To make this scenario even easier we can support the user by configuring and providing the macOS Microsoft Azure AD single sign-on (how to configure link) experience within the Apple Desktop session for cloud resources. On the other hand, if I’m logged on to the device with a local user and have to authenticate against my cloud resources with my IDP managed identity, my data is still protected very well.
MAC OS ARCHITECTURE PASSWORD
Password change of the local account will not change the account managed by the IDP and vice versa. This account can be the same as the centrally managed account, but again it has no real relationship. Meaning right now, you have to have a local account on the device for logon. macOS does not provide the native support of a cloud identity provider (IDP) like Azure AD during OS logon (I’m hoping Apple decides to add this in the future). Logon to the OS and logon to services like SaaS applications in the browser session. Next, I will differentiate between two scenarios here.
I’m not going to consider a domain join this is not the future of identity management for me. First, I have to say, I want to look at options in a cloud-only approach. When we think of user logon it can mean different things. For me these 5 areas are the essential parts to look at, to accomplish all typical device management tasks.įollowing a small abstract for each of the areas to get a clearer picture what we can use with Microsoft Endpoint Manager and the cloud component Intune: And as last puzzle piece, we need a proper way of distributing software. Next, a way to handle additional tasks outside of the MDM protocol like executing scripts via an additional management agent to accomplish all the left-over tasks we couldn’t solve with MDM and configuration profiles. When we talk about management, we need a way to enroll the device into an MDM system, as MDM is the new golden standard for configuration management for all platforms. This user account is typically used for user logon and getting access to devices and resources. Let’s start with a short introduction what is necessary for macOS device management.Įverything starts with a user account within the enterprise. In the following paragraphs I describe my findings and my decisions why I chose the architecture like this.įirst of all, which components do we need in terms of management in general and which options do we have to fulfill the needs.
Yes, I will come up with some tweaks here and there, but we will see an approach which works very well. The question is… How well can a macOS device be managed via Intune? Especially if you already have a management system like Intune in place which is capable of managing macOS. I also need to build expertise for these tools and can’t use already existing management tool knowledge, which is something I really like to avoid to a certain degree. As Microsoft 365 customers already have Intune, an additional second management system for macOS introduces additional licenses fees, different operational efforts, and of course maintenance.
MAC OS ARCHITECTURE WINDOWS
So, I looked at ways to manage a macOS similar to Windows with Microsoft Intune. This way we get synergy effects during day-by-day operations. The goal should be to have a common management strategy, using mostly the same tools and infrastructure components we are familiar with. It could be the marketing department, developers and often seen in the C-level departments. Most companies I engage with do have the majority of devices running Windows, but there is always a certain amount of percentage running macOS.
MAC OS ARCHITECTURE ANDROID
Microsoft Intune is great when it comes to managing Windows devices and for sure it doesn’t need to hide when it comes to mobile phones like Android phones or Apple phones.