Intune macOS Management
Level 500 reference for macOS enrollment, Apple Business Manager, configuration profiles, Platform SSO, FileVault, apps, compliance, declarative device management, and troubleshooting.
Successful macOS management comes from clean ABM assignment, ADE, declarative policies, Platform SSO, and reliable FileVault escrow. Skip one of those building blocks and both support effort and security gaps rise sharply.
Operating model and roles
ADE, Company Portal, and UAMDM
Token, assignment, and await configuration
Device features, VPN, Wi-Fi, PPPC
Shell scripts and custom attributes
Platform SSO, FileVault, and extensions
PKG, DMG, Microsoft 365, VPP
APIs, PowerShell, and logs
Architecture and operating model
Intune manages macOS through Apple's MDM framework. Durable designs plan ABM, Intune, Entra ID, certificate services, recovery processes, and support runbooks together rather than one component at a time.
| Component | Purpose | Level 500 note |
|---|---|---|
| ABM / ASM | Device assignment and app licensing | Monitor the MDM server token and the Apps and Books token separately, each with a documented owner |
| Automated Device Enrollment | Zero-touch initial provisioning | Standard for new corporate Macs; existing devices only after a full erase, because ADE only runs through Setup Assistant |
| Entra ID | Identity, compliance, and Conditional Access | Plan groups, SSO, and CA early so pilot and production stay aligned |
| Settings catalog | Modern configuration control | Preferred over custom profiles because conflicts and versioning are visible per setting |
| Shell scripts | Supplemental configuration and checks | Use only idempotent scripts and log every side effect locally |
| Recovery model | FileVault and break-glass processes | PRK escrow without a tested recovery is not a complete security process |
Enrollment methods
For macOS, Microsoft Learn distinguishes Automated Device Enrollment, device enrollment through Company Portal, and direct enrollment. User Approved MDM is not a separate method but an approval state: ADE enrollments reach it automatically, every other enrollment needs the user to approve the MDM profile before protected payloads apply. The choice depends on ownership, whether the device can be erased, and the depth of zero-touch provisioning you need.
| Method | Use case | Flow | Comment |
|---|---|---|---|
| ADE with user affinity | New corporate Macs assigned to one user | Setup Assistant, modern authentication, automatic Intune registration | Best foundation for Platform SSO, FileVault, and compliance from the first sign-in |
| ADE without user affinity | Shared Macs, labs, kiosks | Device-centric enrollment path with no primary user | Not intended for knowledge-worker SSO or user-targeted app assignment |
| Company Portal device enrollment | Existing devices or BYOD | Sign in to Company Portal, install the management profile, approve it in System Settings | Works, but without the supervision and zero-touch benefits of ADE |
| Direct enrollment | Special-purpose or shared devices | Device-based enrollment through an exported enrollment profile, with no user affinity | App and identity scenarios are limited |
| User Approved MDM | Required for many protected payloads on non-ADE devices | The user explicitly approves the MDM profile in System Settings | Without UAMDM, PPPC, extension, and FileVault payloads are not applied |
| Post-purchase ABM assignment | Refreshing existing hardware | Apple Configurator adds the device to ABM; the Mac is then erased and enrolled through ADE | Important for standardization after acquisitions or shadow-IT estates |
# Inventory of every Intune-managed Mac (Microsoft Graph PowerShell SDK)
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"
Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'macOS'" -All |
    Select-Object DeviceName, UserPrincipalName, ComplianceState, ManagementAgent, EnrolledDateTime
Apple Business Manager / School Manager
ABM and ASM are the device source for ADE and the license source for Mac App Store apps. Token hygiene, device assignment, enrollment profiles, and await configuration belong in a fixed operational procedure. The JSON after the table sketches the enrollment-profile settings that matter; its property names are illustrative rather than the exact Graph schema.
| Object | Function | Operational focus |
|---|---|---|
| MDM server token | Trust between ABM and Intune | Monitor expiration, rehearse renewal, and limit ABM administrator access to a few named people |
| Device assignment | Binds a serial number to the Intune MDM server in ABM | Verify before handing the device over; an unassigned serial never receives the enrollment profile and ADE will not start |
| Enrollment profile | Defines Setup Assistant screens, user affinity, and device naming | Use separate profiles for shared devices, knowledge workers, and specialty hardware |
| Await final configuration | Holds the device in Setup Assistant until mandatory policies have arrived | Use only for a slim mandatory set so the out-of-box experience does not become excessively long |
| Apps and Books token | Synchronizes VPP / Mac App Store app licenses | Document region, token ownership, and device-based versus user-based licensing |
| Managed Apple IDs | Apple service identity, not the primary macOS sign-in | Align federation and end-user communication carefully |
{
"displayName": "macOS ADE Corporate",
"description": "User-affinity profile with await configuration",
"awaitDeviceConfigured": true,
"deviceNameTemplate": "MAC-%SERIAL%",
"supervisedModeEnabled": true,
"configuredSetupItems": ["AppleID", "Siri", "Privacy", "ScreenTime"]
}
Configuration profiles and settings
The macOS configuration surface in Intune covers device features, device restrictions, VPN, Wi-Fi, email, endpoint protection, extensions, PPPC, and custom profiles. A durable reference organizes these payloads by dependency (certificate before Wi-Fi, PPPC before the extension that needs it) rather than by portal menu.
| Profile family | Typical payloads | Deep-use guidance |
|---|---|---|
| Device features | Single sign-on extension, login items, notifications, login window | Use for a standardized user experience and modern SSO scenarios |
| Device restrictions | Password, Screen Time, iCloud, Siri, software update, media | Align with business stakeholders so restrictions do not block legitimate edge cases |
| VPN | IKEv2, per-app VPN, on-demand rules | Always test certificates, DNS, and app traffic together |
| Wi-Fi | WPA2/WPA3 Enterprise, 802.1X, EAP-TLS, hidden SSID | Treat the trust (root CA) profile, the SCEP or PKCS certificate profile, and the Wi-Fi payload as one dependency chain |
| Email | Exchange ActiveSync and IMAP | Use only where it complements rather than replaces the Outlook or browser strategy |
| Endpoint protection | FileVault, firewall, Gatekeeper | Do not operate in isolation; align with compliance policy and Defender |
| Extensions | System extensions, kernel extensions, DNS proxy, content filter | Allow only signed and documented vendor packages, identified by team ID and bundle ID |
| PPPC / TCC | Camera, microphone, screen capture, accessibility, automation | Derive the code requirement exactly from the signed application build (codesign -dr -), never by hand |
| Custom profiles | mobileconfig for Apple payloads Intune does not yet model | Use only with version control and a named owner |
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <!-- PayloadIdentifier, PayloadUUID and PayloadVersion are required at both levels; generate fresh UUIDs with uuidgen -->
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.contoso.notifications</string>
  <key>PayloadUUID</key><string>6F9A2D3C-7B1E-4E5A-8C2D-0A1B2C3D4E5F</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Contoso notification settings</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.notificationsettings</string>
      <key>PayloadIdentifier</key><string>com.contoso.notifications.alerts</string>
      <key>PayloadUUID</key><string>1D2E3F4A-5B6C-4D7E-8F9A-0B1C2D3E4F5A</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>NotificationSettings</key>
      <array>
        <dict>
          <key>BundleIdentifier</key><string>com.microsoft.CompanyPortalMac</string>
          <key>NotificationsEnabled</key><true/>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
Platform SSO, PPPC, extensions, and FileVault
Platform SSO ties Entra ID into the local macOS sign-in. Together with Kerberos, the Secure Enclave, PPPC, system extensions, and FileVault it forms the modern macOS security chain in Intune.
| Topic | Deep setting | Practice note |
|---|---|---|
| Platform SSO | Entra sign-in, token caching, local session integration | Pair with a help-desk process for offline sign-in and password changes |
| Kerberos | Ticket access for SMB, intranet, and hybrid apps | Test realm, DNS, and ticket lifetime separately |
| Secure Enclave | Protection of local secrets and hardware binding | Relevant for modern authentication (Secure Enclave-backed Platform SSO keys) and for recovery design |
| PPPC | Access to camera, microphone, screen recording, automation | A wrong team ID, bundle ID, or code requirement means the payload never matches the binary and has no effect at all |
| System extensions | Network filters, Defender agents, VPN extensions | Roll out together with the matching PPPC and network extension configuration |
| Kernel extensions | Legacy hardware or older security products | Use only as a transition; migrate to system extensions long term |
| FileVault | Silent enablement, PRK escrow, rotation | ADE and the bootstrap token make reliable escrow significantly easier |
# Requires Connect-MgGraph with DeviceManagementConfiguration.Read.All; pages through @odata.nextLink
# and filters on the object type (every macOS profile type starts with microsoft.graph.macOS), not on the display name
$uri = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"
$profiles = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $profiles += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)
$profiles | Where-Object { $_.'@odata.type' -like '#microsoft.graph.macOS*' } |
    Select-Object id, displayName, '@odata.type'
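The PPPC rows above insist on deriving team ID, bundle ID, and code requirement from the signed binary. The following added example (not code from the original page, and not an Intune or Apple tool) does exactly that: it takes the text printed by `codesign -dr -` and extracts the designated requirement, the bundle identifier, and the team ID, then compares them with what a PPPC profile is about to claim. The functions take the codesign output as a string, so the constructed sample below (in codesign's output format, using Microsoft's published Company Portal bundle identifier and team ID; the executable path is illustrative) exercises them without a Mac. The Mac App Store case, where the requirement carries no subject.OU team ID, is handled as a separate verdict rather than silently passing.

```bash
#!/bin/bash
# Added example, not from the original page: derive PPPC identity fields
# (bundle identifier, team ID, code requirement) from `codesign -dr -` output
# so the TCC payload matches the binary that actually ships.

# Designated requirement: the text codesign prints after "designated => "
designated_requirement() {
  printf '%s\n' "$1" | sed -n 's/^designated => //p'
}

# Bundle identifier: the quoted value after "identifier"
bundle_id_from_requirement() {
  printf '%s\n' "$1" | sed -n 's/.*identifier "\([^"]*\)".*/\1/p'
}

# Team ID: Developer ID and Apple Development signatures carry it as subject.OU;
# Mac App Store signatures do not, so this may legitimately print nothing.
team_id_from_requirement() {
  printf '%s\n' "$1" | sed -n 's/.*certificate leaf\[subject\.OU\] = \([A-Z0-9]*\).*/\1/p'
}

# Compare what the binary says with what the PPPC profile claims.
# Prints OK or the first mismatch found; never "fixes" the profile silently.
pppc_identity_check() {           # pppc_identity_check CODESIGN_OUTPUT EXPECTED_BUNDLE EXPECTED_TEAM
  local req bundle team
  req="$(designated_requirement "$1")"
  [ -n "$req" ] || { echo "NoDesignatedRequirement"; return 0; }
  bundle="$(bundle_id_from_requirement "$req")"
  team="$(team_id_from_requirement "$req")"
  if [ "$bundle" != "$2" ]; then echo "BundleMismatch:$bundle"; return 0; fi
  if [ -z "$team" ]; then echo "TeamIDMissing"; return 0; fi
  if [ "$team" != "$3" ]; then echo "TeamMismatch:$team"; return 0; fi
  echo "OK"
}

# Constructed sample in codesign's output format (identifier and team ID are
# Microsoft's published values for Company Portal; the path is illustrative).
SAMPLE_CODESIGN="$(printf '%s\n%s' \
  'Executable=/Applications/Company Portal.app/Contents/MacOS/Company Portal' \
  'designated => identifier "com.microsoft.CompanyPortalMac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9')"

main() {
  local out
  if [ -n "$1" ] && command -v codesign >/dev/null 2>&1; then
    out="$(codesign -dr - "$1" 2>&1)"      # codesign writes the display to stderr
  else
    out="$SAMPLE_CODESIGN"                  # off a Mac: use the constructed sample
  fi
  printf 'CodeRequirement: %s\n' "$(designated_requirement "$out")"
  printf 'Check: %s\n' "$(pppc_identity_check "$out" "com.microsoft.CompanyPortalMac" "UBF8T346G9")"
}
main "$@"
```

Run it on a Mac with the app bundle path as the only argument; the printed CodeRequirement is the string to paste into the PPPC payload, and anything other than `Check: OK` means the profile would never match the binary.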
Shell scripts and custom attributes
Shell scripts fill gaps in native Intune settings, while custom attributes return inventory and state values. Keep the line sharp: scripts change systems, custom attributes describe them.
| Type | Characteristics | Recommendation |
|---|---|---|
| Shell script | One-time or recurring, root or user context | Idempotent only, with local logging and clear exit code logic |
| System context | Access to /Library, daemons, and system-wide settings | Standard for baseline configuration |
| User context | Access to the user profile and per-user preferences | Use only when a user is reliably signed in |
| Execution frequency | One-time, recurring, or per check-in | Run validation scripts more often and configuration scripts less often |
| Custom attribute | Short return value for inventory and reporting | Use stable keys such as RosettaInstalled or SecureTokenState |
| Logging | stdout, stderr, and local files | Write logs under /Library/Logs/<Company> with timestamps |
#!/bin/zsh
# Health snapshot for support: enrollment and FileVault state, timestamped per run
logFile="/Library/Logs/Contoso/intune-health.log"
mkdir -p "$(dirname "$logFile")"
echo "=== $(date -u '+%Y-%m-%dT%H:%M:%SZ') ===" >> "$logFile"
profiles status -type enrollment >> "$logFile" 2>&1
fdesetup status >> "$logFile" 2>&1
#!/bin/zsh
# Custom attribute: oahd is the Rosetta 2 daemon, present only once Rosetta is installed on Apple silicon
if /usr/bin/pgrep oahd >/dev/null 2>&1; then
  echo "RosettaInstalled=True"
else
  echo "RosettaInstalled=False"
fi
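The table asks for custom attributes that return one short, stable value and for scripts whose parsing is explicit. The following added example (written for this page, not code from the original or from Microsoft) is a custom attribute that folds enrollment state and FileVault state into a single line. The classification lives in functions that take command output as a string, so it can be checked against the constructed sample output below, which follows the format `profiles status -type enrollment` and `fdesetup status` print; the `Enrollment=...;FileVault=...` value format is an assumed naming convention, not an Intune one. Off a Mac the script falls back to the sample, on a Mac it runs the real commands.

```bash
#!/bin/bash
# Added example, not from the original page: an Intune custom attribute that
# reports enrollment and FileVault state as ONE short, stable value.
# Output format (assumed naming):
#   Enrollment=<ADE|UAMDM|MDM-NotApproved|NotEnrolled>;FileVault=<On|Deferred|Off|Unknown>

has_line() {                      # has_line TEXT PATTERN -> 0 when PATTERN occurs in TEXT
  printf '%s\n' "$1" | grep -q -- "$2"
}

# Classify the output of: profiles status -type enrollment
enrollment_state() {
  local out="$1"
  if has_line "$out" 'Enrolled via DEP: Yes' && has_line "$out" 'MDM enrollment: Yes'; then
    echo "ADE"                    # ADE enrollments are user-approved by definition
  elif has_line "$out" 'MDM enrollment: Yes (User Approved)'; then
    echo "UAMDM"                  # user-initiated enrollment, approved in System Settings
  elif has_line "$out" 'MDM enrollment: Yes'; then
    echo "MDM-NotApproved"        # enrolled, but PPPC and extension payloads will not apply
  else
    echo "NotEnrolled"
  fi
}

# Classify the output of: fdesetup status
filevault_state() {
  local out="$1"
  if has_line "$out" 'FileVault is On'; then
    echo "On"
  elif has_line "$out" 'Deferred enablement'; then
    echo "Deferred"               # policy arrived, user has not completed enablement yet
  elif has_line "$out" 'FileVault is Off'; then
    echo "Off"
  else
    echo "Unknown"                # command missing or unexpected output: never guess "On"
  fi
}

custom_attribute_value() {        # custom_attribute_value PROFILES_OUTPUT FDESETUP_OUTPUT
  printf 'Enrollment=%s;FileVault=%s\n' \
    "$(enrollment_state "$1")" "$(filevault_state "$2")"
}

# Constructed sample output in the format the two macOS commands print.
SAMPLE_PROFILES_ADE="$(printf 'Enrolled via DEP: Yes\nMDM enrollment: Yes (User Approved)\n')"
SAMPLE_FDESETUP_ON='FileVault is On.'

main() {
  local p f
  if command -v profiles >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
    p="$(profiles status -type enrollment 2>/dev/null || true)"
    f="$(fdesetup status 2>/dev/null || true)"
  else                            # not on macOS: fall back to the constructed sample
    p="$SAMPLE_PROFILES_ADE"; f="$SAMPLE_FDESETUP_ON"
  fi
  custom_attribute_value "$p" "$f"   # exactly one line on stdout, exit 0
}
main
```

Deploy it as a custom attribute in the system context; a value such as `Enrollment=MDM-NotApproved;FileVault=Off` in the report immediately explains why protected payloads are not landing on that Mac.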
Apps, compliance, updates, and DDM
On macOS, app lifecycle, compliance, and software update belong together. Enterprise apps must coexist with Gatekeeper, FileVault, Platform SSO, and update deadlines; DDM moves more of the evaluation onto the device itself.
| Workload | Support | Deep operational note |
|---|---|---|
| PKG apps | Preferred installation path for managed software | Test the silent installer, the detection rule, and the exit codes separately |
| DMG apps | For drag-and-drop or vendor-specific packages | Detection rules require special care because a DMG leaves no installer receipt |
| Microsoft 365 Apps for Mac | Suite deployment with update channel control | Align the Microsoft AutoUpdate (MAU) channel with change management and add-ins |
| LOB apps | Internal PKG or wrapper packages | Code signing and notarization are mandatory for smooth rollouts past Gatekeeper |
| Web clips | Self-service or portal shortcuts | Good for transitions, but no substitute for a real app or browser strategy |
| Mac App Store / VPP | App Store deployment through the ABM Apps and Books token | Prefer device-based assignment when personal Apple IDs should be avoided |
| Compliance | Minimum OS, password, encryption, firewall, SIP | Synchronize with Conditional Access and update rings |
| Software updates | Deferral, deadline, user experience | Separate minor and major waves and announce deadlines |
| Declarative Device Management | Passcode and managed-app state evaluated locally | Useful for resilient offline behavior and fewer round trips to the MDM server |
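The PKG and DMG rows stress that detection is where macOS app deployments usually go wrong. The following added example (written for this page, not Intune's or Apple's code) is a custom detection script for a macOS PKG app. It assumes the Intune custom-detection convention that the app counts as detected when the script exits 0 and writes something to stdout, and as not detected when stdout stays empty; the app path and minimum version are illustrative placeholders. The version comparison is numeric and dotted, implemented in plain shell because macOS `sort` has no `-V`, and the decision is kept in a pure function so it can be checked without the app installed.

```bash
#!/bin/bash
# Added example, not from the original page: custom detection script for an
# Intune macOS PKG app. Assumes "exit 0 + non-empty stdout" means detected.

APP_PATH="/Applications/Contoso Agent.app"   # assumed app bundle (placeholder)
MIN_VERSION="2.4.0"                          # assumed minimum acceptable version

# Numeric dotted-version compare: returns 0 when $1 >= $2 (missing parts count as 0).
# Assumes purely numeric components (2.4.0), not suffixes such as 2.4.0b1.
version_ge() {
  local a="$1" b="$2" x y
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0
}

# Read CFBundleShortVersionString from the app bundle; prints nothing when absent.
installed_version() {
  [ -d "$1" ] || return 0
  /usr/bin/defaults read "$1/Contents/Info" CFBundleShortVersionString 2>/dev/null || true
}

# Pure decision: prints "Detected <version>" when installed and new enough,
# prints nothing otherwise, and always returns 0 so Intune reads stdout, not the exit code.
detection_result() {              # detection_result INSTALLED_VERSION MIN_VERSION
  local installed="$1" min="$2"
  [ -n "$installed" ] || return 0            # not installed
  if version_ge "$installed" "$min"; then
    echo "Detected $installed"
  fi
  return 0
}

detection_result "$(installed_version "$APP_PATH")" "$MIN_VERSION"
```

Because an installed-but-outdated app yields an empty stdout, Intune treats it as not detected and reinstalls the newer PKG, which is the behaviour you want for a required app; set MIN_VERSION to the version inside the PKG you are deploying.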
Graph API, PowerShell, and troubleshooting
Graph API, the Graph PowerShell SDK, legacy Microsoft.Graph.Intune scripts, and local Apple logs matter for automation and troubleshooting. A good runbook links portal state, local profiles, Setup Assistant symptoms, and Company Portal logs.
The most common macOS failures do not come from a single policy but from expired tokens, unclear ownership, or missing local logs. Documented renewal procedures and a standardized log path do the most to reduce escalations.
| Area | Example | Practical use |
|---|---|---|
| Graph deviceConfigurations | Read and version macOS profile objects | Always export @odata.type and assignments along with the profile |
| Graph configurationPolicies | Settings catalog policies for macOS | The right base for infrastructure-as-code style policy management |
| Graph managedDevices | Inventory and compliance state of all Macs | Filter on operatingSystem eq 'macOS' to keep reports small |
| Microsoft.Graph.Intune | Legacy runbooks such as Get-IntuneManagedDevice | Only for legacy estates; write new scripts against the Microsoft.Graph SDK |
| Enrollment failures | ADE does not start or UAMDM is missing | Check ABM assignment, whether the Mac was actually erased, and user rights |
| Profile delivery | PPPC or extensions do not apply | Compare team ID, bundle ID, and codesign output with the payload, then read log show |
| Log collection | profiles, log show, Console.app, Company Portal logs | A fixed support checklist saves significant time |
# Legacy Microsoft.Graph.Intune module; keep only for existing runbooks
Connect-MSGraph
Get-IntuneManagedDevice -Filter "contains(operatingSystem,'macOS')" |
    Select-Object deviceName, complianceState, enrolledDateTime
# Local checks on the Mac itself: enrollment profile, MDM client log of the last 30 minutes, FileVault state
profiles show -type enrollment
log show --predicate 'subsystem == "com.apple.ManagedClient"' --last 30m
sudo fdesetup status