Field-tested Intune engineering for iOS, Android, Windows, and MacOS: 302 deep-dive guides, four open-source toolboxes, and the failure modes the official docs don’t mention — written and maintained by working endpoint engineers.
302 guides4 platforms87 open-source picks311 official Microsoft links
Pick a platform to enter its library — the menus, guides, search defaults, and scripts all follow your choice. Switch any time from the selector at the top of the page.
20+ vetted community projects per platform — packaging frameworks, assignment auditors, user-facing dialog tooling, and reference test utilities, each one proven in production tenants.
A full simulated Intune tenant in your browser — devices, users, dynamic groups, profiles, compliance, scripts, and reports. All of the picture, none of the risk.
Intune endpoint automation, PowerShell tooling, and Graph-native engineering — with contract engineers available for your fleet. Built by the same hands that maintain these guides.
Become a sponsor. IntuneNerds is free and independent — sponsorship pays the hosting bill and buys back the evenings spent writing and testing every guide.Get in touch →
Begin your journey with easy navigation and comprehensive guides for every platform you manage with Microsoft Intune.
Starting is pretty easy. Just navigate the sidebar menu on the left and scroll through the content you are interested in. But let's see how you can get the most value out of the guides.
Note
IntuneNerds isn't here to compete with the communities you already trust — the Slack workspaces, the Discords, the MVP blogs. It exists for the layer those formats can't hold: long-form, maintained engineering guides for every platform, with the failure modes written down next to the happy paths.
Get the Most out of the Content
As you can see on the left, there are multiple topics covering the platform you have selected — switch platforms at the top of the sidebar and the entire site follows. The goal is to add a short overview, a guide to configure the setting or policy, as well as insights based on real-world experiences that are not documented anywhere else, e.g., Microsoft Docs.
This list is growing, and we want you to help us improve and add more content. Check out How to Contribute.
Navigating the Site
Sidebar Menu: Use the sidebar menu on the left to quickly find the topics you are interested in.
Search Functionality: Use the search bar at the top to find specific guides, tools, or best practices.
Types of Content Available
Guides: Step-by-step instructions on how to set up and configure enrollment, policies, and apps.
Scripts: Ready-to-use Microsoft Graph automation to manage your fleet at scale, straight against the same API the console uses.
Best Practices: Recommendations based on industry standards and real-world experiences.
Insights: Unique insights and tips that you won't find in official documentation, shared by community members.
Thank you for being a part of the IntuneNerds community. Together, we can make endpoint administration with Microsoft Intune easier and more efficient.
Home
How to Contribute
Learn how to contribute guides, scripts, and insights to IntuneNerds.
IntuneNerds is community-driven. Every guide, script, and insight on this site comes from admins managing real production fleets. Contributions of any size are welcome — from fixing a typo to writing a full topic section.
What We're Looking For
Guides: Step-by-step configuration walkthroughs with screenshots.
Contributors are listed here as pull requests are merged. Add your name by contributing on GitHub!
Want to see your name here?
Check out How to Contribute — guides, scripts, insights, and corrections all count.
Home
Feedback
Tell us what's working, what's missing, and what you want to see next on IntuneNerds.
We want this site to be the place you check before you build anything in Intune. That only works if you tell us what's missing.
Ways to Reach Us
GitHub Issues: The fastest way — open an issue for content requests, corrections, or bugs.
GitHub Discussions: For open-ended questions and ideas — start a discussion.
What Helps Most
Which guide you were reading and what was unclear or out of date.
The Intune service release and device OS version where behavior differed from the guide.
Topics you searched for and didn't find.
Home
Changelog
What's new on IntuneNerds.
June 2026 — Initial release 🎉
IntuneNerds is live. The site launches complete rather than aspirational: 302 deep-dive guides across four platform libraries, written and tested by working endpoint engineers, with the failure modes documented next to the happy paths. Pick your platform at the top of the page and the entire site — navigation, search, and every guide — follows your selection.
🚀 Four complete platform libraries — every guide written platform-pure for the fleet you actually manage, with explicit prerequisites, step-by-step processes, and verification on every procedure.
🧪 Intune Simulator — a full, browser-based replica of the Microsoft Intune admin center that runs entirely on your device. Generate a tenant of users and devices, build dynamic groups with real query logic, deploy configuration profiles, apps, compliance, and Endpoint security, then advance time to watch check‑ins, compliance drift, and queued device actions land. Nothing touches a real tenant — the safe place to learn the console before you click in production.
⚙️ Graph API Automation — a production PowerShell script library (inventory reports, bulk actions, license audits, connector health) and a snippets collection built to copy, adapt, and ship.
🔎 The site itself — platform-scoped navigation and search (Ctrl/Cmd+K), per-page contents, prev/next reading chains, dark and light themes, and a single fast page that works offline once loaded.
From here, every change to the library lands on this page.
Start Here
Learning Path
A 30/60/90-day roadmap from zero to competent endpoint engineer — with platform-specific milestones that adapt to your fleet.
Endpoint management rewards structured learning: the concepts stack, and the order matters. This path takes you from nothing to genuinely competent in ninety days of consistent effort — read, then build, then break, in that loop, every week. The spine is universal; the milestones below adapt to the platform selected.
Days 1–30FoundationsLab built, first devices enrolled — goal: explain enrollment-to-policy flow on a whiteboard
Days 31–60DepthYour platform's hard topics plus a first Graph script — goal: three failures diagnosed to root cause
Days 61–90Production thinkingRings, RBAC, change discipline — goal: defend a design decision to a skeptical room
Days 1–30 — Foundations. Understand what MDM actually is, build your lab, enroll your first devices, and learn the tenant's anatomy: groups, filters, profiles, apps, compliance. Goal: you can explain enrollment-to-policy flow on a whiteboard.
Days 31–60 — Depth. Pick your platform's hard topics and go deep; ship your first Graph script; break things in the lab on purpose and fix them with the troubleshooting pages. Goal: you've diagnosed three failures to root cause.
Days 61–90 — Production thinking. Rings, RBAC, change discipline, reporting rhythms, and the architecture corner. Goal: you can defend a design decision to a skeptical room.
Certifications: MD-102 (Endpoint Administrator) covers the Intune fundamentals this path builds on, and Apple's own deployment and management training deepens the platform track you just walked.
Certifications: MD-102 (Endpoint Administrator) covers the Intune fundamentals this path builds on, and Google's Android Enterprise training academy deepens the platform track you just walked.
Certifications: MD-102 (Endpoint Administrator) maps almost one-to-one onto this track — if any badge is worth the exam fee here, it's this one.
Certifications: MD-102 (Endpoint Administrator) covers the Intune fundamentals this path builds on, and Apple's own deployment and management training deepens the platform track you just walked.
The single highest-leverage habit on this path: write down every failure you diagnose — symptom, wrong guesses, root cause. Ninety days of that document is worth more in an interview than any certification, because it's proof you've actually operated.
A blast-radius-zero environment where enrollment flows get broken on purpose — start with the universal foundation that's identical on every platform, then build the lab your platform actually needs.
Every confident production change on this site was rehearsed somewhere safe first. A lab is where enrollment flows get broken on purpose, where scripts run their first time, and where "what happens if" gets answered without a ticket queue watching. The good news is that the foundation is identical on every platform: a dedicated test tenant (a free Intune trial or developer tenant — never a corner of production), a naming discipline (LAB- prefixes on everything so nothing ambiguous ever reaches a production scope), the snapshot ethos that keeps every lab device one reset away from clean, and a fence of scope tags plus a dedicated RBAC role so experiments physically cannot touch production objects. Build that spine once and it carries iOS, Android, Windows, and macOS equally. What goes into the lab differs by platform — and each platform gets its own dedicated page below.
RequiresDedicated test tenant — free Intune trial or developer tenant
NamingLAB- prefix on every group, profile, and policy
Reset ethosEvery lab device one reset away from clean
ScopeFenced with scope tags and a dedicated RBAC role
Adopt the universal spine
These steps are platform-agnostic. Do them once, in order, and you have a tenant that any of the four platform labs can plug into. None of them touches device hardware yet — this is the part of the lab that lives entirely in the admin center.
Stand up the dedicated tenant. Create a free Intune trial or a Microsoft 365 developer tenant — never a slice of production. This is the single rule that makes everything afterwards safe: a tenant that contains nothing real can't break anything real. Sign in once and confirm Intune is provisioned before you go further.
Apply LAB- naming from the very first object. Prefix every group, profile, policy, app, and filter with LAB- the moment you create it. The discipline pays off the first time you copy something toward production and the name announces exactly where it came from — and it makes a stray lab object impossible to mistake for the real thing.
License one admin and one test user. You need exactly two identities to exercise every flow: an administrator to build and assign, and a standard test user to receive policy and feel what a real end user feels. Resist the urge to license more — a two-account lab stays cheap and stays honest.
Fence the lab with scope tags and a dedicated RBAC role. Create a LAB- scope tag, tag every lab object with it, and grant your lab work through a dedicated RBAC role scoped to that tag alone. Now an experiment cannot reach a production group even if you fat-finger an assignment — the fence is structural, not a matter of remembering to be careful.
Calendar any certificate renewals the day they're issued. Some platform labs mint certificates with hard expiry dates — Apple's APNs certificate is the classic example. The instant you issue any cert in the lab, put its renewal on a calendar. Rehearsing the renewal you'll own in production starts with never letting the lab's own cert lapse silently.
Then build your platform's lab
With the spine in place, the rest is platform-specific — different hardware truths, different virtualization stories, different things that simply refuse to be simulated. Each page below reuses and expands the per-platform build it once lived inside: what you're building, prerequisites, the step-by-step, the honest limits, and exactly what to rehearse.
iOS & iPadOS
Simulators don't enroll — MDM, profiles, and apps all need real hardware. The lab centers on a spare iPhone or iPad you can wipe, supervised locally with Apple Configurator.
The friendliest platform to lab: emulators take real work-profile and fully-managed enrollments, so most of the lab runs on the laptop you already have — Google built the lab tools.
The most rehearsable platform — VMs take real Autopilot enrollments, and a checkpoint at OOBE turns every experiment into a two-minute revert instead of a reinstall.
Apple silicon VMs are gold for profile and script dry-runs, but real metal plus ABM reality carries enrollment, attestation, and recovery — a used Mac mini earns its keep fast.
The platform pages differ, but the working habits don't. These practices apply identically whether your lab is a drawer of spare iPhones, a folder of emulators, a stack of checkpointed VMs, or a bench Mac — and they're what separate a lab that builds confidence from one that just burns time.
Snapshot before every experiment. A clean restore point ahead of each change means you're always one revert from a known-good state — and you'll actually run the risky test instead of tiptoeing around it.
Provoke failures on purpose. Break enrollment, fail an app install, expire a token, watch the timeout. A failure you caused and watched end to end is the fastest education in reading the ones you didn't.
Mirror your production ring structure. Build the same group and ring layout you run in production so what graduates from the lab lands in a shape ring 1 already recognizes — the lab is the first rung of that same ladder.
Document what broke and how you fixed it. A short note per failure turns a one-time scramble into a runbook, and turns incident response from research into recognition.
When you want to rehearse a console flow without standing up any hardware at all, practice risk-free in the Intune Simulator — every click is reversible, so it pairs naturally with the snapshot-and-break ethos above.
Do
Build the universal spine first, then the platform lab
Fence the lab behind scope tags and a dedicated RBAC role
Prefix every lab object with LAB- and snapshot before experiments
Treat the lab as the first rung of the ring ladder
Don't
Run experiments in a corner of the production tenant
Let an ambiguously named object near a production scope
Skip the snapshot and then fear the risky test
Promote a change that skipped both the lab and ring 1
Insights
The lab's highest-value product isn't validation — it's calibrated confidence: knowing exactly what a failure looks like before it happens in production turns incident response from research into recognition.
Budget honesty: a free tenant, two licensed identities, and whatever your platform's page calls for — usually one spare device, one bench unit, and a hypervisor you already own. The lab that never gets built is the one specced as a rack; the one that changes your career fits in a drawer.
A blast-radius-zero iOS environment — a throwaway tenant, a lab-only Apple relationship, and one spare device you are free to wipe — plus the hardware truths that decide what you can rehearse and what you can't.
The universal lab foundation — dedicated test tenant, LAB- naming discipline, the snapshot ethos, and scope-tag fencing — lives on the cross-platform Build a Lab hub; this page is the iOS/iPadOS-specific build that sits on top of it.
An iOS lab is one dedicated test tenant, one physical device you are free to wipe, and a small set of Apple relationships that belong to the lab alone. The non-negotiable hardware truth up front: simulators don't enroll. The Xcode iOS Simulator renders a UI, but it has no MDM stack — no enrollment, no profile delivery, no managed app installation, no APNs path. Everything that makes this site real requires physical hardware, so the centerpiece of the lab is at least one real iPhone or iPad. An older spare is ideal: enrollment behavior, restriction handling, and app-config delivery do not need a current model, and an aging device you can reset without a second thought is worth more than a flagship you instinctively protect.
TenantDedicated trial or developer tenant, LAB- naming on every object
Apple relationshipLab-only test Apple Account + the lab tenant's own APNs certificate
HardwareOne spare iPhone/iPad — simulators do not enroll
ABM caveatNo throwaway ABM — ADE flows rehearse on a production ring-1 device
The Lab at a Glance
Five moves take you from a blank tenant to a device you are deliberately breaking. Most of this needs no Apple Business Manager at all — only the final ADE-dependent rehearsals do, and the ABM Reality section below explains where those go instead.
Step 1Stand up the tenantTrial/developer tenant, one admin + one test user, LAB- from object one
Step 2Create the Apple relationshipLab test Apple Account, then the lab tenant's APNs certificate
Step 3Supervise the spareWipe + supervise locally with Apple Configurator
Step 4Enroll and break thingsDeliver a profile, deploy an app, then provoke failures on purpose
Step 5Optional: run an open-source MDMPoint micromdm/nanomdm at the spare for a weekend
Prerequisites
A dedicated test tenant (free Intune trial or developer tenant), fenced with its own LAB- naming on every group, profile, and policy so nothing ambiguous ever drifts toward a production scope.
A separate, team-owned test Apple Account for the lab — never your personal account, and never the production organizational account that backs your live APNs certificate.
The lab tenant's own APNs certificate, created with that lab Apple Account, with the renewal date calendared the day it is issued — the same one-year clock you will own in production, rehearsed where a lapse costs nothing.
One spare iPhone or iPad dedicated to the lab, a cable, a desktop running Apple Configurator (macOS) or the bench-recovery equivalent, and the patience to wipe the device often.
Build It, Step by Step
Stand up the tenant. Create the trial or developer tenant, license one admin and one test user, and apply the LAB- naming discipline from the first object you create. The habit pays off the first time you copy a policy into production and the name announces exactly where it came from. Fence it immediately with scope tags and a dedicated RBAC role so a stray assignment can never reach a real group.
Create the lab Apple relationship. Sign up the test Apple Account, then issue the APNs certificate for the lab tenant with it. Nothing Apple-side enrolls until this certificate exists — every command Intune sends to every Apple device flows through APNs using it — and creating one in the lab demystifies the production renewal you will eventually own. Note the identity that created it: renewing with a different Apple Account forces a re-enroll, which is itself a failure mode worth seeing here first.
Supervise the spare device locally. Wipe the device and supervise it with Apple Configurator. Local supervision unlocks most of the supervised-only surface — device restrictions, Single App and kiosk modes, forced settings, non-removable management — without any organizational ABM enrollment, which makes it the fastest route to testing the policies that matter most. This is the single highest-leverage step: it gives you a supervised device to aim policy at today.
Enroll and start breaking things. Enroll the supervised device into the lab tenant, deliver a configuration profile, deploy an app, then deliberately cause the failures documented on the troubleshooting pages so you see each one where it costs nothing: provoke an enrollment error, force a profile installation failure with a conflicting payload, and block APNs at the network edge to watch push connectivity degrade. A failure you caused on purpose is the fastest education in reading the ones you didn't.
Optional, but career-changing: run an open-source MDM for a weekend. Pointing micromdm or nanomdm at the spare device teaches you what the MDM protocol actually does under Intune's console — the enrollment handshake, the command/result loop, the APNs wake. Every enrollment conversation you have afterward is sharper for it.
The ABM Reality
Apple Business Manager is a real-organization enrollment: legal-entity details, a D-U-N-S number, and a verifiable contact mean a throwaway lab ABM usually isn't possible — and shouldn't be faked. Plan for it instead of fighting it. The flows that require ABM — full Automated Device Enrollment, the Intune–ABM token exchange, Apps & Books (VPP) licensing, and Return to Service — get rehearsed on a production ring-1 device, which is precisely what ring 1 exists for. Everything else on this page works without ABM, and one detail bridges the gap honestly: a device captured into ABM with Apple Configurator's enrollment-capture behaves like an ADE device, but the capture is real and not reversible on a whim — so reach for it on production ring-1 hardware, not a borrowed spare.
Profile and app-config behavior: delivery timing, conflict resolution, and what the device actually shows the user.
App Protection Policy prompts on a BYOD-style setup, so the first user who asks "why is it asking me for a PIN" gets an answer from experience.
Enrollment restrictions — block a platform, then watch the device-side message — so the production posture is a decision you have seen, not one you guessed.
Full ADE / zero-touch enrollment without ABM — it lives on a production ring-1 device, not the spare.
Anything from the iOS Simulator — it has no MDM stack and will never enroll.
Apps & Books (VPP) silent install at scale — that needs the real ABM token, so prove it in ring 1.
A throwaway ABM tenant — don't fabricate legal-entity details to force one into existence.
Insights
The lab's highest-value product isn't validation — it's calibrated confidence: knowing exactly what a failed APNs push or a conflicting restriction looks like before it happens in production turns incident response from research into recognition.
Budget honesty: one spare iPhone, a free tenant, and a Mac you already own. The iOS lab that never gets built is the one specced as a fleet of devices; the one that changes your week fits in a drawer.
Local supervision plus the open-source MDM weekend together teach more about Apple management than any amount of console clicking — the protocol stops being a black box.
A blast-radius-zero Android Enterprise environment — almost all of it on the laptop you already have, with one spare device for the truths only hardware can tell.
Every confident production change starts as a rehearsal somewhere safe. The universal foundations of a lab — a dedicated test tenant (a free Intune trial or developer tenant, never a corner of production), a LAB- naming discipline so nothing ambiguous ever reaches a production scope, and the snapshot ethos that keeps every device one reset away from clean — are covered once on the universal Build a Lab hub. This page is the Android-specific build: what goes into the lab, what runs on the emulator, what genuinely needs metal, and exactly what to rehearse before any of it touches a managed fleet.
TenantDedicated trial or developer tenant, LAB- naming on every object
Managed Google PlayOne dedicated lab Google account — the binding identity, never personal Gmail
EmulatorsAndroid Studio AVDs with Play-enabled images take real enrollments
HardwareOne spare Pixel you are free to factory-reset on repeat
What You're Building
Android is the friendliest platform to lab, because Google built the lab tools. The reference device policy controller (Test DPC), emulator images that take real enrollments, and a free work-profile sandbox mean most of the lab runs on the machine you are reading this on — with one physical device reserved for the hardware-only truths. The arc is: bind Managed Google Play once, learn the platform's ceiling with Test DPC, enroll emulators in every management mode side by side, and keep the spare Pixel for NFC, QR, FRP, and battery behavior that no virtual device can fake.
Step 1Bind Managed Google PlayThe lab Google account binds the tenant — the gateway every enrollment depends on
Step 2Learn the ceiling with Test DPCGoogle's reference DPC exposes every AE capability as a toggle
Step 3Enroll emulators in all four modesPlay-image AVDs take real work-profile and corporate-owned enrollments
Step 4Reserve the Pixel for hardware truthsNFC, QR, FRP, and battery realities live only on metal
Prerequisites
A dedicated test tenant (free Intune trial or developer tenant) with LAB- naming on every group, profile, and policy. Fence it with scope tags and a dedicated RBAC role so experiments can never reach a production group.
A dedicated Google account for the lab's Managed Google Play binding — owned by the team, documented, and never reused from production. This account becomes the permanent enterprise binding identity, so make it an organizational mailbox (mgp-lab@yourdomain-style), never a personal Gmail.
Android Studio with Play-enabled emulator images (pick an AVD system image whose target shows the Google Play badge, not merely Google APIs — only Play images carry the Managed Google Play surface enrollment needs). Container-minded engineers can use emulator-container-scripts instead.
One spare physical device — a spare Pixel is ideal because it is GMS-certified, gets provisioning fixes first, and is cheap to keep current — that you are free to factory-reset repeatedly.
Build It, Step by Step
Stand up the tenant and bind Managed Google Play. Create the trial or developer tenant, license one admin and one test user, and apply LAB- naming from the first object. Then bind Managed Google Play with the lab Google account. This connection is the gateway every Android Enterprise enrollment and app deployment depends on — making the lab binding by hand rehearses the single most consequential setup step the platform has, and it is five minutes that unlocks the entire Android Enterprise surface.
Install Test DPC and learn its toggles.Test DPC is Google's reference device policy controller, and it exposes every Android Enterprise capability as a switch. When you wonder whether the platform supports something the Intune UI doesn't expose, Test DPC answers in five minutes — before you spend a day on a support case arguing about a setting that was never going to exist. It is also the cleanest way to feel the work-profile boundary and the fully-managed surface without any console in the way.
Enroll emulators in every management mode. Android Studio AVDs with Play images take real work-profile and fully-managed enrollments. Build one of each — work profile (BYOD), fully managed, corporate-owned work profile, and a dedicated-device enrollment — side by side. Mode comparison becomes a laptop exercise instead of a hardware shuffle, and you can leave all four running while you lead a choosing-a-mode conversation from the screen in front of you.
Use the physical Pixel for the hardware truths. Factory Reset Protection behavior, NFC provisioning, camera/QR enrollment flows, and battery realities only exist on real hardware. Generate QR provisioning payloads from the lab tenant and run the full dedicated-device flow on the Pixel — the bump-or-scan moment, the network-during-setup behavior, the wipe-and-re-provision loop. This is the device that tells you the truth about provisioning.
Put Shelter on a personal device.Shelter creates a work profile with no MDM attached — a free education in exactly how the profile boundary feels to your users: the badged apps, the separate clipboard, the cross-profile prompts. It is the part no console screenshot teaches, and it costs nothing but an afternoon.
Provoke the failures on purpose. Once the modes enroll cleanly, break them deliberately: a deliberately-failed Play Integrity verdict, a stalled app install, a work profile that won't provision. Each failure caught in the lab is worth ten tickets read cold — see the enrollment-error and work-profile troubleshooting pages for the failures worth rehearsing first.
Honest Limits
Two things genuinely resist simulation, and pretending otherwise wastes a weekend. Zero-touch enrollment requires a real reseller relationship — devices are registered to your enterprise at the point of purchase, which a throwaway lab cannot fabricate. The honest workaround: QR provisioning payloads generated from the lab tenant produce the same provisioning result, just triggered by a scan instead of by the supply chain, so you rehearse everything downstream of the trigger. The same logic applies to Samsung KME. The second limit is OEMConfig: a schema is only as real as the device that implements it, so OEMConfig testing honestly requires the OEM's own hardware. A Pixel will not validate a Samsung Knox OEMConfig key. Budget a borrowed or surplus unit of the specific OEM you manage when that day comes, and treat the emulator as out of scope for OEMConfig from the start.
What to Rehearse Here
Rehearse until it's muscle memory
All four management modes side by side, until the choosing-a-mode conversation is something you can lead from memory.
Managed Google Play app flows — approval, assignment, update behavior, and what the device shows at each stage.
Runtime permission policy first-runs, watched on-device so auto-grant behavior is never a surprise to a user.
Play Integrity failures provoked deliberately — a failed verdict you caused reads instantly when a real one arrives.
The full QR dedicated-device flow on the Pixel, end to end, including a wipe-and-re-provision.
Don't expect the lab to cover
Zero-touch / KME triggers — those need a reseller; QR payloads stand in for the downstream behavior.
OEMConfig schema validation — that needs the specific OEM's hardware, not an emulator or a Pixel.
Real-world battery and thermal behavior — emulators lie about both; only the physical device tells the truth.
NFC bump provisioning — a flow that exists only on metal with a second seed device.
Insights
The lab's highest-value product isn't validation — it's calibrated confidence: knowing exactly what a Play Integrity failure or a stalled provisioning looks like before it happens in production turns incident response from research into recognition.
Budget honesty: Android needs the least hardware of any platform. One spare Pixel, a laptop running Android Studio, and a free tenant cover the entire surface short of zero-touch and OEMConfig. The lab that changes your career fits in a drawer, not a rack.
A blast-radius-zero Windows environment — a dedicated tenant, a hypervisor that takes real Autopilot enrollments, and one physical machine for the truths VMs can't carry.
Every confident production change starts as a rehearsal somewhere safe. The universal foundations — a dedicated test tenant, LAB- naming on everything, scope-tag fencing, and the one-reset-from-clean ethos — are covered on the cross-platform Build a Lab hub; start there if you haven't. This page is the Windows-specific build, and Windows is the most rehearsable platform in the fleet for one reason: VMs take real Autopilot enrollments. The entire pipeline — hardware-hash registration through ESP completion — runs on the machine you are reading this on. The lab's superpower is checkpoint discipline: snapshot once at the out-of-box screen, and every experiment afterwards is a two-minute revert instead of a half-hour reinstall.
TenantDedicated test tenant — free Intune trial or developer tenant, LAB- naming throughout
HypervisorHyper-V or your choice, with disk for several checkpointed VMs
ToolingGet-WindowsAutopilotInfo to harvest hashes, Get-AutopilotDiagnosticsCommunity to decode
Physical metalOne real machine for firmware, TPM, DFCI, drivers, and OSDCloud bare-metal
What You're Building
A Windows lab is a dedicated tenant, a hypervisor with room for a handful of checkpointed virtual machines, and one physical machine held in reserve for the hardware-bound truths. Virtualization is a first-class citizen here, not a compromise: a Hyper-V VM registers as Autopilot hardware, runs the full user-driven flow, holds at the Enrollment Status Page while policy and apps land, and reverts to a clean OOBE in two minutes so the next experiment starts identical to the last. That revert loop is what turns Windows enrollment from a thing you watch once into a thing you drill until it's muscle memory.
The high-level arc looks like this:
Step 1Stand up the tenantTrial or developer tenant, one admin, one test user, LAB- discipline
Step 2Checkpoint a VM at OOBEInstall Windows, stop at the first out-of-box screen, snapshot
Step 4Run user-driven + ESPWatch the Enrollment Status Page hold, then revert and rerun
Step 5Break ESP on purposeForce a failure, decode it with the diagnostics script
Prerequisites
A dedicated test tenant (free Intune trial or developer tenant) with LAB- naming on every group, profile, and policy — the habit pays off the first time you copy something into production and its name announces exactly where it came from.
A hypervisor — Hyper-V is the natural choice on a Windows host, but any hypervisor that exposes a TPM works — with enough disk for several checkpointed VMs. Each checkpoint chain costs real space; budget for it rather than discovering the limit mid-drill.
Get-WindowsAutopilotInfo for harvesting hardware hashes, and Get-AutopilotDiagnosticsCommunity for decoding what the enrollment actually did afterwards — install both from the PowerShell Gallery before you need them.
One physical machine for the truths a VM cannot represent: real firmware, TPM attestation, docking-station behavior, and vendor drivers.
Build It, Step by Step
Stand up the tenant. Create the trial or developer tenant, license one admin and one test user, and apply the LAB- prefix discipline from the first group you create. Confirm Entra join is permitted for your test user and that the MDM auto-enrollment scope covers the lab group — Windows enrollment rides identity, so this verification is the real setup work.
Build the reference VM and checkpoint it at OOBE. Install Windows in the VM, enable a virtual TPM, stop at the first out-of-box-experience screen, and take the checkpoint. This checkpoint is the lab. Every enrollment experiment starts from it and ends with a revert, which is the entire reason a Windows lab is faster than any other platform's.
Harvest the hash and register the VM. From the VM, run Get-WindowsAutopilotInfo to export the hardware hash, import it into the lab tenant, and assign the lab's Autopilot deployment profile (user-driven, Entra join). The VM is now corporate-registered hardware as far as the pipeline is concerned — indistinguishable from a real device to Intune.
Run the full user-driven flow, including ESP. Revert to the OOBE checkpoint, boot, and run Autopilot user-driven end to end. Watch the Enrollment Status Page hold the session while policy and apps land — the blocking-apps decision you make here defines the provisioning experience forever after. Then revert, change one variable, and run it again. The two-minute loop is what makes Windows worth labbing at all.
Break ESP on purpose. Assign an app that cannot install — a deliberately broken Win32 package, an impossible requirement rule — and watch the timeout behavior. Then decode the result with Get-AutopilotDiagnosticsCommunity and the Autopilot and ESP failures playbook. An ESP failure you caused on purpose is the fastest possible education in reading the ones you didn't.
Reserve the physical machine for hardware truths. Move to metal for the flows a VM genuinely cannot fake: real firmware and DFCI, vendor driver and firmware update behavior, TPM-attestation nuances, and dock or peripheral quirks. OSDCloud from the open-source toolbox earns its slot here for bare-metal-to-Autopilot practice — imaging a wiped machine straight into your registered fleet.
What Needs Real Hardware
A VM carries the enrollment pipeline faithfully, but four things resist virtualization and belong on the physical machine. Firmware and DFCI: Device Firmware Configuration Interface speaks to UEFI settings a hypervisor doesn't expose, so locking the BIOS or disabling boot devices is a metal-only drill. Driver and firmware updates: the vendor catalog only delivers to the hardware it matches, so update behavior is meaningless on a VM. TPM attestation: a virtual TPM passes the basic Autopilot checks, but attestation-backed flows and conditional-access posture want a real, vendor-provisioned TPM to be honest. And docks, peripherals, and battery realities simply don't exist in a VM. Treat the physical machine as scarce and precious — most of your hours live in the VM revert loop, and the metal is for the specific truths only it can tell.
What to Rehearse Here
Rehearse in the VM loop
Every Autopilot variant you intend to run in production, each from the same clean OOBE checkpoint
ESP failure triage, repeated until the diagnostics output reads like a narrative instead of a log
Save for the physical machine
DFCI and firmware lockdown — UEFI settings a hypervisor never surfaces
Driver and firmware update delivery against the real vendor catalog
TPM-attestation-backed enrollment and conditional-access posture checks
OSDCloud bare-metal-to-Autopilot, docks, and peripheral behavior
Insights
The Windows lab's highest-value product isn't validation — it's calibrated confidence. Knowing exactly what a broken ESP looks like before it happens to a real user turns incident response from research into recognition.
Budget honesty: a hypervisor you already own, one physical machine you can wipe, and disk for a few checkpoint chains. The Windows lab that never gets built is the one specced as a rack of hardware; the one that changes how you work fits inside a single workstation.
A Mac lab is two tiers in one: disposable Apple silicon VMs for fast profile and script iteration, and a single physical bench Mac for the enrollment, attestation, and FileVault flows that virtualization can't honestly represent. This page is the macOS-specific build; the cross-platform reasoning — ring discipline, scope-tag fencing, and why a lab beats a production corner — lives on the universal Build a Lab hub.
TenantDedicated trial/dev tenant, LAB- naming on everything
Apple relationshipLab Apple Account + the tenant's APNs push cert and ADE token
HardwareOne erasable Apple silicon Mac + disposable VMs
ABM caveatVMs are never ABM-known — rehearse ADE on a real ring-1 device
What You're Building
Apple silicon made the Mac lab genuinely affordable. UTM and Parallels — both built on Apple's Virtualization framework — spin up disposable macOS guests that are gold for profile testing, script dry-runs, and validating each new OS release before it reaches the fleet. Sitting underneath that fast tier is one piece of real metal: a bench Mac you are willing to erase. On Apple silicon, Erase All Content and Settings makes a full reset a sixty-second menu item rather than a reinstall afternoon, so the same physical unit can take a fresh enrollment several times a day. The whole lab — host, VMs, and one used Mac mini — fits in a drawer and costs less than a single production incident.
Step 1Stand up the tenantTrial/dev tenant, LAB- discipline, one licensed test user
Step 2Wire the Apple plumbingLab Apple Account, APNs cert, ADE token from the lab's ABM
Step 3Build the VM tierOne UTM/Parallels guest per OS release, snapshotted clean
Step 4Enroll the bench MacReal ADE + bootstrap token + FileVault escrow on metal
Step 5Rehearse the hard flowsPlatform SSO, DDM updates, PPPC — until they hold no suspense
Prerequisites
A dedicated test tenant (free Intune trial or a developer tenant) with LAB- prefixing on every group, profile, and policy so nothing is ever mistaken for production.
A lab Apple Account created as an organizational identity (appleid-mdm-lab@yourdomain, backed by a shared mailbox) — never a personal Apple ID, because it owns the lab tenant's push certificate and must outlive whoever set it up.
The lab tenant's APNs certificate (one per tenant covers every Apple enrollment) and, for device enrollment, an ADE token exchanged against the lab's own ABM organization.
An Apple silicon host running UTM or Parallels for disposable VMs, plus one erasable bench Mac — a used mini earns its keep inside the first quarter.
Build It, Step by Step
Stand up the tenant. Spin up a trial or developer tenant, license one test user, and commit to LAB- naming immediately — the discipline is worthless if it starts late.
Wire the Apple plumbing in order. Connect the lab Apple Account's APNs certificate first (nothing Apple enrolls without it), then exchange an ADE token against the lab's ABM organization, and add a VPP token so app licensing exists before your first app assignment. Calendar the APNs renewal before you close the tab.
Create the disposable VM tier. Build a UTM or Parallels guest per OS release you support, snapshot each one in a clean state, and make this tier the default first-run destination for every profile, script, and update policy. Revert-to-snapshot is your fastest reset.
Put the bench Mac through real enrollment. Assign it an ADE profile in the lab tenant and run Automated Device Enrollment end to end — Setup Assistant, MDM check‑in, the works. VMs are never ABM-known hardware, so this physical unit is the only thing that tells you the truth about the enrollment flow.
Rehearse the bootstrap token and FileVault escrow. Confirm the bootstrap token escrows to the lab tenant during enrollment, enable FileVault, and verify the personal recovery key escrows and is retrievable from the admin center. Then deliberately simulate a locked-out morning and recover from the escrowed key — before a real one makes it urgent.
Reset and repeat. Use Erase All Content and Settings to wipe the bench Mac back to a clean Setup Assistant and run the whole sequence again. Each loop is one more rehearsal of the day a real device fails.
The ABM + virtualization reality
This is the one place a Mac lab cannot cheat, and it mirrors the iOS story exactly. ADE requires Apple Business Manager, and ABM requires a real organization — a legal entity, a D-U-N-S number, a verifiable contact, and a signup that takes days. There is no sandbox ABM. So your lab tenant either gets its own real (small) ABM organization, or you accept that the genuine ADE rehearsal happens on a ring-1 device in the org's actual ABM, treated as the first cautious production enrollment rather than a throwaway.
Virtualization has a hard ceiling too. macOS guests on Apple silicon are real and useful, but they are not ABM-known hardware, so ADE simply cannot target them. They also lack a Secure Enclave and the T2/secure-boot identity that several management behaviors depend on: Managed Device Attestation, hardware-bound keys, and some bootstrap-token and FileVault interactions need real metal to behave honestly. Apple's VM licensing also bounds how many guests you may run — the Apple silicon operations page covers the count. For everything below the enrollment layer — profile payloads, script logic, app installs, OS-release smoke tests — VMs are the faster, cheaper tool and you should reach for them first.
When you need local supervision without ADE — capturing a retail-bought Mac, or bench-provisioning a unit — Apple Configurator on a second Mac is the tool. Its companion flow can also add a retail Mac into ABM after the fact, which is how a lab unit bought off the shelf joins the org relationship at all.
What to rehearse here
The lab's job is to turn every production surprise into recognition. Drive these until they bore you:
Rehearse on the bench Mac
Platform SSO registration and its failure modes — watched once in the lab, recognized forever after
Declarative software updates with a real deadline, so you see the user-facing countdown and enforcement before a fleet does
PPPC prompts against the actual apps you deploy, confirming the payload silences the prompt it's meant to
Bootstrap-token escrow and FileVault recovery, run end to end until they hold no suspense
Split the work by altitude: iterate in VMs, validate on metal. Almost everything you change day to day is a payload or a script, and those belong in a snapshot-revert VM. The bench Mac is reserved for the few flows — enrollment, attestation, escrow — that only real hardware can prove.
When enrollment or a profile misbehaves in the lab, the Mac enrollment and profile issues page is the first stop — and the lab is exactly where you should learn to read those failures, where the stakes are zero.
The lab that never gets built is the one specced as a rack. One erasable Mac, a hypervisor you already own, and a free tenant is a complete macOS lab — and it changes how calm you are at 9 a.m. on a FileVault lockout.
The known-good starting floor for every platform — where to start, what to adopt, and how to adapt a baseline to your org.
A baseline is a reviewed set of security and configuration decisions that gets a new tenant from blank to defensible without re-deriving every setting yourself. It is a starting point, not a final state — you adopt it, then adapt it. Every platform on this site has a baseline; pick your platform above and this page points you at the right one, plus the adoption discipline that applies everywhere.
Adopting Any Baseline, Step by Step
Review before assigning. Every baseline encodes opinions. Inventory the settings that change user-visible behavior and flag anything your org cannot accept. The review takes about an hour and prevents a wave of support tickets.
Deploy to a pilot ring first. A baseline meets your hardware, apps, and users for the first time in the pilot — surface conflicts there, not across the whole company.
Track your deviations; don't fork. Keep a short document recording where you depart from the published baseline. When the upstream baseline updates, you re-apply your known deltas instead of re-evaluating every setting from scratch.
Re-review on a cadence. Baselines age as the OS and threat landscape change. Schedule a quarterly review and treat baseline version bumps like any other ringed rollout.
Android's floor is the hardening baseline — the restriction and security posture that corporate-owned modes should start from — backed by compliance policies with Play Integrity anchoring the trust story, and device restrictions tuned per management mode. As with Apple, Microsoft ships no Android security baseline — hardening comes from CIS, Android Enterprise, and the App Protection Framework.
Start with Microsoft's own security baselines — deployed in audit mode first, exactly as that guide prescribes — then layer the ASR rules cookbook and the endpoint security family. The community OpenIntuneBaseline is the field-tested alternative when you want opinionated coverage that maps to real-world fleets. Windows is the one platform where Microsoft ships real importable baselines — treat them as the floor and CIS as the regulated overlay.
A baseline's real value is a documented, defensible default. When a security review asks why a setting is configured the way it is, "we reviewed the published baseline and recorded our deviation" is an answer; "that's how it was when I got here" is not.
Keep the baseline separate from the hardening roadmap. The baseline is what every device gets today; the roadmap is a separate, ringed project of future tightening. Combining them stalls both.
r/Intune — day-to-day questions, war stories, and the occasional gold-mine thread.
Mac Admins Slack — Apple-centric by name, but #microsoft-intune is one of the most active Intune channels anywhere and platform-agnostic in practice. Join here.
The Apple admins community Slack — its #microsoft-intune channel is one of the most active Intune channels anywhere, with deep Apple device management expertise on tap. Join here.
The #microsoft-intune community Slack — a long-running admin community workspace whose Intune channel is one of the most active anywhere and platform-agnostic in practice. Join here.
bayton.org (Jason Bayton) — the community Android Enterprise resource: mode deep-dives, zero-touch guides, and honest platform commentary. Required reading alongside the Android sections of this site.
call4cloud (Rudy Ooms) — the deepest Intune-internals writing anywhere; the investigative method transfers to every platform.
scloud.work (Florian Salzmann) — practical Intune guides and ready-to-use templates.
andrewstaylor.com (Andrew Taylor) — Intune automation and Graph scripting at volume.
Ugur Koc's blog — Intune automation and community tooling, including IntuneAssignmentChecker.
oofhours.com (Michael Niehaus) — Autopilot and Windows deployment lore from the person who built much of it; the Windows section's recommended deep-reading.
SkipToTheEndpoint — Windows endpoint engineering and the OpenIntuneBaseline project.
Der Flounder (Rich Trouton) — two decades of MacOS administration depth; required reading for anyone running Macs in production.
Watch and Listen
Intune.Training — the long-running community YouTube series; excellent onboarding material for the Learning Path.
Mac Admins Podcast — Apple platform management weekly; the MDM-protocol episodes are required listening for anyone running Apple devices under MDM.
Mac Admins Conference (Penn State) — the Apple-management community's annual gathering; Intune content grows every year.
The Apple admins conference at Penn State — the Apple-management community's annual gathering; Intune content grows every year.
MMS (Midwest Management Summit) — deep Microsoft endpoint management, small-room format, heavy Intune track year after year.
WWDC (online, free) — where the Apple management features covered on this site are first announced.
Google I/O (online, free) — where the Android management features covered on this site are first announced.
Microsoft Ignite (sessions stream free) — where the headline Intune and Windows-management announcements land each year.
Community
Community Tools and Scripts
The open-source and free tooling Intune admins actually use, organized by job.
Tools built by the community (and a few by vendors, free) that make device management with Intune meaningfully better. Found something that belongs here? Contribute it.
Graph, Automation, and Config-as-Code
Graph Explorer (Microsoft) — run any Graph call against your tenant interactively. Prototype here, script after.
Graph X-Ray — browser extension that reveals the exact Graph calls the Intune portal makes as you click. The fastest way to discover an undocumented endpoint or payload shape — indispensable for everything in our automation section.
IntuneAssignmentChecker (Ugur Koc) — answers "what is actually assigned to this user/device/group" across policies and apps, every platform. The assignment-audit tool the portal should have shipped with.
IntuneCD (Tobias Almén) — configuration-as-code: backs up, documents, and diffs your entire Intune configuration (every platform, the lot) into a Git repo. Change tracking, drift detection, tenant-to-tenant promotion.
IntuneDeviceDetailsGUI (Petri Paavola) — a PowerShell GUI showing everything about one device — assignments, group memberships, applied policies — in a single pane.
Apple-Side Tooling
Apple Configurator (the desktop app plus its iPhone companion app) — Apple's own tool; essential for adding retail devices to ABM and bench provisioning.
Apple Configurator — Apple's own tool; the companion app captures retail-bought Macs into ABM, and the desktop app revives or restores Apple silicon Macs that no longer boot.
Apple Devices app (Microsoft Store) — Apple's app for updating and restoring iPhones and iPads from an ordinary office desktop; the bench-recovery tool when no dedicated Apple hardware is around.
libimobiledevice — open-source CLI suite for talking to iOS devices from practically any desktop OS; idevicesyslog streams live device logs with no extra Apple hardware required.
Android-Side Tooling
Test DPC (Google) — Google's open-source test device policy controller: spin up a work profile or device-owner sandbox and explore every Android Enterprise policy hands-on before you build it in Intune. The single best Android learning tool in existence.
PSAppDeployToolkit — the community-standard framework for installs needing logic: process closing, user dialogs, pre/post steps. If a Win32 package has more than two moving parts, it belongs in PSADT.
OpenIntuneBaseline (SkipToTheEndpoint) — community Windows security baseline as reviewable Settings Catalog policy; the settings-as-code counterpart to Microsoft's sealed baselines.
Mist — fetches MacOS installers/IPSWs on demand; the lab and re-provisioning companion.
Frequently Asked Questions
FAQ
Frequently asked questions about managing devices with Microsoft Intune — organized by platform.
Common questions every admin runs into. The first three apply to every tenant; the rest are specific to the platform you have selected.
What licenses do my users need?
Microsoft Intune Plan 1 (included in Microsoft 365 E3/E5, Business Premium, EMS E3/E5, and others) covers everything on this site unless a page notes otherwise.
Why is a brand-new device "not compliant" right after enrolling?
Compliance needs a first full check‑in plus Entra device registration to complete — usually a few minutes. If it persists past ~15 minutes, open the device's compliance blade and check which specific setting is failing. The blanket "not compliant" state is a symptom; the per-setting view is the diagnosis.
What's the difference between Retire, Wipe, and Delete?
Retire removes company data, apps, and management while leaving personal data intact — the action for a personal device leaving management.
Wipe is a full factory reset — the action for corporate hardware being decommissioned or redeployed.
Delete removes only the Intune record without touching the device — a last resort for dead or unreachable hardware, never the first move.
Each platform has nuances on what these actions reach; the platform's enrollment pages carry the details.
Do iOS devices support scripts?
No — iOS exposes no mechanism for MDM to execute arbitrary code on the device. Everything you configure happens through MDM profiles, managed apps, and declarative configurations; fleet automation happens server-side via the Microsoft Graph API.
What's the difference between supervised and unsupervised?
Supervision is an Apple device state (not an Intune setting) that unlocks the most powerful management capabilities: Lost Mode, Single App Mode, Home Screen Layout, blocking app removal, silencing Activation Lock, many restrictions, and more. Devices become supervised through Automated Device Enrollment or Apple Configurator. BYOD devices are never supervised.
Do I really need Apple Business Manager?
For corporate-owned devices: yes, full stop. ABM gives you Automated Device Enrollment (zero-touch, supervised, non-removable management) and Apps & Books (app licensing without Apple IDs). For a pure BYOD/MAM environment you can technically operate without it, but you still need ABM for Managed Apple Accounts if you want account-driven enrollment.
Why does my Apple MDM Push certificate matter so much?
Every command Intune sends to every Apple device flows through the Apple Push Notification service using that one certificate. If it expires, all enrolled Apple devices stop receiving commands until you renew it — and if you renew with a different Apple ID, every device must be re-enrolled. Treat the Apple ID that created it as a crown jewel. See Apple MDM Push Certificate.
Can users remove management from their devices?
ADE-enrolled (supervised): No, if the enrollment profile is locked — management survives even a device wipe.
Device enrollment (web/Company Portal): Yes, users can remove the management profile.
Account-driven user enrollment (BYOD): Yes, users can sign out of work at any time, which removes all work data.
Should I use device licenses or user licenses for VPP apps?
Device licensing is the default recommendation: no Apple ID required on the device, apps install silently on supervised devices, and licensing is tied to the serial number. User licensing only makes sense for Shared iPad scenarios with Managed Apple Accounts.
Does Intune support eSIM?
Intune can collect eSIM identifiers (EID) in hardware inventory and supports eSIM activation via mobile network operators that provide activation servers, but carrier support varies widely. Plan a pilot with your carrier before committing to an eSIM-only fleet.
Can I rename devices remotely?
Yes — supervised devices accept the setDeviceName action (per-device in the portal, or fleet-wide with our Bulk Device Rename script). Pair it with a restriction blocking user renames so your naming convention holds.
Can I block iOS updates forever?
No — deferral maxes out at 90 days (supervised). Apple intends this as a validation window, not an indefinite hold. Build the ring-based enforcement model instead.
Does wiping a device remove it from Apple Business Manager?
No. ABM ownership is permanent (after any provisional window) and survives every wipe — that's exactly what makes ADE management non-removable. Devices leave ABM only by explicit release in the portal.
Is GCC / government cloud different?
The Apple half (ABM, APNs, VPP) is identical; the Microsoft half uses different endpoints in GCC High/DoD and trails commercial on feature releases. Details and script portability guidance: Sovereign Clouds and GCC.
Why can't I use Android device administrator anymore?
Google removed its powers — Android 10 deprecated most of the legacy device admin API, and Android Enterprise is the only supported management model now. Anything still on device admin is technical debt that will require re-enrollment.
Can my company see my personal apps in a work profile?
No — and not as a policy choice, as architecture. The work profile is a sealed container; the org manages inside it and cannot see personal apps, photos, or messages. The OS enforces the separation, which is what makes the work profile the right BYOD answer.
What does "Wipe" actually do on Android?
It depends on the management mode: on a BYOD work profile, wipe/retire removes only the work profile — the device and personal data are untouched. On fully managed and dedicated devices, wipe is a full factory reset. Confirm which fleet you are targeting before clicking; the button reads the same.
Is Play Integrity the same thing as SafetyNet?
Play Integrity is SafetyNet's successor — Google's device attestation service. Intune compliance policies consume its verdicts to verify the device is certified and untampered; if your documentation or vendor still says "SafetyNet," read it as Play Integrity.
Can Intune manage Android devices without Google services?
Only via AOSP mode, with a reduced feature set — no Managed Google Play, no Play Integrity. It exists for GMS-less rugged and specialty hardware on Intune's supported list. For everything else, GMS certification is a hard requirement — check before buying gray-market hardware.
Can I deploy paid apps through Managed Google Play?
Practically, no — Managed Google Play's enterprise distribution is built around free apps and your own private apps; there is no bulk purchase mechanism. Vendors with paid consumer apps nearly always offer an enterprise or private build — that is the conversation to have.
Do I need Configuration Manager to manage Windows with Intune?
No — cloud-native Windows (Entra join + Autopilot + Intune) needs no ConfigMgr at all. Where ConfigMgr already runs the estate, co-management lets workloads move to Intune one at a time; it is a migration bridge, not a requirement.
Entra join or hybrid join?
Entra join for everything new; hybrid only where a specific, enumerated legacy dependency forces it — and even then as a bridge with a retirement date. The on-prem-resources objection is mostly obsolete: cloud Kerberos trust lets Entra-joined devices reach AD file shares and printers.
Does Autopilot replace imaging?
For cloud-native fleets, yes — the OEM image plus Autopilot's transformation of OOBE replaces build-and-capture imaging. You give up the golden image and the work of maintaining it.
Where do BitLocker recovery keys live?
Escrowed to Entra ID by policy, with audited admin retrieval, user self-service lookup, and rotation after use. Measure escrow coverage, not just encryption coverage — an encrypted disk whose key never escrowed is a future lockout.
Can users stay local admins?
The defensible posture is standard users plus Windows LAPS as the managed break-glass path. Give power users a defined elevation path rather than standing admin rights; broad exemptions undermine the whole model.
Does Intune replace Jamf for Macs?
For most fleets, capability-wise, yes — ADE, DDM updates, Platform SSO, FileVault escrow, PPPC, and scripts are all first-class. The honest caveats: the idioms differ (Smart Groups become filters, policies become scripts), and Apple's June feature announcements land in Intune on Microsoft's adoption curve. For Microsoft-stack orgs, single-console economics usually decide it.
Do Macs need Apple Business Manager?
For corporate Macs, treat it as required: ABM is what makes Automated Device Enrollment possible — supervised, mandatory, wipe-surviving management — plus app licensing through Apps & Books. A Mac outside ABM can still enroll, but management is removable and the deeper controls stay locked.
Where do FileVault recovery keys live?
Personal recovery keys escrow to Intune by policy, with audited retrieval and rotation after use. Measure escrow coverage, not just encryption coverage, and rehearse the locked-out-recovery procedure on a bench unit before you need it in production.
Can users stay local admins?
The mature posture is standard users plus a hidden managed admin account plus a defined elevation process — the account strategy decision made at enrollment time. Standing admin rights undermine the security model; a real elevation path keeps it intact while still serving power users.
What must exist before the first device enrolls — licensing, identity, admin access, and the platform-specific accounts and programs.
This page is the checklist to complete before tenant setup. Four items apply to every tenant; the rest depend on the platform you manage.
LicenseIntune included and assigned to pilot users
IdentityHealthy Entra ID — cloud-only or fully syncing
Admin accessIntune Administrator for daily work; Global Admin reserved as break-glass
BrowserModern browser signed into the correct tenant
Universal Prerequisites
Licensing. Confirm your plan includes Intune (Intune Plan 1 standalone, EMS E3/E5, or a Microsoft 365 bundle — verify against the licenses doc) and assign the license to your pilot users in Microsoft 365 admin center > Users. A purchased-but-unassigned license blocks enrollment.
Identity. Entra ID must be healthy — cloud-only, or with Entra Connect sync fully configured. A partially-configured hybrid identity (sync errors, unverified UPN suffixes) is the most common cause of day-one enrollment failures.
Admin access. Assign the built-in Intune Administrator role for routine work. Keep Global Administrator for break-glass only and document the break-glass accounts — see RBAC and Scope Tags.
Browser and tenant. Use a current browser signed into the correct tenant. Confirm the tenant in the account switcher before configuring anything; an admin signed into the wrong tenant is a recurring source of lost time.
Platform-Specific Prerequisites
Two Apple relationships must exist before any iOS/iPadOS device enrolls:
An Apple Account for the APNs certificate. Create it as an organizational account (for example appleid-mdm@yourdomain, backed by a shared mailbox), never a personal Apple ID — this identity must outlive any individual employee. The APNs certificate page covers why its renewal date belongs on multiple calendars.
Apple Business Manager enrollment for anything supervised at scale. ABM signup requires legal-entity details and a D-U-N-S number and takes days, not minutes — start it first. BYOD-only pilots can begin on the APNs certificate alone.
One Google relationship: the account that binds Managed Google Play to the tenant. Create a fresh Google account specifically for this (for example mgp@yourdomain, backed by an organizational mailbox) — never a personal Gmail, because this identity owns the enterprise's Play relationship permanently and cannot be changed later without re-binding. There are no device-side prerequisites beyond GMS-certified hardware (AOSP fleets are documented separately). Zero-touch and Knox Mobile Enrollment are set up later through resellers and need nothing pre-staged now.
The shortest list:
Confirm Entra join is permitted. In Entra admin center > Devices > Device settings, allow users to join devices; in Entra > Mobility (MDM and MAM) > Microsoft Intune, set the MDM user scope to your pilot group.
Confirm the edition story. OEM Pro hardware steps up to Enterprise via subscription activation when the user's license carries it, so the Windows license assignment belongs on this checklist, not later.
Autopilot needs no further pre-work beyond deciding who will harvest or supply hardware hashes.
Macs run on the tenant's shared Apple foundations:
APNs certificate. A single APNs certificate per tenant covers every Apple enrollment — if one already exists for iOS, Macs are covered.
Licenses assigned to pilot users (not just purchased).
Identity signs in cleanly with no sync errors.
Admin roles issued and break-glass accounts documented.
Platform accounts created with renewal dates on a shared calendar.
Insights
Treat every credential created on this page as organizational infrastructure: shared-mailbox-backed, documented, and renewal-calendared. The two failures this prevents — an APNs certificate tied to a departed employee's Apple ID, and a Managed Google Play binding on a personal account — both require disruptive re-enrollment to recover from.
From empty tenant to enrollment-ready — the universal configuration spine, then the per-platform connectors in the right order.
A fresh tenant becomes enrollment-ready in an afternoon if the steps run in order. The universal spine first: confirm the MDM authority is Intune (modern tenants default correctly), set auto-enrollment scope (Entra > Mobility > Microsoft Intune — MDM user scope to your pilot group), build the starter group structure (dynamic groups and filters — an all-pilot-users group and per-platform device filters carry you surprisingly far), apply company branding (logo and support contact — it appears in every enrollment flow and Company Portal, so first impressions are configured here), and set enrollment restrictions deliberately rather than inheriting defaults — personal-device posture per platform is a policy decision, not an accident.
Step 1Confirm MDM authorityIntune — modern tenants default correctly
Step 2Set auto-enrollment scopeEntra > Mobility > Microsoft Intune — MDM user scope to the pilot group
Step 3Build starter groupsAll-pilot-users group plus per-platform device filters
Step 4Apply company brandingLogo and support contact appear in every enrollment flow
Step 5Set enrollment restrictionsPersonal-device posture is a decision, not an inherited default
Then the platform connectors, in the order that avoids rework:
Order matters absolutely here. First the APNs certificate — nothing Apple enrolls without it; created with the organizational Apple Account from prerequisites, renewal calendared before you close the tab. Then the ABM token: link Intune as an MDM server in ABM, exchange tokens, set the default device assignment. Then VPP: the Apps and Books token so app licensing exists before the first app assignment. Finish with an ADE enrollment profile for corporate devices, and the enrollment-method page decides the BYOD lane.
One connector does most of the work: bind Managed Google Play using the dedicated Google account from prerequisites — five minutes that unlocks the entire Android Enterprise surface. Then create enrollment profiles per management mode you'll actually run (work profile arrives nearly free; corporate-owned modes generate the provisioning tokens and QR payloads), approve your first apps in Managed Google Play, and set Android enrollment restrictions to match your BYOD stance.
Windows enrollment rides identity, so most setup is verification: auto-enrollment scope covers the pilot group (set in the spine above), then stand up Autopilot — import a first hardware hash, create a deployment profile (user-driven, Entra join), and configure the Enrollment Status Page deliberately: the blocking-apps decision made here defines your provisioning experience forever after. A starter Settings Catalog profile and one required app make the first enrollment prove the whole pipeline.
Macs reuse the Apple plumbing — a single APNs certificate per tenant covers every Apple enrollment (if your tenant already has one, this step is done), and the same ABM token serves Mac ADE; what's Mac-specific is its own enrollment profile (the Setup Assistant and await-configuration decisions) and the early account-strategy choice that's expensive to change later. Add VPP app licensing and a first shell script to prove the script channel, and the bench Mac from the lab takes the inaugural enrollment.
Prove It
The setup isn't done when the consoles are green — it's done when one device per platform has enrolled, received a profile, installed an app, and reported compliant. That four-line verification is the afternoon's real deliverable, and the device that did it becomes ring 1's founding member.
Insights
Resist configuring everything on day one: the tenant needs exactly enough to enroll and prove the pipeline. Every policy added before the first successful enrollment is a variable you'll have to rule out when something fails — the build-up discipline starts here.
A full simulated Microsoft Intune admin center — Devices, Apps, Endpoint security, Enrollment, Updates, Reports, Users, Groups, Tenant administration, and Troubleshooting, mirroring the real console's menus blade by blade. Generate a fleet, build dynamic groups with real query logic, deploy configuration and apps, harden with Endpoint security, watch compliance evolve. Nothing here touches a real device.
Simulated tenant
Everything below runs locally in your browser and persists to this device. Set the environment size in Tenant administration → Simulator settings, then explore — or hit Advance time and watch the fleet live. Reset any time.
Loading simulator…
Decision Tools
Decision Tools
Stop guessing. Answer a few questions and get a concrete, defensible recommendation — then the exact guides to execute it. Built for engineers who are new to Intune and need the right path, not every path.
Endpoint management is a series of either/or decisions made under pressure: which enrollment method, which config surface, which app type, MDM or MAM. Pick wrong early and you rebuild later. These tools encode the decisions experienced engineers actually make, so you start from a defensible default and adapt — not from a blank tenant.
Decision Wizards
Branching questionnaires that take your situation — platform, ownership, use case — and land on a single recommendation with links to execute it.
🧭 Which enrollment method?
The first and most consequential decision. Platform, ownership, and supply chain decide whether you land on Autopilot, ADE, work profile, or app-only management.
Enrollment is the foundation — it decides your management ceiling for the life of the device. Answer three questions and land on the right method, with the guide to execute it.
Why enrollment is the decision that sticks
Every later choice — which restrictions apply, whether you can wipe selectively, how much the device trusts you — is bounded by how it enrolled. A BYOD phone enrolled with App Protection can never be force-restricted like a supervised corporate device, and a retail Mac outside ABM can never be made truly zero-touch after the fact without a wipe. Get this right first; the rest of the stack builds on it.
Decision Tools · Comparison
MDM vs MAM
Manage the whole device, or just protect the data inside the apps? The decision that defines your BYOD strategy.
MDM (Mobile Device Management) enrolls and manages the entire device — restrictions, configuration, compliance, the works. MAM (Mobile Application Management), delivered through App Protection Policies, protects company data inside managed apps without enrolling or controlling the device. The split usually falls on ownership: you manage what you own, you protect data on what you don't.
Criterion
MDM (device enrollment)
MAM (App Protection)
Enrollment required
Yes — device is enrolled and managed
No — works with or without enrollment
Scope of control
Whole device — OS settings, restrictions, Wi-Fi, certs, apps
Company data within managed apps only
Best fit
Corporate-owned devices
Personal / BYOD devices
Wipe scope
Full wipe or retire the whole device
Selective wipe — only company data in the app
User privacy
Lower — IT sees device inventory, location capabilities
High — IT never sees personal data or the device
Control ceiling
High — enforce passcode, encryption, OS version, threat level
Moderate — PIN, cut/copy/paste, save-as, jailbreak block per app
Conditional Access
Require compliant device
Require app protection policy
Setup effort
Higher — enrollment program, profiles, compliance
Lower — policy targets users, no device onboarding
Choose MDM when…
The device is corporate-owned
You need device-level restrictions (kiosk, Wi-Fi/VPN/cert profiles, OS-version enforcement)
Compliance must gate access via require compliant device
You're deploying shared, frontline, or single-purpose hardware
Choose MAM when…
The device is personal / BYOD and you can't (or shouldn't) take it over
You only need to protect company data in Outlook, Teams, Edge, Office
User privacy and low onboarding friction matter
Contractors or unmanaged devices need access to specific apps
The pragmatic answer for most fleets is both: MDM for corporate-owned devices, MAM for BYOD — and on enrolled corporate devices you can layer App Protection on top for defense in depth. Not sure which a given device needs? Run the enrollment wizard.
Decision Tools · Blueprint
Corporate Windows knowledge worker
A complete, ordered starter stack: from a boxed laptop to a hardened, compliant, app-ready Windows device — every component linked to the guide that builds it.
🪟 The stack
Platform: Windows 11 · Ownership: Corporate · Identity: Entra join · Effort: ~1 day to pilot
Register devices to Autopilot & deploy a user-driven profile
Get hardware hashes into Autopilot (OEM, reseller, or manual import) and create a user-driven deployment profile with an Enrollment Status Page that blocks until critical apps land. Autopilot user-driven →
Set the configuration baseline with the Settings Catalog
Author your org's device configuration in the Settings Catalog — the modern CSP-backed surface. Keep one home per setting. Settings Catalog & CSPs →
Apply the Microsoft security baseline
Deploy the Security Baseline for Windows 10 and later in audit-mindset first, then ring it out. This is your hardening floor. Security baselines →
A compliance policy (encryption, Secure Boot, threat level, min OS) makes the posture real; Conditional Access then requires a compliant device for corporate resources. Windows compliance policies →
Manage updates with Update rings
Pilot and broad Windows Update for Business rings with deferrals and deadlines — controlled patching, not surprise reboots. Update for Business →
Ship the app set
Microsoft 365 Apps, Edge, and the Company Portal as required; Win32 packaging for everything else with proper detection and requirement rules. Win32 app packaging →
What this gets you
Zero-touch provisioning — ship the laptop straight to the user
A hardened, audited, compliant baseline from day one
Conditional Access that trusts the device because it's actually compliant
Controlled patching and a clean app catalog
Common first-timer traps
Assigning the security baseline and a Catalog profile to the same setting → conflict
An ESP that blocks on an app that never installs → stuck OOBE
Skating past the pilot ring straight to the whole fleet
Compliance policy with no Conditional Access — posture set but never enforced
Want to practice this end-to-end with zero risk? Build the whole stack in the Intune Simulator first.
Decision Tools · Wizard
Which app deployment type?
Intune doesn't deploy "an app" — it deploys a specific app type, and the right one depends on the platform and how the software is packaged. Pick wrong and you fight detection rules, broken updates, or a missing licence. Answer two questions and land on the exact type to create.
Why the type matters more than the app
Two engineers can "deploy Chrome" and end up with completely different reliability because one chose a Win32 wrapper with solid detection and the other fought the store catalog. The app type decides how installs are detected, whether updates are automatic or manual, whether licensing flows through VPP, and what config you can layer on. Match the type to the package — installer complexity, source, and licensing — and most of the pain disappears before you assign anything. When you genuinely can't make a simpler type work on Windows, Win32 is the capable fallback that can model almost anything.
Decision Tools · Wizard
Which configuration surface?
Intune gives you several places to author the same setting — and picking the wrong one means a brittle profile, a setting that won't apply, or a conflict with another policy. There's a clear order of preference. Answer a few questions and land on where this setting actually belongs.
The order of preference, and why
There's a deliberate hierarchy here. Settings Catalog first — it's the modern, flat, searchable surface and Microsoft is steadily moving everything into it. Reach for a Template profile when the thing you're configuring is a whole scenario (VPN, Wi-Fi, certificates, email, kiosk, endpoint protection) that wires up interdependent values you shouldn't hand-assemble. Use Administrative Templates / imported ADMX for classic Group Policy settings that haven't made it into the catalog yet. And treat Custom (OMA-URI / .mobileconfig) as the genuine last resort — only when the setting exists in no friendlier surface at all.
The one rule that survives every surface: one home per setting. A given setting should be authored in exactly one profile. The fastest way to a "why won't this apply?" ticket is configuring the same value in a Catalog profile and a template (or a custom OMA-URI) at once — Intune reports a conflict and neither side wins cleanly. Pick the right surface, put the setting there, and don't set it anywhere else.
Decision Tools · Comparison
Settings Catalog vs Templates
Two ways to author Windows configuration. One is the modern default; the other still owns a handful of scenarios you can't build anywhere else.
The Settings Catalog is a flat, searchable list of CSP-backed settings — you pick exactly what you want, named the way the CSP names it, and nothing else comes along. Classic Template profiles (Device restrictions, Endpoint protection, and the rest) are curated, grouped bundles Microsoft hand-built before the catalog existed. The catalog is where Microsoft is investing and where new work should start; templates linger because some scenarios — VPN, Wi-Fi, certificates, email — still only ship as a template. Most of this lives behind the Settings Catalog & CSPs surface.
Criterion
Settings Catalog
Template profiles
Setting coverage
Broadest — thousands of CSP settings, updated as new ones ship
Fixed set — only what the template author curated
Discoverability / search
Searchable — type the setting name and add it
Browse fixed categories; no cross-template search
Naming
CSP / ADMX names — maps straight to docs and reports
Friendly labels — easier to read, harder to trace to a CSP
Report granularity
Per-setting status in the configuration report
Coarser — per-profile, less per-setting detail
Scenario templates (VPN / Wi-Fi / cert / email)
Gaps — these aren't fully in the catalog yet
Only home — these scenarios still exist only as templates
Conflict behavior
Setting-level — two profiles touching one setting conflict cleanly
Profile-level overlap is easy to create by accident
Future direction
Where Microsoft is investing — new settings land here first
Maintenance mode — no new template categories coming
Learning curve
Steeper at first — you must know the setting you want
Gentler — grouped, labeled, discoverable by browsing
Choose the Settings Catalog when…
You're authoring new configuration — make it your default surface
You want per-setting reporting and clean conflict resolution
The setting maps to a known CSP and you can search for it by name
You're consolidating sprawl — one home per setting, no overlapping profiles
Choose a Template when…
The scenario only exists as a template — VPN, Wi-Fi, certificates, email profiles
You're maintaining an existing template profile that already works
You want a grouped, labeled starting point while you learn the CSP names
You need Endpoint protection / Device restrictions areas not yet mirrored in the catalog
The pragmatic rule: catalog-first, templates where you have no choice. Build all new baseline configuration in the Settings Catalog, and reach for a template only when the scenario — a VPN, a Wi-Fi network, a SCEP/PKCS certificate — simply isn't available anywhere else. Don't migrate working template profiles for the sake of it; do stop creating new ones. When in doubt, search the catalog first — if the setting is there, that's its home.
Decision Tools · Comparison
Work Profile vs Fully Managed
Two Android Enterprise modes that look similar in the console and behave nothing alike on the device. The split is ownership.
Personally-owned work profile is the BYOD container: Android carves a managed work area onto a user's personal phone, and IT manages only what's inside it. Fully managed (corporate-owned, COBO) takes the whole device — every app, every restriction, no personal side at all. The decision is almost always about who owns the hardware. Start from choosing a management mode if you're not sure which scenarios you're even solving for.
Criterion
Work profile (BYOD)
Fully managed (COBO)
Ownership
Personal device — user owns the hardware
Corporate device — the org owns it
Scope of control
Work container only — personal side is untouched
Whole device — every app and setting
Personal-data privacy
High — IT can't see or touch personal apps or data
User-driven from the personal device via Company Portal
Provisioned at setup — QR / NFC / zero-touch / token
Choose Work Profile when…
The phone is employee-owned and you can't take the whole device
Personal-data privacy is a hard requirement
You only need work apps and a managed container, not device-wide control
You want a selective wipe that leaves the user's personal side intact
Choose Fully Managed when…
The device is corporate-owned and there is no personal use
You need device-wide restrictions, hardware control, or kiosk lockdown
You're deploying frontline, shared, or single-purpose Android hardware
A full wipe on offboarding is acceptable — and expected
The pragmatic answer maps to ownership: protect what you don't own, control what you do. Work profile for BYOD, fully managed for issued corporate devices. There's also a middle ground — corporate-owned work profile (COPE) — a corporate device that still carves out a private work profile, giving the user a personal side on hardware the org owns. And on personal devices where even a work profile is too much, you can drop to App Protection Policies (MAM) and protect data inside the apps without enrolling the device at all.
Decision Tools · Blueprint
BYOD iPhone with App Protection
A complete, ordered starter stack for personal iPhones touching corporate data: protect the data inside the apps, not the whole device — every component linked to the guide that builds it.
📱 The stack
Platform: iOS/iPadOS · Ownership: Personal · Identity: Entra · Effort: ~half a day to pilot
Pick your enrollment posture: light enrollment or enrollment-free
Either enroll the device with Account-Driven User Enrollment for a managed APFS data volume and per-app management, or stay enrollment-free and let App Protection do all the work on unenrolled devices. For BYOD, enrollment-free MAM is the lower-friction default; reach for AdUE only when you need managed app config or a managed identity on the device. Account-Driven User Enrollment →
Create an App Protection Policy for iOS
This is the heart of BYOD. Require a PIN (or biometric) to open managed apps, enforce app-level encryption, and clamp the data exits: block save-as to personal locations, restrict cut/copy/paste to managed apps, and disable backup of org data. The container is what you wipe — never the personal device. App Protection Policies →
Layer App Configuration onto the managed apps
Where applicable, push App Configuration to Outlook and other managed apps to pre-set the account, block adding personal accounts to the managed app, and steer links and attachments back into the managed set. Configuration plus protection is what makes the experience feel intentional rather than punitive. App Protection & configuration →
Gate access with Conditional Access requiring app protection
Build a Conditional Access policy that requires an approved client app with an App Protection Policy for the mobile platform — not a compliant device. This is the lever that makes the whole thing real: corporate mail and files only open inside the protected, policy-bound apps. Conditional Access →
Deploy the managed app set
Make Outlook, Teams, and Edge available through the Company Portal as the sanctioned way in. These are the apps your App Protection and App Configuration target, so users land in the protected experience by simply installing what you offer. Managed app set →
Send the user comms before you flip Conditional Access
Tell users exactly what changes: which apps to install, that personal data and the rest of the phone stay untouched, and what "company access removed" means if they leave. Clear comms is the difference between a quiet rollout and a helpdesk queue. Conditional Access rollout →
What this gets you
Corporate data protected inside the apps with zero device enrollment required
A selective wipe that removes org data and leaves the personal phone alone
Conditional Access that admits only approved, policy-protected apps
A low-friction BYOD experience users will actually accept
Common first-timer traps
Requiring a compliant device in Conditional Access — wrong for BYOD; require an app protection policy instead
Over-restricting a personal device until users route around you with personal apps
Forgetting to set a minimum OS version, so old, unpatched phones sail through
Shipping the App Protection Policy without a matching Conditional Access policy — protection set but never enforced
Want to practice this end-to-end with zero risk? Build the whole stack in the Intune Simulator first.
Decision Tools · Blueprint
Android frontline / dedicated devices
A complete, ordered starter stack for shared, single-purpose Android hardware — kiosks, scanners, and frontline tablets that belong to the org, not a person — every component linked to the guide that builds it.
🤖 The stack
Platform: Android · Ownership: Corporate · Mode: Dedicated (COSU) · Effort: ~1 day to pilot
Connect Managed Google Play
Bind your tenant to Managed Google Play with an enterprise-owned account — this is the foundation for every Android Enterprise mode and the only sanctioned app source for dedicated devices. Do this once; everything below depends on it. Dedicated device enrollment →
Create a Dedicated (COSU) enrollment profile with a token / QR
Build a corporate-owned dedicated enrollment profile and generate its enrollment token and QR code. Devices factory-reset, scan the QR (or use NFC/zero-touch), and provision as headless, userless, fully-managed kiosks bound to that profile. Dedicated device enrollment →
Choose single-app kiosk vs multi-app managed launcher
Decide the experience now, because it shapes everything downstream: lock the device to one pinned app for true single-purpose use, or run the Managed Home Screen launcher with a curated grid of apps. Most frontline fleets want the multi-app launcher. Dedicated device modes →
Lock it down with a device restriction profile
Author an Android Enterprise device-restriction profile to disable the camera, factory reset, USB transfer, and unknown sources; control power and volume buttons; and set the kiosk behaviour. This is what turns a tablet into appliance-grade hardware. Device Restrictions →
Assign apps via Managed Google Play and configure them
Approve and assign your apps — including the Managed Home Screen — as required through Managed Google Play, then push App Configuration to pre-wire each app and the launcher so devices come up ready, with no manual sign-in or setup on the floor. App Configuration Policies →
Define compliance and wire Play Integrity attestation
Create a compliance policy that requires Google Play Integrity (SafetyNet's successor) attestation, blocks rooted or tampered devices, and sets a minimum OS — then make sure that compliance state actually feeds your access decisions, not just a report. Compliance Policies →
Enroll at scale with zero-touch or QR
For volume, register hardware in Android zero-touch (or the OEM equivalent like Samsung Knox) so devices auto-provision to your dedicated profile straight out of the box; fall back to QR for ad-hoc batches. Pilot a handful, then roll the floor. Enrollment at scale →
What this gets you
Userless, appliance-grade devices that boot straight into the job
A locked, single-purpose surface no one can wander off of
Apps and launcher pre-configured — zero touch on the floor
Tamper detection that actually gates the device, not just a dashboard
Common first-timer traps
Forgetting to configure the Managed Home Screen — devices land on a blank or broken launcher
No managed auto-update window, so apps update mid-shift and interrupt frontline work
Wiring Play Integrity attestation into the profile but never feeding it into compliance — tampered devices stay trusted
Skipping the pilot batch and reflashing the whole fleet to fix one profile mistake
Want to practice this end-to-end with zero risk? Build the whole stack in the Intune Simulator first.
Decision Tools · Blueprint
Corporate Mac knowledge worker
A complete, ordered starter stack for company-owned Macs: from ABM zero-touch to an encrypted, SSO-enabled, compliant Mac — every component linked to the guide that builds it.
💻 The stack
Platform: macOS · Ownership: Corporate · Enrollment: ADE (supervised) · Effort: ~1 day to pilot
Enroll zero-touch with Automated Device Enrollment
Tie the Mac to your tenant through Apple Business Manager and an ADE profile, so it enrolls supervised straight out of Setup Assistant — no hands on the device. ADE for macOS →
Encrypt the disk with FileVault and escrow the key
Enforce FileVault and escrow the personal recovery key to Intune so an encrypted Mac is never an unrecoverable Mac. FileVault with escrow →
Give users seamless identity with Platform SSO
Platform SSO ties the local account to Entra ID, so a single sign-in unlocks the Mac and the cloud — the modern Mac identity story. Platform SSO →
Set the hardening baseline (CIS / mSCP)
Microsoft ships no Mac security baseline — generate an auditable one from the CIS Apple macOS Benchmark via the macOS Security Compliance Project and deploy it as profiles + scripts. CIS Benchmarks & mSCP →
Turn on the security stack
Confirm Gatekeeper/XProtect posture and layer endpoint security (Microsoft Defender or your EDR) on top of the baseline. Endpoint security for Mac →
Define compliance and gate access
A compliance policy (FileVault on, OS floor, Gatekeeper, jailbreak-free) makes the posture real; Conditional Access then requires a compliant Mac for corporate resources. Mac compliance policies → · Conditional Access →
Manage updates with DDM
Declarative software-update policies enforce a target macOS version by a deadline, with the OS handling the nag — controlled patching, not pestering. DDM software updates →
Ship the app set
Microsoft 365 and first-party apps as required; everything else through the Installomator pattern for clean, repeatable DMG/PKG delivery. Installomator cookbook →
What this gets you
Zero-touch ADE provisioning — ship the Mac straight to the user
Encrypted disks with escrowed recovery keys
Single Entra identity for device and cloud via Platform SSO
An auditable CIS/mSCP baseline and compliance-gated access
Common first-timer traps
Forgetting the bootstrap token — deep operations (DDM, some account flows) silently fail
Expecting a Microsoft "Mac security baseline" — there isn't one; CIS + mSCP is the path
FileVault enforced but the recovery key not escrowed → unrecoverable Macs
Compliance policy with no Conditional Access — posture set but never enforced
Want to practice this end-to-end with zero risk? Build the whole stack in the Intune Simulator first.
iOS · Baseline Settings
Importing Baseline Settings into Intune
Get a community-reviewed iOS security and management baseline into your tenant fast.
RequiresPolicy-creation rights; Graph consent for the import script
ScopePolicies import unassigned — pilot group first
Scope
The baseline targets supervised, ADE-enrolled corporate devices. Settings that require supervision are marked on each page; BYOD guidance lives in the App Protection Baseline.
Prerequisites
A local copy of the baseline repository. Clone or download it from the GitHub repository so you can review every policy before anything touches your tenant.
Rights to create policies in your tenant — Settings Catalog configuration, compliance, and App Protection. If you use the import script, you also need consent to call Microsoft Graph with device-management write permissions.
A pilot group. An Entra ID group of test devices and users, so imported policies are never assigned straight to the fleet.
Option 1 — Import the JSON (Recommended)
Each policy in the baseline repository ships as exported JSON you can import with a short Graph script:
Get the policy files locally. Clone or download the baseline folder from the repository so you import from a version you've pinned, not a moving branch.
Review every JSON file.Never import a policy you haven't read. You are accountable for every value that lands in your tenant — and reading the export is also the fastest tour of what the baseline actually changes.
Run the import script in the repo (plain PowerShell + Graph REST, same style as our Graph Quickstart) to POST each policy to its endpoint:
Assign to your pilot group. Policies land unassigned by design — nothing applies anywhere until you assign it. Scope every imported policy to the pilot group first and widen only after the pilot stays quiet.
Option 2 — Build by Hand
Every settings page in this section lists the exact Settings Catalog paths and values. Twenty minutes of clicking gets you the same result, and you'll know exactly what each setting does — familiarity that pays for itself the first time a setting needs troubleshooting.
Rollout Order
Enterprise SSO Plug-in (improves everything else)
Passcode + Compliance
Restrictions
Software Updates (deferral first, enforcement after a cycle)
App Protection (BYOD ring)
Pilot → Ring 1 → fleet. Watch helpdesk volume between rings.
Verification
Every imported policy is visible in the console with its expected iOS-BL- prefixed name, and its Assignments tab lists only the pilot group.
On a pilot device, the profiles arrive (Settings > General > VPN & Device Management) and each policy's per-device status reports Succeeded.
Helpdesk stays quiet through the pilot window — that silence is your signal to widen the rings.
How baseline changes are proposed, reviewed, and merged.
The baseline is only as good as the operational experience behind it. If a setting bit you in production, or a new iOS release added something the baseline should adopt, contribute.
What a Baseline Contribution Looks Like
The change: exported policy JSON (or the exact Settings Catalog path + value for hand-built review).
The rationale: what it does, why the chosen value, what breaks without it.
The blast radius: supervision requirements, minimum iOS version, user-visible impact, known conflicts.
Process
Open a pull request against the baseline/ folder in the repository, or open an issue if you'd rather discuss the idea first — both are welcome starting points.
A maintainer reproduces the setting in a test tenant. Nothing merges on trust alone; reproduction catches typos in paths and values before they reach anyone's production fleet.
Discussion happens on the PR. Controversial defaults get a documented "Decision" note on the settings page, so future readers see why a value won — not just what it is.
Merged changes appear in the Changelog, so adopters can diff exactly what moved between baseline versions.
Principles We Hold
Secure by default, usable by default. A baseline nobody deploys protects nobody.
Every setting earns its place. No cargo-culted CIS line items without operational justification.
Version-aware. Settings note the iOS version they appeared in and whether supervision is required.
Everything possible is Settings Catalog, not legacy templates — Microsoft's investment is there, and DDM delivery happens automatically where supported.
The baseline is split into multiple small policies rather than one mega-profile, so you can adopt incrementally and troubleshoot conflicts sanely.
Naming convention used in the JSON: iOS-BL-<Area>-v<version>, e.g. iOS-BL-Restrictions-v1.
What the Baseline Deliberately Doesn't Do
No Wi-Fi/VPN/certificate payloads — too environment-specific.
No Home Screen Layout — cosmetic, org-specific.
No app deployment — see the Complete Guide for the core app set.
Restriction conflicts across multiple profiles resolve to the most restrictive value on iOS. Keep restrictions in this single policy so "why is this blocked?" has exactly one place to look.
Settings Catalog > Declarative Device Management > Software Update, one profile per ring:
Ring
Target
Deadline
Ring 0 (IT)
Current minor version
Release + 5 days
Ring 1 (10%)
Same
Release + 14 days
Ring 2 (fleet)
Same
Release + 30 days
Set Target OS Version to the exact version string and Target Date Time in UTC. The device handles download scheduling, escalating user notifications, and forced installation at deadline.
Operating Rhythm
Validate the release. Apple ships an update → install it on Ring 0 devices inside their window and confirm your critical apps and profiles still behave.
Move the deadlines forward. Update the Target OS Version and Target Date Time in each ring profile (or script it via Graph — the profiles are Settings Catalog policies, editable at deviceManagement/configurationPolicies).
Let compliance sweep the stragglers. Keep the compliance policy minimum OS one version behind enforcement, so devices lose access only after every ring's deadline passes — pressure without surprise lockouts.
Caution
Don't set a DDM deadline in the past "to force it now" — give devices at least 48–72 hours of runway so download windows and user notifications behave as designed.
Microsoft Authenticator deployed (required VPP app) — the extension lives inside it.
Assign to device groups for corporate, and include in BYOD user-enrollment targeting too: SSO is equally valuable on the work partition.
Don't
Don't add wildcard URL entries or third-party IdP URLs to this payload "while you're in there" — scope creep here causes the weirdest auth loops you'll ever troubleshoot.
Baseline app configuration policies for Outlook, Edge, and Office on iOS.
App Configuration Policies (managed devices channel) that pre-configure Microsoft apps so they're signed-in-ready on first launch. Background: App Configuration Policies.
Intune offers the toggle to add the shared device/account mode and SSO-relevant keys automatically when you create app config policies for Microsoft apps — let it. Combined with the Enterprise SSO plug-in, first-launch sign-in is typically zero-prompt.
Insight
Token variables like {{username}}, {{mail}}, and {{userprincipalname}} resolve per-assigned-user at delivery. On user-affinity ADE devices they just work; on no-affinity (kiosk) devices they resolve empty — scope these policies to user-affinity devices only.
The MAM baseline that protects corporate data with or without enrollment.
App Protection Policies (APP/MAM) wrap corporate data inside managed apps — they work on enrolled devices and on completely unmanaged BYOD alike. This baseline (iOS-BL-APP-v1) is Microsoft's "Level 2 — Enhanced" data protection framework with field-tested adjustments.
Apps > Protection policies > Create policy > iOS/iPadOS. Target: all Microsoft 365 apps + your LOB apps using the Intune App SDK. Assign to user groups (it follows the user, not the device).
PolicyiOS-BL-APP-v1 — Level 2 Enhanced base
Applies toEnrolled devices and unmanaged BYOD alike
❌ Block (org choice — relax if you have managed print)
Access Requirements
Setting
Value
PIN for access
✅ Require, numeric, 4+
Touch ID / Face ID instead of PIN
✅ Allow (with PIN fallback after timeout)
Work account required
✅
Recheck access timeout
30 min
Conditional Launch
Check
Value
Action
Max PIN attempts
5
Reset PIN
Offline grace period
720 min
Block access
Offline grace period
90 days
Wipe org data
Jailbroken/rooted
—
Block access + wipe org data
Min OS version
(current − 1 major)
Warn, then block on (current − 2)
Pair with Conditional Access
Create a CA policy with grant control Require app protection policy for iOS, so unprotected apps can't touch corporate data even with valid credentials. Details: Conditional Access.
What Apple Business Manager is and how to enroll your organization.
Apple Business Manager (ABM) is Apple's free web portal for organizations. It is the foundation of every corporate iOS deployment — it provides device enrollment automation, app licensing, and Managed Apple Accounts.
Devices: assign corporate devices to Intune for Automated Device Enrollment — zero-touch, supervised, mandatory management.
Apps & Books: buy app licenses (free apps too) in volume and deploy them silently — no Apple ID needed on devices. See Apps & Books (VPP).
Managed Apple Accounts: organization-owned Apple Accounts, ideally federated with Entra ID, required for Shared iPad and account-driven enrollment.
Device Identity in Entra ID
However an iOS device enrolls, it becomes Entra registered — the device record Conditional Access reads. The enrollment path decides how corporate that record is; the device identity guide has the full picture:
Enrollment path
Entra identity
What Conditional Access sees
ADE (supervised, via ABM)
Entra registered, corporate record from Setup Assistant
User + device compliance on supervised hardware
Company Portal (BYOD)
Entra registered at enrollment sign-in
User + device compliance; personal ownership respected
App protection only (no enrollment)
No device record — identity is the user + managed app
App-based grants only; device-based grants will fail
Prerequisites
A D-U-N-S number registered to your legal entity. Apple validates your application against the Dun & Bradstreet record, so confirm the registered legal name and address are current before you apply.
A work email address on a domain your organization owns — consumer mailbox addresses are not accepted for the enrolling account.
A verification contact who can legally accept the terms on behalf of your organization. Apple calls this person to verify, so brief them that the call is coming.
Enrolling Your Organization — Step-by-Step
Start the application. Go to business.apple.com and select Sign up now, entering the legal-entity details exactly as they appear in your D-U-N-S registration.
Complete verification. Apple phones the verification contact to confirm the request is genuine before approving the organization.
Allow a few business days for approval. If your D-U-N-S details don't match your legal name exactly, fix them with Dun & Bradstreet first; mismatches are the most common rejection reason.
After Approval
Add at least one additional Administrator account — never run ABM with a single admin; one departed colleague or forgotten password shouldn't lock the organization out of its own device program.
Note your Organization ID (Settings > Enrollment Information); resellers need it to auto-assign purchased devices.
Configure federated authentication if you'll use Managed Apple Accounts. Under Settings > Accounts, federate with Microsoft Entra ID so users sign in with their work credentials.
Education?
Schools use Apple School Manager (ASM) instead. Everything in this guide applies equally — ASM is a superset of ABM.
Connect ABM to Intune with an enrollment program token so devices flow automatically.
The integration between ABM and Intune is a server token (.p7m file). One token per ABM "MDM server" entry; the token tells Apple to hand devices to your Intune tenant at activation. The exchange is a three-part handshake: Intune generates a public key, ABM binds that key into a server token, and Intune consumes the token.
RequiresABM Administrator or Device Enrollment Manager role
Console pathDevices > Enrollment > Apple > Enrollment program tokens
RenewalEvery year — same ABM account that created the token
ScopeOne token per ABM MDM server entry
Step 1Download the Intune public key.pem from the Enrollment program token wizard
Step 2Create the MDM server in ABMUpload the .pem; download the .p7m server token
Step 3Upload the token to IntuneEnter the owning Apple ID — record it for renewals
Step 4Verify the connectionGreen status; expires one year out — set an 11-month reminder
Prerequisites
An ABM account that can manage MDM server assignments (Administrator or Device Enrollment Manager role).
Access to the Intune admin center with permission to manage Apple enrollment.
A decision about which ABM account owns the token — renewals must come from the same account every year, so use a role account your team controls rather than a personal login.
Step 1 — Download the Intune Public Key
Open the token wizard. In the Intune admin center: Devices > Enrollment > Apple tab > Enrollment program tokens > Add.
Grant consent and download the key. Grant Apple permission to send user/device info, then Download your public key (.pem). ABM will bind your server token to this key.
Step 2 — Create the MDM Server in ABM
Add a server entry. In ABM: Settings (or Preferences) > MDM Server Assignment > Add.
Name it clearly, e.g. Intune - Production — this name shows up in assignment menus for years, so make it self-explanatory.
Upload the .pem public key from Step 1.
Download the generated server token (.p7m).
Step 3 — Upload the Token to Intune
Enter the owning Apple ID. Back in the Intune wizard, enter the Apple ID of the ABM account used to create the token (record this — renewals must use the same account).
Upload the .p7m file and create. Intune validates the token and the connection goes live.
Step 4 — Verify
The token appears under Enrollment program tokens with a green status and an expiration date one year out. Set a renewal reminder at 11 months. Devices assigned to this MDM server in ABM will sync into Intune (manual sync available; Apple rate-limits a full sync to once per 15 minutes).
Token hygiene
Renew with the same ABM account that created the token. A different account breaks the device assignment chain.
One token can serve every device family ABM supports — or you can create separate ABM MDM server entries per device family if you want different default enrollment profiles. Separate entries per family is the cleaner pattern at scale.
The three ways devices get into ABM — reseller channel, Apple Configurator for iPhone, and Apple Configurator 2 over USB.
