Update 7th May: excellent documentation and a guide to the various configuration options for Platform SSO for macOS with Intune is here: Configure Platform SSO for macOS devices | Microsoft Learn
Long-time readers of this blog will know that I worked for Microsoft’s Asia Pacific Education team from 2016-2023, supporting education customers across the region to “go modern” with their device management strategy and driving the value of M365 inside organisations. More recently, I’ve joined Cyclone, where I now use a MacBook Pro as my primary device (along with a Windows 365 subscription for good measure!) and am focused on helping organisations enjoy a premium managed Mac experience.
Whilst the concepts of managing a Mac with an MDM are similar to those of Windows 11, there has been a lot of learning for me over the previous few months: closer partnership with Apple, attending a lot of Apple and Jamf webinars, and asking lots of questions of organisations about how they currently manage their Macs (short answer: most do it very poorly).
The overwhelming message I hear from customers is that they firstly want to improve their employees’ experience when getting a new Mac, and secondly, they want to manage their Macs in a comparable manner to their Windows fleet, but most are struggling to get anywhere close to this level of experience.
Consequently, I read with interest a couple of Tweets / X Posts from Microsoft this morning:
These posts all point to this update which I encourage you to read closely: What’s new in macOS management: Platform SSO and more | Microsoft Intune blog
There is a heap in here, but given many organisations are most focused on the end user experience, Microsoft has helpfully created a walk-through video showcasing this experience:
Platform SSO
The ‘magic sauce’ making much of this possible is Apple’s Platform SSO functionality:
With Platform Single Sign-on (Platform SSO), developers can build SSO extensions that extend to the macOS login window, allowing users to synchronise local account credentials with an identity provider (IdP). The local account password is automatically kept in sync, so the cloud password and local passwords match. Users can also unlock their Mac with Touch ID and Apple Watch.
Platform Single Sign-on for macOS – Apple Support (NZ)
It is this capability that starts to bring the macOS experience far closer to what users have enjoyed for a long time with Windows 11 and Entra ID joined devices (formerly Azure AD joined, AADJ). As the Microsoft blog post from today explains, this is critical for those organisations on a Zero Trust journey:
Platform SSO is a win for security and productivity alike. From a security standpoint, SSO integrates with Apple’s Secure Enclave technology. This means that organizations can enable phishing-resistant, hardware-bound, passwordless authentication on Mac through Intune. For organizations implementing Zero Trust, this is a big win, especially since Intune is cloud native.
What’s new in macOS management: Platform SSO and more | Microsoft Intune blog
There are lots of buzzwords there that speak my love language: cloud IdP, SSO, passwordless authentication. If you’re serious about security and improving the end user experience inside your organisation, these are all things you should be considering as part of your endpoint management prerequisites.
At Cyclone, we are deep in the M365 ecosystem and yet many of our users have MacBooks as their primary device. I use the M365 Apps for Enterprise desktop and web apps every single day, and Edge is my default browser. This new Platform SSO powered experience means I get single sign-on into all my M365 apps from the moment I sign into the device (with my Entra ID credentials), bringing my macOS experience far closer to the Intune managed Windows 11 experience I am more familiar with.

As the video above showed, the ability to integrate the password experience with Apple’s Touch ID means an end user can essentially go passwordless when signing into their macOS device and M365 apps, replicating the hugely popular, and highly secure, Windows Hello for Business experience on Windows 11.
When I first joined Microsoft in 2016 they required forced password rotation every 60 days. This was eventually phased out, and with WHfB on my Surface Laptop, combined with MFA via the Microsoft Authenticator app, I virtually never used my password at all. In fact, at one point I went so long between entering passwords that I forgot my long and complex password. Fortunately, with Entra’s Self-Service Password Reset I was able to resolve this without needing to raise a support ticket.
Await Final Configuration Setting
In the past, I demonstrated to many security conscious organisations the ability of Intune’s Enrolment Status Page (ESP) to block user access to the device desktop until the full configuration of the device was completed. Whilst this slowed down the device deployment, it did ensure that critical security policies were deployed, e.g. disk encryption with BitLocker and enforced VPN access. It is really exciting to see this type of setting also landing inside Intune for macOS management:

I am engaging with multiple organisations now who operate in highly regulated industries where this level of enforced device configuration is an absolute minimum requirement before allowing an employee access to the desktop.
Streamlining The End User Experience: Setup Assistant Screens Configuration
One of the other features I always demonstrated in the Intune managed Windows experience was reducing the number of interactions a user had with the device during the deployment phase. Windows Autopilot made huge strides in this area by allowing an organisation to hide numerous settings from the user during enrolment (language/keyboard selection, EULA agreement, etc.). This is now possible in the macOS experience as well:

The key here is choice: many organisations offer their employees a choice of device (Windows 11 or macOS) and, to that end, some businesses want to allow their users to add their personal Apple ID to their work device, or to configure Apple Pay with their personal or business credit card. In that case, allowing the user to see those configuration screens during enrolment will certainly personalise the experience of their Mac and make it feel much more like the personal MacBook or iPad they may own at home.
However, other organisations absolutely do not want these options presented to users, and Intune now offers on macOS the same control that has been available on Windows 11 for a long time.
Managed Device Attestation Coming Soon In Intune
In a separate blog announcement made today, Microsoft announced that it will support Managed Device Attestation in 2024 H2:
As part of our ongoing partnership with Apple, Intune is planning to introduce support for the Automated Certificate Management Environment (ACME) protocol and managed device attestation for Intune-enrolled iOS, iPadOS, and macOS devices in the second half of 2024. This critical security feature will better help you verify that credentials cannot be lifted from authorized personal and corporate-owned devices. New and eligible personal devices and automated device enrollments will attempt to become attested. There will be no change to the end user onboarding experience, and the attestation status report described above will report on these devices, too.
Boost security with Microsoft Intune device attestation | Microsoft Intune blog

Both admins and end users will see that the ACME certificate is hardware-bound within the Settings app. This is the critical indication from the Apple device that the MDM certificate is bound to the hardware and stored in the secure enclave.
Final Thoughts
While still only in public preview, this is a big deal from Microsoft and shows their intent to be the MDM of choice for organisations with mixed device fleets, as well as their positioning of Entra ID as the premium cloud identity for business.
I have not gone into it in this post, but a configuration of Windows 11 + macOS + Entra ID + Intune certainly allows for a ‘single pane of glass’ experience, and when integrated with Conditional Access in Entra ID, a very granular, rules-based policy can be applied to ensure that corporate data is only accessible to authorised users on a managed, secured and compliant device, be that Windows 11 or macOS.
I know the wider Apple Practice Team at Cyclone will be getting hands-on with this new functionality now that it is in public preview, and I look forward to discussing it with customers interested in managing their macOS devices securely and offering a premium end user experience as well.