MacOS Management with InTune / SCCM?

DHR · 9 Apr 2020 at 10:27

Has anyone recently gone through this, understand SCCM and InTune have now kind of merged into one supported product.

I've got a small fleet of MacOS devices I'll have to manage, biggest thing for me is getting the agent installed easily, then rolling out basics such as O365 etc. without local admin rights?

TechMinerUK · 10 May 2020 at 15:57

So, we are doing a lot with Intune at work at the moment and I can definitely say SCCM and Intune are not merged into one nor will they be (They broke that dream a few years ago when they severed integration between the two)

The issue you are going to have with MacOS is you are stuck with self enrollment, we have had a few customers who have Macs and are using Intune and we generally try manually work around the users to enrol into Intune and for those we can't we drew up a generic guide for them. It's not too hard but it will require a local admin account on the system as there is no way to silently push it unless you are on the Apple DEP program or already have some sort of MDM solution in place

We use the following steps

Send user a link to Company Portal app for OSX
Get user to download and install app (Requires local administrator)
Get user to sign in with credentials
Customer selects ownership type for device (Can be changed later if they mess it up)
We add device to security groups (I use dynamic groups so I don't have to do anything)
Security groups apply encryption and AV policies
Publish apps in portal for users to download

DHR · 10 May 2020 at 21:12

Amazing thank you so much really helpful, proper insight into these things before heading straight into them is so valuable!

Do you leave the users with local admin?

TechMinerUK · 11 May 2020 at 19:05

DHR said:
Amazing thank you so much really helpful, proper insight into these things before heading straight into them is so valuable!
Do you leave the users with local admin?

No problem

So it's a bit unusual on this one, if it's the users own Mac (BYOD) then they are left as an admin, if not and the user has no need to be an admin we create our own service desk account on the Mac and give them a standard account.

Macs are hard because Intune still doesn't give us the ability to authenticate users against AzureAD

DHR · 11 May 2020 at 20:08

Makes sense admin wise, we've got ours authenticating against a local active directory via LDAP but it has been problematic at times.

Remote control software I've currently got in place has been a bit of an issue of late as it requires admin since MacOS was updated, not sure if that can be pre-instaled yet or not with not having physical access to the devices at the moment.

Did you have the option of SCCM or was it intune only?

Are the install packages available to uses scripted up with anything like JamF or is it all just native tooling?

TechMinerUK · 11 May 2020 at 22:32

DHR said:
Makes sense admin wise, we've got ours authenticating against a local active directory via LDAP but it has been problematic at times.
Remote control software I've currently got in place has been a bit of an issue of late as it requires admin since MacOS was updated, not sure if that can be pre-instaled yet or not with not having physical access to the devices at the moment.
Did you have the option of SCCM or was it intune only?
Are the install packages available to uses scripted up with anything like JamF or is it all just native tooling?

Yeah, one of our customers has Mac auth via LDAP and it's a small nightmare to say the leasy (Binds keep dying)
For remote control it might be worth while into looking at an RMM program, we used CentraStage/DattoRMM and we can pre-load it on PC's and Macs for remote control without issue. I also use ComodoOneRMM at home which allows for the same I think
The place where we rolled out the above was Intune only (They weren't big enough to have SCCM) but we did have another customer with SCCM however integration is pretty severed with ConfigMgr being the main reminant for enrollment into Intune but their is no co-management any more. ConfigMgr just enrolls it for you
Jamf does have integration with Intune for compliance but I have never used it so mileage may vary, from what I have read it is just for compliance however personally JamF has a better reputation for MacMDM over Intune