
You're reading from Microsoft Intune Cookbook

Product type: Book
Published in: Jan 2024
Publisher: Packt
ISBN-13: 9781805126546
Edition: 1st Edition
Author: Andrew Taylor

Andrew Taylor is an End-User Compute architect with 20 years' IT experience across industries and a particular interest in Microsoft Cloud technologies, PowerShell and Microsoft Graph. Andrew graduated with a degree in Business Studies in 2004 from Lancaster University and since then has obtained numerous Microsoft certifications, including Microsoft 365 Enterprise Administrator Expert, Azure Solutions Architect Expert and Cybersecurity Architect Expert, amongst others. He is currently working as an EUC Architect for an IT company in the United Kingdom, planning and automating the products across the EUC space. Andrew lives on the coast in the North East of England with his wife and two daughters.

macOS Device Management

The last of the different platforms covered in this book (at the time of writing, Linux and ChromeOS management are still too limited) is macOS. We will look at configuring and then deploying a corporate device. For this, we will use the Apple Business Manager (or Apple Education) configuration, which is explained in the Technical requirements section (as well as in the previous chapter on iOS).

The chapter will cover the configuration of profiles for your macOS devices as well as their enrollment.

We will also run through the process of configuring Intune to work with Apple Business Manager and deploy applications, using the Volume Purchase Program.

In this chapter, we will cover the following recipes:

  • Configuring a macOS Settings catalog policy
  • Deploying shell scripts to macOS
  • Configuring update policies for macOS
  • Deploying apps to macOS
  • Configuring a macOS enrollment profile
  • Enrolling your corporate device

Chapter materials

As with Chapters 2, 5, and 6, the recipes in this chapter will not cover every available policy type, so we will run through them all briefly here to get a better understanding of what is available for macOS devices. As with Windows and iOS, most macOS policy settings have now been migrated to the settings catalog.

The available profile types are as follows:

  • Settings catalog: The unified settings catalog is the modern, continually expanding way to deploy settings, and is where most macOS settings now live.
  • Custom: This lets you upload a .mobileconfig file, created in a profile editor such as Apple Configurator (Profile Manager, which older guides reference, is no longer shipped by Apple), to configure settings not yet available elsewhere. We will cover this briefly in the following shell scripts recipe. Some examples can be found here: https://github.com/microsoft/shell-intune-samples/tree/master/macOS.
  • Device restrictions: These are an alternative to the settings catalog for your standard restrictions.
  • Device features: Device restrictions are used to protect and lock down devices. Device features set various custom settings, such as lock...
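To make the Custom profile type concrete, here is an added example (it is not code from the book or from Microsoft's shell-intune-samples repository) that writes a minimal, unsigned .mobileconfig of the kind the Custom profile type accepts, and sanity-checks it before upload. The payload chosen (com.apple.loginwindow with SHOWFULLNAME and LoginwindowText), the identifier com.contoso.loginwindow and the banner text are assumptions for illustration; substitute the keys for the setting you actually need.

```shell
#!/bin/bash
# Added example, not from the book or from Microsoft's shell-intune-samples
# repository: generate a minimal, unsigned .mobileconfig of the kind the Custom
# profile type accepts, then sanity-check it before upload. The payload
# (com.apple.loginwindow with SHOWFULLNAME and LoginwindowText), the identifier
# and the banner text are assumptions chosen for illustration.
set -u

# Print a configuration profile to stdout.
# $1 = reverse-DNS profile identifier, $2 = profile UUID, $3 = payload UUID
make_loginwindow_profile() {
    profile_id="$1"; profile_uuid="$2"; payload_uuid="$3"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.loginwindow</string>
            <key>PayloadIdentifier</key>
            <string>${profile_id}.loginwindow</string>
            <key>PayloadUUID</key>
            <string>${payload_uuid}</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadDisplayName</key>
            <string>Login Window</string>
            <key>SHOWFULLNAME</key>
            <true/>
            <key>LoginwindowText</key>
            <string>Authorised use only. Activity may be monitored.</string>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Login window hardening</string>
    <key>PayloadIdentifier</key>
    <string>${profile_id}</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadUUID</key>
    <string>${profile_uuid}</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
EOF
}

# Pre-upload checks for the usual mistakes: every required top-level key is
# present, and each PayloadUUID value is unique within the profile.
validate_profile() {
    profile="$1"
    for key in PayloadContent PayloadDisplayName PayloadIdentifier PayloadType PayloadUUID PayloadVersion PayloadScope; do
        printf '%s\n' "$profile" | grep -q "<key>${key}</key>" || { echo "missing ${key}" >&2; return 1; }
    done
    total=$(printf '%s\n' "$profile" | grep -c '<key>PayloadUUID</key>' || true)
    distinct=$(printf '%s\n' "$profile" | grep -A1 '<key>PayloadUUID</key>' \
        | grep '<string>' | sed 's/^[[:space:]]*//' | sort -u | grep -c . || true)
    [ "$total" -eq "$distinct" ] || { echo "duplicate PayloadUUID values" >&2; return 1; }
}

# Fresh UUIDs: uuidgen on macOS and most Linux systems, kernel fallback otherwise.
new_uuid() { uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid; }

# Usage: emit_profile com.contoso.loginwindow > loginwindow.mobileconfig
emit_profile() {
    profile="$(make_loginwindow_profile "$1" "$(new_uuid)" "$(new_uuid)")"
    validate_profile "$profile" && printf '%s\n' "$profile"
}
```

On a Mac, `plutil -lint loginwindow.mobileconfig` confirms the file parses as a property list before you upload it under Devices > macOS > Configuration profiles > Custom. Intune accepts unsigned profiles, so no signing step is needed for this path.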

Important notes

When dealing with Apple devices, there are some very important things to consider throughout the initial setup and continued management, which we will run through here.

When dealing with Apple devices, record the expiry dates of every Apple certificate and token Intune depends on (the MDM push certificate, the ABM enrollment tokens and the VPP tokens; each lasts one year) and set a renewal reminder well ahead of them. You could also use Azure Automation to automate the reminders for you; see more here: https://andrewstaylor.com/2022/06/07/alerting-when-my-apple-certificates-expire-in-intune-using-azure-automation/.

The MDM push certificate connects your devices to the Intune MDM service. Renew it before it expires, and always with the same Apple ID that created it: a certificate created under a different Apple ID is a new certificate, and every device will need to be re-enrolled. If it does expire, Apple can sometimes renew it if you contact them within 30 days of the expiry date. If they cannot, or 30 days have passed, your only option is to wipe and re-enroll all your devices. Yes, it is a full wipe – data destruction, everything.

The enrollment token is used to initially enroll your devices. If this expires, you must create a new enrollment...

Technical requirements

For this chapter, you will need a modern web browser and a PowerShell code editor, such as Visual Studio Code or PowerShell ISE.

All of the scripts referenced can be found here: https://github.com/PacktPublishing/Microsoft-Intune-Cookbook.

You will need an Apple Business Manager (ABM) account set up and ready to be configured with Intune. You can find instructions to set up your ABM account at https://www.apple.com/business/docs/site/Apple_Business_Manager_Getting_Started_Guide.pdf and https://www.intuneirl.com/onboarding-to-abm/.

Your hardware supplier should be able to add your devices to ABM at the point of purchase, but you can also add them yourself with Apple Configurator: the iPhone app can add a Mac to ABM, and the Mac app can add iOS and iPadOS devices: https://support.apple.com/en-gb/apple-configurator.

To enroll devices, you will need a macOS device that has been added to ABM.

Configuring a macOS Settings catalog policy

We have looked at the different policy types available, but the most comprehensive option is the settings catalog, which is constantly being updated with new settings and is, therefore, the recommended method to deploy settings to your macOS devices. You can now also export and import settings catalog policies directly in the UI, which is a further advantage over the other policy options.

Follow this recipe to find out how to configure your devices.

How to do it…

Here, we will learn how to use the settings catalog to configure our first macOS policy:

  1. First, navigate to Devices, and then click on macOS.

Figure 7.1 – The macOS Devices menu

  2. Now, click on Configuration profiles, click Create, and select New policy.
  3. Select Settings catalog, and click Create.
  4. Enter a name and an (optional) description, and then click Next.

    As with our Windows and iOS devices, we need to add settings...

Deploying shell scripts to macOS

With Windows devices, you can use PowerShell scripts to make changes not currently supported by other methods, such as the settings catalog or a custom OMA-URI. We will cover these in Chapter 12, PowerShell Scripting across Intune.

For devices that run macOS, the alternative is shell scripts. These can be configured to run either as root (system context) or as the signed-in user, and as macOS is Unix-based, a shell script can configure almost anything on the device.

Getting started

There are some prerequisites and things to watch with shell scripts; we will start with the prerequisites:

  • Prerequisites:
    • Devices must be running macOS 11.0 or later
    • Devices must have a direct connection to the internet (traffic via a proxy server is not supported)
    • Scripts must begin with a shebang line (#!) naming the interpreter, for example #!/bin/sh, #!/bin/bash or #!/usr/bin/env zsh
  • Considerations:
    • Shell scripts run in parallel, so if you deploy multiple scripts, they will run at the same time
    • Scripts deployed as the signed-in user will run for every account signed in to the device at the point the script runs
    • Intune reports a script as successful only when it exits with code 0, so make sure failures exit non-zero
    • A...
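The following is an added example of how those prerequisites and considerations shape a real deployment script; it is not code from the book or from Microsoft's shell-intune-samples repository. It shows the pattern a practitioner wants in every Intune macOS script: a shebang, a check of the context it runs in (root for system scripts, the signed-in user otherwise), an idempotent read-before-write so repeated runs are harmless, logging that Intune captures, and a non-zero exit on failure. The script name, log directory and the setting it applies (showing name and password fields instead of the user list at the login window, a common hardening item) are assumptions chosen for illustration.

```shell
#!/bin/bash
# Added example, not from the book or Microsoft's shell-intune-samples repository:
# a template for an Intune-deployed macOS shell script that is idempotent, logs
# what it did, and signals failure through its exit code. The script name, log
# path and the setting it applies are assumptions chosen for illustration.
set -u

SCRIPT_NAME="LoginWindowHardening"                                    # hypothetical
LOG_DIR="/Library/Logs/Microsoft/IntuneScripts/${SCRIPT_NAME}"        # hypothetical
LOG_FILE="${LOG_DIR}/${SCRIPT_NAME}.log"
DOMAIN="/Library/Preferences/com.apple.loginwindow"                   # system-wide plist

log() {
    # Timestamped line to stdout (Intune captures it) and to a local log file.
    line="$(date '+%Y-%m-%d %H:%M:%S') [${SCRIPT_NAME}] $*"
    echo "$line"
    if mkdir -p "$LOG_DIR" 2>/dev/null; then echo "$line" >> "$LOG_FILE" 2>/dev/null || true; fi
    return 0
}

run_context() {
    # Intune runs "system" scripts as root (uid 0) and "user" scripts as the
    # signed-in user. Takes the uid as an argument so the decision is testable.
    if [ "$1" -eq 0 ]; then echo "system"; else echo "user"; fi
}

bool_to_int() {
    # `defaults read` reports booleans as 1/0; normalise the desired value the same way.
    case "$1" in
        true|TRUE|yes|YES|1) echo 1 ;;
        *) echo 0 ;;
    esac
}

current_value() {
    # $1 = preference domain (or plist path), $2 = key.
    # Prints "unset" when the key does not exist yet (defaults exits non-zero).
    defaults read "$1" "$2" 2>/dev/null || echo "unset"
}

needs_change() {
    # Idempotency check: true (exit 0) when the current value ($1) differs from the desired one ($2).
    [ "$1" != "$2" ]
}

apply_bool() {
    # $1 = domain, $2 = key, $3 = desired boolean (true/false)
    desired="$(bool_to_int "$3")"
    current="$(current_value "$1" "$2")"
    if needs_change "$current" "$desired"; then
        log "Setting $2 in $1 to $3 (was: $current)"
        defaults write "$1" "$2" -bool "$3" || return 1
    else
        log "$2 in $1 already $3; nothing to do"
    fi
}

main() {
    context="$(run_context "$(id -u)")"
    log "Starting in ${context} context"
    if [ "$context" != "system" ]; then
        log "This script must be deployed to run as root (system context)"
        exit 1
    fi
    # Show name/password fields instead of the user list at the login window.
    apply_bool "$DOMAIN" "SHOWFULLNAME" true || { log "Failed to write setting"; exit 1; }
    log "Completed"
    exit 0
}

# Apply only on macOS, so the file can be sourced on another platform (e.g. in a
# test harness) to exercise the functions without touching any preferences.
if [ "$(uname)" = "Darwin" ]; then
    main
fi
```

Deploy it under Devices > macOS > Shell scripts with "Run script as signed-in user" set to No, since the plist under /Library/Preferences is only writable by root; a second run finds the value already set and exits 0 without rewriting anything.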

Configuring update policies for macOS

As with our Windows and iOS devices, we want to make sure they run the latest available OS version to increase security across the estate. For macOS, this is accomplished using an update policy, which can be created from the Software updates template in Profiles, from the Software Update category in the settings catalog, or from the dedicated Update policies for macOS menu. To keep things standardized across platforms, in this example, we will use the dedicated update policies menu so you always know where to look for your updates. As with Windows devices, for a large macOS estate, it is worth using deployment rings so that updates can be tested prior to large-scale deployment.

How to do it…

Follow these steps:

  1. Start by clicking on Devices and then macOS.
  2. Then, click Update policies for macOS.
  3. Click Create profile.
  4. As usual, we will start with a name and description, and then click Next.
  5. On the next screen, you can select...

Deploying apps to macOS

We have configured and protected our devices, but the end users are going to want to have some applications deployed as well. Within Intune, there are a number of options available:

  • Microsoft 365 Apps: A GUI to deploy M365 apps (covered later)
  • Microsoft Edge: To deploy Edge version 77 and later (Chromium) (covered later)
  • Microsoft Defender for Endpoint: To protect your devices (covered later)
  • Web link: Deploy a URL to the desktop
  • Line-of-business app: Deploy a custom pkg application
  • macOS app (DMG): Upload and deploy a DMG-based application (covered later)
  • App Store app: Similar to iOS, this deploys a VPP app from the App Store (covered later)

Getting started

For this recipe, make sure you have a DMG file available to deploy, and also access to either ABM or Apple Education to deploy applications from the App Store.

How to do it…

All of these instructions will be from Apps and then macOS apps in the Intune...

Configuring a macOS enrollment profile

Before we enroll our first macOS device, we have one last task to complete – we need to configure an enrollment profile, the same as we completed in the previous chapter for iOS.

Getting started

For this recipe, you will need your Intune instance linked to ABM with an enrollment token configured. If you did not complete this in Chapter 6, complete the following recipes before continuing:

  • Configuring a connector between Apple and Intune
  • Adding enrollment profile tokens

How to do it…

Follow these steps:

  1. First, select Devices and then macOS.
  2. Click macOS enrollment.
  3. Now, click on Enrollment program tokens.
  4. Click on the token created earlier:

Figure 7.16 – An Apple token

  5. Next, click on Profiles, and if you set up an iOS profile earlier, you should see it here now.
  6. Select the drop-down arrow next to Create profile, and choose macOS...

Enrolling your corporate device

Now that our environment is configured to support and manage macOS devices, we can enroll our first device. As these are generally corporate-owned machines, this recipe only covers full ABM (Automated Device Enrollment) enrollment, and it is recommended that you block personal enrollment of macOS devices using an enrollment device platform restriction.

If, however, you need to allow Bring Your Own Device (BYOD) for macOS, you can find instructions here: https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-your-device-in-intune-macos-cp.

Getting started

For this recipe, you will need a factory-reset device that is already added to either ABM or Apple Education and connected to the internet. If you wish to use Apple Configurator on an iPhone to add the Mac to ABM, follow the guide at the following link: https://support.apple.com/en-gb/guide/apple-configurator/apd65c9ff558/ios.

How to do it…

Use the following steps:

  1. Upon booting your device, you will first be presented with...