Until recently, macOS was an operating system for graphic designers, musicians and, more generally, the consumer market, while the corporate world ran almost exclusively on Windows; according to a survey conducted by the Parallels company, today more than 55% of companies use macOS devices or explicitly approve their use within their network.
Other interesting results on the adoption of these devices in the company reveal how employees believe that the choice of device affects productivity:
- 68% say that being able to select their favorite device makes them more productive in the workplace;
- 35% of respondents felt that using their favorite device made them proud of the place where they work.
In this article we will deal with the management of macOS devices through the features made available by the Microsoft Endpoint Manager solution.
One of the main points of attention in adopting Mac devices in the company has certainly been their management: this has meant adopting ad hoc solutions, which in turn brought additional licensing costs, additional maintenance costs and constant re-training of the IT department.
For this reason, Microsoft has extended the current management solutions to allow you to better control all the devices in the company; it is therefore possible to manage macOS devices in two ways:
- Traditional: the integration of the Parallels plug-in with Microsoft Endpoint Configuration Manager allows you to manage devices using an on-premises infrastructure.
- Modern: through Microsoft Intune, it is possible to manage macOS devices and protect the information they contain by exploiting all the potential of the cloud.
In the next paragraphs, we will see how the modern solution can be used to meet the various needs arising from the management of these endpoints.
A structured Mac provisioning procedure allows you to automate and customize as much as possible the process of introducing this type of device into the company; it also gives you a single procedure for the delivery of new workstations, for technological renewals and for the updating of existing workstations.
All this therefore reduces the IT workload in the provisioning and standardization process of the corporate platform.
Several provisioning solutions are available, depending on the type of management scenario you want to adopt for these devices:
- The first solution consists of manual enrollment through the installation and subsequent configuration of the Company Portal app, available on the Apple public store.
- The second solution, ideal for company-owned devices, is the adoption of Apple Automated Device Enrollment (or Apple ADE). This solution is the macOS counterpart of Windows Autopilot; it allows rapid provisioning of devices in supervised mode, with the consequent application of the entire set of available policies. The provisioning process through Apple ADE requires devices to be registered directly by Apple or an authorized reseller on the Apple Business Manager portal; once this procedure is completed, these devices are automatically synchronized to the Microsoft Endpoint Manager portal. If the macOS devices are not purchased directly from Apple or from an authorized reseller, it is still possible to enroll them manually in Apple Business Manager by scanning a QR code from the Apple Configurator application for iPhone.
- The third provisioning solution consists of enrolling devices through a DEM (Device Enrollment Manager) account; this solution is ideal for kiosk environments or wherever there is no association between user and device. This type of enrollment, however, comes with a series of limitations, such as the inability to use the Apple Volume Purchase Program channel to purchase applications.
Once the provisioning process is complete, we need to plan the configuration of these endpoints according to company policies.
This phase is intended to manage and secure the access and use of company services and information from Mac devices, while providing the same User Experience available on Microsoft platforms.
Through the Configuration Profiles (or Configuration Policies) available on the Microsoft Endpoint Manager portal, I have the ability to perform various types of configuration on macOS devices:
- Manage the operating system features and customize the user environment, such as: the configuration of printers using the AirPrint protocol, the management of other types of authentication (such as Okta), the ability to perform content caching;
- Control a whole series of device-level settings, such as blocking non-corporate features like Game Center, Apple Music and, above all, iCloud. The latter service cannot be managed and therefore sits outside the company perimeter; by deactivating it, I can inhibit the synchronization of credentials stored in the Keychain, data, emails, etc., which could be compromised if stored on this service.
- Block the ability to reset the operating system and unenroll from Intune.
- Provide VPN profiles, WiFi profiles, certificates and configurations for 802.1x Wired-Networks.
Finally, everything that cannot be done natively through the Microsoft Endpoint Manager admin center portal can be done through custom profiles, using configuration files with the .mobileconfig extension.
The configuration of these endpoints undoubtedly also includes the distribution of applications; Microsoft recently extended the package of applications that can be delivered through Microsoft Endpoint Manager with the introduction of applications in DMG format. In addition to this format, you can distribute:
- Microsoft Apps (Microsoft 365 Apps, Microsoft Edge, Microsoft Defender for Endpoint).
- Web Link.
- Line-of-Business apps in PKG format.
Protection and update
Device protection aims to prevent corporate devices from exposing the corporate network and information to a wide range of threats. Microsoft Endpoint Manager allows you to distribute configurations through policies called Endpoint Security Policies, which are strictly focused on securing devices; through these policies it is possible to:
- Manage the Firewall present on Apple devices with the possibility of defining exclusions at the app level.
- Encrypt volumes through FileVault, the macOS counterpart of Microsoft BitLocker; taking advantage of the full integration with the Microsoft 365 world, I have the possibility to save the recovery keys directly in Azure Active Directory.
- Activate anti-malware protection by entrusting it to Microsoft Defender for Endpoint (MDE), in order to adopt the advanced features present in the solution such as cloud-delivered protection, endpoint detection and response, potentially unwanted app protection, etc.
- Control files downloaded from the web via Gatekeeper, the macOS equivalent of Microsoft SmartScreen on Windows systems.
- Manage interactions between apps and the OS through System Extensions. System Extensions are used for applications that must interact with drivers (e.g. antivirus, VPN) and do nothing more than create trust relationships between the application and the operating system (kernel or system).
Through Microsoft Endpoint Manager, I have the ability to configure how and when my Apple devices can perform updates, in order to maintain an adequate level of security according to company standards; at the moment, this configuration is only possible through a Custom profile, but Microsoft is working to make it available directly via the UI.
As noted at the beginning of this article, until a few years ago the use of Macs in the company was difficult because of the many incompatibilities and integration difficulties with the Windows world; in the last 2 years, Microsoft and Apple have worked in synergy to allow optimal integration between the two worlds, especially on the identity front, in order to provide the same user experience regardless of the device used.
In the case of identities based on Active Directory or synchronized with Azure AD, it is possible to use the Apple Kerberos Single Sign-On Extension: this solution allows authentication to the corporate identity provider from Safari and native apps, so the same credentials are used from the moment I need to access company services. It is also possible to configure different providers depending on your Identity Provider, whether based on OpenID Connect, OAuth, Kerberos or SAML, and thus avoid using, and consequently managing, credentials tied to an Apple ID.
It is through this extension that I have the ability to synchronize the password of my corporate account, as well as to determine which applications can take advantage of SSO.
As for identities based on Azure Active Directory, you need to use the Microsoft Enterprise SSO plug-in for Apple devices.
This plug-in, developed by Microsoft in collaboration with Apple, is essential to allow authentication by cloud-native accounts and can be used in conjunction with the Apple Kerberos SSO Extension to access cloud resources.
The introduction of these two extensions therefore allows you to avoid the use of domain identities (and the consequent AD join) or mobile accounts, in favor of local accounts for authentication and access on these devices.
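Two of the points above are delivered to the device as a custom .mobileconfig profile: the software update schedule mentioned in the protection section, which today is only configurable through a Custom profile, and the Kerberos SSO extension described just above. The following is an added example, not code from the article or from Microsoft or Apple, showing how such a profile is built as a property list and then audited before upload so that a weak setting (here, iCloud Keychain sync left enabled, which is exactly the kind of leakage the iCloud discussion warns about) is caught. The organisation name, profile identifier, realm and host are placeholders; the payload types and keys are the ones documented by Apple for the Restrictions, Software Update and Extensible SSO payloads, and the baseline the audit enforces is an assumption of this example.

```python
"""Build and audit a custom macOS .mobileconfig profile (added example)."""
import plistlib
import uuid

# Placeholder organisation values: these are assumptions, not values from the article.
ORG = "Contoso IT"
PROFILE_ID = "com.contoso.macos.baseline"
KERBEROS_REALM = "CORP.CONTOSO.COM"
KERBEROS_HOSTS = ["corp.contoso.com"]


def _payload(payload_type: str, name: str, content: dict) -> dict:
    """Wrap the payload-specific keys with the common keys every payload needs."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PROFILE_ID}.{name}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        **content,
    }


def build_profile(allow_keychain_sync: bool = False) -> dict:
    """Return a device-scoped profile with restrictions, update and Kerberos SSO payloads."""
    restrictions = _payload("com.apple.applicationaccess", "Restrictions", {
        # Keep Keychain items and documents off iCloud (outside the company perimeter).
        "allowCloudKeychainSync": allow_keychain_sync,
        "allowCloudDocumentSync": False,
    })
    updates = _payload("com.apple.SoftwareUpdate", "SoftwareUpdate", {
        # Check, download and install macOS and security updates automatically.
        "AutomaticCheckEnabled": True,
        "AutomaticDownload": True,
        "AutomaticallyInstallMacOSUpdates": True,
        "CriticalUpdateInstall": True,
        "ConfigDataInstall": True,
    })
    sso = _payload("com.apple.extensiblesso", "KerberosSSO", {
        # Apple's built-in Kerberos credential extension, bound to the corporate realm.
        "ExtensionIdentifier": "com.apple.AppSSOKerberos.KerberosExtension",
        "TeamIdentifier": "apple",
        "Type": "Credential",
        "Realm": KERBEROS_REALM,
        "Hosts": KERBEROS_HOSTS,
    })
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadOrganization": ORG,
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "macOS security baseline",
        "PayloadContent": [restrictions, updates, sso],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialise the profile as the XML plist that Intune expects in a Custom profile."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


# Baseline the audit enforces (an assumption of this example, not a Microsoft or Apple default).
REQUIRED = {
    "com.apple.applicationaccess": {"allowCloudKeychainSync": False},
    "com.apple.SoftwareUpdate": {"AutomaticCheckEnabled": True, "CriticalUpdateInstall": True},
    "com.apple.extensiblesso": {"Type": "Credential"},
}


def audit(mobileconfig: bytes) -> list:
    """Parse a .mobileconfig and return findings; an empty list means it meets the baseline."""
    profile = plistlib.loads(mobileconfig)
    findings = []
    if profile.get("PayloadScope") != "System":
        findings.append("profile is not device-scoped (PayloadScope should be System)")
    present = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    for ptype, expected in REQUIRED.items():
        payload = present.get(ptype)
        if payload is None:
            findings.append(f"missing payload {ptype}")
            continue
        for key, value in expected.items():
            if payload.get(key) != value:
                findings.append(f"{ptype}: {key} should be {value!r}, got {payload.get(key)!r}")
    return findings


if __name__ == "__main__":
    blob = to_mobileconfig(build_profile())
    print(blob.decode())
    print("findings:", audit(blob) or "none")
```

Running the module prints the XML that would be pasted into the Custom profile and the audit result; the same `audit` function run against a profile that leaves `allowCloudKeychainSync` set to true reports the single deviation, which is the check a practitioner wants before the profile reaches a device group.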
A final aspect to take into consideration regarding identity management concerns the management of Apple IDs: through the Federated Authentication solution, you can connect your Azure Active Directory infrastructure to Apple Business Manager; this ensures that my Azure AD identities are synchronized to Apple Business Manager and can be used as real Apple IDs for accessing Apple services.
This feature keeps the personal and corporate contexts separate, since multiple Apple IDs can be registered on the same device.
One peculiarity, but a very important one to take into consideration, is that 60 days after the activation of the federation, all "personal" Apple IDs registered with the company address will be revoked.
From the moment this feature is activated, Apple sends a warning instructing the user to update their Apple ID with an e-mail address outside the corporate domain; if this is not done within the indicated deadline, Apple will automatically switch the account to a temporary domain.
Here are some useful references to the official documents:
- Set up enrollment for macOS devices in Intune
- macOS device settings to allow or restrict features using Intune
- Add a macOS DMG app to Microsoft Intune
- Kerberos Single sign-on extension with Apple devices
- Intro to federated authentication with Apple Business Manager
This article has provided the information needed to manage macOS devices in the best possible way; by adopting the Microsoft Endpoint Manager solution, it is possible to manage all the phases of the life cycle of Mac devices (and more) in a simple and centralized way.