A device must exist in ABM before it can use Automated Device Enrollment. There are three ways in, and the right one depends on how the device was purchased.
devices are purchased through Apple or an authorized resellerReseller channelGive them your Organization ID — purchases appear in ABM automatically, no provisional period.
a retail-bought device needs adding in the fieldApple Configurator for iPhoneCable-free proximity add at the Hello screen; 30-day provisional period applies.
a bench is doing batch intake from traysApple Configurator 2 over USBTethered Prepare workflow — slower per device, suits lined-up hardware.
1. Purchased Through Apple or an Authorized Reseller (Best)
Give Apple or your reseller your Organization ID (and add their Reseller Number under ABM Settings > Enrollment Information). New purchases then appear in ABM automatically — true zero-touch. This should be your default procurement path for every corporate device going forward.
2. Apple Configurator for iPhone (iOS 16+)
For devices bought retail or otherwise outside the reseller channel:
Install Apple Configurator from the App Store on a work iPhone and sign in with an ABM administrator/device-manager account.
Factory-reset the target device. At the Setup Assistant Hello screen, bring it near the Configurator iPhone (like AirPods pairing) and scan the on-screen image.
Confirm the add. The device is added to ABM and appears in your MDM server assignment within minutes.
No cables and no bench hardware required. This is the field-friendly method.
3. Apple Configurator 2 over USB
The classic tethered method for benches doing batch intake: connect the freshly-wiped device by USB to a bench computer running Apple Configurator 2, select Prepare, and choose Add to Apple Business Manager. Slower per device than the iPhone method, but it suits an intake bench where devices are already lined up in trays.
The 30-day provisional period
Devices added via either Configurator method enter a 30-day provisional period during which the user can remove the device from ABM (Settings > General > About shows the option). After 30 days, ABM membership is permanent. Reseller-purchased devices have no provisional period.
Assign to Your MDM Server
Assign the serials. In ABM: Devices > select device(s) > Edit MDM Server > choose your Intune server.
Set a default MDM server per device type (Settings > MDM Server Assignment) so new purchases auto-assign without manual work.
Sync the token in Intune. The serials appear under your enrollment program token after the next sync.
Verification
The device shows in ABM under Devices with your Intune server listed as its MDM server, and the same serial appears in Intune under the enrollment program token's device list. If a serial seems "missing" in Intune right after assignment, trigger a token sync and allow a few minutes — Apple rate-limits a full sync to once per 15 minutes.
Create and maintain the certificate that lets Intune talk to your Apple devices.
Every command Intune sends to any Apple device — policy, app install, wipe — is triggered through the Apple Push Notification service (APNs) using one certificate. It's free, takes five minutes, and is the single most important object in your Apple deployment.
LicenseFree — takes five minutes
Console pathDevices > Enrollment > Apple > Apple MDM Push certificate
RequiresDedicated organizational Apple ID with two-factor authentication
RenewalEvery year — same certificate, same Apple ID
Prerequisites
A dedicated organizational Apple ID (e.g. apple-mdm@yourdomain.com) with two-factor authentication configured — never a personal account. This identity anchors the certificate for the life of your deployment.
Intune admin center access with rights to manage Apple enrollment settings.
Create It — Step-by-Step
Open the certificate blade. Intune admin center: Devices > Enrollment > Apple tab > Apple MDM Push certificate.
Download the CSR. Check I agree, then Download your CSR (a .csr file signed by Microsoft).
Sign in with the dedicated organizational Apple ID (e.g. apple-mdm@yourdomain.com — never a personal account).
Create the certificate. Select Create a Certificate, accept the terms, upload the CSR, then download the resulting .pem.
Finish in Intune. Enter the Apple ID you used (this is recorded for renewal), upload the .pem, and finish.
Verification
Status turns Active with a one-year expiration. To prove the push channel end to end, sync or remote-lock a test device and confirm the command lands — command delivery is the certificate doing its job.
Renewal — Read This Twice
Renew the same certificate in the Apple portal using the same Apple ID every year.
If the certificate expires, every Apple device stops receiving commands until you renew it — devices stay enrolled and recover once renewed.
If you create a new certificate instead of renewing (or use a different Apple ID), the certificate topic changes and every Apple device must be re-enrolled. This is the classic career-limiting Apple MDM mistake.
Operational guardrails
Calendar the renewal at 11 months with two owners invited.
Document the Apple ID, who controls its mailbox, and its 2FA recovery in your vault.
The Bulk Device Actions page includes a Graph snippet to check days-to-expiry — wire it into your monitoring.
Do
Renew the same certificate with the same Apple ID every year
Calendar the renewal at 11 months with two owners invited
Document the Apple ID, its mailbox owner, and 2FA recovery in your vault
Don't
Let it expire — every Apple device stops receiving commands until you renew
Create a new certificate or switch Apple IDs — every Apple device must re-enroll
Build the enrollment profile that controls Setup Assistant and supervision for corporate iOS devices.
The enrollment profile defines what happens when an ABM-assigned device activates: supervision, user affinity, authentication method, and which Setup Assistant screens users see. Every device that activates against the profile inherits these decisions until its next wipe, so this is where the corporate device experience is really designed.
Applies toABM-assigned devices at activation
Console pathDevices > Enrollment > Apple > Enrollment program tokens > Profiles
RequiresActive APNs certificate + connected enrollment program token
ScopeDecisions persist until the next wipe
Prerequisites
Your APNs certificate is active and your enrollment program token is connected, with device serials syncing from ABM.
You know which devices are 1:1 user devices and which are shared or kiosk hardware — the user-affinity decision below follows directly from that split.
Create the Profile — Step-by-Step
Open the profile wizard.Devices > Enrollment > Apple tab > Enrollment program tokens > your token > Profiles > Create profile > iOS/iPadOS.
Work through the key decisions in the table below. Each row is a choice the device keeps until it is wiped, so decide deliberately rather than accepting defaults.
Trim Setup Assistant and create the profile. Skip the screens users don't need (guidance below), review, and save.
Key Decisions
Setting
Recommendation
Why
User affinity
Enroll with user affinity for 1:1 devices; without for kiosks/shared
Affinity links the device to a primary user for app/policy targeting
Authentication method
Setup Assistant with modern authentication
Entra ID sign-in (with MFA/Conditional Access) during Setup Assistant
Await final configuration
Yes
Locks the device at Setup Assistant until critical policies and apps land — users get a finished device, not a half-configured one
Locked enrollment
Yes
Users cannot remove the management profile
Supervised
Yes (forced for locked enrollment)
Unlocks the full iOS management surface
Setup Assistant Screen Skipping
Skip everything users don't need to touch: Apple Intelligence/Siri, Apple Pay, Screen Time, Restore, etc. Leave Passcode visible — you want a passcode set during setup, and your compliance policy will require it anyway.
Modern auth details
With Setup Assistant modern authentication, the user authenticates to Entra ID during setup, and Company Portal completes Entra registration after enrollment so Conditional Access sees the device as compliant. Deploy Company Portal as a required VPP app to these devices. Just-in-time (JIT) registration via the Enterprise SSO plug-in can remove the Company Portal sign-in step — see Deploy the Enterprise SSO Plug-in.
Assign Devices to the Profile
Assign serials. In the token blade: Devices > select serials > Assign profile.
Set the token's default profile. Make this profile the token's default profile so newly synced devices pick it up automatically — an unassigned serial is how a corporate device ends up activating with no management.
Verification
The token's device list shows your profile name against each assigned serial.
Wipe and activate a test device: the Remote Management screen appears during Setup Assistant, followed by your chosen authentication flow.
Profile changes apply at next activation — already-deployed devices must be wiped to receive an updated enrollment profile.
Configure the Microsoft Enterprise SSO plug-in so users sign in once across all Entra-protected apps on iOS.
The Microsoft Enterprise SSO plug-in gives iOS devices true single sign-on to Entra ID: a user authenticates once and every app and website that uses Entra ID picks up the session — including Safari. It also enables just-in-time (JIT) device registration during web-based and Setup Assistant enrollments.
RequiresMicrosoft Authenticator as a required VPP app
Applies toMDM-enrolled devices — the extension only activates via MDM
Microsoft Authenticator deployed to the device (the plug-in ships inside it). Deploy it as a required VPP app. Users do not need to open or configure Authenticator for SSO to work.
Device must be MDM-enrolled (the extension only activates when delivered by MDM).
After the profile lands (Settings > General > VPN & Device Management shows the SSO payload), sign into one Microsoft app, then open Safari to https://office.com — you should land signed-in without a password prompt.
Insight
Deploy the SSO plug-in before broad app rollout. Retrofitting it works, but users only feel the magic when it's there from day one — and JIT registration during enrollment depends on it.
License and silently deploy App Store apps with no Apple IDs on devices.
Apps & Books (still universally called VPP) is how corporate iOS app deployment works: your organization acquires licenses in ABM, Intune consumes them through a location token, and supervised devices install apps silently with no Apple ID signed in.
Find the app. Search for the app (e.g., Microsoft Authenticator, Outlook, Edge, Company Portal).
Acquire licenses. Choose a quantity (free apps still need "purchased" license counts — grab plenty, e.g. 5,000 for core apps) and assign to your Location.
Step 2 — Connect the Location Token to Intune
Download the token from ABM. Your account > Preferences > Payments and Billing > Content Tokens — download the .vpptoken for your location.
Open the connector blade in Intune.Tenant administration > Connectors and tokens > Apple VPP tokens > Create.
Upload and configure. Upload the token, enter the Apple ID that manages it, set Automatic app updates to Yes, and decide if this token grants used licenses to Intune-managed devices only.
Tokens expire annually — same renewal discipline as your APNs certificate.
Step 3 — Deploy Apps
Licensed apps appear automatically under Apps > All apps (type: iOS volume purchase program app) after the token syncs.
Open the assignment. Select the app > Properties > Assignments.
Pick the intent.Required for must-have apps (silent install on supervised devices), Available for enrolled devices for the self-service catalog in Company Portal.
Keep device licensing.License type: Device licensing (default and recommended) — no Apple ID involvement at all.
Core App Set for the Complete Guide
Deploy these as Required / Device licensed to your corporate iOS group:
What your users actually see during zero-touch enrollment, start to finish.
This is the end-to-end experience on a corporate device deployed through everything configured so far. Knowing it cold makes support tickets self-explanatory.
1 · HelloLanguage, region, Wi-Fi
2 · Remote ManagementNo skip with locked enrollmentAppears because the serial is ABM-assigned
3 · Entra sign-inWork account; MFA and Conditional Access apply
4 · PasscodeSet during setup, policy minimums enforced
5 · ConfiguringAwait Final Configuration holds the deviceProfiles and required VPP apps land first
6 · Home screenFully provisionedTypically 8–15 minutes on decent Wi-Fi
Unboxing to Desk-Ready
Hello screen — user powers on, selects language/region, joins Wi-Fi (or uses cellular activation).
Remote Management screen — "Your organization will automatically configure your device." This appears because the serial is ABM-assigned to your Intune token. With locked enrollment, there is no skip option.
Entra ID sign-in — with Setup Assistant modern authentication, the user signs in with their work account; Conditional Access and MFA apply right here.
Passcode — user sets a passcode (your compliance and passcode policies enforce minimums).
Await Final Configuration — the device holds at "Configuring..." while required profiles and VPP apps land, so the home screen appears fully provisioned.
Home screen — Outlook, Teams, Authenticator, Company Portal already installed. If you deployed a Home Screen Layout, icons are arranged your way.
First app launch — thanks to the Enterprise SSO plug-in, apps pick up the Entra session without re-prompting for the password.
Typical elapsed time on decent Wi-Fi: 8–15 minutes, most of it app downloads.
What Users Notice Day-to-Day
Settings > General > VPN & Device Management shows the management profile; on supervised devices the top of Settings reads "This iPhone is supervised and managed by…".
App Store can stay enabled or be hidden — managed apps update via VPP regardless.
No Apple ID prompts for any managed app, ever.
What They Can't Do
Remove the management profile (locked enrollment).
Erase their way out — after a wipe, the Remote Management screen returns at activation (and Activation Lock doesn't strand you if managed properly).
Deploy Microsoft Defender for Endpoint on iOS with zero-touch onboarding.
Microsoft Defender for Endpoint on iOS provides web protection (anti-phishing via a local loopback VPN), jailbreak detection feeding device risk into compliance, and vulnerability assessment of OS versions.
LicenseMDE P1/P2, Microsoft 365 E5, or standalone
RequiresMDE–Intune connection enabled in both consoles
Applies toCorporate iOS group — Required, device-licensed VPP app
ScopeSilent onboarding needs supervision
Prerequisites
Defender for Endpoint licensing (MDE P1/P2, Microsoft 365 E5, or standalone).
The MDE–Intune connection enabled: Defender portal > Settings > Endpoints > Advanced features > Microsoft Intune connectionOn, and in Intune Endpoint security > Microsoft Defender for Endpoint > allow iOS to report to MDE.
Step 1 — Deploy the App
Deploy Microsoft Defender: Security as a Required, device-licensed VPP app to your corporate iOS group.
Step 2 — Silent Onboarding (Supervised)
On supervised devices Defender can onboard silently — no user tap-through:
Create an App configuration policy (Managed devices) targeting the Defender app.
Add the onboarding keys. Use the configuration designer and add:
issupervised = {{issupervised}} (variable)
For silent/zero-touch onboarding follow the current Microsoft Learn doc "Deploy Microsoft Defender for Endpoint on iOS" — Microsoft updates the exact key set periodically; pin your config to the doc, not to a blog post.
Deploy the Defender VPN payload. Push the Device control/Web protection VPN profile (Microsoft provides the VPN payload values in the same doc) so web protection activates without user consent.
Step 3 — Connect Risk to Compliance
In your iOS compliance policy, set Require the device to be at or under the machine risk score (e.g., Medium). Now a jailbroken or high-risk device automatically loses access through Conditional Access.
Verification
The device appears in the Defender portal's device inventory shortly after onboarding completes.
On the device, the Defender app reports web protection active and the loopback VPN shows under Settings > VPN.
Risk flows into compliance: a test device's compliance state reflects the machine risk score requirement you configured.
Insight
The zero-touch path matters: in our experience, user-driven Defender onboarding completion rates plateau around 70–80%. Supervised + app config + VPN profile gets you to ~100% without a single user tap.
How DDM changes iOS management and where Intune uses it today.
Declarative Device Management is Apple's modern management protocol, layered on top of MDM. Instead of the server polling and pushing commands, the server sends declarations — desired states — and the device itself enforces them and proactively reports status changes.
ProtocolDeclarations layered on MDM — the device enforces desired state
RequiresiOS/iPadOS 17+ for update enforcement (DDM itself since iOS 15)
Server sends command, waits for device to check in
Device holds the declaration and acts autonomously
State drift until next sync
Device self-corrects immediately
Server polls for status
Device pushes status reports when things change
The flagship example: a software update declaration with a deadline. The device schedules downloads, notifies the user with escalating urgency, and force-installs at the deadline — even if it can't reach Intune at that moment.
Requirements
iOS/iPadOS 17 or later for the update enforcement scenarios Intune exposes (DDM itself exists since iOS 15).
No special enrollment — DDM activates automatically within an existing Intune MDM enrollment on supported OS versions.
Where Intune Uses DDM Today
Managed software updates (the headline scenario — full guide).
A growing set of Settings Catalog payloads are delivered declaratively when the device supports it — Intune chooses the channel; you don't have to.
Enforce iOS updates with DDM — deadlines that actually stick.
The final piece of the deployment: keeping the fleet current. On iOS 17+ this is done with DDM-based software update enforcement, which replaces the old MDM update commands with deadlines the device itself enforces.
Pick the payload. Category Declarative Device Management > Software Update.
Set the target and deadline. Configure:
Target OS Version — e.g. 17.5.1 (exact version string)
Target Date Time — the enforcement deadline (UTC)
Optionally Target Build Version for precision
Assign to your iOS device groups (use a pilot ring first — see below).
Before the deadline, users get increasingly insistent notifications and can update on their own terms. At the deadline, the device downloads (if it hasn't) and installs the update, requiring the passcode where needed.
DeclareTarget OS Version + UTC deadline assigned
NotifyEscalating user notificationsUsers can update on their own terms before the deadline
EnforceDownload and forced install at deadlinePasscode requested where needed
Verification
On a targeted device, Settings > General > Software Update shows the targeted version, and the notification cadence begins as the deadline approaches.
The policy's per-device status in Intune reports success, and after the deadline the device's inventoried OS version moves to the target.
Stragglers surface in the compliance minimum-OS report — chase that report, not individual serial numbers.
Hide Updates Users Shouldn't See Yet
Pair enforcement with deferral so users can't jump ahead of your validation:
This creates the classic pattern: defer 14–30 days for validation, then enforce by deadline.
Recommended Ring Model
Ring
Audience
Deadline after release
Ring 0
IT + volunteers
~5 days
Ring 1
10% of fleet
~14 days
Ring 2
Everyone
~30 days
Drive ring assignment with Entra groups, one enforcement profile per ring with staggered Target Date Times.
Legacy update policies
The older Update policies for iOS/iPadOS (one-time ScheduleOSUpdate pushes) still exist in the console but are not reliable as an enforcement mechanism — devices on a charger and locked might update. DDM deadlines are deterministic. Use DDM for anything you actually need to happen.
A decision guide for the four iOS enrollment methods in Intune.
Intune offers four practical ways to enroll an iOS device. Choosing correctly up front matters — moving a device between methods later means wiping it.
the device is corporate-ownedADESupervision and locked enrollment are non-negotiable for company hardware.
it's corporate-owned but genuinely can't get into ABMWeb-based device enrollmentUnsupervised and removable — a stopgap while procurement catches up.
it's BYOD needing full corporate app accessAccount-driven User EnrollmentCryptographic work/personal separation; the user keeps control.
it's BYOD and MAM is enoughNo enrollment at allApp Protection Policies guard the data with zero device management.
Corporate-owned? → ADE. Always. Supervision and locked enrollment are non-negotiable for company hardware. Get devices into ABM even if bought retail (here's how).
Corporate-owned but genuinely can't get it into ABM? → Web-based device enrollment. Accept that it's unsupervised and removable; plan to replace these devices through proper procurement.
BYOD with full corporate app access? → Account-driven User Enrollment. Cryptographic separation of work/personal data, privacy-respecting, user keeps control of the device.
BYOD where MAM is enough? → Don't enroll at all. App Protection Policies without enrollment protect corporate data inside Microsoft apps with zero device management. This is the right answer more often than people think.
Retired Methods
Profile-based User Enrollment (the old Company Portal BYOD flow) has been retired by Microsoft and Apple in favor of account-driven enrollment. If you still have devices on it, plan migrations — users sign out / retire, then re-enroll account-driven.
Supervised, locked, zero-touch enrollment for corporate iOS devices.
ADE (formerly DEP) is the gold standard for corporate iOS: the device enrolls itself during Setup Assistant because Apple's activation servers know the serial belongs to your organization.
Applies toCorporate devices with ABM-assigned serials
RequiresABM + server token + an assigned enrollment profile
ScopeSupervised, locked, whole-device management
What You Get
Supervision — the prerequisite for the strongest controls: Lost Mode, Single App Mode, Home Screen Layout, blocking app removal, many restrictions, silent VPP app installs, and Activation Lock management.
Locked enrollment — the management profile cannot be removed; a wipe just lands the device back at the Remote Management screen.
A zero-touch rollout — ship sealed boxes; users self-provision in minutes.
Await Final Configuration — devices arrive at the home screen fully provisioned.
A device re-checks its ABM assignment at every activation. Reassigning a serial to a different enrollment profile only takes effect after a wipe.
ABM token sync to Intune is rate-limited (full sync every 15 minutes) — "missing" serials right after assignment usually just need a sync and patience.
Keep one default profile per token sane: it's what every newly purchased device gets if you forget to assign explicitly.
Safari-driven device enrollment without Company Portal — for corporate devices outside ABM.
Web-based device enrollment lets a user enroll a device entirely through Safari — no Company Portal app required to enroll. It produces a standard (unsupervised) device enrollment and is Microsoft's default for new device enrollment profiles. Because the entire flow runs in the browser, it is the lowest-friction way to bring a corporate-owned device under management when it was procured outside the channels that feed automated enrollment.
Applies toCorporate devices outside ABM
RequiresiOS/iPadOS 15 or later; Enterprise SSO plug-in for JIT registration
Console pathDevices > Enrollment > Apple > Enrollment types
ScopeUnsupervised — the user can remove management
Prerequisites
iOS/iPadOS 15 or later on the devices being enrolled.
Licensed users in an assignable group — the flow is user-driven, so the enrollment link and instructions you communicate are part of the deployment.
The Enterprise SSO plug-in policy in place — just-in-time (JIT) registration during this flow depends on it. The plug-in deploys once the device is managed, and it is used at sign-in time to complete Entra device registration.
Step-by-Step: Create and Assign the Enrollment Profile
Open the enrollment configuration. Go to Devices > Enrollment > Apple tab > Enrollment types.
Create the profile. Choose Create profile, select Web based device enrollment as the enrollment type, and name it so the intended audience is obvious from the assignment view later.
Assign it to user groups. Enrollment type profiles target users, not devices. If several profiles could match the same user, the profile priority order decides which flow they get — review that order deliberately whenever you add a profile.
Step-by-Step: The User Flow
Open Safari and go to https://portal.manage.microsoft.com (or the enrollment link you communicate). Safari specifically — the management profile download requires it.
Sign in with Entra ID credentials. Conditional Access applies at this step exactly as it would for any other sign-in.
Install the management profile. Safari downloads it; the user finishes via Settings > Profile Downloaded and confirms with the device passcode.
Let JIT registration complete. Entra device registration happens inside the flow itself — no Company Portal sign-in needed afterward.
Wait for policy to land. Apps and configuration profiles arrive over the following minutes as the device starts checking in.
Company Portal can still be deployed afterward as an app catalog, but it's optional.
Verification
The device appears under Devices > iOS/iPadOS with the expected primary user, and the management profile is visible on-device under Settings > General > VPN & Device Management.
Compliance evaluates to Compliant after the first check‑ins — a record stuck at Not evaluated means the enrollment didn't finish cleanly.
Open a managed app gated by Conditional Access: a successful grant proves the Entra registration that JIT was responsible for actually completed.
Limitations to Accept
Not supervised — no Lost Mode, no Single App Mode, no update deferral, no blocking profile removal.
The user can remove management at any time (compliance + Conditional Access is your backstop: remove the profile, lose access).
No Await Final Configuration — provisioning happens live on the home screen.
When It's the Right Call
Corporate devices procured outside the reseller channel that you can't (yet) Configurator-add to ABM.
Contractor/loaner hardware with short lifecycles.
Fast pilots where ABM logistics would slow you down.
For anything long-lived and corporate-owned, do the ABM work and use ADE.
The modern BYOD enrollment — users sign in from Settings, work data lives in a separate APFS volume.
Account-driven User Enrollment is Apple's privacy-first BYOD model: the user signs into their work account directly in iOS Settings, and the device creates a cryptographically separate work partition. IT manages the work side only; the personal side is invisible to MDM. The separation is structural, not cosmetic — the work side gets its own encrypted APFS volume and key material — which is what makes the privacy promise to users credible and a retire surgically clean.
Applies toPersonal (BYOD) devices, iOS/iPadOS 15+
RequiresManaged Apple Accounts + service discovery endpoint
Console pathDevices > Enrollment > Apple > Enrollment types
ScopeWork partition only — serial number hidden
What IT Can and Can't See
Can
Cannot
Managed (work) apps and their data
Personal apps, photos, messages
Work account configuration
Device location
Installed managed app inventory
Full app inventory
Retire (remove work data)
Full device wipe
Require passcode (limited)
Device serial number (a per-enrollment ID is used instead)
Prerequisites
iOS/iPadOS 15 or later on the personal devices being enrolled.
Managed Apple Accounts — via ABM, ideally federated to Entra ID so users sign in with work credentials and accounts materialize on demand.
Service discovery: an HTTPS endpoint at https://yourdomain/.well-known/com.apple.remotemanagement returning JSON that points Apple at Intune's enrollment URL. Microsoft Learn documents the exact JSON body — host the file on the domain matching your users' UPN suffix.
An Intune license per user and a user group to carry the enrollment profile assignment.
Stand up the discovery endpoint. Publish the well-known JSON on the UPN-suffix domain over HTTPS with a publicly trusted certificate. This file is what turns a typed work email into a routed enrollment — without it, nothing downstream happens.
Confirm Managed Apple Account coverage. With federation, accounts are created at first sign-in; if you provision accounts manually instead, verify every pilot user actually has one before they try.
Create the enrollment profile.Devices > Enrollment > Apple tab > Enrollment types — create a profile of type Account driven user enrollment.
Assign it to user groups, and review profile priority if multiple enrollment type profiles could match the same user.
Step-by-Step: The User Flow
Start from Settings.Settings > General > VPN & Device Management > Sign In to Work or School Account.
Enter the work email. Discovery resolves your domain and hands off to Entra ID sign-in — Conditional Access and MFA apply normally.
Let iOS build the work partition. Managed apps and the work Apple Account land in it automatically.
Review the separation. Settings shows the user a clean statement of what the organization manages — worth pointing at during onboarding, because it is the privacy story in one screen.
Verification
Before pilot day: request the well-known URL from the public internet and confirm it returns HTTP 200 with the correct JSON body.
After a test enrollment: the device record appears keyed to a per-enrollment ID rather than a hardware serial, and managed apps install into the work side only.
Confirm compliance evaluates and Conditional Access grants access from a managed app signed in with the work account.
Insights
The serial-number privacy behavior breaks any process keyed on serials — inventory reconciliation must use the enrollment user instead.
Users can end management anytime by signing out — pair with App Protection Policies so the data story doesn't depend on enrollment persisting.
If discovery isn't set up, enrollment fails with vague errors at the email step — validate the well-known URL returns HTTP 200 + correct JSON from the public internet before pilot day.
Settings-initiated full device management for personal devices — iOS 18 and later.
Account-driven Device Enrollment is the newest member of the family (iOS/iPadOS 18+): the same friendly Settings-based sign-in flow as account-driven User Enrollment, but resulting in whole-device management rather than a separated work partition.
Applies toPersonally owned devices that must be fully managed
RequiresiOS/iPadOS 18 or later + Managed Apple Accounts
Console pathDevices > Enrollment > Apple > Enrollment types
ScopeWhole device — real serial visible, full wipe possible
Where It Fits
Think of it as the successor to old profile-based device enrollment for personally owned devices that need to be fully managed — common in regulated industries, or where corporate policy requires whole-device control on stipend/BYOD hardware. Unlike User Enrollment, IT sees the real serial number, full app inventory, and can issue a full wipe — make sure users understand that trade before enrolling.
Prerequisites
iOS/iPadOS 18 or later — older builds cannot take this enrollment type.
Managed Apple Accounts (ABM, federation recommended) — the same identity plumbing as User Enrollment.
The same service discovery endpoint (/.well-known/com.apple.remotemanagement); the JSON advertises both enrollment flavors with separate version keys (mdm-byod for user enrollment, mdm-adde for device enrollment) — see Microsoft Learn for the current body.
An Intune license per user and a user group to carry the profile assignment.
Step-by-Step: Enable and Roll Out
Update the discovery JSON. Make sure the mdm-adde capability is advertised alongside any existing mdm-byod entry, so devices learn that full device enrollment is on offer for your domain.
Create the enrollment profile.Devices > Enrollment > Apple tab > Enrollment types — create a profile of type Account driven device enrollment and assign it to the target user groups. Profile priority decides which flow wins when a user matches several profiles.
Communicate the trade before anyone enrolls. IT sees the real serial number and full app inventory and can issue a full wipe — put that in the enrollment instructions in plain language so users on personal hardware consent knowingly, not retroactively.
The User Flow
Identical entry point to User Enrollment: Settings > Sign In to Work or School Account → work email → Entra sign-in. iOS evaluates which enrollment type the targeted profile prescribes and proceeds into full device management with user consent screens that spell out what IT will control.
Compared to Its Siblings
User Enrollment
Device Enrollment (account-driven)
ADE
Scope
Work partition
Whole device
Whole device
Supervised
No
No
Yes
Removable by user
Yes
Yes
No
Serial visible
No
Yes
Yes
Full wipe
No
Yes
Yes
Verification
The enrolled device shows the hardware serial number and full app inventory in the console — the visible markers that distinguish it from a User Enrollment record.
Policy lands device-wide (not in a separated work partition) and compliance evaluates normally.
Run one full lifecycle in the pilot — enroll, apply policy, unenroll from Settings — so the helpdesk knows exactly what each side sees at every stage.
Insights
Intune support for this enrollment type is recent — pilot on current Intune service releases and keep an eye on What's New for capability changes.
Because users can still unenroll, treat compliance + Conditional Access as the enforcement backbone, exactly as with web-based enrollment.
Wipe-to-working without hands — the modern erase flow that re-enrolls the device before anyone touches it.
The classic device handoff had a dead zone: wipe the iPhone, and it sits at Hello until a human walks it through Setup Assistant. Return to Service closes the zone — the erase command carries a Wi-Fi payload (and optionally eSIM preservation on supported builds), so the device wipes, rejoins the network on its own, runs straight through ADE, and lands back at the home screen enrolled and configured. Wipe-to-working becomes one remote action.
How It Works
The wipe action, issued with Return to Service options, embeds: the Wi-Fi configuration the freshly-erased device should join, the default language/region (skipping those panes), and — because the device is ABM-assigned and supervised — the ADE flow that does the rest. Your enrollment profile's pane skips and await-configuration design carry the experience from there.
WipeErase issued with Return to Service optionsWi-Fi payload (and optionally the eSIM) rides along
RejoinDevice erases and joins the network on its own
Re-enrollADE runs hands-freePane skips + await-configuration from your enrollment profile
ReadyHome screen, enrolled and configuredWipe-to-working as one remote action
Where It Changes Operations
Shared iPad and frontline pools: end-of-term or end-of-rotation resets become a bulk action run after close, with carts full of ready devices by morning — no bench day
Device transfers: departing user's iPhone → Return to Service → next user's first touch is the sign-in screen — the handoff becomes a remote action instead of a desk-side reprovisioning appointment
Remote remediation: the troubleshooting economics shift — past a half hour of diagnosis on a weird-state supervised device, reprovisioning is now genuinely cheaper than continuing
Prerequisites
Supervised + ABM-assigned — the front-door guarantees that let the device re-enroll itself hands-free.
An OS version on the device that supports the flow.
A Wi-Fi payload that works at the device's actual location — a corporate-PSK payload sent to a home-office device re-enrolls nothing. Build location-appropriate payloads before you need them.
Confirm the device qualifies. Supervised, ABM-assigned, supported OS, Activation Lock accounted for — thirty seconds on the device blade saves a stranded device later.
Choose the Wi-Fi payload deliberately. The network configuration embedded in the erase must be joinable where the device physically sits when it reboots, not where it was originally provisioned.
Issue the wipe with Return to Service options. From the device's Wipe action — or across a pool via a bulk action — enable Return to Service and attach the Wi-Fi configuration; preserve the cellular plan where the device should keep its line.
Let ADE do the rest. The device erases, rejoins the network on its own, runs your enrollment profile's pane skips and await-configuration design, and lands provisioned at the home screen.
Verification
The device re-enrolls and checks in — confirm the fresh enrollment timestamp on the device blade and that policies and apps report as applied.
A quick remote confirmation with the receiving user (sign-in screen reached, apps present) closes the loop without anyone shipping hardware.
If the device never comes back, assume the Wi-Fi payload didn't match its location — the fix is physical, which is exactly why the lab test below matters.
Insights
Test the failure path deliberately: issue Return to Service with a wrong Wi-Fi password once in the lab and watch what you get — knowing what a stranded device looks like (and that the fix is physical) calibrates how confidently you fire this at remote workers.
Pair with stale-device hygiene: Return to Service makes recycling easy, which makes the inventory-truth question ("is this device active or a drawer ghost?") the only remaining gate before pulling the trigger.
Gate the front door — ownership checks, OS floors, and per-user device caps, evaluated once at the moment of enrollment.
Enrollment restrictions decide which devices get to enroll at all. They are evaluated when a device attempts enrollment — and crucially never again afterward. Intune offers two restriction types for iOS: device platform restrictions (allow or block the platform, block personally owned devices, enforce an OS version range) and device limit restrictions (cap how many devices one user can enroll). You can run up to 25 policies of each type, assigned to user groups, with a priority order resolving conflicts.
ScopeAssigned to user groups only — priority 1 wins
Applies toEvaluated once, at enrollment — never re-checked afterward
What "Personally Owned" Actually Means
Intune classifies every iOS device as personally owned unless it can prove otherwise at the gate. There are exactly two proofs:
The device comes through ADE — its serial lives in ABM and is assigned to your MDM server, so corporate ownership is established by the supply chain before any user touches it.
The serial or IMEI is pre-registered under corporate device identifiers — your way of vouching for corporate hardware that lives outside ABM.
Everything else — Company Portal, Safari, Settings — presents as personal, whoever actually paid for the hardware.
Blocked — this is the BYOD flow the setting exists to stop
Blocking personal devices is an enrollment decision, not a data-protection one: BYOD users turned away here can still be served with App Protection Policies, which need no enrollment at all.
Caution
ADE bypasses the ownership block — not a platform block. If a restriction that catches your users sets the iOS/iPadOS platform to Block, ADE devices fail activation with an invalid-profile error in Setup Assistant. For a corporate-only fleet, block personally owned devices and leave the platform allowed.
OS Version Floors
Platform restrictions accept a minimum and maximum allowed OS version, in major.minor.rev format. The floor is the useful half: it keeps forgotten hardware on ancient builds from ever entering the tenant. But the gate is evaluated once — a device that enrolled healthy and then stopped updating sails on untouched. Pair the enrollment floor with a minimum-OS rule in your compliance policies: the restriction guards the door, compliance patrols the building.
Device Limit Restrictions
The device limit caps how many devices a single user can enroll — from 1 to 15. A record counts against the cap when it is Intune-managed, made contact within the last 90 days, isn't stuck pending registration over 24 hours, and hasn't failed enrollment or been deleted. Two separate caps exist, and the stricter one wins:
The Intune device limit — gates enrollment into management.
The Entra ID "maximum number of devices per user" setting — gates the device registration underneath; a device blocked from registering fails enrollment however generous the Intune limit is.
Corporate enrollment is not exempt: an ADE device enrolling with user affinity counts against the signing user under both limits, which bites when a provisioning technician signs into device after device and hits the cap mid-cart. Plan for it — enroll genuinely shared hardware without user affinity (no user, no cap), give provisioning staff a high-limit restriction, or use a device enrollment manager account for Company Portal-driven staging (DEM doesn't work with ADE).
25max policies per restriction type
1–15device limit range per user
90 daysactivity window for the device cap
~15 mingroup and filter propagation
Priority and Assignment
Restrictions are assigned to user groups only. When a user sits in several groups with different restrictions, the highest-priority policy — 1 is the top — applies and the rest are ignored. New restrictions land just above the default; reorder by dragging in the priority column. The default restriction sits immovably at the bottom and catches everyone unassigned — including enrollments with no user behind them, such as ADE without user affinity, which always evaluate against the default. That makes the default the most consequential policy you own. Assignment filters are supported with a reduced property set (the device isn't enrolled yet): manufacturer, model, OS version, ownership, and enrollment policy name.
Prerequisites
The Intune Administrator role — other built-in Intune roles get read-only access to restrictions.
User groups that mirror your enrollment audiences — a restriction without an assignment does nothing.
Corporate device identifiers uploaded for corporate hardware outside ADE — before flipping the block, not after the first lockout ticket. Better still, get the hardware into ABM.
A helpdesk article written in advance describing what a blocked user sees and what to do next.
Step-by-Step: Block Personally Owned Devices
Pre-stage the exceptions. Upload serials/IMEIs of corporate devices that don't come through ADE, and confirm the ADE token and enrollment profiles are healthy — those two populations are the only ones that will pass.
Open the restriction blade. Go to Devices > Enrollment > Device platform restrictions, select the iOS/iPadOS tab, and choose Create restriction.
Name it for the audience. "iOS — corporate only — all staff" reads better in the priority list at 2 a.m. than "Restriction 3".
Configure platform settings. Leave the platform on Allow, set Personally owned devices to Block, and set the minimum OS version while you're here — one gate, one review.
Scope and assign. Apply scope tags if you delegate administration, then assign to the user groups this gate should govern. Group and filter changes take up to about 15 minutes to propagate — don't test enrollment seconds after adding a user to the group.
Review priority. If multiple restrictions could catch the same user, drag the order until the intended one wins.
Verification
An ADE device enrolls untouched through Setup Assistant — proof the block is scoped to ownership, not platform.
An identifier-listed device enrolls through your user-driven flow of choice.
An unlisted personal device is refused. Company Portal and the Safari flow show a deliberately generic couldn't-enroll message; a user at the device limit instead sees they've added the maximum number of devices allowed and must remove one to continue.
Check enrollment failure reporting in the admin center after the pilot window — blocked attempts appear with a failure reason pointing at enrollment restrictions. Enrollment Errors covers the triage from there.
Insights
A restriction is a gate, not a policy. It is evaluated exactly once, at enrollment; editing it later affects new enrollments only and never unenrolls a device already inside. Tightening the gate doesn't clean the fleet — compliance does that.
Most "device cap reached" tickets are stale-record problems wearing a limit costume. Before raising anyone's cap, check the age of the devices on their list and run stale device cleanup — usually the cap was doing its job.
The blocked-user message is vague by design, so the helpdesk traffic arrives as "Company Portal is broken", not "I'm blocked by policy". Publishing the what-you-will-see article before enforcement is the difference between a quiet rollout and a loud one.
Do
Upload corporate identifiers before flipping the block
Block personally owned devices and leave the platform allowed
Publish the what-you-will-see helpdesk article before enforcement
Don't
Set the iOS/iPadOS platform to Block — ADE devices fail activation in Setup Assistant
Raise device caps before checking for stale records
Expect a tightened gate to unenroll devices already inside
What enrollment actually creates in Entra ID — the device record and certificate that every compliance and Conditional Access decision hangs from.
Enrolling an iPhone or iPad creates two records that are easy to conflate: the Intune managed-device object (the management channel — MDM profile, APNs, check‑ins) and the Microsoft Entra ID device object (the identity). Every iOS enrollment flow produces the same identity class: a Microsoft Entra registered device. Registration is the device identity model for iOS — the device registers with the directory; it never becomes a joined device. What varies between flows is when registration completes and what the record is keyed to — two variables that explain most "enrolled but still blocked" tickets.
Registration produces a device object in the directory — device ID, display name, OS version, a compliance flag, an activity timestamp — and provisions a workplace-join certificate on the device. The private key lives in the device keychain, where the broker apps (Microsoft Authenticator, Company Portal) and the Enterprise SSO plug-in can present it. That certificate binds hardware to directory: brokered sign-ins carry a certificate-backed device claim, and in Safari, Entra identifies the device by prompting for the client certificate. No certificate at sign-in means Entra sees a user with no device — however healthy the Intune record looks. In short: enrollment establishes management, registration establishes identity, and compliance-driven Conditional Access needs both.
The Chain That Makes Compliance Mean Something
Intune evaluates compliance policies against the enrolled device as it checks in.
The verdict is stamped onto the Entra device object as its compliant flag — the Intune record holds the detail, the Entra record holds the answer.
The sign-in presents the device identity — the SSO plug-in or broker app attaches the certificate-backed claim.
Conditional Access matches the claim to the record, reads the flag, and grants or blocks.
1 · EvaluateIntune checks compliance at check‑in
2 · StampVerdict lands on the Entra object's compliant flag
3 · PresentSign-in carries the certificate-backed device claim
4 · DecideConditional Access reads the flag — grant or block
The chain fails closed: a device whose registration never completed presents nothing at step 3, so a require-compliant-device grant fails even while the Intune blade shows green. That isn't a compliance problem, and re-enrolling won't fix it faster than completing the registration would.
Tip
The device overview in Intune shows the Microsoft Entra Device ID — the join key between the two portals. When records multiply, match on it, never on display names.
Entra registered, keyed to a per-enrollment ID — not the serial
During the Settings sign-in that performs the enrollment
The pattern to internalize: Setup Assistant and the enrollment profile get the device managed; registration is a second, interactive handshake that needs an Entra sign-in on the device itself. Historically that was Company Portal's job; with just-in-time registration it happens at the first sign-in to any work app. Until then, a freshly provisioned ADE device sits in the gap — managed, compliant in the Intune blade, and invisible to device-based Conditional Access.
Where Duplicate and Stale Records Come From
Wipe and re-enroll. The wipe destroys the keychain, and the workplace-join certificate with it. Re-enrollment completes a fresh registration and creates a new Entra object; the old one lingers with its timestamp frozen. Routine Return to Service cycles produce these by design — budget for cleanup.
Restore from backup. Backups never carry the management profile, so a user migrating to new hardware by restore arrives looking configured but unmanaged and unregistered. The fresh enrollment creates new records while the old device's linger, and a restored Company Portal can show stale state until the next sign-in.
The activity timestamp is coarse. It updates only when the stored value is more than 14 days old (with about a five-day variance) — anything younger than roughly three weeks is noise, not a liveness signal.
Step-by-Step: Clean Up Records Safely
Cleanup needs the Intune Administrator or Cloud Device Administrator role, and a deliberate order:
Clean the management side first. Retire or delete the dead Intune record — stale device cleanup automates the find-and-action. Intune deletions remove the Intune object only; the Entra object survives independently.
Identify Entra candidates by activity timestamp. Export the list before acting — the export is your undo plan for everything except deletion, which has none.
Match on device ID, not name. Duplicates share display names by construction; the live record is the one matching the Entra Device ID on the active Intune object.
Disable before deleting. A disabled record stops satisfying Conditional Access but is reversible. Give it a grace period.
Delete after the grace period. Deletion is permanent, and it removes the directory identity only — the device itself keeps a registration state it can no longer use.
Verification
The user's device list in Entra shows one record per physical device, matching the active Intune object.
A sign-in to a Conditional Access-protected app from the surviving device still gets a grant — you removed the twin, not the identity in use.
No new device-limit complaints — stale registrations quietly consume per-user headroom.
Caution
Deleting the Entra record of a working device is the self-inflicted outage here: the device keeps a certificate the directory no longer recognizes, and every device-based grant starts failing for that user. Recovery is a fresh registration — Company Portal sign-out and sign-in, or a retire and re-enroll in stubborn cases.
Hardening the Identity: Managed Device Attestation
Registration proves possession of key material; it doesn't prove what hardware holds it. Managed Device Attestation closes that gap: the Secure Enclave generates keys that cannot leave the silicon, and Apple's attestation servers vouch cryptographically that the request comes from a genuine, specific device. Classic registration binds the record to a certificate that could theoretically be exfiltrated; attestation binds it to physics — the strongest anchor a Conditional Access posture can stand on.
Insights
When Intune says compliant and Entra says noncompliant, registration never completed. The fix is an interactive sign-in on the device — Company Portal or any SSO-extension app — not a re-enroll, which rebuilds the same gap with more downtime.
Processes keyed on serial numbers silently miss Account-driven User Enrollment records, which deliberately carry a per-enrollment ID. Reconcile BYOD inventory by user, not hardware.
Do inventory hygiene in Intune and identity hygiene in Entra — in that order, on a schedule. Tenants that clean only one side accumulate the half-orphaned records that make every future cleanup scarier.
How Intune's per-setting policy surface maps to Apple payloads — and the conflict rules that govern it.
The Settings Catalog is the modern home for iOS configuration: every setting individually selectable, mapped 1:1 to Apple's MDM payload keys, with per-setting reporting. New Apple capabilities land here first.
Practical rule: new policies go in the Catalog; keep Templates only where the Catalog hasn't absorbed the payload yet (some Wi-Fi/VPN scenarios) or where an existing fleet depends on them.
Finding Settings
The Catalog's search matches both Intune's friendly names and Apple's raw key names — searching allowAirDrop or "AirDrop" both work. When Microsoft's description is thin, look the key up in Apple's Device Management documentation — the Catalog is a UI over that spec, and Apple documents supervision and OS-version requirements per key.
Conflict Resolution — Memorize This
Restrictions: when two profiles disagree, the most restrictive value wins. A single allow can never override a block.
Other payload types (Wi-Fi, SSO, etc.): conflicting duplicates produce a conflict state and neither applies reliably — per-setting reporting shows exactly which key collided.
Corollary: keep each setting in exactly one policy. The baseline's one-policy-per-area split exists for this reason.
Operational Hygiene
Name policies so the assignment story is readable at a glance: iOS-<Area>-<Audience>-v<N>.
One purpose per policy; resist the 200-setting mega-profile — it can't be piloted, diffed, or rolled back sanely.
Document the why in each policy's description field. Future-you and auditors both read it.
Policies are Graph objects (deviceManagement/configurationPolicies) — version them with IntuneCD for config-as-code backup and diffing.
Do
Put new policies in the Settings Catalog
Keep each setting in exactly one policy
Name for the assignment story: iOS-<Area>-<Audience>-v<N>
Document the why in the description field
Don't
Build 200-setting mega-profiles — they can't be piloted, diffed, or rolled back
Duplicate a setting across profiles — non-restriction payloads land in a conflict state
Expect an allow to win — restrictions resolve to the most restrictive value
PSK and 802.1X enterprise Wi-Fi for iOS — including the MAC randomization gotcha.
Push Wi-Fi so devices join the right network before the user can mistype a passphrase. Two tiers: simple PSK, and certificate-based enterprise (EAP-TLS) — the second is where iOS fleets earn their keep.
the segment is guest or IoT-gradePSK profileSSID + pre-shared key, connect automatically — quick and adequate there.
it's a corporate data networkEnterprise EAP-TLSThe device authenticates with a certificate — no passwords anywhere.
Prerequisites
Network facts agreed with the network team: SSID, security type, and (for PSK) the passphrase.
For EAP-TLS: a working certificate issuance chain (trusted root + SCEP) and the exact server names on your RADIUS certificate.
A decision per SSID on whether network tooling needs the hardware MAC (corporate networks) or privacy-preserving randomization is fine (guest) — see the gotcha below.
Step-by-Step: Basic (PSK) Profile
Create the profile.Devices > iOS/iPadOS > Configuration > Create — Wi-Fi (Templates, or the Catalog's Wi-Fi category).
Set the SSID and turn on Connect automatically so devices join without user action.
Leave Hidden network off unless it truly is hidden — hidden SSIDs add probe noise, not security.
Choose the security type — WPA/WPA2/WPA3 Personal — and enter the pre-shared key.
Add per-network proxy settings if your egress design requires them.
Assign to the target device group and deploy.
Good for guest/IoT-grade segments. Corporate data networks deserve certificates.
Step-by-Step: Enterprise (EAP-TLS) Profile
The gold standard: the device authenticates with a certificate, no passwords anywhere. Build order matters — three profiles, deployed together:
Deploy the trusted certificate profile — your root (and issuing) CA, so the device trusts the RADIUS server. (Certificates guide)
Deploy the SCEP certificate profile — issues the device its identity cert.
Create the Wi-Fi profile (Enterprise) — EAP type EAP-TLS, Identity certificate = the SCEP profile from step 2, Server Trust > certificate server names matching your RADIUS server's cert.
Assign all three profiles to the same group. Intune sequences the dependencies automatically; reporting on the Wi-Fi profile shows "pending" until the SCEP cert lands.
Profile 1Trusted certificateRoot + issuing CA so the device trusts RADIUS
Profile 2SCEP certificateIssues the device its identity cert
Profile 3Wi-Fi (Enterprise)EAP-TLS, identity cert + server trust names
AssignAll three to the same groupWi-Fi shows pending until the SCEP cert lands
The MAC Randomization Gotcha
Since iOS 14, devices present a per-network private (randomized) MAC address by default — which breaks MAC-based NAC, DHCP reservations, and Wi-Fi analytics keyed on hardware MACs. The Intune Wi-Fi profile exposes a MAC address randomization setting — set it to use the static (hardware) MAC on your corporate SSIDs where network tooling depends on it. Leave randomization alone on guest networks; it's good privacy hygiene there.
Verification
Profile reporting shows Succeeded for all deployed profiles — a Wi-Fi profile stuck at Pending usually means the SCEP certificate hasn't issued yet.
On a pilot device, the SSID joins without prompting, and the identity certificate is visible inside the management profile details.
Ask the network team to confirm one successful EAP-TLS authentication in the RADIUS logs — that single log line proves the entire chain end to end.
Insights
Deploy the Wi-Fi profile in the enrollment-time policy set so ADE devices land on corporate Wi-Fi during Await Final Configuration — otherwise first-boot app installs ride whatever network the user picked.
Removing a Wi-Fi profile removes the network and its stored credentials — sequencing matters during SSID migrations: add the new profile, confirm fleet adoption, then retire the old one.
802.1X failures are almost always server trust (RADIUS cert name not listed) or an expired device cert — check those before blaming the WLAN team, and they'll do the same for you.
Device-wide, per-app, and always-on VPN for iOS — and where Microsoft Tunnel fits.
iOS VPN comes in three escalating flavors. Most enterprises should be running the middle one and don't know it.
users need classic full-device remote accessDevice-wide VPNIKEv2 or a vendor client; user-initiated or on-demand rules.
corporate apps need internal access and personal traffic must never touch your gatewayPer-app VPNTunnel activates only for designated managed apps — the one most fleets should run.
a regulated fleet must tunnel everything, alwaysAlways-On VPNSupervised-only, IKEv2-only, no user off-switch — pilot longer than feels necessary.
1. Device-Wide VPN
The classic: a VPN profile (IKEv2 native, or a vendor connection type — Cisco Secure Client, GlobalProtect, FortiClient, F5 Access, Zscaler, Check Point, and friends) the user or on-demand rules activate. Configure under Devices > Configuration > VPN (Template or Catalog):
Connection type determines which client app must also be deployed (VPP, required) — the profile configures the vendor's app, it doesn't replace it.
On-demand rules can auto-connect when specific domains are requested.
2. Per-App VPN (the one you probably want)
The standout iOS capability: the tunnel activates only for designated managed apps — corporate apps reach internal resources, personal traffic never touches your gateway. Better privacy, smaller attack surface, happier users.
Setup is two halves, and the second half is the step everyone misses:
Create the VPN profile with per-app VPN enabled (the vendor must support it — most do).
Associate the profile on the app assignment. In the app assignment (the VPP/LOB app's Required assignment), associate the per-app VPN profile. The association lives on the assignment, not on the profile — configure the profile alone and the tunnel never activates.
Safari can participate via Safari domains listed in the profile: matching URLs route through the tunnel.
3. Always-On VPN
Supervised-only, IKEv2-only: the device tunnels all traffic, always, with no user off-switch. Reserved for regulated/high-security fleets — it's operationally unforgiving (gateway outage = fleet outage). Configure deliberately, pilot longer than feels necessary.
Microsoft Tunnel
Microsoft's own VPN gateway: a Linux-hosted appliance, with the iOS client delivered inside Microsoft Defender — one app provides MTD and per-app VPN. If you're already deploying Defender for iOS and need lightweight internal access, Tunnel avoids introducing another vendor. Conditional Access can gate the tunnel itself.
Verification
Per-app: launch a designated managed app and confirm it reaches an internal resource while non-designated traffic does not — that asymmetry is the feature working as designed.
Device-wide / always-on: the VPN indicator shows on the device, and the gateway's session table lists the device.
Check per-device deployment status on the profile; a per-app tunnel that never activates almost always means the app-assignment association (step 2) was skipped.
Insights
Per-app VPN + Defender's web-protection loopback VPN can coexist (the loopback isn't a real tunnel), but stacking multiple real VPN vendors on one device is misery — pick one.
Test the failure mode: what does the LOB app show users when the gateway is down? "Spinning forever" generates tickets; work with the app team on a timeout message.
The certificate chain that powers Wi-Fi, VPN, and app authentication on iOS.
Certificates are the quiet dependency under everything good: EAP-TLS Wi-Fi, per-app VPN auth, and password-less access to internal systems. iOS handles them beautifully — once the issuance chain is built.
The Three Profile Types
Profile
Purpose
Notes
Trusted certificate
Installs your root/issuing CA public certs
The anchor; deploy first, everything references it
SCEP certificate
Device requests its own identity cert
Per-device keys, never leave the device — the default choice
PKCS imported/PKCS
CA-side key generation, pushed to device
For scenarios needing key escrow (S/MIME) or specific CA constraints
Issuance Backends — Pick One
Microsoft Cloud PKI (Intune Suite add-on): Microsoft-hosted CAs purpose-built for Intune SCEP — no on-prem connector, no NDES, stand up issuance in an afternoon. The default recommendation for new builds without an existing PKI mandate.
Your enterprise CA via the Certificate Connector for Intune: the on-prem path — install the connector, publish templates, point SCEP profiles at it. Right answer when AD CS already runs your world.
Third-party CAs (DigiCert, Sectigo, EJBCA, SCEPman, etc.) via their Intune integrations — SCEPman in particular is a popular Azure-native community favorite for Intune-only PKI.
you're building new with no existing PKI mandateMicrosoft Cloud PKIIntune Suite add-on; no connector, no NDES — issuance in an afternoon.
AD CS already runs your worldEnterprise CA + Certificate ConnectorInstall the connector, publish templates, point SCEP profiles at it.
you want a third-party or Azure-native serviceThird-party CA integrationDigiCert, Sectigo, EJBCA — SCEPman is the community favorite for Intune-only PKI.
Step-by-Step: Build the Issuance Chain
Deploy the Trusted certificate profile first. Export your root (and issuing) CA public certs, create the profile, and assign it to the target group — every SCEP profile references it, so it anchors everything that follows.
Create the SCEP profile.Devices > Configuration > Templates > SCEP certificate (iOS/iPadOS), then work through the settings:
Subject name format: e.g. CN={{DeviceName}},O=YourOrg — token variables ({{AAD_Device_ID}}, {{SerialNumber}}, {{UserPrincipalName}} on user-affinity devices) make certs traceable
SAN: include {{AAD_Device_ID}} as URI for Entra-aware services
Validity: 1 year is the sane default; shorter if your backend automates renewal cleanly (Intune renews automatically near expiry)
Root certificate: link the Trusted certificate profile
SCEP server URLs: from Cloud PKI / your connector
Assign both profiles to the same groups so issuance can complete in one policy cycle — a SCEP profile without its trusted root never finishes.
Verification
Profile reporting shows Succeeded for both the trusted root and the SCEP profile; on the device, the issued identity certificate is visible inside the management profile details.
Your CA's issued-certificates log shows one cert per device with the expected subject — duplicates or rapid re-issuance point at a profile misconfiguration.
Test one downstream consumer end to end (an EAP-TLS Wi-Fi join or a per-app VPN authentication) — certificates only matter insofar as the things they authenticate actually work.
Insights
Renewal is silent until it isn't. Intune re-issues before expiry, but a broken connector fails silently fleet-wide; alert on the connector's health and on Wi-Fi auth failure spikes — that's your early warning.
Certs issued to the device die with the management profile — a retire/wipe revokes access to everything cert-gated instantly. That's a feature; document it for the helpdesk.
One identity cert can serve both Wi-Fi and VPN profiles — reference the same SCEP profile from each rather than issuing duplicates.
Wallpaper, lock screen messages, and pinned icon layouts — turning a fleet into your fleet.
Branding settings are supervised-only and pure quality-of-life — but on shared, kiosk, and frontline fleets they're the difference between "an iPad" and "our iPad." All of it lives in supervised territory (ADE).
Applies toSupervised (ADE) corporate hardware only
Console pathDevices > Configuration > Templates > Device features
RequiresPortrait PNG, asset-tag scheme, if-lost contact line
ScopeShared, kiosk, and frontline fleets — skip 1:1 knowledge workers
Prerequisites
Supervision — every control on this page requires it, which in practice means ADE-enrolled, corporate-owned hardware.
Assets and copy ready: a portrait PNG for wallpaper, your asset-tag scheme, and the if-lost contact line.
Step-by-Step: Home Screen Layout
Open the template.Devices > Configuration > Templates > Device features > Home screen layout (supervised).
Define the Dock. 4–6 daily-driver apps: Outlook, Teams, your LOB app — the things a user reaches for hourly.
Lay out pages and folders for the curated set. Apps not in the layout flow onto later pages automatically — you're pinning the front door, not cataloguing everything.
Position web clips like apps — pin the intranet portal next to Outlook.
Assign to the shared/kiosk/frontline device groups and deploy.
Reality check: users on 1:1 personal-enabled devices resent frozen layouts. Use layout policies on shared/kiosk/frontline fleets; skip them (or dock-only) for knowledge workers.
Step-by-Step: Wallpaper
Prepare the asset. A portrait PNG sized generously — devices scale down better than up — with a high-contrast logo. A branded lock screen makes pool devices identifiable across a room; operationally underrated in hospitals and warehouses.
Configure the same Device features template (supervised): push the image to the lock screen, home screen, or both.
Test on both iPhone and iPad aspect ratios before any fleet-wide push — one asset rarely flatters both without checking.
Step-by-Step: Lock Screen Message (the asset tag trick)
Find the settings. Settings Catalog > search Lock Screen Message.
Set Asset tag information: e.g. Asset: CFA-00231 · IT: x4357 — it shows on the lock screen and in Settings > General > About.
Set the "If Lost, Return To…" footnote text. Combined with Lost Mode, this is your loss-recovery funnel: every honest finder sees exactly who to call without unlocking anything.
Verification
After the next check‑in on a pilot device, lock it and read the lock screen exactly the way a finder would: wallpaper, asset tag, and if-lost line all present.
Confirm the asset tag also appears under Settings > General > About — that is where the helpdesk will look during calls.
Check the home screen layout applied: Dock contents and page order match the policy.
Naming Ties It Together
Branding on glass should match identity in the console — the Bulk Device Rename script enforces a naming convention (IOS-<site>-<serial-tail>) across the fleet so the label, the lock screen, and the Intune object all agree.
The iOS 18+ AI restriction set — what each control governs and a sane enterprise posture.
Apple Intelligence (iOS/iPadOS 18+ on supported hardware) brought a new family of MDM restrictions, and "what's our AI policy on phones?" is now a question every iOS admin gets. Here's the control surface and a defensible default.
Applies toiOS/iPadOS 18+ on supported hardware
RequiresSupervision for most controls
Console pathSettings Catalog > Restrictions
RenewalRe-run the Catalog search every OS cycle — Apple adds keys each release
Where the Controls Live
Settings Catalog > Restrictions — search "intelligence", "Genmoji", "writing", or "playground" to surface the family. Most require supervision, and Apple adds keys each OS cycle — re-run that search after every major release and check Apple's device management documentation for per-key OS requirements.
The Control Family
Control
Governs
Writing Tools
System-wide rewrite/proofread/summarize in any text field — including corporate app content
Mail / message summarization
AI-generated summaries of (potentially sensitive) correspondence
Genmoji
Generated emoji
Image Playground / Image Wand
On-device image generation features
External intelligence integrations
The big one: hand-off of requests to external providers (the ChatGPT integration) — blockable independently of on-device features
Siri request history / external processing controls
Where assistant requests may be processed
The Data-Flow Mental Model
Apple processes most Apple Intelligence requests on-device, escalating heavier requests to Private Cloud Compute (Apple silicon servers, cryptographically attested, no retention per Apple's design). External integrations (ChatGPT) are a separate, explicit hand-off to a third party — which is why the controls split there. Your legal/security stance on "Apple PCC" vs "third-party AI" can differ, and the keys let you encode that difference.
A Defensible Baseline Posture
Tier
Posture
External integrations (ChatGPT)
Block until counsel explicitly approves a third-party AI data path
Summarization of Mail/Messages
Block in regulated environments; allow elsewhere
Writing Tools
Allow — blocking it punishes productivity for little risk reduction (data stays in Apple's path)
Genmoji / Image Playground
Allow; block only on locked-down frontline fleets where it's pure distraction
Whatever you choose, write the rationale into the policy description — this is the restriction family auditors ask about first now.
Step-by-Step: Put the Posture in Place
Create the policy.Devices > iOS/iPadOS > Configuration > Create > Settings catalog, named so the intent is obvious later, e.g. iOS-Restrictions-AppleIntelligence-v1.
Add the restriction keys. Search the Restrictions category for the family ("intelligence", "Genmoji", "writing", "playground") and set each control according to the tier table above.
Record the decision. Put the rationale — what is blocked, why, and who approved the external-integration stance — into the policy description field before assignment.
Pilot on hardware that actually supports Apple Intelligence. Ineligible devices silently ignore the keys, so a pilot ring of older hardware proves nothing about the restrictions working.
Assign broadly, then re-audit every OS cycle. Apple adds keys each release; re-run the Catalog search after every major version and fold new controls into the policy deliberately rather than letting them default.
Insights
These restrictions interact with device eligibility: older hardware without Apple Intelligence simply ignores the keys — fine, but it means reporting "policy applied" ≠ "feature existed to restrict."
Pair the MDM posture with your App Protection story: APP's data-egress rules already prevent pasting corporate data into a personal ChatGPT app — the restriction keys close the system-integration path specifically.
What Intune can and can't do with cellular — and the operational traps in eSIM fleets.
eSIM-only iPhones made cellular an endpoint-management problem. Set expectations correctly: Intune observes and protects cellular configuration well, but provisioning lives with your carrier.
What Intune Gives You
Inventory: per-device hardware blade (and Graph) reports EID, ICCID, IMEI, phone number, and carrier — everything your telecom team needs for reconciliation.
Protection: the wipe action's "Retain cellular data plan" option — the single most important checkbox in eSIM fleet operations (below).
Configuration: a Cellular payload (Settings Catalog/custom profile) for APN settings in private-APN/IoT deployments.
Restrictions: block users from modifying eSIM settings / removing the plan (supervised) — stops the accidental "deleted my work line" ticket.
What Intune Doesn't Do
Activating a plan onto a device. eSIM provisioning paths are: carrier activation at point of sale, the carrier's app/QR flow, or carrier eSIM orchestration platforms that push profiles by EID. Enterprise pattern: ship your carrier a CSV of EIDs (export via Graph) and they pre-provision — pair that with ADE and a device arrives with management and service, zero touch.
The Wipe Trap (Read Twice)
A standard Wipe erases the eSIM along with everything else. The device returns to a user — or worse, a remote field tech — with no cellular service and possibly no Wi-Fi to recover with. Check "Retain cellular data plan" on every wipe of a device that will be redeployed with its line. Wipe without it only when the line should genuinely die with the assignment.
Train the helpdesk on this before the first remote-worker redeploy, not after.
Do
Check Retain cellular data plan on every wipe of a device that keeps its line
Train the helpdesk before the first remote redeploy
Pilot the full lifecycle with your carrier: provision → wipe-with-retain → reassign → terminate
Automate the EID → user → line mapping from day one
Don't
Run a standard wipe on a device that will be redeployed with its plan — it erases the eSIM
Expect Intune to provision plans; activation lives with the carrier
Leave EID reconciliation for later — retrofitting it across a fleet is a quarter of someone's life
Insights
Pilot your carrier, not just your devices. eSIM transfer/redeploy behavior varies meaningfully between carriers; run a full lifecycle (provision → wipe-with-retain → reassign → terminate) before committing the fleet.
Dual-SIM (work eSIM + personal physical/eSIM) is increasingly the BYOD-adjacent ask — Intune sees both identifiers; your acceptable-use policy should say which line the org pays for and controls.
Keep EID → user → line mapping automated from day one (inventory script + telecom billing export); reconciling it retroactively across 2,000 devices is a quarter of someone's life.
The modern iOS network-control payloads — relays as the VPN successor, encrypted DNS, and filter architecture.
VPN profiles cover the classic tunnel; this page covers the payload family Apple built for the post-tunnel era — network controls that shape traffic without a legacy VPN's weight.
your ZTNA/secure-edge vendor exposes relay-compatible endpointsRelay payloadDomain- or app-scoped MASQUE transport — no packet-tunnel extension, better battery, the bridge out of VPN debt.
you want the cheapest meaningful network-security winDNS payloadProtective DoH/DoT resolvers enforced at the OS, following the device onto every network.
you need real web policy from a security vendorFilter-provider payloadPoints at the vendor's filter extension — one provider per scope, never stacked.
Network Relay (the VPN Successor Pattern)
The relay payload configures Apple's built-in relay client (the MASQUE/HTTP-3-based transport behind iCloud Private Relay, opened to enterprise): traffic to defined domains routes through your relay infrastructure — per-app or domain-scoped — with no packet-tunnel extension, no third-party client app, and dramatically better battery and connection-migration behavior than device-wide VPN. The fit: organizations on ZTNA/secure-edge platforms whose vendors expose relay-compatible endpoints, replacing per-app VPN for web-shaped corporate access. The strategic note: relays are the bridge out of VPN debt, not another tunnel to accumulate.
Encrypted DNS (DNS Settings Payload)
The DNS payload pins devices to DoH/DoT resolvers — your protective DNS, enforced at the OS — with optional always-on behavior on supervised devices. This is the cheapest meaningful network-security control on the platform: phishing/malware domain blocking that follows the device onto every network, deployed as one payload.
Content Filter Architecture
Filtering on iOS is payload-mediated, two-tier: the built-in restrictions (limit adult content / allow-list) for blunt needs, and filter-provider payloads pointing at a vendor's filter extension for real policy — the MTD/Defender class of products ride this for web protection. One provider per scope; stacking filter providers recreates the classic two-security-agents-one-hook conflict in network form — multiple extensions claiming the same traffic produce breakage nobody can cleanly triage, so pick a single provider and document the choice.
Insights
Decide the sequencing against per-app VPN explicitly — relay, VPN, DNS, and filter payloads all touch the same flows, and the interaction matrix is yours to own: document which control owns which traffic class or the first conflict ticket will be unsolvable by anyone who didn't write the profiles.
The DNS payload is the quiet BYOD-tier win: protective DNS on enrolled devices costs users nothing visible and closes the commodity-phishing door — deploy it before the fancier layers.
The ecosystem features as policy surface — sharing, casting, and cross-device handoff under management.
Apple's ecosystem magic — AirDrop, AirPlay, Handoff, clipboard sync — is also a set of data paths, and managed fleets decide each one on purpose. The restrictions catalog's ecosystem family, organized by what's actually at stake:
AirDrop
The headline decision. Options run from off (regulated fleets — AirDrop is unauditable point-to-point file transfer) through managed-devices-only postures via the managed pasteboard/sharing boundary interactions, to open with managed open-in doing the data-boundary work (the common knowledge-worker landing: AirDrop exists, but corporate documents can't leave managed apps to ride it). Decide per data classification, write the one-liner for users, move on.
AirPlay and Casting
The conference-room reality: AirPlay to meeting-room hardware is a productivity feature; AirPlay to arbitrary receivers is a projection-of-confidential-content risk. The control set: restrict AirPlay targets via allow-listed receivers/passwords where rooms are managed, and pair with the screen-capture/recording restrictions that govern the adjacent risk on regulated fleets.
These ride the user's Apple Account across their devices — and that is exactly the question: corporate data continuing onto unmanaged personal hardware. On supervised corporate devices, Handoff/clipboard restrictions close the path; on BYOD, the workable answer is App Protection's cut/copy boundary governing the data rather than fighting the feature. The underlying discipline is iCloud-boundary thinking: decide which Apple Account data paths corporate data may ride, write the decision down, and apply it consistently across every ecosystem feature.
Do
Decide each data path per data classification — then write the one-liner for users
Allow-list AirPlay receivers (and passwords) where rooms are managed
Govern BYOD with App Protection's cut/copy boundary instead of fighting the feature
Test restrictions in the actual conference room
Don't
Block ecosystem features without explanation — mystery breakage breeds personal-device workarounds
Leave Apple Account data paths undecided while corporate data rides them
Let confidential content project to arbitrary receivers on regulated fleets
Insights
This family is where the restraint doctrine earns trust: block what the data classification demands, leave the rest — a fleet where AirDrop mysteriously "doesn't work" without explanation breeds workarounds (personal devices in the workflow), a worse outcome that happens to look compliant.
Test in the actual conference room: AirPlay restrictions interact with receiver firmware and network segmentation, and the ten-minute room test beats the theoretical matrix every time.
Apple's modern management protocol — desired state on the device, not commands from the server.
Declarative Device Management (DDM) is Apple's next-generation management protocol, introduced at WWDC 2021 and expanded every release since. It runs inside an existing MDM enrollment — same channel, new grammar.
The Mental Model Shift
Legacy MDM is imperative: the server sends a command ("install this update"), the device executes it (maybe), and the server polls for status. Latency, drift, and "did it actually happen?" are baked into the design.
DDM is declarative: the server sends a declaration describing the desired state ("be on iOS 17.5.1 by June 20, 18:00 UTC"), and the device takes ownership of getting there — scheduling, retrying, notifying the user, and enforcing the deadline autonomously, even if it can't reach the server at the moment of truth.
1 — DeclareServer sends desired state"Be on iOS 17.5.1 by June 20, 18:00 UTC"
2 — Device owns itSchedules, retries, notifies, enforcesAutonomous — even if the server is unreachable at the deadline
3 — Status flows backDevice reports state changes proactivelyNo polling — reporting freshness improves dramatically
The Building Blocks
Concept
What it is
Declarations
The desired-state payloads: configurations, activations, assets, and management properties
Activations
Logic that decides when a configuration applies (can include predicates)
Status channel
The device proactively reports state changes — no more polling
Assets
Referenced content (e.g., per-user data) that declarations can point to
The status channel is the underrated half: when a device installs the update, changes passcode state, or drifts, it tells the server immediately. Reporting freshness in Intune improves dramatically for DDM-managed state.
Software update enforcement via DDM: iOS/iPadOS 17+ — this is the scenario Intune exposes today and the one that matters operationally.
What This Means in Intune
You don't toggle DDM on. Intune delivers supported payloads declaratively when the device qualifies — most visibly the Software Update enforcement settings in the Settings Catalog. Your job is simply to prefer those payloads over their legacy equivalents.
Target OS Version — exact version string, e.g. 17.5.1
Target Date Time — enforcement deadline. Entered/stored in UTC; do the timezone math for your users
(Optional)Target Build Version — only when you must disambiguate builds
Assign to the ring's device group. Repeat per ring with staggered deadlines.
What the User Experiences
Declaration lands silently; the device begins downloading the update on its own schedule (charger + Wi-Fi preferred).
Notifications start polite and get insistent as the deadline approaches — including a final countdown phase the user cannot dismiss away forever.
At deadline: install proceeds. If a passcode is set, iOS prompts for it; an ignored prompt results in installation at the next practical opportunity (lock/charge), and the OS treats the deadline as binding.
Verification
Devices > Monitor > the Apple software updates reporting surfaces per-device update state (DDM status reports make this near-real-time compared to legacy).
Per-device: the device blade shows the installed OS version refreshed by the status channel.
After a ring's deadline passes, spot-check one device: the installed OS version matches the declaration's target — that single comparison proves the policy end to end.
Real-world DDM update behavior that the docs won't tell you.
Field notes from running DDM update enforcement on production fleets.
UTC will bite you once. Target Date Time is UTC. A "5:00 PM" deadline entered naively becomes mid-morning enforcement for US time zones. Decide deadline in local terms, convert deliberately, write the local time in the policy name or description.
Give real runway. Deadlines less than ~48–72 hours out skip most of the polite-notification phase and feel hostile to users. The design shines when the device has days to find its own charger-and-Wi-Fi moment.
Don't stack legacy update policies on top. Remove old Update policies for iOS/iPadOS assignments from devices that get DDM enforcement. They don't merge; they confuse both your reporting and occasionally the device.
Exact version strings matter.17.5.1 and 17.5 are different declarations. When Apple ships a same-week security respin, update the policy — the device won't "round up" on its own.
Offline enforcement is real. Devices that received the declaration enforce at deadline even with Intune unreachable — great for field devices, surprising the first time a device in a drawer updates itself.
Low battery is the most common "it didn't update" cause. The device defers installation until charging conditions are reasonable; deadlines effectively resolve at the next charge. Tell your helpdesk before they escalate.
Deferral + enforcement is the complete system. Enforcement without deferral restrictions lets eager users jump to day-one releases before validation. Deferral without enforcement lets laggards live on old builds forever. You need both halves.
Apps as declarations — the autonomous install model that does to app deployment what DDM did to updates.
DDM's premise — ship the device a desired state and let it converge autonomously — was proven on software updates; Apple has been extending the same model to apps: app declarations the device honors itself, reporting status back through DDM's status channel rather than waiting on command-queue round-trips.
What Changes vs Command-Based Installs
The classic VPP install is imperative: the server sends InstallApplication, the device obeys (eventually), the server polls for truth. Declarative apps invert it: the declaration states this app, this configuration, present — and the device owns convergence: installing when conditions allow, retrying on its own after transient failures, re-asserting if the app vanishes, and reporting state proactively through status subscriptions. The pending-forever class of ticket is exactly what this architecture deletes.
DeclareDesired state lands"This app, this configuration, present"
ConvergeDevice installs when conditions allowRetries transient failures on its own
Re-assertState is defendedIf the app vanishes, the device puts it back
ReportStatus flows proactivelyStatus subscriptions, not command-queue polling
The Practical State of Play
This is a capability arriving in stages — OS support landed before management-platform surfacing, and what Intune exposes evolves by release. The pragmatic operating posture: know the model now (it's where the platform is going), watch the What's New feed for the Intune-side surfacing of declarative app configuration, and design new app-deployment standards so the intent layer (which apps, which populations — your assignment taxonomy) is independent of the delivery mechanism, which is precisely what makes mechanism upgrades free.
Why It Matters Beyond Speed
Declarations compose: an app declaration can participate in DDM's predicate/activation logic — state that applies when conditions hold — which points at app management that reacts on-device to context without server round-trips. The update-enforcement page's lesson generalizes: the device is the best agent of its own state.
Insights
The migration thinking to start now: inventory which of your app deployments are state ("these 12 apps, always present, current") versus events ("push this once") — the state set is the natural DDM-apps cohort, and naming it today makes the eventual cutover a targeting exercise instead of a redesign.
Apple's emergency patch lane — what RSRs are, the MDM controls that govern them, and where they fit in your update strategy.
Rapid Security Responses are Apple's out-of-band patch vehicle: small, fast security fixes (the "(a)" suffix builds) that ship between full OS updates — installable without a full update cycle and, distinctively, removable. They exist for the actively-exploited-in-the-wild class of vulnerability where waiting for the next point release is the wrong answer.
Applies toDevices on the latest OS — laggards aren't eligible
Patch laneOut-of-band "(a)" suffix builds between point releases
MDM restrictions govern the RSR experience on supervised devices:
Allow/disallow RSR installation — whether devices take responses at all; the corporate default should be allow (these are the patches whose entire reason is urgency)
Allow/disallow RSR removal — whether users can roll one back; managed fleets generally disallow removal, since "user uninstalled the emergency mitigation" is not a state you want discoverable in an incident review
These sit alongside — not inside — your DDM update enforcement: DDM deadlines drive scheduled OS currency; RSR policy governs the emergency lane. Two lanes, two doctrines, deliberately different speeds.
How to Run It
Allow installs fleet-wide, block removal — the boring, correct posture
Don't ring RSRs like point releases: their value is speed, and a three-week bake on an actively-exploited fix inverts the risk math. The ring-1 canary still exists — it just measures in hours, not weeks
Verify uptake: RSR state surfaces in OS version strings — the inventory report's version column showing the lettered suffix is your coverage proof when security asks
Insights
RSRs apply to the latest OS — a fleet lagging on point releases isn't eligible for the emergency lane, which is one more argument for the DDM deadline discipline keeping the fleet current: emergency patching is a privilege of the up-to-date.
When an RSR ships, the comms move is pre-written one-liner territory: "Apple shipped an urgent fix; your device may install it quickly and prompt for a short restart — that's expected and protective." Thirty seconds of comms converts a confusion spike into a non-event.
True multi-user iPadOS for frontline, clinical, and education fleets.
Shared iPad is Apple's only true multi-user mode: multiple people share one iPad, each signing in with a Managed Apple Account to get their own separated workspace — apps see per-user data, sign-ins persist between sessions, and a returning user picks up where they left off.
How It Works
The iPad partitions local storage among a configurable number of cached users. A returning cached user signs in to their data instantly; a new user beyond the cache triggers eviction of the least-recent.
User data syncs against the Managed Apple Account, so a user can move between shared devices.
Temporary Sessions (guest mode) provide a sign-in-free session that is completely wiped when the user signs out — ideal for kiosks-with-flexibility, libraries, patient devices.
Hard Requirements
Requirement
Detail
Enrollment
ADE only, with Shared iPad enabled in the enrollment profile — cannot be retrofitted without a wipe
Identity
Managed Apple Accounts from ABM (federate with Entra ID so users sign in with work credentials) — except Temporary Sessions, which need no account
Hardware
Modern iPads with sufficient storage; user partitioning consumes space fast on 64 GB models
Healthcare: nurses sharing cart iPads across shifts
Retail/frontline: shift workers with personal sign-in but pooled hardware
Education: the original use case (via Apple School Manager)
If users don't need their own state on the device, you may not need Shared iPad at all — a no-affinity ADE device with Single App Mode or a focused app set is far simpler to operate.
users need their own state on pooled hardwareShared iPadPer-user workspaces behind Managed Apple Accounts; sign-ins persist and follow users across devices.
the population is anonymous walk-up trafficTemporary SessionsSign-in-free guest sessions, completely wiped at sign-out — libraries, patient devices, loaners.
nobody needs personal state at allNo-affinity deviceADE without user affinity plus Single App Mode or a focused app set — far simpler to operate.
In ABM: Settings > Accounts, configure federated authentication with Microsoft Entra ID. Users then sign into Shared iPads with their existing work credentials; Managed Apple Accounts are created on the fly. (Manual MAA creation works but doesn't scale.)
Step 2 — Enrollment Profile
Devices > Enrollment > Apple tab > Enrollment program tokens > token > Profiles > Create profile > iOS/iPadOS:
User affinity: Enroll without user affinity
Shared iPad: Yes
Maximum cached users: balance storage vs sign-in speed. Rule of thumb: number of people who realistically rotate through a single device in a week. Fewer cached users = more storage each.
Or Temporary Sessions only for guest-style fleets — no Managed Apple Accounts needed at all.
Setup Assistant: skip aggressively; nobody should linger in setup on a shared device.
Assign serials, wipe/activate devices. Shared iPad state is set at activation.
Step 3 — Target Policies and Apps to Devices
Everything targets device groups (there is no persistent primary user):
VPP apps: Required, device licensed
Configuration: Wi-Fi, restrictions, Enterprise SSO plug-in — SSO makes the per-user Microsoft sign-in experience tolerable
A dynamic device group on the enrollment profile name keeps targeting automatic: (device.enrollmentProfileName -eq "SharedIPad-Production")
Step 4 — Session Settings (Settings Catalog)
Settings catalog > Shared iPad category exposes session behavior — temporary session timeouts, passcode requirements for MAA sign-ins, and quota-related options. Configure idle logout for clinical/retail floors so abandoned sessions close themselves.
Verification
Activate one device and confirm the Shared iPad sign-in screen appears at the end of setup — if it boots to a standard home screen, the enrollment profile's Shared iPad setting wasn't applied at activation.
Sign in with a test Managed Apple Account (or start a Temporary Session) and confirm apps, Wi-Fi, and the SSO experience land inside the session.
Sign out and back in: the returning user's workspace should restore quickly — that round-trip exercises caching, identity, and policy in one pass.
Operational truths about Shared iPad from production fleets.
First sign-in is the slow one. A new user's first session provisions their workspace and syncs account state — on weak Wi-Fi this is tens of seconds to minutes. Pilot users conclude "it's broken." Set expectations: first sign-in slow, returning sign-in fast.
Storage math is the design constraint. Usable space divides across the system, shared apps, and per-user partitions. On 64 GB iPads with heavy apps, more than 8–10 cached users gets cramped. Buy 128 GB+ for shared fleets and thank yourself later.
Eviction is silent. When cached-user slots overflow, the least-recently-used profile is purged locally (cloud-synced data survives; purely local app data does not). Apps that stash data outside proper sync get blamed for "losing" work — vet your LOB apps' data story before committing to Shared iPad.
Temporary Sessions wipe absolutely everything at sign-out. This is the feature. It's also why a patient/visitor who "saved" something locally cannot get it back. Signage near the device beats a helpdesk ticket.
Some apps just behave badly multi-user. Apps assuming a single keychain identity or device-bound licensing can cross-contaminate or break between users. Test every LOB app with two different accounts on one device before scale-out.
No affinity means no user-targeted policy. App config that depends on {{mail}}-style tokens resolves empty here. Apps must get user context at sign-in (MSAL + the SSO plug-in), not from MDM.
The sign-in screen is your brand moment. Shared iPad's lock screen lists cached users — combine with a wallpaper policy and clean device naming (SHARED-ER-CART-03) so staff grab the right device and IT can find it in Intune.
Quotas, temporary sessions, and sign-in behavior — the dials that decide whether shared carts feel fast or full.
Shared iPad's architecture and setup get devices into multi-user mode; this page is the tuning — the handful of settings that determine the daily experience once carts are in the field.
The Storage Math
Shared iPad partitions storage across cached user spaces; the core dial is how many users the device caches versus how much space each gets. The trade is explicit: more cached users = faster repeat sign-ins for a rotating population; fewer = more room per user for app data. Calibrate from the actual rotation: a cart serving the same 8 nurses caches 8 beautifully; a lobby device serving hundreds shouldn't cache deeply at all — which is the temporary-session conversation.
Temporary Sessions (the Guest Mode)
Temporary sessions let anyone tap in without credentials and wipe the slate at sign-out — the kiosk-adjacent mode for libraries, loaners, and exam carts. The control set: whether temporary sessions are offered at all, plus idle timeouts (auto-end abandoned sessions) and sign-out behavior. The decision rule: if the population is anonymous, temporary sessions beat shared-credential workarounds every time — credentials shared on a sticky note are the failure mode this feature exists to delete.
the same small crew rotates through the deviceCache the crewA cart serving the same 8 nurses caches 8 beautifully — repeat sign-ins stay fast, everyone keeps room.
hundreds of anonymous users pass throughTemporary SessionsDon't cache deeply — guest sessions wipe at sign-out and end the shared-credential sticky note.
Sign-In Experience
Managed Apple Accounts drive Shared iPad identity — federation makes the password the Entra password, and the sign-in screen's responsiveness rides your network's ability to reach Apple's auth quickly. Session timeouts tuned to shift rhythm close the loop: too short and users re-authenticate mid-task; too long and the next shift inherits a session.
Insights
The classic "Shared iPad is slow" ticket is storage pressure showing up as a performance complaint — a device at quota evicting/rebuilding user spaces on every rotation churns visibly. The inventory view's capacity data per cart tells you before users do.
Pilot the cache-count change on one cart and measure sign-in time — it's a thirty-second stopwatch test, and the number ends the meeting about it.
The three flavors of locking an iOS device to one app — and which one you actually want.
"Kiosk mode" on iOS is really three different mechanisms. Picking the right one up front saves a redeploy.
The Three Flavors
Single App Mode (SAM)
Autonomous SAM (ASAM)
Guided Access
Who locks it
MDM, permanently
The app enters/exits itself (MDM allowlists it)
A human, ad hoc
Supervised required
✅
✅
❌
Survives reboot
✅
App decides
✅ (with passcode)
Use case
Signage, POS, check‑in kiosks
Testing/exam apps, clinical workflows that lock during a task
One-off situations, parents, demos
Managed by Intune
✅ App Lock payload
✅ Restrictions allowlist
❌ (on-device feature)
SAM is the true kiosk: the device boots into one app and physically cannot leave it — no home gesture, no app switcher. The home screen ceases to exist.
ASAM delegates the locking to the app itself. The MDM allowlists bundle IDs that may call the autonomous lock APIs; the app then locks during an exam or signature capture and releases afterward. The app must actually implement ASAM support — check with the vendor.
Guided Access is the consumer feature (triple-click side button). Useful to know about; not a management strategy.
What SAM Implies Operationally
The locked app is the entire user experience — if it crashes to a black screen or needs an update restart, your remote tools are the only way in.
Pair with restrictions that suit a dark-corner appliance: auto-lock disabled, no passcode (plus Block Erase Content and Settings), and a remote restart capability you've tested.
ExitRemove the assignment and let the device sync — the only way out
Single App Mode (App Lock)
Create the profile.Devices > iOS/iPadOS > Configuration > Create > Settings catalog, and name it so the intent is readable in a policy list six months from now (e.g. iOS-AppLock-Lobby-Kiosks).
Add the App Lock category and configure it:
App > Identifier: the bundle ID, e.g. com.yourorg.checkin. Copy it from the Intune app blade rather than typing it — the identifier must match character-for-character, and a typo produces a profile that reports success while locking nothing.
Options: disable what a kiosk shouldn't have — auto-lock, touch can stay on, volume/sleep buttons per use case, disable VoiceOver/Zoom unless accessibility requires them.
Assign to the kiosk device group. Target devices, not users — kiosk fleets enroll without user affinity, so user-group assignments never reach them.
The device locks to the app within moments of the policy applying. Removing the assignment (and the device syncing) is the only exit.
Verification
Watch a pilot device take the policy: within moments of a sync it should snap into the app, with the home gesture and app switcher dead.
Reboot it: the device must boot straight back into the locked app — surviving restarts is the point of SAM.
Prove the exit path before shipping units: remove the pilot device from the assignment group (or unassign the profile), force a sync, and confirm the device returns to a normal home screen. A kiosk you can't unlock in the lab is a kiosk you can't unlock in the field.
Supporting Policies for a Kiosk Fleet
Bundle these in a kiosk-specific restrictions profile:
Setting
Value
Why
Auto-lock
Never (App Lock option)
Signage/check‑in stays awake
Require passcode
No passcode policy assigned
Nobody "unlocks" an appliance
Block Erase Content and Settings
✅
No passcode means Settings must be defanged (also unreachable under SAM, defense in depth)
Block app removal
✅
Belt and suspenders
Autonomous Single App Mode
For exam/clinical apps that lock themselves: Settings catalog > Restrictions > Autonomous Single App Mode Permitted App IDs — add the vendor's bundle ID(s). The app handles enter/exit via its own UI.
Multi-App "Kiosk"
iOS has no true multi-app kiosk. The accepted pattern: no-affinity supervised device + Home Screen Layout (pin the allowed apps) + restrictions hiding everything else (block App Store, Safari if unneeded) + Block app removal. It's a curated device, not a locked one — set expectations accordingly.
Plan the exit before the entrance. Leaving SAM requires the device to receive a policy change — which requires working Wi-Fi and APNs. A kiosk on a captive-portal network that dropped its session is a brick until someone gives it network. Validate connectivity health before assigning App Lock, and keep a bench procedure (wipe via ADE) for the stragglers.
Deploy the app before the lock. If App Lock lands first, the device locks to... nothing useful. Stage assignments: app to the device group, confirm install, then the App Lock policy. For new batches, bake a soak delay into your process.
App updates restart the app. VPP auto-updates apply under SAM, and the app relaunches. For 24/7 signage, that's a brief flicker; for a POS mid-transaction it's a support call. Schedule-sensitive fleets should stage app updates deliberately (pin versions, update in maintenance windows).
A crashed kiosk app = black screen. The device is fine; the app isn't running. The Restart device remote action (supervised) is your first-line fix — wire it into a bulk action script for fleet-wide overnight restarts. Weekly scheduled restarts prevent most of it.
Disable auto-lock, or the whole fleet goes dark on schedule. It's an App Lock option, and the #1 forgotten setting — every display sleeps at the default interval and stays that way until someone touches it. Pair with guided brightness for signage longevity, and remember always-on displays cook batteries — keep units on quality power.
Name devices for humans on the floor.KIOSK-LOBBY-NORTH on a label and in Intune turns "the iPad by the door is frozen" into a 30-second remote restart.
Temporary Sessions vs SAM: if users need to do anything beyond the one app — even occasionally — a Shared iPad with Temporary Sessions may fit better than fighting SAM's absolutism.
When the app drives the lock — ASAM for testing, point-of-sale, and clinical workflows that confine themselves.
Single App Mode locks a device to one app by policy; Autonomous Single App Mode (ASAM) hands the keys to the app itself — a whitelisted app may enter and exit single-app lock programmatically, on its own logic. The difference sounds subtle and changes the use cases entirely.
Applies toSupervised devices — ASAM payloads are ignored elsewhere
RequiresAn app built for ASAM, deployed before the allowlist
Your configuration profile names the bundle IDs permitted to self-lock; the app (built against the relevant API) then locks the device when its workflow demands and releases when done. The device isn't a kiosk — it's a normal supervised iPad that becomes one for the duration of an exam, a transaction, or a procedure.
Where ASAM Is the Right Tool
Assessment and testing: the canonical case — the exam app locks at test start, releases at submission; the device serves the whole class day normally otherwise
Point-of-sale and payment moments: the register app confines during transactions on a device that also runs inventory and email
Clinical and procedure workflows: a charting/procedure app that owns the screen during the sterile window, by its own state machine
The pattern in one line: periodic confinement on a multi-purpose device — versus full kiosk mode for dedicated appliances and Guided Access for ad-hoc human-supervised moments
Prerequisites
Supervised devices (the universal rule) — ASAM payloads are ignored on unsupervised hardware.
