Posts

Showing posts from August, 2024

Managing Software Updates for macOS using Intune with all the shiny bells and whistles!

Every now and then I come across customers seeking advice on managing macOS devices. The most common ask is around keeping them patched and secured, which usually tops the list of requirements. When users install their own updates (instead of admins managing the updates), it can disrupt user productivity and business tasks. Lately, Intune has made huge strides in managing macOS devices as part of cross-platform management in general. There are built-in policies in Intune that one can use to manage device updates, configure when devices are updated, and review the device update status. Currently, there are mainly two ways to manage software updates for macOS using Intune: 1. DDM settings - Recommended on macOS 14.0 and newer devices, DDM is a new way to manage settings, allowing installation of a specific update by an enforced deadline. The independent nature of DDM provides an improved user experience, as the device handles the entire software update lifecycle. It prompts users that

Microsoft Defender for Mobile app & Conditional Access policies - The great conundrum!

Back in 2022, I had blogged about MDE onboarding for Android and iOS and my experience dealing with Conditional Access policies. Recently, I implemented the solution for a customer and experienced similar behavior, so decided to write about it. Basically, the behavior involves MDE onboarding getting blocked due to enforcing of Conditional Access (CA) policies for conditions like Device compliance state, App Protection Policies (APP). Now, according to Microsoft, excluding MDE from CA policies shouldn't be required - However, on a different official link, Microsoft also states that - "Microsoft Defender Mobile app is a security app that needs to constantly be running in the background to report the device security posture. This security posture is used in the Compliance and App Protection policies to secure the managed apps and ensure that corporate data is accessed only in a secured device. However, with restrictive Conditional Access policies such as having Block poli