Most companies I engage with do have the majority of devices running Windows, but there is always a certain amount of percentage running macOS. Microsoft Intune is great when it comes to managing Windows devices and for sure it doesn’t need to hide when it comes to mobile phones like Android phones or Apple phones. To add an Office 365 account: Select the Office 365. This will allow Fantastical to connect using any single-sign-on or multi-factor authentication methods used by your organization. If your organization uses Office 365 then it is better to add your account as an Office 365 account rather than an Exchange account. Adding an Office 365 account.As Microsoft 365 customers already have Intune, an additional second management system for macOS introduces additional licenses fees, different operational efforts, and of course maintenance. So, I looked at ways to manage a macOS similar to Windows with Microsoft Intune. This way we get synergy effects during day-by-day operations. The goal should be to have a common management strategy, using mostly the same tools and infrastructure components we are familiar with.
Office 365 My Workspace Mac And IPadCitrix Workspace Mac Version. If asked, enter your.We recommend using My Workspace with Office 365 for Mac. The question is… How well can a macOS device be managed via Intune?Mac and iPad owners with corresponding Microsoft 365 subscriptions can access and download those applications using Apples App Store. Especially if you already have a management system like Intune in place which is capable of managing macOS.My Workspace is a menu bar that offers quick access to Short answer, very well □. I dont need to spend time on my folder to open the documents I need, no time to look at my Bookmarks in the web browser.Microsofts Garage team has a new tool designed to make using Office 365 on your Mac a little easier. Each time I work on a new project, I set a new Workspace and it boosts my productivity. Simplifying access to information and all your applications based on your role, location and on any device, that is Workspace 365. In the following paragraphs I describe my findings and my decisions why I chose the architecture like this.Everything you need based on your role, device & location in one workspace. Yes, I will come up with some tweaks here and there, but we will see an approach which works very well. When we talk about management, we need a way to enroll the device into an MDM system, as MDM is the new golden standard for configuration management for all platforms. This user account is typically used for user logon and getting access to devices and resources. Enter your Name and Microsoft 365 Email Address, and.First of all, which components do we need in terms of management in general and which options do we have to fulfill the needs.Let’s start with a short introduction what is necessary for macOS device management.Everything starts with a user account within the enterprise. Select Exchange and Continue. I’m not going to consider a domain join this is not the future of identity management for me. First, I have to say, I want to look at options in a cloud-only approach. For me these 5 areas are the essential parts to look at, to accomplish all typical device management tasks.Following a small abstract for each of the areas to get a clearer picture what we can use with Microsoft Endpoint Manager and the cloud component Intune:When we think of user logon it can mean different things. And as last puzzle piece, we need a proper way of distributing software. Password change of the local account will not change the account managed by the IDP and vice versa. This account can be the same as the centrally managed account, but again it has no real relationship. Meaning right now, you have to have a local account on the device for logon. MacOS does not provide the native support of a cloud identity provider (IDP) like Azure AD during OS logon (I’m hoping Apple decides to add this in the future). Logon to the OS and logon to services like SaaS applications in the browser session. In addition, we have two options for enrollment with user affinity and an option without user affinity. Microsoft Intune supports this enrollment experiences for the macOS devices. That means during the enrollment process we have cloud IDP support and therefore can force the user to authenticate against Azure AD and do additional MFA for example. The latest additions to the Automated Device Enrollment (ADE) (formerly known as DEP) supports Apple Setup Assistant with modern authentication. To make this scenario even easier we can support the user by configuring and providing the macOS Microsoft Azure AD single sign-on (how to configure link) experience within the Apple Desktop session for cloud resources.Here it will become interesting. Epson print cd software for mac lionThe compliance policies are most important for the Conditional Access scenarios.Special modifications (like configurations which can’t be done via configuration profile) are typically done via shell scripts, as they provide the maximum on flexibility. For Compliance policy processing we need the Company Portal here as well. These are typically security configurations as well as configurations for usability or look and feel (wallpaper etc.). In addition, we have the “ user approved enrollment” scenario, driven by the Microsoft Company Portal, and a “ direct enrollment” scenario for enrollment with no user affinity.Once enrolled we can configure the devices with MDM configuration profiles provided by Microsoft Intune. With ADE we have the most streamlined experience with minimal user input. ![]() Hopefully we get IDP support in future.By keeping the local user account and using the SSO plug-in, we have a pretty good user experience when it comes to the sign-ins. Cloud management is the way for the future, so we are not going to build some (legacy) local Active Directory and bind the macOS to a domain. Without proper IDP support for Azure AD during logon, we have to keep the local user logon in my opinion, but we support the user by deploying the Microsoft Enterprise SSO plug-in for macOS. User LogonThere is not very much to say for macOS. In my opinion we have a pretty good trade-off, even if the device logon account is not a real logon with an Azure AD account.There are solutions on the market to add some kind of IDP support to the logon like Jamf Connect. Okay, we lose somehow the central management of the device login account, but in fact if we utilize more and more cloud services, we have the majority of our data in the cloud and the access to these services is managed centrally by Azure AD, protected by Conditional Access. I expect to see more and more applications successfully working with SSO in future (with an exception if an application ships their own network layer implementation). MacOS version 10.15 and the Company Portal must be deployed, as the plug-in will be delivered by the Company Portal. The plug-in relies on the Apple Enterprise SSO framework and you have to use at min. Credentia is another approach for on-the-fly user provisioning at the logon screen. With updates from Apple for the macOS system you might face severe logon issues in your enterprise. If something changes, e.g. I’m not really convinced by this approach and it looks like bolt-on solution to me. We get just an on-top layer of managing the local user. The process is very similar to the Windows Autopilot User-Driven deployment mode. If you want to see how this looks like, I really recommend the following guide from Hubert Maslowski, he did a great run-through in his blog article macOS Setup Assistant with Modern Authentication in MEM/Intune. Device EnrollmentClearly to say, the best user experience is to do an Automated Device Enrollment with user affinity using the Apple Setup Assistant with modern authentication. If someone is interested in one of the solutions, I recommend to check them out, but they come with a price tag and again I still think, nothing is perfect at the moment until we have native IDP support at logon, but I also think for the minority of devices a local user and SSO plug-in works quite well.
0 Comments
Leave a Reply. |
AuthorKang ArchivesCategories |