The app deployed and installed first — an allowlist entry for an app that isn't on the device grants nothing.
An app actually built for ASAM. The app itself must call the autonomous lock APIs; the app vendor's documentation defines the contract. ASAM only works for apps built for it, so the procurement question "does your app support autonomous single app mode" belongs in the RFP, not the deployment week.
Step-by-Step
Collect the exact bundle ID(s) from the vendor's documentation. The allowlist matches identifiers, not app names — character-exact or it silently does nothing.
Create the profile. The allowlist rides the custom/settings-catalog surface: Settings catalog > Restrictions > Autonomous Single App Mode Permitted App IDs, adding each permitted bundle ID.
Assign to the device group that runs the workflow and let the devices sync.
Verification
Run the app's own lock workflow on a pilot device: start an exam, transaction, or procedure and confirm the device confines itself (home gesture dead, app switcher gone) — then complete the workflow and confirm it releases. The release test matters more than the lock test; an app that locks and never releases is the failure mode you will meet in production.
Insights
Troubleshooting ASAM is mostly state confusion: a device "stuck in kiosk" is usually an app that locked and crashed/never released — force-quit paths and the vendor's release behavior belong in the runbook, and the device-side logs name the locking bundle in seconds.
Audit the allow-list annually like any standing trust list: every bundle ID that may seize the screen is a small standing grant — keep it to the apps that still earn it.
Remotely lock, message, and locate supervised iOS devices.
Lost Mode is the supervised-only remote action that turns a missing device into a locked beacon: a full-screen message with your contact info, all notifications silenced, and — uniquely — location lookup becomes available to IT while the mode is active.
Applies toSupervised corporate devices — no BYOD Lost Mode
RequiresAPNs reachability — the command queues until the device is online
Console pathDevices > select the device > Lost mode > Enable
UnlocksLocation lookup and Lost Mode sound while active — audit-logged
Requirements
Supervised device (ADE) — this is a corporate-device capability; BYOD/user enrollment has no Lost Mode
Device reachable via APNs (online at some point — the command queues)
Enable It
Devices > select the device > ... (or the action bar) > Lost mode > Enable.
Provide:
Message: e.g. "This device belongs to Contoso. Please call IT."
Phone number: tappable from the lock screen
Optional footnote text
The device locks immediately on receipt — whatever the user was doing ends.
While Lost Mode Is Active
Locate device action returns the device's location on a map in the Intune console. Outside Lost Mode, location is not available for standard corporate devices — this is the privacy boundary working as designed (location requests are audit-logged).
Play Lost Mode sound action makes the device emit a persistent tone — couch-cushion recovery.
The device is unusable: no notifications, no apps, just your message.
Disable It
Same device blade > Lost mode > Disable. The device unlocks back to normal (passcode still applies). If the device is gone for good, escalate: Wipe — and handle Activation Lock properly so the hardware remains recoverable.
Insights
Lost Mode is queued via APNs: a powered-off device locks the moment it next comes online. Enable it immediately on report of loss; don't wait to "see if it turns up."
Every Lost Mode and location action lands in Intune Audit logs — your evidence trail for HR/legal.
Train helpdesk that this exists. The median lost-device ticket still gets a wipe as the first response, destroying the locate-and-recover option Lost Mode provides.
Stop Activation Lock from turning returned corporate devices into paperweights.
Activation Lock ties a device to the Apple Account that enabled Find My. Brilliant anti-theft for consumers; for fleets it's the classic failure mode: an employee signs in with a personal Apple ID, leaves the company, and the returned iPhone demands their password at activation. Without a plan, that hardware is scrap.
The Managed Approach (Supervised Devices)
Intune gives you three layers — use all of them:
1. Control who can enable it
Settings catalog > Restrictions > Allow Activation Lock: Block on supervised corporate devices. Users can still use Find My features; the device just doesn't bind to their personal account.
If business needs require Activation Lock (high-theft field environments), prefer device-based Activation Lock managed by the org rather than user Apple IDs.
2. Bypass codes (your get-out-of-jail card)
For supervised devices, Intune automatically escrows an Activation Lock bypass code (device blade > Hardware). At the Activation Lock screen, leave the username blank and enter the bypass code as the password — the lock clears.
3. The Disable Activation Lock remote action
Device blade > Disable Activation Lock consumes the stored bypass code server-side. Run it before wiping a device headed for redeployment or return.
The Decommission Flow That Never Strands Hardware
Retrieve/confirm the bypass code exists (Hardware blade or Graph).
Disable Activation Lock action.
Wipe.
Device activates clean for the next user — or returns to ABM stock.
Do
Block Allow Activation Lock on supervised corporate devices
Confirm the escrowed bypass code exists before any decommission
Run Disable Activation Lock before wiping hardware headed for redeploy or return
Don't
Delete the Intune device object before clearing the lock — the bypass code goes with it
Let personal Apple Accounts bind corporate hardware via Find My
Expect a bypass on unsupervised BYOD — the user's password is the only key
Insights
Bypass codes are single-use — after one bypass, the stored code is spent. Re-supervision generates a new one.
ABM can also release org-owned devices from Activation Lock (device must be in your ABM org) — your fallback when an Intune record was deleted prematurely. Never delete the Intune device object before clearing Activation Lock; the bypass code goes with it.
Unsupervised BYOD: there is no bypass. The user's Apple ID is the only key — which is fine; it's their device. This entire page is about corporate hardware.
Pre-configure apps so they launch ready — settings, accounts, and onboarding pushed from Intune.
App configuration policies push key/value settings into apps that support managed configuration (Apple's NSUserDefaults-based managed app config). It's how Outlook knows the user's address before first launch, how Defender onboards silently, and how LOB apps get their server URLs.
Create either under Apps > Configuration policies > Add.
Building a Managed-Devices Policy
Add > Managed devices, pick platform iOS/iPadOS, select the targeted app (it must already exist in Intune — usually your VPP app).
Settings format:
Configuration designer — friendly key/value editor; Microsoft apps surface known keys.
XML — paste a property list for apps whose vendors hand you raw plist config.
Add keys. Vendor documentation is the source of truth for key names — there is no discovery mechanism; apps read whatever keys they were coded to read.
Token Variables
Values can include Intune variables resolved per device/user at delivery:
On no-affinity devices, user tokens resolve empty — scope user-dependent configs to user-affinity devices.
Verifying It Worked
App config has no user-visible footprint — the app simply behaves configured.
Intune: the policy's Device install status shows delivery.
If the app ignores the config: confirm the bundle ID matches exactly, the app actually supports the keys (vendor docs), and the app was restarted after the policy landed — most apps read managed config at launch only.
Protect corporate data inside apps — with or without device enrollment.
App Protection Policies (APP, colloquially MAM) draw the security boundary around the data inside managed apps rather than the device. They're the reason "we don't manage personal phones" and "corporate data is protected on personal phones" can both be true.
Applies toApps built with the Intune App SDK — all Microsoft 365 mobile apps
RequiresNo enrollment — APP activates at work-account sign-in
Assign toUser groups; the policy follows the user across devices
MonitorApps > Monitor > App protection status
What APP Controls
Data egress: where org data can go — save-as targets, share-sheet destinations, cut/copy/paste boundaries, backup exclusion
Access: PIN/biometric to open the app's work context, work-account requirement
Conditional launch: automatic responses to risk — jailbreak detected → block and wipe org data; offline too long → block; OS too old → warn
Selective wipe: remove org data from the apps, touch nothing personal
It applies to apps built with the Intune App SDK — all Microsoft 365 mobile apps, plus a large supported app list and your own wrapped/SDK-integrated LOB apps.
Enrollment State Targeting
One policy can target, or you can split policies by state:
Assign to user groups — APP follows the user across devices.
APP activates when the user signs into a targeted app with their work account. No enrollment prompt, no Company Portal requirement on iOS (Authenticator handles broker duties where needed).
Pair with the Conditional Access grant Require app protection policy so only protected apps can reach corporate data — details in Conditional Access.
Offboarding: a selective wipe (Apps > App selective wipe) clears org data from a departing user's personal device — the respectful goodbye.
Insight
The most common "APP isn't working" report is a user signed into the app with a personal account. APP governs the work account's data inside the app; multi-identity apps like Outlook keep personal and work contexts separate by design. Check which account the user means before debugging policy.
Pin intranet sites and web apps to the home screen as managed icons.
Web clips put a URL on the home screen with an icon, indistinguishable at a glance from an app. For intranet portals, ticketing systems, ESS/HR pages, and PWAs, a web clip is frequently the right "app deployment" — zero licensing, instant updates, nothing to package.
Console pathApps > All apps > Add > Web link
LicenseNone — zero licensing, instant updates, nothing to package
IconSquare PNG; 512×512 works well
LifecycleManaged — removed at retire/unenrollment
Deploy One
Apps > All apps > Add > app type Web link (under Other).
Configure:
Name — what appears under the icon (keep it short; iOS truncates)
URL — https:// destination
Icon — upload a square PNG (512×512 works well); skip it and you get an unloved default
Full screen: opens without Safari chrome — feels app-like, but no URL bar means no user navigation rescue; best for true web apps
Assign as Required (icon appears automatically) or Available (Company Portal self-service).
Behavior Worth Knowing
Web clips deployed by MDM are managed: they're removed at retire/unenrollment and can be pinned in place with a Home Screen Layout policy.
Authentication uses Safari's engine — with the Enterprise SSO plug-in deployed, Entra-protected sites open already signed in. This combination is what makes web clips feel like real apps.
A PWA-capable site in full-screen mode gets you most of the "native app" feel for the cost of an icon and a URL.
Privately distributing a vendor-built or in-house app to your organization through Apple Business Manager, then deploying it through Intune like any VPP app.
Most iOS apps reach devices one of two ways: public App Store titles, or sideloaded line-of-business IPAs you sign yourself. Custom Apps are a third path. A developer (a vendor or your own team) publishes the app privately to your organization in App Store Connect, and it then appears in your Apps and Books in Apple Business Manager as a licensable, device-assignable app — vetted through App Review, installed through the store, and updated automatically — but invisible to the public. This avoids the enterprise-certificate signing and re-signing lifecycle that sideloaded IPAs require.
How distribution flows
The developer designates your organization (by ABM Organization ID) as the private audience in App Store Connect. Once the app clears App Review, it surfaces in your ABM Apps and Books, you acquire licenses, and the VPP token sync brings it into Intune as an assignable app.
App Store Connectvendor publishes privately to your org
Give the developer your ABM Organization ID. Find it in Apple Business Manager under Settings > Enrollment Information > Organization ID. The developer enters it as the app's private audience in App Store Connect (Pricing and Availability > Distribute on Apple Business Manager / custom app). This audience setting lives entirely on the developer's side — handing over the ID is the whole integration.
Acquire licenses in ABM. Once the app passes App Review it appears in Apps and Books, visible to your organization only. Buy the quantity you need (free apps still require a license "purchase") under the same location whose VPP/content token Intune already holds.
Sync the token in Intune. Go to Tenant administration > Connectors and tokens > Apple VPP Tokens, select the token, and choose Sync (or wait for the scheduled sync). The app and its license count appear under Apps > iOS/iPadOS.
Assign and deploy. Open the app, go to Properties > Assignments, and assign it as Required with device licensing for corporate devices. Updates continue to flow through the store with no re-signing schedule to maintain.
When to use this lane
Vendor-built apps for your organization — an agency-built field app, a white-labeled portal. Custom Apps is the channel Apple intends for this; a vendor offering to "send you an IPA" in current iOS is worth pushing back on.
Your own apps with a store-compatible release cadence — App Review adds a few days but provides the automatic update pipeline and removes the signing-certificate expiry that strands sideloaded apps.
Sideloaded LOB IPAs remain the option for what genuinely cannot go through review — rapid-iteration internal tools and functionality App Review would reject. Treat it as the deliberate exception, not the default.
Operational notes
License management is ordinary VPP: the same license pools and the same reclaim-on-retire hygiene. The usual onboarding failure is that the app never appears in your Apps and Books — almost always because the developer's private-audience setting does not match your ABM Organization ID. It is a developer-side fix; confirm the ID they used against Settings > Enrollment Information in ABM.
Insights
Put Custom Apps into your procurement language: require that "iOS deliverables are distributed via Apple Custom Apps to our ABM Organization ID." One contract line removes every future conversation about enterprise certificates, expiring provisioning profiles, and re-signing.
The OS-level boundary between managed and unmanaged apps on enrolled iOS devices — what it controls, how to set it, and how it composes with App Protection Policies.
iOS classifies every app on an enrolled device as managed (installed or assigned by Intune/MDM) or unmanaged (installed by the user). The managed open-in controls govern whether documents, contacts, and clipboard content can cross that line. This predates App Protection Policies (APP) and still applies on enrolled — especially supervised — devices, so you need to know how the two interact to avoid both gaps and conflicting double-blocks.
Enforced byiOS itself, device-wide (no per-app agent)
RequiresEnrollment; the document/clipboard controls work best on supervised devices
Set inDevices > Configuration > Device restrictions (iOS/iPadOS), or the equivalent Settings Catalog restriction keys
BoundaryWho installed the app (managed vs unmanaged), not user identity
The two restriction settings
In a Device restrictions profile (Devices > Manage devices > Configuration > Create > iOS/iPadOS > Templates > Device restrictions), under Apps:
Require managed apps to share data only with other managed apps (block managed → unmanaged): a corporate document opened in managed Outlook cannot be handed to a user-installed PDF reader. The iOS share sheet simply omits unmanaged destinations.
Require unmanaged apps to share data only with other unmanaged apps (block unmanaged → managed): personal content cannot flow into the corporate context. Enforce this only where ingestion of unvetted content is a real concern; it is the less common of the two.
Supporting controls in the same profile: the managed contacts/calendar boundary (block managed apps from writing contacts to unmanaged accounts), the managed pasteboard (clipboard honors the same managed/unmanaged line), and the AirDrop restriction covered on the AirPlay and Continuity page (treat AirDrop as an unmanaged destination). Together these form a device-level data perimeter defined by which apps Intune installed.
Open-in vs App Protection Policies
The two mechanisms solve different problems and target different fleets:
On corporate supervised fleets, open-in is the inexpensive OS-level floor and APP is the precision layer on top. On BYOD without enrollment, open-in does not apply at all — APP is the only data boundary you have. The common misconfiguration is running both on enrolled devices with rules that disagree, producing reports of "sharing works from Outlook but is blocked from Teams." Keep one written data-flow matrix — which source apps may hand documents to which destination apps — and re-audit both the restriction settings and the APP data-transfer settings against it whenever either changes.
Do
Use open-in as the OS-level floor on supervised fleets and APP as the precision layer
Keep one written data-flow matrix: which source apps may share to which destinations
Audit the open-in restrictions and the APP data-transfer settings together whenever either changes
When triaging a "can't open this document" ticket, first identify which control fired: a missing share-sheet destination is open-in; an in-app block dialog is APP
Don't
Let the OS restrictions and the APP settings disagree — that is the "works in Outlook, blocked in Teams" symptom
Rely on open-in for BYOD — it does not exist without enrollment; APP is the boundary there
Insights
For any "can't open this document" ticket, identify the control before touching policy. A share sheet that is missing destinations is managed open-in. An in-app "your organization does not allow this" dialog is App Protection Policy. The two live in different profiles, so naming which one fired tells you which policy to open.
Define what a healthy iOS device looks like — and what happens when it isn't.
A compliance policy is the contract: devices meeting it are marked compliant, and Conditional Access uses that mark as a gate to corporate resources. Configuration policies set device state; compliance policies judge it.
Devices with no compliance policy assigned: set to Not compliant — otherwise unpoliced devices ride free.
Compliance status validity period: default 30 days; devices that stop checking in fall noncompliant when it lapses.
Monitoring
Devices > Monitor > Noncompliant devices; per-policy per-setting drill-downs show exactly which check failed. The complianceState property is also in our inventory report script.
A compliance policy enforces consequences, but it doesn't tell you which controls to demand in the first place. For that, iOS/iPadOS leans on the same external authorities as the Mac — with one blunt caveat up front: Microsoft does not publish a security baseline for iOS or iPadOS. Microsoft's importable security baselines are Windows-only. There is no "iOS baseline" tile in Intune the way there is for Windows. The authoritative iOS controls come from CIS, Apple Platform Security, and — for the app/data layer — Intune's own App Protection Framework. Treat anyone who tells you "just import the Apple baseline" as someone who hasn't deployed one.
No MS baselineMicrosoft security baselines are Windows-only
CIS Apple iOS/iPadOS Benchmark
CIS ships a benchmark per major release — currently iOS 26 (v1.0.0), iOS 18 (v2.0.0) and iOS 17 (v1.1.0), with matching iPadOS 26 / 18 / 17 documents. Unlike the desktop benchmarks, the iOS document is organized around what an MDM-managed, supervised device can actually enforce — passcode policy, restriction payloads, network and Safari hardening, AirDrop/handoff controls, update behavior. The practical translation: a CIS iOS recommendation almost always maps to either a Settings Catalog/restriction payload you push, or a property your compliance policy on this page checks. Supervision is the dividing line — a large share of the benchmark's higher-value restrictions only apply to supervised (ADE-enrolled) devices, so a BYOD fleet can satisfy far fewer CIS items than a corporate-owned supervised one. Scope your audit claims to your enrollment model.
Apple Platform Security
Where CIS tells you what to set, the Apple Platform Security guide documents why the platform can be trusted — the Secure Enclave, hardware-backed key storage, Data Protection class keys tied to the passcode, Face ID/Touch ID, and the secure boot chain. This is the evidence layer for the controls your compliance policy can't directly toggle: when you require a passcode and block jailbroken devices, you're relying on Apple's hardware enforcement to make those requirements meaningful. Cite it in your control narrative rather than treating "encryption" and "jailbreak detection" as self-evident.
Intune App Protection Framework (the app/data layer)
For unmanaged or BYOD iPhones — and for defense-in-depth on managed ones — the device-level benchmark isn't reachable, so the control surface shifts to the data inside the apps. Microsoft's App Protection Framework (the data-protection configuration framework) is the closest thing to an official iOS hardening baseline, expressed as three escalating levels applied through App Protection Policies:
Level 1 — enterprise basic data protection. The minimum: require an app PIN, encrypt org data, enable selective wipe. Mirrors the defaults when you create an App Protection Policy and replaces basic Exchange Online device-access rules.
Level 2 — enterprise enhanced data protection. The recommended standard for most users handling sensitive data: restricts data transfer to policy-managed apps, blocks backup of org data, sets a minimum OS version. Some user-experience impact.
Level 3 — enterprise high data protection. For high-risk users and sophisticated security teams: tighter PIN complexity (6-digit, no simple PIN), blocks third-party keyboards, adds Mobile Threat Defense via "max allowed threat level," and constrains the dialer. Significant user impact — ring it carefully.
The levels are cumulative (L2 includes L1, L3 includes L2) and Microsoft recommends a QA → Preview → Production ring rollout — the same discipline you'd give any baseline change. App Protection works with or without enrollment, which is exactly why it carries the iOS data-protection story where MDM restrictions can't reach.
Operationalizing It
Set the controls with restriction/Settings Catalog payloads tailored to the CIS iOS benchmark for your OS version — and be honest about supervised vs. BYOD scope.
Judge the state with the compliance policy on this page (passcode, OS floor, jailbreak block, threat level) — configuration sets, compliance judges.
Protect the data with the App Protection Framework level matched to the user's risk tier, gated by Conditional Access.
Re-baseline per major iOS release — CIS reissues the benchmark each year, and the App Protection minimum-OS values track Apple's N-1 support window.
Make compliance mean something — gate corporate access on device and app state.
Conditional Access (CA) is the enforcement engine in Entra ID. Intune supplies device compliance and app protection signals; CA turns them into access decisions. Without CA, a noncompliant device is just a sad dashboard entry.
Intunecompliance & app-protection signals
→
Entra Conditional Accessthe enforcement engine
→
Corporate resourcesOffice 365 and everything behind CA
The classic iOS policy uses "Require one of the selected controls" with both — corporate devices satisfy via compliance, BYOD satisfies via APP, everything else is blocked.
A Sane Starter Policy Set
Block legacy authentication — all users, all apps, legacy auth clients: Block. (Old protocols bypass everything else here.)
Office 365 on iOS requires managed access
Users: all (exclude break-glass accounts)
Apps: Office 365
Conditions > Device platforms: iOS
Grant: require compliant device or app protection policy
MFA everywhere — your standing all-apps MFA/phishing-resistant policy applies to iOS sign-ins automatically; Setup Assistant modern auth during ADE honors it too.
Build in Report-only mode first; review the sign-in log impact for a week before flipping on.
Insights
Always exclude break-glass accounts. A CA policy that locks every admin out of a tenant during an Intune outage is a story you only get to tell once.
The What If tool (Entra > Conditional Access) answers "why is this user blocked" faster than any forum thread.
Sign-in logs (Entra > Sign-in logs > Conditional Access tab per event) show exactly which policy applied, which grant failed, and the device's compliance claim — first stop for any access ticket.
Newly enrolled devices can take a few minutes to present as compliant (first check‑in + Entra registration). The Enterprise SSO plug-in's JIT registration shrinks this window dramatically.
Hardware-rooted trust for iPhones and iPads — the Secure Enclave attestation model and what it ends.
Managed Device Attestation (MDA) first shipped on iOS and iPadOS, and it changes what device identity means in a management system: instead of services trusting what the enrollment record asserts, they verify what the hardware can cryptographically prove.
The Problem It Ends
Classic device identity is assertion: the MDM record claims serial X, the device presents a certificate someone could theoretically exfiltrate, and services trust the paperwork. MDA replaces the paperwork with silicon: the Secure Enclave generates hardware-bound keys (non-exportable by construction), and Apple's attestation servers vouch — cryptographically — that the request comes from a genuine, specific Apple device with the properties it claims. A cloned identity can't complete the handshake; there's no Enclave behind it.
The Mechanics in Brief
The ACME payload (the modern issuance protocol with attestation extensions) carries the flow: the device requests an identity, an Enclave-bound key plus Apple's attestation accompany the request, and the issuing CA enforces certificates only for proven hardware. Those identities then underpin the things that matter — 802.1X, VPN, MDM client identity — with private keys that physically cannot leave the device. SCEP remains the workhorse for the long tail; ACME-with-attestation is where high-assurance identity is heading, and PKI readiness — does your CA speak ACME, and can it consume attestation evidence? — is the gating project to scope first.
Secure Enclavehardware-bound, non-exportable keys
→
Apple attestation serversvouch for genuine, specific hardware
→
Issuing CAcertificates only for proven devices
Two properties worth holding onto when you design around it. First, the attestation speaks to identity and genuineness — this specific, genuine Apple device with these identifiers — which is exactly the claim a stolen or cloned certificate cannot fake. Second, attestation evidence is produced at issuance and renewal, not continuously; its freshness is bounded by your certificate rotation cadence, so pick lifetimes with that trade-off in mind rather than treating the attestation as a live health feed.
Where It Touches Compliance
Attestation-grade signals strengthen the compliance + Conditional Access loop at its root: the difference between "a device claiming to be enrolled iPhone-4821" and "hardware-proven iPhone-4821." As management platforms surface attestation-backed checks, the posture conversation shifts from what the device reports to what the silicon proves — the strongest foundation a compliance signal can stand on, because every downstream decision inherits the quality of the identity underneath it.
Insights
The security-review one-liner that lands: "What stops a stolen device certificate from impersonating a corporate iPhone? On attested identities — physics. The key never existed outside the Secure Enclave." That sentence is the entire ROI.
Diagnosing the most common iOS enrollment failures by symptom.
Work top-down from the symptom. First stop in every case: Intune > Devices > Monitor > Enrollment failures — filter to iOS and check whether the attempt even reached Intune.
"No Remote Management screen" (ADE device sets up like a personal device)
The device isn't being told it's yours. In order:
Is the serial in ABM? Search it in ABM > Devices. Retail-bought devices aren't there until you add them.
Assigned to the right MDM server? The serial must be assigned to your Intune server entry in ABM.
Synced to Intune? Check the token blade's device list; trigger a sync and respect the 15-minute rate limit.
Enrollment profile assigned? A synced serial with no profile still activates unmanaged. Set a default profile on the token.
Device was already activated before the assignment? Wipe it — ABM assignment is evaluated at activation.
"Unable to complete enrollment" during Setup Assistant sign-in
CA blocking enrollment: a Conditional Access policy requiring a compliant device on the enrollment/registration flow is a chicken-and-egg lock. Review sign-in logs for the user; exclude the Intune enrollment cloud apps appropriately.
License missing: user has no Intune license — instant, unhelpful failure.
Enrollment restriction: ADE counts as corporate, but check Enrollment device platform restrictions for OS-version blocks.
MFA method unavailable: Setup Assistant modern auth presents the full Entra sign-in — a user with no registered MFA method and a require-MFA policy stalls here.
An old management profile already exists: Settings > General > VPN & Device Management — remove stale profiles, or wipe.
Time skew: a wildly wrong device clock breaks the TLS chain — set automatically.
Network filtering: see APNs Connectivity for the inspection-breaks-Apple checklist.
Account-driven enrollment dies at the email step
The /.well-known/com.apple.remotemanagement discovery endpoint isn't reachable/valid for the user's UPN domain — curl it from outside your network; expect 200 + correct JSON.
The user's targeted profile type doesn't match the OS (account-driven device enrollment needs iOS 18+).
No Managed Apple Account resolvable: check ABM federation status for the domain.
"Device appears enrolled but gets no policy"
Almost always Entra device registration didn't complete — the Intune object exists, CA sees an unregistered device. Have the user launch Company Portal and sign in (or verify JIT registration / SSO plug-in reached the device), then sync.
When devices stop responding to Intune, it's almost always the push path.
Intune never talks straight to an iPhone. Every action follows the same path: Intune → Apple Push Notification service → device wakes → device checks in to Intune over HTTPS. Break any hop and the fleet looks "dead" while being perfectly healthy.
Intunequeues the command
→
APNswake-up nudge — TCP 5223, fallback 443
→
Devicechecks in to Intune over HTTPS 443
Symptoms That Mean "Check APNs"
Remote actions stuck at Pending fleet-wide
Devices only sync when a user manually opens Company Portal
Everything broke at once across all Apple platforms (the giveaway)
Checklist, in Order
1. The certificate
Devices > Enrollment > Apple tab > Apple MDM Push certificate — status Active, not expired? An expired cert stops everything; renew correctly (same Apple ID!) and devices recover on their own. Automate the watch with the expiry check script.
2. The network path (device side)
Devices need a direct connection to APNs:
TCP 5223 to 17.0.0.0/8 (Apple's block), falling back to TCP 443 on some networks
No TLS/SSL inspection on Apple traffic — APNs uses certificate pinning; an inspecting proxy kills the connection silently. This is the #1 root cause in enterprises.
Captive portals: a kiosk Wi-Fi whose session expired = no push. Use PSK/802.1X networks for unattended fleets.
Test from the device's actual network segment (guest Wi-Fi working proves nothing about the kiosk VLAN).
One device unresponsive while peers are fine: toggle Wi-Fi/airplane mode (forces a new APNs connection), verify the management profile still exists, and as a last resort re-enroll.
What APNs Does Not Carry
Push only carries the "wake up and check in" nudge — policies, apps, and inventory all move over standard HTTPS (443) to Intune. A device that can be nudged but fails to sync has an HTTPS/proxy problem to *.manage.microsoft.com instead, which is a different firewall conversation.
Deep cutsUnified log / sysdiagnoseConsole streaming during a repro, or the full archive
Company Portal Logs (first line)
On device: Company Portal > menu > Send Logs (also reachable via Settings > Company Portal > toggle verbose logging first for richer output).
The upload produces an incident ID — that ID lets Microsoft support pull the logs; have users screenshot it into the ticket.
Covers: enrollment flow, sync, Entra registration, app install orchestration as CP sees it.
The Intune Console (second line)
Device blade > Device configuration / Compliance: per-profile, per-setting status with error codes — most "policy didn't apply" answers live here.
Apps > the app > Device install status: VPP failures show distinct errors for no license vs App Store unreachable vs user declined (unsupervised).
Tenant administration > Audit logs: who did what, including remote actions — your evidence trail.
Troubleshooting + support pane: per-user rollup of devices, policies, app installs — the fastest helpdesk view in the product.
Settings on the Device (ground truth)
Settings > General > VPN & Device Management > the management profile shows every payload, restriction, and certificate the device actually has. If the console says delivered and the device disagrees, the device is right — sync and investigate the gap.
Unified Log Streaming and sysdiagnose (deep cuts)
For enrollment cryptography failures, SSO extension behavior, or anything you're escalating to Apple/Microsoft engineering:
Stream the device's unified log during a repro. Tether the device over USB to an admin workstation running Apple's Console log viewer, select the device in the sidebar, and stream — filter subsystems for the loud, honest mdmd/profiled messages while you reproduce the failure.
Or capture a sysdiagnose on-device (volume buttons + side button chord, then Settings > Privacy & Analytics > Analytics Data) for the full archive Apple support will ask for anyway — no tethering required.
One streamed Console session during a failing enrollment usually names the actual problem — a profile rejection reason, a TLS failure, an SSO extension crash — in plain text.
What to Put in Every Escalation
Serial number, Intune device ID, UPN, timestamp of the repro (with timezone), CP incident ID, and what the device's VPN & Device Management screen showed. That set turns a ping-pong ticket into a one-pass fix.
Why a VPP app silently isn't on the device — the diagnosis ladder.
App installs on iOS fail quietly — usually no user-visible error at all, just an absent icon and a ticket. Work this ladder top to bottom; the culprit is almost always in the first three rungs.
Rung 1Licenses0 available fails silently — the #1 cause
Rung 2StorageUnder ~1–2 GB free, installs and updates fail
Rung 3Token / regionWrong VPP location, country mismatch, failed sync
Rung 4DeliveryOffline, push blocked, or the user tapped Cancel
Rung 5App odditiesStuck updates, expired IPA signing, OS minimum
1. Licenses (the #1 cause)
A VPP app with 0 available licenses fails silently, every time, fleet-wide for new devices. Check the app's license counts in the portal or run the VPP License Report. Fix: raise the quantity in ABM (free apps included), sync the token, installs resume on next check‑in.
2. Storage
Devices under ~1–2 GB free routinely fail app installs and OS updates. The inventory report surfaces FreeStorageGB — under-provisioned 64 GB fleets generate this ticket forever. Short-term: clear space; long-term: buy bigger.
3. Token / region mismatches
The app was licensed under a different VPP location than the token Intune holds — license counts look fine in ABM, Intune sees zero.
Country mismatch: VPP location country ≠ the app's availability in that storefront — the app simply can't be granted.
Device offline / APNs blocked → install command never arrives. One device: toggle network, sync. Many devices: APNs Connectivity.
Unsupervised devices prompt the user to approve App Store installs — "failed" sometimes means "user hit Cancel." Supervised devices install silently; this entire class disappears with ADE.
5. App-specific oddities
Update loops ("installing…" forever): usually a stuck prior install — remove the app assignment for that device's group momentarily or wipe the app via device blade, resync.
LOB (IPA) apps: expired provisioning profile or missing device UDID in an ad-hoc profile — check the app's expiration in Intune and re-sign annually.
OS minimum: the app's deployment target exceeds the device's iOS version — shows as not applicable/failed on stragglers; your update enforcement is the real fix.
Evidence to Collect
Per-app Device install status in the portal (or the status report script) gives state + detail per device; the device-side truth is Settings > General > VPN & Device Management > the management profile > Apps — if Intune says installed and the device disagrees, sync and re-check before deeper surgery.
Payloads that bounce — the triage ladder from delivery to dependency to payload-level rejection.
A configuration profile "not working" is three different failures wearing one symptom: it never arrived, it arrived and was rejected, or it installed and the payload's dependencies are unmet. Walk them in order.
Rung 1Did it arrive?Scope, filters, APNs — then check the device's profile list
Rung 2Was it rejected?Conflicts, supervision gates, malformed payloads, OS mismatch
Rung 3Installed but inertDependencies unmet — certificates, apps, provider extensions
Rung 1 — Did It Arrive?
Targeting and transport first, as always: assignment/filter scope, then APNs and sync health — a device that can't hear commands installs nothing, and that's a connectivity ticket, not a profile ticket. Device-side, Settings > General > VPN & Device Management shows what's actually present; absence after a healthy sync points back at scope.
Rung 2 — Was It Rejected?
The OS validates payloads on install; rejection causes cluster tightly:
Conflicting payloads: two profiles claiming the same exclusive territory (duplicate identifiers, competing single-instance payloads). Give every exclusive setting exactly one profile home — when two claim it, the device resolves by rejection or an arbitrary winner, and both read as "profile failed"
Supervision-gated payloads on unsupervised devices: the payload requires supervision the device lacks; the fix is the enrollment path, not the profile
Malformed custom profiles: hand-built .mobileconfig with schema errors — validate in the lab on a test device before fleet assignment, every time
OS-version mismatches: payload keys newer than the device's OS fail quietly or partially — the annual OS-validation pass exists for this
Rung 3 — Installed but Inert
The profile shows present; the behavior doesn't — almost always a dependency: the Wi-Fi profile whose certificate hasn't issued yet (sequence assignments), the SSO payload waiting on its app, the filter payload whose provider app isn't installed. Map the profile's dependency chain and check each link — the profile is fine; its prerequisites aren't.
Insights
Fleet-level reading beats device archaeology: per-profile deployment status grouped by error, sliced by OS/model/enrollment type — a cohort failing one payload shares an attribute, and the attribute is the answer.
Keep a known-good minimal profile (one harmless restriction) as the probe: if it installs on a problem device, transport and trust are fine and the investigation narrows to the real profile's content in one move.
Devices stuck behind the DDM deadline — eligibility, capacity, connectivity, and the genuinely wedged.
A device sitting behind its DDM software-update enforcement usually isn't broken. Four things cause it, and only the last is a genuine malfunction — so check them in order, cheapest first, before you reach for a device.
EnforcementDDM declarative software update (target version + deadline)
EligibilityDevice must support the target iOS/iPadOS version
HeadroomFree storage for the payload (tight on 64 GB devices)
ConditionsNeeds power + network; installs at idle
1. The deadline hasn't passed yet
A DDM update has a target version and an enforcement deadline. A device inside that window is behaving correctly — it isn't late until the deadline is. Confirm two things before calling anything stuck:
Today vs the deadline. Open the update policy and compare its enforcement date to now. Inside the window = working as designed.
The declaration actually reached the device. Enforcement only applies once the device received the declaration, which needs a successful sync — a device that hasn't checked in hasn't heard the deadline. Work APNs / sync health first.
2. The device can't take the target version
Two hard blockers, both visible in inventory before you touch the device:
Hardware too old. The model doesn't support the target iOS/iPadOS major. Keep a model → last-supported-OS list and treat these as a refresh-planning item, not a ticket.
Not enough storage. The update payload needs free space (commonly several GB); 64 GB devices are the usual offenders. The device inventory report exposes free-storage and model columns so you can pre-sort the fleet and clear space (offload unused apps, clear caches) before the deadline.
3. The conditions for an automatic install are never met
iOS installs updates when the device is on power, on a good network, and idle (typically overnight, charging, on Wi-Fi). When those never coincide the update never starts:
The handset that's never charged overnight — installs have no window.
The cellular-only device avoiding a multi-gigabyte download over a metered link.
The kiosk that's never idle. DDM tightens the prompt as the deadline nears, but if the conditions are structurally absent, fix the conditions (charging habit, Wi-Fi access) — that's not an MDM problem.
4. The update mechanism is genuinely wedged
The small real-failure residue: a download that won't complete, or the update stuck mid-flight. The ladder:
Restart the device — clears most stuck downloads.
Free up storage and retry; a partial download plus a full disk is a common dead end.
Reprovision. On a supervised fleet, Return to Service wipes the device straight back to the current OS and re-enrolls it — for a device that's resisted real effort, that's faster and cleaner than more update surgery.
Read the pattern across the fleet
Before opening individual tickets, look at the shape of the lag — it names the cause: a whole ring lagging points at declaration delivery; a single model at eligibility; a site at network/bandwidth; scattered stragglers at conditions and genuine wedges. Rapid Security Responses follow the same triage on a compressed clock — and a fleet kept current on point releases is what makes that emergency lane work at all.
Insights
Most "stuck update" tickets are categories 1–3 — policy timing, eligibility, or conditions — not failures. Triage the distribution first; only category 4 needs hands on a device.
Twenty-plus vetted open-source projects every iOS admin should know — from Apple's own MDM schema to Graph tooling.
The iOS admin's open-source shelf, curated and load-bearing only. Each entry: what it is, why it earns the spot.
Apple's Own Source
apple/device-management — Apple's official, versioned YAML schema of every MDM command, profile payload, and DDM declaration. The ground truth under every vendor's UI; when documentation disagrees, this repo wins.
MDM Internals (Learn by Running One)
Nothing teaches the MDM protocol like operating a tiny one in the lab:
micromdm/micromdm — the open-source Apple MDM server; enrollment, commands, and APNs in readable Go
micromdm/nanomdm — its minimalist successor; the protocol with nothing else attached
Adoption rule for anything on this shelf: read the source of what you run before you run it, pin versions, and treat community tooling with tenant write-access like the privileged code it is — repo-versioned, reviewed, least-privilege app registrations.
The MDM-internals section is the highest-ROI learning spend on this page: one weekend running nanomdm against a test device permanently upgrades every conversation you'll have about enrollment, push, and profiles.
The management framework underneath everything — work profiles, device owners, and why device admin is dead.
Android Enterprise (AE) is Google's management framework, and it is the only modern way to manage Android. Everything on the Android side of this site assumes it. Five minutes here saves you weeks of confusion later.
The Model in One Paragraph
Android management runs on ownership boundaries enforced by the OS. A device owner (DO) controls an entire device; a profile owner (PO) controls a sealed work profile — an encrypted container with its own apps, data, and badge (the briefcase icon) living alongside an untouched personal side. Intune acts as the management authority through Google's APIs; on modern AE enrollments there's no separate agent doing the policing — the OS itself enforces policy.
Intunemanagement authority
→
Android Enterprisethe management framework
→
Device OSenforces policy natively
Device Admin Is Dead — Don't Look Back
The legacy "device administrator" API was deprecated and gutted: Android 10 removed its core powers, and Google has been dismantling the rest since. Any guide, vendor, or colleague proposing device admin enrollment in the 2020s is handing you technical debt. If you're migrating off device admin, the migration playbook patterns apply — it's a re-enrollment, not a toggle.
The Four (Plus One) Management Modes
Mode
Ownership
Control surface
Personally-owned work profile (BYOD)
User
Work profile only — org never sees personal side
Corporate-owned work profile (COPE)
Org
Work profile fully + limited device-wide guardrails
Fully managed (COBO)
Org
Entire device
Dedicated (COSU / kiosk)
Org
Entire device, no user affinity
AOSP (no Google services)
Org
Reduced surface for GMS-less hardware (rugged/HMD)
The decision tree lives in Choosing a Management Mode — it's the most consequential Android decision you'll make.
Device Identity in Entra ID
Every management mode produces an Entra registered device record — the identity Conditional Access evaluates. What differs per mode is what that record represents and which user (if any) stands behind it. The device identity guide covers the full story; the shape of it:
Mode
Entra identity
What Conditional Access sees
Work profile (BYOD)
Entra registered — the work profile, not the whole device
User + compliant work profile; personal side invisible
COPE
Entra registered, corporate-owned record
User + device compliance from the corporate half
Fully managed
Entra registered, whole device
User + full-device compliance verdict
Dedicated
Entra registered, no user affinity
No user — user-scoped policies never apply; plan exclusions deliberately
The Google Mobile Services Dependency
Android Enterprise (outside AOSP mode) requires Google Mobile Services — Play Store, Play Services, the works. Devices without GMS certification (some imported/budget hardware, most devices sold in mainland China) can't do standard AE enrollment. Check the Android Enterprise Recommended directory when buying; it filters for certified, update-committed hardware.
Operating Assumptions Worth Internalizing
The platform's single point of failure is the Managed Google Play binding — there is no annually expiring certificate to babysit, but losing that binding retires the entire fleet. Put it under change control from day one.
Capability flows from enrollment mode, full stop. There is no post-enrollment trust upgrade or elevation step — the mode a device enrolls into fixes its management ceiling, which is why the mode decision deserves to be written down per fleet before hardware ships.
The OS update story is fragmented and OEM-controlled: each manufacturer and carrier ships updates on its own cadence, so enforcement works through patch-level compliance rather than forced installs — you set a patch floor and let access depend on meeting it.
Privacy separation on work profiles is architectural, not policy — the org cannot see personal apps or data. That's a selling point; lead with it in BYOD comms.
The one-time binding between Intune and Google that everything Android depends on.
Connecting Intune to Managed Google Play (MGP) is the foundational act of Android management: a one-time, roughly five-minute binding between your tenant and Google that every Android Enterprise enrollment profile, every app deployment, and every managed Play store experience depends on. There is no renewal calendar — nothing about the binding expires — but treat it with more ceremony, not less: it is effectively permanent infrastructure, and losing it is a fleet-level event.
Applies toEvery Android Enterprise enrollment and app deployment
RequiresA dedicated Google service account, credentials vaulted
Console pathTenant administration > Connectors and tokens > Managed Google Play
RenewalNone — the binding never expires
Prerequisites
A dedicated Google service account — androidenterprise@yourorg.com or similar, backed by a shared mailbox. Never a personal account and never an individual admin's identity: people leave, and the account that anchors your Android Enterprise must not leave with them.
The account must be a plain Google account not already bound to another Android Enterprise or Google Workspace organization — Google enforces one enterprise per account, and an account with history will either fail to bind or bind to the wrong thing.
Credentials and recovery options vaulted before you bind: password, recovery email, and recovery phone documented, with two named owners. The recovery path is part of the infrastructure, not an afterthought.
An Intune role with rights to Tenant administration (Intune Administrator or Global Administrator) for the console side of the binding.
Step-by-Step: Creating the Binding
Open the connector page. In the Intune admin center: Tenant administration > Connectors and tokens > Managed Google Play.
Grant Microsoft permission to send user and device information to Google — the consent that lets the two management planes talk to each other.
Select Launch Google to connect. Use a private browsing session so a logged-in personal Google identity can't bleed into the binding; sign in with the dedicated service account, name your organization, and accept the agreement.
Confirm the connector shows Active. That status is the whole ceremony — there is nothing to download, nothing to schedule, nothing to renew.
Approve a test app in Managed Google Play, press Sync on the connector page, and confirm the app appears in Intune's app list — that round trip proves the binding end to end. Remember the Sync button: when an approved app "isn't showing up," this is the first click.
What "Losing It" Means
Disconnecting (or deleting the enterprise from the Google side) retires every Android Enterprise device and removes every MGP app from Intune. There is no "reconnect and resume" — it's a fleet rebuild. Accordingly:
Protect the binding
Put the MGP connection under formal change control. Nobody touches Disconnect without a written plan, and the service account's recovery path is tested annually — quietly, by the owners, not during an incident.
Do
Bind with a dedicated service account backed by a shared mailbox
Vault password and recovery options with two named owners
Test the recovery path annually — quietly, not during an incident
Don't
Bind with a personal account or an individual admin's identity
Reuse an account already bound to another enterprise
Touch Disconnect without a written, reviewed plan
Insights
One Intune tenant binds to one Android Enterprise. Multi-tenant consultancies: one service account per customer tenant, clearly labeled in the vault — see the same discipline in Sovereign Clouds and GCC.
Nothing here requires Google Workspace. The service account is free, and MGP app licensing is free — there is no license pool or token lifecycle to manage in the app supply chain, which leaves the binding itself as the only artifact worth guarding.
The decision that determines everything else on Android — work profile, COPE, fully managed, dedicated, or AOSP.
On Android, management mode determines capability — every control surface in this section flows from the mode a device enrolls into, and the mode is fixed at enrollment. Changing your mind means a re-enrollment (and for corporate modes, a factory reset), so make the decision deliberately, per fleet, before the first device ships.
the user owns the hardwarePersonally-owned work profileThe only respectful — and practically available — option for BYOD.
the org owns it and personal use is sanctionedCorporate-owned work profile (COPE)Org authority with a personal space — the take-home phone default.
the org owns it and one user carries itFully managedThe locked-corporate 1:1 device.
no single user — kiosk, shared scanner, signageDedicatedNo user affinity; pairs with kiosk configuration or shared device mode.
the hardware ships without Google servicesAOSP modeReduced management surface; confirm Intune's supported-device list first.
The Decision Tree
Who owns the device?
User owns it → Personally-owned work profile. Full stop — it's the only respectful (and practically available) option for BYOD.
Org owns it → continue.
Is personal use sanctioned?
Yes (take-home phones, field staff) → Corporate-owned work profile (COPE) — org authority with a personal space.
No → continue.
Does one user carry it?
Yes → Fully managed — the locked-corporate 1:1 device.
No Google services on the hardware? → AOSP mode (userless or user-associated) — reduced management surface for rugged/specialty devices; confirm Intune's supported-device list before committing.
Default corporate phones to COPE, not fully managed. Modern COPE (Android 11+) gives the org everything it operationally needs while the privacy separation dramatically reduces user resentment and shadow-IT workarounds. Reserve fully managed for regulated fleets and devices with no personal-use case.
Never enroll BYOD as anything but a work profile. The architectural privacy wall is your legal story and your adoption story.
Decide modes per fleet, in writing, before the first device ships — the enrollment profiles you create next encode this decision into tokens that are painful to walk back.
Managing Android without Google services — what works, what doesn't, and the hardware it exists for.
AOSP mode is Intune's answer for Android devices without Google Mobile Services — rugged handhelds, specialty hardware, and headsets that ship Android the operating system without Android the Google ecosystem. It's a deliberately reduced management model, and knowing the reductions before procurement is the entire game.
Applies toGMS-less rugged, specialty, and headset hardware on Intune's supported list
EnrollmentQR into corporate-owned AOSP modes — user-associated or userless
AppsLine-of-business APKs you host and version — no Managed Google Play
Compliance signalsOS version, encryption, password — no Play Integrity attestation
What's Missing Without GMS
No Google services means no Managed Google Play (apps deploy as line-of-business APKs you host and version), no Play Integrity (compliance leans on OS version, encryption, and password signals instead), and no Google-dependent push plumbing (check‑in behavior differs; plan for polling rhythms).
What Works
Enrollment via QR on supported devices into corporate-owned AOSP modes (user-associated or userless), core restrictions, Wi-Fi and certificate profiles, password policy, encryption enforcement, and LOB app deployment. For its target hardware — scanners, kiosk controllers, headsets on Intune's supported-device list — that set covers the actual requirements.
The Decision Discipline
Check Intune's supported AOSP device list first — AOSP support is device-cooperative, not universal; gray-market GMS-less hardware that isn't listed is unmanageable, full stop.
Prefer GMS-certified hardware when the use case allows — dedicated device mode with Managed Google Play beats AOSP on every operational axis; AOSP is for when GMS genuinely isn't on the device, not a style choice.
Design the app pipeline early: LOB APK hosting, versionCode discipline, and update cadence are your job here — there is no store doing it for you.
Insights
OEM tooling matters double in AOSP land — OEMConfig (where the OEM ships a GMS-less-compatible DPC extension) and vendor update services carry weight that Google services would otherwise carry.
Compliance expectations need recalibrating with your security team up front: an AOSP fleet cannot attest hardware integrity the way Play Integrity fleets can — document the compensating controls (network isolation, app allow-listing) as part of the architecture, not as an audit surprise.
Device Lifecycle and Android Enterprise Recommended
Procurement to retirement — AER, update commitments, and the lifecycle math that keeps an Android fleet healthy.
Android fleet health is decided at purchase time more than at policy time. This page is the lifecycle discipline: what to buy, how long it lives, and how it leaves.
OperateHold the patch lineUpdate policy, monthly patch-age buckets, the EOL ledger
RetireClean exitWipe, FRP release, zero-touch/KME deregistration, record cleanup
Buy: AER and the Update Commitment
Android Enterprise Recommended is Google's certified-hardware directory — devices validated for enterprise deployment with published OS-update and security-patch commitments. The procurement rules that follow:
Patch commitment ≥ your refresh cycle: a device promising 3 years of security updates on a 4-year refresh plan spends a year violating your own patch-floor compliance. Do this arithmetic per model, in the purchase decision.
Verify zero-touch reseller availability for the model and channel — supply-chain enrollment is bought, not retrofitted.
For Samsung fleets, the Knox roadmap (E-FOTA, KSP features) is part of the spec sheet.
Operate: the Mid-Life Rhythm
System update policy holds the patch line; the inventory report's patch-age buckets prove it monthly; and the EOL ledger — a simple table of model → last-patch date → device count — turns "are we exposed" into a lookup. Build the ledger the day the fleet deploys; it's miserable to reconstruct later.
Retire: the Exit Checklist
Wipe appropriate to mode (profile removal vs factory reset)
FRP release for devices leaving the org — resale/recycling with FRP armed creates e-waste and angry buyers
Intune device-object cleanup on the stale-device rhythm
Insights
The lifecycle KPI set: average fleet age, % within patch commitment, % past EOL. Three numbers, charted quarterly, and refresh budgeting becomes evidence instead of negotiation.
A two-model fleet (one rugged, one knowledge-worker) ages better than a six-model zoo — every model is a separate update-commitment clock, OEMConfig schema, and troubleshooting matrix. Standardization is a security control wearing a procurement costume.
What the OEM layer adds on top of Android Enterprise — Knox, rugged-vendor services, and when to pay for them.
Android Enterprise is the platform floor; OEM service layers — Samsung Knox foremost — sell capabilities above it. Knowing what lives in each layer keeps you from buying twice or assuming a feature your hardware doesn't carry.
The Knox Stack, Mapped to Layers
Knox Platform for Enterprise (KPE): the hardware-backed security substrate baked into Samsung devices — much of it surfaced to Intune free via the Knox Service Plugin OEMConfig app: granular USB/radio policy, firmware-adjacent controls, dual-DAR options. If your fleet is Samsung, KSP is table stakes, not an upsell.
Knox E-FOTA: licensed firmware version control — pin, schedule, and stage OS/firmware updates per group, beyond what system update policy expresses. The firmware-control page covers when this is worth money (short answer: validation-gated and frontline fleets).
Knox Manage/Asset Intelligence and friends: Samsung's own EMM/analytics — generally not purchased alongside Intune; know they exist so vendor decks don't confuse the meeting.
The Rugged-Vendor Equivalents
Zebra, Honeywell, and the rugged cohort ship the same shape: an OEMConfig schema exposing device-specific policy (scanner wedges, battery thresholds, boot behavior) plus a licensed firmware-update service (Zebra LifeGuard-class). The evaluation template is identical: free OEMConfig surface first, paid firmware service only where update-pinning is a genuine requirement.
The Decision Discipline
OEM services bind you to the OEM — that's the price under the price. Buy them for capabilities you'd otherwise build badly (firmware staging, hardware-level controls); skip them where standard Android Enterprise already covers the need, and keep the fleet-standardization math straight: every OEM layer adopted is one more reason the next hardware bid has one bidder.
standard Android Enterprise already covers the needSkip the OEM layerEvery layer adopted is one more reason the next hardware bid has one bidder.
your fleet is SamsungKnox Service Plugin — freeKPE controls surfaced via OEMConfig; table stakes, not an upsell.
update-pinning is a genuine requirementLicensed firmware controlKnox E-FOTA or the rugged-vendor equivalent — validation-gated and frontline fleets.
Insights
The KSP schema updates faster than documentation — the Test DPC-style lab habit applies: load the current schema on a bench device quarterly and skim what's new; Samsung ships admin-relevant controls mid-cycle that never get a blog post.
Workspace ONE, MaaS360, SOTI, and friends — the Android-specific mechanics of switching EMMs.
The DA-to-AE migration covers the legacy-mode move; this page covers the vendor move — an Android Enterprise fleet leaving Workspace ONE, MaaS360, SOTI, or another EMM for Intune. The universal choreography applies; these are the Android-specific facts that decide the plan.
The Mechanics That Shape Everything
One DPC per device: Android Enterprise binds the device to its EMM's device policy controller — there's no coexistence. Corporate-owned modes (fully managed/dedicated) migrate by factory reset + re-provisioning; work profiles migrate by profile removal + re-enrollment, personal side untouched.
The enrollment plumbing re-points, devices don't: zero-touch and KME configurations switch their default EMM to Intune in minutes — which flips future boots, while existing devices still need their reset wave. Re-point plumbing first so every reset lands in the new world.
Managed Google Play follows the binding: your MGP enterprise ties to the EMM connection — app approvals, private apps, and track configurations get re-established on the Intune side. Private-app ownership (the Play Console developer account) is the artifact to secure before the old EMM contract ends; orphaned publisher accounts are the classic migration hostage.
BYOD first (cheapest re-enrollment), knowledge-worker corporate second, frontline/dedicated last with spare-pool buffering — and Conditional Access gated on Android compliance as the deadline once the new world is proven. Track the only KPI that matters: old-EMM device count → zero, dated.
Wave 1BYOD work profilesCheapest re-enrollment, fastest wins
Wave 2Corporate knowledge workersCloud-synced data; reset and re-provision
Wave 3Frontline and dedicatedSpare-pool buffering protects operations
GateConditional Access deadlineCompliance-gated access converts the stragglers
Insights
Run both consoles in parallel longer than feels tidy: the old EMM is your rollback and your inventory-of-record until the last wave lands — decommissioning it to save a month of licensing while 400 devices remain is the false economy every migration post-mortem features.
Do
Re-point zero-touch/KME to Intune before the reset waves
Secure the Play Console publisher account before the old contract ends
Keep the old console alive until the last wave lands
Don't
Import old profiles wholesale — audit and rebuild from intent
Decommission the old EMM while devices remain on it
What each management mode writes into Entra ID, which app does the writing, and why Conditional Access lives or dies by that record.
Every Android enrollment produces two records: a device object in Intune (the management record) and a device object in Microsoft Entra ID (the identity record Conditional Access consults). Most "compliant device, blocked sign-in" mysteries are a disagreement between the two — know what each management mode writes, which app writes it, and how the records age.
One Identity Type: Microsoft Entra Registered
Android produces exactly one kind of Entra device identity: Microsoft Entra registered (Graph exposes it as trustType: Workplace). Registration happens during enrollment and provisions a client certificate; presented by a broker app — or via a certificate prompt on the first browser sign-in — it's how Entra recognizes which device record a sign-in comes from. The record carries the device ID, an enabled/disabled flag, the isCompliant bit Intune stamps, and the activity timestamp staleness cleanup keys on.
Microsoft Authenticator, via its shared-mode managed configuration
A shared device that rotating workers sign in and out of
User-less AOSP enrollments follow the dedicated pattern: a device record, no user affinity, device-group targeting downstream.
The Three Apps and Their Jobs
Company Portal is the BYOD agent: enrollment and Entra registration for personally-owned work profiles. On corporate-owned devices it still installs, but launching it redirects to the Intune app and its icon hides — its job there is brokering Conditional Access, not UI.
Microsoft Intune app is the corporate-owned front end (fully managed and corporate-owned work profile): the setup-time sign-in that completes registration, plus the compliance and remediation screens those users see.
Microsoft Authenticator is the broker — auto-installed and non-removable on corporate-owned modes, and on Shared Device Mode fleets the component that performs the shared device registration itself.
All three arrive on purpose
Corporate-owned provisioning installs the Intune app, Authenticator, and Company Portal as required apps — the trio that makes Conditional Access work. Don't spend a change request trying to strip the "extra" ones.
How Compliance and Conditional Access Bind to the Record
The chain: the compliance policy evaluates → Intune reports the verdict to both its own record and the Entra device object → a Conditional Access policy with Require device to be marked as compliant reads it at sign-in, after authentication. Two consequences. Conditional Access only credits a device it can recognize: if the sign-in can't present the registration (broker missing, certificate gone, wrong profile), a perfectly compliant device still gets blocked. And the verdict is the last reported state — a device inside its noncompliance grace period still evaluates as compliant.
Compliance policyevaluates the device
→
Entra device recordisCompliant stamped by Intune
→
Conditional Accessgrants or blocks the session
On work-profile devices the registration artifacts live inside the work profile: badged apps and browsers can prove device identity, personal-side apps cannot. That's the privacy boundary doing its job — "works in badged apps, blocked in the personal browser" is expected behavior, not a defect.
User-Less Identity and Why Conditional Access Misses It
Conditional Access evaluates at user sign-in. A standard dedicated device has no user affinity, which cuts both ways: user-targeted policies never evaluate for that hardware, and users can't sign in to CA-protected resources from it at all — even when the device is compliant. So target compliance at device groups, watch fleet health through inventory monitoring, and where rotating humans genuinely sign in, enroll with Entra Shared Device Mode — the signed-in worker is then evaluated normally, and the compliant-device grant works in SDM-aware apps.
Duplicates, Stale Records, and Safe Cleanup
A factory reset destroys the registration certificate with everything else, so a re-provisioned device cannot reclaim its old identity: re-enrollment mints a fresh Intune record and a fresh Entra record while the old pair goes stale. The same happens when a BYOD user removes and re-creates the work profile. Every re-enrollment leaves a corpse — duplicates that confuse the helpdesk, skew dynamic groups, and carry frozen compliance state.
Identify the live record first. Last check‑in in Intune and the activity timestamp (ApproximateLastSignInDateTime) on the Entra object separate the active record from its ancestors. Duplicate names are the confusion; timestamps are the truth.
Clean the Intune side before the Entra side. Deleting a genuinely stale Intune record is safe — no live device answers to it. But check timestamps twice: on corporate-owned Android, deleting an active record issues a wipe to a device that is still listening.
Disable, wait, then delete in Entra. Disable the stale object, leave a grace period for false positives, then delete. Deletion is unrecoverable, and deleting an Entra record never un-registers a live client — order matters.
When Conditional Access blocks a "compliant" device, compare device IDs before touching policy: the sign-in log names the record the token presented; Intune names the record it stamped. If they differ, it's a stale or duplicate registration — re-enroll cleanly rather than loosening the policy.
Build the stale-record cleanup job the same week you turn on device-based Conditional Access: enforcement raises the cost of every stale record, because stale registrations are exactly what sign-ins trip over.
On BYOD, identity follows the work profile, not the hardware. A user who removes and re-adds the profile is a brand-new device to Entra — access re-gates through compliance automatically, the model working as designed.
Personally-owned work profile — the only right answer for user-owned Android.
The personally-owned work profile is Android's BYOD story, and it's a good one: a sealed corporate container on the user's own device, created in about three minutes, with privacy separation the OS enforces rather than promises.
Applies toUser-owned devices — the only BYOD enrollment
RequiresManaged Google Play connected; GMS-certified device on a supported OS
Enrollment appIntune Company Portal from the public Play Store
Wipe scopeWork profile only — the device itself is never reset
Devices > Android > Enrollment: personally-owned work profile enrollment allowed (it's the default; enrollment restrictions can scope who may use it)
A GMS-certified device on a supported Android version
The User Flow
User installs Intune Company Portal from the public Play Store and signs in with their work account.
Company Portal walks them through work profile creation — the OS builds the container; takes a minute.
Done. Badged (briefcase) copies of work apps appear; the managed Play store inside the profile offers your Available apps; compliance evaluates and Conditional Access opens the door.
What the Org Controls — and Provably Can't See
Org can
Org cannot
Everything inside the work profile: apps, config, Wi-Fi/VPN/cert profiles scoped to the profile, profile passcode
See personal apps, photos, messages, browsing
Wipe the work profile ("Retire"/"Wipe" both remove only the container)
Put that table in your enrollment comms verbatim. Work profile adoption fights are almost always perception fights, and the architecture is on your side.
Insights
The personal side's Play Store keeps working normally; only the badged store is curated. Users who "can't find the app" are usually in the wrong store — teach the briefcase badge on day one.
Pair with App Protection Policies for defense-in-depth on the data layer — APP travels with the apps even here.
A user can remove the work profile anytime (it's their device) — which simply removes corporate access and data. That's the model working, not a gap: access is re-gated by Conditional Access the moment the profile dies.
Org-owned devices with a personal space — the modern default for take-home corporate phones.
COPE is the grown-up middle path: the org owns the device and holds real authority, the user gets a genuinely private personal profile, and Android 11+ enforces the boundary architecturally. For corporate phones that ride home in pockets, this should be your default.
Applies toOrg-owned take-home devices with sanctioned personal use
RequiresFactory-fresh device — Android 11+ enforces the boundary
Console pathDevices > Android > Enrollment > Corporate-owned devices with work profile
EnrollmentToken + QR, or zero-touch/KME at scale
How Modern COPE Works
Since Android 11, COPE means: Intune fully manages the work profile and holds a device-wide guardrail set (security baseline, FRP, update policy, a curated list of device-level restrictions) — but cannot inventory or inspect the personal profile. The org's reach is real but bounded, and the bound is OS-enforced.
Personal-side guardrails you do get: block/allow lists for the personal Play store (e.g., block sideloading-adjacent risk apps device-wide), camera/screenshot controls where justified, and personal-app installation policy. Use them sparingly — every personal-side restriction spends goodwill.
Enrollment
Devices > Android > Enrollment > Corporate-owned devices with work profile → create a profile; it generates a token + QR code.
On a factory-fresh device: tap the welcome screen six times → scan the QR (or type afw#setup at Google sign-in and follow into the token) → device provisions, work profile lands, user signs in.
At scale, skip the taps entirely: zero-touch or Samsung KME pre-stage the enrollment so the box-open experience is sign-in-and-go.
Factory reset required
All corporate-owned modes (COPE, fully managed, dedicated) can only be established during device setup. An in-use device must be wiped to cross over — plan fleet conversions as migration waves.
Insights
Wipe semantics: corporate actions can reset the whole device (it's org property) — but day-to-day "remove corporate data" operations target the work profile. Document both for the helpdesk.
COPE + Managed Google Play + a sane restrictions baseline covers 90% of corporate phone fleets; resist escalating to fully managed because one stakeholder wants to "see everything" — what they want is usually compliance reporting, which COPE provides.
Whole-device corporate control for single-user devices — COBO, the locked-down 1:1.
Fully managed is total device ownership: one corporate user, no personal profile, every setting yours. It's the right call for regulated environments, devices handling sensitive workloads, and anywhere the personal-use answer is a flat no.
Applies toOrg-owned 1:1 devices — one corporate user, no personal profile
EnrollmentSix-tap QR, afw#setup, or zero-touch/KME at scale
Account modelManaged Google Play accounts — no personal Google identities
Enrollment Paths (Pick by Scale)
QR code — factory-fresh device, tap the welcome screen six times, camera opens, scan the QR from your enrollment profile (Devices > Android > Enrollment > Corporate-owned, fully managed). The bench-tech workhorse.
afw#setup — at the Google sign-in step of setup, enter afw#setup as the account; it pulls the Android Device Policy flow and asks for the QR/token anyway. Useful when the six-tap gesture is awkward (no camera, odd OEM skin).
Zero-touch / Samsung KME — the device enrolls itself out of the box, enforced and wipe-persistent. The only sane path past a few dozen devices.
OEMConfig reaches deepest here — Samsung Knox Service Plugin and friends assume whole-device authority.
Insights
Fully managed devices use Managed Google Play accounts under the hood — users don't need (and shouldn't add) personal Google accounts; restrictions can block account modification to keep it that way, which also keeps FRP deterministic.
The user-experience tax is real: no personal space means users carry two phones or resent the one. If you're deploying fully managed and hearing "can I just put Spotify on it," the honest answer was COPE.
COSU — user-less corporate devices for kiosks, scanners, signage, and frontline fleets.
Dedicated devices (Google's COSU — corporate-owned, single-use) are Android's appliance mode: no user affinity, devices enrolled as equipment rather than as someone's phone, purpose-built for kiosks, warehouse scanners, point-of-sale, signage, and shared frontline hardware.
Applies toKiosks, scanners, point-of-sale, signage — equipment, not phones
Token typesStandard, or with Microsoft Entra Shared Mode for sign-in/out fleets
User affinityNone — no user signs in during enrollment
Enrollment
Devices > Android > Enrollment > Corporate-owned dedicated devices → create the profile. Decide token validity deliberately (long-lived tokens suit rolling deployments; treat the QR like a credential either way).
Choose the token type: standard dedicated, or with Microsoft Entra Shared Mode if humans will sign in and out (Shared Device Mode explains when).
Provision factory-fresh via six-tap QR, or — at fleet scale — zero-touch/KME with this profile's token embedded.
No user signs in during enrollment; the device belongs to a function, not a person.
Then Make It Do Its Job
A dedicated enrollment is just the chassis. The behavior comes from:
Device restrictions tuned for appliances: status bar, volume/power button behavior, safe-boot block, factory-reset block.
OEMConfig for the rugged fleet: scanner wedge settings on Zebra/Honeywell, Knox controls on Samsung.
System update policy with maintenance windows so the kiosk doesn't reboot at noon.
Insights
Group dedicated devices by function from day one — KIOSK-LOBBY, SCAN-DC01 — via enrollment-profile-based dynamic groups (the enrollmentProfileName trick works identically on Android). Every assignment downstream gets simpler.
Devices with no user have no one to notice problems: build Graph-based monitoring for last-check‑in and battery/storage anomalies before the fleet ships, not after the first dead-kiosk weekend.
Sequence enrollment → app install → kiosk lockdown when imaging: locking the launcher before the kiosk app lands strands the device in an empty cage. The Managed Home Screen page covers the ordering.
Supply-chain enrollment for Android — ship sealed boxes that enroll themselves, with wipe-persistent management.
Google zero-touch enrollment and Samsung Knox Mobile Enrollment (KME) are Android's supply-chain enrollment programs: devices registered at the reseller level enroll automatically at first boot — and re-enroll after every factory reset, which is the property that makes corporate management genuinely sticky. Past a few dozen devices, this is the only enrollment approach that scales.
RegisterReseller uploads devicesIMEI/serial registered to your portal account at purchase
ConfigureDefault configurationDPC extras carry the Intune enrollment token
First bootSelf-enrollmentDevice discovers its assignment and provisions into Intune
Every resetRe-enrollmentWipe-persistent — management survives factory reset
Prerequisites
A fully managed, COPE, or dedicated enrollment profile already created in Intune — supply-chain enrollment delivers devices into one of these modes; it doesn't replace them.
Devices purchased through a participating reseller or carrier that can register them to your account — confirm participation at procurement time, not after delivery.
Access to the relevant portal: the zero-touch portal (partner.android.com/zerotouch) and/or the Samsung Knox portal.
Step-by-Step: Zero-Touch (All Modern Android)
Get devices registered. A participating reseller/carrier registers your purchases into the zero-touch portal at the supply-chain level, keyed by IMEI/serial. Registration is a purchasing-channel feature — write it into the procurement contract so it happens automatically on every order.
Create a configuration in the portal. The DPC is Android Device Policy, and the DPC extras JSON carries your Intune enrollment token (from the fully managed, COPE, or dedicated profile). Intune's enrollment profile page surfaces the exact JSON to paste — don't hand-build it.
Set it as the default configuration so newly registered devices map automatically. First boot on network → device discovers its assignment → provisions straight into Intune. Sealed-box shipping to end users becomes routine.
You can link the zero-touch portal inside Intune (Android enrollment > zero-touch) to manage configurations without leaving the admin center.
Samsung KME
Same concept, Samsung's pipeline: devices land in the Knox portal via Samsung-authorized resellers; profiles carry the Intune enrollment payload. Two Samsung-specific superpowers:
The Knox Deployment App can capture retail-purchased Samsung devices into KME via Bluetooth/NFC — your escape hatch when devices weren't bought through a registered channel, and the capture path carries no purchase-window deadline.
KME pairs naturally with Knox Service Plugin for deep Samsung control post-enrollment.
Samsung-heavy fleets often run KME for Samsung and zero-touch for everything else — both can coexist pointing at the same Intune enrollment profiles. Keep the profile content identical across the two portals so every box lands in the same world; the KME deep dive covers the divergences.
Verification
Factory-reset a registered lab device and watch first boot: it should announce management during setup and provision into the intended mode with no human decisions along the way.
Reset it again to confirm wipe-persistence — it must come back enrolled. If it boots into a normal consumer setup instead, the device isn't registered or no default configuration matched it.
Insights
Wipe-persistence is the point. A stolen or wiped device boots straight back into forced enrollment — pair it with FRP configuration and the resale value of stolen corporate hardware approaches zero.
Get device registration written into the procurement contract — "all Android devices registered to our zero-touch/KME account before shipment." Retrofitting registration across an already-deployed fleet is misery.
Test the unhappy path in the lab: wrong default config, expired token in a config, device sold before deregistration. Each is a five-minute fix when rehearsed and a field incident when not.
Controlling who enrolls what — platform gates, mode gates, ownership gates, and device limits.
Enrollment restrictions are the bouncer at the door: they decide which devices, users, and management modes get in at all. Unconfigured, every licensed user can enroll personal devices into a work profile — which is either your BYOD program or your shadow-IT surface, depending on whether you decided it.
Block/allow Android Enterprise work profile — the BYOD on/off switch per population
Minimum/maximum OS version — keep museum-piece Androids out at the door rather than catching them in compliance later
Block personally owned devices — for the corporate-only crowd; pairs with corporate identifiers so your devices still pass
Manufacturer allow-listing where the fleet standard is contractual
Device limit restrictions — devices per user (default 5; right-size it). Frontline users hitting the limit during device swaps is a classic ticket; so is one user quietly enrolling nine.
Priority matters: restrictions evaluate top-down per user's group membership — keep the list short and the priorities documented, exactly the discipline you'd apply to Conditional Access hygiene.
Corporate Identifiers
Pre-registering serials/IMEIs as corporate identifiers lets a "block personal" posture coexist with corporate enrollment paths that look user-driven — the device matches the list, gets stamped corporate, and passes. Zero-touch and KME devices are inherently corporate; identifiers cover the procurement long tail.
What Restrictions Don't Do
They gate enrollment, not access — an unenrolled device still hits your apps until Conditional Access requires a compliant device or App Protection wraps the data. The complete posture is restrictions (who may enroll) + CA (what unenrolled gets) + APP (data control either way). One without the others is a fence with two open sides.
Enrollment restrictionswho may enroll what
→
Conditional Accesswhat unenrolled devices get
→
App Protectiondata control either way
Insights
Audit quarterly: the enrollment report's mode split against intent. Work-profile enrollments in a "fully managed only" org means a restriction priority is leaking — find it before the fleet forks.
Restriction changes are forward-looking — they don't evict already-enrolled devices; pair policy changes with a bulk-action cleanup of the now-out-of-policy stock.
What the user actually sees creating a work profile — and the communications that cut tickets in half.
Work profile covers the architecture; this page covers the human: the screens, the consent moments, and the messaging that decides whether your BYOD launch generates adoption or a helpdesk queue.
1Company Portal + sign-inFrom the public store; MFA and terms via Conditional Access
2Profile consentAndroid's own screens; the container builds in ~1–2 minutes
3Badged apps appearWork tab populates; personal side visibly untouched
4Compliance, then accessUnder ten minutes total on healthy Wi-Fi
The Flow, Screen by Screen
Company Portal from public Google Play (their personal store) → sign in with Entra credentials → Conditional Access does its dance (MFA, terms).
Work profile creation consent — Android's own OS screens explain the container; the user accepts and the profile builds (~1–2 minutes).
Badged apps appear: the work-badge versions of Play, Outlook, Teams populate the work tab/folder. Personal side: visibly untouched.
Compliance evaluates; access flows. Total: under ten minutes on healthy Wi-Fi.
The Three Questions Every User Has (Answer Them First)
"Can IT see my stuff?" No — and say it with the architecture, not policy promises: the work profile is a sealed container; the organization manages inside it and is structurally blind to your personal apps, photos, and messages. This single paragraph is the highest-ROI sentence in your comms.
"What happens if I leave?" The work profile is removed; the phone and everything personal stays exactly as-is. (What "wipe" means per mode — for BYOD, it means the container only.)
"What's the battery/storage cost?" Modest and bounded — the honest answer that pre-empts the forum thread.
Launch Mechanics That Work
A one-page visual guide (six screenshots, the three answers above) linked from the CA block screen — users hit the wall and the wall hands them the door.
Pilot with the vocal skeptics, not the friendly early adopters: their converted testimony is the launch asset.
Watch enrollment failures daily for week one — early failure patterns (OS minimums, restriction collisions, personal-account edge cases) are launch-tuning data.
Insights
The work profile's visibility is its adoption superpower — users can see the wall (two app instances, the badge, the profile pause toggle). Teach the pause feature proactively: "evenings off" being user-controlled converts the privacy conversation from suspicion to feature.
Track adoption as % of eligible users, not raw enrollments — and let the APP-only tier exist for the refusers; access tiers beat mandates for personal devices.
Retiring the legacy DA estate — wave planning, re-enrollment mechanics, and the data users keep (or don't).
Legacy device administrator management is dead platform walking — gutted since Android 10, incompatible with the modern feature set, and every quarter it lingers the migration gets harder. The move to Android Enterprise is a re-enrollment project, and re-enrollment projects are won with wave logistics.
Step 1Inventory and segmentSplit the DA population by ownership; map each segment to a target mode
Step 2Build the AE targetMGP, policies, apps, compliance — finished before anyone moves
Step 3Wave by re-enrollment costBYOD first, knowledge workers second, frontline last
Step 4Force the stragglersA dated Conditional Access policy sets the deadline
The Hard Truth First
There is no in-place conversion. A DA-managed device becomes AE-managed by unenrolling and re-enrolling into its target mode — and for corporate-owned modes (fully managed/dedicated) that means a factory reset with provisioning from setup. BYOD-pattern devices have it gentler: DA removal + work profile enrollment preserves the personal device intact. Set expectations accordingly; sugar-coating this is how migrations stall at 60%.
The Playbook
Inventory and segment — the Android inventory report splits the DA population by ownership and user; each segment maps to a target mode (DA-on-personal → work profile; DA-on-corporate → fully managed via zero-touch registration where the hardware supports it).
Build the AE target first — MGP connected, policies and apps staged, compliance ready. Migrating into an unfinished destination doubles the pain.
Wave by re-enrollment cost: BYOD-pattern first (lowest friction, fastest wins), corporate knowledge-worker devices second (data primarily cloud-synced — Outlook/Teams/Drive re-sign-in covers it), frontline/dedicated last with bench or self-service KME flows.
Force the stragglers with Conditional Access, the universal migration lever: a dated CA policy requiring AE-compliant enrollment converts "when I get around to it" into a calendar.
Data Reality Check
Corporate-owned resets lose local-only data — which modern fleets shouldn't have, but verify: photos outside synced storage, app data without cloud backing, authenticator apps (pre-stage the Authenticator migration explicitly or the helpdesk learns about TOTP re-registration at scale).
Do
Build the AE destination completely before the first wave moves
Pre-stage the Authenticator migration explicitly
Measure weekly — DA count trending to zero is the KPI
Don't
Promise an in-place conversion — there isn't one
Sugar-coat the factory reset corporate-owned modes require
Port DA configs verbatim instead of re-expressing them in AE policy
Insights
The DA estate's config doesn't port — it gets re-expressed in AE policy, which is the audit opportunity: most DA configs accumulated a decade of contradictions that the restrictions rebuild forces you to resolve.
Measure weekly: DA count trending to zero is the only KPI; everything else is commentary.
What's actually inside the enrollment QR — the provisioning extras that pre-stage Wi-Fi, settings, and behavior.
The QR enrollment flow scans a code and devices provision; this page is what's in the code — because the provisioning payload is configurable, and the right extras turn a fiddly bench process into tap-and-walk-away.
FormatJSON provisioning document, consumed at device setup
Trust anchorDPC component name + download URL + signature checksum
BindingEnrollment token — your tenant and management mode
TransportsQR scan or NFC bump — same payload
The Payload Anatomy
The QR encodes a JSON provisioning document the factory-reset device consumes at setup: the DPC identity (component name + download URL + signature checksum — the trust anchor that makes a QR safe to scan), the enrollment token binding the device to your tenant and mode, and the provisioning extras — the operationally interesting part:
Embedded Wi-Fi (SSID/auth): the device joins the provisioning network from the QR, no thumb-typing PSKs on a bench of forty units — the single highest-ROI extra
Locale, time zone, and setup behavior flags: skip the panes your fleet design already answers; system-app enablement posture per the system-apps decision
Mobile-data / activation options where the flow supports cellular-first provisioning
Zero-touch configurations carry the same extras server-side — the QR is the local expression of the same provisioning contract, which is why the bench QR and the supply-chain config should be maintained as one documented artifact, not two drifting ones.
Operating Notes
Version the payload in the repo like the production config it is; regenerate QRs on change rather than hand-editing JSON into posters
Provisioning-network hygiene: the embedded Wi-Fi is a credential printed on paper — use a dedicated provisioning SSID with bounded reach, rotate it on schedule, and treat lobby-taped QR posters as the secret-disclosure they are
NFC provisioning rides the same payload for the bump-to-provision pattern where hardware supports it — same JSON, different transport
Insights
The triage value is real: when enrollment fails at provisioning, decode the QR (it's just JSON) and check the three trust fields first — a stale DPC checksum after a Company Portal update explains a whole bench of failures in one look.
Knox Mobile Enrollment beyond the basics — reseller flows, profile design, and where it diverges from zero-touch.
The zero-touch and KME overview establishes supply-chain enrollment; Samsung-heavy fleets deserve the KME specifics, because the program has its own console, its own reseller mechanics, and a few behaviors zero-touch doesn't share.
Step 1Reseller uploadSamsung-authorized reseller registers IMEIs/serials to your KME tenant
Step 2MDM profileKnox console profile carries the Intune DPC identity and provisioning extras
Step 3First bootDevice calls Samsung's enrollment service and provisions — wipe-proof
The Pipeline
Reseller participation: devices enter KME via a Samsung-authorized reseller uploading IMEIs/serials to your KME tenant — the procurement-time decision that, like all supply-chain enrollment, is bought rather than retrofitted. Direct manual addition exists (the Knox Deployment App's bump/Bluetooth capture) for the long tail, with device-count realities that make it a bench tool, not a strategy.
The MDM profile: your KME console profile carries the Intune DPC identity, enrollment endpoint, and the provisioning-extras payload — keep it content-identical to your zero-touch config so a Samsung box and a Pixel box land in the same world.
First boot: the device phones Samsung's enrollment service, receives the profile, and provisions into the assigned mode — wipe-proof, like zero-touch: a factory reset re-enrolls, which is the theft-deterrence and FRP story's supply-chain anchor.
KME vs Zero-Touch, Honestly
Samsung devices generally support both; pick one per fleet and document it. KME's distinctives: Samsung-only but reseller coverage runs deep in carrier channels where zero-touch resellers are thin; the Deployment App capture path covers devices bought outside participating channels; and KME profiles sit adjacent to the rest of the Knox console family (E-FOTA, KSP licensing) — one vendor portal if you're deep in the ecosystem. Mixed-OEM fleets usually standardize on zero-touch where possible and run KME for the Samsung-carrier-channel remainder — fine, as long as the profile content is one artifact.
the fleet is Samsung, bought through carrier channelsKMEReseller coverage runs deep where zero-touch is thin; Deployment App capture covers the long tail.
the fleet mixes OEMsZero-touch firstRun KME only for the Samsung carrier remainder — and keep profile content one artifact.
Insights
The classic KME mystery — "new devices aren't enrolling" — is almost always uploaded-but-unassigned: the reseller delivered IMEIs to your KME tenant, nobody assigned the MDM profile to the batch. One console screen, checked on every PO receipt, deletes the ticket class.
The Android restrictions surface — per-mode profiles, the cross-profile boundary, and a baseline worth stealing.
Android restrictions come in two distinct profile types matching the management modes — and applying the wrong type to the wrong fleet is the most common Android configuration mistake on record.
Leave camera/Bluetooth alone unless a regulation says otherwise — blanket blocks generate workarounds, not security
Document the why per setting in the profile description — six months from now, "who set this and what breaks if we relax it" should be answerable from the profile itself. The Android hardening baseline applies the same discipline at full scale.
Do
Block factory reset, safe boot, developer options, and USB debugging
Block account modification — it keeps FRP deterministic
Require Play Protect threat scanning
Document the why per setting in the profile description
Don't
Blanket-block camera or Bluetooth without a regulation behind it
Keep one setting in multiple policies — conflicts resolve most-restrictive
Apply a device-wide template to BYOD — settings silently no-op
Insights
Restriction conflicts resolve predictably: most restrictive wins across profiles — keep each setting in one policy and conflicts stay theoretical.
Some settings silently no-op outside their mode (a device-wide key on a BYOD work profile, for instance) — "policy applied, nothing happened" usually means mode mismatch, not a bug. Check the template before opening the ticket.
OEMs layer their own toggles on top; when a setting needs to bite below the Android API surface (Samsung/Zebra hardware behavior), that's OEMConfig territory.
PSK and EAP-TLS Wi-Fi, always-on VPN, and the per-mode delivery details that trip people up.
Connectivity profiles are enrollment-critical plumbing: devices should land on corporate Wi-Fi during provisioning and authenticate with certificates rather than passwords someone can leak. Android delivers that with per-mode profile templates and a handful of delivery quirks worth knowing before the first profile ships.
Devices > Android > Configuration > Wi-Fi (pick the template matching the management mode — corporate-owned vs personally-owned work profile):
Basic (PSK): SSID, auto-connect, WPA2/WPA3 key. Fine for utility segments (printers, scanners-only VLANs, guest-adjacent networks); a shared secret is not an identity, so corporate data doesn't belong behind it.
Enterprise (EAP-TLS): certificate-based authentication, the gold standard — no password to phish, expire, or write on a whiteboard. Built as a three-profile chain (below).
MAC randomization: Android 10+ randomizes the MAC per-SSID by default, and the profile exposes the behavior for managed networks — pin the hardware MAC where NAC or DHCP reservations key on it; leave randomization on for guest segments.
Work-profile-scoped Wi-Fi lands device-wide in practice (radios are shared) but is managed through the profile — removal semantics follow the container.
Step-by-Step: the EAP-TLS Chain
Certificate-authenticated Wi-Fi is a three-profile dependency chain. Intune sequences the dependencies for you when the references are wired correctly:
Deploy the trusted certificate profile — your root (and issuing) CA — so the device can validate the RADIUS server's certificate.
Deploy the SCEP identity profile that issues the device its client certificate; Certificates on Android covers the issuance plumbing and per-mode targeting.
Create the Wi-Fi profile referencing both: EAP type EAP-TLS, the SCEP profile as the identity certificate, the trusted-cert profile as the root, and the server certificate names filled in so the device validates RADIUS trust strictly instead of trusting anything with a plausible chain.
Step 1Trusted certificate profileRoot and issuing CA — validates the RADIUS server
Step 2SCEP identity profileIssues the device its client certificate
Step 3Wi-Fi profile references bothEAP-TLS plus server certificate names for strict trust
VPN
Android VPN is client-app-centric: deploy the vendor's app (Managed Google Play), then configure it via app configuration policy (most modern clients) or a VPN profile (where templates exist). The capabilities worth knowing:
Always-on VPN (corporate-owned modes): designate the VPN package in device restrictions/configuration — with optional lockdown ("block connections without VPN") for regulated fleets. The operational warning is structural: gateway outage = fleet outage; pilot accordingly and write the break-glass procedure before you need it.
Per-app VPN behavior is delivered through the VPN vendor's managed configuration (package allow-lists in the app config) rather than an OS-level assignment association — read your vendor's Intune integration doc; they all differ slightly.
Microsoft Tunnel supports Android via the Defender app — one client covers MTD and tunnel duty, which is one fewer agent to deploy, update, and explain.
Verification
Enroll a lab device and confirm it joins the corporate SSID during provisioning — that is the test that matters, because production devices need the network before any user can intervene.
For EAP-TLS, confirm the work credentials are present on the device and perform an 802.1X join against production RADIUS. When 802.1X fails, triage in this order: server-trust names first, expired identity certificate second, WLAN infrastructure a distant third.
Insights
Sequence Wi-Fi into the enrollment-critical set (filter-shaped, not dynamic-group-gated) so zero-touch devices land on corporate Wi-Fi during provisioning — dynamic group membership lags enrollment by minutes you don't have at the setup screen.
Trusted root, SCEP, and PKCS for Android Enterprise — same chain, Android-flavored delivery.
The certificate architecture is platform-agnostic infrastructure: trusted roots anchor the chain, SCEP issues device identities, PKCS covers escrow scenarios, and the issuance backends — Microsoft Cloud PKI, the Certificate Connector in front of your AD CS, or third parties like SCEPman — serve every fleet you manage from one issuance plane. Build the PKI once; let each device estate consume it through its own profiles.
Profile typesTrusted root, SCEP for identity, PKCS for escrow
BackendsMicrosoft Cloud PKI, Certificate Connector + AD CS, or third party
StorageDevice KeyChain on corporate modes; inside the container on BYOD
RenewalIntune-automatic ahead of expiry — failures are silent, alert on backend health
The Android Specifics
Profiles are per management mode — a trusted-cert/SCEP profile targets either the corporate-owned template family or the personally-owned work profile template. BYOD certs live (and die) inside the container; corporate-mode certs are device-resident in the Android KeyChain.
Subject/SAN variables behave as you'd expect — {{DeviceName}}, {{AAD_Device_ID}}, {{UserPrincipalName}} on user-affinity modes — keep certs traceable to the Intune objects they were issued for.
App access to certificates: Android apps must be granted a KeyChain identity. Wi-Fi/VPN profiles that reference the SCEP profile handle their own binding; line-of-business apps doing client-cert auth typically take the certificate alias via app configuration policy (the common certificate alias-style keys) so users never see a chooser dialog. Silent cert selection is configuration, not luck.
Renewal is Intune-automatic ahead of expiry — but renewal failure is silent at fleet scale. Alert on connector/backend health and watch for 802.1X failure spikes as the canary: a dead issuing backend looks like "Wi-Fi is broken" three weeks later.
Step-by-Step: Practical Build Order
Trusted certificate profile (root + issuing) per mode family you operate — trust comes first; everything else references it.
SCEP profile referencing it — one identity can serve Wi-Fi and VPN and app auth; don't issue triplicates that triple your renewal surface for no security gain.
Consumers last: Wi-Fi/VPN/app-config profiles referencing the SCEP profile.
Verification
On a lab device, Settings > Security > Encryption & credentials shows the installed work credentials.
An EAP-TLS join against production RADIUS proves the chain end-to-end — root trust, identity issuance, and server validation in a single test.
Insights
A work-profile wipe (BYOD retire) destroys the container's certs instantly — cert-gated access dies with enrollment, by design. Corporate-mode wipes likewise. Write it into the offboarding runbook as the feature it is.
If you manage more than one device platform, share the PKI deliberately: same CA, same template philosophy, parallel profiles per estate — divergent PKI stacks are how orgs end up with four expiring things nobody owns. The Architecture Corner's RBAC model keeps issuance centrally owned either way.
The manufacturer back-channel — controlling Samsung, Zebra, and Honeywell hardware below the Android API surface.
OEMConfig is Android's pressure valve for hardware diversity: manufacturers ship a schema-driven companion app exposing their device-specific knobs, and Intune renders that schema as a configuration UI. It's how you reach the settings Google's APIs don't cover — and on rugged and Samsung fleets, it's not optional knowledge.
Step 1Approve the OEM appKSP, Zebra OEMConfig, Honeywell UEM Connect — via Managed Google Play
Step 2Deploy as requiredAssignment filter on manufacturer/model keeps schemas on their hardware
Step 3Build the profileDevices > Android > Configuration > OEMConfig — Intune renders the schema
Step 4App applies itManaged configuration lands with OEM privileges — typically instantly
The Mechanism
Approve the OEM's config app in Managed Google Play — Knox Service Plugin (Samsung), Zebra OEMConfig, Honeywell UEM Connect, and equivalents from most enterprise OEMs.
Deploy it as a required app to the matching hardware (an assignment filter on manufacturer/model keeps Zebra config off Samsungs).
Create the profile: Devices > Android > Configuration > OEMConfig, select the app — Intune renders the OEM's schema (hundreds of settings on KSP) as a navigable form.
The app receives the configuration as a managed configuration and applies it on-device with OEM privileges — typically instantly.
What Lives Here
Samsung KSP: firmware-control hooks, advanced Knox restrictions, DeX behavior, hardware-key remapping, granular USB/network controls — the deep Samsung surface.
Generally: anything the OEM considers theirs rather than Android's.
The Rules That Keep You Sane
One OEMConfig profile per app, per device
A device should receive exactly one profile for a given OEMConfig app. Multiple profiles targeting the same app on the same device produce undefined, last-writer-ish results — structure assignments so they can't overlap, and build variation inside one profile rather than stacking profiles.
Precedence discipline: an OEMConfig setting and an Intune-native restriction can disagree (two hands on one knob). Decide per setting which layer owns it, write it down, and never configure the same control in both.
