Disclaimer: This blog is not intended to be advice on how to manage your environment. As the name suggests, these accounts are based on experiences I've had in my own lab. Always approach information you find outside (or inside, for that matter) official documentation with skepticism and follow the golden rule: never test in production.

For many Administrators, MDM for Windows has historically been a smattering of scripts, agents, group policy, and registry changes. No matter if you used ConfigMan, DesktopCentral, Smart Deploy, or even good ol' fashioned MDT, the underlying premise has always been the same: distribute a payload and run it.

With the advent of MDM in the cloud, very little has changed in this regard except the exposure we receive to the inner workings of the platform. With no on-prem infrastructure to build and maintain, we often learn just enough to make services like Intune do what we want and move on without a second thought to why or how. In my experience, this 'keep it simple' approach is fine for most small organizations; however, sooner or later we are all faced with a need to push the limits of what turn-key offerings can provide and look closely at the gears under the hood in order to move forward.

If you have ever managed an Apple device, you know this story all too well. Despite their market dominance of the mobile world, Apple maintains a fractional foothold in the desktop OS space and is thus often neglected by organizations where the MacOS footprint is limited to a handful of users. Platforms like JAMF or VMware's Workspace ONE are often considered too costly (whether that's true or not) to implement for such a limited use case, and Administrators are left to choose between leaving them un-managed or rejecting them from the environment entirely.

Source: Desktop OS market share 2020 | Statista

Enter the hero of our story: Microsoft Intune. The all-inclusive, one-stop shop for your device management needs. It's ready to integrate with everything Microsoft, and if you already pay for SCCM/MEMCM, EMS, or M365 E3 or E5 you already own it! Well… sort of. I'm not going to get into the licensing as (per usual) it's complicated. But it is true that with Intune we can manage Windows, iOS, Android, and MacOS, albeit with diminishing turn-key options as we go down the list. While Microsoft has made fantastic strides in their cross-platform capabilities all around, the fact of the matter is that when it comes to MacOS it flatly does not compare to other MDM providers that have offered Mac management for far longer.

There are a number of reasons, but to understand why we first have to understand how Apple's MDM architecture works. From a high level, Apple uses their Push Notification Service (APNS) to let the device know that it has new configurations to pull down. They do not, as commonly believed, PUSH configurations to the device. Once the notification is received, the device reaches out over HTTPS to exchange property lists (plists), executes the new MDM commands within them, then reports the results back to the MDM server. These MDM commands are baked into the OS by Apple and are therefore (usually) universally applicable regardless of the MDM provider (you can find a list of these commands and their supported devices HERE). However, generally speaking, this is where the similarities end. In order to do more, each provider must implement its own methodology to execute and deploy configurations beyond Apple's supported means.

Source: iOS Mobile Device Management (MDM) Architecture

A key difference that sets Intune apart from the likes of JAMF is the lack of a managed admin account. Whether the device is enrolled manually or through Automated Device Enrollment (ADE), the end user's account is the first and only one created out of the box. For better or worse, Intune leverages the root account (unless otherwise designated) to elevate and run functions like scripts and packages via the Intune Management Extension (not to be confused with Kernel or System Extensions). Without either of these, the user would be perpetually bombarded by Gatekeeper to elevate and implement everything we throw at them. Recently I had a customer looking to enable FileVault on a number of shared machines. While Intune can easily enable encryption on MacOS and escrow the recovery key for backup to Azure and rotation.
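The check-in flow described above (the push only wakes the device; the device then pulls commands over HTTPS as plists, runs only the RequestTypes baked into the OS, and reports results back) as an added Python model. This is not code from the original post, nor from Apple or Microsoft. The plist key names (UDID, Status, CommandUUID, RequestType, QueryResponses, ErrorChain) follow Apple's MDM protocol; the in-memory transport standing in for HTTPS, the two-command subset, the made-up `RunScript` request type, and the UDID and PushMagic values are all constructed for the example. The rejected `RunScript` is the point of the last paragraph: anything beyond the built-in command set needs the vendor's own agent, which for Intune is the Management Extension.

```python
"""Simplified model of the Apple MDM check-in flow (added example, not the
post's own code). plist key names follow Apple's MDM protocol; the transport,
command subset and identifiers are constructed stand-ins."""
import plistlib
import uuid


class MdmServer:
    """Per-device command queue plus the results devices report back."""

    def __init__(self):
        self.queue = {}    # udid -> list of pending command dicts
        self.results = {}  # CommandUUID -> plist the device answered with

    def enqueue(self, udid, request_type, **params):
        """Queue one command; the device only sees it at its next check-in."""
        command_uuid = str(uuid.uuid4())
        self.queue.setdefault(udid, []).append(
            {"CommandUUID": command_uuid,
             "Command": {"RequestType": request_type, **params}})
        return command_uuid

    @staticmethod
    def apns_payload(push_magic):
        """The push carries only the PushMagic token, never the configuration."""
        return {"mdm": push_magic}

    def handle_checkin(self, body):
        """Server side of one HTTPS PUT: read the device's plist, answer with
        the next command plist, or an empty body when nothing is pending."""
        report = plistlib.loads(body)
        udid = report["UDID"]
        if "CommandUUID" in report:           # result of the previous command
            self.results[report["CommandUUID"]] = report
        if report.get("Status") == "NotNow":  # device busy; keep the queue intact
            return b""
        pending = self.queue.get(udid, [])
        if not pending:
            return b""
        return plistlib.dumps(pending.pop(0))


class Device:
    """Device side: it can only run the RequestTypes its OS knows about."""

    def __init__(self, udid, server, model="MacBookPro-constructed"):
        self.udid = udid
        self.server = server
        self.info = {"Model": model, "UDID": udid}
        self.installed_profiles = []

    def wake(self, apns):
        """Entry point triggered by the APNS notification."""
        if "mdm" not in apns:
            return []
        return self.checkin()

    def checkin(self):
        """Report Idle, then execute commands until the server answers empty."""
        report = {"UDID": self.udid, "Status": "Idle"}
        executed = []
        while True:
            response = self.server.handle_checkin(plistlib.dumps(report))
            if not response:
                return executed
            command = plistlib.loads(response)
            executed.append(command["Command"]["RequestType"])
            report = self.execute(command)

    def _device_information(self, command):
        queries = command.get("Queries", [])
        return {"QueryResponses": {q: self.info.get(q, "") for q in queries}}

    def _install_profile(self, command):
        self.installed_profiles.append(command.get("Payload"))
        return {}

    # Built-in command subset modelled here; anything else is unknown to the OS.
    HANDLERS = {"DeviceInformation": _device_information,
                "InstallProfile": _install_profile}

    def execute(self, command):
        request_type = command["Command"]["RequestType"]
        reply = {"UDID": self.udid, "CommandUUID": command["CommandUUID"]}
        handler = self.HANDLERS.get(request_type)
        if handler is None:  # vendor-specific work needs the vendor's own agent
            reply["Status"] = "Error"
            reply["ErrorChain"] = [{"LocalizedDescription":
                                    "Unsupported RequestType " + request_type}]
            return reply
        reply["Status"] = "Acknowledged"
        reply.update(handler(self, command["Command"]))
        return reply


def demo():
    """Queue one built-in command and one made-up one, then wake the device."""
    server = MdmServer()
    device = Device("UDID-CONSTRUCTED-0001", server)
    ok = server.enqueue(device.udid, "DeviceInformation", Queries=["Model"])
    bad = server.enqueue(device.udid, "RunScript", Script="echo hi")  # not MDM
    executed = device.wake(MdmServer.apns_payload("push-magic-constructed"))
    return executed, server.results[ok]["Status"], server.results[bad]["Status"]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks both commands through one check-in: the built-in `DeviceInformation` comes back `Acknowledged` with a `QueryResponses` dictionary, while `RunScript` is answered with `Status: Error` because no such RequestType exists in the OS, and a `NotNow` status leaves the queue untouched for a later attempt.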