In this guide, I will show you how to manage macOS software updates using Intune. You can use Microsoft Intune to manage software updates for macOS devices that are enrolled as supervised devices.
Do you have supervised devices running macOS 12 or later in your environment? If so, you can use Intune to manage their software updates. macOS devices enrolled using one of the Automated Device Enrollment (ADE) methods (Apple Business Manager or Apple School Manager) are considered supervised.
As of Intune service release 2210, you can use Intune policies to manage macOS software updates for devices that were enrolled using Automated Device Enrollment. Microsoft keeps adding features with every release, making it easier to deploy updates to macOS devices.
In most organisations, allowing users to install updates on their macOS devices is strictly forbidden, especially if you want all of your macOS devices to run the same version. As with Windows devices, Intune allows you to configure software update policies for macOS devices and manage update deployment. After you deploy a macOS software update policy, you can monitor update installation failures on devices.
Prerequisites
Listed below are some prerequisites required to manage macOS software updates using Intune.
- To manage macOS updates using Intune, you’ll need macOS 12 and later (supervised). Prior to the macOS 12.5 release, devices may download and install additional updates before installing the latest update.
- You must enroll your macOS devices into Intune before managing the updates.
- According to Microsoft, by default, devices check in with Intune about every 8 hours. If an update is available through an update policy, the device downloads the update. The device then installs the update upon next check-in within your schedule configuration.
Support for macOS Software Updates in Intune
With policies for Intune software updates, you can manage and configure the following update types for macOS devices:
- Remotely manage how downloads, installations, and notifications should occur when the following types of updates are available for macOS:
  - Critical update
  - Firmware update
  - Configuration file update
  - All other updates (OS, built-in apps)
- Set a schedule for when the update should be installed. Schedules can be as simple as installing updates the next time the device checks in, or as complex as creating day-time ranges during which updates can or cannot be installed.
Manage macOS Software Updates using Intune
Let’s go through the steps to manage macOS software updates using Intune. We will first create a new software update policy in Intune to manage the updates for macOS. These settings determine how and when software updates deploy. This profile doesn’t prevent users from updating the OS manually. Please note that updates will only apply to supervised devices.
Use the following steps to create the macOS software update policy:
- Sign in to the Microsoft Intune admin center.
- Navigate to Devices > Update policies for macOS and select Create Profile.

Enter a name for the profile in the Basics tab of the Create profile pane. Add a brief description about the profile. Click Next.
For instance, you can enter the following information:
- Name: macOS Software Updates Policy
- Description: Manage software updates for macOS devices. Applies to macOS 12 and later (supervised).

The Update Policy Settings tab allows you to control how and when software updates are installed on macOS devices. This is a critical step that must be configured based on your needs. In other words, the configuration differs from organisation to organisation.
Update Policy Behavior Settings
The update policy behavior settings allow you to select how downloads, installations, and notifications should occur for each type of update. For Critical, Firmware, Configuration file, and All other updates (OS, built-in apps), the following installation actions can be configured for each update:
- Download and install: Download or install the update, depending on the current state.
- Download only: Download the software update without installing it.
- Install immediately: Download the software update and trigger the restart countdown notification.
- Notify only: Download the software update and notify the user through the App Store.
- Install later: Download the software update and install it later.
- Not configured: No action taken on the software update.
In the example below, the following update policy behavior settings are configured within our macOS software update policy.
- Critical Updates: Install immediately
- Firmware Updates: Notify only
- Configuration File Updates: Notify only
- All other Updates (OS, built-in apps): Install immediately
Update Policy Schedule Settings
When an update policy is assigned to a device, Intune automatically deploys the most recent updates at device check-in. Alternatively, you can define a weekly schedule with custom start and end times. If you choose to update outside the scheduled time, Intune will not deploy updates until the scheduled time has expired. The following schedule types are available:
- Update at next check-in: The update installs on the device the next time it checks in with Intune. This option is the simplest and has no extra configurations.
- Update during scheduled time: You configure one or more windows of time during which the update will install upon check-in.
- Update outside of scheduled time: You configure one or more windows of time during which the updates won’t install upon check-in.
In the example below, the following update policy schedule settings are configured within our macOS software update policy.
- Schedule Type: Update at next check-in
Note: If you don’t configure times to start or end, the configuration results in no restriction and updates can be installed at any time.
Once you have configured the update policy settings, click Next.
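The schedule types above interact with the roughly 8-hour check-in interval mentioned in the prerequisites. The following added example is a simplified model written for this guide, not Intune or Microsoft code; it computes the first check-in at which a device would be allowed to install. The window dictionary layout, the fixed check-in spacing and the sample dates are assumptions, and time zones are ignored.

```python
from datetime import datetime, timedelta

# Schedule types as named on the Update Policy Settings tab.
NEXT_CHECKIN = "Update at next check-in"
DURING = "Update during scheduled time"
OUTSIDE = "Update outside of scheduled time"

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MINUTES_PER_DAY = 24 * 60


def minute_of_week(day, hhmm):
    """Convert ("Sat", "02:00") to minutes elapsed since Monday 00:00."""
    hours, minutes = map(int, hhmm.split(":"))
    return DAYS.index(day) * MINUTES_PER_DAY + hours * 60 + minutes


def in_window(moment, window):
    """True if `moment` lies in a weekly window (hypothetical dict layout).

    A window may wrap around the end of the week, e.g. Sun 22:00 to Mon 02:00.
    """
    start = minute_of_week(window["start_day"], window["start_time"])
    end = minute_of_week(window["end_day"], window["end_time"])
    now = moment.weekday() * MINUTES_PER_DAY + moment.hour * 60 + moment.minute
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def install_allowed(schedule_type, windows, moment):
    """Would a check-in at `moment` be allowed to install under this schedule?"""
    if schedule_type == NEXT_CHECKIN or not windows:
        # No start/end times configured: no restriction, install at any time.
        return True
    inside = any(in_window(moment, w) for w in windows)
    return inside if schedule_type == DURING else not inside


def first_install(schedule_type, windows, first_checkin,
                  interval_hours=8, horizon_days=14):
    """First check-in at which installation is allowed, or None if none is.

    Assumes check-ins exactly `interval_hours` apart; real devices drift.
    """
    moment = first_checkin
    deadline = first_checkin + timedelta(days=horizon_days)
    while moment < deadline:
        if install_allowed(schedule_type, windows, moment):
            return moment
        moment += timedelta(hours=interval_hours)
    return None


# Constructed sample data: a device that first checks in on Monday at 09:00.
START = datetime(2024, 1, 1, 9, 0)
NARROW = [{"start_day": "Sat", "start_time": "02:00",
           "end_day": "Sat", "end_time": "04:00"}]
WIDE = [{"start_day": "Sat", "start_time": "00:00",
         "end_day": "Sat", "end_time": "08:00"}]
WORK_WEEK = [{"start_day": "Mon", "start_time": "08:00",
              "end_day": "Fri", "end_time": "18:00"}]

if __name__ == "__main__":
    for label, kind, windows in [
        ("2-hour window", DURING, NARROW),
        ("8-hour window", DURING, WIDE),
        ("blocked during work week", OUTSIDE, WORK_WEEK),
        ("no times configured", DURING, []),
    ]:
        print(f"{label}: {first_install(kind, windows, START)}")
```

In this model, a window shorter than the check-in interval can be missed for the whole horizon, so a device under such a policy may stay unpatched without any error being reported.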

On the Assignments tab, add the Azure AD groups to which you want to deploy the macOS software update policy. It is recommended that you create a pilot group consisting of a few macOS devices that can be used for testing the deployment of updates. Click Next.

On the Review + Create tab, review the macOS Software Update policy settings, and then select Create when ready to save your macOS update policy.

Your new policy is displayed in the list of update policies for macOS. The policy must first apply to the targeted groups; devices receive the settings once they check in with the Intune service. You can also run Check Status in the Company Portal app on your Mac devices to retrieve the latest policies from Intune.

Monitor macOS Update Installation failures in Intune
If the macOS software updates are failing on a few devices, you can monitor them in the Intune portal. To accomplish that, in the Microsoft Intune admin center, go to Devices > Monitor > Software Updates > Installation status for macOS devices. Here, you can view software updates installation status for macOS devices.
Intune displays a list of supervised macOS devices that have an update policy applied to them. Because macOS devices only return information about installation failures, the list excludes devices that are up-to-date and in good health.
The Installation Status for each device on the list displays the error that the device returned. On the Installation status for macOS devices page, select Filters and then expand the drop-down list for Installation Status to see a list of potential installation status values.
Conclusion
When it comes to deploying software updates for macOS devices, Microsoft Intune streamlines admins’ tasks. On your macOS supervised devices, you can specify how and when you want the updates to be applied. The Intune Settings Catalog allows administrators to set up additional macOS software update settings in addition to the macOS software update policies. Using the information covered in this article, you should now be able to manage macOS software updates using Intune. Please ask any questions you may have in the comments section.
FAQs
Can you manage macOS with Intune?
All Mac enrollments in Intune are considered user-approved. User-approved enrollment lets you manage macOS devices that aren't part of Apple School Manager or Apple Business Manager. It provides the same level of control as supervised macOS devices enrolled using Automated Device Enrollment or Apple Configurator.
What is the minimum macOS version for Intune?
Requires macOS 10.15 and newer. Removable volumes: Your options: Not configured: Intune doesn't change or update this setting.
How do I push iOS updates through Intune?
- Sign in to the Microsoft Intune admin center.
- Select Devices > Update policies for iOS/iPadOS > Create profile.
- On the Basics tab, specify a name for this policy, specify a description (optional), and then select Next.
- On the Update policy settings tab, configure the following options:
Use Microsoft Intune to enable or disable settings and features on macOS devices being used for work. To configure and enforce these settings, create a device configuration profile and then assign the profile to groups in your organization.
Does Intune have patch management?
Intune helps configure Windows Update for Business (WUfB) policies to patch. This is the simplified patch management using Intune and WUfB. The latest update guide for Intune monthly patching is available in the following Cloud PC Monthly Patching Process Using Intune.
Is Intune a full MDM?
Microsoft Intune is a cloud-based mobile device management (MDM) service that helps you manage and secure mobile devices used by your employees. With Intune, you can manage apps, devices, and data for your employees. You can also set up security policies to help protect your company's data.
What is the maximum number of processes in macOS?
In macOS, the system is limited to running no more than 1064 processes (or 2088 starting with Catalina) systemwide, and individual users are limited to 709 (or 1392 in Catalina). Why is there a limit? Why is it this size? Why not a round number like 2500 or a binary round number like 1024?
How to deploy any application to macOS device using Intune?
- Sign in to the Microsoft Intune admin center.
- Select Apps > All apps > Add.
- In the Select app type pane, under the Other app types, select Line-of-business app.
- Click Select. The Add app steps are displayed.
- Step 1: Prepare the update package as Win32 app content. Download the Windows update package by searching on Microsoft Update Catalog. ...
- Step 2: Create the Win32 app. Sign in to the Microsoft Intune admin center. ...
- Step 3: Deploy the app.
Does Intune support iOS 15?
Intune requires iOS 14.x or later for device enrollment scenarios and app configuration delivered through Managed devices app configuration policies. For Intune app protection policies and app configuration delivered through Managed apps App configuration policies, Intune requires iOS 14.
What is the difference between Intune and Jamf for Macs?
While Jamf is a dedicated Apple device manager, Intune supports Apple devices in addition to most other OSs. Given the relative rarity of Apple-only organizations, it's not just possible but likely that you will find a need to manage Windows devices.
How do I sync my Mac with Intune?
- Open the Company Portal app.
- Select Devices.
- If you only have one device, you'll go directly to the device details screen and can skip to step 4. ...
- Select More [...] and then choose Check Status to sync your device.
- Wait while Company Portal confirms your device status.
Microsoft Access is not designed for macOS. However, you can run the Microsoft Access Windows version in a virtual machine in the Mac system created by a software hypervisor that allows multiple operating systems to work in parallel.
What are the disadvantages of using Microsoft Intune?
Intune CONS:
- Narrow focus on mobile devices; not a full systems-management platform.
- Doesn't support server-side applications.
- Not intended for large applications.
- Doesn't have the feature-set to handle complex package deployments.
Homebrew is a free and open-source software package management system that simplifies the installation of software on Apple's operating system, macOS, as well as Linux.
Does macOS use PAM?
Each service that uses PAM has a configuration file, where the various facilities, the responsible modules and their policy in the chain of modules are defined. On macOS the PAM configuration files can be found in /etc/pam.
What can you manage with Intune?
Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints. You can protect access and data on organization-owned and users' personal devices.
What is the difference between configuration manager and Intune?
Both solutions are parts of Microsoft Endpoint Manager – a single, integrated platform for managing all the endpoints in the organization. Intune is a cloud-based solution that allows you to manage company-owned and personal devices, while SCCM is a more traditional on-premises solution.
What apps can be managed by Intune?
App | Platform | App configuration |
---|---|---|
Office (Microsoft 365) | iOS | ✔ see Office app config |
Microsoft OneDrive | Android | No settings |
Microsoft OneDrive | iOS | No settings |
Microsoft OneNote | Android | No settings |
Which activity cannot be carried out by Intune MDM administrators?
Intune admins can't see phone call history, web surfing history, location information (except for iOS 9.3 and later devices when the device is in Lost Mode), email and text messages, contacts, passwords, calendar, and camera roll.
What is the difference between MDM and Intune management?
The main difference of MDM for Office 365 versus Intune is that Intune is not limited to Office 365-related scenarios. For most organizations, the management boundaries must expand to include all apps and data that can be exposed via AAD and all apps on devices that can use modern authentication.
What is the difference between Intune and Endpoint Manager?
Microsoft Intune is a cloud-based service that allows businesses to manage devices and applications from a single console. Intune is a part of the Microsoft Endpoint Management family, and it provides management of mobile devices, PCs, and applications from the cloud.
How many threads can macOS handle?
The thread limit can be increased to 5000 by activating the macOS server performance mode which was originally meant to be used with macOS Server machines.
How do I stop unnecessary processes on Mac?
When you think about Mac force kill process, you immediately start looking for some kind of keyboard shortcut that can help force quit apps. Indeed, there's one: press Command + Option + Esc and you'll see the Force Quit menu that lets you force quit one or multiple apps.
What is the max ulimit on a Mac?
For the current shell, limit of maximum open files can be changed by: ulimit -n 10240. If shell limit cannot be changed, then you need to use the launchctl command first, e.g. To change the kernel limits, run: sudo sysctl -w kern.maxfiles=10240.
Where is macOS script in Intune?
Sign in to the Microsoft Intune admin center. Navigate to Devices > Scripts and select a macOS shell script.
How do I push apps through Intune?
- Sign in to Microsoft Intune admin center, select Apps > All apps > Add.
- In the App type drop-down box, select Windows 10 and later from Microsoft 365 Apps.
- Click Select. ...
- Confirm the default details in the App suite information step and click Next.
Example of installing an expedited update
Each month, Intune administrators deploy the most recent Windows 10 quality updates on the fourth Tuesday of the month. This period gives them two weeks after the patch Tuesday event to validate the updates in their environment before they force installation of the update.
Go through Intune Settings Catalog Guide (linked below) to create the policy in detail. However, search with keywords Windows Update in the Settings picker search box, and Select Allow Auto Update.
How do I automatically update Intune software?
Auto install at maintenance time - Updates download automatically and then install during Automatic Maintenance when the device isn't in use or running on battery power. When restart is required, users are prompted to restart for up to seven days, and then restart is forced.
How do I force Intune to sync all devices?
Sign in to the Microsoft Intune admin center. Select Devices > All devices. In the list of devices you manage, select a device to open its Overview pane, and then select Sync. To confirm, select Yes.
How frequently do Microsoft Intune agents check for updates?
The default connection interval for Intune is every 24 hours I believe. Have a look here. You can force a policy download manually by running a task. Perhaps you can reduce the schedule interval but there is NO way for clients to know there are updates and to connect immediately.
Do I need an Intune license for every device?
Each device that accesses and uses the online services and related software (including System Center software) must have a device license available in the Microsoft 365 tenant. If a device is used by more than one user, each device requires a device based software license or all users require a user software license.
How do I manage iOS with Intune?
- Install the company portal app from the App store.
- Once installed, open the company portal app and click on Sign in.
- Enter the user's email address, and Enter the password. Click on Begin.
Intune supports mobile device management (MDM) of iPads and iPhones to give users secure access to work email, data, and apps. This guide provides iOS-specific guidance to help you set up enrollment and deploy apps and policies to users and devices.
Does Intune work for iOS?
Enroll your iOS device with the Intune Company Portal app to gain secure access to your organization's email, files, and apps. After your device is enrolled, it becomes managed. Your organization can assign policies and apps to the device through a mobile device management (MDM) provider, such as Intune.
What is the minimum macOS for Intune?
Requires macOS 10.15 and newer. Removable volumes: Your options: Not configured: Intune doesn't change or update this setting.
What is the Apple equivalent of Intune?
Automated Device Enrollment (former DEP, now ADE) is a free cloud-based service from Apple, that streamlines the device enrollment (and supervision) into any supported MDM/UEM platform like Microsoft Endpoint Manager (Intune).
What is the equivalent of device Manager in macOS?
Windows term | Mac term |
---|---|
Control Panel | System Settings |
Cortana | Siri |
Device Manager | System Information |
Disk drive eject button | Media Eject key |
Can you join Mac to Intune?
Enroll your macOS device with the Intune Company Portal app to gain secure access to your work or school email, files, and apps. Organizations typically require you to enroll your device before you can access proprietary data. After your device is enrolled, it becomes managed.
What are the features of Intune macOS?
Intune includes built-in settings to customize features on your macOS devices. For example, administrators can add AirPrint printers, choose how users sign in, configure the power controls, use single sign-on authentication, and more.
Why is there no Microsoft Access for Mac?
There is no Microsoft Access for macOS because Microsoft deems it a competitive advantage not to make a version for macOS. If people are dependent on Access, they cannot switch to macOS. Many years ago they stated there were technical reasons why it could not be ported.
Which is more user friendly, Mac or Windows?
User experience
The OS on a Mac computer is highly intuitive and user-friendly, with a sleek design that makes navigation simple. Mac computers often run applications more smoothly than Windows PCs since Apple designs its hardware and operating system, creating a smooth user experience through perfect integration.
FoundationDB is a free and open-source multi-model distributed NoSQL database developed by Apple Inc.
Which operating system does Intune manage?
Microsoft Intune features and capabilities
Microsoft Intune currently supports management for Android, iOS and iPadOS, Linux, macOS, Windows and ChromeOS devices.
Intune supports Android, iOS/iPadOS, Linux, macOS, and Windows devices. There are some things you should know. For example, if existing devices are managed by another MDM provider, they may need to be factory reset. If the devices are using an older OS version, they may not be supported.
Does MDM work on Mac?
iOS, iPadOS, macOS, and tvOS have a built-in framework that supports mobile device management (MDM). MDM lets you securely and wirelessly configure devices by sending profiles and commands to the device, whether they're owned by the user or your organization.
What types of devices can you manage with Microsoft Intune?
Microsoft Intune supports Android, Android Open Source Project (AOSP), iOS/iPadOS, macOS, and Windows client devices. With Intune, you can use these devices to securely access organization resources with policies you create.
Which OS is not supported by Intune?
For guidelines on using Windows 10 virtual machines with Intune, see Using Windows 10 virtual machines. Intune does not currently support managing UWF enabled devices. For more information, see Unified Write Filter (UWF) feature.
What is the difference between Endpoint Manager and Intune?
Account editing: Microsoft Intune does not allow administrators to edit user accounts in the program's interface. Endpoint Manager allows users to manage accounts across its suite from its admin center.
What can Intune manage for iOS?
Intune supports mobile device management (MDM) of iPads and iPhones to give users secure access to work email, data, and apps. This guide provides iOS-specific guidance to help you set up enrollment and deploy apps and policies to users and devices.
Which device will not delete from Intune?
Remove in device Settings app
Open the Settings app. Go to Accounts > Access work or school. Select the connected account that you want to remove > Disconnect. To confirm device removal, select Yes.
Sign in to the Microsoft Intune admin center. Select Devices > All devices > select one of your listed devices to open its details: Overview shows the device name, and lists some key properties of the device, like whether it's a personal or corporate device, serial number, primary user, and more.
How do I know if my Mac is managed by MDM?
It's easy to check whether your Mac has an MDM. Simply go to “System Preferences”. If you don't see a section as “Profiles” or “Profiles & Device Management”, then you don't have any MDM on your Mac. On the other hand, click on “Profiles” or “Profiles & Device Management”.
How to setup MDM macOS?
- Provide your credentials (either a one-time passcode that is provided by your organization or your user name and password). ...
- Accept the terms and conditions, and then click Continue.
- Click Install to install the MDM profile on the device. ...
- Follow these steps to enroll the device:
Open System Preferences on your mac by clicking on the Apple icon in the top left corner and selecting "System Preferences..." from the drop-down list. Find the Profiles icon and click on it. Find "MDM Profile" in the list on the left and click on it.
Can you track a device with Intune?
When you use the Locate device action for an Android Enterprise dedicated device that is off-line and unable to respond with its current location, Intune attempts to display its last known location. This capability uses data submitted by the device when it checks in with Intune.
What is the difference between Active Directory and Intune?
AADDS and Intune are completely unrelated. AADDS, like on-prem AD, is a directory service like provides identity and authentication services. GPOs exist as well but I'd never call GPOs true management or administration of devices. Intune is a management system to configure and control the state of a device.
Can Intune access personal data?
Your organization can't see your personal information when you enroll a device in Microsoft Intune. Enrolling your device makes certain information, such as device model and serial number, visible to IT administrators and support people with administrator access.