Changes apply fast and device-side — there's no "deployment ring" safety net inherent to the channel. Pilot OEMConfig edits on a lab unit with the seriousness you'd give firmware.
Schemas version with the OEM app: after a KSP/Zebra app update, re-open the profile and review new/renamed settings before assuming continuity.
Do
Keep exactly one profile per OEMConfig app per device
Decide which layer owns each setting and write it down
Pilot schema edits on a lab unit with firmware-level seriousness
Re-review the schema after every OEM app update
Don't
Stack multiple profiles on the same app — results are last-writer-ish
Configure one control in both OEMConfig and a native restriction
Assume a deployment-ring safety net — changes land fast and device-side
Insights
KSP behind KME enrollment is the canonical Samsung stack — enrollment, deep config, and (with licensing) Knox E-FOTA update control in one vendor lane.
Treat OEMConfig profiles as code: export/document via IntuneCD — they encode tribal hardware knowledge that otherwise lives in one engineer's head.
The fragmentation truth, the policies that actually work, and patch-level compliance as your enforcement lever.
Start with the uncomfortable truth: Intune cannot push an Android OS update. Nothing in the management stack downloads and installs an OS build on demand — updates ship from each OEM/carrier on their own cadence, and the device installs what it's offered. Your control surface is scheduling, pressure, and procurement. Used together, they work.
Lever 1SchedulingSystem update policy: windows, postpone, freeze
Lever 2PressurePatch-level compliance wired to Conditional Access
Lever 3ProcurementAER hardware with committed support windows
Automatic — install when offered (good default for phones)
Maintenance window — install only inside a daily window (kiosks, scanners — no noon reboots)
Postpone — defer up to 30 days per update
Freeze periods — block updates entirely for defined date ranges (up to ~90 days each, with a required gap between) — your retail-holiday / exam-season / harvest-window control
30 daysmaximum postpone per update
~90 daysmaximum freeze period — gap required between freezes
2. Pressure — Patch-Level Compliance
The strongest lever in the Android update story: every device reports its security patch level as a date, and compliance policy can require a minimum patch level. Set it on a rolling window (e.g., no older than 60–90 days), wire it to Conditional Access, and devices that don't take updates lose access — converting "please update" into a self-resolving condition. Drive the window from data: the inventory report computes patch age across the fleet.
3. Procurement — Where the Battle Is Actually Won
Update availability is decided when you choose hardware:
Buy from the Android Enterprise Recommended directory and check the OEM's committed support window — current flagships (Pixel, Samsung's premium lines) commit to many years of OS + security updates; bargain hardware commits to roughly nothing.
Rugged fleets: Zebra LifeGuard and Samsung Knox E-FOTA (licensed services) add what the platform lacks — version pinning, tested-firmware targeting, and scheduled rollout of specific builds. If your dedicated fleet runs the business, one of these belongs in the budget.
Insights
Mixed-OEM fleets will straddle Android versions for years — keep app minimums and policies tolerant of N-1/N-2, and let patch-level compliance (not OS-version compliance) carry the security requirement; patch dates normalize across OEMs far better than version numbers.
Watch the long tail quarterly: when an OEM's support window closes, those devices' patch age only grows — the inventory report's aging buckets are your replacement-budget evidence.
The post-reset account lock built into Android — configure it deliberately or meet it for the first time during an incident.
Factory Reset Protection is Google's theft deterrent: after an untrusted factory reset, the device demands credentials of an account that was on it before the wipe. It is superb against thieves — and equally indiscriminate against IT departments that didn't plan for it, because the lock has no way of knowing whether the reset came from a pawn shop or from your own helpdesk bench. On corporate Android, you manage FRP explicitly — never leave it to whatever Google account happened to be present on the device.
Applies toCorporate-owned modes only — BYOD FRP belongs to the user
Key decisionDesignated unlock accounts vs documented disable
Pairs withAccount modification: block, plus zero-touch/KME persistence
Prerequisites
Devices enrolled in a corporate-owned mode — fully managed, dedicated, or COPE. BYOD work profiles are out of scope: the device is the user's, so the FRP accounts are theirs too.
A decision on who holds the post-reset key: one or more dedicated Google accounts (your Android Enterprise service-account family or purpose-built frp-unlock@ accounts) with credentials stored in the team vault.
Access to the corporate-owned device restrictions template, which carries the Factory Reset Protection settings.
Step-by-Step Configuration
Create or designate the corporate unlock accounts. Keep the list short and purpose-built — dedicated frp-unlock@ accounts beat personal admin accounts because they survive staff turnover and their credentials can live in the vault without exposing anyone's working identity.
Designate those accounts in the Factory Reset Protection settings of the corporate-owned device restrictions profile, so that only they can activate a device after reset. This is the recommended posture: theft protection stays on, and IT always holds the key.
Or disable FRP entirely where the trade-off genuinely favors it — dedicated kiosk fleets living behind physical security, where re-provisioning velocity beats theft deterrence. Make this an explicit, documented exception rather than a default you drifted into.
Pair with account modification: block in the same baseline so users can't add personal Google accounts that would otherwise enter the FRP picture. Without this, the unlock-account list you just configured competes with whatever accounts appear on the device later.
Document which accounts unlock FRP in the same vault entry as the MGP binding, so the person doing 2 a.m. incident response can actually find them.
Verification
Test the full unlock flow once in the lab, not first during an incident: factory-reset a lab device through an untrusted path, confirm the FRP challenge appears, and confirm a designated unlock account activates the device. An unlock procedure that has never been exercised is a hope, not a control.
How It Plays With Wipes and Enrollment
An Intune wipe of a corporate device with configured FRP leads to a reset that your designated accounts can always activate — clean redeploys.
Zero-touch/KME devices add the best layer: post-reset, the device also forces re-enrollment into your tenant regardless — FRP + wipe-persistent enrollment together is the strongest theft-resale deterrent Android offers.
Returning or selling devices: release them from zero-touch/KME and ensure a clean FRP state (a managed reset with FRP handled) before hardware leaves the fleet — a locked device in a buyer's hands is a support call and a refund waiting to happen.
Do
Designate dedicated frp-unlock@ accounts with vaulted credentials
Exercise the full unlock flow on a lab device
Release zero-touch/KME and clear FRP before hardware leaves the fleet
Don't
Leave FRP to whichever Google account happens to be on the device
Use a personal admin account as the unlock key
Sell or return devices with FRP still armed
Insights
The classic incident: a departed employee's personal Google account on a (mis-deployed) corporate device + a helpdesk factory reset = bricked hardware and an awkward phone call. Every line of the baseline above exists to make that sentence impossible.
BYOD work profiles don't involve corporate FRP — the device is the user's, their accounts, their FRP. Scope this whole page to corporate-owned fleets.
Device locks, work profile challenges, biometrics, and the two-password model BYOD users actually live with.
Android's lock story has a structural twist worth designing around deliberately: on work profile devices, there are potentially two locks — the device lock (the user's own) and the work profile challenge (yours). Designing them as a pair is the whole skill.
The Two-Lock Model
Device password policy applies to the whole-device lock. On BYOD you can require a lock of minimum strength — reasonable — but heavy-handed device-lock rules on personal phones generate justified resentment.
Work profile challenge: a separate unlock gating only the work container. The defensible BYOD posture: modest device-lock floor + real work-profile challenge — your strong auth protects your data; their phone stays theirs. On fully managed devices there's one lock and it's yours: set it like you mean it.
the device is BYOD with a work profileTwo-lock pairModest device-lock floor + real work-profile challenge — strong auth on your data, their phone stays theirs.
the device is fully managedOne corporate-grade lockThere's one lock and it's yours — apply the full corporate standard.
the fleet is dedicatedWorkflow-tolerant lockWhatever the workflow tolerates, with short timeouts doing the heavy lifting.
Step-by-Step: Building the Lock Policy
Decide the posture per enrollment mode before touching settings. BYOD gets the two-lock pair (light device-lock floor, real work-profile challenge); fully managed gets one corporate-grade device lock; dedicated devices get whatever the workflow tolerates, with short timeouts doing the heavy lifting.
Set the device password requirement. On BYOD, a minimum-strength floor is the defensible ask; on fully managed hardware, apply the full corporate standard — the device is yours and this lock is the front door.
Configure the work profile challenge separately. This is the unlock that actually guards corporate data on BYOD — require real strength here, and let the user's whole-device lock remain their business.
Prefer complexity bands over composition rules. Android's password-complexity bands (low/medium/high) beat character-recipe micromanagement — HIGH plus a length requirement is clean, auditable, and survives OS UI changes.
Allow biometrics; govern the fallback. Fingerprint/face unlocking a strong underlying credential is better security and better UX than PIN-typing fatigue — control the fallback credential, not the convenience. Decide trusted-agent features (Smart Lock-style unlocks) deliberately; most corporate postures disable them on managed devices.
Set lock timeout and max-failures-to-wipe per fleet. Timeout short on dedicated devices, humane on knowledge workers; failure-wipe only where the data classification truly warrants the foot-gun.
Verification
Compliance attests the result — policy sets the lock, compliance proves it, Conditional Access enforces it; the standing trio.
Test the lost-biometric path (sweaty-glove frontline reality): the fallback experience under your timeout/failure settings is part of the policy, not an afterthought.
Password changes near enrollment can race profile delivery — a device flapping noncompliant on password rules right after enrollment usually needs one sync cycle, not a ticket.
Insights
The work-profile challenge prompt confuses users exactly once ("why two PINs?") — one comms line fixes it: the second unlock is the door to the work side only; we never see or control your phone's main lock on BYOD.
Always-on, per-app, and Microsoft Tunnel — getting work traffic home without touching personal traffic.
Android VPN under management has one headline capability the personal world lacks: per-app VPN scoped to the work side — corporate apps tunnel, personal traffic never does, and the privacy wall extends to the network layer.
HeadlinePer-app VPN scoped to the work side — personal traffic never tunnels
Client modelVendor app from Managed Google Play + app configuration policy
RequiresCertificate chain in place where auth is certificate-based
Microsoft optionTunnel — Defender for Endpoint as the client app
The Profile Anatomy
A VPN profile pairs the client app (deployed via Managed Google Play) with connection configuration (server, auth, certificates) — most modern clients receive their config via app configuration policy rather than the legacy VPN profile type, so check the vendor's documented keys first.
Prerequisites
The VPN client app approved and ready to assign through Managed Google Play.
Certificate infrastructure in place where authentication is certificate-based — the SCEP chain is the standard.
The vendor's managed-configuration documentation in hand: the keys it publishes define what you can actually configure.
Step-by-Step Deployment
Land the client certificate first. Certificate-based authentication via your SCEP chain is the standard; the cert profile must arrive before the VPN can work — sequence assignments accordingly.
Assign the VPN client app as Required to the target fleet so the tunnel software is present before its configuration arrives.
Deliver the connection configuration — server, identity, routing — through the app configuration keys the vendor documents (or the legacy VPN profile type where that remains the supported path).
Decide the always-on posture. Always-on VPN (device or work-profile scoped) means the OS establishes and maintains the tunnel without user action, with optional lockdown (no traffic outside the tunnel) for high-assurance fleets — lockdown on a misconfigured tunnel is a self-inflicted outage, so pilot it with the escape hatch documented.
Scope per-app VPN deliberately. Enumerate the work apps that tunnel; on work-profile devices this is naturally container-scoped, so personal traffic stays untouched by design.
Microsoft Tunnel
For Microsoft-stack orgs, Tunnel is the Intune-native gateway: a containerized Linux gateway on-prem/cloud-edge, with Defender for Endpoint as the client app doing double duty (MTD + VPN). Per-app and full-device modes, configuration entirely via Intune profiles, and conditional launch ties into the compliance loop. If you're standing up Android VPN fresh and own the Microsoft stack, evaluate Tunnel before buying a parallel appliance.
The Strategic Note
If the VPN's only job is reaching two legacy internal apps, that's an app-modernization conversation (identity-aware proxy, ZTNA) wearing a VPN costume. Per-app VPN is often the bridge, not the destination — build it well, and plan its retirement in the same document.
Verification
The triage chain for "VPN won't connect" doubles as the rollout checklist: cert present? (device-side check) → app config delivered? → server reachable on that network? Three questions, in order, ends most tickets — and walking a pilot device through them proves the deployment before the fleet assignment goes out.
Check 1Certificate present?Device-side credential check first
Check 3Server reachable?Gateway up and routable from that network
Insights
Battery is the silent killer of Android VPN rollouts — always-on tunnels with aggressive keep-alives drain frontline devices; test on the worst battery in the fleet and tune server-side timeouts before the pilot, not after the complaints.
Tuning the wall between work and personal — contacts, copy/paste, notifications, and the connected-apps question.
The work profile wall is absolute by default; these settings poke deliberate, user-serving holes in it. Each hole trades a little separation for a lot of usability — make each trade on purpose.
The Settings That Shape Daily Life
Cross-profile contact search and caller ID: allow it. Without it, incoming calls from colleagues show as bare numbers because the work contacts live behind the wall — the single most complained-about default in BYOD history. Allowing search/caller-ID exposes lookups, not the contact store.
Cross-profile copy/paste: the genuine dilemma. Blocking it (work→personal) is real DLP with real friction; pair the decision with your App Protection cut/copy policy so the managed-app layer and the profile layer agree — users experience the stricter of the two, and disagreement between them produces "it works in Outlook but not Chrome" mysteries.
Cross-profile data sharing / intents: governs share-sheet flows (sharing a personal photo into work apps is commonly allowed; work→personal blocked). Test the actual share-sheet experience — intent rules read abstract and feel concrete.
Work notifications on the lock screen: redact content (show app, hide preview) as the middle path between leaking meeting titles on a personal lock screen and making notifications useless.
Connected apps / cross-profile app pairs: the OS-level mechanism letting specific app pairs (where the developer supports it) see across the wall. Most corporate postures leave this disabled — every pair is a documented exception or it's a hole.
The Design Doctrine
Defaults closed, holes opened by user-experience evidence: contacts/caller-ID immediately (the evidence is universal), clipboard and sharing per data-classification appetite, everything else by exception. Write the matrix once and the BYOD comms can honestly describe the wall — which is what makes users trust it.
Do
Allow cross-profile contact search and caller ID
Redact work notification content on the lock screen
Pair the clipboard decision with the APP cut/copy policy
Test the actual share-sheet experience
Don't
Enable connected-app pairs without a documented exception each
Let the profile layer and the managed-app layer disagree
Copy the BYOD matrix onto COPE unexamined
Insights
These settings interact with COPE's inverted ownership — the same toggles exist but the personal side is the guest; revisit the matrix per mode rather than copying the BYOD profile.
When a cross-profile behavior "stopped working," check OS-version changes first — Android tightens cross-profile defaults across releases, and the annual OS validation pass should include this matrix.
Bluetooth, NFC, tethering, USB data, and Wi-Fi behavior — locking down the side doors on corporate-owned fleets.
Every radio and port is a data path. On fully managed and dedicated fleets, the restrictions catalog gives you each one as a switch; this page is the cookbook for which switches matter and which combinations bite.
The Control Surface
Bluetooth: full disable for the strictest environments; contact sharing over Bluetooth off as the lighter default (blocks the car-kit contact slurp without killing headsets). Configurable on company-owned modes; the work profile on BYOD deliberately can't reach the device's radios — that's the personal side's property.
NFC: disable beam/data-sharing flows where data exfil matters; leave NFC itself alive if payment/badge workflows ride it — the distinction between "NFC off" and "NFC sharing off" prevents breaking the door badges.
Tethering/hotspot: off on dedicated fleets (a kiosk does not need to be a router); on knowledge-worker devices it's a policy decision with a real-world cost — field staff tether laptops legitimately.
USB: USB file transfer/data off is the high-value, low-friction control on corporate devices (charging unaffected); USB debugging blocked is non-negotiable outside the lab — and Play Integrity plus compliance backstop devices where someone tried.
Wi-Fi behavior: lock Wi-Fi config changes on dedicated devices (the kiosk stays on its deployed profile); allow user networks on 1:1 devices — people work from homes and hotels.
Airplane/cellular toggles: lockable on dedicated hardware where "the scanner went offline" usually means a curious finger.
Do
Turn off USB file transfer and block USB debugging
Prefer contact-sharing off over disabling Bluetooth outright
Distinguish NFC off from NFC data-sharing off
Keep the posture table in the tier-1 runbook
Don't
Disable NFC where payment or badge workflows ride it
Leave tethering on for kiosks — a kiosk is not a router
Expect work-profile policy to reach BYOD radios — they belong to the personal side
Posture by Fleet
Knowledge worker (fully managed)
Dedicated/kiosk
Bluetooth
On; contact-share off
Off unless peripheral-required
Tethering
Decide per field reality
Off
USB data / debugging
Off / Off
Off / Off
Wi-Fi changes
Allowed
Locked
Insights
Radio restrictions are where OEMConfig earns its keep — Knox and rugged-OEM schemas expose port and radio controls beyond the standard catalog (USB host-mode policy, specific-peripheral allow-lists) when the standard switches are too blunt.
Every disabled radio is a future mystery ticket ("scanner won't pair") — keep the posture table above in the runbook so tier-1 checks policy before hardware.
Owner identification, support messaging, and the small-surface branding that pays for itself in returned hardware.
Android's branding surface is deliberately small — but the pieces that exist are the ones that matter operationally: lock screen identification and management transparency messages. Spend the effort where it pays: the string that gets lost hardware returned, and the policy messages users actually read.
Lock Screen Message (Device Owner)
On fully managed and dedicated devices, policy sets a persistent lock screen message — the corporate-asset string visible to whoever finds the device:
Property of <Org> — if found: <helpdesk number / email>
This is the recovered-hardware play: a finder acts on what the lock screen tells them, and "property of, call here" measurably converts lost devices into returned ones. Template the string with real, answered contact details — a branding message pointing at a dead mailbox helps no one and quietly advertises that nobody is watching.
Management Transparency Strings
The restrictions surface carries short/long support messages — the text Android shows when a user hits a managed boundary ("this action is disabled by your organization" moments). Customize them: the default OS phrasing is cold and uninformative; "Disabled by <Org> IT policy — questions? helpdesk@…" turns a frustration moment into a routed question. Cheap goodwill, permanently deployed.
Wallpaper and Visual Identity
Whole-device wallpaper control is mode- and OEM-dependent rather than universal — where the fleet is Samsung, Knox Service Plugin exposes wallpaper/boot-animation controls the standard catalog doesn't; on dedicated devices, Managed Home Screen's theming (logo, colors, layout) is the visual identity and does the branding job properly. Knowledge-worker fully-managed fleets mostly skip wallpaper enforcement — the lock message carries the asset-ID value without the "IT redecorated my phone" energy.
Insights
Work profile BYOD branding is deliberately near-nil — it's the user's device and the wall works both ways; the badge on work apps is the brand presence, and that's correct.
Treat the lock message as managed data, not set-and-forget: helpdesk numbers change. An annual policy-review pass that re-validates the contact string costs a minute and saves the embarrassment of branded devices advertising a disconnected line.
Personal accounts, managed identities, and the Play Protect settings underneath your app-source story.
Account policy decides whose Google lives on the device — and on Android, the account model quietly defines the app-source and data-path story.
Accounts by Mode
Work profile (BYOD): the personal side keeps the user's own Google account untouched (their device); the work side runs on the managed Google Play account Intune provisions invisibly per the MGP binding — no user-visible Google identity to manage, which is the design's elegance.
Fully managed: the high-leverage control is account-add restrictions — block adding personal Google accounts and the device cannot sideload an identity that brings consumer Play, consumer sync, and consumer data paths onto corporate hardware. The defensible default: blocked, with the managed account doing all the work.
Dedicated: no user accounts at all, by design — account-add blocked is implicit in the mode's posture.
The account-restriction setting accepts allow-list nuance (specific account types) for the genuine exceptions; treat each as documented architecture.
Play Protect and App Source Integrity
The restrictions catalog carries the app-source integrity stack — set it as a unit:
Play Protect verify-apps: enforced — Google's on-device scanning stays on; compliance can attest it
The classic confusion ticket: a fully-managed user trying to add their personal Gmail and reading the block as "my email is broken." One line in onboarding comms — corporate devices run corporate identity; personal mail lives on personal devices — converts the ticket into a policy the user already heard.
Auditing account posture fleet-wide is a Graph query away — the device-account surface plus restriction-policy reporting answers "could anyone have added an account" with evidence rather than assumption.
Pre-deciding the permission prompts — global defaults, per-app grants, and the frontline case for silence.
Every Android app's first run is a parade of permission prompts — location, camera, notifications — and on managed fleets you can answer them by policy instead of by user: globally, and per-app per-permission.
the fleet is dedicated or frontlineAuto-grant the workflow app's permissionsNo personal context — prompts stall shifts and protect nothing.
knowledge workers carry fully managed devicesPrompt globally, pre-approve the security stackAuto-grant only what the security tooling needs to activate silently.
the device is BYOD with a work profileLighter touchGovern work-side grants to match the BYOD social contract.
The Two Levels
Global default (device restrictions, corporate-owned modes): what happens when a managed app requests a runtime permission — prompt (consumer behavior), auto-grant, or auto-deny.
Per-app overrides (app configuration policies): the surgical layer — this app gets location auto-granted, that one gets camera auto-denied — overriding the global default for the named permission on the named app.
The Right Call per Fleet
Dedicated/frontline: auto-grant the workflow app's required permissions, full stop — a kiosk scanner asking a warehouse picker to approve camera access is a workflow stall, not a privacy win. The device has no personal context; the prompts protect nothing and cost minutes per shift.
Fully managed knowledge workers: keep prompt as the global default (the prompts carry real signal on a device a human lives with), auto-grant only the corporate stack's table-stakes permissions (Defender's requirements, the VPN client's notification rights) so security tooling activates without a consent scavenger hunt. The principle: pre-approve what the security stack needs to function silently, and leave the judgment calls with the human holding the device.
Work profile BYOD: lighter touch by design — the work-side apps' grants are governable; the posture should match what the BYOD social contract promised.
The Edges Worth Knowing
A few permission classes sit outside the auto-grant reach by platform design — the special-access tier (overlay, usage access, and kin) follows its own rules, and location on newer Android versions carries extra user-consent ceremony even under management for certain grant types. Test the actual first-run on a bench device per OS release; the permission model is one of Android's most actively renovated rooms.
Insights
Auto-deny is the underused half: a corporate fleet whose policy auto-denies camera/microphone for the long tail of apps — granting only the named exceptions — converts the hardening baseline's intent into per-app reality without touching the OS-level radio switches.
The preinstalled layer — enable, disable, and govern what shipped on the device before you did.
Every Android arrives carrying a payload you didn't choose: OEM utilities, carrier additions, Google's suite. On corporate-owned modes, system apps are policy surface — and the defaults matter more than they look.
The Baseline Decision
Provisioning establishes the posture: corporate-owned enrollments can start with system apps broadly disabled (the lean default — the device exposes only what you enable) or left enabled (consumer-familiar, everything present). The provisioning payload and enrollment profile carry the choice; changing philosophy later means touching the fleet, so decide it with the mode decision, not after.
the fleet is dedicatedDisabled-by-defaultEnable the named few — every visible icon is workflow or distraction.
knowledge workers carry the devicesEnabled-by-default + block listBlock the genuinely objectionable; disabling the OEM gallery buys resentment, not security.
The Per-App Layer
Above the baseline, Intune's app surface manages named system apps: adding a system app entry (by package name) with a Required-style assignment enables it on devices where the baseline disabled it — how a lean dedicated fleet gets exactly the OEM camera and nothing else. The restrictions side carries the inverse muscle for blocking what must not run.
What to Do per Fleet
Dedicated: disabled-by-default + enable the named few — every visible icon on a kiosk is either workflow or distraction, and the lean posture is also the attack-surface posture
Fully managed knowledge workers: enabled-by-default with a block list for the genuinely objectionable (carrier bloat with data-path implications, duplicate stores) — disabling the OEM gallery on someone's daily phone buys resentment, not security
The carrier dimension is real: identical models from different channels carry different preloads — the two-model fleet discipline extends to channels, and the preload diff belongs in procurement acceptance
Insights
Package names are the whole game and OEMs don't advertise them — the bench technique: provision one device per model/channel, dump the package list via adb on a lab unit, and build the enable/block lists from observed reality rather than vendor documentation. Thirty minutes per model, versioned in the repo, done per hardware generation.
"The camera disappeared" tickets after enrollment are this page in disguise: lean-baseline fleets must enable the obvious utilities in the same change that disables the world — the gap between the two is your ticket volume.
Android app deployment is refreshingly low-ceremony: no licenses to count, no annual token expiry, no location juggling. Approve, sync, assign. Here's the full loop and the few places it still bites.
Step 1ApproveApps > Android > Add — pick from the embedded storefront
Step 2SyncAutomatic on a cadence; the Sync button for right now
Step 3AssignRequired installs silently; Available populates the managed store
Step 4ConfigureManaged configuration rides alongside most enterprise apps
The Loop
Approve: Apps > Android > Add > Managed Google Play app — Intune embeds the MGP storefront; search, open the app, Approve/Select. (Permission-change handling: choose to keep the app approved when permissions change, or you'll re-approve every update cycle.)
Sync: approved apps appear in Intune after a sync — automatic on a cadence, immediate via the Sync button (Apps list, or the MGP connector page). "I approved it and it's not in Intune" = press Sync.
Assign: Required installs silently on corporate modes and into work profiles; Available populates the managed Play store (the badged store in a work profile; the only store on fully managed/dedicated). Filters shape per-fleet.
Google Play updates managed apps using its own logic (idle + Wi-Fi + charging heuristics). Two controls worth knowing:
Update priority per app (in the app's Managed Google Play settings): High priority pushes the update as soon as Google publishes it — reserve for security-critical apps; Postpone holds ~90 days for change-controlled fleets.
App update pace is otherwise Google's; if a kiosk must run a pinned version, that's an argument for private app channel control, not a setting you're missing.
What About Paid Apps?
The honest answer: Managed Google Play's enterprise distribution is built around free apps and your own private apps. There is no bulk purchase-and-assign mechanism for paid consumer Play titles — in practice, enterprise Android runs on free clients + LOB. Plan procurement accordingly (vendors with paid consumer apps almost always offer an enterprise/private build), and see paid apps and licensing for the full procurement map.
Insights
Collections (store layout, edited in the MGP iframe) turn the managed store from an alphabet soup into a curated storefront — "Core", "Field Tools", "HR" — ten minutes of effort, outsized adoption payoff.
Permission auto-grant policy (in app assignment/config) silences runtime permission prompts on corporate fleets — kiosk and frontline apps especially should never be waiting on a tap for camera access.
The App Install Status script is platform-agnostic — point it at an Android app's display name and the same failure triage applies.
Managed configurations — pre-configuring apps so they open ready to work.
Android's managed configurations follow a clean contract: the app publishes a schema of admin-settable keys; Intune delivers values; the app launches pre-configured. The mechanism is native to Android Enterprise and powers everything from Outlook account setup to OEMConfig itself (which is literally a managed configuration with a huge schema).
Step 1App publishes its schemaAdmin-settable keys, declared by the app version
Step 2Intune delivers the valuesConfiguration designer or JSON, with tokens resolving per user and device
Step 3App launches pre-configuredFirst open is already set up — no helpdesk onboarding call
Creating One
Create the policy under Apps > App configuration policies > Add > Managed devices (platform Android Enterprise):
Target the app. Point the policy at the MGP app — the Configuration designer renders the app's published schema as a form; the JSON editor exists for schemas the designer renders poorly or for source control.
Set the values, tokenized where possible. Tokens make values dynamic: {{userprincipalname}}, {{mail}}, {{DeviceName}}, {{AAD_Device_ID}} — one policy configures every user correctly.
Assign alongside the app. Assignment follows the app's groups; the config arrives with (or right after) the install. Deploy app and policy together so first launch is already configured.
The Managed apps channel variant targets APP-protected apps instead — the MAM-without-enrollment path for configuring, say, Edge on an unenrolled BYOD device.
The Greatest Hits
Outlook: account auto-setup from UPN tokens, default signature posture, contact-sync policy — the difference between "open and work" and a helpdesk onboarding call.
Microsoft Launcher / Managed Home Screen: the entire kiosk experience is one big app config.
Certificate alias keys on LOB and vendor apps — silent client-cert auth wiring, per the certificates page.
VPN clients: per-app routing and connection definitions ride this channel on Android, as covered in Wi-Fi and VPN.
Insights
The schema belongs to the app version — after major app updates, revisit the policy for new/renamed keys (same discipline as OEMConfig schema versioning).
Config arriving after first launch can leave an app half-set-up; for required apps with critical config, deploy app and policy together and verify on a lab device before fleet assignment.
When a key seems ignored: confirm the app actually received the config (most Microsoft apps expose a diagnostic view listing applied managed config) before blaming Intune delivery.
Publishing your own APKs through Managed Google Play — minutes to deploy, private to your org.
Your in-house Android app doesn't need the public Play review gauntlet. Managed Google Play private apps publish an APK/AAB to your organization only, live in minutes, updated through the same pipe as everything else. It has fully replaced the legacy sideload-style LOB pattern for Android Enterprise.
Applies toAndroid Enterprise — visible to your MGP enterprise only
Console pathApps > Android > Add > Managed Google Play app > Private apps
Publish timeMinutes — plan ~10, not days
UpdatesUpload a higher versionCode to the same listing
Publishing a Private App
Apps > Android > Add > Managed Google Play app → in the embedded storefront, open Private apps (the lock icon) > +.
Name it, upload the APK/AAB, save. Google runs a light automated pass; the app is typically deployable in minutes (plan ~10, not days).
It now behaves like any MGP app: sync, assign Required/Available, attach managed config, done.
Updates = upload a new artifact with a higher versionCode to the same listing; Google Play delivers it fleet-wide on its update cadence. Your CI can do this through the Play Developer publishing path once the app graduates to a real release pipeline.
Web Apps
Same Private apps panel, web apps tab: give a URL, title, icon, and display mode — MGP wraps it into an installable app users get like any other. Best for intranet portals, dashboards, and line-of-business web tools that deserve a real icon in the launcher rather than a bookmark nobody finds.
What About Direct LOB APK Upload?
Intune's "Line-of-business app" (direct APK) type is the legacy device-admin-era path. On Android Enterprise, prefer MGP private apps every time: real update delivery, store presence, managed-config support, no sideload posture. If a vendor hands you a bare APK and shrugs, publish it as your private app — that's the supported pattern.
Insights
Private apps are bound to your MGP enterprise — one more reason that Google service account binding is crown-jewels infrastructure.
versionCode discipline saves weekends: monotonically increasing, mapped to your release tags, recorded in the repo. "Why didn't the fleet update" is almost always a versionCode that didn't increase.
Need the same app public later? A private listing can graduate via the Play Console — design package naming as if the app might someday escape.
MAM on Android — the data-layer shield that protects corporate data with or without device enrollment.
App Protection Policies put the control on the data rather than the device: policy travels with the app's corporate identity and data, enrollment or not. On Android the framework is mature, deeply wired into the work-profile and device-integrity stack, and carries controls that make security teams genuinely happy. This page covers what APP does on Android and how to layer it per fleet.
Applies toEnrolled and unenrolled devices — policy travels with the app
ProtectsCorporate identity and data inside managed apps
OffboardingSelective wipe — instant, surgical, no device touch
The Android Capability Set
Screenshot blocking works. APP can block screen capture of protected-app content on Android. Regulated-data orgs: it belongs in the same posture conversation as the hardening baseline.
Conditional Launch carries device gates: minimum OS, minimum security patch level (the patch-pressure lever reaching even unenrolled BYOD), rooted-device block, Play Integrity verdict requirements, and Defender-reported max allowed threat level. For MAM-only fleets, Conditional Launch is your compliance engine.
Encryption/backup: APP enforces app-data encryption posture and blocks protected data from Google backup paths — corporate data stays out of consumer cloud backups by policy rather than by trust.
Approved keyboards: optionally restrict protected apps to specified keyboard packages (third-party keyboards are a real exfil vector this policy exists for).
High-priority, postponed, and default update behavior — controlling when Managed Google Play moves your apps.
Managed Google Play keeps apps current automatically — the gift of the model — but when matters: a VoIP app updating mid-shift on a dedicated fleet is an outage with release notes. Update modes give you the throttle.
Set wherePer app, in its Managed Google Play configuration
ModesDefault · High priority · Postponed
Postpone window90 days — a deferral, not a pin
The Three Modes (Per App)
Set in the app's Managed Google Play configuration:
Mode
Behavior
Use for
Default
Updates on Play's normal logic — device idle, on Wi-Fi, charging-friendly windows
Most apps, most fleets
High priority
Updates pushed as soon as the developer publishes, constraints relaxed
Postponed is a deferral, not a pin — the window expires and the update lands; permanent version-freezing isn't the model (and fights the platform). For true pinning needs, the answer is process: coordinate with the vendor's release tracks, or own the app via private publishing where you control publish timing outright.
The Doctrine by App Class
The doctrine, by app class:
Security agents → high priority. A stale sensor is the one update lag with a blast radius.
The business-critical workflow app on dedicated devices → postponed, with a standing monthly validation rhythm so the 90-day clock never expires unvalidated.
Everything else → default, and stop thinking about it — that's the MGP value proposition.
Insights
Postponed mode pairs naturally with the developer-side track strategy: vendors and your own apps using closed testing tracks give you the pre-release gate; postponed gives you the post-release buffer. Together they're a full change-control story without owning a packaging pipeline.
Update timing on dedicated fleets also rides device state — kiosks that are never idle/charging per Play's heuristics can lag even on default mode; the maintenance-window thinking from OS updates applies to app updates too. A custom compliance or inventory check on the critical app's version closes the verification loop.
Closed testing through Managed Google Play — ringing your own APKs like you ring everything else.
Your private apps deserve the same ring discipline as OS updates and policies — and Google Play's track system provides it natively: production, plus closed-testing tracks, selectable per Intune assignment.
How It Works
Publisher side (Play Console, for apps published via the full console rather than the iframe quick-path): the developer maintains tracks — production and one or more closed tracks (alpha/beta-style) — uploading candidate builds to the testing track first.
Intune side: the Managed Google Play app's assignment surface exposes track selection — assign the closed track to your pilot group and production to the fleet. Same app, two populations, two versions, native plumbing.
Promotion is publisher-side: build proves out in the closed track → promote to production → the fleet's update mode takes it from there.
Stage 1Upload to the closed trackPublisher side — the candidate build lands in testing first
Stage 2Assign the track to ring-1Intune assignment — pilot group on closed, fleet on production
Stage 3Bake and verifyA versionCode check proves the pilot runs the candidate
Stage 4Promote to productionPublisher side — the fleet's update mode takes it from there
The Operating Pattern
Pilot group = the same ring-1 humans as your OS update rings — IT plus volunteer power users of the actual app; a dynamic group keeps it stable.
Bake time matched to risk: a UI tweak needs days; a scanning-workflow change on frontline hardware needs a representative site for a full cycle.
The track is for builds, not configuration — config experiments ride app configuration policies on the same build; don't fork builds to change settings.
The Iframe-Published Caveat
Apps published through the Managed Google Play iframe's quick private-app path get simplicity at the cost of the full track surface — fleets that outgrow single-track publishing graduate to a proper Play Console developer account for the app. That graduation moment is usually "the first time a bad build hit everyone at once."
Insights
Track assignments are the answer to the perennial "can we test the new version with just the warehouse team first?" — yes, natively, without sideloading, parallel app IDs, or unknown-sources heresy.
Close the loop with verification: a custom inventory check on versionCode per population proves the pilot is actually running the candidate before anyone calls the bake done.
Edge and Chrome under management — app configuration, the default-browser decision, and where web data lives.
The browser is the most-used app on the device and the leakiest if unmanaged. Android gives you real levers: managed app configuration for the major browsers, plus the policy context of whichever management mode frames it.
Microsoft Edge (the MAM-Native Choice)
Edge on Android is deeply App Protection-aware — corporate-identity tabs live inside the APP boundary (cut/copy/save-as rules apply to web content), making it the natural default where MAM is the data-control layer. Its app configuration surface covers homepage, bookmarks set, the identity behaviors, and the proxy/redirect settings your security stack wants. Deploy via MGP, configure by policy, and the BYOD web story is handled without touching the personal browser.
Chrome (the Managed-Config Heavyweight)
Chrome's managed configuration schema is enormous — URL allow/block lists, homepage/startup control, password-manager and autofill toggles, extension-adjacent and content settings — delivered through the standard app-config mechanism. On fully managed and dedicated fleets where Chrome is the deployed browser, that schema is your web policy engine; the discipline is the usual one: configure by documented intent, version the JSON in the repo, and resist configuring all four hundred keys because they exist.
MAM/APP is your data-control layer (BYOD)Microsoft EdgeCorporate-identity tabs live inside the APP boundary — selective wipe reaches web data.
a corporate-owned fleet needs deep web policyChromeEnormous managed-config schema — URL allow/block lists, startup control, content settings.
The Decisions That Matter
One sanctioned work browser per fleet, set as the work-side default — split browser populations split your policy story and your troubleshooting matrix.
Where does web data live? With APP-protected Edge, corporate web data sits inside the managed boundary and selective wipe reaches it; with unmanaged-context browsing allowed to corporate sites, it doesn't — which is exactly what Conditional Access app-enforced restrictions or APP-required policies exist to prevent.
Kiosk browsing is its own discipline — locked-down single-site browsing on dedicated devices wants the kiosk-browser pattern, not a hardened general browser.
Insights
Browser app config is the highest-leverage app configuration policy you'll write — one JSON shapes the majority of daily interaction surface.
Test config changes against signed-in sync behavior: a managed homepage fighting a user's synced personal Chrome profile produces "policy isn't applying" tickets that are actually identity-context confusion — the work-profile wall usually resolves it once you check which side the browser instance lives on.
What Intune can see, what privacy hides, and how to build the app-truth your security team asks for.
"What apps are on our Android devices?" has a mode-dependent answer — and knowing why it's mode-dependent keeps you from promising reports the architecture forbids.
Full inventory (and it should be a short, boring list)
Write this table into the security team's expectations before the audit request arrives — "we cannot see personal apps on BYOD" delivered proactively is architecture; delivered reactively it sounds like an excuse.
The Reporting Surfaces
Discovered apps (per-device and aggregate): the raw inventory, refreshed on the device-reporting cadence — the "is VLC installed anywhere" answer.
Managed app install status: per-deployment success/failure truth for everything you assigned — the App Install Status script automates it at fleet scale.
App Protection status for the MAM estate: which users' app instances are policy-current — the BYOD-side health metric that is available without device visibility.
Version-floor watching: the inventory's per-app version spread tells you whether update modes are doing their job — chart the critical apps' version distribution monthly, same rhythm as the patch-age buckets.
Unexpected-app triage on corporate modes: anything outside the sanctioned set on a fully-managed device means a source-control hole — investigate the door, not just the app.
Insights
Inventory freshness follows check‑in rhythm: a device asleep in a drawer reports stale truth. Filter inventory analysis to recently-synced devices or the version-spread numbers lie pessimistically.
The most useful "report" is often a delta: this month's discovered-apps set minus last month's — new arrivals fleet-wide surface in one diff, and Graph makes the snapshot trivial.
Do
Deliver the BYOD visibility boundary proactively, before the audit request
Filter inventory analysis to recently-synced devices
Chart critical apps' version distribution monthly
Don't
Promise personal-side app visibility on work-profile devices
Read a stale device's inventory as current truth
Stop at the app — an unexpected install means a source-control hole
The return path — how managed apps report status back, and what to do with the signal.
App configuration is famous as a one-way street: admin pushes JSON, app obeys. Android Enterprise also built the return lane — the managed configurations feedback channel, where apps report keyed app states back up the management stack: named key/value status pairs with severity and timestamps.
Managed appemits keyed app states
→
Management stackcarries the feedback channel
→
Console / Graphwhere you read the states
What Flows Back
A feedback-capable app reports states the developer chose to expose: configuration accepted/rejected per key, signed-in account, sync health, error conditions with messages. The canonical consumer is config validation — you pushed an app config with a malformed server URL, and instead of silence-until-ticket, the app reports the rejected key with a reason. For dedicated fleets running one critical workflow app, keyed states are the closest thing to application-level health telemetry the platform offers.
Two Hard Dependencies
Two dependencies gate the value, and both are outside your console:
The app must implement it — feedback is developer opt-in; Google's own enterprise apps and the better MDM-aware vendors do, the long tail doesn't. The procurement question ("does your app report keyed app states?") belongs in the RFP for workflow-critical apps — and it's a feature your ownprivate apps should implement, since you control both ends.
Surfacing varies by EMM and release — the states ride the Android management stack; how much your console exposes, and where, evolves. Where the UI is thin, the Graph layer is the fallback inspection path; verify current surfacing rather than assuming.
The Operating Pattern
For the apps that report: define the interesting keys with the vendor (config-rejection and auth-failure states first), wire them into the same review rhythm as install-status reporting, and treat a config push without a clean feedback pass as undeployed — the verification-loop habit, now with the app itself as witness.
Insights
The strategic frame: keyed app states turn management from polling into listening — the stack learning to tell you instead of waiting to be asked. Build the habit of consuming declared status now; every management surface is converging on it.
A straight map of paying for Android apps at fleet scale — what Managed Google Play does and doesn't do.
The single most important procurement fact about Android app deployment gets its own page: Managed Google Play has no general paid-app license store. There is no bulk purchase-and-assign mechanism for paid consumer Play titles in the MGP model — free apps distribute beautifully, and everything commercial happens outside the storefront. Plan around that fact rather than discovering it mid-rollout.
Store licensingNone — no bulk purchase-and-assign in Managed Google Play
Dominant modelFree store app + vendor-direct license via app config
License truthVendor portals — reconcile quarterly against install reporting
ReclamationA deactivation step in the offboarding runbook, not a console feature
How Paid Actually Works on Android
The patterns that exist, in order of prevalence:
Vendor-direct licensing + free app: the dominant enterprise model — the app is free on Managed Google Play; the license is a vendor relationship activated by app configuration (license keys, tenant IDs) or sign-in entitlement. Your "paid app" deployment is a free install plus a managed config carrying the proof of purchase.
Private apps for bespoke/contracted builds — the vendor publishes privately to your enterprise; commercial terms live in the contract, not the store.
Subscription-in-identity: licensing follows the user account (the Microsoft 365 pattern) — nothing to manage at the app layer at all.
The corollary for app selection: a vendor whose Android enterprise story is "users buy it on Play" hasn't built an enterprise story — that's a procurement-gate finding, same RFP list.
The Operational Hygiene
License truth lives in vendor portals, not your console — so build the ledger yourself: app → license model → count → renewal date, reconciled against install reporting quarterly. Reclaiming licenses when devices retire is a deactivation workflow, not a console feature: app uninstall and retirement gains a "release the vendor license" step that nothing automates for you, so write it into the offboarding runbook explicitly.
Insights
Write the licensing reality into your app-intake form once: Android = vendor-direct licensing required; no store-side bulk purchasing. One row in a template, and every future "can't we just buy it on Play" conversation is a link instead of a meeting.
Play Integrity, patch-level floors, and root detection — the Android compliance levers and how hard to pull them.
Android compliance plugs into the tenant's Conditional Access engine and brings unusually sharp instruments to the evaluation: hardware-attested integrity verdicts and date-based patch enforcement. Built well, an Android compliance policy leaves a compromised or neglected device very little room to argue its way past the front door.
Console pathDevices > Android > Compliance
ScopeOne policy per enrollment-mode family
RequiresDefender connector first, if gating on threat level
Enforced byConditional Access — compliance informs, CA acts
Prerequisites
Enrollment modes settled per the management-mode decision — corporate-owned and personally-owned work profile fleets get separate compliance policies.
If you intend to gate on threat level, Defender for Endpoint deployed and its connector feeding risk scores into Intune first.
A patch-cadence position you can defend — the minimum patch level works best driven by fleet data, not aspiration.
Step-by-Step: Building the Policy
Create policies under Devices > Android > Compliance, one per enrollment-mode family:
Rooted devices: Block. Non-negotiable, every fleet.
Require a Play Integrity verdict — Google's device-attestation service (SafetyNet's successor). Require device integrity (certified, untampered device); the strong/hardware-backed evaluation option raises assurance further on supporting hardware. This single setting filters out rooted, unlock-tampered, and uncertified devices with Google doing the attestation math.
Set a minimum security patch level — the patch-pressure mechanism: a rolling date floor (60–90 days back is a common production posture). Drive it from fleet data, move it monthly, announce the cadence so it's weather, not surprise.
Set minimum/maximum OS version — the floor to your support reality (N-2 typical); use the max only during controlled major-version validation windows.
Require password and encryption posture. Encryption is default-on for modern Android; require it anyway for the audit line. Password complexity to your standard; on BYOD this evaluates the work profile challenge.
Cap the allowed Defender threat level — if MTD is deployed, this is the live-signal half of compliance: an active threat changes the verdict now, not at the next audit.
Configure actions for noncompliance: grace period (24–72h) → user notification → mark noncompliant. The compliance policy informs; Conditional Access enforces.
Assign per mode family and pilot first — a misjudged patch floor marks half the fleet noncompliant at once, so land it on a known-good ring before broad assignment.
60–90 daystypical rolling patch-level floor
N-2common minimum-OS support floor
24–72 hoursgrace period before noncompliant
Mode-Specific Notes
Work profile (BYOD): compliance evaluates the work container and device-integrity signals — it cannot and does not audit personal-side content; say so in enrollment comms.
Dedicated devices: no user affinity means user-targeted CA isn't the lever — keep dedicated fleets healthy via monitoring and restrict their identities' scope instead.
AOSP: reduced signal set (no Play Integrity without GMS) — compensate with network-level posture and tighter physical control.
Verification
Watch the per-policy compliance report as assignments land: the noncompliant population should be explainable (stale devices, genuinely behind on patches), not surprising. Then validate the enforcement end — a deliberately noncompliant lab device should lose access per your Conditional Access design and regain it after remediation. A compliance policy that never demonstrably blocks anything is decoration.
Insights
Play Integrity failures on legitimate hardware almost always mean uncertified devices (gray imports, some budget OEMs) — a procurement finding wearing a compliance costume. The AER directory prevents it upstream.
Patch-level compliance is the rare control that improves fleet hygiene without admin effort per device — the noncompliant population self-identifies and self-resolves. Pull this lever before buying tooling that does less.
The enforcement layer — turning compliance verdicts and app protection into allow-or-block decisions at every sign-in.
Compliance describes the device; Conditional Access (CA) is the Entra ID engine that acts on the description. Two enforcement families matter on Android — device-based CA for the enrolled estate and app-based CA for the data layer — and one rollout discipline keeps either from locking out the wrong people.
Rollout ruleReport-only first, then rings — break-glass excluded everywhere
Device-Based CA: Enforcing the Compliance Verdict
The chain: the compliance policy evaluates → Intune writes the verdict onto the device's Entra record → a CA policy with the grant Require device to be marked as compliant reads that record at sign-in, after authentication. The chain is only as strong as the verdict — and on Android it's unusually strong, because Play Integrity anchors it in hardware-backed attestation: a tampered device can misreport its passcode posture but can't lie to attestation, so the access decision bottoms out in silicon. Two timing facts: a device in its noncompliance grace period still evaluates as compliant, and verdicts refresh on check‑in — the compliance schedule, not the CA policy, sets enforcement latency.
Compliance policyevaluates the device
→
Entra device recordcarries the compliant flag
→
CA policygrants or blocks access
App-Based CA: Protecting Data Without Claiming the Device
Require app protection policy admits a sign-in only from an app governed by an App Protection Policy — real enforcement for unenrolled BYOD: no device claim, corporate data confined to policy-governed apps. The older Require approved client app grant has reached retirement and is read-only; build anything new on the app-protection grant alone. App-based CA still requires Entra registration (not enrollment): a broker — Company Portal or Microsoft Authenticator — completes it, installing on demand at first sign-in.
Fleet
Grant pattern that works
Corporate-owned (fully managed, corporate-owned work profile)
Require compliant device, evaluated for the signed-in worker in SDM-aware apps
The Work-Profile Boundary and Browser Sign-Ins
On work-profile devices the Entra registration lives inside the container: badged apps and browsers can present device identity; the personal-side browser is an unregistered context and fails the compliant-device check by design. Microsoft Edge and Chrome support device authentication on Android — the first browser sign-in prompts for the device certificate — but never in private browsing, with cookies blocked, or from WebViews inside apps. So deploy a managed browser into the work profile, make it the documented path to corporate web apps, and teach the helpdesk that "mail works, browser blocked" on BYOD usually means the personal-side browser, not a CA failure.
Dedicated and User-Less Devices
CA evaluates at user sign-in, and a standard dedicated device has no user — user-scoped policies never fire for that hardware, and users can't sign in to CA-protected resources from it at all, compliant or not. Don't read an "all users — require compliant device" policy as kiosk coverage; it neither protects nor blocks that estate. The plays: compliance at device groups so the fleet still reports posture, narrowly scoped device-bound identities, and Entra Shared Device Mode where workers genuinely sign in — SDM makes the worker's sign-in evaluable, so the compliant-device grant works in SDM-aware apps.
Prerequisites
Compliance policies deployed per mode family, with a report you can explain — never gate on an unvalidated verdict.
Entra ID P1 licensing for Conditional Access.
A break-glass account excluded from every CA policy — tested before the incident, not during it.
A pilot group spanning your modes, plus comms covering what a block looks like and the way back.
Step-by-Step: First Device-Based Policy, Report-Only First
Create the policy under Endpoint security > Conditional Access. Name it like you'll eventually have fifty: CA-Android-RequireCompliant-Pilot.
Scope users deliberately. Include the pilot group; exclude break-glass and enrollment-operations accounts.
Pick target resources surgically. The Office 365 grouping is the classic first target — not All resources. If you do go all-in, exclude the Microsoft Intune Enrollment cloud app so enrollment sign-ins survive.
Condition on the platform: device platforms → Android only, keeping the blast radius to the fleet you validated.
Set the grant: Require device to be marked as compliant.
Enable in Report-only and create — nothing blocks yet; every matching sign-in records what would have happened.
Soak one to two weeks, then work the report-only results in the sign-in logs: stale registrations, forgotten device populations, service accounts — all cheaper to fix before enforcement.
Flip to On for the pilot, widen in rings, and consider All resources only once ring data is boring.
Verification
Prove both directions. A compliant pilot device signs into a protected app and the sign-in log's Conditional Access detail shows the compliant-device grant satisfied. A lab device forced noncompliant (the patch floor is the easy lever) gets blocked — and the path back through the Intune app or Company Portal actually works. On a work-profile device, the badged browser passes while the personal-side browser is refused. A policy you can't demonstrate blocking something isn't enforcement yet.
The Lockout Pitfalls
Blocking the enrollment apps themselves. Requiring a compliant device on All resources catches the sign-in that happens during enrollment — the device can't become compliant because it can't finish enrolling. The symptom is the Company Portal sign-in loop; the fix is excluding Microsoft Intune Enrollment from compliance-requiring policies.
No exclusion groups. CA applies to the admins who author it; without the break-glass exclusion, a bad policy locks out the only accounts that could repair it.
Grant logic surprises. "Require all the selected controls" with compliant-device and app-protection selected strands unenrolled BYOD; mixed estates almost always want Require one of the selected controls.
Counting the kiosks as covered. User-scoped CA doesn't see the dedicated fleet — its safety net is device-group compliance and monitoring.
Insights
The sign-in log names the policy and the exact grant that failed — splitting every CA ticket into "identity problem" (stale registration, wrong side of the work-profile boundary) or "compliance problem" in one look.
Report-only finds the population nobody modeled: long-enrolled devices with broken registrations, compliant in Intune yet still blocked. Fix those first, or day one buries the project in tickets.
Treat exceptions as debt with a date — every "temporary" exclusion group becomes the permanent bypass an auditor finds later. Review exclusions on the cadence you move the patch floor.
Mobile threat defense for Android — deployment, the risk-score loop, and the BYOD privacy story.
Defender for Endpoint on Android closes the mobile threat defense loop end to end: the device carries a risk score, compliance caps the acceptable score, and Conditional Access acts on the result. Threats change access now, not at the next audit.
Web protection / anti-phishing via a local VPN construct (traffic inspection on-device — not a tunnel to Microsoft), with the option to pair actual tunneling through Microsoft Tunnel in the same app (VPN page).
Malware and unwanted-app detection — meaningful on a platform where sideloading exists; complements (doesn't replace) Play Protect and Play Integrity gating.
Risky-device signal: root and tamper indicators, dangerous configurations, network threats — distilled into the risk score Intune consumes.
Deployment
Approve/assign the Microsoft Defender app via Managed Google Play — required on corporate fleets, required-with-comms on work profiles.
Connect the Defender for Endpoint connector (Endpoint security > Microsoft Defender for Endpoint) so risk scores flow into compliance.
Ship an app configuration policy for Defender — this is where low-touch onboarding and feature toggles (web protection on/off per fleet, VPN behavior) live, trimming the user's setup to nearly nothing.
Add the device risk score rule to Android compliance policies. The loop is closed.
The Work-Profile Privacy Note (Have This Ready)
On BYOD work profiles, Defender installs inside the work profile and scans the work side — the personal profile stays outside its view, consistent with the whole work-profile privacy architecture. The web-protection VPN likewise scopes to the profile. Publish that sentence with your rollout; the "is IT reading my phone" question arrives either way, and the correct answer is reassuring.
Insights
Sequence connector → app → config → then the compliance rule, piloted: flipping the risk-score rule onto a fleet before Defender saturates marks healthy devices noncompliant and turns your rollout into a helpdesk event.
Defender's threat level also feeds APP Conditional Launch — meaning even MAM-only unenrolled devices participate in the risk loop. Few orgs use this; the good ones do.
Verdicts, hardware-backed attestation, and what actually trips integrity failures — the trust signal under Android compliance.
Compliance names Play Integrity as a checkbox; this page is what the checkbox means — because when a device fails it, the triage runs through this anatomy.
The Verdict Levels
Play Integrity evaluates the device and returns layered verdicts; in Intune compliance terms you choose the bar:
Basic integrity: the device isn't obviously compromised — but the check tolerates more (some uncertified or tampered states can pass basic while failing higher bars). A floor, not a posture.
Device integrity (certified): the device is a GMS-certified unit running a genuine, untampered build — the standard corporate bar.
Strong/hardware-backed: the verdict is rooted in hardware-backed key attestation — the TEE vouches, not just software. The bar for high-assurance fleets; older hardware can't always meet it, so check the fleet's capability before mandating it (procurement again).
Pick the level as policy, document why, and apply it through compliance → Conditional Access.
you only need a floor against obvious compromiseBasic integrityTolerates more — some uncertified or tampered states still pass. A floor, not a posture.
you want the standard corporate barDevice integrityGMS-certified hardware running a genuine, untampered build.
the fleet is high-assurance and the hardware supports itStrong integrityHardware-backed key attestation — the TEE vouches. Check fleet capability first.
What Actually Trips Failures
In rough order of real-world frequency:
Unlocked bootloader / custom ROM / root — the intended catch; the device is modified and the verdict says so.
Uncertified hardware — gray-market or non-GMS devices that never could pass; a procurement leak surfacing as a compliance ticket.
Transient evaluation states — fresh enrollments and devices long offline can lag a verdict cycle; one sync and a recheck beats escalation.
OS-level oddities post-update — rare, usually OEM-firmware-specific, and the reason ring-1 exists.
Play Integrity succeeded SafetyNet — older docs, vendor checklists, and audit templates saying "SafetyNet attestation" mean this system; translate silently and move on.
Insights
Integrity is the signal that makes Android compliance more than self-reporting — a rooted device can lie about its password policy but not to hardware-backed attestation. That's the line to use when security review asks why the checkbox matters.
Don't build allow-list exceptions for failing devices "temporarily" — an integrity exception is an attested-compromised device with corporate access. The exception process is replacement, not tolerance.
Plugging third-party MTD — or Defender — into the compliance loop, and running the risk-score economy honestly.
Mobile Threat Defense is the live-threat layer: an on-device sensor scoring the device's risk (malware, network attacks, OS exploits, risky configs), with the score feeding compliance so Conditional Access can act on it. Defender is the Microsoft-native implementation; this page is the pattern — including when the sensor is Lookout, Zimperium, Check Point, or another partner.
Console pathTenant administration > Connectors > Mobile Threat Defense
RequiresA working compliance-to-Conditional-Access loop
Sensor deliveryRequired app via Managed Google Play, zero-touch activation
Hard ruleOne MTD sensor per device — never two
Prerequisites
One MTD vendor chosen per fleet — Defender or a partner (decision guidance below); the non-negotiable is a single sensor per device.
A working compliance-to-Conditional-Access loop — the risk score only matters if it has an enforcement path to land in.
A healthy Managed Google Play pipeline, because the sensor ships to every device as a required app.
Admin access to the MTD vendor's console — activation health and threat detail live there, not in Intune.
Step-by-Step: The Integration Anatomy (Any Vendor)
Establish the connector. Tenant administration > Connectors > Mobile Threat Defense — this creates the Intune↔MTD-vendor trust and is the channel risk scores ride. Enable the Android compliance-policy evaluation for the connector so the vendor's scores are permitted to drive device state.
Deploy the sensor app. Push it via Managed Google Play as required, configure it via app config, and let it enroll to the vendor's backend. Most vendors support zero-touch activation under management — insist on it; manual activation is a coverage hole generator, because every user who never opens the app is an unprotected device that reports as deployed.
Point compliance at the score. Add device threat level at or under X to the compliance policy — the policy line that converts detection into enforcement. Without it, the sensor is a dashboard, not a control.
Optionally, extend to the MAM-only population.App Protection conditional launch consumes MTD signals for devices you don't manage — threat defense for the unenrolled tier.
Verification
Measure coverage before any threat metric: % of fleet with a healthy, activated sensor — an MTD program at 60% activation is a coin-flip control. Inventory the sensor app's status like the security agent it is, and reconcile it against the vendor console's activation list.
Rehearse the response path end-to-end once per quarter: plant a test detection, watch score → compliance → CA block → remediation → restoration. The loop you've rehearsed is the loop that works at 2 a.m.
Choosing the Threat-Level Bar
The vendor scores Low/Medium/High-style; your compliance bar decides the trigger. The honest calibration: start at High (act on confirmed-bad), watch the alert economy for a quarter, tighten to Medium when the false-positive rate proves the vendor's tuning. Starting strict on day one converts every vendor heuristic hiccup into a user lockout — and lockout fatigue is how security tools get politically killed.
Defender vs Partner: the Decision
Microsoft-stack orgs default to Defender (one connector, Tunnel co-residency, one console). Partners win on specific strengths — existing enterprise agreements, specialized detection claims, multi-MDM estates. What doesn't work: two MTD sensors on one device — they fight, drain, and double-report; one sensor per fleet, chosen deliberately.
you run a Microsoft-stack shopDefenderOne connector, Tunnel co-residency, one console.
an enterprise agreement, specialized detection, or a multi-MDM estate points elsewherePartner MTDLookout, Zimperium, Check Point — same connector pattern; threat detail lives in the vendor console.
The restriction set that constitutes "hardened" on corporate Android — assembled, justified, and ready to defend in review.
Scattered across the restrictions, radios, and account-control pages is a de-facto security baseline. This page assembles it into one defensible artifact: opinionated defaults, every line justified, organized so a security review can walk it top to bottom.
Applies toCorporate-owned fleets, with a shorter BYOD counterpart
Five pillarsSource integrity · data paths · crypto · updates · recovery
ArtifactA versioned profile set in the repo, with change notes
The Corporate-Owned Baseline (Fully Managed / Dedicated)
Identity and integrity:
Personal account add: blocked · Unknown sources: blocked · Developer options/USB debugging: blocked · Play Protect: enforced — the source-integrity stack as one unit
Play Integrity at device integrity minimum in compliance
Data paths:
USB file transfer: off · Bluetooth contact sharing: off · Tethering per fleet decision · Backup to personal Google: blocked
Screen capture: per data classification (blocked on regulated fleets; the APP layer covers app-level capture on BYOD)
The work-profile baseline is shorter by design — the wall does most of the work: work-profile challenge required, cross-profile matrix decided, APP policy carrying the data controls, Play Integrity in compliance. Resist porting device-owner controls into the profile; half don't apply and the other half violate the social contract.
Operating the Baseline
Keep one baseline profile set, versioned in the repo. The baseline is an artifact with a history, not a pile of console toggles — exported profiles and change notes make every delta explainable a year later.
Handle deviations as documented variant profiles. The kiosk that needs USB host mode gets a named exception via OEMConfig, not an edited baseline — the moment the baseline itself bends for one fleet, it stops being a baseline.
Run an annual review pass against the new OS release. Each major Android version adds and retires controls; the yearly pass keeps the baseline current instead of fossilized.
Do
Version the baseline in the repo with change notes
Handle deviations as named variant profiles
Re-review against each major OS release
Don't
Bend the baseline itself for one fleet's exception
Port device-owner controls into work profiles
Let the baseline fossilize as console toggles with no history
Frameworks & Benchmarks: CIS + Android Enterprise
Read this section before you argue Android hardening with an auditor. The single most important fact about Android on Intune is the one Microsoft will never put in a marketing deck: there is no Microsoft security baseline for Android. The Intune security-baselines surface is Windows-only — the overview page is literally titled "security baselines for Windows devices," and every shipping instance is Windows 10/11 MDM, Microsoft Defender for Endpoint, Microsoft 365 Apps, Microsoft Edge, HoloLens 2, or Windows 365. There is no Android (or iOS) entry in Endpoint security > Security baselines, and there never has been. So when someone asks "where's our Android CIS L1 baseline profile," the honest answer is that the authoritative hardening for Android comes from a different stack entirely: the CIS Google Android Benchmark, the Android Enterprise management model (which you already configured above as the corporate/BYOD restriction sets), the Intune App Protection / Data Protection Framework, and OEM hardening such as Samsung Knox. Your Settings Catalog restriction profiles are how you implement those controls — but the control catalog itself lives upstream.
MS Android baselineNone — Intune baselines are Windows-only
CIS Google Androidv1.6.0 — single benchmark, free PDF (non-commercial)
App Protection levels3 (basic / enhanced / high)
AttestationPlay Integrity API (SafetyNet turned down Jan 2025)
CIS Google Android Benchmark — And Why It's Thinner Than Apple/Windows
The CIS Google Android Benchmark is the closest thing to a vendor-neutral, consensus hardening standard for the platform, and the current published version is v1.6.0. Be honest with your stakeholders about what it is and is not. Unlike the CIS macOS benchmarks (which split cleanly into Level 1 and Level 2 profiles and track each yearly OS release alongside Apple's own macOS Security Compliance Project), or the CIS Microsoft Windows benchmarks (with L1/L2 workstation, L1 server, BitLocker and Next-Generation Windows Security profiles per release), the Android coverage is comparatively thin and slower-moving: it ships as essentially one benchmark, it is not partitioned into the same crisp L1/L2 workstation tiers, and it is not re-cut tightly against every annual Android dessert release. Practically, that means you cannot point Intune at a "CIS Android L1" template and call it done. You read the benchmark PDF, map each recommendation to a Settings Catalog or device-restriction setting under the relevant Android Enterprise profile (work profile vs fully managed change which controls even exist), and you own the drift.
Operational gotchas a real fleet hits: (1) profile surface differs by management mode — a personally owned work profile cannot enforce most device-wide controls, so a CIS recommendation that assumes full device ownership simply has no knob in BYOD; budget for two mappings, not one. (2) Version skew is brutal on Android — a setting present on a Pixel running current Android may be absent or behave differently on a two-year-old OEM build, so validate per device family before you assert compliance. (3) Audit evidence doesn't come from Intune's baseline reporting (there is none for Android) — you build it from device-configuration profile assignment status, compliance-policy state, and exported Graph reports, then reconcile that back to the benchmark line items by hand or with a script.
For the implementation side of mapping benchmark items to actual profiles, see Android device restriction profiles (the same Settings Catalog authoring model applies) and the platform-level compliance policies that gate access on the controls you set.
Android Enterprise: The Real Hardening Model (Work Profile Separation)
Where CIS gives you settings, the Android Enterprise management model gives you the isolation architecture those settings sit inside — and this is genuinely strong, often stronger than the equivalent on other platforms. The whole point is work-profile separation: on a personally owned device, Android Enterprise provisions a cryptographically separated work profile with its own encrypted storage, its own managed Google Play instance, and a hard data boundary the OS enforces — IT manages everything inside the badge and nothing outside it. For corporate-owned hardware you escalate to fully managed (COBO), dedicated/kiosk (COSU), or corporate-owned work profile (COPE), each exposing progressively more device-wide control. (These four modes are exactly the corporate/BYOD restriction sets configured earlier on this page — the framework context here is why they exist, not a re-listing of their settings.)
Two hard truths for operators: Android device administrator (DA) management is deprecated and is no longer available on devices with Google Mobile Services — if you still have DA enrollments, migrate them to an Android Enterprise mode now, because you are running on borrowed time. And the device-quality floor matters: Google's Android Enterprise Recommended program is the validated shortlist of business devices and EMM solutions that meet elevated requirements. The current knowledge-worker minimum is Android 16.0 (6 GB RAM, 32 GB storage), and OEMs must publish their security-update cadence (commonly every 30 or 90 days) plus a Security Maintenance Release end date and support at least one major OS upgrade. Buying off that shortlist is how you avoid the version-skew and patch-latency problems that otherwise wreck your CIS mapping.
App Protection Framework: Three Levels, Even With No Device Baseline
Even on a device you do not manage at all, you still have a real hardening lever: the Intune App Protection / Data Protection Framework, delivered through App Protection Policies (MAM). Microsoft organizes it into three prescriptive levels — Level 1 enterprise basic, Level 2 enterprise enhanced, and Level 3 enterprise high — and each level is additive (Level 2 includes all of Level 1; Level 3 includes all of Level 2). This is the mobile analogue of the Windows security-configuration taxonomy, and it is the one place Microsoft does ship leveled prescriptive guidance for Android.
Level 1 (basic): require an app PIN, encrypt org data, allow selective wipe, block on rooted devices, and turn on Google Play device attestation ("Basic integrity and certified devices") plus the Verify Apps threat scan. This replaces legacy Exchange device-access policy for most users.
Level 2 (enhanced): clamp data transfer to policy-managed apps, block backup and screen capture, require a minimum OS version and minimum security patch date (YYYY-MM-DD), step up to the hardware-backed key attestation evaluation type, and add Samsung Knox device attestation = Block access for Knox hardware.
Level 3 (high): six-digit non-simple PIN, Class 3 biometrics, approved-keyboards only, block printing and open-into-org-documents, escalate Knox attestation to Wipe data, and wire in Mobile Threat Defense (max-allowed-threat-level = Secured) for targeted high-risk users.
The operational payoff: App Protection works on enrolled and unenrolled devices, so it's your enforcement floor for BYOD where you have no MDM authority — gate it with Conditional Access requiring an app-protection policy. For how this ties into device-side enforcement on the platforms that do have baselines, compare against Defender and endpoint security and the Windows security baselines.
Play Integrity: The Attestation Layer Behind Compliance
The trust signal under all of the above is hardware/Google-backed attestation, and the important change for anyone still copying old runbooks: SafetyNet Attestation is gone. Per Google, the SafetyNet Attestation API "was deprecated in 2022 and fully turned down in January 2025" — calls to it now fail with an error. Its successor is the Play Integrity API, which consolidates the old SafetyNet integrity verdict into a single API that attests the app is an unmodified binary installed by Google Play, running on a genuine, untampered Android device. Intune's conditional-launch settings (labeled "SafetyNet device attestation" in the older UI, and the "hardware-backed key" evaluation type) ride on this Play Integrity machinery, and Knox attestation layers OEM-level hardware verification on top for Samsung fleets.
For a real deployment, plumb the attestation result through to compliance: a failed integrity verdict should flip the device non-compliant, and Conditional Access then blocks the corporate resource. That chain — Play Integrity verdict, Intune attestation/compliance evaluation, Conditional Access grant control — is your actual root/tamper defense, and it's worth testing per device family because attestation behavior is exactly where OEM and Android-version skew shows up first. See conditional access for the gating side.
The review-meeting cheat code: this page's structure is the security questionnaire's structure — source integrity, data paths, crypto, updates, recovery. Map your profile export to those five headings and the audit reads itself.
File-based encryption, the work-profile crypto boundary, and where corporate data actually lives.
Android's encryption story is quietly excellent — file-based encryption is mandatory and default since Android 10, hardware-backed on certified devices — which shifts the admin's job from enabling crypto to attesting and bounding it: prove the protection is present, then control where the protected data is allowed to travel.
EncryptionFile-based, mandatory and default since Android 10
Key anchorDevice credentials + hardware keystore
Work profileA separately-keyed encryption domain
Your jobAttest via compliance; keep the unlock credential real
The Encryption Layer
File-based encryption (FBE) encrypts per-file with keys bound to device credentials and hardware keystore — credential-encrypted storage stays sealed until first unlock. Your job: attest it via compliance (require encryption — on certified modern hardware this passes by construction, and the rare failure is a hardware-integrity red flag, not a settings problem), and keep the credential real (passcode policy) since FBE's strength inherits from the unlock secret.
The Work-Profile Crypto Boundary
On work profile and COPE devices, the profile is a separately-keyed encryption domain — the work-profile challenge gates its keys independently. This is why profile removal is cryptographically clean (retire = the keys die with the profile) and why the wall isn't just UI: personal and work data are different key domains on the same flash.
Where Corporate Data Actually Lives (the Boundary Map)
The defense-in-depth map worth drawing once:
Device layer: FBE + lock credential — protects against the lost/stolen-hardware case
Profile layer: the work container's separate key domain — protects the corporate set specifically
App layer: App Protection Policies — protects data in use (cut/copy/save-as/PIN) and survives onto unmanaged devices
Service layer: Conditional Access riding compliance — protects the cloud side regardless of any device's fate
Backups are the classic boundary leak: block backup of work data to personal Google accounts in the account controls — an encrypted device faithfully exporting plaintext-equivalent data to a consumer cloud is the architecture defeating itself politely.
Insights
When security review asks "is the data encrypted at rest," the strong answer is the four-layer map, not "yes" — encryption-at-rest is table stakes; the layered boundary is the design.
Selective wipe's credibility rests on this anatomy: retire kills the profile keys, APP wipe kills the managed-app data — both are key destruction, not best-effort deletion, and that's worth saying out loud in the data-handling document.
What telemetry actually exists — platform capability versus console surfacing, and the audit story you can honestly promise.
"What security logs do we get from the Android fleet?" deserves a precise answer, because the platform's capability and your console's surfacing are different layers — and audit promises built on the wrong layer become findings. The discipline below is tier-by-tier honesty: name each telemetry layer, what it actually emits, and which promises it can carry.
Never promise"Full device logging" — structurally false for BYOD
The Layers, Honestly
Android Enterprise's platform capability: the management framework defines security and network logging features for corporate-owned devices — security-relevant events (auth attempts, app installs, ADB/USB activity) and network-level logs (DNS/connection records), retrievable by the device's management stack. Defined is the operative word: how much of this any EMM ingests and exposes varies — verify Intune's current surfacing against documentation before promising it to an auditor, and assume thin until proven.
What Intune reliably gives you today: the management-plane audit trail — enrollment events, compliance state history, policy and app deployment records, admin actions — all Graph-queryable and SIEM-shippable. This is solid audit material; it's fleet truth, not on-device event truth.
The MTD/EDR layer: Defender or your MTD partner is the on-device security-event sensor in practice — threat detections, risky-app findings, network-protection events flowing into its own portal and your SIEM. For most estates, this is the on-device security telemetry story, and sensor coverage % is therefore an audit metric.
The attestation layer: Play Integrity verdicts as point-in-time integrity evidence — not a log stream, but the strongest single signal in the stack.
The Promise You Can Write Down
The defensible sentence for the audit doc: management-plane events from Graph, on-device threat telemetry from the MTD sensor at N% coverage, hardware-backed integrity verdicts in compliance — three named sources, each verifiable. The sentence to avoid: "full device logging," which the work-profile privacy wall makes structurally false for BYOD anyway, by design and for good reason.
Insights
Rehearse one retrieval: pick a question ("what did this lost device's last day look like?"), answer it from your actual sources, time it. The gap between the architecture slide and that stopwatch is your real logging posture.
The Android lost-device playbook — lock-with-message, locate, and the action ladder from misplaced to gone.
Corporate-owned Android carries a complete lost-device kit — remote lock with a message, a formal lost mode with locate, and the escalation ladder beyond — and the playbook deserves to be written before the first frantic call.
Applies toCorporate-owned — fully managed and dedicated
BYOD reachThe work profile only — no device locate, no device wipe
LocateAn incident power in lost mode, not a standing one
Remote lock (+ message): the immediate move — screen locked, and the lock-message capability (the branding page's recovered-hardware play) carrying "Property of <Org> — call helpdesk" to whoever finds it. Reversible, costless, fire it early.
Lost mode (corporate-owned, where supported by mode and OS): the formal state — device locked into a lost posture with your message/callback, and location retrieval permitted in this state on devices where it's otherwise restricted; the privacy architecture is the point: locating is an incident power, not a standing one. Exit is admin-driven when the device resurfaces.
Passcode reset where the mode supports it — the recovery path when the device is found but the user's credential isn't.
Wipe/retire: the mode-appropriate end state — factory reset for corporate-owned with FRP standing guard against the thief's fresh start, profile removal for BYOD. Bulk actions carry the Monday-morning batch version.
Rung 1Remote lock + messageReversible and costless — fire it early
Rung 2Lost modeLocked posture; locate becomes permitted in this state
Rung 3Passcode resetDevice found, credential lost
Rung 4Wipe or retireFRP stands guard against the fresh start
BYOD reality check: the work profile's wall means no device locate, no device wipe — your reach is the profile. Say so in the BYOD policy before someone's personal phone goes missing, not after.
The Playbook Mechanics
Write the one-pager before you need it, in four sections:
Authority per rung: who may invoke each action — locate especially, which should be RBAC-scoped, logged, and justified per use; an incident power that quietly becomes a standing habit is a privacy finding waiting to be written.
User-comms templates: the "we've locked your device, here's what happens next" messages, drafted calmly in advance rather than improvised mid-incident.
The deterrence facts: FRP plus zero-touch re-enrollment make a stolen corporate Android nearly worthless to fence — write that down where the security team and the insurer can both cite it.
The evidence trail: for the devices that were taken rather than lost — action history, timestamps, and any lawfully captured location data — assembled the same day, while the record is fresh.
Insights
The deterrence story compounds: lock-message + FRP + supply-chain re-enrollment + Play Integrity catching tampered returns means a corporate Android resists theft at four layers — worth one slide in security review, because the layers were configured on four different pages and nobody's seen them as one system.
When system update policy isn't enough — pinning, staging, and scheduling firmware through the OEM services.
System update policy shapes when Google-delivered updates land; it can't pin a fleet to a specific firmware build or stage OS versions through validation gates. That capability lives in the OEM FOTA services — Samsung Knox E-FOTA, Zebra LifeGuard, and the rugged-vendor equivalents — and this page is when they're worth the license.
Driven fromThe OEM's console — pinning, rings and schedules live there, not in Intune
Hard ruleOne update authority per fleet
What FOTA Services Add
Version pinning: the fleet holds build X until you promote — the capability postponed app updates provide for apps, extended to the OS itself
Staged campaigns: target build Y to the ring-1 group, validate, promote by group — real rings for firmware, with scheduling windows that respect shift calendars
Forced currency: the inverse muscle — push the fleet up to a minimum build on your date, closing the stragglers system-update policy can only nag
The Integration Shape
Deploy the FOTA agent and its configuration via OEMConfig and managed config — the agent on the device is what actually executes the campaign.
License and drive campaigns in the OEM's console — build pinning, ring definitions, and schedules live there, not in Intune.
Set your Intune-side update policy to not fight it. One authority owns the update calendar per fleet — two systems steering firmware at once produces deferral conflicts and devices that update on neither schedule.
Who Actually Needs This
The short list: validation-gated fleets — a workflow app vendor certifying against specific builds, regulated environments where OS changes are change-controlled, dedicated devices where a surprise firmware UI shift breaks a kiosk flow. Knowledge-worker fleets on AER hardware generally don't: standard update policy's deferral windows cover their risk, and the FOTA license buys ceremony they won't use.
OS changes are validation-gated or change-controlledOEM FOTA servicePin, stage by ring, schedule around shifts — with a promotion calendar, never indefinitely.
it's a knowledge-worker fleet on AER hardwareStandard update policyDeferral windows cover the risk; the FOTA license buys ceremony you won't use.
The Discipline That Comes With the Power
Pinning is a security loan: every month on build X is a month of unpatched CVEs accruing interest. The operating covenant — pin with a promotion calendar, never indefinitely; track the patch-age buckets against the pin, and let the compliance patch floor define the never-cross line that no validation backlog excuses.
Insights
The procurement tie-in completes the loop: FOTA capability is OEM- and license-bound, so the lifecycle ledger gains a column — firmware-control coverage — and a mixed fleet where only half the hardware can be staged is a half-implemented change-control story; know which half before the auditor asks.
Single-app and multi-app kiosks on dedicated Android — built on the Managed Home Screen launcher.
An Android kiosk is a dedicated enrollment plus a locked launcher. Microsoft's Managed Home Screen (MHS) app is that launcher: a replace-the-home-screen shell showing only what you allow, with branding, PINs, and session behavior all under policy control.
The kiosk profile lives at Devices > Android > Configuration > Device restrictions (corporate-owned template) > Dedicated devices / Kiosk, and the first decision is the mode:
Single-app: one designated app owns the screen — Android pins it (lock task mode); the user can't leave. Signage, check‑in stations, single-purpose scanners.
Multi-app: the device locks to Managed Home Screen, which presents a curated grid of your chosen apps. Frontline and shared-purpose devices live here.
Prerequisites
A dedicated enrollment profile and token — kiosk mode is a corporate-owned, dedicated-device story.
MHS and every kiosk app approved in Managed Google Play, ready to assign as Required.
A device group that captures dedicated enrollments, so apps and policy target the same population from the first boot.
Step-by-Step: Standing Up a Multi-App Kiosk
Assign the apps first. MHS and every payload app go to the dedicated group as RequiredMGP apps. Ordering matters at imaging time: enroll → apps land (MHS + payload apps) → kiosk policy applies. Locking the launcher before apps exist strands the device in an empty shell — stage assignments so the dedicated enrollment group gets apps and policy together.
Create the kiosk profile. In the corporate-owned device-restrictions template, choose multi-app kiosk and select MHS plus every app that should appear in the launcher grid.
Configure MHS through its app configuration policy. The kiosk profile only locks the device to MHS; the experience — branding, PINs, sessions, screensaver — is all app config (next section).
Enroll a pilot device and watch the sequence land: enrollment completes, apps install, launcher locks. Only then widen assignment to the fleet group.
Step 1EnrollDedicated token; the device joins the kiosk device group
Step 2Apps landMHS + payload apps install as Required
Step 3Kiosk policy appliesThe launcher locks — never before the apps exist
Step 4Pilot, then widenWatch the sequence land before fleet assignment
Branding: wallpaper, icon size/grid, app ordering, folder structure — the launcher is the device's entire visual identity, so curate it deliberately
Session PIN / sign-in: require a PIN to use or to exit kiosk for maintenance; integrate sign-in for Shared Device Mode fleets
Screensaver with inactivity timeout (brand it; it's free signage)
Auto-launch an app on session start; exit-kiosk maintenance access for technicians (guard it with a strong PIN, rotate it like a credential)
Virtual home/back button behavior, status-bar exposure, Wi-Fi/Bluetooth user toggles — every one a deliberate decision on a public-facing device
Verification
On the pilot unit, confirm the lock holds: home, recents, and notification-shade escapes should go nowhere the profile didn't allow.
Walk the maintenance path end to end — exit PIN in, service action, return to kiosk — before the first field incident needs it.
Insights
Keep a documented maintenance path (exit PIN + what techs may touch) or field staff will factory-reset their way out of problems — and with zero-touch + FRP configured, that's recoverable, but it shouldn't be the workflow.
Entra Shared Device Mode — one tap signs a frontline worker into every app, one tap signs them out of everything.
Shared hardware with rotating humans is the frontline reality — and per-app sign-in/sign-out across a shift change is how shared devices fail. Microsoft Entra Shared Device Mode (SDM) fixes the identity layer: a worker signs in once at the device level, every SDM-aware app picks up the session, and sign-out is global and data-clearing. The handoff problem is solved at the account layer, so the hardware itself never needs re-provisioning between workers.
RequiresDedicated enrollment with the Entra Shared Mode token — set at enrollment
BrokerMicrosoft Authenticator, deployed as required
LauncherManaged Home Screen with sign-in enabled
App requirementSDM-aware apps — MSAL shared-device support in vendor asks
Prerequisites
Corporate-owned hardware destined for dedicated enrollment — the mode is set at enrollment time, so plan it before devices are provisioned.
Microsoft Authenticator ready to deploy as a required app; it brokers the device-level account state.
Managed Home Screen as the launcher, with its app configuration prepared to enable sign-in.
An honest app inventory: which of your frontline apps are SDM-aware — and for line-of-business apps, MSAL shared-device support written into the vendor requirements.
Step-by-Step: How It's Built
Create the enrollment profile. A corporate-owned dedicated devices profile with the Microsoft Entra Shared Mode token type. The mode is set at enrollment — existing dedicated devices need re-enrollment to convert.
Deploy the broker.Microsoft Authenticator deploys as required; it brokers the device-level account state.
Deploy the launcher.Managed Home Screen with sign-in enabled in its app config — MHS presents the badge-in screen, drives session start/end, and can auto-sign-out on inactivity.
Deploy the apps. SDM-aware apps deliver the experience — Teams and the frontline Microsoft suite lead the list; line-of-business apps participate by integrating MSAL's shared-device support (a one-line requirement to put in your vendor conversations).
Shift flow: badge in on MHS → Teams and friends are already signed in → work → sign out (or timeout) → every app's session and cached data clears → next worker badges in. No identity residue between humans.
Badge inOne sign-in on MHSEvery SDM-aware app picks up the session
WorkTheir Teams, their tasksFull per-user experience on shared hardware
Sign outGlobal and data-clearingOr the inactivity timeout fires
Next workerClean sessionZero identity residue between humans
SDM vs Plain Multi-App Kiosk
Multi-app kiosk
Shared Device Mode
Who is signed in
Nobody / a device account
The current worker, globally
Per-user experience
None
Full (their Teams, their tasks)
Sign-out hygiene
Per app, trusted to humans
Global, enforced
Fit
Signage, lookup stations
Shift-based frontline work
Verification
Pilot the session boundary hard: badge out, hand the device to a second tester, verify zero residual access in every deployed app — that test is the product. Apps that fail it aren't SDM-aware no matter what the brochure said.
Confirm the inactivity sign-out fires on the schedule the floor agreed to, and that the next badge-in lands in a completely clean session.
Insights
Conditional Access applies to the signing-in user as usual — frontline CA policies (compliant shared device + location) compose cleanly with SDM, and the compliance loop still evaluates the device underneath.
Inactivity sign-out timing is a floor-operations decision, not an IT default — set it with the people running the shift, then enforce it in MHS config.
The MHS configuration cookbook — sessions, PINs, screensavers, virtual buttons, and the settings that make kiosks humane.
The kiosk page establishes Managed Home Screen as the multi-app kiosk launcher; this page is the settings cookbook — MHS has a deep app configuration surface, and the difference between a tolerable kiosk and a great one lives in it.
The Configuration Surface That Matters
Layout and identity:
Grid layout, app ordering, folders — curate deliberately; a kiosk launcher with one screen of exactly-the-workflow beats a corporate app dump
Branding: logo, background, theme colors — the visual identity layer for dedicated fleets lives here
Session and sign-in:
Session PIN / sign-in behavior: the complexity dial for shared-pattern kiosks — auto sign-out on inactivity, session PIN for quick re-entry, the end-of-shift reset rhythm
Auto-launch: single-dominant-app fleets can auto-open the workflow app while keeping MHS underneath as the escape-hatch frame
Screen behavior:
Screensaver/media mode: idle-time branding or instructions — the lobby kiosk's attract loop is an MHS setting, not a separate signage product
Virtual home/back buttons where hardware buttons are blocked — without them, some workflows trap users in sub-screens
Admin exit: the PIN-protected path out of MHS for the tech servicing the device — set it, vault the PIN, and the bench visit stops requiring a wipe
Controlled access to specific settings (Wi-Fi picker for travel carts, volume) without opening Settings wholesale
Operating Notes
MHS config is JSON via app configuration policy — treat every change to it like a production release:
Version it in the repo like the production UI definition it is — each key change gets a commit and a reason.
Stage changes through a pilot device group and let them soak through a real shift; a bad MHS push redecorates every kiosk in the fleet simultaneously.
Promote to the fleet group only after the pilot survives contact with real users — and keep the previous config version archived as the rollback.
Do
Version every MHS config change in the repo with a reason
Soak changes through a real shift on a pilot group
Watch a real user at the device for ten minutes
Keep the previous config archived as the rollback
Don't
Push MHS config straight to the fleet — a bad push redecorates every kiosk at once
Let the launcher update mid-shift — postponed/validated track for dedicated fleets
Treat MHS config as console toggles rather than a production release
Insights
The highest-ROI hour in any kiosk program: stand at the device and watch a real user for ten minutes — the missing back button, the too-short timeout, and the un-findable Wi-Fi picker all reveal themselves immediately, and every one is an MHS key away from fixed.
MHS updates itself via Managed Google Play — put it on the postponed/validated track for dedicated fleets; the launcher updating mid-shift is the one app update users can't ignore.
One app, locked tight, running forever — the configuration and operations of Android's appliance mode.
Multi-app kiosks get Managed Home Screen; when the device's entire existence is one app — signage, a queue display, a single-workflow scanner — single-app kiosk mode is the cleaner instrument: the app is the device.
Hardware dialsBrightness and charge behavior via OEMConfig
Prerequisites
A dedicated-enrolled device — single-app pinning is part of the corporate-owned kiosk profile.
The target app deployed via MGP (or as a private app), assigned as required to the kiosk device group.
For hardware-level screen control (brightness schedules, charge behavior), the OEM's OEMConfig app on hardware that exposes those dials.
Step-by-Step: The Configuration
The kiosk profile pins the single app via Android's lock-task plumbing:
Designate the kiosk target. The deployed app is selected in the kiosk profile; it launches at boot and the OS confines the session to it.
Set the lock-task features deliberately. These are the granular dials — status bar visibility (system info yes/no), keyguard off for signage, home/recents suppressed, notifications hidden. Signage wants everything suppressed; interactive kiosks may keep the status bar for connectivity truth.
Tune screen and power for 24/7 duty. Screen always-on plus power behavior: stay-awake-while-powered for plugged signage, and brightness/schedule via OEMConfig where the hardware exposes it.
For web-content signage, pin a managed kiosk-browser app single-app, with its URL and refresh behavior set via app config — signage-as-a-URL without a CMS purchase.
Verification
Power-cycle the pilot unit and confirm the app relaunches and re-pins at boot with no human touch — boot-to-app is the whole contract.
Try to escape: home, recents, notification shade, status-bar pulls — every suppressed path should go nowhere.
Pull the network and watch the app's offline behavior; signage that dies into an error screen needs a cached fallback before rollout.
The 24/7 Operations Reality
Appliances fail silently — there is no user to notice, complain, or file the ticket, so the operations design has to do the noticing:
Check-in alerting: a dedicated device missing its sync rhythm is your only smoke signal — wire the stale-device query into an alert, not a monthly report
Update windows: OS and app updates in maintenance windows, because a signage screen showing a Play update dialog is the brand experience nobody designed
Remote recovery ladder: sync → restart action → reprovision — and because zero-touch makes reprovisioning unattended-ish, the ladder's last rung is "unplug it and plug it back in" performed by whoever's nearest, with enrollment doing the rest
Rung 1SyncThe check‑in rhythm is the only smoke signal
Rung 2Restart actionThe remote power-cycle
Rung 3ReprovisionPower-cycle by whoever's nearest — zero-touch enrollment does the rest
Insights
The single-app vs MHS decision is reversible but disruptive (it's a provisioning-profile matter) — when in doubt, MHS with auto-launch gives single-app behavior with multi-app headroom.
Burn-in is real on always-on displays: signage apps with static corporate chrome want pixel-shift/screensaver behavior — a hardware-lifecycle line item (AER again) masquerading as a software setting.
Shared scanners, shift sign-in, and the blueprint that combines Shared Device Mode, MHS, and APP into a working frontline fleet.
Frontline is where every Android capability composes or collapses: shared hardware, shift rhythms, gloves, drops, and users who measure IT by sign-in seconds. This page is the blueprint, assembling pieces documented elsewhere into the three patterns that cover most frontline reality.
