Microsoft's 'Intune my Macs' Project Accelerates Enterprise macOS Management with Pre-Built Configurations
#Security


Cloud Reporter

Microsoft's Intune team has released an open-source starter kit called 'Intune my Macs' that bundles over 31 enterprise-grade macOS configurations into a single PowerShell script, enabling IT teams to deploy a complete proof of concept in minutes rather than weeks.

Microsoft's Intune Customer Experience Engineering team has released an open-source starter kit called Intune my Macs that addresses a common enterprise challenge: the significant time and expertise required to configure macOS devices for management through Microsoft Intune. The project packages over 31 enterprise-grade configurations—identified by Apple's Mac Evaluation Utility—into a single PowerShell script that can deploy a complete macOS proof of concept in approximately five minutes.

What Changed: From Manual Configuration to Pre-Built Templates

Traditionally, enterprise IT teams evaluating or implementing macOS management through Microsoft Intune faced a steep learning curve. Each configuration required manual creation through the Intune portal, extensive research into Apple's management frameworks, and careful testing to ensure compatibility with existing security policies. The Intune my Macs project fundamentally changes this workflow by providing a curated collection of production-ready configurations that can be deployed programmatically.

The starter kit operates in a dry-run mode by default, allowing administrators to preview exactly what will be created in their Intune tenant before committing changes. When ready, adding the --apply flag executes the deployment. The project also includes a --remove-all command-line flag that cleans up all previously created objects based on a custom naming prefix, providing a safe way to reset or iterate on configurations.

Provider Comparison: Microsoft Intune's macOS Capabilities in Context

Microsoft Intune competes in the enterprise mobility management (EMM) space with several established players, including Jamf Pro, Kandji, and Mosyle. Each platform has distinct strengths:

Jamf Pro remains the market leader for dedicated Apple device management, offering deep integration with Apple's ecosystem and specialized features such as its App Catalog and advanced patch management. However, it requires separate licensing and a separate management console, adding complexity for organizations already invested in the Microsoft ecosystem.

Kandji and Mosyle offer modern, cloud-native approaches with strong automation capabilities, often at lower price points than traditional solutions. They excel at rapid deployment and user-friendly interfaces but may lack the breadth of enterprise integrations that larger organizations require.

Microsoft Intune's advantage lies in its integration with the broader Microsoft 365 ecosystem. Organizations using Azure Active Directory (now Microsoft Entra ID), Microsoft Defender for Endpoint, and Microsoft 365 applications can manage macOS devices through a single pane of glass alongside Windows devices. The Intune my Macs project specifically leverages this integration, including optional Microsoft Defender for Endpoint configuration through the --mde flag.

The project demonstrates Intune's maturation in macOS management. While early versions of Intune offered basic macOS support, recent updates have expanded capabilities significantly. The starter kit includes configurations for:

  • Security: FileVault encryption, firewall enablement, Gatekeeper policies, and Microsoft Edge browser security settings
  • Compliance: Minimum macOS version enforcement, System Integrity Protection (SIP) requirements, and encryption verification
  • Identity: Platform Single Sign-On (SSO) via Secure Enclave with Microsoft Entra ID
  • Applications: Company Portal, Microsoft 365 suite, Remote Help, Intune Log Watch, and Microsoft 365 Copilot
  • Custom Attributes: Hardware compatibility checks and Intune agent version reporting

Technical Implementation: How the Starter Kit Works

The Intune my Macs project uses XML manifest files to define each configuration artifact. A main PowerShell script reads these manifests, resolves associated JSON files, mobileconfig files, or scripts, and creates corresponding objects in Intune via the Microsoft Graph API. This approach provides several advantages:

  1. Transparency: Each configuration is documented in the manifest, explaining what settings are applied and why
  2. Modularity: Administrators can scope deployments using command-line flags like --apps, --config, --compliance, --scripts, or --custom-attributes
  3. Consistency: Naming conventions follow patterns like pol-sec-001-filevault or scr-app-100-install-company-portal, making policies easy to identify and manage
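The dry-run-by-default and prefix-scoped cleanup behaviour described above (the --apply and --remove-all flags) can be reproduced in a small script of your own. The following is an added example, not code from the Intune my Macs repository: it enumerates the Graph collections the kit writes to, matches objects by a naming prefix, and only deletes when -Apply is passed. It assumes the Microsoft Graph PowerShell SDK is installed and the account holds DeviceManagementConfiguration.ReadWrite.All; the prefix "poc-" is a constructed value.

```powershell
<#
  Added example (not part of the Intune my Macs project).
  Safety pattern: dry-run unless -Apply, and act only on objects whose
  name starts with a custom prefix, so an accidental run cannot touch
  production policies that use a different naming convention.
#>
[CmdletBinding()]
param(
    [string]$Prefix = 'poc-',   # constructed example prefix
    [switch]$Apply              # without -Apply nothing is changed
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Graph collections and the property that carries the object name.
# Settings-catalog policies use "name"; the others use "displayName".
$collections = @{
    'configurationPolicies'    = 'name'
    'deviceConfigurations'     = 'displayName'
    'deviceCompliancePolicies' = 'displayName'
    'deviceShellScripts'       = 'displayName'
}

function Get-AllPages([string]$Uri) {
    # Follow @odata.nextLink so large tenants are fully enumerated.
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

foreach ($entry in $collections.GetEnumerator()) {
    $collection = $entry.Key
    $nameProp   = $entry.Value
    $base = "https://graph.microsoft.com/beta/deviceManagement/$collection"

    # Only objects whose name begins with the prefix are in scope.
    $hits = Get-AllPages $base | Where-Object { $_.$nameProp -like "$Prefix*" }

    foreach ($obj in $hits) {
        $label = "$collection/$($obj.id) ($($obj.$nameProp))"
        if ($Apply) {
            Invoke-MgGraphRequest -Method DELETE -Uri "$base/$($obj.id)"
            Write-Host "Deleted      $label"
        } else {
            Write-Host "Would delete $label  (re-run with -Apply to commit)"
        }
    }
}
```

Run it once without -Apply and review the "Would delete" list against the prefix you chose; deviceShellScripts is a beta-only Graph collection, which is why the script uses the beta endpoint throughout.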

The project includes several utility tools for analysis and documentation:

  • Export-MacOSConfigPolicies.ps1: Backs up existing Intune macOS policies to JSON
  • Find-DuplicatePayloadSettings.ps1: Detects conflicting settings across configuration files
  • Generate-ConfigurationDocumentation.py: Creates Markdown or Word documentation from manifests
  • Get-IntuneAgentProcessingOrder.ps1: Shows script and app processing sequence
  • Get-MacOSGlobalAssignments.ps1: Lists policies assigned to All Devices or All Users

Business Impact: Accelerating Evaluation and Reducing Risk

For organizations considering Intune for macOS management, the starter kit reduces evaluation time from weeks to minutes. This acceleration has several business implications:

Faster Proof of Concepts: IT teams can demonstrate value to stakeholders quickly, showing tangible configurations rather than theoretical capabilities. The project provides a realistic baseline that includes security, compliance, and application management—key concerns for enterprise adoption.

Reduced Implementation Risk: By using configurations identified by Apple's Mac Evaluation Utility as enterprise-grade, organizations start with proven settings rather than experimenting with untested combinations. The dry-run mode further reduces risk by allowing preview and adjustment before deployment.

Lower Training Requirements: New administrators can learn Intune's macOS capabilities through practical examples rather than abstract documentation. Each configuration serves as a reference implementation, showing how to implement specific security policies or compliance requirements.

Standardization Across Teams: Organizations with multiple IT teams or geographic regions can establish consistent macOS management baselines. The starter kit provides a common starting point that teams can adapt to local requirements while maintaining core security standards.

Important Considerations and Limitations

Microsoft explicitly states that while Intune and its ability to deploy PowerShell scripts are fully supported, the scripts themselves—even those in the GitHub repository—are provided for example only and are not supported by Microsoft. Organizations must test configurations in their environment and assume responsibility for any changes made.

The starter kit is not intended as a one-size-fits-all production solution. It serves as a starting point for proof of concepts and reference implementations. Organizations should adapt configurations to their specific requirements, security policies, and compliance needs.

For organizations evaluating Microsoft Defender for Endpoint on macOS, the optional --mde flag deploys the full configuration, including system extensions, privacy preferences, network filter settings, and an installation script. This integration demonstrates how Intune can coordinate multiple Microsoft security products for comprehensive endpoint protection.

Getting Started

The Intune my Macs project is available on GitHub as an open-source initiative. Organizations can review the full configuration documentation before deployment and examine the Microsoft Defender for Endpoint setup instructions if interested in that integration.

Prerequisites include:

  • An active Microsoft Intune tenant
  • Appropriate administrative permissions
  • PowerShell 7 or later
  • Microsoft Graph PowerShell SDK

The project represents Microsoft's continued investment in macOS management capabilities and provides a practical tool for organizations navigating multi-cloud or hybrid endpoint management strategies. Whether evaluating Intune for the first time, setting up a new tenant, or seeking reference implementations for common security configurations, the starter kit offers a structured approach to accelerating macOS management initiatives.
