Intune macOS management
How Intune manages Mac devices — enrolment via Apple Business Manager, configuration, app deployment, and compliance.
Intune supports macOS management with feature parity good enough for most Microsoft 365 customers to standardise on it rather than running Jamf, Mosyle, or another macOS-specific MDM. The model is similar to Windows but the integrations are Apple-specific.
Enrolment
Two main paths into Intune:
- Apple Business Manager (ABM) + Automated Device Enrolment (ADE) — corporate-owned devices procured through resellers integrated with ABM. The Mac auto-enrols at first boot, with a customised Setup Assistant.
- Company Portal user-driven enrolment — user installs the Intune Company Portal app and enrols their device.
ADE is the right path for a company-owned fleet. It supports zero-touch deployment, locked enrolment (the user can't unenrol), and automatic Wi-Fi/VPN configuration.
Configuration profiles
Intune for macOS supports:
- Built-in setting catalogues for common controls — disk encryption (FileVault), firewall, Gatekeeper, login window, restrictions, software updates.
- Settings catalog with the full library of Apple-supported MDM settings.
- Custom configuration profiles as .mobileconfig files for anything outside the catalogue.
- Preference files delivered as .plist for app-specific configuration (Office for Mac, Edge, Chrome).
- Shell scripts for one-shot remediation actions.
- Platform SSO — Entra ID single sign-on for the Mac login window and all apps.
App deployment
Intune deploys macOS apps as:
- DMG / PKG packages uploaded directly.
- Microsoft 365 Apps as a first-party deployment type.
- Microsoft-built apps (Edge, Defender for Endpoint, Teams) as first-party deployment types.
- Volume Purchase Program (VPP) apps purchased through Apple Business Manager.
- Web links for browser-accessed apps.
For third-party apps, the Privileged Helper Tool model and deployment as a .pkg are the modern standard.
Compliance and Conditional Access
Compliance policies for macOS evaluate:
- OS version.
- FileVault state.
- System Integrity Protection (SIP) state.
- Defender for Endpoint risk score.
- Local password requirements.
- Custom compliance via shell scripts.
The state flows to Entra ID and Conditional Access in exactly the same way as Windows — a non-compliant Mac is blocked from Office 365 by the standard CA policy.
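A custom compliance discovery script of the kind the list above refers to, written here as an added illustration rather than taken from the page or from Microsoft's own samples. Intune runs such a script as root and expects it to print a single JSON object whose keys match the rules in the compliance JSON file uploaded with it; the key names (FileVaultEnabled, SIPEnabled, OSVersion) are assumed, and the parsing is split into functions so it can be checked against captured command output off a Mac.

```shell
#!/bin/sh
# Added example: Intune custom-compliance discovery script for macOS.
# The JSON keys below are assumed names that must match the rules in the
# compliance JSON file paired with this script in Intune.

# Returns 0 when the captured output of `fdesetup status` reports FileVault on.
filevault_on() {
  printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# Returns 0 when the captured output of `csrutil status` reports SIP enabled.
sip_enabled() {
  printf '%s\n' "$1" | grep -q 'System Integrity Protection status: enabled'
}

# Builds the JSON object Intune consumes.
# $1 = text of `fdesetup status`, $2 = text of `csrutil status`, $3 = OS version.
compliance_json() {
  fv=false
  sip=false
  filevault_on "$1" && fv=true
  sip_enabled "$2" && sip=true
  printf '{"FileVaultEnabled": %s, "SIPEnabled": %s, "OSVersion": "%s"}\n' \
    "$fv" "$sip" "$3"
}

# On a real Mac, gather live state; elsewhere the functions can be exercised
# with constructed sample output as in the comments below.
if [ "$(uname)" = "Darwin" ]; then
  compliance_json "$(fdesetup status)" "$(csrutil status)" "$(sw_vers -productVersion)"
fi
# Constructed sample: compliance_json "FileVault is On." \
#   "System Integrity Protection status: enabled." "14.4"
# prints {"FileVaultEnabled": true, "SIPEnabled": true, "OSVersion": "14.4"}
```

A matching compliance JSON rule would then compare FileVaultEnabled and SIPEnabled against true and OSVersion against a minimum, and the result flows to Conditional Access like any built-in setting.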
Defender for Endpoint on macOS
Defender for Endpoint on macOS is fully featured: real-time antivirus, EDR, attack surface reduction, network protection, web protection. Deployed via Intune as a first-class app, with policy delivered through Intune configuration profiles.
Platform SSO
Platform SSO (built on Apple's Platform SSO framework) integrates Mac login with Entra ID directly — users sign in to the Mac with their Entra ID credentials, FileVault is unlocked with that identity, and the system establishes a passkey-style trust binding. This replaces older Jamf Connect / Kandji-style setups.
For Microsoft 365 customers with Mac fleets, Intune is now the default. The case for keeping a Mac-specific MDM is much weaker than it was three years ago.