Pattern 1 — Shared Workflow Device (the warehouse scanner)
Dedicated enrollment + Entra Shared Device Mode + MHS with the curated app set. Worker signs in once at shift start (Shared Device Mode's single sign-in/sign-out across participating apps is the whole UX win), works, signs out at handoff — next shift, next identity, zero residue. Hardware via zero-touch/KME so spares provision themselves; session timeouts tuned with the supervisors who actually run the shift, so the security posture matches how the floor works.
Pattern 2 — Personally-Assigned Frontline (the store associate's device)
Fully managed, one user, the hardening baseline, and the workflow apps required-installed. Simpler identity story, richer per-user accountability — choose it when devices genuinely live with one human.
Pattern 3 — BYOD Frontline (scheduling and comms only)
hardware is shared and workers rotate by shiftPattern 1 — Dedicated + SDM + MHSOne badge-in per shift, global sign-out, zero identity residue.
the device genuinely lives with one humanPattern 2 — Fully managed 1:1Hardening baseline plus required workflow apps; richer per-user accountability.
there's no corporate hardware — schedules and comms onlyPattern 3 — APP-only BYODProtected apps, no enrollment; the personal phone stays personal.
The Cross-Cutting Disciplines
Spare-pool math: frontline availability = (devices − broken − charging) ÷ shifts; the spare pool plus self-service provisioning is the SLA
Update windows aligned to shift calendars — the 2 p.m. reboot during peak picking is a self-inflicted incident
Accessory reality: cases, holsters, and charging cradles decided with the hardware (AER ruggedness) — fleet damage rates are a procurement variable wearing an ops costume
Ten-minute floor test before any rollout: gloves on, real lighting, real Wi-Fi dead spots — the MHS layout and Wi-Fi roaming behavior that survive the floor are the ones that ship
Insights
Pick the pattern per workflow, not per org — most frontline estates run all three simultaneously, and the mode-decision matrix plus this page's blueprints keep the fleets coherent rather than accidental.
Charging discipline, battery telemetry, and the hardware-health rhythms that keep frontline fleets on shift.
Frontline Android dies by battery before it dies by anything else — and battery is manageable: charging behavior by policy, health by telemetry, replacement by rhythm instead of by emergency.
Control layerOEMConfig — charge-limit thresholds, dock/USB behavior
Charge capNear 80-85% on dock-resident devices — the biggest longevity lever
ReplacementBy cohort at the curve's knee, not one emergency at a time
The Charging Discipline
The OEM layer carries the real controls (OEMConfig, per the Knox/rugged services map): charge-limit thresholds (capping charge near 80-85% on dock-resident devices — the single biggest battery-longevity lever for signage and cradled kiosks that would otherwise float at 100% for years), dock/USB behavior, and on rugged lines, battery cycle and health attributes exposed as readable state. The facility side is policy too: pooled-device programs live or die on charging-cradle discipline — slots per shift, the spare-pool math, and the end-of-shift cradle habit enforced by supervisors, not scripts.
The Telemetry Loop
What you can watch, watch: device battery health/cycle attributes where the OEM exposes them (Graph-collected into the inventory rhythm), and the behavioral proxy everywhere else — devices that die mid-shift show up as check‑in gaps and shortened active windows. Chart per-model battery-health distribution by fleet age and the replacement curve writes itself: batteries (or devices, on sealed hardware) replaced by cohort at the curve's knee, not one emergency at a time.
The Configuration Adjacencies
Battery burn is partly your policy diet: always-on VPN keep-alives, aggressive sync, bright kiosk screens without idle behavior — the same audit that tunes performance tunes endurance. And exempt the management stack from battery optimization where the platform allows, or the OS's power saver becomes your sync-health mystery.
Insights
Sealed-battery hardware turns battery policy into procurement policy: the AER spec-sheet review should price replaceable-battery rugged units against the fleet's real cradle reality — a warehouse that can't enforce cradle discipline needs swappable batteries more than it needs another policy.
The recurring enrollment failures by mode — and the five-minute fixes for each.
Android enrollment failures cluster tightly by management mode. Identify the mode, then work the matching list — the fix is almost always in the first two entries.
Step 1Identify the modeFailures cluster tightly by management mode
Step 2Work the matching listThe fix is almost always in the first two entries
Step 3Capture evidence, then escalateExact error + mode + logs; a lab-device test splits device from profile
Corporate-Owned (QR / token / zero-touch)
"Device not factory-fresh." All corporate modes provision only during setup. Any prior setup progress — even a skipped Google sign-in — taints it. Factory reset, start clean. This is half of all corporate enrollment tickets.
Expired or wrong token. Enrollment tokens have validity windows; QR codes circulate longer than they should. Regenerate from the enrollment profile and reissue — and check the QR maps to the intended profile (a dedicated token on a 1:1 phone enrolls fine and behaves "wrong" forever).
Date/time skew. A device that sat in a warehouse boots with a stale clock → TLS to enrollment endpoints fails with opaque errors. Set time, retry.
No GMS / uncertified hardware. Gray-import or uncertified devices can't reach Android Enterprise provisioning. Verify certification; see the GMS dependency.
Zero-touch device skipped enrollment. It isn't registered (reseller miss), or no default configuration is set in the zero-touch portal, or it was registered after first boot — re-check registration, set the default config, factory reset.
Network can't reach Google/Microsoft provisioning endpoints — provisioning Wi-Fi behind aggressive filtering breaks setup; stage on a clean VLAN.
Work Profile (BYOD)
"Couldn't create work profile." Leading causes: a leftover device-admin or old MDM remnant (Settings > check for stale device admin apps / work profiles — remove, retry), critically low storage, or an OEM skin quirk (reboot, retry — genuinely).
Blocked by enrollment restrictions. Personally-owned Android blocked or the user's group excluded under Devices > Enrollment restrictions — the error users report is generic; the cause is policy.
"Device already enrolled." A stale Intune record from a previous life — delete the old object, retry.
Company Portal sign-in loops — usually Conditional Access requiring compliance from a device that can't become compliant until enrolled; confirm your CA exclusions for the enrollment flow.
When the List Fails
Capture evidence before escalating: exact on-screen error + the mode + Company Portal logs, and test the same token/flow on a known-good lab device to split "this device" from "this profile."
Where the evidence lives — Company Portal logs, bug reports, MHS diagnostics, and adb.
Android troubleshooting rewards knowing exactly where each log lives — because there are several, and the right one resolves the ticket while the wrong one wastes an afternoon.
First reachCompany Portal / Intune app > Help > send logs — returns an incident ID
Portal sideThe device's Troubleshooting + support pane
Kiosk fleetsMHS built-in diagnostics — enable before the first incident
Deep cutsBug report, adb logcat, OEM tools
First Reach: Company Portal / Intune App Logs
On the device: Company Portal (or the Intune app on fully managed) > menu > Help > send logs — uploads diagnostics to Microsoft and returns an incident ID to attach to support cases. For self-service triage, the same menu surfaces sync status and applied-policy state. This covers most enrollment and policy-delivery questions.
Portal-side, the device's Troubleshooting + support pane (per-user) shows enrollment status, policy and app assignment results — correlate device-side logs with what Intune thinks it delivered.
Managed Home Screen Diagnostics
MHS ships a built-in diagnostics surface (enabled via its app configuration) for kiosk fleets — applied configuration, sign-in state, and logs without exiting kiosk. Turn it on for your dedicated fleet before the first incident; retrieving logs from a locked kiosk without it means a maintenance-PIN visit.
Deep Cuts: Bug Reports and adb
Full bug report: Settings > Developer options > Take bug report (or adb bugreport) — the everything-dump OEM and Microsoft support ask for on gnarly device-behavior cases. On corporate fleets where developer options are rightly blocked, remote-collect via Intune's collect diagnostics device action instead.
adb logcat on a lab device streams live system logs — filter by tag/package to watch an enrollment or app-config delivery in real time. Transformative for "what exactly happens when…" questions, because it shows the platform's side of the conversation rather than the console's.
OEM tools (Samsung dumpstate et al.) add manufacturer detail when an OEM escalation demands it.
Insights
Log with a question: "did the device receive policy X" (Company Portal applied-state + portal Troubleshooting pane) is a different hunt from "why does app Y crash" (logcat/bug report). Naming the question first picks the log and halves the time.
For app config disputes, most Microsoft apps expose an in-app diagnostic view listing the managed configuration they actually received — check the receipt before debugging the sender.
Profiles that won't create, profiles that vanish, and forgotten work-profile passcodes — the BYOD failure catalog.
Personally-owned work profile enrollment is the highest-volume Android flow in most orgs, so its failures get their own page. Almost every ticket is one of three things: the profile won't create, a working profile disappeared, or the user forgot the work-profile passcode. Identify which, then work the matching section.
Device-side first moveCompany Portal > Settings > Sync, then check the work-profile pause toggle
Passcode recoveryReset passcode device action (resets the work-profile challenge, not the device lock)
1. The profile won't create
Enrollment runs, the user signs in, then it fails at the "creating work profile" step. Work these in order, cheapest first:
A leftover work profile from a previous employer. Android allows exactly one work profile per device, so an old one the user forgot about blocks the new one. Have them remove it: Settings > Accounts (or Settings > Passwords & accounts, varies by OEM) > Work profile > Remove work profile, then retry enrollment. This is the single most common cause.
A leftover device-admin or old-MDM agent. A device that was previously managed via the deprecated device-admin API can refuse profile creation. Check Settings > Security > Device admin apps, deactivate and uninstall the old agent, then retry.
Storage or battery starvation. Profile creation needs free space and a charged battery; a 98%-full budget phone fails with a vague error. Free space and charge above ~20% before retrying.
The device can't host a profile. An OS version below your enrollment-restriction floor, or an uncertified/gray-market build with broken Android Enterprise support. Rare on AER-certified hardware; common on imports.
An enrollment restriction or licensing block. Personally-owned Android blocked, or the user's group excluded, under Devices > Enrollment > Enrollment restrictions. The user sees a generic "couldn't enroll" message; the cause is policy. Also confirm the user has an Intune license assigned. The enrollment-errors page identity checklist applies.
2. A working profile vanished
Apps that were badged go grey, work mail goes silent, or the work profile is simply gone. Before assuming a defect, check the device's Recent activity in the console (Devices > the device) — most "it disappeared" cases are an action that fired:
The user removed it. Android lets the user delete the work profile by design — that is the consent-based BYOD contract. Conditional Access catches the now-noncompliant device at the next access attempt, which is your detection signal. Re-enroll and coach.
A retire or wipe fired. An admin bulk action, a compliance-triggered retire, or the user's own "Remove device" in Company Portal. The action history names which.
An OS-update casualty. Rare and OEM-specific. If one model sheds work profiles after a specific OS build, that's an OEM support case — attach your ring-1 update evidence.
3. Forgotten work-profile passcode
The user set a separate work-profile challenge (the prompt that gates badged apps) and forgot it. You do not need to reset the device lock or re-create the profile. Use the Reset passcode device action:
In the console, open Devices > the device and select Reset passcode (labeled Remove passcode on some device types). On a work-profile device this clears the work-profile challenge specifically.
The device receives the action on its next check-in — push Sync from the device's Company Portal if it's slow.
The user sets a new work-profile passcode the next time a badged app prompts for it.
This action is gated by the password policy you've assigned, so confirm a reset is permitted for the profile before promising it to the user.
Insights
Half of "my work apps died" tickets are the pause feature working as intended. Android lets users pause the work profile (badged apps grey out, work mail stops) — a paused profile looks identical to a broken one. First move on any profile weirdness: Company Portal > Settings > Sync, then check the pause toggle and have the user un-pause before you debug anything.
Per-device truth lives in the Company Portal logs and the device's Recent activity; fleet-level removal patterns live in enrollment reporting. A removal spike right after a comms change or an OS rollout is a signal worth chasing, not coincidence.
Pending-forever installs, licensing ghosts, and the triage ladder from assignment to APK on disk.
App install triage on Android is a ladder from assignment to APK on disk. An app "not installing" is one of five things — check them in order, because each rung is cheaper to test than the one after it.
Rung 1Assigned here at all?Groups and filters first, always
Rung 2Reached Managed Google Play?Approved and synced publisher-side
Rung 3Can this device take it?API level, architecture, country availability
Rung 4Is the pipe clogged?Storage, doze, Wi-Fi-only constraints
Rung 5Actually failing?logcat names the package-manager error
The Ladder
Was it ever assigned here?Filters and groups first, always — the device not in scope explains the install that never started. The device's managed apps view shows what Intune believes it owes this device.
Did the assignment reach Managed Google Play?MGP apps flow Intune → Google → device; the app must be approved/synced in the MGP connection (setup page) — an app revoked or unapproved publisher-side strands assignments in pending.
Can this device take it? Compatibility gates fail quietly: minimum API level below the device's OS, architecture/feature requirements, or country availability on the Play listing. The Play listing's requirements vs the device's reality answers it.
Is the pipe clogged? Storage-full devices and doze-deep devices defer installs indefinitely; Wi-Fi-only update constraints hold large APKs hostage on cellular fleets. A sync + charge + Wi-Fi session clears the honest backlog.
Is it actually failing? True failures (signature conflicts with a sideloaded copy of the same package, corrupted previous installs) surface in the device-side logs — logcat during an install attempt names the package-manager error precisely.
Private-App Specials
Private apps add two rungs: versionCode discipline (a "new" build with an unchanged versionCode is invisible — the most common private-app "update isn't deploying" cause) and track targeting (the device's assignment track vs where the build was published).
Fleet-Level Reading
One device failing is a device problem; a cohort failing is a pattern — the App Install Status report groups failures by error and device family, and the cohort's common attribute (model, OS, mode, network site) is usually the answer wearing a uniform.
Insights
"Pending" is not "failed" — MGP installs queue politely behind device conditions, and the impatient re-assignment dance accomplishes nothing the next check‑in wouldn't. Diagnose conditions for pending; diagnose errors for failed.
Devices that stopped talking — doze, dead push, network filters, and the rhythm of Android check‑ins.
Half of "policy isn't applying" tickets are actually "device isn't checking in." Understanding Android's check‑in rhythm — and what breaks it — converts those tickets into two-minute closures.
The Rhythm
Managed Androids check in on a periodic schedule plus push-triggered syncs (an admin sync action or pending change nudges the device through Google's push plumbing). Healthy devices show lastSyncDateTime within the expected cadence; everything else on this page explains the unhealthy ones.
Intunesync action / pending change
→
Google push plumbingthe wake-up channel
→
Devicechecks in on schedule + on push
The Usual Suspects, in Order
Power state: Android's doze/battery optimization is the great deferrer — a device idle in a drawer batches its check‑ins aggressively. Not broken; asleep. Wake-and-charge resolves it, and dedicated fleets get exempted-from-optimization treatment for the management components where the OEM/OS surface allows.
Push path blocked: corporate networks filtering Google's push/notification endpoints sever the nudge channel — devices still poll, but "sync now" stops being now. The fix is a network conversation with the firewall team, with Google's published endpoint requirements as the engineering evidence — the connectivity anatomy maps every strand.
Company Portal / Intune app health: force-stopped, battery-restricted, or storage-starved management apps can't do their job — the device-side check is the app's battery/permissions state.
Identity expiry: long-offline devices return with stale tokens; a sign-in refresh through the Conditional Access re-evaluation restores the relationship.
It's actually retired: check the action history before resurrecting a ghost — a wiped/retired device not syncing is the system working.
Reading Fleet Health
lastSyncDateTime distribution is the fleet's pulse: the stale-device query buckets it, and the operational thresholds differ by fleet — a knowledge-worker phone quiet for 5 days is vacation; a signage unit quiet for 5 hours is an outage. Set per-fleet alert thresholds, not one global number.
Insights
Force the question precisely: portal-side Sync proves the server→push→device path; device-side Company Portal sync proves the device→service path. Which direction fails localizes the break in one move.
Seasonal patterns are real — summer drawers and January returns produce stale-device waves that look like incidents and are actually calendars. The cleanup rhythm absorbs them gracefully.
Why a device fails the Play Integrity compliance check, and how to tell a transient lag from uncertified hardware from a genuinely modified device.
A device that fails Play Integrity in a compliance policy is one of three things: a transient verdict that will clear itself, hardware that can never pass, or a genuinely modified device. The response differs completely, so identify which before you act. Play Integrity returns up to three verdicts — device integrity (MEETS_DEVICE_INTEGRITY), basic integrity (MEETS_BASIC_INTEGRITY), and strong integrity (MEETS_STRONG_INTEGRITY) — and Intune's compliance setting maps to one of these; knowing which one your policy requires tells you what a failure means.
Compliance settingDevices > Compliance > the Android policy > "Require the device to pass Play Integrity / SafetyNet"
Per-device stateDevices > the device > Compliance — which setting failed
Failure rate over timeReports > Device compliance, charted monthly
Never the fixAn integrity exception or per-incident lowering of the bar
1. Is it transient?
Fresh enrollments, devices returning from a long sleep, and devices mid-OS-update can lag a verdict cycle. Sync the device, wait one compliance evaluation pass, recheck. A verdict that clears on its own was never a finding, and this step closes a large share of tickets at zero cost. If the device isn't checking in at all, fix that first via sync and check-in issues — a device that can't talk to the service can't report an attestation either.
2. Could the device ever pass?
Pull the device's identity (model, OEM, source) from Devices > the device > Hardware. Uncertified hardware fails device integrity by design, not because it's compromised:
Gray-market imports without Google Mobile Services certification.
Non-GMS / AOSP devices accidentally enrolled into a GMS-managed fleet — these have no Play Integrity at all.
White-label or budget hardware never submitted to Google for certification.
The fix is procurement-side: the device leaves the GMS-managed fleet (replacement, or honest reclassification to AOSP mode where Intune supports it). Tightening the AER procurement discipline prevents the next one. Confirm against Google's Android Enterprise Recommended directory and Intune's supported-device list.
3. Is the device modified?
What's left is the case the check is meant to catch: unlocked bootloader, custom ROM, or a root framework (Magisk and similar). Corroborate before accusing anyone — on a bench, check the OS build string, the reported security-patch level against the model's norms, and the bootloader state; a real modification tells a consistent story across all three. Then handle by ownership:
Personal device in a BYOD program: a policy conversation, not an accusation. The device can't meet the access bar as configured; offer the app-protection-only tier or a corporate device.
Corporate-owned device returned modified: an HR / security incident, handled through that process — corporate hardware should not be rooted.
What not to do
Do not create an integrity exception. An allow-listed failing device is attested-untrustworthy hardware holding corporate access — exactly what the control exists to stop. Pressure to grant one tends to arrive with a senior title attached; the answer is still no.
Do not lower the bar per incident. If strong integrity fails across a swath of older hardware, that's a deliberate policy-calibration decision made in a review, with the model list in hand — not an ad-hoc Tuesday change.
Insights
Chart the integrity-failure rate monthly (Reports > Device compliance). A stable trickle is normal BYOD reality; a step change correlates with something concrete — an OS rollout, a procurement batch of a new model, or a verdict-system change Google shipped — and your ring-1 canary fleet usually felt it first.
When the OEM layer misbehaves — schema drift, apply-order races, and the silent-failure patterns unique to vendor schemas.
OEMConfig is powerful precisely because it's a vendor app applying vendor schema — which gives its failures a flavor standard policy doesn't have. The triage map:
The Failure Families
The OEMConfig app itself isn't healthy: it's a Managed Google Play app like any other — not installed, stale version, or install-pending means no schema applies, however perfect your config. First check, always: app present and current on the failing device.
Schema drift: the vendor shipped a new app version with a changed schema; your saved configuration references keys that moved or retired. Symptom: settings that "stopped applying" after an invisible app update — the reason the update-modes guidance puts OEMConfig apps on validated tracks, and why config reviews belong in the same change as app-version promotions.
Apply-order races: OEMConfig settings landing before their dependencies (a KSP policy referencing a certificate not yet issued, a scanner profile racing the workflow app's install) — classic sequencing discipline, vendor-schema edition: deploy the dependency first, then the OEMConfig payload that references it.
Silent per-key rejection: vendor schemas often apply what they can and skip what they can't (unsupported on this model/firmware tier, license-gated features without the license) — the config "applied" while the one key you cared about didn't.
Where the Truth Lives
Three layers, checked in order: Intune's app-config deployment status (did the JSON reach the app), the OEMConfig app's own debug/status surface (most vendors ship one — KSP's feedback reporting, rugged vendors' result screens; learn yours, it's the per-key truth), and the keyed-app-states channel where the vendor implements it — OEMConfig apps are exactly the class that should, and the better ones do. Bench-side, adb-level inspection closes what consoles can't.
Layer 1Intune deployment statusDid the JSON reach the app at all?
Layer 2The vendor app's debug surfacePer-key truth — feedback reporting, result screens
Layer 3Keyed app states + adbWhere implemented; the bench closes what consoles can't
Insights
Maintain a schema-version ledger per OEMConfig app: app version → schema snapshot → your config version, in the repo. When drift hits, the diff is a lookup; without the ledger it's archaeology against a vendor changelog that may not exist.
The endpoints Android management must reach, how a blocked path presents, and the allow-list to hand the firewall team.
Android management depends on three groups of services — Google push, Google Play / Managed Google Play, and Intune/Entra — plus the provisioning endpoints a device touches at first boot. A network that filters aggressively tends to break one group at a time, and each break has a distinct symptom. Match the symptom to the group, then hand the firewall team the matching endpoint list. The authoritative lists are Microsoft's Intune network endpoints and Google's Android Enterprise network requirements — review both on a calendar, because both move.
Apps pend, policy flowsGoogle Play / Managed Google Play path blocked
Nothing until device-side SyncGoogle push (FCM) path blocked
Check-in / compliance deadIntune or Entra endpoints blocked
Google push (FCM-class). The wake-up channel that tells a device to check in now. Blocked, devices still poll on their periodic schedule but stop responding to immediate nudges. Signature: sync from the console does nothing; sync from the device works. See sync and check-in issues.
Google Play services + Managed Google Play. The entire transport for app delivery. Blocked or mangled by a proxy, installs sit in pending forever while policy applies normally, and Play Integrity verdicts go stale or fail transiently at scale.
Intune / Entra endpoints. The management conversation itself — check-in, compliance reporting, and Company Portal / Authenticator authentication. Blocked, the device looks dead to the service entirely.
Provisioning-time dependencies. At first boot, before any of your config exists, a device contacts Google's provisioning services (play.google.com, android.com provisioning hosts) and Intune enrollment endpoints. The strictest network in the building is often the one new devices boot on, so keep an enrollment hedge: a lightly-filtered provisioning SSID or VLAN. The provisioning payload reference covers the first-boot sequence.
Diagnose by symptom, before touching a device
Localize by the symptom pair. Policy applies but apps don't → Play group. Nothing moves until a device-side manual sync → push group. Everything is dead → Intune/Entra group or identity. The pair names the firewall conversation before anyone picks up a device.
Suspect TLS inspection first. Google services use certificate pinning, so a decrypting proxy breaks them even when the hostnames are allowed. The fix is a documented bypass (no SSL inspection) for the Google and Microsoft endpoint ranges, handed to the proxy team as standing architecture — not a per-incident exception.
Confirm site shape. One location's fleet lagging together is a network finding. Prove it in five minutes: filter the device list or a lastSyncDateTime query by site and look for a cluster of stale devices in one place.
What to give the firewall team
Don't hand them per-host tickets. Hand them the two published endpoint documents above as a standing allow-list, with these specifics called out:
Allow Google's Play, FCM, and provisioning endpoints and exempt them from TLS/SSL inspection.
Allow the Intune service and Entra/login endpoints from the Microsoft list.
Keep a lightly-filtered enrollment SSID/VLAN for first-boot provisioning.
Schedule a recurring review of both lists, since Microsoft and Google add ranges over time.
Insights
Build a bench probe once: a script on a lab device that exercises each group from inside the corporate network — receive a push, run a test Managed Google Play install, force a check-in. Run it whenever networking insists "nothing changed"; the group that fails names the change they made.
Twenty-plus vetted open-source projects for the Android Enterprise admin — Google's own lab tools to app-vetting heavyweights.
The Android admin's shelf — Google's reference tooling, support workhorses, and the app-vetting stack, plus the tenant-level Intune core every estate leans on.
Google's Reference Tooling
googlesamples/android-testdpc — Test DPC, Google's reference device policy controller: every Android Enterprise policy as a toggle on a lab device. The single best way to learn what the platform can do before Intune's UI mediates it
Genymobile/scrcpy — flawless screen mirror/control over ADB; the remote-support and documentation workhorse for frontline device walkthroughs
PeterCxy/Shelter — an open-source work-profile manager; instructive for understanding the profile model from the inside (lab insight, not a fleet tool)
Test DPC deserves a standing slot in your lab rotation: when Intune's UI lags a new Android Enterprise capability, Test DPC shows you the platform truth — which turns "does Android support X" from a forum thread into a five-minute experiment.
The vetting stack's output belongs in procurement: an APK that fails a MobSF pass before purchase is a finding; the same APK discovered post-deployment is an incident. Same tools, very different meetings.
How Intune manages Windows — the MDM stack, join types, and where ConfigMgr and Group Policy fit (or don't).
Windows is where Intune started competing with twenty years of incumbent tooling, so the first job is a clean mental model of what manages what — because in most orgs, three management planes coexist during the cloud transition.
The Stack
Intune speaks to Windows through the MDM stack: policies map to CSPs (Configuration Service Providers) — the OS-native policy surface that the Settings Catalog exposes. Apps and scripts ride a second channel, the Intune Management Extension (IME) — a lightweight agent that handles Win32 apps, PowerShell scripts, and Remediations. MDM for policy, IME for payloads: two channels, both yours.
Intunepolicy authority
→
CSPsOS-native policy surface
→
Windowssettings enforced
Intuneapp & script source
→
IMEon-device agent
→
WindowsWin32 apps, scripts, Remediations
Identity Decides Everything
Every management behavior on Windows hangs off the join type — the identity relationship between the device and your tenant. Decide it first; enrollment, authentication, and policy scope all inherit the decision:
Join type
Identity
Use
Entra joined
Cloud-native
The target state for corporate Windows — Autopilot builds these
Hybrid joined
AD + Entra
Transitional; carries on-prem dependency forever — see the strategy page
Group Policy: still authoritative on hybrid devices for whatever it already manages — but every new policy should be born in Intune. The Settings Catalog covers the vast majority of GPO territory (ADMX-backed settings); Group Policy analytics in Intune scores your existing GPOs for migratability.
Configuration Manager: coexists via co-management — workloads (compliance, updates, apps…) slide from ConfigMgr to Intune one at a time. The realistic enterprise path is co-management with workloads migrating cloud-ward, ending (someday) with ConfigMgr retired.
The cloud-native endpoint — Entra joined + Autopilot + Intune-only — is the design target for new fleets and the migration destination for old ones.
Operational Realities
Device onboarding authority lives in Autopilot registration — devices become known to your tenant through OEM registration at purchase or hardware-hash import, and that registration list deserves the same auditing rigor as any identity store.
Windows policy has latency personality: MDM sync cadence plus IME check‑ins mean "applied" can take a sync cycle or three — the troubleshooting page covers reading the actual state.
The update model is its own discipline — deferrals and deadlines per ring, and the deadlines genuinely enforce: polite installs during deferral, scheduled restarts at deadline, forced restarts once grace expires.
Autopilot, bulk provisioning, GPO auto-enrollment, co-management — the Windows decision tree.
The governing rule: the enrollment path sets the ceiling — capabilities you skip at enrollment are capabilities you re-enroll to regain. Pick per fleet, in writing, before hardware ships.
you're buying new corporate hardware for a cloud-native fleetAutopilot user-drivenEntra join, sealed-box self-deploy — the default answer.
IT preps devices first, or no user existsPre-provisioning / self-deployingTech phase plus reseal, or kiosk and signage builds.
an AD-joined fleet with ConfigMgr is already in placeCo-management + GPO auto-enrollmentSlide workloads cloud-ward; no user touch, no reimage.
you're covering labs, shared carts, and odd cornersProvisioning packageQuick and limited — fine for what it is.
the hardware is personal (BYOD)Entra registration + App ProtectionMAM and Conditional Access cover the data without claiming the laptop.
The Decision Tree
New corporate device, cloud-native target? → Autopilot user-driven (Entra join). The default answer for modern corporate Windows — ship sealed boxes, users self-deploy.
Same, but IT preps devices or no user exists? → Autopilot pre-provisioning (tech phase + reseal) or self-deploying mode for kiosks/signage.
Existing AD-joined fleet, ConfigMgr in place? → Co-management: enable cloud attach, slide workloads to Intune; GPO auto-enrollment brings hybrid-joined devices into Intune without touching users (bulk page).
Labs, shared carts, odd corners? → Provisioning package (bulk enrollment via Windows Configuration Designer) — quick, limited, fine for what it is.
BYOD? → Don't device-enroll it. Entra-register + App Protection (MAM for Windows) + Conditional Access covers the data without claiming the laptop.
Autopilot + Entra join is the default; treat every exception as debt with a retirement date.
Don't reimage your way into Intune — the existing fleet's path is co-management + GPO auto-enrollment today and attrition-replacement with Autopilot devices over the hardware cycle. Migration patterns apply.
Get OEM Autopilot registration into the procurement contract — devices should land in your tenant already registered, with your Group Tag convention applied at the source. Hash-harvesting deployed machines is the fallback, not the plan.
The identity decision under your Windows estate — and why hybrid is a bridge, not a destination.
This is the Architecture Corner-grade decision of the Windows world: it shapes enrollment, authentication, app access, and how long you keep domain controllers in the blast radius.
What Each Actually Means
Entra joined: the device's identity lives in Entra ID, full stop. Sign-in with Entra credentials (+ Windows Hello), policy from Intune, no line of sight to a DC ever required. Cloud-native.
Hybrid joined: computer object in AD and registered in Entra. Sign-in against AD; GPO still applies; the device needs DC connectivity rhythms. It exists to keep legacy estates coherent during transition.
The On-Prem Resource Myth
The reason orgs cling to hybrid — "we need AD for file shares and printers" — is mostly obsolete: Entra-joined devices access on-prem AD resources fine. The user's Entra sign-in obtains Kerberos tickets for on-prem services via cloud Kerberos trust (Hello for Business formalizes it). SMB shares, print servers, and most AD-integrated apps just work. The genuine hybrid-forcing dependencies are narrower: machine-account-authenticated services, some legacy NPS/802.1X designs, and apps doing computer-object lookups — enumerate yours honestly before declaring hybrid necessary.
Entra sign-incloud credentials on an Entra-joined device
→
Kerberos ticketsissued for on-prem services
→
AD resourcesfile shares, print servers, AD-integrated apps
Keep hybrid on those devices; auto-enroll them to Intune; replace with Entra-joined at refresh
Autopilot hybrid join
Exists; avoid for new design — it reintroduces DC dependencies into a cloud workflow and Microsoft's own guidance has moved decisively toward Entra join
BYOD
Entra registered only — registration isn't a join, and that's the point
Insights
Run dsregcmd /status on any contested device — the AzureAdJoined / DomainJoined pair tells you exactly what you have, ending many meetings.
Mixed estates should make join type visible everywhere: dynamic groups and filters on join/ownership properties keep hybrid-only policy (GPO-overlap guards) off cloud-native machines, and the Windows inventory report reports the split as a migration KPI.
The hybrid endgame is measured in hardware cycles, not projects: every refresh quarter shifts the ratio if procurement defaults are set correctly. Set them once and the estate migrates itself.
The reference architecture — every Windows page on this site, composed into one coherent design.
Individual pages teach components; this page is the composite — the cloud-native Windows endpoint as one design, the way you'd draw it for an architecture review.
Every layer is declarative and recoverable: the device's entire state derives from tenant configuration, so the device itself is disposable — lost, stolen, or broken hardware is replaced by any Autopilot-registered unit and the user is whole within the hour. "Reset it" becomes a legitimate tier-1 fix because nothing of value lives only on the endpoint. That property — not any individual feature — is what "cloud-native" buys.
Tenant configurationthe single source of truth
→
Device statederived, disposable, rebuildable
→
Conditional Accessholds the keys
The Honest Deltas From Most Real Estates
Real orgs run this blueprint minus two or three layers — usually hybrid join lingering, local admins surviving, or update deadlines unset. The blueprint's value is making the deltas visible: each gap is a named project with a named page, and the inventory report's KPIs measure the closure.
Insights
Present this composite as one slide in design reviews — component-by-component approval invites component-by-component exceptions; the architecture defended as a whole survives contact with stakeholders far better.
EPM, Enterprise App Management, Advanced Analytics, Remote Help, and Cloud PKI — the paid tier, honestly assessed.
The Intune Suite is the add-on tier above the Plan 1 license most orgs run — a bundle (also sold à la carte) of capabilities that each replace a category of third-party spend or manual toil. The honest evaluation, capability by capability:
The Lineup
Endpoint Privilege Management — rule-based elevation for standard users; the missing piece of the no-local-admins trio. Replaces: third-party privilege managers and the "just make them admin" surrender.
Advanced Analytics — deeper device-health telemetry: anomaly detection, battery/boot/app-reliability scoring, resource analytics beyond the included Endpoint Analytics floor. Replaces: digital-experience-monitoring point products, partially.
Remote Help — identity-integrated, RBAC-governed remote assistance with compliance warnings and session audit. Replaces: the consumer remote tool your helpdesk uses that security pretends not to know about.
Cloud PKI — Microsoft-hosted CAs issuing via SCEP, retiring the Certificate Connector + AD CS plumbing for orgs without other PKI needs.
(Microsoft Tunnel for MAM and adjacent capabilities round the bundle out per current packaging — verify the lineup at evaluation time; it has grown release over release.)
The Evaluation Frame
Score each against current spend + current toil, not against features-in-the-abstract: EPM against your privilege-manager renewal and your admin-rights exception count; EAM against packaging hours/month; Remote Help against the incumbent tool's license and its audit gaps. The suite wins where two or more lines replace real line items — and individual add-ons exist precisely for the orgs where only one does.
Do
Score each add-on against current spend plus current toil
Trial with production-shaped pilots — your elevation reality, your app list
Buy à la carte where only one capability replaces a real line item
Don't
Evaluate features in the abstract
Predict the renewal from anything less than a production-shaped pilot
Insights
Suite capabilities are first-class Intune surfaces — same RBAC and scope tags, same reporting, same Graph — which is the operational argument over point products even at feature parity: one console, one permission model, one audit trail.
Trial with production-shaped pilots: EPM rules against your messy elevation reality and EAM against your actual app list are the only evaluations that predict the renewal decision.
The workload dials, the real endgame, and the staged exit from Configuration Manager.
Most Windows estates don't arrive at Intune empty-handed — they arrive co-managed: ConfigMgr and Intune sharing the same devices, with per-capability workload sliders deciding which authority owns what. Co-management is a fine bridge and a terrible destination; this page is the map across.
The Model
A co-managed device runs the ConfigMgr client and enrolls in Intune; the workload dials (compliance, device configuration, Windows Update, endpoint protection, client apps, Office, resource access) move each capability ConfigMgr → pilot collection → Intune, independently. The pilot stage is the gift: move compliance to Intune for one collection, validate, expand — ringed migration built into the product.
ConfigMgrWorkload authority on-premThe dial's starting position for each capability
Pilot collectionOne workload, one bounded groupValidate on real devices before anyone notices
IntuneCloud authority, fleet-wideEach dial moved is infrastructure made redundant
Each dial moved is ConfigMgr infrastructure made redundant; the endgame is Intune-native enrollment for new devices (Autopilot, no client) while the co-managed estate drains by hardware refresh cycle.
What ConfigMgr Still Owns
Some things ConfigMgr still does that cloud-native doesn't replicate one-for-one — complex task-sequence imaging (largely obsoleted by Autopilot + reset, with OSDCloud covering bare-metal), and certain on-prem-only scenarios. Name your residuals explicitly; an exception list with owners beats a server farm kept alive by vagueness.
Insights
The KPI is infrastructure, not devices: site servers, distribution points, and SQL instances decommissioned per quarter — co-management "success" with the full ConfigMgr estate still humming is a bridge you're paying double tolls on.
Education mirrors the ladder for its sector; LTSC is the deliberate exception lane (kiosk-class hardware), not a fleet philosophy
Subscription Activation (the Modern Mechanism)
The cloud-native estate doesn't image Enterprise — it steps up: a Pro device whose signed-in user carries a Windows E3/E5 license activates Enterprise automatically through Entra. The consequences worth internalizing: edition follows the user license, OEM Pro hardware is the correct purchase (stop buying Enterprise media), and a device showing Pro when policy assumes Enterprise is a license-assignment finding — check the user's entitlement before debugging the feature. The inventory report's edition column against your license counts is the standing audit.
Step 1Buy OEM Pro hardwareThe correct purchase — stop buying Enterprise media
Step 2User signs inThe Windows E3/E5 license rides the user, not the image
Step 3Edition steps upEnterprise activates automatically through Entra
Where Licensing Bites in Practice
The repeat offenders: a Credential Guard or advanced-security profile "not applying" on Pro stragglers; Intune Suite capabilities assumed present because Intune is; E5-tier Defender features configured fleet-wide with E3 licensing; and group-based license assignment lag producing day-one devices that activate Enterprise on day two. Each is a five-minute lookup if edition-vs-entitlement is your first check.
Insights
Put one slide in the architecture doc: feature → minimum edition/license → how this org entitles it. Licensing truth decays quietly as Microsoft repackages — date the slide, review it annually, and the security-baseline review stops tripping over entitlement surprises.
The flagship Windows enrollment — sealed boxes that become corporate, compliant endpoints at first sign-in.
User-driven Autopilot is the flagship Windows enrollment: the device is registered to your tenant before it ever boots, OOBE transforms into a corporate onboarding, and the user unboxes a sealed device straight into a managed, Entra-joined machine — no imaging bench, no IT visit.
Applies toNew corporate devices, shipped sealed
RequiresAutopilot registration, Intune license, MDM user scope
Join typeEntra join, standard user
Console pathDevices > Enrollment > Windows > Deployment Profiles
Prerequisites
Tenant plumbing verified: the MDM user scope covers the enrolling users, Intune licenses are assigned, and enrollment restrictions permit the fleet — broken plumbing masquerades as a hundred different OOBE errors.
An Enrollment Status Page profile with a short, security-relevant blocking list — the ESP defines what "ready" means at first boot.
A registration source decided: OEM/reseller registration written into procurement, with hash-harvesting (step 1) as the documented fallback.
Step-by-Step
Register devices by hardware hash. The right way: your OEM/reseller registers devices at purchase (with your Group Tag convention) — contractual, automatic, hands-off for IT; put it in the purchase contract so devices land in your tenant already known. The fallback: harvest hashes yourself — Get-WindowsAutopilotInfo -Online on the device uploads directly with Graph auth, or collect CSVs and import under Devices > Enrollment > Windows > Devices.
Route fleets with Group Tags. Group Tags are your fleet labels (Corp-Standard, Kiosk-Lobby) — build dynamic groups on the Autopilot device attributes (ZTDID/group tag patterns) so each tag routes automatically to the right profile.
Create the deployment profile under Devices > Enrollment > Windows > Deployment Profiles. The decisions that matter:
User account type: Standard — Autopilot is your once-in-a-generation chance to ship a fleet without local admins; pair with LAPS for break-glass
Device name template — CFA-%SERIAL% style; serial-anchored names keep the console object, the asset label, and the purchase record in agreement (see naming discipline)
Assign the profile to the dynamic group from step 2 — assignment is what arms the OOBE transformation for those devices.
Ship the sealed box. First boot: the user connects to a network → OOBE checks in and recognizes the hash → branded Entra sign-in → the device joins, enrolls, and the Enrollment Status Page holds the session until the security baseline and blocking apps land → desktop. Compliance and Conditional Access take it from there.
UnboxUser connects to a networkSealed box, no IT visit
RecognizeOOBE checks in, hash matchesThe device is already yours before first boot
Join + enrollEntra join, Intune enrollmentStandard user, name template applied
ESP gateSession held until readyBaseline and blocking apps land, then desktop
Verification
Prove it on a pilot device before the first pallet ships: dsregcmd /status reports the device as Entra joined, the console shows it enrolled with the name template applied, the signed-in user is a standard user, every ESP-blocking app reports installed, and the Autopilot deployment report shows per-phase timings you could live with on the worst network your users will meet.
Insights
A small note on the newer "device preparation" profile type: Microsoft ships a next-generation Autopilot flavor alongside classic profiles. The classic model above remains the deployed-everywhere standard; evaluate the new one deliberately, not by accident of which blade you clicked.
Pilot the worst network you'll meet — home Wi-Fi behind hotel-grade captive portals is where first boots go to die. The ESP page covers the timeout math.
Deleting a device from Intune does not unregister it from Autopilot — the hash registration persists (that's the theft-deterrent feature: a wiped device boots straight back into your tenant's enrollment, still claimed). Decommissioning means removing the Autopilot device object too.
White-glove tech prep and user-less kiosk deployment — the other two Autopilot flavors.
User-driven covers the mainline; these two cover the edges: devices IT preps before handoff, and devices no user will ever own.
IT preps devices before handoff — heavy app stacks, VIP handoffs, day-one eventsPre-provisioningTechnician phase on the bench, reseal, five-minute user phase.
no user will ever own the device — kiosks, signage, shared labsSelf-deploying modeTPM-attested, Entra-joins as a device, no credentials typed.
Pre-Provisioning (White Glove)
The technician phase runs the device-targeted half of deployment on the bench, so the user later completes only the user half — sign-in plus user-targeted payloads — turning a 40-minute first boot into a 5-minute one. The bench flow:
Boot the device to the first OOBE screen.
Press the Windows key five times to open the deployment menu, and choose pre-provisioning.
Confirm the summary screen — it shows the deployment profile and organization the device resolved to; a wrong or missing profile is cheapest to fix right here.
Run provisioning: the device Entra-joins and applies device-targeted apps and policies while still on the bench.
Reseal the device for handoff once the run completes.
When it earns its keep: heavy Win32 app stacks, VIP handoffs, shipping-day events where 200 people start Monday. Requirements worth knowing: a wired/solid network on the bench, TPM attestation capability, and device-targeted assignments — anything user-targeted waits for the user phase by design, so target the blocking stack to device groups.
The bench flow ends with a green/red status screen — red means fix it now, on the bench, where it's cheap. That screen is the entire ROI of pre-provisioning.
Self-Deploying Mode
No user at all: the device boots, TPM-attests its identity to your tenant, Entra-joins as a device, and applies device policy + apps — nobody types credentials, ever, which is the entire design.
Built for: kiosks, digital signage, shared lab machines fronted by other sign-in mechanisms. Pair with the kiosk configuration profile (assigned-access single/multi-app) and the appliance disciplines unattended fleets demand: no-user monitoring, maintenance-window updates, restrained lock-screen surface.
Hard requirement: physical TPM 2.0 attestation — which is why VMs and some odd hardware fail self-deploying with attestation errors; test your exact SKU before promising a signage rollout.
Insights
Pre-provisioning doesn't change what deploys, only when — if user-driven is broken, white glove is broken with extra steps. Stabilize the ESP-blocking stack first.
Self-deploying devices have no user to blame and no user to notice: a failed policy at 2 a.m. is invisible until the lobby screen is. Alerting on check‑in gaps is part of the deployment, not an afterthought.
The most consequential screen in Windows deployment — tuning what blocks, what doesn't, and how long.
The ESP is the gate between "enrolling" and "desktop": it holds the user while security-critical payloads land. Tuned well, it guarantees no device reaches a user half-built. Tuned badly, it's a 60-minute spinner that defines your project's reputation. Most Autopilot misery is ESP misery.
Applies toFirst boot — the gate between enrolling and desktop
Console pathDevices > Enrollment > Windows > Enrollment Status Page
Timeout60 minutes default — size it to the blocking payload
ScopeGenerally OOBE-provisioned devices only
The Settings That Matter
Devices > Enrollment > Windows > Enrollment Status Page:
Show app and profile configuration progress: Yes — the whole point.
Block device use until these required apps are installed: the crux. Select a short, security-relevant list — Defender bits, VPN client if day-one-required, your core agent. Not Office. Not the 14-app "standard load." Everything else installs post-desktop while the user works.
Timeout: 60 minutes default; the right value is (blocking payload time on bad Wi-Fi) + margin — which is exactly why the blocking list must be short.
Allow users to reset/retry on failure: yes for user-driven fleets; a dead-end error screen creates tickets a retry button wouldn't.
Only show page to devices provisioned by OOBE: generally yes — spares existing devices an ESP surprise after a re-sync.
The Tuning Doctrine
Block the minimum. Every blocking app multiplies failure probability and wait time. The question is never "what should the device have" — it's "what can it not be used without for one hour."
Device-target the blockers so pre-provisioning absorbs them on the bench.
Measure, then trim: Autopilot deployment reports show per-phase timings — the app that costs eight minutes on every enrollment should justify its blocking seat quarterly.
Do
Block the short, security-relevant set — Defender bits, day-one VPN, the core agent
Device-target blockers so pre-provisioning absorbs them
Allow reset/retry on user-driven fleets
Review per-phase timings quarterly and trim
Don't
Block Office or the 14-app standard load
Raise the timeout as the fix — that's tuning the fuse, not the short circuit
Spawn one ESP profile per department
When It Fails Anyway
The classic 0x800705B4 is a timeout, not a cause — something in the blocking list stalled. The diagnosis path lives in Autopilot and ESP Failures: per-app status via IME logs, the MDM diagnostics cab, and the "which app never reported" hunt. Resist raising the timeout as the fix; you'd be tuning the fuse instead of the short circuit.
Insights
One ESP profile per real scenario, not per department — ESP sprawl with conflicting blocking lists produces the least debuggable failures in Intune.
The ESP's perceived speed is brandable: the org name and progress phases are the user's first impression of IT. Sweat the branding and the phase names — a screen that explains what it's doing buys patience a generic spinner never earns.
Bringing the existing estate into Intune — hybrid auto-enrollment, provisioning packages, and co-management.
Autopilot handles new hardware; this page handles the thousands of machines you already have — without reimaging a single one.
the fleet is hybrid-joined and GPO-governed todayGPO auto-enrollmentOne policy; devices enroll silently at next refresh.
ConfigMgr runs the estateCo-managementCloud attach, then workload sliders move per capability.
you're enrolling lab carts or refurb batchesProvisioning packageBulk token in a .ppkg — a utility knife, not a strategy.
the hardware is newly purchasedAutopilotNew devices skip this page entirely.
GPO Auto-Enrollment (the Existing-Fleet Workhorse)
For hybrid-joined estates: one Group Policy and every in-scope device silently enrolls into Intune at next policy refresh, using the signed-in user's Entra identity. No user action, no visit, no reimage.
Prerequisites
Devices are hybrid-joined with Entra Connect sync healthy — auto-enrollment rides the device's existing Entra registration.
Users hold an Intune license — enrollment happens as the signed-in user, and an unlicensed user is a silent no-op.
The MDM user scope is set (Entra ID > Mobility > Microsoft Intune) to cover the enrolling population.
Step-by-Step
Pick the first ring: an OU or security group that defines a bounded population — ring it, don't big-bang it.
Enable the policyEnable automatic MDM enrollment using default Azure AD credentials in a GPO linked to that scope, exactly like any other Group Policy rollout.
Let a policy refresh cycle pass — devices enroll silently as users sign in and policy applies; no reboot ceremony required.
Verify before widening: spot-check dsregcmd /status for join truth and the device's management blade for enrollment truth, then expand ring by ring.
The result is a fleet that's enrolled but still GPO-governed — which is the correct intermediate state. From here, policy migrates Catalog-ward on your schedule, and hardware migrates Entra-join-ward on the refresh cycle.
Co-Management (ConfigMgr Estates)
Where Configuration Manager runs the world, cloud attach enrolls the ConfigMgr fleet into Intune and exposes workload sliders — compliance, device configuration, Windows Update, apps, Endpoint Protection — each movable Pilot → Intune independently. The pragmatic sequence most orgs run: compliance first (unlocks Conditional Access gating via Windows compliance policies), Windows Update second (WUfB beats maintaining ADRs), apps last (the Win32 repackaging effort is real). Each slider moved is ConfigMgr infrastructure you eventually retire.
Provisioning Packages
Windows Configuration Designer builds a .ppkg carrying a bulk-enrollment token — double-click (or apply during OOBE) and the device bulk-joins Entra and enrolls. Honest scope: lab carts, donation/refurb batches, environments without Autopilot registration. Limits to respect: a shared bulk token (treat like a credential, expire it), device-context enrollment without rich user affinity, none of Autopilot's lifecycle glue. It's a utility knife, not a strategy.
Insights
These paths are complementary, not competing: GPO auto-enroll for the standing hybrid estate, co-management where ConfigMgr lives, Autopilot for everything newly purchased. Write the matrix down once and procurement plus attrition execute the migration for you.
Whatever the path in, verify the same way: dsregcmd /status for join truth, the device's management blade for enrollment truth, and the Windows inventory report for the fleet-level join/enrollment split as your migration KPI.
The next-generation Autopilot profile honestly compared with classic — what changes, what's missing, and how to choose.
The user-driven page flagged it; this page gives the newer Autopilot device preparation model its full treatment — because both coexist in the console, and choosing by accident is the common failure.
What Device Preparation Changes
The design goals are simplification and reliability: a single policy object (replacing the profile + ESP + assignment choreography), deploy-time progress with cleaner per-phase reporting, device-group just-in-time membership via a security group the policy owns, and a delivery flow engineered around the classic model's most fragile moments. Devices don't strictly require pre-registered hardware hashes in the same way — corporate identity can establish during the flow — which softens the registration-pipeline dependency that classic deployments live and die by.
What It Doesn't (Yet) Cover
The trade is breadth: feature coverage has lagged classic Autopilot — historically including the pre-provisioning/self-deploying flavors, hybrid-join paths (which you shouldn't want anyway), and assorted edge options — with the gap narrowing release over release. Check current-state coverage against your requirements at decision time; this is the one Autopilot area where a six-month-old blog post is reliably wrong in some direction.
The Decision Matrix
Your situation
Choose
Greenfield, user-driven Entra-join only, standard fleet
Device preparation — the simpler model, built for exactly this
Need white-glove, self-deploying, or other classic-only features
Classic until coverage lands
Established classic estate, working
Stay; migrate deliberately when a device-prep feature you want justifies it — not for novelty
Run both knowingly during transitions — distinct device populations, distinct policies, documented split — rather than discovering the org runs both by archaeology.
Insights
The reporting alone justifies pilots: device preparation's deployment view answers "where did it die" with a precision the classic cab-file hunt only approximates.
Whatever the model, the doctrine constants survive: minimal blocking payloads, standard users, ringed rollout — the profile type changes the plumbing, not the principles.
Personal-device gates, platform restrictions, and the MDM-scope and DNS plumbing enrollments ride on.
Two related disciplines share this page: who may enroll (restrictions) and what enrollment rides on (the tenant plumbing that, when broken, masquerades as a hundred different errors).
Restrictions
Devices > Enrollment > Restrictions, Windows edition:
Block personally owned Windows devices — the high-leverage default for corporate-only programs: Autopilot-registered and bulk-enrolled devices are inherently corporate and pass; the family laptop with a work account doesn't device-enroll. The personal population is served properly by Entra registration + MAM for Windows + Conditional Access instead.
OS version floors at the door — cheaper than catching museum builds in compliance later.
Device limit restrictions — per-user device counts; Windows fleets hit these during hardware refreshes when old devices linger (a standing stale-device cleanup rhythm is the systemic fix).
Priority-ordered, group-assigned, documented — restriction hygiene that future you, and your auditors, will thank you for.
The Plumbing
The unglamorous tenant-side settings every enrollment silently traverses:
MDM user scope (Entra ID > Mobility > Microsoft Intune): the population whose devices auto-enroll — Some vs All, with the GPO-auto-enroll and Autopilot flows both depending on the signed-in user being in scope. The classic "everything's configured but enrollment fails" answer.
MAM user scope interplay: users in both scopes follow precedence rules that have surprised many a pilot — corporate enrollment flows want MDM scope winning for corporate devices.
CNAME records (enterpriseenrollment / enterpriseregistration pointing at Microsoft's endpoints): smooths manual/legacy enrollment paths' server discovery. Modern Entra-driven flows lean on it less, but the records cost nothing and their absence produces vintage error codes worth never seeing.
Licensing: the user needs an Intune license at enrollment moment — group-based licensing lag is a real race condition on day-one new hires.
Check 1MDM user scopeIs the enrolling user actually in scope?
Check 2Intune licensePresent at the enrollment moment, not an hour later
Check 3RestrictionsPersonal-device block, OS floor, device limit
Restriction changes don't evict the already-enrolled — pair posture changes with a deliberate cleanup of the now-out-of-policy stock: retire, wipe, or re-enroll what no longer meets the bar.
When enrollment fails mysteriously, walk the plumbing in order — scope, license, restriction, CNAME — before touching the device; four tenant-side checks, two minutes, and the device-side hunt often never starts.
Cloud PCs and virtual desktops as managed endpoints — what transfers, what differs, and the policies that need forking.
Cloud PCs (Windows 365) and Azure Virtual Desktop session hosts enroll into Intune and look like devices in the console — and mostly manage like them, which makes the deltas the dangerous part. This page is the deltas.
What Transfers Cleanly
Settings Catalog policy, compliance, Win32/Store apps, scripts and Remediations, Defender policy — the management plane is the management plane. Windows 365 enrolls Cloud PCs automatically at provisioning (Entra-joined or hybrid per your provisioning policy); AVD hosts arrive via your image/automation pipeline's enrollment step.
The Deltas That Need Forking
Updates: single-session Cloud PCs ride WUfB like physical; multi-session AVD hosts don't — pooled hosts update via image refresh/host-pool rotation in your AVD pipeline, and pointing deadline-driven update rings at a pooled host is how Tuesday's session host reboots out from under forty users. Filter them out of physical-device rings explicitly (the deviceModel/Cloud PC-pattern and AVD-naming properties make clean filters).
Physical-hardware policy is noise here: BitLocker (platform-managed storage encryption applies), Hello biometrics, power/firmware (DFCI) — exclude virtual fleets from these via the same filters or live with permanent not-applicable clutter.
Multi-session policy semantics: per-user vs per-device settings matter intensely on session hosts — FSLogix owns the profile story, and user-context scripts need multi-session awareness.
Compliance posture: virtual fleets get their own compliance policy — the physical fleet's TPM/encryption checks expressed appropriately for the platform, so Conditional Access gates Cloud PC access on signals that can actually pass.
The Operating Pattern
One management plane, forked targeting: Physical, CloudPC, AVD-MultiSession as first-class fleet dimensions in your group/filter taxonomy, with every update/security/hardware policy consciously aimed. The inventory report split by those dimensions becomes the coverage proof.
the device is physical hardwarePhysical targetingThe full stack applies — updates, encryption, biometrics, firmware.
it's a single-session Cloud PCCloudPC targetingWUfB rides like physical; filter out physical-hardware policy.
it's a pooled multi-session hostAVD-MultiSession targetingUpdates via image refresh and host-pool rotation — never deadline rings.
Insights
The Cloud PC's superpower is the blueprint property taken to its limit — reprovision is the fix, minutes not hours; build runbooks that reach for it early.
Watch the double-management trap on AVD: image-baked configuration fighting Intune policy produces drift archaeology — decide per setting which pipeline owns it, the one-home rule at architecture scale.
Getting user-less and many-user Windows devices into management — self-deploying, provisioning packages, and the populations they create.
Kiosk configuration and shared PC mode are policy stories; this page is the enrollment story underneath them — because user-less and many-user devices can't ride the user-driven flow built around a primary human.
the device is a true kiosk — no user, everSelf-deploying modeTPM-attests, joins as a device; everything targets device groups.
a frontline or lab fleet where Entra users rotateSelf-deploying or pre-provisioning + shared PC modeMany users, no primary user, accounts managed by policy.
quick-turn carts and donation-grade hardwareProvisioning packageBounded ambitions, bounded effort.
Kiosk Devices: Self-Deploying Mode
The canonical path: Autopilot self-deploying — the device TPM-attests, Entra-joins as a device, and applies device-targeted policy and apps with no credentials typed. The resulting device has no primary user, which is exactly right and has consequences worth pre-deciding:
Licensing and compliance posture for user-less devices decided up front (device-based compliance, no user-targeted anything)
Hardware reality: self-deploying's physical TPM 2.0 attestation requirement — validated per SKU before promising the lobby rollout
Shared PCs: the Path Depends on the Population
Frontline/lab fleets with Entra users: self-deploying or pre-provisioning enrollment + shared PC mode policy + guest/account behavior configured — many users, no primary user, accounts managed by the mode's deletion policies
Quick-turn carts and donation-grade hardware: the provisioning package bulk-enroll remains the honest utility path — bounded ambitions, bounded effort
The anti-pattern: user-driven enrolling shared hardware under whoever set it up — that human becomes the accidental primary user, their departure becomes the device's identity crisis, and primary-user cleanup becomes your hobby. Enroll shared as shared from minute one.
Insights
The fleet-dimension discipline from virtual desktops applies: Kiosk and SharedPC as first-class targeting dimensions, consciously included/excluded from every ring and baseline — a kiosk in the knowledge-worker update ring reboots mid-lobby-demo on schedule.
No user means no complainer: alert on check‑in gaps, run updates in maintenance windows, and keep the lock-screen surface minimal — silent fleets need instrumented silence.
Naming templates, rename realities, and why boring names beat clever ones at fleet scale.
Device names look cosmetic until the first audit, the first stale-device sweep, or the first time helpdesk asks a user to read DESKTOP-7G2K9F3 over the phone. Naming is identity hygiene; the tooling is small and the conventions matter.
The Template Mechanism
The Autopilot profile carries the device name template: a pattern with substitution macros — serial-number and random-digit insertions being the workhorses — applied at provisioning. The pattern that survives contact: a short org/fleet prefix + %SERIAL%-style anchor, e.g. a CF- prefix plus serial. The serial anchor is the choice everything else leans on: it makes the name derivable from the asset — laptop lid, purchase record, and console all agree — which is the entire point.
What templates can't carry: per-user or per-department semantics at provisioning time (the device is named before it knows its human). Resist encoding org structure into names anyway — departments reorganize; serials don't. Ownership semantics belong in group/filter dimensions and primary-user data, where they're queryable and mutable.
Do
Anchor names to the serial — lid, purchase record, and console agree
Keep a short org/fleet prefix (CF-%SERIAL% style)
Put ownership semantics in groups, filters, and primary-user data
Don't
Encode site, floor, or department — reorgs outlive clever schemes
Ship names tier-1 can't take over the phone
Renames After the Fact
Existing estates converge via the rename device action — bulk-driven through Graph for fleet-scale standardization — with the operational notes that the rename lands on sync and a restart finalizes the local truth. Hybrid-joined stragglers carry AD-side naming constraints and ceremony; one more argument for the Entra-native endgame.
The Adjacent Hygiene
Naming is one leg of device identity; the others ride along: primary-user correctness (the shared-device anti-pattern's accidental-owner problem), group-tag taxonomy as the real semantic layer, and duplicate-object cleanup so one physical machine isn't three console identities — the stale-cleanup rhythm's sibling chore.
Insights
The test for any naming scheme: can tier-1 go from a user's phonetic reading to the right console object in one search, and from a console object to the physical asset in one lookup? Serial-anchored prefixes pass both; clever schemes encoding site-floor-department pass neither after the second office move.
Four ways to unmake a Windows device — and how to pick the one whose survivors match your intent.
Enrollment has an exit: the lifecycle actions. Each destroys a different slice of device state and preserves the rest, so the skill is knowing the disposition first — reassign internally, leave the org, or end management on a personal machine — and picking the action whose preserve-list matches. Most cleanup pain is an action chosen before the disposition was.
The Four Actions
Action
User data
Enrollment & join
Autopilot registration & group tag
Right tool for
Wipe
Removed (a keep-enrollment-and-user variant exists for reset-in-place troubleshooting)
Removed; device lands back at OOBE
Survives — next boot re-provisions through Autopilot, tag intact
Offboarding, lost/stolen, clean rebuild
Autopilot Reset
Removed — personal files, apps, settings, and the primary user
Kept — Entra join held; re-enrolls when an Entra user signs in
Survives
Troubleshooting rebuild or OEM debloat, files untouched
Retire
Kept — only company data, Intune-deployed apps, and profiles removed (certificates revoked)
Removed at next check‑in
Survives if registered
Ending management on personally owned devices
Two rows carry traps. Retire on a corporate Entra-joined machine unjoins it — afterward no Entra account can sign in; recovery means a local-admin path. Retire is the BYOD tool. And Fresh Start withoutretain user data lands at an OOBE-completed state with the built-in administrator account — for a clean machine, Wipe re-provisions through Autopilot instead.
Encryption and Recovery Keys
Know the disk encryption interactions before, not after. Retiring or deleting the Intune object of an Entra-joined, encrypted device triggers a safeguard that removes key protectors and suspends encryption on the OS volume — capture the recovery key, and anything you need off the disk, first. Recovery keys escrow to the Entra device object: delete the record and the keys go with it. And after any wipe or reset, the rebuilt device silently re-encrypts and escrows a new key — old keys going stale post-rebuild is normal, not an incident.
Step-by-Step: Reassign with Autopilot Reset
Prerequisites: the device is Entra joined (hybrid-joined devices aren't supported — they take the full Wipe path and can need up to a day before redeploying), enrolled, and carrying a healthy Windows Recovery Environment — a disabled WinRE fails the reset immediately.
Capture what departs with the old user: confirm recovery-key escrow and save any local data — the reset removes personal files and the primary user.
Trigger the action from the device's blade under Devices > All devices. The device restarts into the reset; the user watches the machine rebuild and is blocked from the desktop until provisioning packages reapply and an Intune sync completes — no one touches a half-configured machine.
Watch the console: the device record never leaves Intune — same object, name, and group memberships, with the action's state on the device overview. A remote reset clears the primary user.
Hand off: the next person to sign in becomes primary user and Entra owner, their user-targeted apps and policy arriving with that session. Update any assignment metadata your naming and tagging hygiene tracks.
Verification: the device lands at a sign-in screen rather than OOBE, the new primary user populates after first sign-in, and compliance returns to green once first evaluations run. Shared devices stay shared — no accidental owner.
Step-by-Step: Offboard with Wipe
Harvest before you burn: the recovery key and LAPS password if any forensic or data need exists — record deletion later removes both.
Choose the variant deliberately. Default wipe for ordinary offboarding — interrupted, it attempts rollback. The protected wipe ("continue even if the device loses power") overwrites free space and wipes through interruptions — the lost/stolen choice, with a real trade: it can leave hardware unbootable. Data destruction or device survival; pick which you're buying.
Issue the Wipe and wait. The machine resets to factory state and lands at OOBE; the console shows the action pending until the device checks in, then completed.
Then — and only then — clean up: delete the Intune object and the Entra record once the wipe reports complete.
Decide the Autopilot registration's fate: hardware leaving the org gets deregistered (remove the hardware hash), or its first boot at the next owner lands in your tenant's enrollment; hardware staying in the fleet keeps its registration — that's what makes the next provisioning zero-touch.
Verification: completed shows in the device's action status, the records are gone, and — for departing hardware — the Autopilot devices list no longer carries the serial.
Operational Gotchas
Actions queue against offline devices. A Wipe or Retire sits pending until the device next checks in — potentially forever for a laptop in a drawer; the enrollment certificate's yearly lifetime bounds the wait. The honest model: encryption and access revocation protect offline hardware; the wipe executes only if the device returns.
Wipe, confirm, then delete — never delete first. Deleting the record tears down the management channel, so a queued wipe can never deliver; the machine keeps its data and you lose the lever. This ordering mistake is unrecoverable.
Retire doesn't revoke tokens. A retired device's sessions keep working until tokens expire or Conditional Access cuts them off at the next request.
"Who wiped it?" lives in the audit log — Tenant administration > Audit logs, Initiated By column.
Insights
Write the three dispositions into the offboarding runbook as named lanes — reassign (Autopilot Reset), departs (Wipe → delete → deregister), personal (Retire) — and make the ticket template ask which lane before any button is pressed. The actions are irreversible; the decision should be the slow part.
Autopilot registration surviving Wipe is the feature, not a bug: a wiped device that boots straight back into provisioning is how loaner pools and reassignment benches stay fast. Deregistration is an explicit leave-the-org step, not part of "cleaning up."
The Windows policy surface — how the Catalog maps to CSPs, where ADMX fits, and when OMA-URI is the honest answer.
The Windows Settings Catalog is the modern policy surface — per-setting policies with per-setting reporting — and the substrate underneath is worth understanding: every setting resolves to a CSP (Configuration Service Provider), the OS-native MDM policy surface documented in Microsoft's CSP reference. Knowing the CSP layer is what turns "the toggle didn't work" into a diagnosable event.
Settings Catalog (native CSP-backed) — thousands of settings, searchable by friendly name and CSP path. New policy starts here, full stop.
ADMX-backed settings — the Group Policy universe surfaced through MDM: the Catalog carries an enormous ADMX-backed set (Office, Edge, Windows components), and ADMX import lets you upload third-party ADMX templates (Chrome, Adobe, vendors) so their GPO-style settings deploy via Intune. This is how GPO knowledge transfers instead of dying.
Custom OMA-URI — raw CSP paths for the genuinely unexposed corner. Legitimate, occasionally necessary, always documented with the CSP doc link in the profile description — an undocumented OMA-URI profile is a future incident.
Migrating From Group Policy
Run Group Policy analytics (Devices > Group Policy analytics): import GPO reports, get per-setting MDM-mappability scores. Most modern-relevant settings map; the unmappable tail is usually legacy you should retire, not replicate.
Translate by intent, not 1:1 — twenty years of GPO accumulates contradictions the Catalog forces you to confront. Migration is the audit.
Declare the precedence winner for the overlap era: on hybrid devices, GPO and MDM can both apply; the MDMWinsOverGP policy declares the winner for conflicts. Decide it deliberately and ring it — surprise precedence flips are how transitions earn enemies.
Conflict Rules and Hygiene
Per-setting reporting names conflicts explicitly (two profiles disagreeing show the setting and both sources). The discipline that keeps the estate debuggable: one home per setting, intent documented in the description, naming convention Win-<Area>-<Audience>-v<N>, all under IntuneCD version control.
Insights
The Catalog search accepting CSP paths means Microsoft's CSP documentation doubles as your settings index — when a blog cites ./Device/Vendor/MSFT/Policy/Config/..., paste the leaf into Catalog search before reaching for OMA-URI.
MDM policy applies on a sync cadence, not gpupdate-instantly — pair any "why isn't it applying" hunt with the diagnostics workflow before assuming the policy is wrong.
VersioningNew versions never auto-apply — diff, pilot, migrate
Deploying One Without Breaking Friday
Endpoint security > Security baselines > pick (the core Windows baseline; Defender for Endpoint and Edge baselines exist separately) > create profile from the current version.
Read it before assigning it. Every baseline deployment that "broke the app" skipped this step. The classics that bite: legacy authentication shutoffs, attack-surface settings colliding with old agents, UAC/elevation behavior changes.
Pilot ring → department ring → fleet, exactly like update rings. Baselines are hundreds of simultaneous changes; respect the blast radius.
Customize sparingly and document every deviation in the profile — the delta between Microsoft's recommendation and your reality is precisely what auditors and successors need to read.
Versioning and Drift
Baselines version (e.g., as Microsoft revises guidance) — new versions don't auto-apply. The operating rhythm: when a new baseline version ships, diff it (the comparison view shows changed settings), pilot the new version, migrate profiles deliberately. An org running a three-year-old baseline version has quietly opted out of three years of hardening guidance.
Per-setting reporting doubles as drift detection: a device diverging from baseline shows exactly which setting — investigate, because something (a conflicting profile, a local actor, an agent) is fighting you.
Baselines vs. Your Own Catalog Profiles
They coexist: the baseline carries Microsoft's floor; your Settings Catalog profiles carry org-specific policy. Keep them non-overlapping (the one-home-per-setting rule) or per-setting conflict reports become your hobby. The community OpenIntuneBaseline project (tools page) is a strong Catalog-native alternative philosophy — settings as reviewable code rather than a sealed baseline object; many mature shops run that model instead. Either is defensible; neither is "we'll harden later."
Do
Read every setting before assigning
Ring it: pilot → department → fleet
Document every deviation in the profile
Diff and pilot each new baseline version
Don't
Run a three-year-old baseline version
Overlap baseline and Catalog profiles — one home per setting
Exempt by empty assignment — variants are documented, not silent
Frameworks: Microsoft Baselines & CIS
Two distinct things get casually called "the baseline," and conflating them is how fleets end up with conflicting policy. The Microsoft security baseline is a Microsoft-authored, opinionated set of CSP-backed settings shipped inside Intune under Endpoint security > Security baselines. The CIS Benchmark is a separate, community-consensus configuration standard published by the Center for Internet Security that you map onto Intune yourself (usually via the Settings Catalog). Microsoft is explicit that there is no one-to-one mapping between "CIS-compliant" and its own baselines — they consult bodies like CIS and NIST, but the recommendations are not the same artifact. Treat the Microsoft baseline as your floor and CIS as the contractual/regulated overlay.
Critically, Intune security baselines are a Windows-family-only feature. There is no Intune-delivered Microsoft security baseline for macOS, iOS, or Android — for those platforms you build hardening from the Settings Catalog and (on Mac) the macOS Security Compliance Project. See macOS: CIS & MSCP baselines for the parallel-but-different model on the Apple side.
Win 10/later baselineVersions to 25H2 (also 24H2, 23H2)
Format changeMay 2023: CSP-named settings
CIS profilesL1 workstation / L2 defense-in-depth
The Microsoft Baselines Available In Intune
Under Endpoint security > Security baselines the tile list shows each baseline type, how many profiles you have on it, how many version instances exist, and a Last Published date. The Windows-family baselines Microsoft ships are:
Security Baseline for Windows 10 and later (the MDM baseline) — the floor for managed Windows clients. Each Windows feature update can spawn a new version instance (current line runs 25H2, 24H2, 23H2, back through November 2021 / December 2020 / August 2020). It auto-enables BitLocker on removable drives, requires a password to unlock, disables basic authentication, and similar. The settings are pulled straight from the relevant CSPs.
Microsoft Defender for Endpoint Security Baseline — current instance 24H1 (older: v6, v5, v4, v3). Requires an active MDE license/onboarding; the baseline only configures Defender, it does not entitle it. Microsoft flags this one as optimized for physical devices and not recommended on VMs/VDI, because several settings degrade remote interactive sessions. Pair it with the Defender & Endpoint Security work and your ASR rules.
Microsoft Edge Baseline — versioned to track the browser; current instance is version 139 (April 2026), with 128 (Jan 2025), 117 (Nov 2023) and the 112 (May 2023) reformat behind it. Defaults include Basic-auth-over-HTTP Disabled, site isolation Enabled, SmartScreen Enabled, and Application Bound Encryption Enabled.
Windows 365 Security Baseline — current instance 24H1 (plus the legacy November 2021), tuned for Cloud PC. Use this instead of the MDE physical-device baseline on Cloud PCs, since it accounts for the virtualized session.
Microsoft also ships a Microsoft 365 Apps for Enterprise (Office) baseline (v2306) and HoloLens 2 baselines, but for a standard Windows fleet the four above are the operative set. In May 2023 Intune changed the baseline format so each setting now carries its native CSP name and configuration options — which is why a pre-May-2023 profile cannot be edited in-place and instead must be re-created (with a CSV export to map old values forward). Plan that migration deliberately; it is a one-time, side-by-side recreation rather than an in-place version bump.
Operational reality on versioning: when a new baseline version publishes, your existing profiles do not auto-upgrade — their settings go read-only (you can still edit name/description/assignments). Updating runs Update Version, which creates a new side-by-side instance and asks you to either keep your customizations or discard them to defaults. Assignments and scope tags are not carried over, so the classic post-update mistake is leaving the old instance assigned alongside the new one and generating a conflict. Remove the old assignment as part of the cutover.
Security Compliance Toolkit (SCT) And Policy Analyzer
Before Intune, Microsoft's baselines lived as Group Policy Object backups, and that channel still ships: the Security Compliance Toolkit (SCT). It is the right tool when you are still GPO/AD-joined, when you want to diff Microsoft's recommended settings against your live policy, or when you need to reconcile what an Intune baseline actually enforces versus the on-prem world during a migration. The SCT bundles the GPO baselines plus four utilities:
Policy Analyzer — treats a set of GPOs as one unit, highlights redundant or internally inconsistent settings, diffs baseline versions against each other and against current local policy + local registry, and exports to Excel. This is the workhorse for "what does this baseline version actually change" and for capturing a point-in-time snapshot to detect drift later.
LGPO.exe — command-line apply/export of Local Group Policy from Registry.pol, security templates, audit backups, or "LGPO text"; essential for non-domain-joined test rigs.
GPO2PolicyRules — CLI conversion of GPO backups to Policy Analyzer .PolicyRules files (ships inside the Policy Analyzer download).
As of this writing the SCT Download Center package carries the GPO baselines for Windows 11 25H2 / 24H2 / 23H2, Windows 10 22H2 (and older down to 1507), Windows Server 2025 / 2022 / 2019 / 2016, Microsoft 365 Apps 2512, and Microsoft Edge v139. Use Policy Analyzer to capture a baseline snapshot per feature-update ring, then re-run it after each Windows feature update — that diff is your audit evidence that the new build did not silently regress a control. The Intune baseline UI does not give you a clean cross-version diff, so the SCT remains the better forensic instrument even in a cloud-managed shop.
When a contract or regulator says "CIS," they mean the CIS Microsoft Windows Benchmark — currently Windows 11 Enterprise v5.0.1 / Stand-alone v5.0.0 and Windows 10 Enterprise v4.0.0 / Stand-alone v4.0.0. CIS organizes recommendations into profiles:
Level 1 (L1) — "a base recommendation that can be implemented fairly promptly and is designed to not have an extensive performance impact." This is the realistic floor for a workstation fleet: it reduces attack surface while keeping usability and business function intact.
Level 2 (L2) — "defense in depth ... intended for environments where security is paramount." CIS explicitly warns L2 "can have an adverse effect on your organization if not implemented appropriately or without due care." Expect to suppress or document a meaningful number of L2 items (e.g. aggressive lockout, credential-delegation, and removable-media controls) before they ship to general users.
A STIG profile now exists in place of the older "Level 3," for DISA STIG alignment.
For workstations the practical answer is L1 (workstation) as the deployable target and L2 reserved for high-assurance enclaves; the server benchmarks carry their own L1/L2 split for Domain Controller vs Member Server roles. Measure conformance with CIS-CAT Pro Assessor (the scanner that scores a device against the benchmark and produces the report auditors actually want), and accelerate remediation with CIS Build Kits — the GPO-format remediation content. Both CIS-CAT Pro and the Build Kits are gated behind CIS SecureSuite membership; the benchmark PDFs themselves are free for non-commercial use.
Mapping CIS Into Intune, And Reconciling Drift
CIS Build Kits are GPO artifacts, so on a cloud-managed fleet you do not apply them directly — you re-express the benchmark as Intune policy. Two routes: hand-build a Settings Catalog-style profile set in the Windows Settings Catalog (most CIS items map to a CSP that the catalog surfaces), or start from CIS's own CIS Microsoft Intune for Microsoft Windows Benchmark (Windows 11 / Windows 10 both at v4.0.0), which is written specifically against Intune's policy surface rather than GPO. That Intune-flavored benchmark is the cleaner starting point because each recommendation already names the Intune setting, sparing you the GPO-to-CSP translation. CIS also publishes companion Intune benchmarks for Edge, Microsoft Defender Antivirus, and Office.
The hard part is not the initial deploy — it is conflict resolution and drift. Three rules from production:
One owner per setting. A setting managed by both the Microsoft baseline and a CIS catalog profile, with different values, surfaces as Conflict on the device and the last-writer is non-deterministic. Decide which policy owns each contested setting and remove it from the other. Use the per-device Device configuration report (Devices > All devices > device > Device configuration) to find the offending policy pair.
Baseline is the floor, CIS is the overlay. Deploy the Microsoft Security Baseline for Windows 10 and later first, then layer only the CIS deltas that the baseline does not already satisfy. Do not deploy a full CIS L1 catalog on top of the full Microsoft baseline blind — you will create dozens of redundant or conflicting assignments.
Reconcile every feature update. Both Microsoft baselines and CIS benchmarks version per Windows release (24H2 vs 25H2 carry different settings; CIS bumps major versions). After each feature-update ring lands, re-run CIS-CAT Pro (or a Policy Analyzer snapshot diff) to catch settings that became Not applicable on the new build or that the new baseline version now defaults differently. Capture that report as your audit evidence — "matches default baseline" / "matches custom settings" status in the Intune baseline monitor blade is the per-tenant complement.
Note the licensing seam: an Intune baseline only configures a product, it does not grant it — the MDE baseline does nothing useful without MDE onboarding, and CIS conformance reporting needs SecureSuite. Wire baseline state into compliance policies so a device drifting off the floor loses Conditional Access, rather than relying on the baseline blade alone for enforcement.
Compliance policy and baselines are different jobs: baselines set the posture, compliance attests it to Conditional Access. You need both; they should agree.
Exempt-by-exception, never exempt-by-default: the kiosk that "can't take the baseline" gets a documented variant profile, not an empty assignment.
Rings, deadlines, feature-update pinning, expedited patches, and driver policy — the whole WUfB model.
WUfB is Intune-native update control: Windows Update delivers, your policy decides when and what. It replaces WSUS-era infrastructure with four policy types — learn the deadline model and the rest is scheduling.
1. Update Rings (Monthly Quality Updates)
Devices > Windows updates > Update rings — the heartbeat. A sane three-ring structure:
Ring
Quality deferral
Deadline / grace
Population
Pilot
0 days
2 / 1
IT + volunteers (~5%)
Broad-1
5 days
5 / 2
~30% cross-section
Broad-2
10 days
5 / 2
Remainder
The deadline + grace model is the part that matters: updates install politely during the deferral, then the deadline enforces — scheduled restarts, escalating UX, eventual forced restart after grace. This converts patching from a nagging campaign into physics: the date is policy, not aspiration. Resist deadline-less rings; they're how 90-day-old patches happen.
DeferralUpdate offered, installs politelyPer-ring days of soak before anything is forced
Grace expiredForced restartThe date is policy, not aspiration
2. Feature Update Policy (Annual OS Versions)
Pin each ring's target version (e.g., hold the fleet on the current release, move rings to the new one on your validation schedule). This is declarative version control — you state "the fleet runs version X" and the service converges on it: devices below the pin move up to it; devices on it hold. Decouples the annual feature-update project from the monthly quality rhythm.
3. Expedited Updates
The break-glass lane: an expedite policy pushes a specific security update now, overriding ring deferrals, for the Patch-Tuesday-gone-critical scenario. Keep one drafted and unassigned; assign it the morning you need it.
4. Driver Updates
Driver update policy ends the wild west: Windows Update's driver/firmware offers flow into an approval queue (or auto-approve with deferral, for the brave). Review monthly; approve known-good; the fleet stops self-installing surprise GPU drivers.
Insights
Windows Update reports (and the update ring report views) are the truth source — per-device update state, failure codes, and the alerting feed for "ring 1 is stuck." Wire them into a standing review rhythm: patch-age buckets, per-ring failure counts, and a stragglers list with named owners.
Ring membership via dynamic groups on stable attributes — and put every Windows device in exactly one ring; the unringed device is the unpatched device.
If maintaining even this feels like undifferentiated toil, that's the Autopatch pitch — next page.
Microsoft-operated update management — what it automates, what it costs you in control, and who should say yes.
Autopatch is Microsoft running your WUfB machinery as a service: ring creation and population, progression decisions, pause/rollback on detected regressions, and reporting — for quality updates, feature updates, and the Microsoft 365 Apps/Edge/Teams update streams. You bring eligible licensing (Windows E3/E5-class entitlements, Business Premium tier included); it brings the operational toil reduction.
Applies toWUfB machinery, operated by Microsoft as a service
RequiresWindows E3/E5-class entitlements; Business Premium included
CoversQuality + feature updates, Microsoft 365 Apps, Edge, Teams
Console pathThe Autopatch blade — per-ring health reporting
What It Actually Does
Auto-rings the fleet — devices distribute across test/first/fast/broad-style rings algorithmically; you stop curating ring membership spreadsheets.
Release management — Microsoft watches update health signals across its service telemetry and pauses or rolls progression when a release misbehaves, often before your own ring-1 ticket would have fired.
Covers the app updaters too — Microsoft 365 Apps channel management rides along, retiring another quiet maintenance duty.
Reports the whole thing in the Autopatch blade with per-ring health.
What You Trade
Control granularity. Autopatch's cadence and ring philosophy are its opinions — orgs with hard change-control calendars, regulated freeze windows, or app-validation gates tighter than the service's rhythm will fight it. The escape valves exist (device exclusions, some schedule shaping), but if you're escaping constantly, you wanted hand-rolled rings all along.
The Honest Decision Matrix
You
Verdict
Lean IT, standard-issue fleet, patching is toil not strategy
Move the update workload to Intune first; choose after the dust settles
Mixed
Autopatch the standard fleet; carve the regulated slice into manual rings — the models coexist by group
Insights
Autopatch consumes the WUfB machinery — understanding the previous page is still mandatory; you're choosing who operates it, not whether it exists.
Whichever path: the fleet-level KPI is identical — time-to-patched and stragglers count — and your inventory reporting should track it the same way across both managed populations so the choice stays evidence-based.
Silent enablement, key escrow to Entra, and the recovery workflow — encryption as a non-event.
The goal state: every Windows device encrypts itself silently at enrollment, escrows its recovery key to Entra ID, and no user ever sees a prompt. BitLocker done right is invisible; this page is the checklist that makes it so.
Applies toEvery Windows device, silently at enrollment
RequiresReady TPM; no third-party encryption owning the disk
Console pathEndpoint security > Disk encryption
Key escrowEntra ID — required before encryption begins
Prerequisites (Where Silent Enable Fails)
Silent enable requires all of: a ready TPM, no third-party encryption already owning the disk, no conflicting prompts required by the chosen settings (any setting demanding user input breaks silence — additional PIN-at-startup, notably, trades silence for that control; choose deliberately), and the standard-user allowance below. The classic failures: a vendor encryption agent half-removed during migration, and TPM-less VMs in the lab confusing the pilot data.
Step-by-Step: the Policy
Endpoint security > Disk encryption > BitLocker policy:
Require device encryption, OS drive with the TPM protector — the TPM is what makes unlock invisible to the user.
Hide recovery options and suppress prompts — the silent-enable posture; the user should never be asked to make an encryption decision.
Allow standard users to enable encryption: Yes — critical on Autopilot standard-user fleets; without it, your no-admin design blocks your encryption design.
Escrow the recovery key to Entra ID and require successful backup before encrypting — keys must land before you need them.
Keep the encryption method consistent (XTS-AES) so compliance reads cleanly across the fleet.
Assign ringed — pilot first, watching for the prerequisite failures above before any broad ring.
Verification
On pilot devices: the console shows the device encrypted, manage-bde -status agrees on-device, the recovery key is visible in the device blade (escrow proven, not assumed), and the compliance policy's encryption check reports green. A pilot that encrypts but doesn't escrow is a failed pilot — escrow is the point.
The Recovery Workflow
Keys escrowed to Entra surface in three places: the device blade (admin retrieval, audited), Graph (automatable; the audit log records every read), and the user's own self-service lookup via the My Account portal — the 2 a.m. road-warrior path that saves a helpdesk shift; publicize it.
Operational habits: rotate the recovery key after every disclosure (Intune exposes rotation as a device action and policy can auto-rotate on use), and treat a key-retrieval spike as the incident signal it is.
Compliance Tie-In
Compliance policy attests Require BitLocker / encryption of data storage — closing the loop: policy enables, escrow protects, compliance proves, Conditional Access enforces. The enable→escrow→attest chain makes the audit conversation a single story: every layer's evidence lives in the tenant, queryable on demand.
EnableSilent BitLocker policyTPM protector, no user prompts
EscrowRecovery key lands in Entra IDBackup required before encrypting
AttestCompliance proves itRequire encryption of data storage
EnforceConditional Access holds the keysThe whole chain, queryable on demand
Insights
Measure escrow coverage, not just encryption coverage: an encrypted disk with no escrowed key is a future data-loss ticket wearing a green checkmark. The inventory report reports isEncrypted; pair it with a key-presence audit via Graph for the real number.
Migrating from McAfee/Symantec-era encryption: decrypt → silent BitLocker is the boring, correct sequence. In-place protector swaps are where weekends go to die.
Passwordless sign-in done properly — enrollment scoping, cloud Kerberos trust, and the rollout that doesn't surprise anyone.
Windows Hello for Business (WHfB) replaces the password at sign-in with a device-bound credential unlocked by PIN or biometrics — phishing-resistant by construction, because the secret never leaves the TPM and never transits a network. It's the credential half of the cloud-native endpoint; Entra join is the identity half.
Applies toPer-device credential — each device enrolls its own
The Two Places It Turns On (Pick One Deliberately)
Tenant-wide enrollment policy — Devices > Enrollment > Windows Hello for Business: applies at enrollment time to every newly enrolling device. Blunt. If you're not ready fleet-wide, set this to Disabled and use…
Targeted policy — an Endpoint security Account protection profile assigned to groups: ringable, pilotable, the recommended path for staged rollouts.
The classic misconfiguration is forgetting #1 exists: orgs "piloting" WHfB via #2 while the tenant policy enrolls everyone anyway. Decide the pair together.
Settings That Matter
PIN complexity: minimum length 6+, allow biometrics (the PIN is the fallback; Face/fingerprint is the daily experience)
TPM required: Yes — the credential's whole security story
PIN history/expiration: leave gentle; the PIN unlocks a device-bound key, it isn't a password and shouldn't inherit password-theater rules
The On-Prem Question: Cloud Kerberos Trust
"But our file shares" — answered: cloud Kerberos trust lets WHfB-signed-in users on Entra-joined devices obtain Kerberos tickets for on-prem AD resources, with near-zero PKI ceremony (no per-device certificates, no key-trust object sync sagas). One Entra Connect-side setup, one policy toggle, and the legacy objection dissolves. If you're designing new in the 2020s, cloud Kerberos trust is the default trust model; the older key/certificate trust paths are for documented edge constraints.
Rollout That Lands Well
Ring it like everything else — and communicate the why: users read "set up a PIN" as a downgrade until told the PIN never leaves the laptop and can't be phished. One paragraph of comms converts the rollout from grumbling to gratitude. Pair with standard-user Autopilot and LAPS and the endpoint identity story is complete: no local admins, no reusable passwords, recoverable break-glass.
Do
Set the tenant-wide enrollment policy to Disabled before piloting by group
Keep PIN history and expiration gentle — it unlocks a device-bound key
Tell users the PIN never leaves the laptop and can't be phished
Don't
Pilot via Account protection while the tenant policy enrolls everyone anyway
Inherit password-theater rules for the PIN
Force per-device credential ceremony onto multi-user shared fleets
Insights
WHfB is per-device by design — a user's desktop and laptop each enroll their own credential. Expect and pre-answer the "why am I setting this up again" ticket.
Multi-user shared PCs are WHfB-awkward — a per-device credential per user multiplies enrollment ceremony. Frontline shared fleets usually want different sign-in patterns entirely: assigned access, FIDO2 security keys, or web sign-in depending on the workload.
SCEP issuance, 802.1X Wi-Fi, and Always On VPN — the Windows certificate chain from trusted root to working tunnel.
Certificate-based access on Windows is one architecture with three consumers: trusted roots anchor the chain, SCEP issues device and user identities from a shared backend (Cloud PKI, the Certificate Connector to AD CS, or third parties), and Wi-Fi/VPN profiles consume the result. Build the chain once, deliberately, and 802.1X and Always On VPN become routine consumers of it.
Issuance backendCloud PKI, or Certificate Connector + AD CS
→
Device & user certsidentities, SAN-traceable
→
Wi-Fi + VPN802.1X and Always On consumers
Certificates
Three profile types carry the chain: Trusted certificate (root + issuing), SCEP, PKCS — created under Windows configuration and pointed at one shared issuance backend. Keep a single PKI behind the whole estate; parallel PKI builds are how orgs grow expiring things nobody owns.
Windows adds the user vs device certificate distinction with real teeth: device certs for machine auth (802.1X before sign-in, Always On VPN device tunnel), user certs for user-context auth. Decide per consumer; SAN variables ({{AAD_Device_ID}}, {{UserPrincipalName}}) keep both traceable.
Renewal is Intune-automatic — and renewal failure is silent at fleet scale: nothing tells you until devices start falling off the network. Alert on issuance-backend health, and watch 802.1X failure spikes as the canary.
Wi-Fi (802.1X)
Deploy the chain in dependency order — each profile consumes the one before it:
Trusted certificate profile first — the root (and issuing) CA the device must trust before anything signed by it means anything.
SCEP profile next — issues the device or user identity certificate against that root.
Wi-Fi (Enterprise) profile last — EAP-TLS, the identity certificate reference from step 2, and server trust names for your RADIUS so clients refuse imposter access points.
