changes on settigs on our end
We would appreciate your guidance and assistance on this matter, as the Microsoft functionality does not seem to be working as expected.
Hi Sam, i need to test this. If there was a change i was not aware of this. As soon as i have time i will do some testing and let you know.
Hi Sam, are you using await final configuration?
Hi Sam, just enrolled some mac’s today, i did get the account creation screen every time.
Hi,
I’ve done some more testing today and I’m confused…
So I have two MacBook Pro’s that will be used by multiple users.
I want to install Logic Pro with a device license.
Having read multiple guides (like yours 🙂 and the Microsof docs I thought I had to select Enroll without user affinity in the enrollment profile.
The same MS docs say that the company portal app won’t work when you chose Without user affinity. My testing has shown that the Company portal app HAS to be installed in order for platform SSO to work (once the company portal app is installed I get the notification to register for Platform SSO if not, nothing happens and users can’t login user their M365 credentials).
I also read a post that said that even on a device with User affinity multiple users can login but only the primary account can use the company portal app.
So this is where I’m confused for my use case it seems like I could use both with or without user affinity and have the same result?
Can you give me some advice on how to set up my environment for my specific use case?
Thank you!
Also want to add that in the enrollment profile (and enroll without user affinity selected) I enabled to show FileVault during the setup process though this screen didn’t show. Not sure if this only works when with user affinity is selected..
Noticed the same things to but need to do some more testing. Because of lack of time and being sick i did not yet had the chance to.
No worries, thanks for your answer and get well!
Hi Joery,
Hope you’re feeling better. I wonder if you had the time to check this out further? I’m a bit stuck on what configuration I’d use best for my use case.
Thanks!
Hi, thanks for your guide—it’s incredibly helpful! On my end, I’m looking for clarifications on the BitDefender configuration.
1. For point 6.4.1, “Set the Microsoft Defender Portal Onboarding Policy,” the only configuration setting I see is the Type of tag set to GROUP (Default) and a tag value to enter. You mentioned “MacOS”, while I entered “macOS”, but I don’t understand what this refers to and where I’m supposed to review this information.
2. I think some UI elements have changed since the article was published, especially in section 6.4.2 “Set the Microsoft Defender Antivirus Policy”. I tried to adjust the settings accordingly.
3. In its documentation, Microsoft provides a configuration profile for the Background Services section, which includes an additional rule value for com.microsoft.wdav (in addition to com.microsoft.fresno and com.microsoft.dlp) compared to the profile available in the article. The “AssociatedBundleIdentifiers” key of the LaunchDaemon “com.microsoft.dlp.install_monitor.plist” refers to “com.microsoft.wdav”.
In the end, the recommended detection tests for EICAR and MDATP macOS DIY work, but honestly, I don’t feel like I fully understand the settings applied.
Let’s dive into part 2!
Hi Franck, thank you for pointing this out to me. I will check if there are any changes in the screens.
Hi!
Thanks for an awesome guide, I have followed it to the letter – except for choosing password authentication for SSO.
However, I cannot get Defender to work properly. I have tried deploying the onboarding package twice, and it succeeds both times, yet Defender reports that no license is in place.
Also, the Management Profile is installed but not showing as verified. Don’t know if theres a connection. Apart from this, everything seems to be working. Any idea why the Defender license is not properly configured?
Hi Lars,
It appears there is a json missing in my zip file. Check the Microsoft doc on this and get the missing file from there. I will update the zip file shortly.
Hi,
Thank you so much for creating this guide. It is super detailed and has all the information required to setup the MAC to be managed via Intune.
I have followed the process, and all looks good but had a question regarding the setup of an additional user. I have setup the platform SSO using password. The initial account I logged in with is my company admin account and this has been setup as admin. To assign the MAC to the end user, I have created the additional user with standard privileges in the User and Groups section. Will the SSO work for this account as well once the user logs in or is there anything else to be done?
Best regards,
Gerrald
Hi,
The additional user will have to go trought the same process of registering.
This comprehensive guide is incredibly helpful for managing macOS devices with Intune. The detailed steps on Apple Business Manager integration and Platform SSO setup are particularly valuable for streamlining device enrollment and enhancing security.
Thank you!
Hi – thank you very much for your guide, super helpful!
One question, the macOS Extensions are depreciated, any new workaround?
https://learn.microsoft.com/en-us/intune/intune-service/configuration/kernel-extensions-settings-macos
Hi,
Yes, like the MS doc stated you now need to configure this with a settings catalog policy, just search for extensions and you will get the setting to configure. I’ve updated the article to reflect the new settings. Thank you for letting me know. Appreciate this.
Hi.
Again, great article.
Is there a way to configure Gatekeeper, to allow execution of files downloaded from the Internet? With wildcard domain or white list?
There seems to have been a template for this, but it is deprecated. Can it be done using custom template?
Hi,
Great article and thanks a lot for putting this together. I have one question regarding firewall. How can we manage the firewall rules like if we want to enable all incoming traffic for Java for example?
Thanks
Hi, you can have separate rules in intune for that.
Thank you so much for this guide! We’re a Windows shop but we have one partner that will only use a Mac. QQ, after the Mac has been registered to an Entra ID user, can it be registered to a different user without wiping the Mac? Also, I ran into an issue when registering the user. It wouldn’t accept their M365 password. When i checked the logs, it said MFA was required. I had to disable MFA for that user temporarily in order to register it. Not sure why that is.
Hi, can you please provide guide for device control for mac os, specifically USB drive control. i.e block unknown external drives, allow specific drives by SN.
Hi, great guide, thank you for publishing. Very informative and detailed, will share with my team. I have one question if possible. Is there a way to prioritize the configurations to be pushed down to the Macs before any apps get installed by Intune? I don’t see any way to configure that? I obviously have a lot of permissions set through the configurations for “standard” users in my environment. They have to be pushed down before the apps are installed. We just started managing our Macs using Intune and it seems like once the Mac is added to the Is there any way to accomplish this?
Thank you,
JT
Anyone having success with using Groups (Other and Admin) and Authorization Groups, specifically with Intune? I believe I seen notes out there that this isn’t supported or not expected to work as advertised…but I’m hoping its fixed. i can confirm Intune PSSO policy will create the groups i define, but automagic user to group assignment is not