The Windows wrinkle worth designing for: machine vs user authentication — machine-auth (device cert) keeps the laptop on corporate Wi-Fi at the sign-in screen, which Autopilot first-boots and pre-logon support flows quietly depend on. If your NAC team asks "user or computer auth," the modern answer is usually device-first.
VPN
Always On VPN is the Windows flagship: an IKEv2/SSTP (or vendor-client) profile that establishes automatically — with the device tunnel (device cert, pre-logon, management traffic) / user tunnel (user identity, app traffic) split for orgs that need always-reachable endpoints. Trigger rules (app-, name-based) give per-app-VPN-adjacent behavior.
Vendor clients (Cisco, Palo Alto, Fortinet, Zscaler et al.) deploy as Win32 apps with their config via profile or the vendor's mechanism — the standard app-plus-config pattern: the client arrives as an app, its settings arrive as policy.
The strategic note: for Microsoft-stack orgs, modern access increasingly routes through identity-aware proxies and ZTNA rather than classic VPN — if a VPN profile's only job is reaching two legacy apps, that's an application-modernization conversation wearing a VPN costume.
Insights
Sequence the chain into enrollment-critical, filter-shaped assignments so ESP-blocked first boots land on corporate networks with working auth — a first boot that finishes on open guest Wi-Fi is a device you'll be re-touching.
Test certificate removal: retire a pilot device and confirm Wi-Fi/VPN access actually dies. The revocation story is half the security value and the half nobody rehearses.
Peer-to-peer content delivery — the bandwidth strategy under updates, Store apps, and Win32 content.
Every byte Intune-managed Windows downloads — WUfB updates, Store apps, Win32 content, Defender intelligence — rides Delivery Optimization (DO), and on bandwidth-constrained sites, DO policy is the difference between Patch Tuesday and Patch Outage.
Microsoft CDNupdates, apps, definitions
→
First peersdevices at the site
→
Branch-matespull from peers, not the circuit
Prerequisites
A per-site bandwidth picture: circuit sizes, VLAN/NAT topology, and which sites are thin enough to hurt — the policy decisions below are topology decisions first.
The network team in the room: throttle numbers and peer ports are their domain; the profile simply encodes the agreement you reach with them.
A boundary strategy: decide what "local" means in your estate (per branch, per site, per VLAN cluster) before touching the GroupID dial.
The Download Modes
The core decision is the download mode, set via Settings Catalog:
Mode
Behavior
For
HTTP only
No peering; every device pulls from the CDN
Tiny/cloud-only sites, troubleshooting baseline
LAN peering
Peers within the same NAT
The simple default for single-network offices
Group peering
Peers within a GroupID boundary you define (by Entra tenant, AD site, or explicit GroupID)
Multi-VLAN sites and branch topologies — the enterprise workhorse
Internet peering
Peers beyond the org
Almost never in corporate fleets
Step-by-Step: Building the Policy
Choose the download mode from the table above. Group mode with deliberate GroupIDs is the high-leverage configuration: devices at a branch peer with branch-mates, the WAN carries one-ish copy, and the 200-seat site with a 100 Mb circuit survives a feature update.
Define the GroupID boundary. Group peering honors a boundary you set — by Entra tenant, AD site, or an explicit GroupID per location. Explicit GroupIDs are the precise tool for branch topologies: devices that should peer share an ID; devices that shouldn't, don't.
Set the bandwidth throttles. Percentage or absolute caps, business-hours vs after-hours splits — set the daytime cap from the network team's actual circuit numbers, and let after-hours run wider.
Review the caching dials. Minimum content size to peer, cache size/age, peering-eligibility floors (battery/disk) — defaults are sane; change them only with evidence from a real site.
Add Microsoft Connected Cache where peers aren't enough. A server-side cache appliance/role upstream of peers for the sites where peer density is too low — the branch-office answer when DO alone can't carry the load.
Assign the profile to the broad fleet, with site-specific variants (different GroupIDs, tighter throttles) targeted only where topology demands them.
Verification
DO reports its own efficiency: per-device, Get-DeliveryOptimizationStatus and the DO Settings page show peer-vs-CDN byte splits; fleet-wide, the Windows Update/DO reporting surfaces % from peers — the KPI. A site showing 5% peering under group mode has a broken boundary (GroupID mismatch, blocked peer ports) — diagnose the topology, because the CDN is silently eating your WAN meanwhile.
Insights
DO is invisible until the network team escalates — get ahead of it: the first conversation with networking should hand them the modes table, the throttle policy, and the ports DO peers on, making IT the team that brought a bandwidth plan rather than the one that consumed Tuesday's circuit.
Autopilot day-one events are DO's stress test — 200 simultaneous first-boots pulling the ESP-blocking stack is exactly when group peering pays for the afternoon you spent configuring it.
The browser as managed surface — policy via Catalog, update channels, extensions, and the profile/identity story.
Edge is the most-configured app on a Windows fleet — browser policy is a large share of effective security and UX policy. The good news: Edge's management surface is enormous, native to the Settings Catalog, and the discipline is choosing the slice that matters.
Step-by-Step: The Settings That Earn Their Keep
Settle identity and profiles first. Sign-in behaviors, automatic creation of a separate browser profile for the corporate identity, and clean separation between corporate and personal profiles — the foundation that makes everything else (sync, Conditional Access session controls) coherent.
Set the security floor. SmartScreen enforced (the broader story), TLS/downgrade protections, password-manager policy (corporate decision: Edge's manager configured or blocked in favor of the sanctioned vault), site-isolation defaults left alone.
Install the extension regime. The high-value control — block by default, allow-list the sanctioned set, force-install the corporate-required ones. Unmanaged extensions are unvetted code with page-content access on every device; the allow-list converts that from a standing risk into a review process.
Brand startup, homepage, and new-tab lightly. Homepage and new-tab pointed at the intranet/portal earns goodwill; locking every UX surface earns ridicule.
Pin the update channel. Edge updates ride its own updater — pin the fleet to Stable with the channel policy, and let Autopatch manage the cadence where it's deployed. A canary group on Beta channel is the cheap early-warning system for the line-of-business web app that breaks on next month's engine.
Do
Block extensions by default; allow-list and force-install the sanctioned set
Pin the fleet to Stable with a Beta canary group
Point homepage and new-tab at the intranet — lightly
Don't
Lock every UX surface — that earns ridicule, not security
Leave extensions unmanaged — unvetted code with page-content access
Scatter Edge settings across careless profiles — one home per setting
IE Mode (the Legacy Annex)
Where ancient internal apps demand Trident, IE mode with a managed site list confines them: the listed sites render in the compatibility engine inside Edge, everything else stays modern. Treat the site list as a shrinking artifact with an owner — every entry is modernization debt with a URL.
Verification
On a pilot device, edge://policy lists every applied policy, its value, and its source — the on-device truth for whether the profile landed. Fleet-wide, the per-setting status and conflict reporting confirm the estate agrees with the design before the broad rings receive the profile.
Insights
Write the policy intent once (extension regime, security floor, homepage) and keep it separate from the profiles that express it — intent survives setting renames and engine updates, and an auditor handed intent-plus-implementation signs off faster than one handed four hundred raw settings.
The per-setting conflict reporting matters double for Edge — its settings arrive from baselines, security profiles, and UX profiles simultaneously in careless estates. One Edge profile per intent, one home per setting.
Silent sign-in, KFM, and Files On-Demand — making the endpoint hold nothing irreplaceable.
The cloud-native blueprint's disposability property — any device is replaceable in an hour — rests on one unglamorous pillar: the user's files aren't on the device in any way that matters. OneDrive with Known Folder Move, configured silent, is that pillar.
Prerequisites
Entra-joined identity — silent sign-in rides the device's signed-in identity; that mechanism is what makes activation zero-prompt.
Your tenant ID at hand — KFM policy pins folder redirection to your tenant, not to whichever account happens to be signed in.
A quota and outlier review — know the per-user storage entitlement, and expect the handful of users with enormous local folders to surface during rollout (they will; see Rollout Reality).
Silently sign in users to OneDrive with their Windows credentials — zero-prompt activation riding the Entra-joined identity; the user never "sets up" OneDrive, it's simply on.
Silently move Windows known folders to OneDrive (Desktop/Documents/Pictures), with the tenant ID pinned and user notification per taste — the actual KFM. Pair with prevent users from redirecting known folders back so the posture sticks.
Files On-Demand: enabled — content streams on access, disk holds placeholders + recents; the policy that makes 256 GB devices viable and first-sync non-events.
Add the supporting cast. Block syncing personal OneDrive accounts on corporate devices — the corporate data boundary, enforced at the sync client — plus known-folder-only enforcement where you want it, and upload throttles coordinated with the DO bandwidth plan on thin sites.
Assign in rings, pilot first — the next section explains why this is a migration, not a toggle.
Rollout Reality
KFM on an existing fleet is a data-migration event wearing a policy costume: large Desktops upload, quota questions surface, and the one user storing 400 GB of video in Documents finds you. Ring it like an update — the pilot ring surfaces the outliers, and comms answer "where did my files go" (nowhere — same folders, now protected).
The Payoff, Spelled Out
Device dies → user signs into replacement → Autopilot rebuilds the stack → OneDrive rehydrates Desktop and Documents as placeholders → productive within the hour, zero data conversation. "Reset it" becomes a legitimate fix (the blueprint property) the day KFM coverage hits 100% — which is why KFM coverage % belongs on the same KPI chart as encryption and Autopilot rates.
Device diesLost, stolen, or brokenNothing irreplaceable lives on it
ReplacementUser signs into any registered unit
RebuildAutopilot reprovisions the stack
RehydrateDesktop and Documents return as placeholders
ProductiveWithin the hourZero data conversation
Verification
Verify in three layers. On a single device, the known folders' paths now resolve under the OneDrive root and the sync client reports healthy. Per ring, watch the OneDrive sync-health reporting as the move executes. Fleet-wide, the Remediations channel can report KFM state per device, turning coverage into the number the KPI chart wants.
Insights
The classic silent-KFM blocker is a file open and locked in a known folder during the move — the policy retries, but a pilot-ring eye on the OneDrive sync-health reporting catches the stuck stragglers before broad rollout multiplies them.
Managing UEFI itself through Intune — boot options, cameras, radios, below the OS, tamper-resistant.
Device Firmware Configuration Interface (DFCI) is the deepest control Intune offers on Windows: UEFI firmware settings managed as cloud policy — boot options, hardware radios, cameras — enforced below the operating system, immune to OS reinstalls and local admin ambition. It's also the most prerequisite-laden feature on this site, which is why most orgs who'd benefit have never deployed it.
Applies toDFCI-capable hardware only — verify per model line
RequiresAutopilot registration via the OEM/partner channel — harvested hashes don't bind
Console pathEndpoint security > the firmware interface surface
ControlsBoot media, cameras/mics, radios, virtualization — below the OS
What It Controls
A DFCI profile (Endpoint security > the firmware interface surface) manages, hardware permitting: boot from external media/USB (the headline — closing the boot-a-Linux-stick hole that no OS policy can), cameras and microphones at the firmware level (the regulated-environment ask), radios (Wi-Fi/Bluetooth below the OS), and CPU virtualization settings underpinning VBS/Credential Guard. Local UEFI menu changes to managed settings are refused — the firmware trusts the cloud authority, not the keyboard.
The Prerequisites (Read Twice)
DFCI-capable hardware — the OEM must ship UEFI that implements DFCI (Surface lineage and a set of enrolled OEM/model lines; verify your exact models against current OEM support statements).
Autopilot registration via the right channel — DFCI trust chains to Autopilot registration performed by the OEM/partner (or Microsoft-trusted path); hashes you harvested yourself don't establish firmware trust. This is procurement plumbing, decided at purchase.
The device enrolls through Autopilot; the DFCI profile targets the Autopilot device group.
Miss any leg and the profile simply doesn't bind — the classic DFCI "failure" is an ineligible device, not a broken policy.
Deploying It
Confirm hardware eligibility per model against current OEM support statements — eligibility is per model line, not per vendor, and the answer changes over time.
Verify the Autopilot registration channel. Registration must have come through the OEM/partner (or Microsoft-trusted) path; if your devices were hash-harvested in-house, fix procurement first — no profile setting compensates.
Create the DFCI profile (Endpoint security > the firmware interface surface) and define the firmware posture: boot-from-external-media, cameras and microphones, radios, the virtualization settings.
Target the Autopilot device group — DFCI binds to Autopilot-registered devices, so the device group is the natural assignment boundary.
Enroll (or re-enroll) the device through Autopilot. The firmware trust establishes during Autopilot enrollment; an eligible device that enrolled another way binds nothing until it goes through the right front door.
Verification
The profile's per-device status in the console is the first check, but the convincing test is physical: open the UEFI menu on a managed device and watch a managed setting refuse local change — enforcement below the OS, demonstrated once, buys the whole team conviction. Devices reporting as not applicable are the eligibility story above (hardware or registration channel), not a policy bug.
Where It Earns Deployment
High-assurance fleets (boot-path lockdown as audit line item), camera-prohibited environments (firmware-off beats OS-off in every review), and kiosk/signage hardware where physical access is assumed hostile. For the standard knowledge-worker fleet, BitLocker + Secure Boot + standard users already covers the realistic threat model — DFCI is precision equipment, not a default.
Insights
Decommissioning is part of the design: DFCI unenrollment must happen before the device leaves management forever, or you've manufactured firmware-locked e-waste — make unenrollment a standing line on the device retirement checklist; it's the deepest lifecycle landmine on the platform precisely because it survives everything else.
If DFCI is out of reach (hardware/channel), the honest fallbacks: UEFI passwords via OEM tooling and Secure Boot attestation in compliance — weaker, but real.
Single-app and multi-app Windows kiosks — the profile, the account model, and the Edge-kiosk pattern that covers half of all cases.
Windows kiosks ride assigned access: the OS confines a sign-in to a defined app surface. Intune's kiosk profile (Devices > Configuration > the kiosk template) expresses it two ways — and the enrollment story underneath is half the design.
one app, full screen, forever — signage, check‑in, lookupSingle-app modeAuto-logon local account; Edge kiosk + a URL covers half of all cases.
a curated app set behind a restricted shellMulti-app modeAllowed-apps list + Start layout, bound to specific accounts.
interactive frontline work with shift sign-inShared PC mode insteadAssigned access is confinement; shared PC is multi-user hygiene.
A defined app surface: know exactly what the confined session must expose — one app or a curated set — and which account model the floor plan demands.
Building a Single-App Kiosk
One app, full screen, forever:
Create the kiosk profile in single-app mode and let it create and manage the auto-logon local account — the device boots straight into the experience, no credentials in the lobby.
Choose the app. A UWP app, or — the workhorse — Edge in kiosk mode: a URL, full-screen or public-browsing behavior, idle-timeout reset. The "signage/check‑in/lookup screen" class is an Edge-kiosk profile and a URL, no app development required.
Pair the shell suppression with update discipline. The profile handles the shell; align update windows so deadline restarts respect the lobby.
Building a Multi-App Kiosk
A restricted shell exposing a curated app set:
Define the allowed-apps list (UWP and desktop apps by path/AUMID) plus a Start layout defining what the confined user sees.
Bind the configuration to accounts. The kiosk config targets specific local/Entra accounts or groups — which is how one device can be a kiosk for visitors and a workstation for the technician who signs in with a real identity.
Make the escape-hatch decisions explicitly. Taskbar visibility, folder access, every suppressed surface — each one is a workflow you've certified doesn't need it, and that certification belongs in writing, not in assumption.
The Operating Disciplines
The appliance rules: device-group targeting via Autopilot group tags, check‑in alerting because nobody complains for a kiosk, maintenance-window updates, and a remote-recovery ladder ending in reprovision-by-anyone thanks to self-deploying enrollment.
Verification
Test against the hostile-curiosity checklist before the device ships to its lobby: Ctrl+Alt+Del paths, edge-swipe/accessibility invocations, file-dialog escapes from print/save surfaces inside the allowed app. The assigned-access confinement is good, and the app's own dialogs are where determined visitors find Explorer — the allowed app's surface area is the kiosk's attack surface.
Insights
For interactive multi-app frontline scenarios with shift sign-in, compare honestly against shared PC mode + a tight Start layout — assigned access is confinement; shared PC is multi-user hygiene; conflating them produces the wrong tool politely misconfigured.
Many-user Windows done deliberately — account lifecycle, storage hygiene, and the settings that keep shared hardware healthy.
Shared PC mode is a deliberate policy set (the SharedPC configuration surface) that converts a device from "one human's machine" to rotating-population infrastructure — labs, frontline stations, training rooms, library floors — with the account, storage, and maintenance hygiene that rotating populations demand.
What the Mode Actually Does
Account lifecycle management: the headline. Local profiles accumulate on shared hardware until the disk chokes; shared PC mode deletes them by policy — at sign-out (strictest), at disk-space thresholds, or by age. Pick the deletion model per population: training rooms purge at threshold; exam labs purge at sign-out.
Guest/kiosk account options: a no-credential guest experience where the population is anonymous — distinct from assigned access confinement; guest mode is open computing with hygiene, kiosk is a locked surface.
Power and maintenance posture: the mode carries sleep/wake and maintenance-friendly defaults tuned for always-available shared hardware — review them against your update-window design rather than discovering the interactions.
Storage and restriction hygiene: local-storage discouragement pairs naturally with the real answer — OneDrive/KFM so whatever a user touches follows their identity, not the hardware.
every sitting must start clean — exam labsDelete at sign-outThe strictest model; no profile survives the session.
steady rotation where disk space is the constraint — training roomsDelete at thresholdProfiles persist until free space demands the purge.
The Composite Design
A working shared fleet is four pieces aimed at one device population (the enrollment page's dimension discipline):
Enrollment: self-deploying/pre-provisioned, no primary user
Shared PC mode: account lifecycle per the population's rhythm
Identity: Entra sign-in for known users (with Hello realities considered — per-device credential enrollment on rotating populations is friction; FIDO keys or web sign-in often fit shared fleets better) or guest mode for anonymous ones
Apps/policy: device-targeted everything, because user-targeted assignments on rotating populations produce install churn at every sign-in
Verification
Prove the lifecycle policy before the room opens: sign in with two or three test accounts, sign out, and confirm profiles purge per the chosen model (immediately at sign-out, or once the disk crosses the threshold). Then watch the C: drive's free-space and profile-count trend across the first real week of rotation — on a healthy shared fleet, both stay flat.
Insights
The failure smell of unmanaged sharing is always the same: a C: drive full of profile corpses and a stale primary user nobody remembers — shared PC mode is the systemic fix, and the Remediations channel makes a fine drift detector (profile count as an output string) for fleets that should be in the mode and aren't.
Decide the printer/peripheral story per room, not per ticket — shared rooms live and die on "can I print from any station," which is exactly the Universal Print brief.
Layout JSON, pinning policy, and the restraint doctrine — branding the shell without becoming the villain.
Shell customization is where IT's reach most visibly meets the user's sense of ownership — every pin and layout decision is felt daily, which makes this small policy family disproportionately political. The modern tooling is good; the doctrine matters more than the mechanics.
Step-by-Step: The Mechanics
Author the Start layout. Modern Windows takes a JSON pinned-layout definition delivered via Settings Catalog — your curated pins (Company Portal, the LOB suite, Office) in defined order. The historic XML approach belongs to older builds; check which your fleet's OS generation expects and don't mix eras in one estate.
Make the partial-vs-full lockdown decision. A pinned set users can extend versus a locked layout users can't touch. Knowledge workers get the former — seed the pins, surrender the rest. Kiosk and frontline surfaces get the latter, where the layout is the workflow.
Apply the same curate-vs-lock decision to the taskbar, plus the de-noising set — search box presentation, widgets/news feeds off on corporate fleets (consumer content surfaces in an enterprise shell read as unserious), chat/consumer-Teams entry points aligned with your actual collaboration stack.
Finish with the adjacent de-consumering. The Catalog's content-delivery and suggestion settings (app suggestions, welcome experiences, consumer features) — the single most appreciated invisible policy set you'll ship.
The Doctrine
Seed, don't cage. The defensible enterprise posture: a clean first-run (corporate pins present, consumer noise absent) with user freedom thereafter. Full layout lockdown on knowledge workers buys negligible security for maximal resentment — every pin a user can't move is a daily reminder of who owns the machine, and that's a currency you spend on things that matter. Lock layouts where the device is infrastructure (kiosk, shared), seed them where the device is someone's tool.
Do
Seed corporate pins on a clean first-run, then surrender the layout
Lock layouts only where the device is infrastructure — kiosk, shared
Check the result where it actually lands: a pilot-ring device's first sign-in after enrollment should render the curated pins in order with the consumer noise absent — screenshot it, because that first-run surface is the deliverable. For changes to existing devices, the layout applies after the next policy sync (a fresh sign-in is the reliable way to see it); confirm on one machine per OS generation before ringing wider, since the JSON-era and XML-era handling differ.
Insights
The Start layout is a first-impression artifact — it renders during the Autopilot first sign-in alongside the ESP and the branded enrollment; a deliberate layout there says "ready for you" the way a default one says "IT didn't finish."
Version the layout JSON in the repo and ring its changes — a fleet-wide pin reshuffle is a fleet-wide muscle-memory reset, and the pilot ring's grumbling is data.
Cloud-native printing — retiring print servers, deploying printers by policy, and the honest migration map.
Printing is the last on-prem dependency most "cloud-native" fleets quietly retain — Entra-joined laptops still whispering to a print server over VPN. Universal Print is Microsoft's retirement plan: printers registered to the cloud service, discovered by Entra identity, deployed by Intune policy, no print servers, no drivers on clients.
PrintersUP-native, or legacy via the connector
→
Universal Printcloud objects, Entra-group shares
→
Managed devicesuniversal driver — no servers, no driver packaging
The Architecture
Printer side: UP-native printers register directly (most current enterprise fleets from the major vendors); legacy hardware joins via the Universal Print connector — a lightweight Windows service bridging old printers to the cloud (the transitional crutch, not the destination).
Service side: printers live as cloud objects with Entra-group-based share permissions — who can print where becomes group membership, the same targeting muscle as everything else.
Client side: Windows speaks UP natively with the universal driver model — the driver-packaging hobby ends. Intune deploys printers via the Universal Print policy surface: target a group, list the printer shares, optionally set the default; users on managed devices simply have the right printers. Location-based discovery covers the roaming case.
Licensing: UP rides Microsoft 365 entitlements with pooled job allowances — do the volume math against your print reality before the design review does it for you.
The Migration Map
Inventory the print estate: per-printer model (UP-native?), monthly volume, owning group
Pilot one site: native printers direct, stragglers via connector, Intune policy deploying to the pilot group
Cut sites over group by group — the migration choreography in miniature: deploy UP printers, verify, remove legacy connections (a Remediation makes a tidy legacy-printer sweeper)
Retire servers as their queues empty — the actual point; a UP deployment that leaves every print server running bought complexity, not cloud
Verification
Per cutover wave: print a test page from a managed device to every migrated queue, confirm the job appears in Universal Print's service-side job visibility (one of the things you just bought), and sweep for lingering legacy printer connections — the Remediation sweeper from step 3 doubles as proof they're gone. The pilot site's ticket volume is the real scorecard.
Insights
The connector is the honest compromise and the classic permanent-temporary: give every connector-fronted printer a hardware-refresh exit date in the asset lifecycle ledger, or the bridge becomes the architecture.
Print is emotionally critical infrastructure — the pilot's success metric is silence: ring it with the accounting team's blessing during a non-close week, and let the absence of tickets be the case study.
The experience telemetry you already own — startup, reliability, and the evidence layer under "my computer is slow.
Endpoint Analytics is the answer to a question every IT org argues about with anecdotes: is the fleet actually getting slower? It's experience telemetry built into the platform — scores you mostly already license, waiting to be turned on and read.
What It Measures
Startup performance: boot and sign-in phase timings per device and per model — where the slow-logon investigation starts with data instead of a screen recording
Application reliability: crash/hang rates per app across the fleet — the evidence that one LOB app's build is hurting everyone, weeks before the ticket pattern would show it
Restart frequency and the health adjacencies that contextualize the rest
Each rolls into comparative scoring against baselines and your own history — the trend line being the product: direction, per model, per ring, per change.
Turning It On
Confirm the license tier. The core scores ride entitlements most enterprise tenants already hold; the Advanced Analytics tier extends the floor (anomaly detection, battery and resource depth) — evaluate it after you've exhausted the included layer, which most orgs never fully read.
Enable data collection via the Intune health-monitoring policy — scope follows the policy's assignment, so decide deliberately whether analytics covers the whole estate (usually yes) or named populations.
Wait for the baseline. Data populates over days, and the comparative scoring needs history before trend lines mean anything — resist reading week one as truth.
The Operating Patterns
Hardware refresh by evidence: startup scores by model age turn the hardware-refresh budget conversation into a chart — the devices below the line are the refresh list, defensibly
Change validation: ship a baseline or agent change to ring 1 and watch its scores for a week — regression caught as a number, not as a complaint volume
Remediation pairing: analytics finds the pattern, Remediations fixes it at scale, analytics confirms — the closed loop the two features were designed to be
DetectAnalytics finds the patternScores by model, ring, and change
FixRemediations act at scale
ConfirmAnalytics proves the recoveryThe closed loop the two features were designed to be
Insights
The political value equals the technical: "user experience" finally has a number both IT and the business read the same way — which converts the perennial perception fight ("everything's slow since the security agent") into a falsifiable claim with a dashboard. Sometimes the agent really did cost four seconds; now you know — and the vendor conversation starts from evidence instead of anecdote.
The WUfB driver service — approval flows, automatic policies, and bringing the last unmanaged update lane under control.
OS updates got rings and deadlines; apps got pipelines; drivers stayed the wild west — vendor utilities, manual downloads, and hope. The Windows Update driver-management service closes the gap: OEM-published drivers, surfaced per-device-applicable, deployed through Intune policy with the same ring discipline as everything else.
OEMpublishes to the driver catalog
→
Intune driver policyapplicability match + approval queue
→
Fleetringed rollout, reported per device
The Model
Intune's driver update policies ride Windows Update's driver catalog — the same channel OEMs publish through — with two operating modes per policy:
Manual approval: the service surfaces applicable drivers (matched to your actual enrolled hardware — no more guessing which fleet a driver touches); each waits in a review queue until approved, with a scheduled availability date. The change-controlled lane.
Automatic approval: applicable drivers flow on a deferral you set — the default-ring philosophy applied to drivers, appropriate once trust is earned.
Deployment then rides the normal Windows Update plumbing the fleet already trusts — Delivery Optimization, the update UX, the reporting surface.
Step-by-Step: Rings for Drivers
Drivers earn more caution than quality updates — they're the historical HVCI-blocker and safeguard-hold source. Structure the rollout accordingly:
Create a ring-1 policy on automatic approval with a short deferral — the canary fleet absorbing OEM regressions while the blast radius is a handful of devices.
Create the broad-ring policies on manual approval. Drivers reach the wide fleet only by promotion: approve from the review queue with a scheduled availability date, on the strength of ring-1 evidence.
Review firmware-class updates individually, always — a bad driver rolls back; bad firmware is a bench day.
Rehearse the pause and rollback controls once, on purpose, so the first real incident isn't a research project.
Verification
The policy reports name what's applicable, approved, and installed per device — read them after each promotion wave; a driver sitting at applicable-but-not-approved on a broad ring is a promotion you forgot, not a mystery.
What This Retires
The OEM agent sprawl — the vendor update utilities living on every device with their own schedules, elevation, and telemetry. Migrating driver authority to WUfB policy lets a deliberate Uninstall-assignment campaign sweep the agents away, shrinking the very attack-and-update surface they existed to patch.
Insights
Coverage check before victory: the catalog carries what OEMs publish to Windows Update — most enterprise lines are well-covered; specialty hardware may not be. The applicable-drivers report against your model list names the residual fleet that keeps a vendor tool — by choice, and documented.
Governing the AI surface — Windows Copilot, Edge AI features, Recall-class capabilities, and the policy posture that survives renames.
AI features are the fastest-moving policy surface on the platform — shipping, renaming, and re-scoping faster than any documentation cycle. The durable skill isn't a settings list; it's the posture framework plus knowing where each control lives.
Review cadenceQuarterly — every release ships AI policy changes
The Control Locations
Windows Copilot / on-OS AI surfaces: Settings Catalog policies govern presence and behavior of the OS-level assistant surfaces — taskbar entry points, the assistant's availability per device population. Names here churn; the Catalog search ("Copilot," "AI") on each release is the reliable discovery method.
Recall-class capabilities (the screen-snapshotting/recollection features on capable hardware): explicit disable/enable policies exist precisely because the data-governance stakes are obvious — regulated fleets set this first, on purpose, and the data-boundary questions deserve written answers: what gets captured, where it rests, who can query it.
Edge AI features: sidebar/assistant integrations ride Edge management's policy schema — the browser is its own AI surface with its own toggles.
M365 Copilot: licensed and governed service-side (M365 admin and data-governance tooling) — your endpoint policy decides surface visibility; the tenant decides data reach. Don't promise endpoint policy can govern what's a service entitlement.
The Posture Framework
Decide once, per fleet, three questions: (1) Which AI surfaces may exist (visibility), (2) what data may they touch (the DLP/boundary conversation — commercial data protection status, tenant grounding), (3) who's entitled (licensing reality from the editions page). Most estates land tiered: knowledge workers get sanctioned, tenant-grounded AI; regulated fleets get explicit-off on capture-class features; kiosk/shared populations get none, because an assistant on a lobby device is surface without a user.
the population is knowledge workersSanctioned, tenant-grounded AIApproved surfaces stay visible; the data boundary does the governing.
the fleet is regulatedExplicit-off on capture-class featuresRecall-class capabilities disabled first, on purpose, with written data-boundary answers.
the device is kiosk or sharedNo AI surfacesAn assistant on a lobby device is surface without a user.
Insights
Put this policy family on a standing quarterly review: each Windows and Edge release ships AI policy changes, and an unreviewed posture quietly becomes whatever Microsoft's current default is — which is a decision, just not yours.
Write the posture as intent ("no ambient screen capture on regulated fleets") not as setting names — the settings will rename; your one-line intent survives and the quarterly pass re-maps it.
Modern standby, lid-and-button policy, and the power settings that decide update success and battery lifespan.
Power policy looks like preference territory until you notice what rides on it: update installs need devices awake at the right moments, battery lifespan is a fleet cost, and "my laptop was hot in my bag" is a modern-standby story. The Settings Catalog's Power family, organized by what's actually at stake:
Step-by-Step: The Settings That Earn Configuration
Profile sleep, hibernate, and lid/button behavior, AC and DC separately: the corporate defaults conversation — aggressive-enough idle sleep for energy posture, hibernate-on-critical-battery so unsaved work survives, lid-close behavior matched to docking reality (the closed-lid-docked fleet wants do nothing on AC).
Set expectations for modern standby. Connected-standby hardware sleeps "lightly" by design — network-on, occasionally warm. The policy surface tunes the edges; the expectation-setting is yours: bag-heat tickets on modern-standby hardware are mostly physics plus a runaway app (Endpoint Analytics finds the app).
Align power with the update windows. Deadline-driven restarts need devices reachable and awake-able — power policy that hibernates everything into unreachability fights your own WUfB design; align sleep depth and wake permissions with the update rhythm so maintenance windows find devices they can actually wake.
Use the battery health levers where OEM hardware exposes them (charge thresholds via vendor tooling/policy on dock-resident fleets) — hardware that lives at 100% charge on a dock ages its battery fastest, and laptop carts deserve the same longevity discipline as any always-docked fleet.
Defaults per Fleet
Knowledge workers get humane defaults and user freedom inside them (the restraint rule); kiosk/signage gets never-sleep + scheduled-restart discipline; shared carts get the mode's maintenance-friendly posture reviewed, not assumed.
the fleet is knowledge workersHumane defaultsSensible sleep and hibernate posture, user freedom inside it.
the device is kiosk or signageNever-sleep + scheduled restartsAlways-on posture with restart discipline instead of idle sleep.
the fleet is shared cartsMaintenance-friendly posture, reviewedThe mode's defaults are a starting point — review them, don't assume them.
Verification
Validate on real hardware classes, not in the abstract: confirm a docked, lid-closed pilot device stays awake on AC and takes its update-window restart; confirm a battery device hibernates at the critical threshold instead of dying mid-document; and on modern-standby models, powercfg /sleepstudy names whatever kept the device warm in the bag.
Insights
Power policy is the hidden variable in three other pages' mysteries: the update-failure "won't install overnight" class, the sync-health "device asleep for days" class, and the slow-Monday-boot class. When those tickets cluster, audit power before anything clever.
Clock discipline as policy — why skew breaks Kerberos and TLS, the W32Time settings to deploy, and how to verify fleet-wide.
Nobody opens a ticket asking for time policy. They open tickets for what its absence breaks: Kerberos failures against hybrid resources that masquerade as identity mysteries, certificate validation errors around wrong time, 802.1X handshakes failing on skewed clocks, and log timelines that can't be correlated across devices. Kerberos tolerates only minutes of drift; everything downstream inherits the assumption that the fleet agrees what time it is.
ProtocolNTP over UDP 123 outbound
Console pathSettings Catalog > Administrative Templates > System > Windows Time Service > Time Providers
Skew budgetKerberos tolerates only minutes of drift
Verifyw32tm /query /status per device
How Windows Time Works Under Management
The Windows Time service (W32Time) syncs from a source determined by join state: Entra-native devices default to time.windows.com; domain-joined stragglers follow the AD hierarchy until they're migrated off it. Policy is needed exactly twice — when segmented networks block outbound NTP (UDP 123) and devices must use an internal source, and when you want the defaults enforced rather than assumed.
Recommended Configuration
Three moves, then verify:
Create the profile.Settings Catalog → Administrative Templates → System > Windows Time Service > Time Providers.
Set the values from the table below — the point is enforcing the defaults you currently only assume.
Assign to the all-Windows baseline group; firewalled sites get a filter-targeted variant pointing at the internal source.
Setting
Recommended value
Enable Windows NTP Client
Enabled
Configure Windows NTP Client → NtpServer
time.windows.com,0x9 (or your internal NTP source)
Configure Windows NTP Client → Type
NTP (Entra-native) · NT5DS only for domain-hierarchy devices
Configure Windows NTP Client → SpecialPollInterval
3600 (hourly)
Enable Windows NTP Server
Disabled (endpoints serve nothing)
Verification
Per device, w32tm /query /status is the truth (source, stratum, last sync); fleet-wide, a Remediation that flags offset beyond your threshold and triggers a resync turns clock health into a managed property with a compliance-style number attached.
Insights
Install the triage reflex: authentication failures that resist identity-side explanation get a clock check first — skew is a thirty-second test or a week of escalation, depending on when someone thinks of it.
The OT/manufacturing edge case is where this page earns its keep: isolated networks with no internet path need the internal-NTP variant before the first 802.1X rollout there, not after.
Automated disk hygiene by policy — the settings that keep updates installable, with the two dials that need deliberate choices.
Disk-full is the upstream cause of a whole class of failures: updates that won't install, profile bloat, slow sign-ins, and the 128 GB cohort limping through every release wave. Storage Sense is the built-in answer — automated cleanup of temporary files, Recycle Bin aging, and cloud-content dehydration — and under policy it runs fleet-wide without asking anyone to remember it.
Set the values from the table below, and treat the two flagged dials as deliberate decisions rather than defaults — the reasoning follows the table.
Assign broadly — this is baseline hygiene for the whole Windows estate, and the small-disk cohort feels it first.
Setting
Recommended value
Allow Storage Sense Global
Allowed
Config Storage Sense Cadence
7 (weekly) — or 0 to run only on low free space
Allow Storage Sense Temporary Files Cleanup
Allowed
Config Storage Sense Recycle Bin Cleanup Threshold
30 days
Config Storage Sense Downloads Cleanup Threshold
0 (never) — see below
Config Storage Sense Cloud Content Dehydration Threshold
60 days
Two dials carry real consequences. Downloads stays at never: users treat Downloads as storage whether you approve or not, and a policy that silently deletes their files manufactures the worst kind of ticket — data loss with your name on the change record. Dehydration at 60 days is the quiet hero: locally-cached Files On-Demand content reverts to cloud-only after two unused months, which is the single biggest silent disk reclaimer on KFM fleets — and entirely safe, since the files remain one click away.
Do
Leave Downloads cleanup at 0 (never) — users treat Downloads as storage
Set cloud-content dehydration to 60 days on Files On-Demand fleets
Make Storage Sense and Delivery Optimization agree on what "low disk" means
Don't
Ship a policy that silently deletes user files — data loss with your name on the change record
Let cleanup and the DO cache take turns undoing each other
Verification
The win is measurable: free-disk percentiles by model from the inventory rhythm, charted before and after rollout. Endpoint Analytics surfaces the downstream effect as the disk-pressure complaints thin out.
Insights
Pair this page with Delivery Optimization's cache sizing deliberately — DO defends a cache, Storage Sense reclaims space, and the two should agree on what "low disk" means or they'll take turns undoing each other.
The small-disk cohort is the policy's report card: if the 128 GB fleet's free-space curve doesn't lift within a month, the problem isn't hygiene — it's the hardware refresh-spec conversation this chart now lets you have with evidence.
The .intunewin pipeline — packaging, detection, requirements, dependencies, and supersedence done properly.
Win32 is the workhorse Windows app type: any installer (MSI, EXE, scripts-around-either) wrapped into .intunewin, delivered by the Intune Management Extension with real logic around it. The standing rule: package everything as Win32 — the legacy "LOB MSI" type lacks the logic below and mixing types causes more grief than standardizing ever will.
Console pathApps > Windows > Win32
RequiresIntuneWinAppUtil.exe — the Win32 Content Prep Tool
Delivered byIntune Management Extension
LogIntuneManagementExtension.log
The Pipeline
WrapSource → .intunewinContent Prep Tool encrypts the installer
CreateCommands + behaviorSilent install/uninstall, System or User context
DetectThe installed contractMSI code, file, registry, or script
Install / uninstall commands — silent flags are your job (setup.exe /S, msiexec /i app.msi /qn); wrap complex installs in PowerShell, or adopt PSAppDeployToolkit for anything with pre/post logic, user dialogs, or process-closing needs — it's the community standard for a reason.
Install behavior: System for machine-wide (the default posture), User for per-profile apps.
Detection rules — the contract that tells IME "installed": MSI product code (cleanest), file/version, registry, or a custom script (exit 0 + stdout = detected) for anything nuanced. Bad detection is the #1 Win32 failure class: app installs fine, detection never confirms, Intune retries forever.
Requirements — OS floor, architecture, optionally a requirement script (e.g., "only laptops") — requirements gate before install, sparing the failure column from not-applicable noise.
Dependencies: "this app needs the VC++ runtime first" — declared, and IME sequences them. Chains stay shallow or debugging gets archaeological.
Supersedence: new version replaces old — with or without uninstalling the predecessor. This is your in-place upgrade mechanism; pair with versioned detection and app updates become routine instead of events.
Delivery Mechanics Worth Knowing
Content delivers from Intune's CDN (with Delivery Optimization peer-sharing — configure its policy on bandwidth-sensitive sites). IME logs every decision in IntuneManagementExtension.log — the first stop for any install dispute. System-context installs run 64-bit-hosted; scripts touching the registry/filesystem should be bitness-aware (sysnative from 32-bit hosts).
Verification
Before broad assignment, prove the loop on one clean machine: the install lands, the detection rule confirms it (the per-device status flips to installed only after detection passes), and the uninstall command genuinely removes it. Fleet-wide, the app's install-status report is the truth; a climbing failure count nearly always traces to detection logic or a silent-flag regression, and IntuneManagementExtension.log on a failing device settles which.
Insights
Test the uninstall command with the same rigor as install — supersedence, retirement, and "remove the broken version" all depend on it, and nobody tests it until production needs it.
Keep a packaging repo: source, wrapped output, commands, detection logic, version history — Win32 packaging is tribal knowledge that belongs in Git, not in one engineer's Downloads folder.
ESP-blocking Win32 apps get extra scrutiny: every minute of their install time runs on the enrollment clock.
The Microsoft Store (new) app type — winget-backed deployment with auto-update for free.
The Microsoft Store app (new) type is Intune's integration with the winget ecosystem: search the Store catalog from inside Intune, click add, assign — no packaging, no update pipeline, because the Store keeps the app current. For everything it covers, it deletes an entire maintenance category.
Console pathApps > Windows > Add > Microsoft Store app (new)
CoversUWP and vendor-published Win32 in the Store catalog
UpdatesAutomatic — the Store keeps the app current
Verifywinget list shows package and version per device
What It Covers
The modern Store carries both UWP and traditional Win32 apps published by their vendors (Company Portal, browsers, common utilities, a growing long tail). If the app you package quarterly is in the Store catalog, you've been volunteering.
The Loop
Apps > Windows > Add > Microsoft Store app (new) → search the catalog in-blade → select.
Choose install context where offered (System for machine-wide).
Assign Required/Available. Done — IME + the Store plumbing handle delivery, and updates flow from the Store automatically thereafter.
Compare the Win32 page's pipeline length and the value proposition states itself.
Verification
The per-app install status report covers the fleet view; on any single device, winget list shows the installed package and version — useful when you want to confirm the Store's auto-update actually moved the fleet after a vendor release.
The Decision Matrix
App
Type
In the Store catalog, vendor-published, no install customization needed
Store (new) — always
Needs transforms, config files, pre/post logic, or license keys at install
Win32 for the install, accept you own updates — or app-config via policy post-Store-install if the vendor supports it
Company Portal itself is the canonical Store (new) deployment — make it the first one you create.
Insights
Auto-update is the feature and the trade: versions move on the vendor's schedule. The handful of apps your org pins (validated plugin chains, regulated tooling) stay Win32 with supersedence — deliberate version control is the one thing the Store type doesn't sell.
Older "Microsoft Store for Business" content is retired history — if a guide references it, the guide predates the current model; translate to Store (new)/winget.
The same winget engine is scriptable on devices (winget install, via scripts) for edge automation — handy in labs, but fleet deployment belongs in the app type where reporting and assignment live.
Required vs Available, Company Portal as the front door, and an update doctrine per app class.
Individual app types are mechanics; this page is the doctrine — how a fleet's app estate stays coherent at scale.
Required vs Available (vs Uninstall)
Required: installs silently, repairs on drift (detection-driven), the device must have it. Reserve for the true core — security agents, the apps the business runs on.
Available: appears in Company Portal for self-service. The default for everything else — every Available app is a helpdesk install request that never happened and an ESP minute never spent.
Uninstall: the retirement assignment — pair with the replacement's Required rollout when sunsetting; don't leave zombie installs to attrition.
Layer with filters: one app, one packaging, many shaped assignments — Required to the department that lives in it, Available to everyone else.
the business runs on it — security agents, the true coreRequiredInstalls silently, repairs on drift; the device must have it.
anyone might want it, nobody must have itAvailableSelf-service in Company Portal — a helpdesk request that never happened.
the app is being sunsetUninstallPair with the replacement's Required rollout; no zombie installs left to attrition.
Company Portal Is a Product — Treat It Like One
Branding (Tenant administration > Customization: logo, support links, categories), app categorization, and featured apps decide whether self-service happens. A curated Portal with ten categorized, described apps beats a 200-item alphabet dump — storefront curation is the difference between a portal users open and one they ticket around. Deploy Company Portal itself via Store (new), Required, fleet-wide.
Vendor auto-update where trustworthy; pinned + superseded where not — decide per agent, in writing
The anti-pattern: no doctrine — where every app updates by whichever mechanism it shipped with, and the vulnerability report becomes a quarterly surprise.
Do
Give every app class a written update mechanism
Decide vendor auto-update per security agent, in writing
Watch the per-device truth with the App Install Status report
Don't
Let every app update by whichever mechanism it shipped with
Treat the vulnerability report as a quarterly surprise
Insights
Enterprise App Management (the Intune Suite add-on catalog of pre-packaged, Microsoft-maintained third-party apps with update handling) is worth an evaluation if Win32 packaging volume is a real cost center — it's purchased toil-reduction for exactly the table row above that hurts most.
Measure the estate: point the App Install Status script at any Windows app for the per-device truth, and run failure triage with a consistent ladder — the Win32 failure taxonomy is the deep-dive when a specific app's numbers turn red.
One-shot PowerShell and detect-fix pairs — the automation layer that closes the gap between policy and reality.
Two script vehicles ride the Intune Management Extension, and choosing correctly between them is the difference between automation and entropy.
it's one-time state that policy can't expressPlatform scriptRuns once per device — migration cleanups, legacy agent removal, initial state-sets.
it must stay trueRemediationDetect + fix on a schedule — drift gets noticed, corrected, and reported.
you only need fleet telemetryDetect-only pairA remediation that never fires — a free scheduled audit, output string as the data column.
Platform Scripts (One-Shot)
Devices > Scripts and remediations > Platform scripts: a PowerShell script that runs once per device (re-running only if the script changes). Context (System/User), 64-bit host toggle, signature enforcement optional.
Right uses: one-time configuration that policy can't express — a migration cleanup, a legacy agent removal, an initial state-set. Wrong use: anything that must stay true — a one-shot script can't notice drift, which is precisely the next section's job.
Remediations (Detect + Fix, on a Schedule)
The crown jewel: paired scripts — detection (exit 0 = healthy, exit 1 = remediate) and remediation (the fix) — running on a schedule (hourly/daily) with fleet-wide reporting of detected/remediated counts and per-device output strings.
This is desired-state enforcement for everything between policy's reach and reality:
Service X must be running and auto-start → detect checks, fix corrects
The legacy agent must stay gone → detect finds remnants, fix removes
Registry/config drift on settings no CSP covers → detected, corrected, reported
Fleet telemetry: a detect-only pair (remediation never fires) is a free scheduled audit with the output string as your data column
Doctrine: detection scripts are fast and side-effect-free; remediation scripts are idempotent (safe to run twice); both write one terse, meaningful line to stdout — that string is your report.
Building a Pair, Step by Step
Author the detection script against the doctrine above: check the condition, write one line to stdout, exit 0 (healthy) or 1 (remediate) — nothing else.
Author the remediation as a script you'd be comfortable running twice on the same machine, because the schedule eventually will.
Create the pair under Devices > Scripts and remediations: upload both scripts, set run context (System for machine state, User for per-profile state), and the 64-bit toggle for anything touching the native registry/filesystem views.
Set the schedule — daily is right for most pairs; hourly is for the few that earn it (see Insights).
Assign to a pilot group first and read the detected/remediated counts and per-device output strings before broadening — a detection bug at fleet scale is a fleet-scale false alarm, or worse, a fleet-scale fix for a problem that wasn't there.
The Hierarchy of Enforcement
Reach for tools in this order: Settings Catalog/CSP (the OS enforces) → Remediation (you enforce on a schedule) → Platform script (you set once and hope). Every remediation is a small confession that policy couldn't express the need — fine, but when a Catalog setting later appears for it, retire the script. Script estates only grow unless gardened.
FirstSettings Catalog / CSPThe OS enforces it
ThenRemediationYou enforce it on a schedule
LastPlatform scriptYou set it once and hope
Insights
Version control the lot (the repo discipline) — scripts-in-portal-only is how orgs lose the why behind forty remediations.
Output strings are queryable via Graph — a detect-only remediation plus a scheduled Graph pull is a poor admin's fleet telemetry pipeline, and frequently all you need before buying one.
Mind the schedule budget: forty hourly remediations on battery-powered laptops is a power-and-CPU tax; daily is right for most, hourly for the few that earn it.
The built-in suite app type, channel strategy, and the XML decisions that shape every desktop's Office.
The Office suite is most fleets' largest deployment, and Intune ships it a first-class app type: Microsoft 365 Apps for Windows — the Office Deployment Tool's machinery wrapped in a designer (or fed your own XML), with the update story handled by channel policy rather than packaging.
Console pathApps > Windows > Microsoft 365 Apps
Architecture64-bit, at this point unconditionally
Corporate default channelMonthly Enterprise
ESP postureRequired, never blocking
Step-by-Step: Creating the Deployment
Create the app: Apps > Windows > Microsoft 365 Apps — the designer view covers the common path, or feed it your own XML.
Compose the suite deliberately. Deselect the apps your org genuinely doesn't deploy — Access on 5,000 devices that need it on 50 is support surface for nothing.
Pick the architecture: 64-bit, at this point unconditionally.
Choose the update channel — the decision the next section unpacks, because the channel is the update policy.
Switch to the XML configuration view when the designer runs out: language packs, shared computer activation (shared PC and multi-session AVD fleets need it), exclusions, and pinned-version scenarios — the full ODT vocabulary.
Assign in rings — the channel section below covers the pilot-to-fleet pattern and which authority owns the dial.
The Channel Decision
The channel is the update policy:
Channel
Rhythm
For
Monthly Enterprise
Monthly, predictable, enterprise-targeted
The corporate default — change-controlled cadence with security currency
Current
Features as they ship
The canary ring and the teams who asked
Semi-Annual Enterprise
Twice yearly
Regulated/validation-gated estates; increasingly a niche posture
Ring it like everything else: a Current-channel pilot population feeding a Monthly Enterprise fleet, with channel set via the app XML or Settings Catalog policy — and if Autopatch runs your estate, it operates these channels for you; know which authority owns the dial.
Configuration Is a Separate Layer
The app type installs; behavior comes from policy — the Office ADMX-backed Catalog set (macro security tiers, privacy/telemetry options, the feature toggles your security review cares about) plus the Cloud Policy service for user-identity-following settings. Deployment, update channel, configuration — three layers, three owners, documented.
Layer 1DeploymentThe suite app type installs Office
Layer 2Update channelChannel policy owns the cadence
Layer 3ConfigurationADMX-backed Catalog set + Cloud Policy
Verification
On a pilot device, any Office app's Account page states the channel and build — confirm both match the design before trusting the fleet view. At scale, the app's install status plus the per-setting policy reports tell you deployment and configuration both landed; the classic miss is a device that installed fine but rides the wrong channel because two authorities disagree.
Insights
The suite app is the classic ESP-blocking temptation and the classic mistake — Office is enormous, and no one needs Word in the enrollment hour. Deploy Required, never blocking; the pre-provisioning bench absorbs it where day-one-complete genuinely matters.
Migrating estates with MSI-era Office or vendor-bundled trials: the XML's remove-MSI directive and a deliberate cleanup pass beat coexistence archaeology — Office side-by-side states generate the weirdest tickets in the catalog.
The curated Win32 catalog — Microsoft-packaged third-party apps with update handling, honestly evaluated against your packaging treadmill.
Win32 packaging is a craft; Enterprise App Management (the Intune Suite capability) is the offer to buy your way out of a chunk of it: a Microsoft-maintained catalog of pre-packaged third-party Windows apps — install logic, detection, and crucially update lifecycle handled — deployed through the same Apps blade as everything else.
LicenseIntune Suite
CoversThe common third-party Win32 canon — curated, Microsoft-packaged
UpdatesCatalog-packaged, with controls for how they roll
UnderneathStandard Win32 — IME delivery, supersedence, filters
What It Actually Does
Catalog apps: browse/search the curated set (the common-third-party canon: readers, browsers, runtimes, utilities, the long tail growing by release), add, assign — no IntuneWinAppUtil, no silent-switch archaeology, no detection-rule authorship.
Update management: the headline. When the vendor ships a new version, the catalog packages it and surfaces the update — with controls for how it rolls — converting "who repackages 7-Zip this month" from a rota item into a review click. Self-updating apps get their updaters handled consistently rather than per-app folklore.
Same machinery underneath: catalog apps are Win32 apps in the end — IME delivery, supersedence semantics, standard reporting, filters — so nothing about your assignment doctrine changes.
The Honest Evaluation
Score it the suite way: your app list ∩ the catalog, priced in packaging-hours saved. Estates whose Win32 load is mostly common third-party apps see the treadmill shrink dramatically; estates whose load is internal LOB and exotic vendors keep packaging regardless — the catalog can't carry what only you have. Most real fleets land mixed: catalog for the canon, hand-packaging + PSADT for the rest, and the doctrine table gains a row.
Where It Sits vs Store (New)
Store/winget apps already auto-update for vendor-published Store entries — the catalog's territory is the Win32 world beyond the Store, with enterprise update governance the Store's auto-pilot doesn't offer (controlled rollout vs vendor-schedule). Decision order per app: Store (new) → Enterprise App Catalog → hand-packaged Win32 — first match wins.
FirstStore (new)Vendor-published, auto-updating
SecondEnterprise App CatalogWin32 beyond the Store, updates governed
FallbackHand-packaged Win32Internal LOB and exotic vendors
Insights
The strategic value is risk, not just hours: stale third-party apps are a top vulnerability class, and the catalog converts "patching Chrome-adjacent utilities" from best-effort to managed — pull your Defender vulnerability data for third-party app findings and price the catalog against that list for the security-budget conversation.
App protection on personal Windows devices — the Edge-anchored model, what it covers, and where it honestly stops.
The BYOD answer on Windows is MAM for Windows: App Protection Policy thinking applied to personal PCs, anchored in Microsoft Edge with Windows Security Center health signals as the device-trust input. It's a deliberately narrow surface, and used for what it is, it closes a real gap.
Applies toPersonal, unenrolled Windows PCs
AnchorMicrosoft Edge — the signed-in corporate profile
Trust inputWindows Security Center health signals
RequiresConditional Access steering — without it, a policy waiting for traffic
The Model
The protected surface: corporate identity in Edge — the signed-in corporate profile's tabs become the managed boundary, with APP-style controls (cut/copy/paste restrictions toward unmanaged surfaces, save-as governance — the data-egress vocabulary of app protection) applied to corporate web sessions and the web-app estate they carry.
Health-based conditional launch: the policy consumes device health attestation-adjacent signals via the Windows Security Center integration — threat level, basic posture — gating corporate access in Edge on a device you don't manage.
The enforcement pair: Conditional Access policies targeting the unmanaged-Windows population route corporate access through protected Edge — without CA steering, MAM for Windows is a policy waiting for traffic.
Standing It Up
Draw the corporate/personal line first: enrollment restrictions decide who can enroll, which is what makes "personal device" a deliberate population instead of an accident.
Create the App Protection Policy for Windows — the Edge-anchored controls above, including the health-signal conditional-launch thresholds — and assign it to the BYOD user population.
Create the Conditional Access steering: policies that require the protection-policy-covered Edge path for corporate access from unmanaged Windows devices, so the only door is the governed one.
Pilot before broadening — and pilot the workload, not the feature; the Insights bullet below is the test plan.
Verification
From a personal, unenrolled test device: sign into a corporate web app through Edge and confirm the protection actually applies — try the copy/paste you claimed to block — then confirm that going around Edge fails closed under the CA policy rather than open. In the console, the app protection report shows the policy reaching users; the sign-in logs show the steering firing.
Where It Honestly Stops
This is browser-and-web-estate protection, not device-wide MAM: the native desktop Outlook on a personal PC is not inside this boundary — the personal-device answers for thick clients remain "don't" (web/VDI instead), Windows 365 (the corporate desktop as a service is the strongest personal-device story Microsoft sells), or enrollment after all. Set the scope expectation in the design doc before someone discovers it in an incident review.
The Population Architecture
The complete Windows access-tier table: corporate (enrolled, the blueprint) → personal, web-sufficient workload (MAM for Windows + CA) → personal, full-desktop workload (Cloud PC) → refusers (browser-only with CA session controls, or nothing). Every user lands in exactly one row, enrollment restrictions enforce the corporate/personal line, and the BYOD policy writes itself.
the device is corporateEnrolled — the blueprintFull management; compliance proves the device.
it's personal and the workload is web-sufficientMAM for Windows + CACorporate access through protected Edge, no enrollment.
it's personal and the workload needs a full desktopWindows 365 Cloud PCThe corporate desktop as a service.
the user refuses all of itBrowser-only with CA session controls — or nothingNothing reaches corporate data ungoverned.
Insights
Pilot with the workload test, not the feature test: pick ten real BYOD users, inventory what they actually touch, and verify the web estate covers it — MAM for Windows succeeds or fails on workload fit, and discovering the thick-client dependency in week one beats month three.
The container-adjacent package format — where it shines, where Win32 remains king, and how the two coexist in one estate.
MSIX is Windows' modern package format: declarative install, clean uninstall (no registry archaeology left behind), per-package isolation, and differential updates that ship only changed bytes. It's also a decade into "the future of Windows packaging" while Win32/.intunewin still carries most enterprise freight — this page is the honest map of both facts.
What MSIX Genuinely Buys
Lifecycle hygiene: installs are transactional, uninstalls are complete, and "the app left debris that breaks the reinstall" exits your troubleshooting taxonomy for these apps
Update efficiency: block-level differential updates — a 2 GB suite shipping a 40 MB patch matters at bandwidth-constrained sites
Deployment simplicity: Intune's MSIX line-of-business path needs no wrapping, no detection-rule authorship (identity and version are the package's own metadata)
The Constraints That Keep Win32 King
MSIX's containment model constrains apps that expect the old world — services, drivers, deep shell integration, installers with imperative logic. Vendor MSIX adoption concentrated in well-behaved app classes; the legacy long tail and anything needing PSADT-grade choreography stays Win32. Signing is non-negotiable: MSIX must be signed by a certificate the fleet trusts — vendor-signed ideally; your own packages signed with an org cert whose trust you deploy (the certificate chain earning another job).
The Estate Doctrine
Format follows the artifact, decision order per app: vendor ships MSIX → take it (the benefits are free); Store (new) carries it → even easier (Store packages ride this machinery under the hood); repackage-to-MSIX yourself → only with a reason (the repackaging effort buys lifecycle hygiene for apps that tolerate containment — a deliberate modernization project, not a default); everything else → Win32 without apology. One estate, one doctrine table, formats coexisting by design.
the vendor ships MSIXTake itThe lifecycle and update benefits are free.
Store (new) carries the appEven easierStore packages ride this machinery under the hood.
you'd be repackaging to MSIX yourselfOnly with a reasonA deliberate modernization project, not a default.
App attach is MSIX's killer app in AVD estates: packages mounted into sessions at sign-in rather than baked into images — the image-sprawl cure for pooled hosts, and the strongest single reason a Windows admin learns this format deeply.
Certificate expiry on self-signed MSIX is a delayed-action outage — the package that installs fine today refuses on machines tomorrow; treat signing certs as renewable infrastructure with named owners and calendar reminders, the same discipline you apply to every other expiring trust anchor in the estate.
Running your own winget REST source — internal packages with package-manager ergonomics, honestly scoped.
Store apps and winget covers the public catalog; the natural next question is "can our internal apps live in winget too?" Yes — via a private winget REST source — and the full answer includes when that's worth running versus letting Win32/Enterprise App Management carry the load.
The Model
The winget client speaks to sources; beyond the public catalog, it federates any endpoint implementing the REST source API. Microsoft ships the reference implementation — winget-cli-restsource, an Azure-deployable service — and your internal packages publish into it as manifests pointing at your installers.
Internal installersversioned like the software they describe
Standing One Up
Deploy the REST source: winget-cli-restsource into your Azure subscription, fronted from day one by the access controls the Insights bullet insists on.
Author and publish the manifests for your internal packages — metadata plus installer locations, versioned like the software they describe.
Test the loop: on a configured device, winget source list shows the private source, and winget install your-internal-app works exactly like the public catalog.
Bridge into Intune where you want push rather than pull — WinTuner-class tooling converts packages into Intune assignments, so the same artifact serves both delivery models.
Where It Earns Its Keep
Developer and power-user fleets: populations that live in package managers get internal tools in their native workflow, version-pinnable and scriptable
CI/build infrastructure: agents installing internal toolchains by manifest, no Intune dependency in the build path
The self-service tier: a curated internal catalog as the Company Portal complement for the CLI-fluent
Where It Doesn't
The general fleet's required-app delivery: that's IME and the Apps blade — reporting, supersedence, and install-status truth that a pull-based source doesn't replicate. A private source complements the pipeline; teams that try to replace Intune app deployment with it rediscover why deployment reporting exists.
Insights
The security posture writes itself if you start there: manifests and installers signed, the source behind identity-aware access, and the repo treated as software supply chain — because that's exactly what it is, and "internal" is not a trust level.
BitLocker, Secure Boot, TPM, Defender signals, and build floors — attesting the posture you configured.
The contract has two halves: compliance attests, Conditional Access enforces. A compliance policy never blocks anything on its own — it renders a verdict on the device object, and Conditional Access reads that verdict at every token request. The Windows policy's distinguishing power is hardware-rooted attestation — the device proves its security state, not just reports it.
Compliance policyattests — renders the verdict
→
Device objectcompliant / noncompliant
→
Conditional Accessenforces the verdict
Prerequisites
Configuration before attestation: the BitLocker policy and update rings you intend to attest must already be deployed — the compliance requirement and the configuration policy must agree, or new devices flap noncompliant while configuration catches up.
Defender for Endpoint connector active if you plan to consume machine risk score — flip it on in the Defender integration before the compliance setting that references it.
A Conditional Access design ready to consume the verdict — compliance without the enforcement half is a report nobody reads.
Step-by-Step: Building the Policy
Create the policy under Devices > Windows > Compliance policies and work the settings in this order:
Require BitLocker. The attestation half of the encryption story; the pair must agree or new devices flap noncompliant during their first encrypt cycle — grace periods exist for exactly this window, so set one that covers the silent-enablement timeline.
Require Secure Boot and require code integrity. Boot-chain health, measured at boot rather than self-reported.
Require TPM. The hardware root the rest of the policy stands on.
Set the Defender posture: antimalware on, real-time protection on, signatures current — and machine risk score (via the Defender for Endpoint connector) at your ceiling: the live-threat half of compliance.
Express the minimum OS version as build floors that track your update rings: set the floor at ring-pace minus grace (e.g., last month's build once the broad ring completes), and "unpatched" becomes "loses access" — patch pressure expressed as an access decision instead of a nag.
Add password/lock requirements only where Hello doesn't already make them moot.
Configure actions for noncompliance: grace (1–3 days) → user notification → noncompliant → Conditional Access gates. The grace window absorbs transient states; the gate is what makes the verdict real.
Assign to device groups that cover the whole estate — assignment decides which devices get a verdict at all.
Verification
After the first evaluation cycle, read the compliance reports: every assigned device should show as evaluated, and the noncompliant population should be explainable — new devices in grace, known stragglers, nothing mysterious.
Walk the loop end to end on one test device: break a requirement (suspend BitLocker), sync, and confirm the verdict flips and a token request actually gets blocked — then remediate and watch access restore. The enforcement half is only proven once you've seen it deny.
Operating Notes
One policy per posture, not per team — compliance evaluates ALL assigned policies and any failure marks the device; overlapping policies with different floors create unexplainable states.
The built-in default policy ("mark devices with no policy as noncompliant" — set it that way) catches the unassigned stragglers; an unevaluated device should never read compliant by omission.
Co-managed fleets: the compliance workload slider decides whether ConfigMgr or Intune evaluates — move it first in co-management sequencing, since it unlocks Conditional Access for the whole estate.
Do
One policy per posture, assignments covering the whole estate
Mark devices with no assigned policy as noncompliant
Deploy the configuration before the attestation that checks it
Don't
Overlap policies with different floors — unexplainable states
Let an unevaluated device read compliant by omission
Reference the machine risk score before the Defender connector is on
Insights
Build-floor compliance is your only update enforcement on devices users control politically — executives who ignore deadlines don't ignore losing access to mail.
Watch the noncompliant-reason distribution in reports monthly: a spike in one signal (BitLocker, risk score) is an upstream system telling you something — escrow broke, or Defender's having a week — not three hundred coincidences.
The PRT, the compliant-or-hybrid grant, and device filters — where the fleet's compliance verdicts become access decisions.
The compliance page ends with a verdict on the device object; this page is what reads it. Conditional Access evaluates every token request and grants or denies there — it gates cloud resources, not the desktop. A noncompliant laptop still boots and signs in locally; what it loses is mail, files, and every Entra-protected app.
Evaluated atEvery token request
GatesCloud resources — not the local desktop
Device proofThe PRT, presented by the WAM broker
First diagnosticdsregcmd /status — join state plus PRT health
How a Windows Device Proves Itself: the PRT
When a user signs in to an Entra-joined or hybrid-joined device, Entra ID issues a Primary Refresh Token — an opaque, device-bound artifact carrying the user and device claims. The Web Account Manager (WAM) broker presents the PRT whenever apps request tokens, so every access token inherits the device's identity and Conditional Access can ask "is this device compliant?" at each request. The PRT refreshes on unlock and sign-in, keeping device-based policy continuous. Two consequences: a sign-in without a registered-device PRT reads as unknown device and fails every device-based grant; and dsregcmd /status — join state plus PRT health — answers most "why was I blocked?" tickets in one paste.
Entra IDissues the device-bound PRT at sign-in
→
WAM brokerpresents it for every token request
→
Conditional Accessgrants or denies per request
The Grant: Compliant Device OR Hybrid Joined
Grant control
What it asserts
When it's the right tool
Require device to be marked as compliant
Intune evaluated the device against compliance policy and it passed — a posture statement
The end state for every enrolled device; the only grant that says anything about health
Require Microsoft Entra hybrid joined device
The device is domain-joined and registered — an identity statement with no posture content
A bridge for hybrid fleets not yet enrolled or not yet evaluating compliance
Mid-migration estates select both with Require one of the selected controls — the "compliant OR hybrid joined" pattern. Treat the OR as a ratchet: the hybrid arm admits any domain-joined machine regardless of its state, so as enrollment coverage grows, retire it and stand on compliance alone.
Browser SSO and the Wrong-Profile Trap
Edge signed in with the work account rides WAM natively — device claims flow into browser sign-ins without ceremony. Other browsers need their enterprise SSO support explicitly enabled before they can present the PRT, and private-browsing sessions don't present hybrid-join state at all. The failure you'll actually meet: a user in a personal browser profile — or wrong account — requests a token with no device claims, and compliant hardware gets blocked as unmanaged. The sign-in log shows the tell: device info empty. Train tier-1 to check which profile before anyone debugs policy.
Device Filters
The filter for devices condition scopes a policy by device attributes — model, ownership, trust type, extension attributes — independent of user assignment. Two workhorse patterns: exclude a fenced population (kiosk and shared devices that can't survive interactive grants) from broad policy, and include-only designated admin workstations in a policy locking privileged roles to hardened hardware.
The Unmanaged Lane: BYOD
Personal Windows devices get a deliberately narrower deal: the Require app protection policy grant steers them into MAM for Windows — corporate access through protected Edge, with no enrollment — so enrolled devices prove compliance, personal devices ride the protected-browser lane, and nothing reaches corporate data ungoverned.
Prerequisites
Compliance policies deployed and reporting, with at least one known-compliant device — a compliant-device grant with no compliant devices is a tenant-wide block.
Break-glass accounts created and documented — excluded from this and every CA policy you ever write.
A pilot group you can actually talk to.
Step-by-Step: the First Device-Based Policy
Create the policy under Entra ID > Conditional Access > Policies, named to your convention.
Assign users: include the pilot group; exclude the break-glass accounts and (in synced tenants) the Directory Synchronization Accounts role. The exclusions are the difference between a bad day and a locked tenant.
Target resources: All resources — per-app carve-outs accumulate into holes; let the pilot users carry the blast radius instead.
Set the grant: Require device to be marked as compliant — plus Require Microsoft Entra hybrid joined device with Require one of the selected controls if you're mid-migration.
Enable in report-only mode. Report-only evaluates every real sign-in and records what would have happened — your only preview of the lockouts you didn't predict.
Read the results for a week in the sign-in logs, fix what surfaces (unenrolled stragglers, service accounts, the conference-room PC), widen the include ring, then flip to On.
Verification
On a compliant test device: sign in and confirm in the sign-in logs that the policy applied with a Success grant — the claims chain proven end to end.
Break compliance deliberately (suspend encryption, sync, let the verdict flip) and confirm the next token request is blocked; remediate and watch access restore. Enforcement is only proven once you've seen it deny.
Lockout Pitfalls
Freshly provisioned devices race their first compliance evaluation. Enrollment itself isn't blocked by the compliant-device grant, but a device fresh off the bench can sit in "not evaluated" while its user tries to work. Compliance grace periods and a sync-on-handoff habit absorb the window.
Kiosk and shared devices: user-less and many-user fleets break interactive assumptions — and one noncompliant shared device blocks every account that walks up to it. Decide their lane explicitly: device filters, dedicated policy, or exclusion with compensating controls.
Break-glass exclusions are load-bearing. A policy that locks every admin out during a service incident is a story you only get to tell once.
Do
Start in report-only and read a week of sign-in logs
Exclude break-glass accounts from this and every CA policy
Target All resources and let the pilot group carry the blast radius
Retire the hybrid-joined OR arm as enrollment coverage grows
Don't
Flip to On without reading what report-only surfaced
Leave kiosk and shared fleets to meet interactive grants undecided
Accumulate per-app carve-outs — they become holes
Insights
Report-only always surprises. Every tenant has sign-ins nobody remembered — scanners, scheduled tasks, an executive's home PC — and finding them in a report beats finding them on the phone.
Measure the OR: track the share of sign-ins satisfied by the hybrid arm versus compliance, and remove it when that share approaches zero — every month it lingers, it's an unmonitored side door.
Pair device grants with Hello for Business and the daily experience is fewer prompts, not more — strong device identity is what lets you stop interrogating the human.
AV policy, ASR rules, firewall, and MDE onboarding — the security stack as Intune profiles.
The Endpoint security node is where Windows security policy lives as focused profile types — and where Microsoft Defender for Endpoint (MDE) onboarding turns Intune-managed devices into sensor-reporting, risk-scored endpoints. The architecture is a loop: Intune deploys the sensor, Defender scores the device, compliance consumes the score, and Conditional Access acts on the verdict.
Intunedeploys the sensor
→
Defenderscores the device
→
Complianceconsumes the score
→
Conditional Accessacts on it
The Profile Family
Antivirus — Defender AV configuration: real-time/cloud protection, scan scheduling, exclusions (govern exclusions like the attack surface they are — reviewed, justified, minimal), tamper protection on.
Attack surface reduction (ASR) — the rules that block macro/script/credential-theft tradecraft. The non-negotiable rollout doctrine: Audit mode first, mine the audit events for business-process collisions (that one Excel macro pipeline), then flip rules to Block individually. Big-banging ASR to Block is the classic self-inflicted outage.
Firewall — Defender Firewall profiles and granular rules; default-deny inbound is the easy win most fleets still haven't taken.
These profiles overlap territory with security baselines — pick the owner per area (baseline floor + Endpoint security specifics is the common split) and hold the one-home-per-setting line.
Do
Keep tamper protection on
Roll ASR rules out in audit mode and mine the collisions first
Govern AV exclusions — reviewed, justified, minimal
Pick one owner per setting area: baseline floor + Endpoint security specifics
Don't
Big-bang ASR rules to Block — the classic self-inflicted outage
Carry unexplained exclusions into your next audit
Let baselines and Endpoint security profiles fight over one setting
MDE Onboarding and the Risk Loop
Connect the tenants: Defender portal settings flip the Intune connection; Endpoint security > Microsoft Defender for Endpoint confirms it.
EDR policy with onboarding from the connector deploys the sensor blob fleet-wide — no per-device packages.
Compliance consumes the machine risk score; CA acts on compliance. A device that catches fire loses access while it burns — the entire point.
Bonus circuit: MDE's vulnerability management feeds back the patch and app debt your update and app doctrine pages exist to retire.
Insights
Security settings management extends these same Intune profiles to devices MDE sees but Intune doesn't manage — useful mid-migration; know it exists before building a parallel mechanism.
ASR audit data is the cheapest security telemetry you'll ever get: even rules you never intend to block document what's running where.
Keep the exclusion list in version control with reasons and owners — an unexplained exclusion is a finding in every audit framework that will ever read it.
No standing local admins, rotating break-glass credentials, and the retrieval workflow — the endgame for endpoint privilege.
The target state, achievable today: users run standard (Autopilot sets it), no shared local admin password exists anywhere, and break-glass is a per-device, auto-rotating credential retrieved on demand and rotated after use. Windows LAPS — built into the OS, managed by Intune — is the whole mechanism.
Console pathEndpoint security > Account protection > Windows LAPS
EscrowThe Entra ID device object — the object is the vault
Password20+ characters, complex, rotated every 7–30 days
After usePost-authentication rotation burns the credential
Prerequisites
Decide the managed account first: the built-in Administrator, or better, a dedicated break-glass account that your baseline or a script creates on every device. LAPS rotates the account you point it at, so the account must exist everywhere before the policy means anything.
Standard-user posture under way: LAPS is the break-glass half of the no-local-admins program — the value compounds when users actually run standard and sanctioned elevation has its own governed path.
Healthy device objects in Entra ID: passwords escrow to the device object, so the object is the vault — stale or duplicate device records become retrieval failures later.
Step-by-Step: The Policy
Create the policy under Endpoint security > Account protection > Local admin password solution (Windows LAPS):
Set the backup directory to Entra ID — passwords escrow to the device object (the cloud-native posture; AD backup exists for hybrid estates that need it).
Name the administrator account the policy manages: the built-in Administrator, or better, the dedicated break-glass account — managing a renamed/dedicated account beats advertising the well-known one.
Set password complexity, length, and age: long (20+), complex, rotate every 7–30 days.
Configure post-authentication actions: rotate after the password is used (+ optional logoff/restart of the session) — every retrieval burns the credential, automatically.
Close the hygiene loop: pair with an account-management profile or remediation that guarantees the target account exists and no other local admins do — the rotation is the product's job; the fleet hygiene around it is yours.
The Retrieval Workflow
Per-device: the Intune device blade's Local admin password view (audited), or Graph for automation — every read is logged, which is the governance story. Helpdesk runbook: retrieve → use → confirm post-auth rotation fired → done; no password ever written on a sticky note because no password is valid for long.
RetrieveDevice blade or GraphEvery read is logged — that's the governance story
UseSign in with the credentialThe break-glass moment itself
RotatePost-auth action firesThe password you just used stops working
DoneNothing reusable remainsNo retrieval leaves a standing credential
Verification
On a pilot device, retrieve the password from the device blade, sign in with it, and confirm the post-authentication rotation fires — the credential you just used should stop working on schedule.
Check escrow coverage across the fleet: every targeted device should hold a current password on its device object; gaps usually mean the policy's account name and the account that actually exists on the device disagree.
Why This Trio Closes the Chapter
Standard users + Hello for Business + LAPS = no standing admin rights, no phishable sign-in secret, no reusable local credential — the three classic lateral-movement gifts, individually wrapped and returned. It's the rare security project that reduces helpdesk load (self-service-less elevation requests drop once the temporary-elevation path is defined) while deleting an entire attack class.
Insights
The "but I need admin sometimes" population gets a process (temporary elevation via your chosen mechanism — Intune's Endpoint Privilege Management add-on being the native option), not an exemption. Exemptions are how LAPS projects die at 80%.
Audit retrievals monthly: the access pattern is telemetry — a device retrieved weekly has an unsolved underlying problem wearing a break-glass costume.
Migrating from legacy LAPS (the AD-era MSI)? Windows LAPS is the in-OS successor; don't run both against one account — pick the policy source and decommission the old client deliberately.
Rule-based elevation for standard users — the missing piece that makes the no-local-admins posture livable.
Removing local admin rights is the single highest-value Windows hardening move — and the reason orgs don't do it is the exception flood: the engineer who needs to install drivers, the analyst whose ancient tool demands elevation. Endpoint Privilege Management (EPM, an Intune Suite capability) is the answer: standard users everywhere, with policy-governed elevation for exactly the operations you've blessed.
Rule identityCertificate + attributes ideally; hash for unsigned; path last
Default answerUser confirmed — automatic earns its way in per file
The Model
EPM policies live under Endpoint security and come in two parts:
Elevation settings policy: turns the EPM client on per device population and sets the default posture — including what happens for elevations no rule covers (deny, or allow user-confirmed with justification, per fleet temperament).
Elevation rules policies: the allow-list. Each rule identifies a file (by certificate + attributes ideally, file hash for the unsigned stragglers, path only as a last resort — paths are spoofable) and assigns an elevation type:
Elevation type
Behavior
Use for
User confirmed
User attests (optionally with justification/auth) and elevates
The everyday case — driver installers, the blessed utility set
Support approved
Elevation waits on an admin approval in the console
High-risk tools; break-glass-adjacent operations
Automatic
Elevates silently
Sparingly — updaters and agents that must elevate unattended
Rules ride assignments and filters like everything else, so the CAD team's rule set doesn't follow them onto loaner hardware.
Do
Identify files by certificate + attributes
Default new rules to user confirmed
Let elevation reporting build the rule backlog before removing admin rights
Don't
Write path-only rules — paths are spoofable
Grant automatic elevation under helpdesk pressure — every silent rule is invisible privilege
Add an automatic rule without a written reason
The Rollout Pattern
Inventory reality first: EPM's elevation reporting shows what's actually elevating fleet-wide (including unmanaged elevations on devices where users still hold admin) — your rule backlog, pre-sorted by frequency.
Remove admin rights ring by ring (the LAPS page's choreography), with EPM rules landing first so day one of standard-user life already covers the known elevation diet.
Tune by exception data: denied-elevation reports become rule candidates or coaching moments; the support-approved queue's latency becomes a staffing signal.
Insights
EPM completes a trio: LAPS owns the break-glass account, EPM owns sanctioned elevation, and standard-user-by-default owns everything else. Present the three together in security review — each covers the others' "but what about" questions.
Resist the automatic-elevation temptation under helpdesk pressure: every silent rule is invisible privilege, and the audit trail's value comes precisely from the confirmation/approval friction. The default answer is user confirmed; automatic earns its way in per file, with a written reason.
Virtualization-based security, memory integrity, and the credential isolation that makes pass-the-hash a museum piece.
Virtualization-based security (VBS) is Windows using the hypervisor against attackers: carving out hardware-isolated memory enclaves the OS kernel itself can't read. Two headline tenants live there — memory integrity (HVCI) guarding kernel code, and Credential Guard sealing domain secrets — and on modern fleets your job is less "enable them" than "attest and keep them on."
Memory integrity (HVCI): kernel-mode code integrity enforced from the enclave — unsigned or tampered drivers can't load. The historic enablement blocker was that one ancient driver; the Settings Catalog policy plus a ring-based rollout surfaces incompatible drivers in ring 1 where they're a ticket, not an outage.
Credential Guard: LSA secrets (NTLM hashes, Kerberos tickets) isolated in the enclave — the pass-the-hash and credential-dump killers. Default-enabled on current Windows 11 Enterprise/Education on capable hardware, which converts your task to verifying it's on and preventing it from being turned off.
LSA protection (the non-VBS cousin): LSASS as a protected process — on by default on modern installs, part of the same attestation story.
Prerequisites
The hardware floor: UEFI with Secure Boot, virtualization extensions, and TPM 2.0 — met by definition on a current Windows 11 fleet, worth confirming on anything older.
A driver census for HVCI: the historic enablement blocker is that one ancient kernel driver; know which populations carry unusual peripherals before enforcement, and seed ring 1 with their owners.
Baseline awareness: read the security baseline's positions on VBS, HVCI, and Credential Guard first, so your policy aligns with them rather than fighting them.
Step-by-Step: Enablement
Configure the policy via the device-security surface of the Settings Catalog: VBS on, memory integrity (HVCI) on, Credential Guard on.
Make the UEFI-lock decision deliberately. Locking Credential Guard in firmware prevents remote disablement — including by you. It's the right posture for high-assurance fleets, with the understanding that undoing it means touching machines.
Roll out ring by ring on the update-ring cadence, so an incompatible driver surfaces in ring 1 as a ticket rather than fleet-wide as an outage.
Verification
Then prove it: device health attestation and compliance carry the boot-measured truth, and the fleet-wide "is Credential Guard actually running" answer is a Graph/report query, not an assumption — attest the running state rather than trusting the policy deployment report.
Insights
The blast radius of HVCI lives in peripherals: the badge-reader vendor's 2017 driver, the lab instrument's kernel module. The ring-1 canary population should deliberately include the weird-hardware owners — that's what canaries are for.
When security review asks "are we protected against credential theft," the layered answer is this page plus Hello for Business: Credential Guard protects secrets that exist; Hello reduces how many exist at all.
Attack surface reduction rule by rule — what each blocks, what each breaks, and the audit-to-block path for all of them.
The Defender page names attack surface reduction as a pillar; this page is the cookbook — because ASR is deployed rule by rule, and each rule has its own blast radius. The universal method first, then the roster.
Step 2Read the telemetryTwo to four weeks: which rules would fire, on what, for whom
Step 3Block in wavesSilent rules first; noisy triggers get investigated
Step 4Warn where neededThe override-with-audit-trail middle path
Everything starts in audit mode — fleet-wide, immediately. Audit costs nothing and starts generating the evidence.
Read the audit telemetry (Defender portal's ASR report or advanced hunting) for two-to-four weeks: which rules would have fired, on what, for whom.
Block in waves by noise level: silent rules go straight to block; noisy rules get their triggers investigated — most "noise" is one legacy app or one team's macro habit, which becomes a targeted exclusion or (better) a remediation.
Warn mode is the middle path for user-facing friction: the block with an override button and audit trail.
The Roster, By Family
The quiet wins (block early, almost nowhere breaks):
Block abuse of exploited vulnerable signed drivers
Block executable content from email client and webmail
The Office family (block after macro-reality triage):
Block Office apps from creating child processes — the malware-chain breaker; finance macro suites are the classic exception
Block Office apps from creating executable content / injecting into other processes
Block Win32 API calls from Office macros
Block execution of potentially obfuscated scripts; block JS/VBScript from launching downloaded executables — pairs with your macro-security Catalog policy
The behavioral big guns (audit longest):
Block executable files unless they meet prevalence/age/trusted-list criteria — the rule most likely to catch your own LOB installers; exclusions or signing discipline required
Use advanced protection against ransomware
Block untrusted/unsigned processes from USB
Per-rule exclusions exist and should be named, owned, and reviewed — an ASR exclusion list nobody audits is an allow-list for the next attacker who reads your config.
Insights
ASR findings in audit are free security telemetry even before blocking: a workstation tripping the LSASS rule today is an investigation, not a future policy note.
Track the portfolio as a KPI: rules-in-block ÷ total applicable, fleet-wide. It's the single most legible "attack surface is shrinking" number you can hand leadership, and the compliance/CA loop doesn't capture it — this one's yours to chart.
Boot-time truth from the TPM — how Windows proves Secure Boot, BitLocker, and code integrity actually ran.
Compliance policies contain a quiet superpower: settings the device cannot lie about. Device Health Attestation (DHA) is the mechanism — boot-time measurements sealed in the TPM, validated by Microsoft's attestation service, and delivered to Intune as cryptographic fact rather than agent self-report. When a security review asks how much of the compliance verdict survives device compromise, the DHA-backed settings are the part that holds.
How the Proof Works
During boot, UEFI and the OS loader extend measurements of each boot stage into TPM PCRs — a hash chain recording what actually executed. At attestation time the TPM signs a quote of those registers with a key rooted in the hardware; the health attestation service validates the quote and issues the verdict Intune consumes. An attacker who disabled Secure Boot or stripped code integrity after boot can't rewrite the registers — the lie is cryptographically unavailable.
Boot chainUEFI + loader extend measurements
→
TPMsigns the quote with a hardware-rooted key
→
Attestation servicevalidates the registers
→
Intune complianceconsumes cryptographic fact
What Compliance Can Attest
The compliance policy's device-health block consumes DHA verdicts:
BitLocker (boot-measured, distinct from the configuration-side BitLocker policy — policy sets, attestation proves)
Secure Boot enabled
Code integrity enabled
Three checkboxes, each backed by the TPM rather than a registry read — turn them on for any fleet whose Conditional Access posture means anything, and pair them with the VBS/Credential Guard attestation story for the full boot-chain narrative.
Operational Notes
Hardware floor: TPM 2.0 — the Windows 11 fleet baseline already guarantees it; legacy stragglers fail attestation eligibility, not attestation, and read differently in reports.
Transient failure ≠ compromise: attestation hiccups (service reachability, fresh enrollments, post-reset states) clear on sync and re-evaluation — triage the transient causes first, before treating any verdict as a security event.
A device persistently failing Secure Boot attestation that policy says should pass is a finding: someone with firmware access changed the boot posture. That's an investigation route, not a compliance-exception route.
Insights
DHA is the difference between "the agent says we're encrypted" and "the silicon proves we booted encrypted" — when an auditor pushes on evidence quality, this page is the answer, and the inventory report's encryption column inherits its credibility from it.
DFCI fleets get a pleasing symmetry: cloud-managed firmware setting the boot posture, TPM-attested truth proving it — configuration and verification meeting below the OS.
Reputation checks to full allow-listing — the spectrum of execution control, and where your fleet should sit on it.
"Only intended software runs" is a spectrum on Windows, from reputation nudges to cryptographic allow-listing. This page maps the whole spectrum so the fleet's position on it is a decision, not a default.
The floorSmartScreen enforcedOn, not user-overridable — catches the commodity tier
The middleApp Control in auditGathering evidence, costing nothing
The ceilingApp Control enforcedKernel-enforced allow-listing with managed installer
SmartScreen (the Reputation Floor)
Microsoft Defender SmartScreen checks apps, files, and URLs against reputation services — the floor every fleet should enforce via Settings Catalog: SmartScreen for apps/files on and not user-overridable for downloaded executables, plus the Edge-side enforcement for web-borne threats. Cheap, quiet, catches the commodity tier. The security baseline already takes these positions; your job is not contradicting it.
App Control for Business (the Ceiling)
App Control for Business (the WDAC lineage) is the real thing: kernel-enforced code-integrity policy where only explicitly trusted code executes — trusted by signer, hash, path rule, or reputation tier. Intune deploys it natively via the Endpoint security app-control surface:
Start from the built-in base modes: trust Windows + Microsoft Store + managed installer — the pragmatic enterprise opening position
Managed installer is the keystone: designating the Intune Management Extension as a managed installer means everything you deploy through Intune is automatically trusted — the allow-list maintains itself for the sanctioned channel, and unsanctioned arrivals (downloads, USB sticks) face the policy
The ISG option (Intelligent Security Graph) adds reputation-based allowing for fleets that can't fully enumerate — a deliberate looseness, chosen knowingly
Audit mode first, always: app-control events (8003/8004 family in the CodeIntegrity log) for weeks before enforcement; the ASR method at higher stakes, because a wrong block here is "the app won't launch," fleet-wide
Supplemental policies carry the exceptions — versioned in the repo, owned, reviewed, exactly like every other trust list on this site
AppLocker still exists for legacy scenarios, but new designs start with App Control for Business — it's where the engineering investment lives.
Do
Start from the built-in base modes — Windows + Store + managed installer
Run audit mode for weeks and read the CodeIntegrity 8003/8004 events
Carry exceptions in supplemental policies — versioned, owned, reviewed
Don't
Enforce before the audit evidence is read — a wrong block is "the app won't launch," fleet-wide
Contradict the security baseline's SmartScreen positions
Start new designs on AppLocker — the investment lives in App Control
Choosing the Fleet's Position
Fleet
Position
Knowledge workers, modern apps
SmartScreen enforced + audit-mode App Control (gathering evidence, costing nothing)
Enforced App Control with managed installer — bounded app diet makes allow-listing nearly free, and these devices face physical-access threats
High-assurance/regulated
Enforced App Control as the audit centerpiece, with DHA attesting code integrity ran
Insights
The managed-installer pattern quietly rewards app-deployment discipline: a fleet where everything arrives via Intune gets allow-listing almost for free, while shadow-IT-heavy estates feel the enforcement pain in proportion to their sprawl. App Control is, among other things, a mirror.
Governing the Administrators group from the cloud — membership policy, Entra role mapping, and the drift that creeps back.
LAPS secures the break-glass account and EPM handles elevation — between them sits the question this page owns: who is in the local Administrators group at all, governed as policy instead of folklore.
The Policy Surface
Endpoint security > Account protection carries the local user group membership policy: per built-in group (Administrators, Remote Desktop Users, and kin), declare an action — add, remove, or replace — with members expressed as Entra users/groups or SIDs. The posture choice is the action verb: replace is the strong posture (the group's membership is the policy — drift gets reverted at evaluation), add/remove the surgical one for estates not ready to enumerate completely.
you can enumerate the intended membership completelyReplaceThe group's membership is the policy — drift reverts at every evaluation.
the estate isn't ready to enumerateAdd / removeThe surgical option — adjust known members without claiming the whole group.
The Entra-Native Reality Worth Knowing
On Entra-joined devices, two memberships exist implicitly: the device's enrolling/assigned local-admin behavior per tenant settings, and the Entra role mapping — Global Administrator and the Entra-Joined-Device-Local-Administrator role land in the local Administrators group by token, invisible to local inspection habits. Your effective-admins answer = explicit policy members + role-mapped principals + local stragglers — audit all three, because the auditor will ask for one number.
The Operating Pattern
Inventory reality first: a Remediation/script reporting actual Administrators membership fleet-wide — the drift census that always surprises
Replace-mode policy declaring the intended state: LAPS-managed account + the named break-glass principals, nothing else — composing the no-local-admins trio into an enforced invariant
Tenant-side hygiene: scope the Entra local-admin role tightly (it's fleet-wide admin granted through an identity role), and let PIM-style just-in-time elevation own the exceptions
Re-census quarterly — the same script, now measuring policy compliance instead of chaos
Insights
The replace action's underrated property is self-healing: the technician who hand-adds themselves "temporarily" gets reverted on the next evaluation cycle — which converts admin-group hygiene from an audit finding you remediate annually into a property the fleet maintains hourly.
Profiles, rule policy, and logging — running the built-in firewall as managed infrastructure instead of a default.
The Defender overview confirms the firewall is on; this page runs it like infrastructure — because the built-in firewall under policy is a genuinely capable host-isolation layer most estates leave at factory settings.
Console pathEndpoint security > Firewall
ProfilesDomain, private, public — independently configured
Corporate floorAll three enabled, inbound default-block
Design questionLocal rule merge — policy-only truth vs audited accumulation
The Profile Model
Three firewall profiles keyed to network location — domain, private, public — each independently configured via Endpoint security > Firewall: enabled state, default inbound/outbound actions, notification and local-rule-merge behavior. The corporate floor: all three enabled, inbound default-block, with the sharp design question being local rule merge — whether device-local rules (the kind installers add) combine with policy rules. Strong posture disables merge on locked-down fleets (policy is the whole truth); pragmatic posture allows it on knowledge workers and audits the accumulation.
Rule Policy
Firewall rules deploy as policy objects: direction, action, ports/protocols, scoped by app path, package, or service, profile-targeted. The patterns that matter:
Inbound stays near-zero on endpoints: clients rarely need listening ports; every inbound allow is a named, owned exception — the trust-list discipline again
The lateral-movement cut: blocking workstation-to-workstation inbound (allowing only management/infrastructure sources) is the cheapest meaningful containment control on the platform — ransomware's favorite road, closed by policy
App-scoped allows for the genuine listeners (softphones, collaboration screen-share) rather than port-wide doors
Do
Keep endpoint inbound near-zero — every allow named and owned
Block workstation-to-workstation inbound — the cheapest containment on the platform
Scope allows to the app, not the port
Don't
Open port-wide doors for one app's sake
Let years of installer-merged local rules accumulate unowned
Logging and Verification
Firewall logging configuration (per profile: dropped packets, successful connections, log size) feeds your security-telemetry pipeline — dropped-inbound logs on server-adjacent endpoints are cheap detection signal. Verification is a Remediation reading effective profile state fleet-wide, plus the reporting surface — enabled-by-policy and enabled-in-fact are different claims; attest the second.
Insights
Rule sprawl is the failure mode: years of installer-merged local rules nobody owns. The reset play — disable merge + a deliberate policy ruleset + a cleanup script — is a ring-1 project with outsized audit payoff, and the App Control mirror-effect applies: fleets with disciplined app pipelines barely feel it.
The second encryption layer — identity-bound file protection above BitLocker, and where it fits.
BitLocker protects the volume — strong against the stolen-laptop-powered-off case, silent once Windows boots. Personal Data Encryption (PDE) adds the layer BitLocker structurally can't: file-level encryption whose keys bind to the user's Windows Hello sign-in, so protected files stay sealed until that user authenticates — and reseal at lock.
RequiresCurrent Windows 11 Enterprise
Join stateEntra-joined — not hybrid
Keys bind toThe user's Hello for Business sign-in
Console pathSettings Catalog > PDE family
The Model
PDE encrypts designated content under keys derived through Hello for Business — meaning the protection follows identity presence, not machine power state. The threat it addresses is the post-boot gap: a signed-out or locked device whose disk is technically "unlocked" at the BitLocker layer; an attacker with the powered-on device (or an extracted-while-running attack path) meets sealed files anyway. The composition slide writes itself: BitLocker = at-rest volume, PDE = identity-gated files, DHA = boot-proof, Hello = the credential — four layers, one story.
Prerequisites
The prerequisites stack tightly, and each one is a hard gate:
Entra-joined (not hybrid) — another vote for the cloud-native endgame.
Hello for Business as the sign-in, since the keys hang off it — a population still on passwords has nothing for PDE to bind to.
Step-by-Step: Enablement
Create the policy in the Settings Catalog's PDE family: enablement plus the protected-content levels Microsoft defines.
Verify the current protection scope rather than assuming it. The protected-content levels have expanded by release (known-folder coverage being the headline arc) — confirm what the builds you're deploying to actually protect.
Read the documented interop notes per release. The feature carries compatibility considerations with certain recovery/management scenarios that the docs enumerate — they evolve, so re-read before each ring expansion.
Pilot on a population that exercises the lock/unlock rhythm — the value and the edge cases both live where devices lock often.
Verification
On a pilot device, confirm the seal actually behaves: protected files readable after the user's Hello sign-in, sealed at the lock screen and for any other account. Then check the policy's per-setting status in reporting — deployed and protecting are different claims, and the second one is the audit answer.
Where It Earns Deployment
Regulated and high-value-data fleets where the unattended-but-running device is a named threat scenario — executive travel fleets, clinical floors, anywhere screens lock more often than machines power off. The standard knowledge-worker fleet should land BitLocker + Hello + auto-lock discipline first; PDE is the precision layer above a finished foundation, not a substitute for one.
Insights
Rehearse the recovery story before ring 2: PDE-protected files on a device whose Hello container resets (PIN forgotten, device repair) follow a different recovery path than BitLocker's — bring the same escrow discipline you apply to recovery keys, because the rehearsed path is the difference between a help-desk script and a data-loss conversation.
Beyond the blunt USB switch — Defender Device Control's allow-list model for peripherals and removable media.
Blocking ports outright is the blunt instrument; Windows carries a far sharper one: Microsoft Defender Device Control — policy over removable storage and peripheral classes that goes past on/off into which devices, for whom, doing what, with audit evidence attached.
The Model
Device Control policy (Endpoint security, the attack-surface-reduction family) composes groups (device sets matched by IDs — vendor/product, serial, device class) with rules (allow/deny/audit per access type — read, write, execute) applied to those groups. The expressive power is the point: deny removable storage write fleet-wide; allow the named encrypted-drive product for the field-engineering group; audit reads everywhere is three rules, not a wish.
The Rollout Ladder
Rung 1Audit everythingThe plugged-in census — security telemetry by itself
Rung 3Deny executeCode from removable media has no fleet-wide story
Rung 4Named exceptionsSerial-pinned drives, owned and reviewed
Audit first, always — the ASR method verbatim: audit-mode events build the census of what's actually plugged in where, which is itself security telemetry (the unknown-USB map surprises every org that draws it)
Block write before block all: write-blocking removable media kills the exfiltration path while leaving read workflows (the conference-room USB deck) alive — the highest value per unit of friction on the ladder
Execute-deny as standing policy: code running from removable media has no legitimate fleet-wide story — pairs with the USB ASR rule and App Control posture
Named-exception allow-lists for the genuine needs — serial-pinned encrypted drives for the populations that earn them, owned and reviewed like every trust list
Printer and broader peripheral-class controls ride the same framework where the estate's data-handling rules reach that far.
Evidence and Verification
Device Control events flow into the Defender portal's reporting — per-device, per-rule, advanced-hunting-queryable — which makes the audit answer ("can data leave on USB, and who tried") a query instead of a shrug. The reporting rhythm gains a column; the DLP conversation gains a floor.
Insights
The exception process is the control: a serial-pinned allow-list with an owner and an expiry converts "we block USB (except everyone who asked)" into governed reality — and the audit-mode census tells you in advance exactly how many askers to budget for.
Vulnerability Remediation with Defender and Intune
Closing the loop — Defender's vulnerability findings flowing into Intune security tasks, and the rhythm that burns down exposure.
Two consoles, one loop: Defender Vulnerability Management finds the exposure; Intune owns the machinery that fixes it. The integration that joins them — security tasks — is the most underused handoff in the Microsoft security stack.
Defender's vulnerability layer continuously inventories software, versions, and configurations against the CVE world, scoring exposure per device and recommendation — the what's broken where truth, with your third-party app sprawl usually headlining
Security tasks: from a Defender recommendation, security creates a task targeted at Intune — the request crosses consoles with its evidence attached and lands in Intune's Security tasks queue
Close the task — status flows back to the security console, and the recommendation's exposure score reflects reality on the next evaluation
The connector prerequisite is the Defender-Intune integration most estates already run; the process prerequisite is the missing piece — agreeing who triages the queue and on what clock.
The Operating Rhythm
Treat exposure like patch-age buckets: a weekly triage of incoming tasks (severity-sorted, the exploited-in-the-wild class jumping the queue — actively exploited findings run on an hours-to-days clock, not the monthly rhythm), remediation routed to the owning lane, and the burn-down chart — exposure score and open-task age trended monthly — as the artifact both security and IT leadership read. The chart is the relationship: it replaces the perennial "IT ignores our findings" / "security throws PDFs over the wall" theater with a shared queue and a slope.
Insights
The highest-yield standing fix is upstream of any single CVE: the apps that recur in findings are the apps without an update lane — every repeat offender adopted into the catalog/pipeline removes a family of future tasks, which is the difference between vulnerability whack-a-mole and vulnerability management.
The timeout that isn't the cause, the error codes that matter, and the bench diagnosis sequence.
Autopilot failures look dramatic and resolve formulaically. The discipline: identify the phase (device prep → device setup → account setup), then work that phase's short list.
Phase 1Device prepJoin and enrollment — the device becomes managed
Phase 2Device setupDevice-targeted apps and policies land
Phase 3Account setupUser-targeted payload after sign-in
The Greatest Hits
0x800705B4 (timeout) — the most-Googled, least-informative code: the ESP hit its limit while something in the blocking list stalled. The fix is finding the something, not raising the limit. Diagnosis: the cab/IME logs below show per-app status — the app stuck "in progress" forever is your culprit; its own install log says why (bad silent switch, dependency wait, content download stall on hostile Wi-Fi).
"This device hasn't been set up for your organization" / profile not found — the hash isn't registered, registered to the wrong tenant, or the profile assignment hasn't flowed (assignment can lag after registration — check the Autopilot devices blade shows assigned).
TPM attestation errors (self-deploying/pre-provisioning) — firmware TPM quirks, VMs, or vendor firmware needing an update; attestation is a hardware conversation, validate the exact SKU.
Sign-in succeeds, enrollment fails — licensing (no Intune license), enrollment restrictions blocking the platform, or the MDM user scope not covering the user.
Network at OOBE — captive portals, TLS inspection, and filtered guest Wi-Fi break first contact; the staging VLAN exists for a reason.
The Diagnosis Kit
On the failure screen: the diagnostics option exports logs to USB right there — collect before rebooting away the evidence.
IME log (%ProgramData%\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log) — the per-app truth during ESP, readable with CMTrace-style viewers.
Reproduce on the bench under the user's network conditions (hotspot mimicking home Wi-Fi) before declaring "works for me" — half of Autopilot tickets are network-environmental.
Keep one known-good reference device per hardware model: "does the golden unit deploy?" splits fleet problems from device problems in twenty minutes.
After any fix, the clean retest is a full reset (wipe/Sysprep-fresh) — partial OOBE retries carry contaminated state and produce phantom second failures.
Where Intune truth lives on a Windows endpoint — IME logs, MDM diagnostics, event channels, and the remote collect action.
Windows offers an enormous diagnostic surface — the skill is knowing which log answers which question, so the right five minutes replaces the wrong afternoon.
Match the Question to the Log
Question
Source
Did this app/script/remediation run, and what happened?
IME log: %ProgramData%\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log (+ AgentExecutor for scripts) — every detection check, download, install exit code
Did this policy arrive and apply?
Event Viewer: Applications and Services > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin — the MDM session log; pair with the portal's per-setting report for the server-side view
What's the join/identity state?
dsregcmd /status — AzureAdJoined, DomainJoined, PRT health; ends most "is it even joined" debates in one paste
Everything, packaged
MDMDiagnosticsTool -area DeviceEnrollment;DeviceProvisioning;Autopilot -cab — the support-case bundle
Enrollment plumbing specifics
Task Scheduler > Microsoft > Windows > EnterpriseMgmt (the sync tasks) + the same event channel
The Remote Path: Collect Diagnostics
The device blade's Collect diagnostics action pulls the standard bundle (event logs, IME logs, registry exports, config state) from a device you'll never touch — downloadable from the portal under Device diagnostics. For remote-workforce fleets this action is the bench; train tier-2 on reading its contents and half your escalations stop requiring a user's lunch hour.
Forcing and Verifying Sync
Sync from the portal (device action), from the device (Settings > Accounts > Access work or school > Info > Sync), or just wait — MDM checks in on its own cadence and IME on its own (~hourly) rhythm. Reading the timestamps in the sources above beats re-mashing Sync: "last session succeeded five minutes ago" reframes the question from delivery to content.
Insights
CMTrace/OneTrace-style viewers make IME logs legible — rolling logs, color-coded severity; reading them in Notepad is a self-imposed handicap.
The IME log rolls over fast on busy devices — collect promptly after reproducing, not tomorrow.
Build the habit: log with a question. The table above is the routing layer; the answer is usually three lines once you're in the right file.
When two authorities disagree — per-setting conflict triage, MDMWinsOverGP, and the registry where MDM truth lives.
A setting "not applying" on Windows usually means a setting applying twice — two Intune profiles disagreeing, or Group Policy and MDM both claiming a domain-joined device. This page is the disambiguation kit.
two Intune profiles disagreePer-setting reportRead the Conflict state, apply the one-home rule, delete the duplicate claim.
Group Policy and MDM both claim the areaMDMWinsOverGPFlip precedence for supported areas — transition tooling, not permanent architecture.
reports and reality disagreePolicyManager registryHKLM\SOFTWARE\Microsoft\PolicyManager — resolved values and per-authority deliveries.
Intune vs Intune
The Settings Catalog's per-setting reporting is the tool: Devices > the device > the per-setting status view shows every applied setting, its winning value, and Conflict states naming the contending profiles. The triage is mechanical:
Pull the conflicting setting's two (or more) source profiles from the report
Apply the one-home rule — every setting lives in exactly one profile per intent; the fix is deleting the duplicate claim, not nudging values until they coincidentally match
Recheck after sync — conflict states clear on re-evaluation
Baseline overlap is the classic source: baselines take positions on hundreds of settings, and any ad-hoc profile touching the same surface collides. Diff before deploying alongside a baseline.
GPO vs MDM (the Co-Managed and Hybrid Estate Special)
On hybrid-joined devices still in GPO's reach, both authorities can write the same policy area. The rules of engagement:
Default: for many ADMX-backed areas, GPO historically wins on conflict
MDMWinsOverGP (ControlPolicyConflict policy): flips precedence to MDM for supported policy areas — the migration-era lever that lets Intune take authority before the device leaves AD. It covers GP-vs-MDM for those areas; it is not a magic eraser for every legacy setting class
The endgame is not needing the lever: each policy area migrated deliberately, GPO scoped away from migrated devices, precedence flags as transition tooling rather than permanent architecture
Reading Device-Side Truth
When reports and reality disagree, the registry arbitrates: the PolicyManager hive at HKLM\SOFTWARE\Microsoft\PolicyManager — current\device shows the resolved MDM value per area; providers\<EnrollmentGUID> shows what each authority delivered. Pair with MDM Diagnostics (the logs page) and gpresult on hybrid devices, and you can name the winning authority for any setting in five minutes.
Insights
Conflicts are an architecture smell, not an incident class — a fleet generating steady conflict tickets has a profile taxonomy problem (one setting, one home) or a half-finished GPO migration; fix the taxonomy and the ticket class disappears.
During migrations, keep a dual-authority ledger: which policy areas have moved to Intune, which remain GPO, dated. The ledger converts "why is this setting weird" from archaeology into a lookup.
IME triage — detection loops, exit codes, download stalls, and the log lines that name the failure.
Win32 deployment rides the Intune Management Extension, and IME failures cluster into four families. Work them in order — targeting, download, execution, detection — because each family's evidence rules out the next.
Family 1Never startedTargeting, filters, applicability rules
Family 2Download failedProxy/SSL inspection, disk, firewall
Family 3Exited badlyThe installer's exit code tells the truth
Family 4Detection didn't confirmInstalled and working — reported failed
Family 1 — Never Started
No install attempt visible: targeting first, always — assignment, group, filter, and the applicability rules on the app itself (architecture, minimum OS, disk). The IME log shows apps it evaluated; an app absent from evaluation was never owed to this device. Sync health covers the device that isn't hearing about anything.
Family 2 — Download Failures
Content stalls: the IME log's download phase names it — proxy/SSL inspection mangling the CDN connection (the classic network-team conversation, with DO endpoints and your inspection exemptions as the agenda), disk space, or corporate firewall rules. Large-app stalls on thin sites are a DO design question wearing an incident costume.
Family 3 — Install Ran, Exited Badly
The contract: your installer's exit code tells IME the truth. The log records the command line executed and the code returned — reproduce that exact command in a SYSTEM-context shell on a test device and the mystery usually names itself: a per-user installer packaged in the wrong context, a dependency absent, a silent switch that wasn't. Map nonzero-but-benign vendor codes (the famous reboot-required values) in the app's return-code table so success stops reading as failure.
Family 4 — Installed, Then "Failed" Anyway
Detection did not confirm — the signature failure mode: install succeeded, the detection rule looked in the wrong place (32/64-bit registry redirection, version-string vs file-version mismatch, per-user paths checked in SYSTEM context), and IME reports failure while the app sits there working. Worse is the detection loop: detection passes before install (over-broad rule), so IME thinks it's done and supersedence/updates never fire. Author detection as carefully as the install (the packaging page's craft); validate both states — present and absent.
Where the Truth Lives
%ProgramData%\Microsoft\IntuneManagementExtension\Logs — IntuneManagementExtension.log and the AppWorkload/ActionProcessor companions, readable with CMTrace-style tooling. One device's story lives there; the fleet's story lives in the App Install Status report — cohort failures by error code, where the pattern (one site, one model, one OS ring) is usually the diagnosis.
Insights
The single highest-yield habit: test in SYSTEM context before assigning (the psexec-style local rehearsal) — ninety seconds that pre-empts Families 3 and 4 entirely, because you've already run exactly what IME will run.
A device stuck on an old build — how to tell whether it's policy, a safeguard hold, a broken update stack, or a failed expedite, and what to do for each.
A Windows device behind the update-ring curve has one of four causes. Three of the four are not device faults, so determine which one you have before touching the device. Start with the per-device state in Reports > Windows updates > Windows Update for Business reports (or the per-policy report under Devices > Windows > Update rings) — it tells you whether the device is on schedule, held, or genuinely failing.
Fleet viewReports > Windows updates (Windows Update for Business reports)
Per-device stateDevices > Windows > the device > check the assigned Update ring report
Device-side logEvent Viewer > Applications and Services > Microsoft > Windows > WindowsUpdateClient > Operational; plus C:\Windows\Logs\WindowsUpdate\
Error decodeMost WU error codes are documented; decode against Microsoft's published tables, don't guess
1. It isn't actually stuck — the policy math says wait
Your own deferral, deadline, and active-hours settings can legitimately place a device weeks behind the newest build. Walk the math first: offer date + feature/quality deferral days + deadline window + grace period. A device inside that envelope is compliant with your design, not broken — the fix for "too slow" is the ring policy conversation, not a device ticket.
The Windows Update for Business report's per-device state names where in the pipeline the device sits: Offered, Installing/Downloading, Pending reboot, Deadline pending, or Installed. A device in Pending reboot for days has downloaded the update and is waiting on a restart — that is a deadline-design question, not a delivery failure.
2. A safeguard hold is blocking the offer
Microsoft blocks feature-update offers to devices with a known compatibility issue (a driver, app, or firmware signature it has flagged). The device will sit on its current build no matter how aggressive your ring is. The Windows Update for Business reports surface hold status and the safeguard hold ID.
Confirm the hold in the report (the device shows as held with a hold ID rather than failing with an error code).
Treat the hold as information: it names a real incompatibility. Find and remediate the offending driver/app/firmware — that is the actual fix.
The DisableWUfBSafeguards CSP (surfaced in the update ring as the opt-out for safeguard holds) exists for lab/test devices that knowingly accept the risk. Do not opt a production fleet past a hold; you are overriding a real compatibility block.
3. The update stack on the device is broken
The device-side update components can wedge: store corruption, disk pressure, or a Delivery Optimization path that can't fetch content. Symptoms are real error codes in the WindowsUpdateClient event channel (e.g. 0x80070070 low disk, 0x80240034 / 0x8024200B download or install failures, 0x800F0922 on cumulative updates). Decode the code against Microsoft's published tables before improvising. The repair ladder, cheapest first:
Free disk space — feature updates need several GB. cleanmgr or Storage Sense; confirm the WU error wasn't simply 0x80070070.
Run the in-box update troubleshooter — Settings > System > Troubleshoot > Other troubleshooters > Windows Update.
Component repair — DISM /Online /Cleanup-Image /RestoreHealth then sfc /scannow.
Reset the update stack — stop the services, clear the cache, restart: net stop wuauserv bits, rename C:\Windows\SoftwareDistribution and C:\Windows\System32\catroot2, then net start wuauserv bits.
For the fleet-scale version, package that ladder as a Proactive Remediation (a detection script that flags wedged stacks by error code, a remediation script that runs the reset) so you fix the scatter without hand-touching each device.
4. An expedited update didn't land
Expedited quality updates bypass deferrals for a critical patch, but they still require the Windows Update health tools component (the update-health add-on installs automatically when you create an expedite policy) and an eligible servicing state. An expedite that "isn't working" is usually a case 3 problem wearing urgency. Check, in order:
The expedite policy actually targeted the device (Devices > Windows > the device > the expedite policy reports applied).
The device already has, or can install, the latest cumulative baseline the expedite builds on — expedites accelerate the offer, they don't skip prerequisites.
If both are true and it still fails, work case 3 (the stack is wedged).
Read the fleet by the shape of the lag
The KPI is the distribution: percentage of devices on the latest quality update within N days of release, charted per ring (pull it from the Windows Update for Business reports or the inventory report's patch columns). The pattern tells you the cause:
A whole ring lagging → policy (deferral/deadline) or a safeguard wave hitting that population.
A scattered set lagging → wedged update stacks (case 3) — these are the Remediation candidates.
One site lagging → bandwidth / Delivery Optimization can't fetch content efficiently there.
Insights
Restart avoidance is the silent majority of "stuck" tickets. A device in Pending reboot has already downloaded and staged the update — that's a deadline and grace-period design question (covered on the WUfB page), not a delivery failure. The per-device update state distinguishes won't-download from won't-reboot in one glance; they're different problems with the same user complaint.
Why a device stops getting policy or apps — the two independent channels (MDM sync and the IME), how to check each, and how to force a fresh cycle.
A Windows device holds two separate conversations with Intune, and they fail independently. The MDM sync delivers policy and compliance over the OMA-DM channel; the Intune Management Extension (IME) delivers Win32 apps and PowerShell scripts/Remediations. A device can apply policy perfectly while installing no apps, and vice versa — so identify the affected channel first, then run that channel's checks. The single most useful symptom-to-channel mapping: policy applies but apps don't install means MDM is healthy and the IME is sick; apps install but compliance goes stale is the reverse.
Force sync (portal)Devices > the device > Sync — pushes a WNS wake-up to the device
Force sync (device)Settings > Accounts > Access work or school > the work account > Info > Sync
Join/identity truthdsregcmd /status
IME serviceMicrosoft Intune Management Extension (IntuneManagementExtension)
The MDM sync channel
After enrollment the device checks in frequently, then settles into the steady-state schedule (roughly every 8 hours), plus push-triggered syncs over WNS when an admin clicks Sync or a policy changes. When sync stops, work these in order:
Scheduled-task plumbing. The sync is fired by the scheduled tasks under Task Scheduler > Microsoft > Windows > EnterpriseMgmt > {EnrollmentGUID}. A device with mangled task state only syncs when poked manually. Confirm the tasks exist and aren't disabled; the DeviceManagement-Enterprise-Diagnostics-Provider event channel (Admin) shows attempt-vs-success per session.
WNS reachability. Push sync rides Windows Notification Service. Networks that filter or SSL-inspect it sever the push channel — the device still polls on schedule, but "Sync now" stops being now. Get the WNS endpoints (*.notify.windows.com, *.wns.windows.com) onto the proxy / SSL-inspection bypass list with the network team. Microsoft's published network-endpoint list is the source of truth for the full set.
Identity staleness. A long-offline device returns with an expired token; a fresh user sign-in restores the channel. dsregcmd /status is the device-side truth for the join/registration state — check AzureAdJoined, TenantId, and the AzureAdPrt (PRT) status.
Isolate direction as always: a portal-side Sync tests service→device (does the push arrive?); the device-side Sync button tests device→service (can the device reach Intune?).
The IME channel
The IME is a Windows service with its own lifecycle, separate from MDM sync:
Confirm it exists and is running. Look for the Microsoft Intune Management Extension service (services.msc, or Get-Service IntuneManagementExtension). It installs only when the device receives its first Win32 app or script assignment — a device that has never been targeted has no IME at all, which surprises people who expect it on every enrolled machine.
Read the log heartbeat.%ProgramData%\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log — recent timestamps mean the IME is cycling; a log that stopped writing means the agent is wedged. See the Win32 app failures page for reading per-app outcomes.
Restart for a fresh cycle.Restart-Service IntuneManagementExtension forces a fresh evaluation of all assigned apps and scripts — the legitimate "turn it off and on again" of Win32 delivery.
The IME also self-updates. A fleet pinned on an old IME version when delivery misbehaves at scale is worth a Graph query against the agent version.
Fleet hygiene
The fleet's pulse is the lastSyncDateTime distribution — the spread of how recently each device checked in (visible in Devices > All devices as the Last check-in column, or via Graph). Set thresholds per fleet, not one global number: a kiosk quiet for a day is an outage, while a laptop quiet for a week may just be on vacation.
Insights
Always name the channel before you start fixing. "Policy applies but apps don't install" is MDM-healthy / IME-sick — go straight to the IME service and log. "Apps install but compliance is stale" is the reverse — check the EnterpriseMgmt tasks and token freshness. Identifying the channel halves the candidate fix list before you run a single command.
Turning "my computer is slow" into a named cause — which phase is slow, where to read the data, and the common culprits per phase.
"Slow" is undiagnosable until you decompose it into a phase. Decide which of the three phases the user means, then pull that phase's data. The fastest first move is Endpoint Analytics (Reports > Endpoint analytics), which scores boot and sign-in time per device and per model, so you can see whether one machine or a whole cohort is affected before you touch anything.
Per-device boot timingEvent Viewer > Applications and Services > Microsoft > Windows > Diagnostics-Performance > Operational (event IDs 100-110)
Startup-app censusTask Manager > Startup apps; or Get-CimInstance Win32_StartupCommand via a script
Phase 1 — Boot (power to the sign-in screen)
This is firmware, driver, and core-service territory — it happens before any user logs in. Endpoint Analytics' Startup performance tab breaks boot time into core boot, group policy, and other phases, scored per device and per model.
A fleet-wide slow boot clustered by model is almost always firmware or a driver — work the driver and firmware update lane for that model.
A slow boot that appeared on a date, across mixed models, is usually an agent or policy change — correlate the start date against your deployment timeline and check whether the canary/pilot ring saw it first.
Phase 2 — Sign-in (credential to a usable desktop)
This is the phase users actually mean by "slow logon." It covers profile load, policy processing, and everything that runs at logon. Read it from the Diagnostics-Performance event channel (event ID 100/101 record boot and logon durations and flag the slow component). The usual culprits, ranked by frequency:
Startup-app accumulation — every agent's helper and every installer's auto-updater launching at sign-in. Census them (Task Manager > Startup apps, or a Get-CimInstance Win32_StartupCommand inventory script) and prune the non-essential ones by policy.
Legacy logon scripts and drive-mapping surviving from the GPO era — synchronous logon scripts and mapped-drive reconnects serialize sign-in. Migrate or retire them.
Profile bloat where OneDrive Known Folder Move isn't redirecting the heavy folders, so the profile loads gigabytes at sign-in.
First-sign-in profile creation on shared PCs — a brand-new profile being built looks like slowness but is expected; only repeat sign-ins should be fast.
Phase 3 — In-session (during the working day)
App hangs and general sluggishness once the desktop is up. Endpoint Analytics' App reliability and Resource performance views surface the offending app and CPU/memory pressure per device. The classic pattern here is agent contention — two security products scanning each other or the same files. Resolve it only with vendor-documented mutual exclusions (the exclusion lists each vendor publishes for the other), never improvised exclusions that punch real holes in protection.
The data sources, in order
Endpoint Analytics for the fleet shape — which phase, which cohort, since when.
The per-device event channels (Diagnostics-Performance for boot/logon timing) for the named machine.
An A/B against a clean device — a freshly reset unit of the same model as a control. If the reset twin is fast, the delta is the accumulated state on the user's device, and a wipe-and-redeploy is often faster than chasing the cause.
Insights
Performance regressions are usually changes, not gradual decay. Before profiling, correlate the start date of the complaint cluster against your deployment timeline — new agent versions, baseline changes, new startup apps. The change calendar resolves more performance tickets than any profiler.
Publish the fleet's sign-in time p50/p90 from Endpoint Analytics quarterly even when nobody asks. The trend line is nearly free to produce and turns the next "everything got slower" escalation into a conversation about a chart with a baseline.
PSADT plus Evergreen plus WinTuner composes into a near-free internal app pipeline — three projects, one afternoon of glue, and the Enterprise App Catalog evaluation gets a credible open-source baseline to price against.
SyncMLViewer changes how you think: once you've watched a Settings Catalog policy become OMA-URI traffic, conflict tickets stop being mysterious and start being readable.
How Intune manages Macs — the MDM channel, the agent, and what changes when the Apple device has a keyboard.
MacOS management with Intune rests on Apple's shared device-management foundation — ABM, APNs, VPP — then adds the realities of a desktop OS: local admin questions, agents, packages, and users who've owned Macs longer than IT has managed them.
The Two Channels
MDM — Apple's native management protocol: configuration profiles, DDM declarations, restrictions, app installs, device actions, all delivered via APNs. Nothing extra is installed to make this channel work — the capability ships with the OS and activates at enrollment.
The Microsoft Intune management agent — installed automatically when you assign shell scripts; it handles scripts and custom attributes — the operational glue the MDM protocol doesn't carry.
MDM for policy and apps; the agent for scripted glue. Knowing which channel owns what is half of troubleshooting.
Intunepolicy authority
→
APNswake-up channel
→
Macchecks in for profiles, declarations, actions
Device Identity in Entra ID
Macs register with Entra ID — they do not join. What varies is how strong that registration is and how the signed-in browser proves it; the device identity guide goes deep:
Path
Entra identity
What Conditional Access sees
Company Portal enrollment
Entra registered during enrollment sign-in
User + device compliance verdict
ADE enrollment
Entra registered, corporate record from first boot
User + compliance, supervision-grade management behind it
+ Platform SSO
Registration bound to the local account's Secure Enclave key
Browser SSO that carries device identity — the modern posture for device-based grants
What Makes Mac Management Distinct
Supervision comes with ADE enrollment and unlocks the deeper management controls — and because Macs run arbitrary third-party software, the management surface extends into PPPC privacy grants, system extensions, and packages: the approval layer that decides whether your security tooling actually runs.
Local accounts exist: admin-or-standard is a real decision (enrollment page), and Platform SSO is the modern answer to binding them to Entra identity.
No VPP-or-nothing: apps arrive as VPP, PKG, DMG, or script-installed — choosing correctly per app is a skill, and the choice determines update behavior, reporting fidelity, and uninstall cleanliness later.
What's Different From Jamf-Era Expectations
Mac admins arriving from Jamf will look for Smart Groups and policies-with-triggers; the Intune equivalents are dynamic groups + filters, shell scripts, and a configuration model that leans on Settings Catalog plus custom profiles. The capabilities map well; the idioms differ — this section teaches the Intune idiom rather than transliterating the old one.
The Honest Scope Statement
Intune's MacOS surface has matured fast (DDM updates, Platform SSO, PKG/DMG types, managed local-admin password rotation arriving across recent releases) — but Apple ships new management features every June, and adoption into Intune follows. The operating habit: check the What's new feed after each MacOS release, and where a gap is real, the custom profile escape hatch usually covers it.
ABM, APNs, and VPP — the Apple-side plumbing every managed Mac depends on: what each piece does, how to stand it up, and the renewal calendar that keeps it alive.
Apple runs one device-management foundation across its platforms, and your Mac fleet rides it end to end: Apple Business Manager anchors device ownership, APNs carries every management conversation, and Apps & Books (VPP) licenses App Store software. If another Apple fleet already lives in your tenant, most of the MacOS groundwork is already done — verify each component below and move on. If the Mac estate is your first Apple footprint, work this page top to bottom; it is the setup order.
Applies toEvery Apple device in the tenant
RequiresABM org + a dedicated IT role Apple Account
RenewalAPNs cert, ADE token, VPP token — all annual
Console pathIntune admin center > Apple enrollment settings
Prerequisites
An Apple Business Manager organization at business.apple.com — the verified org identity that anchors device ownership, with your reseller/carrier numbers registered so purchased Macs flow into ABM automatically.
A dedicated, documented Apple Account for IT (a role account, not a person's) to own the APNs certificate — this one decision prevents the worst renewal accident in Apple fleet management.
Intune administrator rights sufficient to upload certificates and enrollment tokens.
The Components, in Setup Order
Step 1APNs certificateRenew annually, always from the same Apple Account
Step 2ABM ↔ Intune tokenABM-owned serials flow in for ADE
Step 3MDM server defaultsNew hardware lands assigned, no human touch
Step 5Managed Apple AccountsFederation and naming strategy decided
Step 6Stray intake pathApple Configurator brings retail strays into ABM
Create the APNs certificate — nothing works without it. In the Intune admin center's Apple enrollment settings, download the certificate signing request; sign in to Apple's Push Certificates Portal (identity.apple.com) with the IT role account, create the certificate from that CSR, and upload the result back into Intune. One certificate serves every Apple device in the tenant. It expires annually: renew, never recreate, and always from the same Apple Account — a replacement certificate from a different account breaks the trust chain and forces the entire fleet to re-enroll. Put the expiry on a shared calendar and automate the watch with the connector health-check script.
Connect ABM to Intune (the enrollment token). In ABM, add Intune as an MDM server (uploading the public key Intune provides), download the server token, and upload it into Intune's enrollment configuration. This token is what lets ABM-owned Mac serials flow into Intune for Automated Device Enrollment — and it renews annually, on the same calendar and the same health check.
Set MDM server assignment defaults. In ABM's device settings, point the Mac default at the Intune server entry so newly purchased hardware lands assigned without a human touch — ABM routes each device type to its own default, which also matters if you ever run a transitional second MDM during a migration.
Stand up Apps & Books (VPP). Acquire Mac App Store apps in ABM, download the location token, upload it to Intune — licensed apps then deploy with no Apple Account sign-in required on the device. The token renews annually; license posture stays auditable with the VPP license report.
Decide the Managed Apple Accounts strategy — federation, naming, and who gets one; the strategy page carries the full decision.
Build the intake path for strays. Channel-purchased Macs appear in ABM automatically; retail-purchased and acquisition Macs can be added through an Apple Configurator intake flow so they too become ABM-known and ADE-eligible. Build this path before you need it — every fleet accumulates strays.
Verification
APNs: the certificate shows active with a future expiry, and a test Mac enrolls and responds to a sync within minutes — a dead or mismatched certificate presents as silence, not as an error.
Enrollment token: ABM-assigned Mac serials appear in Intune's enrollment device list after a token sync.
VPP: a licensed app assigns to a test Mac and installs without prompting for any Apple sign-in.
Because APNs and the ADE token are tenant-shared, the Apple connector calendar protects your Macs already — no new annually-expiring credentials arrive with the Mac fleet. The health-check script covers the full connector set in one run.
ABM-side hygiene: give Mac fleets their own MDM server default by device type (ABM routes each device type to its own default) if you ever run a transitional second MDM — the migration playbook's reassignment mechanics apply identically to Macs.
ADE versus user-approved Company Portal enrollment — and the local-admin decision that rides along.
Two real paths onto a Mac, and the same site-wide law: the path sets the ceiling.
the Mac is org-owned and ABM-knownAutomated Device EnrollmentSupervised, wipe-persistent, Setup Assistant onboards the user — nearly every corporate Mac.
it's org-owned but not in ABM yetApple Configurator intake, then ADEUser-approved enrollment is only the stopgap while the intake happens.
it's genuinely BYO hardwareUser-approved enrollment — or noneRestrained policy set, or browser-only access gated by Conditional Access. Decide as policy, not per-ticket.
The Decision
Org-owned Mac? → Automated Device Enrollment. ABM-known, supervised, enrollment survives erase-and-reinstall, Setup Assistant onboards the user. This should be nearly every corporate Mac.
Org-owned but not in ABM (acquisition strays, old purchases)? → Get it into ABM via Apple Configurator intake where feasible (the shared-foundation page covers the intake path) — then ADE. User-approved enrollment is the stopgap while you do.
Genuinely BYO Mac? → User-approved Company Portal enrollment with a restrained policy set — or, often better, no enrollment: App Protection-style data controls are not a meaningful option on MacOS, so the honest BYO-Mac choices are light enrollment or browser-only access gated by Conditional Access. Decide as policy, not per-ticket.
ADE's Setup Assistant flow lets you decide the first user's privilege (admin vs standard) and create a hidden managed admin account. The defensible modern posture is a trio: standard users, a managed local admin for break-glass (rotated per the local-admin rotation patterns), and Platform SSO binding identity to Entra. The countervailing Mac-culture reality — developers and power users with legitimate admin needs — is solved with a defined elevation path, not blanket admin. Write the policy before the first ADE profile, because retrofitting privilege downward is a political project.
Insights
A Mac's enrollment story is verifiable in seconds: profiles status -type enrollment answers ADE-known/enrolled/supervised in one command — the diagnostics page builds on it.
Mixed Jamf-to-Intune estates: Macs cross over on the migration playbook's mechanics — ABM server reassignment + erase for ADE fleets; there is no dual-MDM Mac.
OS support windows, Apple silicon realities, and the procurement-to-retirement arithmetic for MacOS fleets.
Lifecycle discipline for a MacOS fleet runs on its own constants: Apple's hardware lasts longer than most refresh plans assume, the OS support model is convention rather than contract, and the silicon transition still shapes purchasing. This page is the procurement-to-retirement arithmetic.
1/yrmajor MacOS release cadence
n-2oldest release still receiving security updates, by convention
4–5 ycommon Mac refresh cycle — budget on OS-eligibility, not failure
The OS Support Reality
Apple ships a major MacOS annually and, by long-standing convention rather than published commitment, delivers security updates to the current release plus the two prior. The planning consequences:
Your update policy floor rides that n / n-1 / n-2 window — a fleet on the oldest supported release has zero buffer when the next major ships
Hardware ages out of OS eligibility: each major release drops older models; a Mac that can't take the current OS begins a countdown the compliance patch floor will eventually enforce. Track OS-eligibility horizon per model in a fleet EOL ledger — model, purchase window, last eligible OS, planned exit date — reviewed quarterly
Major-release adoption on Mac deserves deliberate lag: let the ring-1 population and your agent vendors validate against the new release — the annual "our security agent broke on the new MacOS" cycle is real, and the ledger of vendor-support statements is the antidote
Apple Silicon as a Fleet Property
Intel stragglers in a silicon fleet are a management split, not just a speed gap: Rosetta deployment for translated apps, divergent recovery flows, different security architecture underneath FileVault and boot security. Most orgs should be silicon-complete by now; if Intel units persist, give them their own filter dimension and a retirement date.
The Refresh Arithmetic
Mac refresh cycles run longer (4–5 years is common) — budget against the OS-eligibility horizon rather than hardware failure: a Mac is fleet-viable while it runs a securely-updated OS and your agent stack supports that OS. Residual value is real on Mac — buyback programs materially offset refresh cost, which is a finance conversation worth having with ABM procurement data in hand.
Retirement Checklist
Activation Lock release first, wipe second (Erase All Content and Settings on silicon — the recovery page covers the mechanics and the Activation Lock discipline), ABM unassignment for devices leaving the org, and Intune object cleanup on a scheduled stale-device rhythm. The Activation Lock line is the one that bites resale: a locked Mac is worthless to the buyback program until released.
Step 1Release Activation LockA locked Mac is worthless to the buyback program
Step 2WipeErase All Content and Settings on silicon
Step 3Unassign in ABMFor devices leaving the org
Step 4Clean up Intune objectsOn the scheduled stale-device rhythm
Insights
Run the lifecycle KPI trio: average fleet age, % on supported OS, % past OS-eligibility — three numbers that turn Mac refresh budgeting from negotiation into evidence.
The Mac-specific migration playbook — re-enrollment mechanics, artifact mapping, and what doesn't translate.
Mac estates arriving at Intune usually arrive from Jamf, and the move is the universal migration choreography with Apple-specific mechanics: MDM enrollment is exclusive, so every Mac re-enrolls, and the artifact translation is real work.
The Non-Negotiable Mechanics
One MDM at a time: the Mac must unenroll from Jamf before Intune can manage it — there is no coexistence period per device, only per fleet.
ADE devices re-anchor in Apple Business Manager: reassign the device's MDM server assignment from the Jamf instance to Intune's enrollment token — the supervision and ADE benefits carry; the enrollment itself still requires the device to re-enroll (an EACS-or-wipe decision on silicon, or a user-driven re-enrollment flow for gentler waves).
FileVault keys do not migrate: escrowed keys live in Jamf; the Intune-side escrow populates on key rotation post-enrollment — sequence the rotation profile early and verify escrow coverage before anyone declares victory, because the gap window is real.
The Artifact Translation Map
Jamf artifact
Intune destination
Configuration profiles
Settings Catalog first, custom .mobileconfig for the remainder — audit each profile's payloads rather than bulk-importing a decade of accretion
Policies + scripts
Shell scripts and the app pipeline — Jamf "policies" decompose into Intune scripts, apps, or profiles depending on what they did
The translation is also the audit: most Jamf estates carry years of one-off policies; migrate intent, not inventory.
Do
Reassign the ABM MDM server entry from Jamf to Intune before each wave
Sequence the FileVault key-rotation profile early and verify escrow coverage per wave
Audit each Jamf profile's payloads — migrate intent, not inventory
Don't
Plan for per-device MDM coexistence — enrollment is exclusive
Bulk-import a decade of profile accretion
Declare victory while escrowed keys still live only in Jamf
The Wave Design
Agent kit staged first (PPPC/extensions for your security stack pre-approved in Intune before any Mac arrives), pilot wave of IT's own Macs, then population waves with compliance plus Conditional Access as the deadline lever — with the FileVault escrow check added to each wave's exit criteria.
Stage 1Agent kit pre-stagedPPPC and extensions approved in Intune before any Mac arrives
Stage 2Pilot waveIT's own Macs cross first
Stage 3Population wavesCompliance + Conditional Access as the deadline lever
Stage 4Wave exit checkFileVault escrow verified before the next wave
Insights
Run the capability-gap review before committing dates: deep Jamf estates use features (complex Smart Group logic, patch-title automation, extension-attribute-driven workflows) whose Intune equivalents are adjacent rather than identical — the honest-differences conversation up front converts surprises into design inputs.
Rosetta, universal binaries, virtualization, and the silicon-specific facts that shape Mac fleet operations.
The lifecycle page treats Apple silicon as a procurement fact; this page treats it as an operations fact — the handful of silicon-specific behaviors that surface in deployment, security, and the lab.
Rosetta 2: the Translation Layer
Intel-built software runs on silicon through Rosetta — installed on demand, which under management means you install it up front, by script: the one-line scripted install during enrollment for any fleet whose app estate isn't verifiably universal, because the alternative is per-user prompts and "bad CPU type" tickets. The audit side: a custom attribute censusing translated processes tells you which vendors still owe you universal builds — the lane-orphan review's architecture cousin, and a renewal-conversation lever.
The Security Architecture Dividends
Silicon is why the modern Mac security pages work the way they do: the Secure Enclave underwrites Managed Device Attestation and Platform SSO's key-based modes; sealed system volumes and boot security feed the recovery model — EACS's minutes-not-hours erase is a silicon-era cryptographic property, and DFU revive is its bench-side sibling. One slide in the architecture doc connecting these makes every later review faster.
Virtualization: the Lab Multiplier
Silicon Macs virtualize MacOS natively (Apple's Virtualization framework, with UTM as the open-source face) — disposable MacOS VMs for profile testing, enrollment rehearsals, and OS-release validation without a hardware drawer. The constraints: VMs aren't ABM-known hardware, so ADE-specific flows and attestation-grade scenarios still want a physical bench unit or two; everything else — payload behavior, script validation, agent-kit dry-runs — virtualizes beautifully. Licensing terms bound VM counts; read them once and design the lab inside the lines.
Insights
The Intel-straggler dimension deserves explicit filter treatment until it's zero: divergent recovery, no MDA, different performance envelopes — a fleet that can't say "we are N% silicon" by query is carrying an invisible operational fork, and the retirement date for the fork belongs in the lifecycle ledger, not in vibes.
What enrollment actually creates in Entra ID — the registered device record, the Platform SSO upgrade, and why stale records quietly break access.
Every managed Mac exists twice: as an Intune device object (management — policy, apps, inventory) and as a Microsoft Entra ID device record (identity — what Conditional Access actually evaluates). Intune computes the compliance verdict against its object and stamps it onto the Entra record; access decisions read it from there. Most "enrolled but blocked" mysteries are daylight between those two records.
Trust typeMicrosoft Entra registered — never joined
BrokerEnterprise SSO plug-in inside Company Portal
Upgrade pathPlatform SSO binds the local account to Entra ID
What Enrollment Produces in Entra ID
When a Mac registers, Entra mints a device record with trust type Microsoft Entra registered, and the Mac receives a workplace join (WPJ) certificate — hardware-bound, and accessible only to the Microsoft Enterprise SSO plug-in that ships inside Company Portal. That certificate is how the Mac proves "I am device X in your directory" when apps and browsers request tokens; the device ID it asserts is the key Conditional Access uses to find the compliance verdict. Every enrollment path produces this same trust type — what differs is when the record lands.
Registered, not joined
Macs register with Entra ID; they do not join it. Registered is the only trust type a Mac record will ever carry, so device-based access for Macs rests entirely on the compliant device grant — a control demanding a joined device can never be satisfied from a Mac.
Three Paths, Three Registration Moments
Enrollment (the MDM relationship) and registration (the Entra record) are separate events, and the gap between them is where first-week tickets are born:
After setup — a Company Portal sign-in at the desktop completes registration
The classic gap: managed but unregistered, and Conditional Access blocks until that sign-in
ADE with Platform SSO registration during enrollment
During enrollment itself — the PSSO payload completes registration before the desktop
Closes the gap; the modern target for corporate Macs
Respect the middle row: a modern-auth ADE Mac reaches the desktop fully managed — and every Conditional Access-protected app bounces the user toward Company Portal until the registration sign-in happens. Write that step into onboarding comms, or let Platform SSO's registration-during-enrollment delete the human step entirely.
The Platform SSO Upgrade
Plain registration gives the Mac an identity; Platform SSO gives it a relationship. The local account binds to Entra ID, the SSO extension becomes the broker for authentication and Conditional Access on the device, and in Secure Enclave mode the credential is hardware-bound and phishing-resistant (the passkeys page continues that thread). For the identity story this changes three things: registration ties to the local account that performed it, sign-in state stays consistent between the OS and Entra, and browsers acquire device identity silently through the broker instead of certificate-picker prompts. Conditional Access stops being something users experience and becomes something simply true of the device.
Compliance Binds to the Record
The sequence that makes a Mac "compliant" in a token: enrollment establishes management → registration creates the Entra record → the first check‑in lets the compliance policy evaluate → the verdict lands on the Entra record → Conditional Access reads it at sign-in. A brand-new Mac showing noncompliant for its first minutes is this sequence mid-flight, not a failure; one stuck there past fifteen minutes usually has an unfinished registration, not a policy problem.
Step 1EnrollEnrollment establishes management
Step 2RegisterEntra mints the device record
Step 3EvaluateFirst check‑in runs the compliance policy
Step 4StampThe verdict lands on the Entra record
Step 5GateConditional Access reads it at sign-in
The Bootstrap Token Is Authority, Not Identity
Two trust fabrics run through a managed Mac, and they never touch. The bootstrap token — escrowed to Intune during ADE enrollment — is Apple-side authority: it lets MDM authorize operations that need SecureToken/volume-ownership powers on Apple silicon, like enforced software updates and kernel-adjacent work. It plays no role in Entra registration, tokens, or Conditional Access. Map symptoms: access blocked → registration/WPJ side; updates refusing to authorize → bootstrap side (profiles status -type bootstraptoken).
Erase, Re-Enroll, and Stale Records
Each registration mints a fresh device ID, so the erase-and-re-enroll loop that makes Mac recovery so fast also manufactures duplicates: one piece of hardware, several Entra records, only one of them live. Stale records don't block access — the Mac presents its current certificate — but they poison dashboards, inflate noncompliant counts, and make dynamic groups lie. Clean deliberately:
Dedupe by serial number, never display name. Serial is the only honest key; a fleet of identical "MacBook Pro" display names will name-match you into deleting live records.
Identify the live record before touching anything — the device ID from a fresh sign-in log entry, or the record Intune currently maps to, marks the survivor.
Clean the Intune side first, with the escrow caution: the escrowed FileVault recovery key rides the Intune device record — confirm the surviving record holds a valid key and rotate after cleanup rather than discovering the gap at unlock time.
Then the Entra side: disable, soak, delete. Filter on the activity timestamp with a generous window, disable first, and delete only after nothing has screamed for a couple of weeks.
Hardening: Managed Device Attestation
Registration as described is still assertion — the record exists because software said so. Managed Device Attestation upgrades the foundation: the Secure Enclave proves genuine hardware and properties to Apple's attestation service, and device certificates become silicon-rooted instead of software-held. As access design leans harder on the device record, MDA makes the record worth trusting.
Insights
"Enrolled but blocked" is a registration diagnosis until proven otherwise: check Company Portal sign-in state before re-pushing policy — the enrollment triage page and the PSSO triage page split the failure modes.
One Mac accumulating several Entra records across its life is normal, not pathological — but dashboards that count records instead of serials report a fleet you don't own. Dedupe by serial before any number leaves your team.
Treat registration as part of enrollment in the runbook: every path that leaves it to a human eventually meets a human who skips it.
ADE on MacOS — the enrollment profile decisions, Setup Assistant account creation, and the bootstrap token.
ADE is the Mac's supply-chain enrollment path: ABM-known serials hit Setup Assistant, management is mandatory and wipe-persistent, and supervision unlocks the full management surface. The Mac adds two consequential dials: local account creation and await final configuration.
Applies toOrg-owned, ABM-known Macs
RequiresHealthy APNs cert + synced ADE token + serial assigned in ABM
Console pathDevices > MacOS > Enrollment
Survives wipeYes — re-enrolls at Setup Assistant
Prerequisites
The shared Apple foundation in place: a healthy APNs certificate, the ABM ↔ Intune enrollment token synced, and the Mac's serial assigned to Intune's MDM server entry in ABM.
The local-account decision made in writing — admin vs standard, and whether a hidden managed admin exists. The profile encodes policy; write the policy first.
The day-one payload identified: FileVault, PPPC grants, and the security stack worth holding Setup Assistant for.
Building the Enrollment Profile
Under Devices > MacOS > Enrollment (ADE token section), create the profile and work the decisions in order:
Set user affinity. Enroll with affinity for 1:1 Macs (the norm); Setup Assistant authenticates with Entra (modern auth via Company Portal flow per current platform guidance), tying the device to its primary user for licensing, compliance, and self-service.
Decide account creation — the big one. Create the primary user as standard (recommended; see local account strategies) and define a hidden managed administrator account for IT break-glass. This is where the no-standing-admin posture is born; retrofitting it later is a political project.
Enable await final configuration. Setup Assistant holds until critical profiles land, so FileVault, PPPC grants, and the security stack arrive before the desktop does — the difference between a Mac that is compliant at first login and one racing its own policies.
Trim Setup Assistant panes. Skip the consumer panes (Apple Intelligence, Siri, Screen Time, analytics) per fleet taste — every retained pane is a decision delegated to the user; the Setup Assistant page carries the full strategy.
Assign the profile via the token's device list, and build enrollment-profile-based dynamic groups downstream so day-one targeting follows the enrollment path automatically.
The Bootstrap Token (Quietly Critical)
On ADE Macs, the bootstrap token escrows to Intune automatically — it's what lets MDM authorize things that need SecureToken/volume-ownership powers on Apple silicon: kernel-adjacent operations, some software-update and account flows. You don't configure it so much as verify it (profiles status -type bootstraptoken) when deep operations misbehave — a missing bootstrap token is a classic root cause on Macs that enrolled through odd paths.
First-Boot Flow and Verification
Unbox → Setup Assistant → Remote Management screen → Entra sign-in → account created per profile → await-config holds while the assigned-at-enrollment stack lands → desktop with compliance evaluating and Conditional Access gating. Verify a pilot unit end to end before fleet rollout: profiles status -type enrollment reports the Mac as ADE-known and enrolled, the hidden admin exists but stays off the login window, and the security stack is already running at first desktop. The user experience brief writes itself: "sign in, wait two minutes, work."
Step 1UnboxSetup Assistant on first power-on
Step 2Remote ManagementThe Mac learns it's managed
Step 3Entra sign-inUser affinity established
Step 4Account createdPer profile — standard user + hidden managed admin
Step 5Await config holdsFileVault, PPPC, security stack land first
Erase-and-reinstall is your friend: ADE re-enrollment after erase makes "wipe it" a legitimate, fast fix on Macs — Erase All Content and Settings (Apple silicon) brings a Mac back to Remote Management in minutes, not the reimage-afternoon of old.
Pilot the account-creation matrix explicitly: admin/standard × hidden-admin presence × Platform SSO later — these interact, and the Platform SSO page assumes you landed on standard-user + managed admin.
The non-ADE path — what it's for, what it can't do, and how to keep it from becoming the accidental default.
User-approved MDM enrollment via Company Portal is the Mac's manual path: the user downloads Company Portal, signs in, and approves the management profile by hand. Legitimate for its niche; corrosive when it quietly becomes how corporate Macs enroll.
SupervisionNo — the deeper restriction set stays out of reach
Survives wipeNo — erase returns an unmanaged Mac
The Flow
User installs Company Portal for Mac (from your portal link or pushed guidance), signs in with Entra credentials.
The enrollment walks them through downloading and approving the management profile in System Settings — the "user-approved" act that grants MDM its powers (without approval, large parts of MDM are inert by Apple's design).
Device enrolls, policy applies, compliance and CA take over.
What You Don't Get
No supervision — the deeper restriction set and several modern features stay out of reach.
Removable management — the user approved it; the user can revoke it. Access dies with the profile (CA sees to that), but the device was never anchored.
No wipe-persistence — erase the Mac and it returns as an unmanaged retail device; compare ADE's gravity.
No Setup Assistant account control — the local-account posture is whatever the user already built.
Where It's the Right Answer
Genuine BYO Macs, with a deliberately light policy set and the BYO-Mac strategy decision made consciously.
Stopgaps: the acquisition's fifty Macs get user-approved enrollment for compliance-gated access this month, and ABM intake + erase-to-ADE on the migration plan next quarter.
Lab/eval machines where ABM ceremony isn't worth it.
Keeping It Contained
Enrollment restrictions can fence who may use this path; reporting tells you whether the fence holds — put the enrollment-type split on a monthly review and watch it trend toward ADE. A corporate Mac discovered on user-approved enrollment isn't a config error, it's a procurement-to-ABM pipeline leak — fix the pipe, then re-enroll the Mac properly.
Insights
The approval ceremony confuses users exactly once per Mac — a three-screenshot guide in your portal text reduces the "it says profile not approved" tickets to near zero.
MacOS prompts are security theater to users until explained: one line — "this is what lets your Mac pass the company's access checks" — converts suspicion into a tap.
Designing the Mac out-of-box experience — pane skipping, the await-configuration gate, and what lands before the desktop.
The ADE page establishes the pipeline; this page designs the experience — what a user sees between power-on and desktop, and what your tenant guarantees has landed before they get there.
The enrollment profile's Setup Assistant section skips panes per your design. The doctrine: skip everything that delays value or invites configuration drift — Apple Account sign-in (corporate Macs run corporate identity), Siri, Screen Time, analytics, the personalization parade — and keep only what the flow genuinely needs (network, and the account-creation step your account strategy dictates). Every retained pane is a support-call generator during enrollment week; every skipped pane is a decision your profiles make instead.
Awaiting Configuration: the Provisioning Gate
The await device configured behavior in the enrollment profile holds the device in Setup Assistant while the MDM delivers the critical initial payload, rather than racing the user to the desktop. What belongs in that window is a deliberately short list — the agent-enablement kit (PPPC, extensions, login items so security tooling activates without prompts), FileVault enablement posture, core restrictions — and not the 6 GB app suite, which streams post-desktop while the human works.
The await window surfaces little granular user-facing status while it runs, so set expectations by time-boxing the window in your design (decide what must land, measure how long it takes) and validating it in ring-1 enrollment rehearsals on real hardware over real networks.
The First-Login Sequence
Post-Setup-Assistant, the remaining stack arrives in rough order: profiles complete, scripts fire, the app pipeline (VPP first, PKG lanes after) streams, Platform SSO registration prompts on schedule. Document the expected first-hour timeline for the helpdesk — "Slack appears within 20 minutes" written down converts day-one anxiety into a checklist.
Insights
Rehearse the bad-network enrollment deliberately: hotel Wi-Fi, captive portals, 802.1X-gated office jacks — the await-configuration window's failure modes live there, and the enrollment-failure triage you write afterward will be the most-used page in your internal runbook.
The pane-skip list needs an annual pass: each MacOS release adds Setup Assistant steps, and an unreviewed profile greets next year's hires with panes you never decided to show.
Admin or standard, hidden managed admins, and identity-linked account creation — deciding who the Mac thinks its users are.
Every managed Mac asks a foundational question: who gets the local account, and with what rights? The answer shapes your security posture, your helpdesk load, and your Platform SSO design.
The Primary Decision: Standard vs Admin
The ADE profile's account-creation settings decide what the user becomes:
Standard user — the defensible default: malware runs with user rights, configuration drift drops, audit posture improves. The historic Mac objection ("everything prompts for admin") has aged badly — managed software arrives via the app pipeline, settings via profiles, and the genuine elevation long-tail is smaller than folklore claims.
Admin user — still common in Mac culture, especially developer fleets; if you grant it, grant it knowingly with compensating controls (Gatekeeper posture, EDR, and the honesty that admin users can alter both).
The pragmatic middle that many estates land on: standard users fleet-wide, admin by documented exception for the populations whose workflow genuinely demands it. Intune has no native just-in-time elevation story for the Mac yet, so third-party elevation tools fill that slot where the exception list grows — and the principle stands either way: elevation should be an audited event, not a standing right.
the workflow has no genuine elevation needStandard userThe defensible default — malware runs with user rights, drift drops, audit posture improves.
the population's workflow genuinely demands elevationAdmin by documented exceptionGranted knowingly with compensating controls — or a third-party elevation tool making elevation an audited event.
The Managed Administrator Account
The enrollment profile can create a hidden managed admin during ADE — the break-glass identity that makes standard-user fleets serviceable. Treat its credential as a managed secret: unique-per-device or rotated (the rotation page covers the patterns), hidden from the login window, used by process rather than memory.
Identity Linkage
Account creation can ride the enrollment's identity flow — the local account taking shape from the Entra sign-in — and Platform SSO then keeps local and cloud credentials aligned from day one. Naming discipline matters more than it looks: a fleet of jsmith-style short names created consistently beats the archaeology of user-invented account names three years later.
Insights
Migrating existing Macs to standard-user is its own mini-project: demote by script in waves, with the managed-admin and elevation story landed first — removing rights before the elevation path exists generates the exact ticket spike that discredits the whole project.
Whatever the strategy, write down the account model per fleet (who's standard, who's admin, what the hidden admin is for) — it's two paragraphs, and it's the document every security review and every new admin asks for.
Gating which Macs enroll and how — personal-device blocks, version floors, and the corporate-channel guarantees.
Enrollment restrictions are the tenant's door policy for Macs: corporate machines through the ADE front door, personal Macs handled deliberately or not at all — and the restriction set is what makes that intent enforceable rather than aspirational.
The Restriction Surface
Device platform restrictions, MacOS edition:
Block personally owned MacOS devices — the high-leverage gate. ADE devices are corporate by ABM construction and pass; the personal MacBook with a Company Portal download doesn't device-enroll. The personal-Mac population then gets the deliberate tier: browser access under Conditional Access session controls, or nothing — MacOS offers no meaningful MAM tier, so the access-tier table has fewer rows and the design doc should say so plainly.
Minimum OS version at the door — aligned with the n / n-1 / n-2 support window so museum builds bounce at enrollment rather than aging inside compliance.
Device limits — Macs accumulate per user across refresh cycles; the limit plus a scheduled stale-device cleanup keeps the per-user pile honest.
The Channel Guarantees
Restrictions decide whether; the enrollment channel decides how much management you get:
ADE: supervision, await-configuration, mandatory MDM, the full feature surface — the only channel corporate Macs should ride
User-approved/Company Portal enrollment: real management with consent-shaped edges — appropriate for the transitional estate (mid-migration Macs and the pre-ABM long tail), with a plan to converge on ADE at refresh
The restriction set should make the unintended channels impossible: with personal devices blocked and corporate hardware ABM-assigned, every enrolled Mac arrived supervised through the front door — which is the property your security baseline silently assumes
Do
Block personally owned MacOS devices so only ABM-built hardware device-enrolls
Set the minimum-OS floor at the door, aligned to the n / n-1 / n-2 window
Review the enrollment-type split quarterly and trend it toward ADE
Don't
Expect a restriction change to fix already-enrolled stock — it gates new enrollments only
Let user-approved enrollment become the accidental corporate default
Leave the personal-Mac tier undecided — browser-only under Conditional Access, or nothing
Insights
Audit the channel mix quarterly: the enrollment report split by enrollment type should trend toward ADE-total; a persistent user-approved population marks either ABM-assignment gaps in procurement (fixable at the reseller) or a BYOD-Mac shadow program that deserves a real decision instead of an accident.
Restriction changes are forward-looking — they gate new enrollments only — so pair posture tightening with a sweep of the already-enrolled stock that no longer fits.
Erase All Content and Settings, recovery flows, and DFU revival — getting Macs back to managed from any state.
The cloud-native promise — any device returns to known-good fast — needs MacOS mechanics. Modern Apple silicon makes this genuinely good; this page is the ladder from gentle to forensic.
Rung 1EACSCryptographic erase to out-of-box in minutes — ADE catches it at Setup Assistant
Rung 2RecoveryOSMacOS reinstalls, startup security, disk repair
Rung 3DFU revive / restoreBench operation via a second Mac running Apple Configurator
Rung 1 — Erase All Content and Settings (EACS)
On Apple silicon (and T2-era hardware), EACS is the transformative tool: a cryptographic erase that resets the Mac to out-of-box without reinstalling MacOS — minutes, not hours. Issued locally or as the MDM erase action, the device reboots into Setup Assistant where ADE re-enrollment catches it automatically. The practical consequences:
"Reprovision it" becomes a tier-1 fix — the synced-data posture (user files living in OneDrive or equivalent managed sync) decides how true that is; a Mac whose user data lives in synced services rebuilds in under an hour
Offboarding, device transfers between users, and the migration waves all ride this rung
Activation Lock discipline decides whether the next hour is smooth: a locked Mac post-erase is a paperweight until released — the bypass-code escrow and ABM-release flow belong in the runbook before the first erase
Rung 2 — RecoveryOS
The local recovery environment handles the mid-tier: MacOS reinstalls for genuinely corrupted systems, startup security settings, disk repair. Under management, recovery access intersects your security posture — the recovery lock / firmware-password story (set via MDM on supported hardware) gates what an unauthorized hand can do from recovery, and the lock's escrow is another credential-rotation citizen.
Rung 3 — DFU Revive and Restore
Apple silicon's last resort: a Mac that won't boot at all connects to a second Mac running Apple Configurator for a revive (firmware repair, data preserved) or restore (full re-flash, data gone). It's a bench operation — cable, second Mac, current Configurator — and a fleet of any size should have one bench rehearsed on it, because the alternative is a depot ticket and a week.
Insights
The ladder's existence changes troubleshooting economics: past thirty minutes of diagnosis on a weird-state Mac, EACS-and-re-enroll is usually the cheaper path — if the data posture and Activation Lock discipline make it casual. Those two prerequisites are the actual project.
Rehearse the full loop quarterly: erase a lab Mac, watch it land back at the desktop fully managed, time it. That number — not the architecture diagram — is your real recovery SLA.
The MacOS configuration surface — Catalog first, custom .mobileconfig for the gaps, preference files for app settings.
Three layers configure a Mac, in strict order of preference: the Settings Catalog, custom configuration profiles, and preference-file payloads for application settings. Master the order and the Jamf-refugee question — "where do my config profiles go?" — answers itself.
the Settings Catalog surfaces the settingSettings CatalogThe default home for new MacOS policy — one setting, one home.
the payload isn't in the Catalog yetCustom .mobileconfigThe escape hatch — versioned in Git, retired when the Catalog catches up.
you're configuring an app's own settingsPreference file payloadManaged values pushed into the app's preference domain.
1. Settings Catalog (Default Home)
The Settings Catalog is the default home for new MacOS policy, with a deep payload set: restrictions, login window, FileVault-adjacent settings, Platform SSO, PPPC, extensions and login items, Microsoft AutoUpdate and Office preferences, and more — searchable by friendly name and Apple's payload keys, with Apple's Device Management documentation as the authoritative key reference. New policy starts here; one setting gets one home, and profile conflicts are resolved by never creating them.
2. Custom .mobileconfig (The Escape Hatch)
For payloads the Catalog hasn't absorbed: build the profile in iMazing Profile Editor (the community standard — every Apple payload, documented inline), upload under Devices > MacOS > Configuration > Templates > Custom. The custom-profile discipline applies — versioned in Git, descriptions explaining why, retired when the Catalog catches up. A custom profile is a dated artifact, not a permanent home.
3. Preference Files (App Settings)
MacOS apps read settings from preference domains (com.vendor.app plists) — and the Preference file payload pushes managed values into any domain: Office behaviors, Chrome policies (com.google.Chrome), your LOB app's config. The pattern: find the vendor's documented keys (or read them from an existing plist with defaults read), deliver them managed, and the app launches configured. Managed preferences generally win over user-set values while the profile is present — which is the point.
Insights
Test profile removal, not just installation — Mac profiles can leave configured state behind differently per payload; the retire/offboard behavior belongs in your pilot checklist.
sudo profiles show (and profiles list) on a lab Mac shows exactly what landed, from where — the ground-truth companion to the portal's per-setting report; full workflow in diagnostics.
Naming and repo discipline as everywhere: Mac-<Area>-<Audience>-v<N>, IntuneCD-backed — config-as-code is platform-agnostic hygiene.
Declarative update enforcement on MacOS — deadline-driven, evaluated on-device, and the single biggest upgrade to Mac fleet hygiene in a decade.
MacOS 14+ brought Declarative Device Management (DDM) software updates to the Mac — an enforce-by-deadline engine that turns Mac patching from a request into a policy, and the most consequential change to Mac fleet hygiene in years. This page is the model, the configuration, and the ringing strategy.
Applies toMacOS 14+ fleets
RequiresEscrowed bootstrap token on Apple silicon
EnforcementOn-device and declarative — survives being offline
DeferralRestriction supports up to 90 days
The Model
A DDM software update policy declares: target version (or latest), enforcement deadline, quiet-period behavior — the Mac downloads, nudges the user with escalating OS-native prompts, and at deadline installs and restarts. Enforcement lives on-device (declarative state, not command-chasing), which is why it works on the laptop that's offline every time legacy MDM commands fired.
Step 1DeclareTarget version (or latest) + enforcement deadline
Step 2Download & nudgeEscalating OS-native prompts as the deadline nears
Step 3EnforceAt deadline the Mac installs and restarts
Step 4ReportDDM status channel returns per-device state to Intune
Configuring and Ringing It
Create the update policy under the MacOS update policy surface (DDM-based where the OS supports it): target version or latest, the enforcement deadline, and the quiet-period behavior users will see.
Ring the fleet: a pilot ring at deadline-minus-aggressive, broad rings on a relaxed cadence, and the compliance floor trailing as the backstop that catches whatever the rings miss.
Add the deferral restriction (up to 90 days) so eager users stay off day-one major releases while validation runs.
Mac-Specific Realities
Apple silicon + bootstrap token: MDM-driven updates on modern Macs lean on the escrowed bootstrap token for authorization — ADE-enrolled fleets have it automatically; oddly-enrolled Macs that refuse updates often trace here.
Major-version upgrades (the annual MacOS release) ride the same declarations: pin the fleet on current-major, move rings to the new major on your validation calendar — the deferral window buys the validation time.
The restart is real: a Mac update interrupts a workday if deadlines land carelessly — schedule enforcement windows with the humans in mind: deadlines at end of week, prompts visible days ahead, no surprise lunchtime restarts.
Verifying and Reporting
The DDM status channel reports per-device declaration state back to Intune — actual installed version, pending enforcement, deadline countdown. Fleet-wide, the patch KPI is the triplet: current / lagging / stragglers, with the stragglers list cross-referenced against enrollment oddities before anyone blames the policy. Per-device failures get the update-failure triage.
Insights
Communicate the deadline behavior once, fleet-wide: "your Mac will give you N days of gentle warnings, then it will restart itself" converts the first enforced restart from outrage into a shrug.
Keep one deferral-free canary ring (IT volunteers) on day-one releases — the June-beta-to-September-GA cycle rewards orgs that find their breakages before enforcement does.
Silent enforcement, personal recovery key escrow, and rotation — Mac disk encryption as a non-event.
The disk-encryption doctrine on a managed Mac: encryption enables silently, the recovery key escrows before anyone needs it, and the user experience is one dialog at most. FileVault via Intune delivers all three when configured in the right order.
Console pathEndpoint security > Disk encryption > MacOS (FileVault)
Key escrowPersonal recovery key (PRK) to Intune — non-negotiable
RotationDevice action; rotate after every disclosure
Verifyfdesetup status + PRK visible in the device blade
The Policy
Endpoint security > Disk encryption > MacOS (FileVault):
Enable FileVault: Yes, with escrow the personal recovery key (PRK) to Intune — non-negotiable; an encrypted Mac without an escrowed key is a future data-loss incident.
Defer enablement until sign-out: the polite path — FileVault activates at the user's next logout rather than ambushing the session; pair with a number of times allowed to bypass (small, e.g. 1–3) so deferral can't become forever.
Hide recovery key from user: Yes for corporate fleets — the key lives in escrow and the self-service retrieval path; on-screen keys get photographed onto personal phones.
Disable the ability to turn off FileVault via restriction, closing the loop.
On ADE fleets with await-final-configuration, the profile lands before the desktop and the first sign-out completes the story — most users never consciously experience "encrypting."
Recovery
The PRK surfaces in the device blade (admin retrieval, audited) and via Graph; users get a self-service recovery key view through the Company Portal/Intune portal path — publicize it for the 2 a.m. password-forgotten moment, so the helpdesk isn't the only door back in.
Rotate after every disclosure: Intune supports PRK rotation as a device action — retrieval-then-rotation should be one helpdesk motion, and policy-level rotation hygiene keeps long-lived keys from accumulating.
Compliance Tie-In and Verification
MacOS compliance attests encryption required; Conditional Access enforces it. Enable → escrow → attest → enforce. Verify the chain on the pilot ring: fdesetup status on-device reports FileVault on, the PRK is visible in the device blade, and the compliance report shows the device encrypted — escrow gaps have a dedicated triage page.
Step 1EnableSilently, deferred to the next sign-out
Step 2EscrowThe PRK lands in Intune before anyone needs it
Step 3AttestCompliance reports encryption required: met
Step 4EnforceConditional Access gates on the verdict
Insights
Measure escrow, not encryption: the dangerous population is "encrypted, key not escrowed" — usually Macs encrypted before enrollment (user-enabled FileVault). The fix is key rotation under management (rotation generates a new, escrowed PRK), not re-encryption — a one-action remediation for what looks like a scary gap.
Apple silicon's hardware encryption makes FileVault's performance cost effectively zero — the last legitimate objection retired with Intel.
The headline modern Mac feature — Entra-bound local accounts, Touch ID into everything, and the end of password drift.
Platform SSO (PSSO) is the deepest identity integration MacOS has ever offered third-party IdPs: the local Mac account binds to Entra ID, sign-in satisfies Entra (with SSO flowing into apps and web), and — in its strongest mode — the credential is a hardware-bound key in the Secure Enclave: phishing-resistant, Touch ID-unlocked, the strongest sign-in posture a Mac can offer.
RequiresSupported modern MacOS + Company Portal + enrollment
The Three Authentication Methods (Choose Deliberately)
Method
What signs in
Character
Secure Enclave key
Hardware-bound key + Touch ID/password unlock
The passwordless target state; phishing-resistant; recommended for new design
Password sync
Local password kept in sync with Entra password
The pragmatic middle — ends local/cloud password drift, keeps a familiar model
Smart card
PIV/CAC-style
Regulated/government fleets
The chronic Mac ailment PSSO cures regardless of method: the local password and Entra password drifting apart until FileVault unlocks with one and the portal wants the other — password sync alone is worth the deployment for fleets not ready for full passwordless.
Deployment
Prerequisites: a supported modern MacOS, Company Portal installed (it hosts the SSO extension/broker), and the device enrolled — ADE + standard-user posture is the natural pairing.
The profile: Settings Catalog > the Platform SSO / Extensible Single Sign-On payload — Microsoft's Entra extension identifiers, your chosen authentication method, and registration behavior. Microsoft's Intune docs carry the current canonical values; build from those rather than blog-archaeology, as the payload matured across releases.
User registration: after the profile lands, MacOS prompts the user to register (a one-time, guided moment — a short comms note sent ahead of rollout pays for itself in avoided tickets). Post-registration: Entra sign-in state on the Mac, SSO into Microsoft and SSO-extension-aware apps, Conditional Access seeing a registered, compliant device.
Insights
Pilot the lifecycle, not the happy path: password change at the IdP, FileVault unlock after, lost-Touch-ID fallback, offboarding — PSSO touches the local account, so the edge cases are account edge cases. A two-week pilot with deliberate password churn finds them all.
PSSO + standard users + FileVault form the Mac endpoint-identity trio — pitch them internally as one posture and the security review happens once. Registration problems have a dedicated triage page.
Pre-granting TCC permissions so your agents work on day one — the profile every Mac security tool depends on.
MacOS's privacy framework (TCC) makes apps ask the user for sensitive access — Full Disk Access, accessibility, and friends. Admirable for consumers; fatal for fleet agents, because a security tool waiting on a user click is a security tool that's off. PPPC profiles are management's answer: pre-grant (or deny) those permissions by policy, on supervised/managed Macs, so Defender, backup agents, and EDR sensors work at deployment, not after a help-desk campaign.
Applies toSupervised/managed Macs
TargetingBundle ID + code-signing requirement, per app
Console pathSettings Catalog (PPPC payload) or custom profile
Hard limitScreen capture stays a user click — policy only lowers the bar
How a Grant Is Targeted
A PPPC entry identifies the app by bundle identifier + code-signing requirement — the pair that prevents impostor binaries inheriting grants:
Bundle ID: com.microsoft.wdav-style, from the vendor's docs or osascript/inspection.
Code requirement: from the signed binary itself — codesign -dr - /Applications/App.app prints it; vendors of management-aware software publish theirs (always prefer the published one).
Then per-service: Allow (Full Disk Access — the big one for security/backup tooling), Deny, or for a few services Apple deliberately fences (screen capture, input monitoring in part), the strongest grantable posture is "standard user can approve" — policy can lower the bar to a user click but not remove the click; design your comms for those.
Building Profiles
The Settings Catalog carries the PPPC payload; for complex multi-service grants the community-standard PPPC Utility (tools page) builds the profile from the actual app bundle — point it at the installed app, tick services, export, upload as a custom profile. Vendors with mature Mac support (Microsoft included) publish ready-made PPPC profiles — deploy theirs verbatim and version-watch them.
Step 1IdentifyBundle ID + code requirement (codesign -dr -)
Step 2BuildVendor's published profile, or PPPC Utility against the real bundle
Step 3DeploySettings Catalog payload or custom profile upload
Step 4SequenceLand with — ideally before — the app, in the await-config wave
Operating Discipline
Sequence PPPC with (ideally before) the app — an agent installing ahead of its grants spends its first hours degraded; bundle them in the same await-configuration wave.
Audit the grant estate like firewall rules: every Full Disk Access entry is real power; review owners and necessity on a recurring cadence alongside the rest of your endpoint security posture.
App updates that change signing identity (rare, but vendor acquisitions do it) silently orphan grants — a working agent that breaks after a version bump should send you straight to its code requirement.
Insights
PPPC failures present as app failures ("Defender shows limited protection"), not policy failures — make "check PPPC grants" the first move in any Mac-agent triage, via System Settings > Privacy & Security on a reference device against your profile.
PPPC pairs with system extensions and login items as the three-profile enablement kit nearly every Mac agent ships with — treat them as a set.
Approving the kernel-adjacent bits and locking the off switch — the other two-thirds of the Mac agent-enablement kit.
PPPC grants an agent its permissions; this page grants its existence: system extensions approval so security tooling loads without user clicks, and managed login items so users can't quietly switch the agent off afterward. Together the three profiles form the enablement kit nearly every Mac agent ships with.
System Extensions
Modern MacOS replaced kernel extensions with system extensions — network extensions (content filters, the Defender network protection), endpoint security extensions (EDR sensors), and driver extensions. Unmanaged, each one triggers a user-approval dance in System Settings; managed, the System Extensions payload (Settings Catalog) pre-approves them:
Allow by team identifier — the practical unit: approve the vendor's Apple Developer Team ID and every extension they sign is covered (Microsoft's, famously, is UBF8T346G9; take each vendor's from their deployment doc).
Or by specific bundle identifier for tighter scoping.
Removable system extensions settings control whether users can deactivate them — leave that power with management.
Non-removable from UI: pair with the login-items lock below so the whole stack is tamper-resistant.
Deploy this with or before the agent — an EDR sensor whose extension sat unapproved for a week protected nothing, while reporting "installed."
Managed Login Items (Service Management)
MacOS 13 gave users a kill switch — System Settings > General > Login Items lists every background agent with a toggle — and gave admins the counter: the Service Management / managed login items payload, which pins specified items on and greys the toggle. Identify items by team identifier (broad, vendor-wide) or bundle/label (surgical). Every security agent, backup daemon, and management component you deploy belongs in it; an agent users can disable is a recommendation, not a control.
The Three-Profile Kit, Assembled
For any serious Mac agent: PPPC (permissions) + System Extensions (loading) + Managed Login Items (persistence) — built once per vendor, versioned in the repo, assigned in the same await-configuration wave as the app itself. Mature vendors publish all three ready-made; deploy theirs and diff on updates.
PPPCPermissionsTCC grants pre-approved by policy
System ExtensionsLoadingThe extension activates without user clicks
Login ItemsPersistenceThe kill-switch toggle pinned on and greyed out
Insights
Triage order for "agent installed but degraded": PPPC grants → extension approval state (systemextensionsctl list on a reference Mac) → login-item state. Ninety percent of Mac-agent tickets die in that sequence — full workflow in diagnostics.
A vendor changing Team IDs (acquisitions do this) silently orphans all three profiles at once — the same code-requirement vigilance applies kit-wide.
802.1X in system versus user context, network extensions, and the Mac-specific seams in enterprise networking.
Mac Wi-Fi and VPN payloads speak the standard enterprise vocabulary — SSIDs, security types, certificate payloads — with one seam that defines the platform: MacOS distinguishes system and user context, and enterprise Wi-Fi designs live or die on that distinction.
802.1X: the System-vs-User Decision
A certificate-authenticated Wi-Fi profile must answer who authenticates:
System mode — the device joins the network with a device identity, before any user signs in. This is what corporate Macs want: the login window itself is online (critical for Platform SSO registration, first-sign-in flows on shared-style Macs, and management traffic with nobody logged in). The profile deploys device-scoped with a device certificate.
User mode — authentication follows the signed-in user's identity; appropriate where network access genuinely tracks people, with the cost that pre-login connectivity doesn't exist.
Mixed estates (system for the corporate SSID, user for specialized networks) are normal — just declared, because the RADIUS team's policy must match the mode or authentication fails in ways that read as certificate mysteries.
the Mac must be online at the login windowSystem modeThe device joins with a device identity before any user signs in — the corporate default.
The certificate dependency chain is the universal sequencing rule: trust + identity profiles land before the Wi-Fi or VPN payload that references them.
VPN: the Extension Era
Modern Mac VPN clients are network extensions — which makes VPN deployment a composite of the agent-enablement kit: the client app via the app pipeline, the system extension approval profile so it activates silently, the VPN payload or vendor-keyed managed preferences carrying configuration, and notification settings so its prompts surface. Per-app VPN exists on MacOS for the associated-domains pattern, but Mac reality leans full-tunnel or split-tunnel clients from the VPN vendor's own stack.
The strategic note: every VPN dependency is modernization debt with an IP range; per-app access and ZTNA patterns are the bridge out.
Insights
Validate Wi-Fi profiles on the login window, not just the desktop: the system-mode test is "freshly rebooted Mac, nobody signed in, does it hold the corporate SSID" — passing that proves the design; passing only after login proves you built user mode by accident.
Captive-portal and 802.1X-gated networks are the enrollment-day failure mode — keep one open provisioning SSID or wired path for first-boot flows; it's a cheap hedge that saves enrollment day.
SCEP and PKCS for MacOS — keychain placement, identity preferences, and the renewal rhythms that keep 802.1X quiet.
The MacOS certificate stack is the familiar enterprise trio — trusted-root profiles, SCEP for per-device identities, PKCS where the certificate-connector model fits — with Mac-specific seams around the keychain and context.
The Mac-Specific Seams
Keychain placement: device-scoped certificate payloads land in the System keychain — available pre-login, which is exactly what system-mode 802.1X and always-on agents require. User-scoped deployments land in the user's login keychain and inherit user-context limits. The placement decision is the context decision; mismatches surface as "works after login, fails at the login window."
Access control: a certificate in the keychain isn't automatically usable by every process — payload-delivered identities carry sensible ACLs, but vendor agents occasionally need their access declared, and "the cert is there but the client can't use it" is a keychain-ACL conversation, not a PKI one.
Profile-managed lifecycle: identities delivered by profile renew and remove with the profile — the clean property that makes enrollment-linked PKI hygienic. Resist script-imported certificates for anything load-bearing; they rot outside the management lifecycle.
The Renewal Rhythm
SCEP renewal is automatic within its window — the fleet discipline is watching the tail: the certificate report's expiry distribution should show a healthy renewal wave, and a cluster approaching expiry without renewal marks devices not checking in (the certificate is the canary; the sync health is the disease). Root/intermediate rotations are a multi-quarter project: new chain deployed alongside, services dual-trust, issuance cut over, old chain retired — sequenced, boring, correct.
Step 1Deploy the new chainAlongside the old — nothing cuts over yet
Step 2Dual-trust servicesServices trust both chains during the bridge
Step 3Cut issuance overNew identities come from the new chain
Step 4Retire the old chainSequenced, boring, correct
Verification Kit
Keychain Access (or security find-identity in a diagnostic script) answers presence and placement per device; the MDM-side certificate reports answer fleet coverage; an 802.1X join on a freshly-imaged ring-1 Mac answers the only question that matters end-to-end.
Insights
Build the dependency graph once per estate: which Wi-Fi/VPN/app profiles reference which certificate profiles, which CA issues each. Five minutes of documentation, and certificate incidents become lookups instead of investigations.
Microsoft Cloud PKI reaches MacOS too — estates running AD CS solely to feed Mac SCEP should price the retirement.
The high-value restriction set for MacOS — what to lock, what to leave, and the knowledge-worker/kiosk split.
The Settings Catalog exposes hundreds of MacOS restrictions; this cookbook is the curated set, governed by one rule: every line justified, deviations as named variants.
The Corporate Knowledge-Worker Set
Data boundaries:
iCloud service controls per your data-governance decision — the highest-stakes restriction family on the platform, deserving its own page and review
AirDrop: per data classification (managed-device-only postures exist; full blocks fight Mac culture — decide with eyes open)
Content Caching, Handoff, and continuity features: usually left alone for knowledge workers; restricted on regulated fleets
Security posture (with the honest note that several of these attest via compliance rather than lock):
Gatekeeper settings locked to identified-developers-or-stricter; user override governed deliberately
Password/screen-lock policy via the passcode payload; Touch ID allowed
Software-update deferral handled by the update policy, not scattered restriction toggles — one home per setting
Game Center, in-app purchase surfaces off on corporate fleets
Diagnostics/analytics submissions set deliberately
What Not to Restrict
Leave the personalization layer alone: wallpaper, Dock contents beyond seeding, Finder preferences, and the rest of the look-and-feel stay user-owned on knowledge-worker Macs. Restriction budgets are real — spend them on data boundaries and security posture, not aesthetics; a Mac that feels like a rental gets treated like one.
Do
Spend the restriction budget on data boundaries and security posture
Document intent → setting pairs — one intent justifies four toggles at once
Run an annual pass against each release's additions and deprecations
Don't
Lock wallpaper, Dock, or Finder look-and-feel on knowledge-worker Macs
Scatter update deferrals across restriction toggles — one home per setting
Ship the kiosk posture to knowledge workers — it's a separate named variant
The Kiosk/Fixed-Function Variant
Single-purpose Macs (signage, check‑in stations, lab controllers) flip the doctrine: aggressive restriction sets, managed login windows, app surfaces pinned — a fixed-function posture expressed in Mac payloads, as a separate named profile set targeting a separate device dimension.
Insights
The catalog grows every MacOS release — an annual pass against the new release's additions (and deprecations) keeps the baseline current; the ring-1 population is where new restriction behavior gets discovered before it surprises the fleet.
Document the cookbook as intent → setting pairs, not setting dumps — "block corporate data egress via consumer cloud" justifies four toggles at once and survives the OS renaming any of them.
The pre-desktop surface — auth banners, login window behavior, and the FileVault unlock sequence users actually experience.
The login window is the Mac's pre-desktop policy surface — small, visible, and disproportionately present in audits (the consent banner) and helpdesk calls (the FileVault unlock confusion). Worth an hour of deliberate design.
The Policy Banner
The auth/consent banner — legal text presented before sign-in — is a compliance staple in regulated and government-adjacent estates. MacOS displays banner content placed correctly on the device; under management that's a small deployment task or profile-adjacent configuration carrying your legal team's text. Two operational notes: the text is legal's artifact, IT's deployment (version it, date it, and redeploy on revision — an outdated consent banner is worse in audit than none), and keep it short — the banner gates every sign-in, and seven paragraphs of legalese trains users to click through everything you ever present.
Login Window Behavior
The login-window payload family shapes the surface:
Name-and-password fields vs user list: corporate fleets generally prefer fields (no account enumeration on shared-visibility hardware); the account-strategy page's hidden managed admin stays hidden either way
Visibility controls: hide the admin account, suppress shutdown/restart buttons on kiosk-class Macs, show a custom login-window message — the asset-tag play ("Property of, if found call…") earns its place here
Auto-login: off, attested — the one login-window setting with real security weight, and a compliance-adjacent check worth scripting
The FileVault Unlock Reality
On FileVault-encrypted Macs, the first screen after power-on is the pre-boot unlock — which looks like the login window but runs before MacOS proper. The sequence (pre-boot unlock → possible second login) confuses exactly once per user; one onboarding line ("the first password unlocks the disk, then you may sign in") plus Platform SSO's password alignment keeping credentials identical makes the double-prompt invisible in practice.
Step 1Power-onEncrypted disk, nothing booted yet
Step 2Pre-boot unlockLooks like the login window; runs before MacOS proper
Step 3Login windowThe possible second prompt — invisible when credentials align
Step 4DesktopSigned in
Insights
The login window is also your incident-response surface: recovery-lock posture, the managed admin's reachability, and remote-lock messaging all converge here — rehearse what a locked, lost, and recovered Mac each look like at this screen and the runbook writes itself.
Seeding the Mac shell — Dock layout, Finder defaults, and the restraint doctrine that keeps users on your side.
The Dock is the first thing a user sees and the first surface IT is tempted to control, and it deserves a deliberate answer to the oldest shell question in endpoint management: how much of the user's workspace should IT shape? The tooling exists; the doctrine — seed, don't cage — matters more.
Dock Management
The Dock payload (Settings Catalog or a custom profile carrying the managed preference domain) defines contents — your pinned set (Company Portal, the browser, the collaboration stack, the LOB suite) in deliberate order — plus position/behavior settings and, critically, the merge-vs-lock decision:
Seeded (managed items present, user additions allowed): the knowledge-worker default — a useful day-one Dock that becomes theirs by Friday
Locked (contents immutable): kiosk and fixed-function Macs where the Dock is the workflow surface — lay it out with the deliberateness of a fixed-purpose launcher, because for those users it is the entire menu
Step-by-Step: Deploying a Managed Dock
Decide the pinned set and its order first. Five to eight items, business tools only, arranged in the order of the working day — this is fleet design, and it deserves ten minutes of argument before anyone opens the console.
Build the payload. Settings Catalog where the keys are surfaced; a custom profile carrying the Dock's preference domain for anything beyond it.
Make the merge-vs-lock decision explicitly. Seeded for knowledge workers, locked for fixed-function Macs — and write the choice down, because it is doctrine, not a checkbox.
Validate on a bench Mac. Confirm the managed items land in the intended order, and confirm that what users can still change matches your intent.
Assign so it lands during enrollment. Dock payloads land best during enrollment — re-shaping a tenured user's Dock mid-life is the redecorating-my-office move; ring it and announce it if you must.
Do
Pin five to eight business tools, ordered like the working day
Land the Dock payload during enrollment
Validate on a bench Mac that what users can still change matches intent
Don't
Lock knowledge-worker Docks — locked is for fixed-function Macs
Re-shape a tenured user's Dock mid-life without ringing and announcing it
Cage the workspace — seed it and let it become theirs by Friday
Finder and the Desktop Defaults
Finder management is mostly managed preference domains (the defaults system delivered by profile): new-window targets, extension visibility (show them — security hygiene disguised as a preference: invoice.pdf.app should look wrong), warning behaviors, and desktop iconography. Pair with the de-consumering set from the restrictions cookbook and the first-run experience reads intentional.
The deeper pattern this page introduces: any preference domain is manageable — the same mechanism that sets Finder defaults carries browser policy, Office behavior, and vendor-app settings; Dock and Finder are simply the first domains most admins learn.
Insights
Treat the pinned set as fleet identity: "the same five tools in the same five slots" on every managed Mac is cheap, classy design — users moving between machines feel the coherence, and helpdesk staff walking someone through a screen always know where things are.
The Finder extension-visibility setting plus Gatekeeper plus notification hygiene form a quiet anti-phishing trio on the endpoint — none of them headline a security review, all of them shrink the deception surface.
Queue deployment via profile and script, the driver story, and where Universal Print meets MacOS.
Mac printing under management is a small domain with outsized ticket volume — and a split personality: profiles carry simple queues cleanly, scripts carry everything else, and the print-server retirement question looms over both.
the hardware speaks driverless AirPrint/IPP EverywherePrinting payloadProfile-delivered queues — no driver packaging, one profile per site.
the queue needs exotic options or a vendor driverScript lanelpadmin via shell script, with the driver as a PKG the queue references.
The Two Deployment Lanes
The printing payload (profile-delivered queues): name, address/protocol (IPP being the modern default), location, and basic options — clean for the standard case of network printers speaking driverless AirPrint/IPP Everywhere, which modern office hardware overwhelmingly does. Driverless is the strategy: no driver packaging, no architecture splits, no vendor-installer archaeology.
The script lane (lpadmin via shell scripts): the escape hatch for everything the payload can't express — exotic options, conditional queues by site, and the legacy hardware that genuinely needs a vendor driver (which then becomes a PKG deployment the script's queue references). The script lane is also where removal lives: decommissioned printers linger forever unless something sweeps them, and a queue-hygiene script on a recurring schedule is the systemic fix.
Step-by-Step: Deploying a Site's Queues
Inventory the site's printers first. Per queue: name, address, protocol, location string, and — the fork in the road — whether the hardware speaks driverless AirPrint/IPP Everywhere.
Build the printing payload for the driverless set. One profile per site keeps assignments legible and retirements surgical.
Route the exceptions through the script lane. An lpadmin script per legacy queue, with its vendor driver packaged and deployed as the PKG the script's queue references.
Assign by site dimension (dynamic groups/filters) — the universal pattern: the Indianapolis Macs get the Indianapolis queues, and a device changing sites changes printers at next check‑in.
Verify on a bench Mac per site. The queue appears, a test page prints, and the queue is still present after a reboot — then, and only then, broaden the assignment.
The Universal Print Angle
Universal Print reaches MacOS via its Mac application — relevant for estates consolidating print onto one cloud fabric and retiring their print servers. Evaluate it as the estate decision it is: a Mac-only shop gains little over driverless IPP; an estate mid-migration to Universal Print gains coherence.
Insights
The Mac print triage ladder is short and worth memorizing: queue present? (profile/script landed) → printer reachable on this network? (VPN and VLAN realities) → driverless or driver? (and if driver, is it installed and current) — three questions route nearly every ticket, and the first two are generic delivery diagnostics, not print problems.
Print is where shared-space Macs earn complaints — for labs and hot-desk floors, deploy by location generously (every nearby queue) rather than per-desk precision; users forgive an extra printer in the list and never forgive a missing one.
The corporate-data-versus-consumer-cloud decision — service-by-service iCloud policy, Managed Apple Accounts, and the honest trade-offs.
No Mac restriction family carries more weight than the iCloud set: it decides whether corporate data can flow into consumer cloud storage — and unlike most restrictions, every option has real costs. This page is the decision framework, not just the toggle list.
The Toggle Anatomy
The restrictions surface controls iCloud service by service — sign-in itself, then Drive (with the Desktop & Documents sync as its own high-stakes line), Photos, Keychain sync, Mail/Contacts/Calendars, backup-adjacent services, and Private Relay. The three coherent postures:
Posture
Configuration
Trade
Open
Personal Apple Accounts allowed, services largely on
Maximum user goodwill; corporate files will live in personal iCloud Drive — defensible only where data classification genuinely tolerates it
Boundaried (the common corporate landing)
Sign-in allowed; Drive/Desktop-sync and Keychain sync off, Photos per appetite
Users keep the Apple-ecosystem conveniences; the corporate-document and credential egress paths close. Pair it with OneDrive carrying the sync-and-backup story so users lose a path, not a capability
Closed
Apple Account sign-in blocked
Clean data story; real UX cost (no personal Messages/FaceTime/Find My) — regulated-fleet territory, stated plainly in onboarding
Keychain sync deserves its own sentence: corporate credentials replicating to personal devices via iCloud Keychain is the quiet leak in otherwise-boundaried estates — turn it off early and let the sanctioned password manager be the answer.
Do
Decide this family before enrollment waves, not after
Turn Keychain sync off early — the sanctioned password manager is the answer
Pair Boundaried with OneDrive so users lose a path, not a capability
Attest the load-bearing toggles in the drift-detection rhythm
Don't
Retroactively close iCloud Drive on a fleet that's synced Desktop & Documents for a year — that's a data-migration incident
Let corporate credentials ride iCloud Keychain onto personal devices
Sell the Closed posture as cost-free — state the UX loss plainly in onboarding
Managed Apple Accounts
ABM-issued Managed Apple Accounts — org-owned identities, federable to Entra — are the corporate Apple identity: appropriate for Apple-service workflows under org control, and structurally separate from the personal-account question above. Most knowledge-worker Mac estates today run corporate identity = Entra (via Platform SSO), Apple Account = personal-but-boundaried — a sentence worth writing into the design doc because every auditor asks.
Insights
Decide this family before enrollment waves, not after: retroactively closing iCloud Drive on a fleet that's been syncing Desktop & Documents for a year is a data-migration incident with a policy name. The migration playbook's artifact audit should surface the inherited posture explicitly.
Whatever the posture, attest the load-bearing lines — the toggles that close data paths belong in the drift-detection rhythm, because this is the restriction family someone will eventually ask you to prove.
Pre-approving notification behavior — why your agents' prompts deserve policy, and the alert-style decisions per app.
MacOS asks users to approve each app's notifications — fine for consumer life, corrosive for fleet operations: a security agent whose alerts a user declined in week one is a sensor with its mouth taped shut. The notifications payload settles the question by policy, and it's the most-forgotten member of the agent-enablement kit.
What the Payload Decides
Per bundle identifier, the payload sets the notification posture: notifications allowed, alert style (banner — transient; alert — persists until acted on), lock-screen and Notification Center visibility, sounds, and badge behavior. The user-facing effect: the app simply has its notification rights from first launch — no prompt, no decline, no gap.
the prompt is actionable — compliance nudge, remediation, update deadlineAlert stylePersists until acted on; a banner that auto-dismisses was waved at, not communicated.
it's routine collaboration trafficBanner styleTransient and seeded only — how users tune their own message noise is their business.
Security and management agents (EDR, Company Portal, VPN clients): allowed, alert style for anything actionable — a compliance nudge or remediation prompt that auto-dismisses as a banner wasn't communicated, it was waved at
The collaboration stack (Teams/Slack/Outlook): allowed with standard banner behavior — seeded so day-one messages arrive, not locked beyond that; per the restraint doctrine, how a user tunes their own message noise is their business
Update and self-service prompts: allowed and styled to be seen — the enforcement story leans on users noticing deadlines; the payload is where you guarantee the noticing is possible
Step-by-Step: Shipping the Payload
Inventory the bundle identifiers that need a decided posture. The security and management agents first, then the collaboration stack, then the update and self-service prompts — the matrix above is the worksheet.
Decide each app's line deliberately. Allowed or not, alert vs banner, lock-screen and Notification Center visibility, sounds, badges — and record the why next to each entry, because the matrix outlives its author.
Build the payload entries per bundle ID and deploy them in the enrollment-time kit alongside PPPC, extension approvals, and login items — the four payloads that together mean "our stack activates silently and can speak."
Wire it into the new-agent checklist. Adding an agent later means adding its bundle ID here in the same change; the new-agent checklist should make that automatic.
Verification
Notification Center settings on a test device show each app's effective posture in ten seconds — confirm the agents arrived allowed and styled as decided, and trigger a real prompt (a compliance nudge, a test alert) to prove it surfaces. When the device-side view disagrees with what you shipped, the ManagedClient logs confirm what was actually delivered.
Insights
Diagnose "the agent never told the user" tickets here first: a missing payload entry explains a month of silently-failed compliance nudges, and the ten-second device-side check beats an hour of agent-log archaeology.
Don't blanket-allow everything: the payload's value is deliberateness — an app not on the matrix prompting the user normally is the system working; the matrix exists for the apps whose silence or noise is an operational decision.
Edge, Chrome, and Safari under management — preference domains, the extension regime, and one policy intent expressed three ways.
Browser policy on MacOS pursues a familiar set of intents — identity, security floor, extension regime, light branding — expressed through managed preference domains (the defaults-by-profile mechanism) plus Safari's payload surface.
Edge and Chrome: Preference Domains
Both browsers honor their full enterprise policy schemas on MacOS, delivered as managed preferences (Settings Catalog where surfaced, custom profiles carrying the vendor's domain otherwise — the schema documentation is the vendor's, the delivery is yours):
Identity: profile sign-in behavior, sync governance — decide which identities may sign in and what sync may carry, and apply the decision uniformly, because users notice incoherence between their tools
The extension regime: block-by-default, allow-list, force-install the corporate set — one doctrine, one review process, repo-versioned lists
Update channel: pinned to stable; the browser's updater is a self-updating-app citizen with its own page-worth of doctrine
Step-by-Step: Shipping a Browser Policy
Write the policy intent down first — identity, security floor, extension regime, update channel — and treat that document as the source of truth the profiles merely express.
Source the vendor's current policy schema and map each intent line to its keys; never guess key names — preference domains are case-sensitive contracts (the managed-preferences discipline).
Build the profile: Settings Catalog where the keys are surfaced, a custom profile carrying the vendor's domain otherwise.
Deploy to a test group and verify inside the browser. Both major browsers expose an internal policy page listing every policy in force and its source — the fastest proof that your managed values arrived and are being honored.
Broaden the assignment and version the profile in the repo with the schema-doc link that justified each key.
Safari: the Payload Citizen
Safari manages through Apple's payload surfaces rather than a vendor schema — narrower but real: the high-value lines (download behavior, the security-adjacent toggles, extension governance through its own model) live in the restrictions/Settings Catalog space. Estates that sanction Safari manage it deliberately; estates that don't should still set its floor, because it's present on every Mac regardless of the default-browser decision.
The Default-Browser Question
One sanctioned work browser per fleet — and on Mac the default-browser setting is famously user-adjacent: seed it via script/tooling during enrollment, accept that users can change it, and let Conditional Access and identity routing make the sanctioned browser the path of least resistance rather than fighting the OS for the checkbox.
Do
Write the policy intent down first — profiles merely express it
Verify inside the browser: the internal policy page lists every policy in force
Re-validate preference domains against vendor docs annually
Don't
Guess key names — preference domains are case-sensitive contracts
Fight the OS for the default-browser checkbox — seed it and route identity instead
Leave Safari without a floor just because it isn't the sanctioned browser
Insights
Keep the policy intent as one document and derive every browser's profile from it — configurations that diff to near-zero at the intent level are what auditors reward, and the single source of truth is what your future self rewards.
The Mac-specific trap is domain drift: vendor preference schemas evolve, and a three-year-old custom profile can carry keys the current browser ignores — the annual restriction pass should include re-validating the browser domains against current vendor docs.
The built-in CDN in your closet — caching Apple downloads on-LAN, and when one Mac saves a site's bandwidth.
Every Apple download — OS updates, App Store/VPP installs, iCloud assets — can be served from a Mac on your LAN instead of the internet, via the content caching service built into MacOS. On multi-device sites it's the cheapest bandwidth win available: one always-on Mac, one payload, done.
How It Works
A Mac with content caching enabled registers itself with Apple's infrastructure; client devices on the same network discover it automatically — no client configuration, no profiles on the consumers — and fetch Apple content from it at LAN speed, with the cache populating once from the internet. Any Apple hardware on that LAN fetching Apple content benefits with zero device-side setup, which makes a closet Mac mini the silent hero of provisioning days and OS-release weeks.
Apple CDNorigin — fills the cache once
→
Cache host Macalways-on, registered with Apple
→
Fleet devicesdiscover it automatically, zero setup
The Management Surface
The content-caching payload/settings family configures the cache host by policy: enablement, cache size limits and content types (shared Apple content vs iCloud data — corporate caches typically enable the former, decide the latter per data posture), and the topology options for multi-subnet sites (parent/child cache relationships, served-network ranges) where one closet Mac should answer for the whole building.
Step-by-Step: Standing Up a Cache Host
Pick the hardware for availability, not horsepower. A wired, always-on, never-sleeping Mac with disk headroom — the service is undemanding; the availability is the requirement.
Deploy the content-caching payload to that host: enablement, a deliberate cache size limit, and the content-type decision (shared Apple content on; iCloud data per your data posture).
Configure topology where the site needs it. Multi-subnet buildings want served-network ranges — and parent/child cache relationships on campus-scale sites — so one host answers for everyone.
Sequence it before the big events. Stand the cache up the week before an OS-release wave or a mass-provisioning day; discovering the need mid-saturation is the common order, and the wrong one.
Verification
The cache host reports its own economics — AssetCacheManagerUtil status and the served-bytes metrics make the win measurable: bytes-from-cache vs bytes-from-origin per month is the chart that justifies the mini. Fleet-side, the proof is felt, not configured: update waves that used to saturate the circuit, not saturating it.
Insights
Bring the network team a one-pager — cache host location, served ranges, and the first month's served-bytes chart. Bandwidth wins this cheap are rare, and the chart makes the case for a cache host at every constrained site without a single meeting.
The defaults system under management — domains, levels, cfprefsd realities, and testing plist payloads properly.
Dock and Finder introduced the trick; this page is the full mechanism — because any preference domain is manageable, and the admin who understands the defaults system stops being limited by what the Settings Catalog has surfaced.
The Mechanism
MacOS preferences live in domains (reverse-DNS plist namespaces — the browser's domain, Office's, the vendor agent's), read through the preferences daemon with a defined precedence: managed (MDM-delivered) values win over user-set values, by design. A custom profile carrying a domain's keys makes those keys managed — the app reads your value, Settings shows it locked where the app honors the convention. This is the entire browser-management and self-updater-suppression machinery, generalized.
The Craft
Source the keys from authority: vendor admin documentation first, then empirical capture — set the preference in the GUI on a bench Mac, read the domain's plist, and lift the key/value shape. Never guess key names; domains are case-sensitive contracts.
Force-by-policy vs set-once: profile-managed keys enforce continuously; some intents ("seed a default, let users change it") want a script-set preference instead — the seed-don't-cage doctrine expressed in mechanism choice.
Know the daemon: preferences are cached by the preference daemon — the classic bench confusion is editing a plist file directly and seeing nothing change; read/write through the defaults tool and test app behavior after a relaunch, which is what actually re-reads managed state.
Mind the channel: device vs user delivery decides which preference level your keys land at — the system-vs-user context lesson again.
Do
Source keys from vendor admin docs, then empirical capture on a bench Mac
Read and write through the defaults tool, then relaunch the app
Verify twice — the value arrived and the app honors it
Don't
Guess key names — domains are case-sensitive contracts
Edit plist files directly and expect live change — the daemon caches
Ship a new domain payload straight to the fleet
The Testing Discipline
Run every new domain payload through the same gauntlet:
Stage it on a bench Mac first — set the intended preference in the GUI, read the domain's plist, and confirm your payload's key/value shapes match what the app actually writes.
Deploy to a test group, never straight to the fleet.
Verify twice: defaults read proves the managed value arrived, and observed app behavior proves the app honors it (apps may ignore keys they didn't document — managed ≠ honored).
Version the profile in the repo with the vendor-doc link that justified each key.
This page is a watershed for most Mac admins: once you've watched a managed domain override a user preference live on a bench Mac, vendor-app policy stops being "whatever the Settings Catalog offers" and becomes "whatever the vendor's process reads" — a permanently larger toolbox.
Bridging Macs to Active Directory resources — without binding — for the estates whose file shares aren't done yet.
Platform SSO handles the cloud identity story; plenty of estates still have an on-prem tail — AD-gated file shares, intranet apps, print queues — and the Kerberos SSO extension is Apple's purpose-built bridge: AD tickets without AD binding.
Applies toEstates with an AD-gated on-prem tail
RequiresRealm reachability — on-prem network or VPN
PayloadKerberos SSO extension, targeting your AD realm
One ruleExactly one authority syncs the local password
What It Does
A configuration profile (the extension payload, targeting your AD realm) activates the built-in Kerberos single sign-on extension: the Mac acquires and renews Kerberos tickets for the realm when on-network/VPN, handles AD password expiry awareness and change flows, and can keep the local account password synced to AD where that legacy contract still matters. The user signs in once; the SMB shares and Kerberos-protected web apps stop prompting. The architectural point worth saying in reviews: this is the supported replacement for the bind-the-Mac-to-AD reflex — mobile-account binding is the legacy pattern; the extension delivers the resource access without the directory coupling.
Prerequisites
Realm reachability: tickets need domain-controller reachability — VPN or on-prem presence. The dependency is inherent, and the extension's value is precisely that it handles the acquire/renew rhythm gracefully across that intermittency.
One password-sync authority, decided up front: whether the extension syncs the local password is a design decision made against your Platform SSO design, because two password-sync authorities is the conflict pattern in identity form.
Step-by-Step: Deploying the Extension
Build the extension payload targeting your AD realm: realm and domain mappings, sync behaviors (password sync on or off, per the decision above), credential-UI behaviors, and the per-app/site scoping where needed.
Assign to a test group that can reach the realm and sign in once — tickets are acquired for the realm, and the SMB shares and Kerberos-protected web apps stop prompting.
Test the intermittency rhythm. Leave the network, return (or reconnect VPN), and confirm ticket renewal resumes without user ceremony — that grace is the feature you deployed.
Broaden, then date the retirement milestone. The extension is bridge infrastructure — each share moved to cloud storage and each intranet app modernized shrinks its realm, and the payload's retirement is a milestone worth dating.
Coexisting with Platform SSO
Platform SSO owns the Entra relationship; Kerberos SSO owns the AD realm relationship — they coexist on one Mac serving the hybrid reality, with one rule: exactly one authority syncs the local password.
Verification and Triage
The extension's status (tickets held, realm reachability) is inspectable device-side via the SSO diagnostic surfaces (the Platform SSO triage kit's sibling commands) — "the share prompts again" triages in two minutes as ticket-expiry vs reachability vs password-drift, in that order of likelihood.
Remote Help, screen-sharing permissions, and the consent architecture under every Mac support session.
Remote support on MacOS is a permissions problem before it's a tooling problem: screen recording and control are PPPC-governed, user-consent-anchored capabilities — and a support tool deployed without its enablement kit is a black rectangle at the worst possible moment.
Native optionRemote Help — an Intune Suite capability
Pre-grantableAccessibility and the standard PPPC list
Always user consentScreen Recording — by Apple's design
KitApp + PPPC + notifications + login item
The Tooling Landscape
Microsoft Remote Help (an Intune Suite capability) covers MacOS: identity-integrated, RBAC-scoped sessions with compliance-state visibility — the native pick for Intune estates that want support sessions living inside the same audited, role-scoped console as the rest of their management (session flows are web-based on MacOS; verify current capability scope per release, as the feature set is actively expanding).
Vendor remote tools (the established remote-support suites) remain common — same deployment shape regardless of logo.
Built-in screen sharing covers the technician-to-known-Mac case on managed networks — useful, narrow, not a helpdesk system.
The Enablement Kit (the Part That Actually Fails)
Whatever the tool, it's an agent-kit citizen, and the kit assembles in a known order:
Deploy the app via the pipeline, like any other managed app.
Pre-approve what policy can pre-approve with PPPC — Accessibility and the standard list per the vendor's documented payload — with the platform fact stated plainly: Screen Recording and remote-control-class permissions require user consent on modern MacOS; the capture consent itself is the user's click, by Apple's design.
So the workflow is the design: the user-facing "approve the screen-share prompt" moment scripted into the helpdesk opening ("you'll see a permission dialog — that's us; click Allow"), tested on a bench Mac per OS release, because consent UX moves.
Insights
The consent architecture is a feature in the security review, not a limitation: no silent screen capture is possible on this fleet, including by us is a sentence auditors and privacy officers both like — Apple made it true; you get to take credit for deploying inside it.
Session audit posture differentiates tools more than features do: who connected to what, when, recorded where — the RBAC-and-evidence lens applied to the one tool that literally watches screens.
Time Machine policy, the sync-first strategy, and a real answer to "are the Macs backed up?
"Are the Macs backed up?" deserves a designed answer, because the default one — "users have Time Machine if they set it up" — is a data-loss incident on a delay timer. The strategy has two coherent shapes; pick one on purpose.
the Mac holds nothing irreplaceable — knowledge-worker fleetsSync-firstOneDrive folder protection + the EACS rebuild model; "backup" becomes sync-coverage verification.
the population holds heavy local state — developer and creative fleetsImage-class backupTime Machine governed by payload, or an endpoint-backup agent — named populations, restore rehearsed.
Shape 1 — Sync-First (the Cloud-Native Answer)
The premise: the Mac holds nothing irreplaceable — OneDrive carrying Desktop/Documents (its Mac client supports the folder protection), corporate content living in synced services, and the EACS-and-rebuild recovery model replacing restore-from-backup entirely. Under this shape, "backup" is sync coverage verification: a custom attribute attesting folder-protection state fleet-wide, plus the iCloud-boundary decision ensuring corporate data syncs to corporate services. This is the right default for knowledge-worker fleets, and its KPI — sync coverage % — belongs next to encryption on the dashboard.
Shape 2 — Image-Class Backup (the Exception Tier)
Some populations genuinely hold local state worth versioned backup — developer Macs with heavy local environments, creative fleets with project archives mid-flight. The tools: Time Machine governed by payload (the Time Machine management keys: destination enforcement, excluded paths — notably excluding the corporate-synced folders so you're not backing up the cloud) or a third-party endpoint-backup agent deployed as a standard agent-kit citizen. Either way the rule holds: named populations, named destinations, restore rehearsed — an unverified backup is a hope with a schedule.
What Backup Is Not
FileVault is encryption, not backup; snapshots aid local rollback, not device loss; and personal iCloud backup of corporate content is a data-boundary leak that feels like safety — the account-controls page closes it by design.
Insights
The design test is the lost-MacBook drill: pick a real user, simulate total device loss, and time the path back to productive — sync-first fleets should measure in an hour (the rebuild promise); if the true answer is "hopefully their Time Machine drive," you've found the project.
The full VPP model applies: location tokens, device-based licensing, silent install on managed Macs, license reclaim on retire. Mac App Store coverage is thinner than the third-party canon at large — but where an app lives there (the Microsoft suite doesn't; plenty of utilities do), VPP is the lowest-toil lane and update handling rides the store.
PKG and DMG Types
Both are MDM-channel installs with Intune handling delivery and detection:
PKG: the workhorse for vendor installers. Intune reads the package's included apps (bundle ID + version) for detection — verify the auto-detected list matches reality, especially on multi-component packages, or "install succeeded" reporting lies.
DMG: for the simple drag-drop class; Intune extracts the .app to /Applications and tracks the bundle.
Both prefer signed packages; unsigned internal packages generally still deploy via the management channel, but signing your own (packaging page) removes a class of Gatekeeper-adjacent surprises and is cheap to do.
Scripts and Installomator
When the vendor's distribution defies both types — or you want install-and-keep-updated semantics — a shell script running Installomator (the community's label-driven installer covering hundreds of apps — tools page) downloads the latest version from the vendor, verifies its signature, and installs. One script pattern, many apps, vendor-fresh versions; the trade is that Intune's app reporting doesn't see script-installed apps natively — pair with a custom attribute reporting the installed version, and the gap closes.
Insights
Avoid the legacy "line-of-business" lane for new work — the modern PKG/DMG types with detection rules superseded it; old guides recommending the LOB wrapper predate them.
Update doctrine per lane: VPP → store-managed; PKG/DMG → re-upload new versions on your packaging rhythm; Installomator → vendor-current by design; Microsoft apps → MAU channels. Write the table for your estate once — every app should sit in exactly one row of it.
The Intune agent's two superpowers — scripted glue on a schedule, and fleet inventory columns you define yourself.
Assign a shell script and Intune quietly installs its management agent on the Mac — the layer that runs everything the MDM protocol can't express. Two vehicles ride it: scripts that act, and custom attributes that report.
Console pathDevices > MacOS > Scripts
Run asroot or signed-in user
FrequencyOnce, or recurring — every 15 min to weekly
RequiresIntune management agent — installs with the first script
Shell Scripts
Devices > MacOS > Scripts (and the agent surface): upload a zsh/bash script with settings that matter —
Run as: root (system tasks) or signed-in user (per-user defaults, user-context setup)
Frequency: once, or recurring (every 15 min → daily/weekly) — recurrence turns a script into a lightweight remediation loop: write it idempotent (check state, fix only if wrong, exit) and it enforces rather than just sets
Max retries for transient failures; notifications off for silent fleet work
The use cases: state the MDM protocol can't set, Installomator-driven installs, migration cleanups, the defaults write that has no payload yet. The hierarchy of enforcement: Catalog payload first, recurring script second, one-shot last. And the repo discipline: every script versioned with its why.
Step-by-Step: Deploying a Script Safely
Write it idempotent and test it on a bench Mac in the same context it will run — root vs signed-in user behave differently for paths, keychains, and defaults domains, and context mismatch is the top first-run failure.
Upload with deliberate execution settings: run-as context, frequency, max retries, notifications off for silent fleet work.
Assign to a test group first and read the per-device script results in the console before any broad assignment — a script that worked on the bench meets reality in the first hundred devices.
Broaden, then commit the script to the repo with its why, its rollback, and its owner.
Custom Attributes
The underused gem: a script whose stdout becomes a per-device inventory column in Intune. Declare the return type (string / integer / date), assign, and the agent reports the value on its cadence. Suddenly the console answers questions Intune never shipped:
Last backup timestamp from your backup agent's plist
Hardware truths: Apple silicon vs Intel, specific model capability flags
Any one-line fact a shell command can compute
Doctrine: one fact per attribute, computed fast, output terse (it's a column, not a log), and named like the data dictionary it is (LastBackupDate, InstalledZoomVersion). Attributes are the fleet's self-built telemetry layer — and equally queryable for reporting.
Insights
Script execution logs live in the Intune agent's log directory on-device — the first stop when a script "didn't run" (it usually ran; the log says what it returned).
Recurring scripts run on battery hardware: budget the schedule — daily for most, frequent for the few that earn it.
Scripts run as root on managed Macs are crown-jewel code: repo, review, and least-privilege them like the production automation they are.
Office via MAU channels, Defender with its full enablement kit, and Company Portal — the Microsoft stack done right.
The Microsoft suite is most fleets' first and largest Mac deployment — and a perfect showcase of every pattern this section teaches: PKG delivery, preference-domain configuration, and the three-profile agent kit.
Update engineMicrosoft AutoUpdate (MAU)
MAU channelsCurrent / Monthly Enterprise / Preview
Defender kitSix pieces, one deployment wave
Company PortalRequired, fleet-wide — deploy early
Microsoft 365 Apps
Deploy via the built-in Microsoft 365 Apps for MacOS app type (the one-click suite) or per-app PKGs for granular control. The real management story is Microsoft AutoUpdate (MAU): Office on Mac updates through MAU, and MAU is fully manageable via preference-file settings (com.microsoft.autoupdate2) — set the channel (Current / Monthly Enterprise / Preview) per ring, enforce deadlines, silence the UI to taste. Ring Office updates with the same pilot → broad rhythm you already run for OS updates; MAU's Monthly Enterprise channel exists precisely for change-controlled fleets.
Office configuration (sign-in behaviors, telemetry, macro-adjacent settings) rides preference domains per app (com.microsoft.Word et al.) — the Catalog carries many directly.
Microsoft publishes current versions of these profiles in the Defender-for-Mac deployment docs — deploy theirs, diff on updates. Once healthy, the risk score → compliance → Conditional Access loop closes, and device risk starts gating access exactly the way your security team expects.
Defender sensorcomputes the device risk score
→
Compliance policyconsumes the score into the verdict
→
Conditional Accessgates access on the verdict
Company Portal
Required, fleet-wide — it's the enrollment vehicle for user-approved devices, the Platform SSO broker host, and the user's compliance-status window. Deploy early; everything above assumes it.
Insights
Sequence-test the Defender kit on a wiped lab Mac measuring time-to-protected — the kit deployed out of order produces an installed-but-degraded sensor that looks green in app reporting. The agent-triage sequence verifies the end state.
MAU channel drift is the silent version-sprawl generator: one custom attribute reporting the configured channel keeps the fleet honest.
pkgbuild, signing, and notarization in the amounts a Mac admin actually needs — plus when to skip it all with Installomator.
Sooner or later a vendor hands you a bare .app, a zip, or "just run this" — and you become a packager. The good news: the Mac admin's packaging toolkit is three commands and one decision tree.
Buildpkgbuild wraps the .app--component … --install-location /Applications
Signproductsign with Developer ID InstallerCheap insurance against Gatekeeper friction
Verifypkgutil --check-signature + lab installBefore anything reaches the console
DeployUpload via the PKG app typeDetection rides the bundle version
The Minimum Viable Package
A component package wrapping an app for /Applications:
That artifact deploys via the PKG app type today. For multi-component or scripted installs (pre/postinstall scripts — the layer where install-time logic lives), pkgbuild --scripts and productbuild compose the bigger artifact; keep scripts idempotent and logged, the universal rule.
Signing and Notarization (The Honest Amount)
Signing: a Developer ID Installer certificate (from your org's Apple Developer account) + productsign turns your pkg into a signed one. Cheap insurance: signed packages sidestep a class of Gatekeeper friction and verify provenance forever after.
Notarization: Apple's malware-scan-and-staple for internet-distributed software. MDM-delivered packages live in a gentler trust path than user downloads, so strict notarization of internal wrappers is often skippable — but vendor binaries inside your package should already be signed and notarized by the vendor, and repackaging shouldn't disturb that. Rule of thumb: sign everything you build; notarize what users might ever download outside MDM.
Verify before upload: pkgutil --check-signature MyApp.pkg and a test install on the lab Mac.
Versioning Discipline
Detection rides bundle versions (CFBundleShortVersionString) — keep the pkg filename, the contained app version, and your repo tag in lockstep, treating the version string as a contract across the whole chain. "Why didn't the fleet update" is almost always a version that didn't increment somewhere in that chain.
Or: Don't Package
Installomator exists because most third-party Mac apps are publicly distributed with vendor signatures — a label-driven script that downloads, verifies, and installs the vendor's own artifact beats maintaining a private repackage of it. Reserve real packaging for: internal apps, vendor software without public distribution, and installs needing org-specific scripting. Inspect anything questionable first with Suspicious Package (tools page) — reading a pkg's payload and scripts before deploying it fleet-wide as root is not paranoia, it's the job.
the vendor distributes publicly with their own signed artifactInstallomatorDownload, verify, and install the vendor's own build — no private repackage to maintain.
the app is internal, unpublished, or needs org-specific install scriptingPackage it yourselfpkgbuild + productsign, versioned in the packaging repo.
Insights
Keep a packaging/ repo: source artifact, build script, signing notes, version history. Packaging knowledge is tribal until it's committed.
Apple silicon vs Intel is mostly solved by universal vendor binaries — but your detection and scripts should still handle both (uname -m), because the install paths occasionally differ.
The per-lane update doctrine — who updates what, on whose schedule, and how you prove currency.
Mac app deployment has four lanes; Mac app updating has four corresponding doctrines, and fleets that never wrote them down discover the gaps as vulnerability findings. The table first, the reasoning after:
Lane
Who updates
Your lever
VPP / Mac App Store apps
The MDM/Store machinery
The auto-update posture in VPP settings — turn it on and verify, the closest Mac gets to fire-and-forget
Whether you allow it to run — a real decision with its own page
The Doctrine by App Class
The doctrine, by app class:
Security agents and browsers → fastest lane available: vendor updater allowed or high-frequency Installomator — staleness here is the finding that matters
The business-critical workflow app → the validated lane: pinned deployment or scheduled Installomator behind a ring-1 pass; change control where change hurts
The long tail → automated by default: VPP auto-update plus a weekly Installomator sweep covers the canon without per-app ceremony
Proving Currency
Strategy without verification is hope: a custom-attribute script reporting installed versions for the watched set, rolled into the inventory rhythm, turns "are we current on Chrome" into a column. The audit-grade framing: every app has a named update lane, every lane has a cadence, and the watched set has version telemetry — three sentences that satisfy most security reviews because most estates can't say them.
Insights
The classic Mac failure mode is the lane orphan: an app hand-installed during a migration, in no lane, updating never — a recurring discovered-apps delta review catches them, and the fix is adoption into a lane, not a one-time update.
OS-update and app-update rhythms interact: the annual MacOS release is when self-updaters and agents most need to move fast — pre-stage vendor-support checks in ring 1 so the lanes are proven before the fleet's OS moves.
The community installer engine under Intune — labels, arguments, wrapper patterns, and the operating rhythm.
The deployment-options page names Installomator as the third-party canon's workhorse; this cookbook is the how: the open-source script that knows how to fetch, verify, and install hundreds of common Mac apps directly from vendors — each encoded as a label — turning "package and maintain Chrome forever" into "run the script with the label chrome on a schedule."
EngineInstallomator — open-source, label-driven
CoverageHundreds of common Mac apps, fetched vendor-direct
The wrapper fetches/embeds a pinned Installomator release and invokes it with the label plus your standard arguments — pin the engine version deliberately and update it on your schedule; the wrapper is repo-versioned like all fleet code
Arguments encode the UX doctrine: blocking-process behavior (kill, prompt, or defer when the app is running — choose prompt/defer for knowledge-worker apps and accept slower convergence), notification behavior (pair with the notifications payload so prompts actually surface), and logging verbosity for the triage trail
Verification rides labels too: each label carries the vendor's expected Team ID/signature — the engine refuses tampered downloads, which is the security argument that gets this pattern past review: vendor-direct fetch with cryptographic verification, not "scripts downloading the internet"
Recurring execution is the update engine: the same script on a schedule is the update lane — present-and-current converges every run
The Operating Rhythm
One wrapper, parameterized by label beats forty bespoke scripts — the label list per fleet is data, not code
Ring the schedule: ring-1 Macs run the sweep a few days ahead of fleet; a vendor shipping a broken build burns the canary, not the company
LOB apps (no label — they ride your PKG pipeline), apps under strict change control (the validated lane, not the auto-sweep), and anything whose license terms preclude vendor-direct fetch. Fit it to the canon; don't force the exceptions.
the app has a label and lives in the third-party canonThe Installomator sweepRecurring run — present-and-current converges every cycle.
it's an internal app with no labelYour PKG pipelinePackage, sign, and deploy it yourself.
the app sits under strict change control or license-restricted distributionThe validated lanePinned, ring-validated delivery — not the auto-sweep.
Insights
Read the label source before first deployment of any app — thirty seconds confirms what's fetched, from where, verified how; being able to say you do this is half the security-review battle.
The blocking-process argument is the user-experience signature of your whole rollout: silent kills of running browsers generate the exact resentment that restraint doctrines exist to avoid — defer-style settings cost convergence speed and buy goodwill; spend accordingly.
The Mac self-service surface — what Company Portal offers, where it trails Jamf Self Service, and how to make Available deployments shine.
Mac users — especially those arriving from Jamf estates — expect a self-service app store. Company Portal on MacOS is that surface under Intune: honest assessment, then optimization.
What It Does
Available-assignment storefront: VPP apps, LOB packages, and DMG/PKG deployments assigned as Available appear for on-demand install — the license-frugal, user-respecting alternative to required-everything
Device standing: compliance state and remediation guidance — the user-visible end of the compliance loop, where "your Mac needs an OS update" becomes actionable instead of mysterious
Jamf Self Service is the genre benchmark — arbitrary-script buttons, deep branding, policy-as-catalog-item. Company Portal's Mac catalog is narrower: app installs and compliance actions, yes; "click to run any admin-blessed workflow," less so. Two consequences for migrated estates: port the workflow buttons deliberately (the popular Self Service scripts become scripts on triggers, helpdesk-run device actions, or honest cuts — inventory them during migration, don't discover them as tickets), and set expectations in comms — "the app store part carries over; the magic-button part changes shape."
Making the Storefront Good
The difference between a dusty portal and a used one is curation: a deliberate Available catalog (the apps people actually request, not the license graveyard), naming/icons/descriptions treated as the retail surface they are, and the onboarding guide pointing at it on day one. Pair with notification rights so its compliance nudges surface, and keep the app itself current — it ships via the deployment pipeline like everything else and is the one app whose staleness users see daily.
Do
Curate Available around what users actually request
Treat names, icons, and descriptions as the retail surface they are
Point the day-one onboarding guide at the portal
Keep Company Portal itself current — its staleness is the one users see daily
Don't
Ship the license graveyard as the catalog
Let compliance nudges fire without notification rights
Discover Self Service workflow buttons as tickets — inventory them during migration
Insights
Self-service is your license-economics lever: every app moved from Required-everywhere to Available-on-request stops paying for shelfware — the VPP utilization review quantifies it, and finance conversations go better with the number.
Watch what users search for and can't find — request patterns are your catalog backlog, and a quarterly add-the-asked-for pass keeps the portal alive in the org's muscle memory.
Removing software cleanly on MacOS — what assignment removal does per lane, uninstall scripts, and the license cleanup.
Deployment gets the documentation; removal gets the incidents. Mac app retirement is lane-dependent, and the lanes behave differently enough that "just unassign it" is sometimes a removal and sometimes a shrug.
Removal by Lane
VPP apps: the managed-removal story — Uninstall assignment removes the app, and retiring the assignment frees the license back to the pool (the license-economics loop closing). The clean lane.
LOB PKG installs: here's the honest seam — PKGs install; they don't carry uninstallers. Removal means an uninstall script: stop the processes/agents, remove the app bundle and the vendor's support directories (Application Support, LaunchAgents/Daemons, preference files), and verify. Vendor-documented uninstallers where they exist; your own shell script where they don't — written at packaging time, because the engineer who knows what the installer scattered is the one deploying it, not the one retiring it three years later.
Installomator-managed apps: removal is also script-shaped; stop the recurring label first or the sweep politely reinstalls what you removed — the classic retirement footgun.
DMG-deployed apps: bundle removal is straightforward; the support-directory sweep still applies.
The Retirement Choreography
Stop new installs: Available assignments pulled, labels removed from the sweep
Remove from the installed base: Uninstall assignment or the uninstall script via the script pipeline, ringed like any change
Verify to zero: the discovered-apps view trending to zero is the exit criterion — retirement without verification is a vulnerability finding on a delay timer, because the abandoned app no longer has an update lane
Clean the metadata: licenses reclaimed, PPPC/extension/notification entries for the app pruned from the kit, the repo's label/app lists updated
Do
Write the uninstall script at packaging time
Stop the recurring label before removing the app
Verify discovered-apps trends to zero — the exit criterion
Reclaim licenses and prune the app's kit entries
Don't
Treat "just unassign it" as a removal — lanes differ
Leave LaunchAgents and support directories behind
Let the sweep politely reinstall what you removed
Skip the receipt cleanup (pkgutil --forget)
Insights
The support-directory residue is more than tidiness: leftover LaunchAgents from a half-removed agent can keep running — a retired security tool's orphaned daemon is both a performance ticket and an audit oddity. The uninstall script's completeness is the difference.
Keep a retirement template next to the packaging template — process list, paths, receipt cleanup (pkgutil --forget for the pedantic-clean finish), verification query — so every retirement is a fill-in-the-blanks exercise instead of archaeology.
Xcode, command line tools, Rosetta, and local admin reality — managing the fleet's most opinionated population.
Developer Macs are the hardest Mac population: enormous toolchains, strong opinions, legitimate elevation needs, and outsized blast radius if managed badly — they're also often why the org has Macs. The doctrine: secure the boundaries, stay out of the workflow.
The Toolchain Logistics
Xcode is the headline problem: a multi-gigabyte install that updates often. The lanes — VPP delivery of the App Store Xcode (viable, mind the bandwidth story on release days), or developer-driven installs under a policy that allows them for this population. Either way, first-launch realities (license acceptance, additional-components install) belong in a post-install script so "I installed Xcode but builds fail" stops being a ticket genre.
Command Line Tools: the lighter dependency half the org's scripts assume — deployable headlessly via script; bake it into the developer-fleet enrollment so git works on hour one.
Rosetta 2 on Apple silicon: translated tooling still exists in most shops — install it during enrollment for the developer dimension and the "bad CPU type" mystery never happens.
Package managers (Homebrew et al.): the pragmatic posture is acknowledged and bounded — allowed for this population, with EDR and Gatekeeper posture as the compensating layer, and the fleet's update doctrine noting that brew-installed tools are the developer's own lane. Pretending it's banned while everyone uses it is the worst of both worlds.
The Privilege Reality
Developers make the strongest admin-rights case — Docker-class tooling, simulators, system-adjacent debugging. The honest postures: admin-by-documented-exception for the population (with the hidden managed admin and audit posture intact), or standard-plus-JIT-elevation where third-party tooling provides it. What doesn't survive contact: standard-user-no-exceptions on a working dev team.
The Boundary Set That Stays Firm
Workflow flexibility, boundary rigidity: FileVault, compliance + CA, EDR present and unkillable, iCloud data boundaries, and the secrets-hygiene conversation (signing keys and tokens in the keychain, not in dotfiles synced to personal clouds). Developers accept boundaries they can see the reasoning for; they route around theater.
Do
Hold the boundary set: FileVault, compliance + CA, EDR present and unkillable
Give the population a first-class Dev-Mac dimension and fork deliberately
Install Rosetta 2 and Command Line Tools at enrollment
Pretend the package manager is banned while everyone uses it
Run standard-user-no-exceptions on a working dev team
Accumulate fifty quiet exceptions instead of one documented fork
Insights
Give the population a first-class dimension — Dev-Mac group/filter — and fork deliberately per policy: same security floor, different elevation/install posture, update rings that respect release weeks. A documented fork beats fifty quiet exceptions.
Sparkle frameworks, vendor updaters, and the allow-or-own decision for apps that patch themselves.
A large share of the Mac third-party canon ships its own updater — Sparkle-framework apps, Chrome/Edge's background services, the Zoom/Slack class. Each one asks the same question: let the vendor's updater run, or own the update yourself? Fleets that never answered it per-app are running both strategies at once, which is the same as neither.
the app is a browser or fast-moving, security-sensitive canonAllow the vendor updaterFastest patch latency, zero toil — and zero change control; staleness is the bigger risk here.
the app sits behind validation or change controlOwn the updateSuppress the updater and deliver on your ring cadence — and honor the treadmill, or the app ages silently.
The Two Postures
Allow the updater (vendor-managed currency): fastest patch latency, zero admin toil — and zero change control: the vendor's Tuesday is your Tuesday. Right for browsers and the security-sensitive canon where staleness is the bigger risk, and for fleets without validation-gated apps.
Own the update (suppress/ignore the updater, deliver via Installomator or packaging): your cadence, your ring-1 validation — and the treadmill obligation that comes with it: a suppressed updater plus a missed sweep equals an app aging silently, the worst outcome available.
The doctrine table from the update-strategy page assigns the posture per app class; this page adds the mechanics.
The Mechanics
Suppression is preference-domain work: most major updaters honor managed preferences (Sparkle's automatic-check keys, the browsers' update-policy domains already in your browser profile) — delivered like any managed preference, versioned in the repo
Standard-user interaction: some updaters elevate gracefully for standard users, some prompt for admin credentials forever — an updater that nags non-admins is a de-facto broken lane, and the fix is owning that app's updates rather than training users to ignore prompts
Verification is universal: whichever posture, the version-telemetry attribute proves it's working — vendor-managed currency measured is a strategy; assumed, it's a hope
Insights
Updaters are also launch agents and daemons — they belong in the agent-kit inventory and the retirement sweep: the Google/Microsoft updater daemons outliving their apps is the classic residue pattern.
The honest fleet usually lands split-posture: vendor-managed for the fast-moving canon, owned for the change-controlled few — write the split down, because the difference between "split by design" and "split by accident" is exactly one document.
The package manager your developers already installed — governed, secured, and made useful instead of pretended away.
The developer-Mac page names the honest posture — acknowledged and bounded; this page is the bounding: Homebrew as managed reality on the fleets that run it.
The Governance Model
Sanction it for named populations: the Dev-Mac dimension gets brew; the general fleet doesn't need it and the hardening posture shouldn't carry it. A policy line that says allowed, here, like this beats unenforceable prohibition everywhere.
Install it properly: a managed install script during enrollment for the dev dimension — correct ownership on the prefix, the standard-user account model respected (brew's design expectations and your elevation posture negotiated once, in the script, not per-user) — beats forty hand-installs with forty permission archaeologies.
Brewfiles as the team contract: a repo-versioned Brewfile per team declares the sanctioned toolchain — new-Mac setup becomes one bundle command, and the config-as-code reflex extends to the dev stack.
The Security Posture, Stated for Review
The questions security will ask, pre-answered: formulae install from public taps (supply-chain exposure comparable to any developer package ecosystem — npm/pip precedent applies, and so do its mitigations); the EDR layer watches execution regardless of install path; brew-installed software sits outside your update lanes — it's the developer's own lane, declared as such in the lane table; and an inventory attribute (brew list output, versioned) keeps the estate visible. The unacceptable variant is the unmanaged one: brew on every Mac, no inventory, no posture — which is what prohibition-in-name-only actually produces.
The Boundary
Corporate-deployed apps stay in your lanes — brew is for developer toolchain, not for "easier Chrome installs"; a fleet whose security agent arrived via brew has inverted the trust model. One sentence in the policy draws it.
Do
Sanction brew for named populations — the Dev-Mac dimension
Install it via a managed enrollment script, ownership correct
Declare team toolchains in repo-versioned Brewfiles
Keep a brew list inventory attribute reporting
Don't
Prohibit in name only — that produces the unmanaged variant
Let corporate apps or the security agent arrive via brew
Let casks blur into the corporate-app lane — formulae yes, casks by exception
Insights
The casks question is where most policies wobble: GUI apps via brew blur straight into the corporate-app lane. The clean line — formulae yes (toolchain), casks by exception — keeps the model legible, and Installomator already covers the GUI-app-currency need brew casks would otherwise tempt people with.
Private store distribution for MacOS — Custom Apps through Apple Business Manager, and where the lane beats your PKG pipeline.
Custom Apps are the private-store lane: vendor- or self-published apps delivered privately through Apple Business Manager, with store-grade installs and updates — and the lane has its own decision math against the four deployment lanes.
DistributionApp Store Connect — private audience = your ABM organization
LicenseDevice-licensed through Apps and Books
UpdatesAutomatic, store channel
SigningNone on your side — store-grade install behavior
The Model
The developer publishes to App Store Connect with your ABM organization as the private audience; the app lands in your Apps and Books, licenses like any VPP title, and deploys device-licensed through Intune — supervised-grade install behavior, automatic store-channel updates, no signing ceremony on your side. Updates are the headline win: a Custom App vendor shipping through the store has handed you the VPP auto-update lane, versus the PKG vendor handing you a repackaging treadmill.
The Decision Math
When a vendor offers both delivery shapes, the question is Custom App vs PKG, and the lane choice follows the app's shape: store-distributable apps (sandboxed, store-review-compatible) → Custom Apps, taking the update lane for free; apps needing what the store can't carry (privileged helpers, system extensions, kernel-adjacent components — the security-agent class) → PKG lane by necessity, with Installomator-or-pipeline carrying currency. Most vendor estates split exactly there, and the procurement language writes itself: store-compatible deliverables distribute as Custom Apps to our ABM organization; privileged components ship as signed, notarized PKGs with documented uninstall.
the app is sandboxed and store-review-compatibleCustom AppPrivate store delivery — the auto-update lane comes free.
the app needs privileged helpers, system extensions, or kernel-adjacent componentsPKG laneSigned and notarized, with Installomator-or-pipeline carrying currency.
Operational Notes
The classic stumble is audience configuration: an app that never appears in Apps and Books almost always means the vendor's private-audience setting and your ABM organization ID don't match — verify the org ID with the vendor before escalating anywhere else. License hygiene is standard VPP work (reclaim on retirement, watch utilization). And one platform-specific check: confirm the listing's MacOS availability explicitly — vendors occasionally publish their private audience more narrowly than they intend, and the gap surfaces as "the app isn't there" on deployment day.
Insights
Custom Apps quietly upgrades your trust story too: store distribution means App Review and notarization-by-construction — the Gatekeeper posture's happiest path — which is one more review-meeting sentence the PKG lane can't offer.
Native dialogs as fleet infrastructure — onboarding progress, update nudges, and consent moments, scripted.
swiftDialog turns one command-line call into a polished native dialog — branding, markdown, progress bars, buttons that return exit codes — and in fleet hands it's not a utility, it's the user-communication layer your scripts were missing. Four patterns carry most of the value, and each follows the same skeleton: deploy the binary, call it from a script with deliberate arguments, and route the exit code back into fleet logic.
Step 1Deploy the binaryPinned version, through the app pipeline, before any script calls it
Step 2Call it from a scriptDeliberate arguments from the central branding snippet
Step 3Route the exit codeEach button returns a code; the script branches on it
Prerequisites
The swiftDialog binary, deployed as managed software. Treat it like any other dependency: pin a tested version, deliver it through your app pipeline, and stage it before any script that calls it — a script that assumes the binary exists fails silently on the one Mac where it doesn't.
A central branding snippet. Keep the common arguments — logo path, accent color, window-title conventions — in one sourced include so every team's dialogs look like one fleet rather than five well-meaning experiments.
A notifications payload already in place, so any notification-style output is pre-authorized instead of prompting users mid-flow.
A bench Mac per OS release — dialog chrome and full-screen behavior are OS-version-sensitive, so every flow earns a re-check before your rings move to a new release.
Pattern 1 — The Enrollment Experience
The await-configuration window's one real gap is user-facing progress; the community's answer — Setup-Your-Mac-style swiftDialog flows — is a full-screen, branded "we're building your Mac" dialog driven by your provisioning script, each kit payload and app ticking a checklist as it lands. First impressions are fleet design, and enrollment is the strongest first impression a managed Mac ever makes. The working sequence:
Deploy the dialog binary first in the provisioning script order, so the progress UI exists before anything worth narrating happens.
Launch the full-screen dialog with your branded arguments and one list item per provisioning step.
Drive the checklist through the command-file mechanism: as each payload, agent, and app lands, the script appends a status update to the dialog's command file and the corresponding line ticks complete.
Exit to the desktop on completion — close the dialog deliberately and leave the user on a finished, working Mac rather than a mystery in progress.
Detect the blocking condition in the script: the app is running, the disk is nearly full, the uptime is absurd.
Present the choice as a dialog — "Chrome needs to restart to update — Now / In 1 hour" — offering only deferral options you actually intend to honor.
Route the exit code back into the script's defer logic: each button returns a distinct code, so "Now" proceeds, "In 1 hour" schedules the retry, and a deferral cap eventually converts the nudge into action.
The same skeleton serves restart pressure and disk-space appeals — anywhere the fleet needs something from a human and deserves to ask politely first.
Pattern 3 — Consent and Instruction Moments
The remote-support consent choreography and any workflow needing a guided user click follow one script: show a dialog containing a screenshot of the OS prompt the user is about to see, narrate it — "you'll see this — click Allow" — then trigger the action. Pre-narrated consent converts platform-mandated prompts from confusion into choreography, and it measurably cuts the abandoned-prompt rate that otherwise becomes tickets.
Pattern 4 — Data Capture
Dialog input fields (asset tags at first boot, building codes for printer mapping) returned to the script and written up as a custom attribute — the missing form layer for the handful of facts only humans know. Validate the input in the script before recording it; a free-text asset-tag field collects creative fiction unless the script enforces the expected format.
Verification
Bench-test every dialog flow per OS release: full-screen behavior, notification rights, and the command-file mechanism each deserve a five-minute re-check against the new OS before broad rings move.
Confirm exit-code handling end-to-end — press each button on a test Mac and verify the script takes the branch you expect; a mis-mapped exit code silently turns "defer" into "proceed."
Review the fleet's dialog inventory periodically so retired workflows stop interrupting users.
Insights
It's a dependency, not a script garnish: pin the version, deploy via your pipeline, test per OS release, and centralize the branding arguments — the discipline is what separates a communication layer from a popup generator.
The cultural payoff outruns the technical one: a fleet whose interruptions are branded, polite, and deferral-respecting trains users to read IT dialogs — which is exactly the audience you'll want already trained the day a security moment needs their attention.
FileVault, firewall, SIP, Gatekeeper, and OS floors — attesting the Mac's posture to Conditional Access.
Compliance on the Mac follows the standing contract: the compliance policy attests posture, and Conditional Access enforces access based on that attestation. The Mac policy's distinguishing signals are the OS-integrity trio — SIP, Gatekeeper, firewall — which together answer the question that matters most about a managed Mac: "is this still the Mac we configured?"
Console pathDevices > MacOS > Compliance policies
Applies toEnrolled Macs — ADE and user-approved alike
Key signalsFileVault, SIP, Gatekeeper, firewall, OS floor
Enforced byConditional Access — the policy attests, CA gates
Prerequisites
Enrollment working end-to-end — compliance evaluates enrolled devices only: ADE for corporate Macs, user-approved where it genuinely applies.
A Conditional Access design that consumes the signal — without it, noncompliance is a report, not a control.
Step-by-Step: Building the Policy
Create the policy under Devices > MacOS > Compliance policies, then work the settings deliberately:
Require encryption / FileVault — the attestation half of the FileVault page; grace-period the policy so newly-enrolled Macs mid-first-encrypt don't flap between states.
Require System Integrity Protection — SIP off means someone deliberately weakened the OS's self-defense from recovery mode; on a corporate Mac that's a conversation, and this setting starts it automatically.
Require Gatekeeper (Mac App Store / identified developers) — the unsigned-software floor for the fleet.
Set the minimum OS version — trail your DDM enforcement rings by a grace margin so the compliance floor follows the update rings instead of racing them; a Mac should only fail this check after missing a deadline you already enforced.
Set password requirements — modest where Platform SSO carries the identity story; the local password still gates FileVault unlock, so it can't be theater either.
Add the Defender machine risk score once the full kit is live — cap the acceptable ceiling and the live-threat loop closes.
Actions for Noncompliance
Sequence the actions: grace period (24–72h) → user notification → mark noncompliant → Conditional Access gates access. The ladder gives users room to self-correct while keeping enforcement credible — the design goal is that nobody is ever surprised by a block.
Step 1Grace period24–72 h of room to self-correct
Step 2User notificationThe nudge before consequences
Step 3Mark noncompliantThe verdict lands on the device record
Step 4Access gatedConditional Access enforces the verdict
Mode Notes
ADE and user-approved Macs evaluate the same policies — the difference is leverage: a user-approved Mac that goes noncompliant can simply unenroll, which is precisely why Conditional Access (not the device) holds the access keys, and why corporate Macs belong on ADE where management survives bad moods.
Verification
On a bench Mac, break one signal at a time — disable the firewall, lapse the OS floor — and confirm the policy marks the device noncompliant on the expected schedule and that access is actually gated downstream.
Confirm grace-period behavior on a freshly-enrolled Mac mid-first-encrypt: the device should hold steady through encryption, not flap.
Read the per-setting compliance report after first assignment — a setting reporting "not applicable" fleet-wide usually means a targeting or scoping mistake, not a healthy fleet.
Insights
SIP/Gatekeeper failures are rare and loud by design — alert on them individually rather than letting them blur into the noncompliance count; each one has a story.
The classic Mac false alarm: "encryption noncompliant" on a Mac that is encrypted — usually a PRK-escrow gap or an evaluation lag after enrollment. Check escrow state before re-pushing policy; the fix is rotation, not re-encryption.
Device-based access for Mac fleets — the compliance signal chain, the per-browser reality, and a rollout that locks nobody out.
Conditional Access is where the Mac's compliance verdict becomes enforcement: corporate data opens only on a managed, healthy Mac. The mechanism is a chain — enrollment establishes management, registration creates the Entra device record, compliance stamps the verdict onto it, the browser presents device identity, the policy reads the verdict and grants. Every Mac CA incident is one link failing; build and troubleshoot in chain order.
EnrollManagement establishedIntune manages the Mac
RegisterEntra device record createdThe anchor for the device claim
AttestCompliance stamps the verdictFileVault, SIP, Gatekeeper, firewall, OS floor
PresentBrowser carries device identityBroker, profile sign-in, or extension
GrantPolicy reads the verdictCompliant opens the door
The Device-Based Grant
The Mac's device-based control is Require device to be marked as compliant — the only device grant a Mac can satisfy, which keeps the design honest: the compliance policy is the access bar, so FileVault, SIP, Gatekeeper, firewall, and the OS floor are exactly what a Mac must prove to open the door. Pair it with the MacOS device-platform condition, remembering that platform detection rides user-agent strings: routing, never a security boundary.
The Browser Reality
A token can carry the device claim only if the browser can reach the device's identity. Platform SSO makes that respectable fleet-wide: the SSO extension brokers authentication, and browsers acquire device identity through it instead of certificate prompts. Per browser:
Browser
How it acquires device identity
Field notes
Safari
The device client certificate provisioned at registration; brokered silently where the SSO extension is active
Fully supported; without the broker, users get a one-time certificate-picker prompt — declining it reads as "blocked" in tickets
Microsoft Edge
Native — through the signed-in Edge profile
A signed-out Edge cannot present device identity and fails the policy; profile sign-in is the prerequisite
Chrome
The Microsoft Single Sign On extension, which talks to the SSO broker
Device-blind without it — force-install via managed browser policy rather than hoping users add it
Two universal failure modes: private-browsing windows and disabled cookies both break device checks by design. The extension force-install and profile sign-in defaults belong in your browser management profiles — the CA story is only as strong as the least-configured sanctioned browser.
What Unmanaged Macs Hit
The day device-based CA turns on, every unmanaged Mac touching scoped apps gets a block page — including executives' home machines and the BYO population nobody inventoried. The compliant-device grant deliberately does not block Intune enrollment itself, so the remediation path stays open; staging decides whether that path is smooth or a cliff:
Inventory first: the Entra sign-in logs' device-info detail shows exactly which Macs sign in unmanaged today — that list is the rollout backlog and the comms audience.
Open the enrollment doors before the gates close: ADE for corporate Macs, user-approved enrollment for sanctioned BYO — the BYO-Mac decision made as policy, not per ticket.
Communicate the block before the block: a one-paragraph note with the enrollment link converts most of the backlog before enforcement day.
Prerequisites
A compliance policy assigned and producing verdicts — at least one pilot Mac showing compliant before any CA policy references the signal; a compliant-device grant in front of an empty compliance estate blocks everything it scopes.
Platform SSO (or at minimum the SSO extension via Company Portal) deployed, plus the browser plan for extensions and profile sign-in.
Break-glass accounts: at least two emergency-access accounts excluded from every CA policy, tested on a schedule. Non-negotiable.
Step-by-Step: the First Device-Based Policy
Create the policy under Entra ID > Conditional Access > Policies, named for what it does — "MacOS — require compliant device — pilot".
Scope users to the pilot group and add the exclusions immediately — break-glass accounts and any service accounts that authenticate interactively — while the policy is still harmless.
Target resources: start with a meaningful-but-survivable set (mail and files are the classic), and expand toward all resources as confidence grows.
Set the device-platform condition to MacOS — and decide explicitly what happens to unknown platforms rather than inheriting that answer by accident.
Select the grant — Require device to be marked as compliant — and save in report-only mode, where the policy evaluates and logs every sign-in without enforcing.
Soak for one to two weeks. The report-only results in the sign-in logs show who would have been blocked and why; work that list to zero surprises, then flip to On for the pilot and widen deliberately.
Verification
A compliant pilot Mac signs into scoped apps from every sanctioned browser without prompts; its sign-in log entries carry the device ID and compliant state.
A bench Mac forced noncompliant (break one signal, per the compliance page's drill) is blocked with the message you expect — and recovers after remediation plus a check‑in.
An unenrolled Mac hits the block page and finds the path you designed for it: an enrollment invitation, not a dead end.
A break-glass account signs in from anywhere, unchallenged.
Lockout Pitfalls
The enrollment chicken-and-egg: a freshly enrolled Mac isn't compliant yet — registration plus the first check‑in take minutes — so day-one users can be enrolled and still blocked. Enrollment itself isn't stopped by the compliant-device grant, but anything else stacked into the policy (location fences, app scoping that catches the portals) can wall off the flow that creates compliance. Verify the new-Mac path end to end with the policy enabled.
Local-account vs Entra identity mismatches: registration anchors to the account that performed it. A second local account on the same Mac, or a browser signed in with a different identity than the one that registered, presents no device claim — blocked, despite the "managed" Mac. Multi-user Macs sit outside device-based CA's support envelope; design them out, not around. The PSSO triage page catches the registration-side variants.
Missing break-glass discipline: the lockout that matters is the one where admins scope themselves into a policy whose grant their own devices can't satisfy. Excluded emergency accounts — tested, monitored, documented — are the difference between an incident and an anecdote.
Do
Inventory unmanaged sign-ins from the Entra logs first
Open the enrollment doors before the gates close
Soak every policy in report-only for one to two weeks
Exclude break-glass accounts and test them on a schedule
Don't
Skip report-only — even for "obviously safe" edits
Stack conditions that wall off the enrollment path itself
Scope admins into a policy their own devices can't satisfy
Let per-app policy sprawl replace a few broad policies
Insights
Report-only is free production telemetry — organizations that skip it discover their unmanaged-Mac population at the help desk instead of in a log view. Never skip it, even for "obviously safe" edits to existing policies.
Users experience CA failures as outages, not policy: the block page is a UX surface — name the fix and link the enrollment guide there; ticket volume is set by that screen, not by the policy design.
Per-app policy sprawl ages badly: a few broad policies with deliberate exclusions beat dozens of app-specific ones, because six months in nobody can answer "what happens when a contractor opens the finance app from an unmanaged Mac" across forty policies.
The Endpoint security node's MacOS profiles — firewall, FileVault, Defender AV — and how they compose with compliance.
The Endpoint security node carries the focused MacOS profiles for the security stack — firewall, disk encryption, and the Defender sensor's tuning. The operating pattern: configure posture here, attest it in compliance, enforce through Conditional Access.
ConfigureEndpoint security profiles set the postureFirewall, FileVault, Defender AV tuning
AttestCompliance proves itThe policy reports what the profiles set
EnforceConditional Access gates accessNoncompliance becomes a control, not a report
Firewall
Endpoint security > Firewall (MacOS) is where the application firewall gets its fleet posture. Work it in order:
Enable the application firewall fleet-wide — the non-negotiable baseline.
Decide on block all incoming — aggressive but defensible on laptop fleets that host nothing; pilot it with the people who own AirPlay receivers and dev-mode local servers before enforcing broadly, because those forgotten exceptions surface in week one.
Enable stealth mode (drop probe responses) for the road-warrior posture.
Keep per-app allow/block entries short and reviewed — every entry is an exception estate to govern: minimal, justified, version-controlled.
Disk Encryption
The FileVault policy lives in this node — covered in its own page; mentioned here because audit conversations expect "where is encryption configured" to have one answer per platform, and for the Mac this is it.
Antivirus (Defender for Mac)
Once the Defender kit is deployed, the Antivirus profile (MacOS) manages the sensor's behavior: real-time protection, cloud-delivered protection, scan exclusions (minimal, justified, version-controlled), tamper protection where available. The division of labor: the kit makes Defender exist and function (PPPC + extensions + login items); the AV profile tunes it; MAU keeps it current.
What Deliberately Isn't Here
MacOS restriction-flavored security (Gatekeeper settings, software-source controls, USB-adjacent restrictions) lives in the Settings Catalog, not Endpoint security — the one-home-per-setting doctrine: decide the owner per area (this node for the security stack, the Catalog for OS restrictions) and document the split, or per-setting conflict reports become a hobby.
Verification
After the firewall profile lands, confirm on a test Mac that the firewall reports enabled and that compliance attests it — the profile-sets, compliance-proves loop closing end-to-end is the proof the design works.
Verify the Defender sensor reports healthy in its console after the AV profile applies — a tuned profile on a sensor whose enablement kit never landed is configuration without effect.
Re-check the per-app exception list on a calendar; exception lists only ever grow unless someone owns the review.
Insights
Build the Mac security story as one slide with four verbs: encrypt (FileVault), sense (Defender), gate (compliance + Conditional Access), recover (escrowed keys, rotation). A clean verb-per-control architecture is the selling point to every auditor and CISO who reads it.
Firewall "block all incoming" pilots reveal the forgotten exceptions — AirPlay receivers in conference rooms, dev-mode local servers — in week one; run the pilot with the people who own those workflows, not after them.
MacOS's built-in execution control — notarization checks, quarantine, the background scanners, and what management adds.
Before any EDR agent arrives, MacOS already runs an execution-control stack: Gatekeeper deciding what launches, XProtect scanning for known malware, and the remediation machinery cleaning up. Management's job is locking the posture and not breaking the machinery.
Launch gateGatekeeper evaluates the appCode signature, notarization, quarantine state
Background scanXProtect matches known malwareSignature definitions ride Apple's update plumbing
RemediationThe removal machinery cleans upApple-managed, invisible when healthy
Gatekeeper: the Launch Gate
Gatekeeper evaluates apps at launch — code signature, notarization (Apple's malware-scan-and-ticket for developer-distributed software, the same regime your own PKGs must satisfy), and quarantine state (the download flag that triggers first-launch evaluation). Set the managed posture via restrictions/Settings Catalog:
Set the floor: App Store and identified developers. Signed-and-notarized software runs; random unsigned downloads don't. The corporate default.
Decide the override question deliberately. Users can traditionally approve exceptions (the right-click ritual, OS-version-dependent); managed fleets decide whether that override exists at all. Standard-user fleets with a curated app pipeline can close it; developer fleets generally keep it with EDR as the compensating eye.
Know what your pipeline bypasses. MDM-delivered apps skip quarantine by design — your deployment pipeline is the trusted channel, which is exactly why the pipeline's own signing and notarization hygiene matters as much as the user-facing gate.
XProtect and Friends
The built-in signature scanner (XProtect), the remediation tool that removes what's found, and the background update mechanism that keeps their definitions current — all Apple-managed, all invisible when healthy. The management rules: never block their update path (they ride Apple's update plumbing — network allow-lists that strangle Apple services starve the scanners), and treat them as the floor the EDR conversation builds on, not the enterprise detection story by themselves.
The Composite Posture
Gatekeeper (launch control) + XProtect (known-malware floor) + notarized pipeline + EDR (behavioral detection) + attested boot integrity — five layers, each named in the security review, each covering the others' gaps. Present it exactly that way: a layer model with an owner and an attestation story per layer reads as architecture; a list of enabled checkboxes reads as luck.
Do
Set the floor: App Store and identified developers
Decide the user-override question deliberately, per population
Keep the scanners' Apple update path open on every network
Treat a blocked LOB app as a packaging finding
Don't
Strangle Apple services with allow-lists — definitions starve
Treat XProtect as the enterprise detection story
Bless the agents while leaving the gate unmanaged
Fix a signing problem by weakening fleet posture
Verification
Confirm the posture landed: on a test Mac, attempt to launch an unsigned, non-notarized download — the denial should match your policy's intent, and the denial language should match what your helpdesk documentation tells users to expect.
Confirm the scanners' update path on every managed network configuration, including the most restrictive — a quarterly check against proxy/allow-list changes keeps the malware-definition floor current.
Insights
The classic self-inflicted wound: a PPPC/extension kit meticulously built for the EDR agent, while an unmanaged Gatekeeper posture lets users approve anything — lock the gate the same week you bless the agents.
The passcode payload, Touch ID, lockout behavior, and how Platform SSO changes what the local password even is.
Mac password policy is the familiar lock-policy conversation with one twist particular to this platform: under Platform SSO, the local password's identity changes — it can become the Entra credential's local shadow, which reframes every requirement you set.
The Payload Surface
The passcode payload (Settings Catalog) carries the classics: minimum length and complexity classes, history, maximum age, auto-lock timeout and grace period, and failed-attempt lockout behavior. Calibrate deliberately:
Length over composition theater — a 12+ character minimum beats character-class bingo; modern guidance (and user sanity) favors length + breach-resistance over mandatory punctuation
Rotation: justify it or drop it — forced periodic change is legacy-compliance muscle memory; with FileVault and lockout in place, current guidance leans against arbitrary rotation. If a framework mandates it, document that as the reason
Timeout humane, lockout real: screen-lock minutes that match office reality, failed-attempt thresholds that frustrate brute force without wiping the CFO's Mac over a child's curiosity
Touch ID and the Convenience Layer
Allow it — biometric unlock atop a strong password is better security and better UX, and the payload's biometric toggles let regulated fleets dissent deliberately. The same one-liner resolves the FileVault interaction: Touch ID unlocks the session; the pre-boot unlock still wants the password — one onboarding sentence, zero tickets.
The Platform SSO Reframe
With Platform SSO password sync, the local password aligns with Entra — so Entra's password protection becomes the real policy engine (banned-password lists, smart lockout), and the payload's job shrinks to local hygiene: lock timing, attempt limits, Touch ID posture. Set the payload to complement the identity-side policy rather than duplicate it — two authorities enforcing subtly different complexity rules is the classic two-masters conflict wearing a password costume, and the user at the login window is the one who feels it. (Secure Enclave/key-based Platform SSO modes shift the story further — toward the hardware-bound credential future where the password recedes entirely.)
Pair humane auto-lock timing with a real lockout threshold
Document the framework when rotation is genuinely mandated
Don't
Enforce composition theater — punctuation quotas over length
Force periodic rotation out of legacy muscle memory
Let the payload and Entra enforce dueling complexity rules
Set lockout so tight a child's curiosity wipes a Mac
Verification
Apply the payload to a test Mac and live the policy: set a password that violates it and confirm the OS refuses with comprehensible language; let the auto-lock fire and confirm the timeout and grace period behave as designed.
Walk the failed-attempt ladder on a bench Mac to confirm the lockout threshold and recovery behavior — before a curious child finds them for you.
On Platform SSO fleets, reset a test account's Entra password and confirm the login-window sync behavior matches what your helpdesk script promises.
Insights
Compliance attests the result — payload sets, compliance proves, Conditional Access enforces; the standing trio, Mac edition.
Audit the lockout + recovery path end-to-end once: forgotten password → FileVault recovery-key flow → reset → re-sync — the rehearsed path is a ten-minute helpdesk script; the unrehearsed one is a lost afternoon and an angry executive.
Hardware-rooted device identity on Mac — Secure Enclave attestation, ACME issuance, and the end of trust-by-assertion.
The deepest question in device trust is "how does the service know this is the Mac it thinks it is?" — and for years the answer was assertion: the MDM record said so. Managed Device Attestation (MDA) replaces assertion with cryptography: the Secure Enclave proves the device's identity and properties to Apple's attestation servers, and your infrastructure receives certificates rooted in silicon, not in hope.
Key propertyHardware-bound, non-exportable by construction
How the Proof Works
Through the ACME payload (the modern certificate-issuance protocol with an attestation extension), the Mac requests an identity certificate; the Secure Enclave generates a hardware-bound key (non-exportable, by construction) and Apple's attestation service vouches for the request — attesting the device's genuine-Apple-hardware identity and properties like serial number. The issuing CA can therefore enforce: certificates only for proven hardware, keys that cannot leave it. A cloned or spoofed device can't complete the dance — there's no Enclave to vouch.
Secure Enclavemints the hardware-bound key
→
Apple attestation servicevouches for genuine hardware
→
Issuing CAcertificates only for proven hardware
What It Buys, Concretely
Phishing-resistant device identity: the certificate underpinning 802.1X, VPN, and MDM client identity becomes unstealable — exfiltrated-credential attacks against device certs stop working
Trust-tier honesty: services can distinguish "attested hardware identity" from "asserted identity" — the foundation under serious Conditional Access stories
The strategic arc: MDM communication and enterprise PKI moving from software-held secrets to silicon-held proofs — access decisions anchored below the OS, where malware can't reach
Prerequisites
Apple silicon-era hardware with a Secure Enclave, running a current MacOS.
ACME-capable issuing infrastructure — this is where most estates wait: your PKI must speak the protocol, and Cloud PKI-class services and modern CA platforms are the typical path.
MDM support for delivering the ACME payload, plus the certificate-consuming profiles (network auth, VPN) ready to reference the new issuance chain.
Adoption Path
Start where the value concentrates: the device-identity certificates behind network auth — the certs whose theft would matter most.
Stand up the ACME issuance chain alongside the existing one and issue to a pilot ring first, treating the CA's attestation-enforcement settings as the control under test.
Let SCEP carry the long tail while the ACME estate grows — migrate by certificate class, not by flag day.
Update the trust documentation: which certificate classes are attestation-backed, which are legacy-issued, and what each class is allowed to authenticate to.
Verification
Inspect a pilot Mac's issued certificate: confirm it chains to the ACME issuance path and that the private key reports as hardware-bound.
Attempt issuance without valid attestation against the enforcing CA — the refusal is the control working; file the evidence for the audit binder.
Confirm the consuming services (802.1X, VPN) authenticate with the attested certificate before retiring legacy issuance for that class.
Insights
In security reviews, MDA is the answer to the question auditors are learning to ask: "what stops a cloned device certificate?" — and "the private key physically cannot leave the Secure Enclave, and issuance required hardware attestation" is the strongest sentence in the Mac trust story.
This capability area moves quickly — re-check what your issuing infrastructure and Intune's certificate surface support at deployment time; six-month-old answers expire.
Per-device credential hygiene for the managed administrator — rotation patterns, escrow realities, and honest tooling assessment.
The account-strategy page creates a hidden managed administrator; this page keeps its credential from becoming the fleet's skeleton key. The goal is simple to state and demanding to operate: unique per device, rotated automatically, retrieved auditably — and the honest Mac story is that you assemble this capability rather than toggle it.
The Threat Being Solved
A shared admin password across a Mac fleet is one compromised device away from being a fleet credential — and one departed technician away from being an ex-employee's credential. Static-shared fails both tests; per-device rotation answers both.
The Patterns, Honestly Ranked
Platform/tooling-native rotation where available: the ecosystem is converging on managed local-admin rotation for the Mac — evaluate what your current Intune surface and EDR/management tooling offer at deployment time (this capability area moves; six-month-old answers expire), and prefer native escrow-and-rotate over anything hand-rolled.
Script-based rotation with secure escrow: the established assemble-it pattern — a scheduled script generates a per-device secret, sets it locally, and escrows it to a secured store (a vault/secret-manager via API, with the Graph-automation mindset applied to retrieval auditing). The design tests: where does the secret rest, who can read it, is retrieval logged per event, and what happens when escrow is unreachable mid-rotation. Treat the rotation script itself as security-critical code — repo-versioned, reviewed.
What fails review: rotation that logs the new password anywhere observable (unified log, script output, the MDM's plaintext attribute surface), shared-static "but it's long," and FileVault-key-as-admin-password conflations — the FileVault escrow is its own system with its own rotation story; keep them separate.
Do
Rotate to a unique secret per device
Escrow before set — an outage must never strand a Mac
Log every retrieval as a per-event audit record
Re-roll after every retrieval — post-use rotation is the gold standard
Don't
Log the new password anywhere observable — unified log, script output, plaintext attributes
Accept shared-static "but it's long"
Conflate the FileVault recovery key with the admin credential
Building the Script-Based Pattern
Choose the escrow store first — a secret manager with API access, per-secret ACLs, and per-read audit events. The store's audit log is the control; pick the store for its logging, not its convenience.
Write the rotation script: generate a strong random secret, escrow it, then set it on the managed admin account — escrow before set, so an escrow outage can never strand a Mac with a password nobody holds.
Schedule it through the script pipeline on your chosen cadence, with an additional rotation triggered after every retrieval.
Wire the retrieval workflow: helpdesk requests the credential through the store — RBAC-gated, logged per event — uses it on the bench, and the post-use rotation re-rolls it automatically.
The Operating Loop
Rotation cadence (post-use rotation is the gold standard — every retrieval triggers a re-roll), retrieval rare and auditable, and the credential's use confined to the bench-and-break-glass scenarios it exists for. If helpdesk retrieves admin credentials daily, the finding isn't the rotation system — it's whatever workflow gap (self-service, elevation tooling, device actions) is forcing manual admin access.
Verification
Pull two devices' escrowed credentials and confirm they differ — uniqueness is the entire point, and a generation bug that produces collisions defeats it silently.
Retrieve a credential through the sanctioned workflow, confirm the retrieval logged who/when/which device, and confirm the post-use rotation fired afterward.
Simulate escrow unreachability on a bench Mac and confirm the script's failure mode matches the design: no password change without a stored copy.
Insights
Pair rotation with elevation tooling in reviews: rotation secures the break-glass; self-service elevation (the Privileges-style tooling from the standard-user strategy) shrinks how often anyone needs it — two controls, one slide, and the "why do techs know admin passwords" question dies properly.
The unified log, the Endpoint Security framework, and deciding what Mac telemetry reaches your SIEM.
Mac security visibility runs on two systems with different jobs: the unified log (everything the OS narrates) and the Endpoint Security framework (the real-time event stream security products subscribe to). Knowing which carries what keeps both your diagnostics and your SIEM design honest.
you're reading the OS's own narration — auth events, Gatekeeper decisions, profile changesThe unified logLocal and rotating; query with log by predicate, ship only named predicates.
you need real-time security events — process execution, file activity, authenticationThe Endpoint Security frameworkDeploy an entitled agent that subscribes; you don't tap it directly.
The Unified Log
MacOS's firehose — system, subsystem, and app events, queried with the log tool by predicate and time window. For the admin it's primarily a troubleshooting surface (the ManagedClient story lives there), but security-relevant narration lives there too: authentication events, Gatekeeper decisions, profile changes. Two operational truths: it's local and rotating (it's not your audit trail unless something ships it), and private-data redaction means some fields log as opaque placeholders by design — plan around it rather than fighting it.
The Endpoint Security Framework
The modern detection substrate: a kernel-mediated API streaming real-time security events — process execution, file activity, authentication — to entitled subscribers. This is what your EDR agent consumes; it replaced the kernel-extension era (the system-extension migration story), and its existence explains the architecture: you don't tap the framework — you deploy and feed agents that do. Multiple subscribers coexist, with the performance-contention caveat that every additional subscriber inspects every event.
What Reaches the SIEM (the Design Decision)
The pragmatic Mac telemetry tiers:
EDR-forwarded events — the security backbone; the agent's pipeline is the shipping mechanism, and sensor-coverage % is the metric
MDM-side audit truth — enrollment, compliance state, action history via Graph — fleet-level security narrative without touching devices
Targeted unified-log shipping — only for specific, named predicates a detection genuinely needs (auth events on high-value Macs, say) via a collection agent; shipping the raw firehose is a SIEM-bill incident, not a strategy
Write the tier table down — "what Mac events do we have?" is an incident-response question best answered before the incident.
Insights
The notification/PPPC kit is upstream of all of this: an EDR agent without its approvals streams nothing — telemetry coverage is an enablement-kit metric before it's a SIEM metric.
Rehearse one retrieval: pick a security question ("what executed on this Mac at 14:02"), answer it from your actual pipeline, time it. The gap between the architecture diagram and that timing is your real logging posture.
CrowdStrike, SentinelOne, and friends under Intune — the deployment kit, Defender coexistence, and the health telemetry that proves coverage.
Whether the sensor is Defender or a third party, Mac EDR deployment is the same composite problem: an Endpoint Security framework subscriber that needs silent enablement, configuration, and proof of life. This page is the vendor-agnostic playbook.
Applies toAny ES-framework sensor — Defender or third party
Vendor configuration — managed preferences or the vendor's profile, carrying tenant/site tokens so activation is zero-touch
The sequencing rule from every enrollment page: the kit lands in the enrollment window so the Mac is never post-desktop and unsensored. Vendor documentation provides exact bundle IDs and payload values — transcribe from the current doc, not from a blog post or memory; these identifiers change across agent versions.
The Coexistence Question
One ES-framework heavyweight per Mac is the doctrine — two full EDR agents double-inspecting every event is the performance-conflict page's origin story. Defender-plus-third-party estates run deliberately: one agent in full EDR mode, the other absent or in a passive/coexistence mode the vendors document and support — an architecture decision made once, not a per-device accident. Document which agent owns full EDR mode and pin the passive role in the vendor's supported configuration, so an engineer can answer "who owns detection on this Mac" without a packet capture.
Proving Coverage
The metric that precedes all threat metrics: % of fleet with a healthy, communicating sensor. Assemble it from the vendor console's device list reconciled against Intune inventory — the delta list (managed Macs absent from the EDR console) is the work queue, and a custom attribute reporting agent presence/version makes the gap visible inside Intune itself. Compliance can then enforce what telemetry proves.
Insights
Agent updates are the self-updating-app decision at its highest stakes: most EDR vendors run their own update channels — allow them (staleness is the worse risk), pin ring-1 Macs to the vendor's early channel, and let the canaries absorb the bad-sensor-build day so the fleet doesn't.
The OS-release cycle is EDR's annual exam: vendor support statements for the new MacOS belong in your upgrade gate — the fleet's OS doesn't move until the sensor's support does.
Platform SSO's key-based modes — hardware-bound credentials, the passwordless arc, and what changes at the login window.
Platform SSO's password-sync mode keeps two credentials aligned; its key-based modes retire the alignment problem: the Mac's identity to Entra becomes a Secure Enclave-bound cryptographic credential — unphishable, unexportable, and bound to the silicon that minted it.
Mints atPlatform SSO registration — no registration, no credential
The Mode Ladder
Platform SSO's authentication methods, in ascending ambition:
Password sync: local ↔ Entra alignment — the password-policy page's world, familiar and transitional
Secure Enclave key: registration mints a hardware-bound key; that key authenticates to Entra — the user's local password stays purely local (machine unlock), while cloud auth rides the Enclave credential satisfying phishing-resistant MFA by construction. Token theft and password phishing against this credential stop being meaningful sentences.
The trajectory beyond — platform credentials behaving as passkeys across the WebAuthn world, Touch ID as the gesture — is where Apple and Microsoft are both steering; design new deployments assuming key-based is the destination and verify current Intune/Entra surfacing per release, because this surface is actively shipping.
What Changes Operationally
The login-window story simplifies (local password = local concern; no drift class, so the drift-triage family shrinks), registration carries even more weight (the Enclave key mints at PSSO registration — the unregistered Mac isn't just prompting more, it has no modern credential), and recovery flows re-center on re-registration rather than password reset. Conditional Access gains its strongest Mac input: phishing-resistant-MFA policies satisfiable natively, no security keys to ship.
The Composition Slide
This page plus MDA is the Mac trust story complete: the device proves itself via Enclave attestation; the user authenticates via Enclave-bound credential — identity and device trust rooted in the same silicon, which is the one-sentence answer when review asks why the Mac posture is strong.
Insights
Migration sequencing for existing PSSO estates: key-based modes change the registration contract, so treat the move like the account-model migration it is — ring it, with comms, because "your Mac will ask you to register again" unannounced is a phishing-drill false alarm you scheduled for yourself.
The application firewall, content-filter extensions, and the layered network posture on managed Macs.
The Mac's network-defense story is two distinct mechanisms admins routinely conflate: the built-in application firewall (inbound, app-identity-based) and the network/content filter extension framework (the rich layer your security stack rides). Managing each for what it is keeps the story straight.
the question is inbound and per-app — which apps may accept connectionsApplication firewallEnabled fleet-wide, stealth per taste, block-all on the high-assurance tier.
the question is flow inspection, protective DNS, or per-app VPNFilter extensionsThe layer your security stack rides — deployment is an agent-kit exercise.
The Application Firewall
MacOS's firewall is inbound, per-application: signed apps get allow/deny decisions rather than port rules. The managed posture via the firewall payload: enabled fleet-wide, stealth mode per taste, block-all-incoming on the high-assurance tier, logging on. The right-sized expectation: this is laptop-grade inbound hygiene — the instrument is app-identity rather than port/subnet rule craft, so design it around "which apps may accept connections" and let heavier network policy live a layer up. It's the floor; attest it via compliance-adjacent scripting and move up a layer for the real policy.
The Filter-Extension Layer
Modern Mac network security is filter extensions — the Endpoint Security framework's networking siblings: content filters inspecting/deciding flows, DNS proxies enforcing protective resolution, and the per-app VPN/relay plumbing. Your EDR/web-protection stack implements its network features here, which makes deployment an agent-kit exercise: the extension approval payload, the filter configuration, notifications — pre-approved at enrollment or prompting at the worst time. The coexistence rule sharpens: filter slots are contended territory — one content-filter authority per fleet, vendor-documented exceptions only, or the agent-conflict page gains a networking chapter.
The Composite Posture
Layered and named for review: application firewall (inbound floor) → DNS filtering (cheap, broad) → content-filter extension (the policy engine) → relay/ZTNA for corporate access — each layer owned, each attested, with a traffic-class matrix documenting which control owns which flows.
The triage tell for filter-layer trouble: networking that breaks per-app or per-category (not per-network) is extension territory — check the filter's health and approval state before blaming Wi-Fi, and know your stack's bypass/fail-open behavior before the incident where it matters.
Compliance frameworks made operational — generating, deploying, and auditing Mac baselines from the NIST project.
When the auditor says "CIS Level 1" or the contract says "NIST 800-171," the Mac answer is the MacOS Security Compliance Project (mSCP) — NIST's open-source framework that turns benchmark prose into deployable, auditable artifacts. This page is the operating model.
A rules database (each rule: the control, its framework mappings — CIS, NIST, STIG-class — the check logic, and the fix) plus generators that emit, per your chosen baseline: configuration profiles (the settings a payload can enforce), scripts (checks and remediations for what profiles can't express), and documentation mapping every control to its framework citation — the audit-evidence layer pre-built. You select the framework tailoring, generate, and the abstract benchmark becomes concrete fleet artifacts.
The CIS Apple macOS Benchmark
mSCP is the engine; the CIS Apple macOS Benchmark is the most commonly cited destination it tailors to. CIS publishes a separate benchmark per major macOS release — at the time of writing the live set is macOS 26 Tahoe (v1.1.0), macOS 15 Sequoia (v2.1.0), macOS 14 Sonoma (v3.1.0), macOS 13 Ventura (v4.0.0) and macOS 12 Monterey (v4.0.0), plus a Cloud-tailored variant for each. The version skew matters operationally: a control's recommendation number, its key, and even whether it ships as a profile payload or a script can change between, say, Sonoma v3.x and Sequoia v2.x — never reuse a Ventura profile against a Sequoia fleet and assume parity.
Each benchmark grades recommendations into Level 1 (L1) and Level 2 (L2) profiles. L1 is the defensible default — controls that meaningfully reduce attack surface with minimal impact on usability, the floor you can apply fleet-wide without a help-desk surge. L2 is defense-in-depth for high-sensitivity endpoints — stricter controls (think aggressive auditing, tighter com.apple.* restrictions, hardware-feature lockdowns) that will break workflows and need a documented exemption process. There is no separate "server" profile for macOS the way there is for Windows or Linux; macOS is a workstation benchmark, so when an auditor says "CIS Level 1" for a Mac fleet, they mean L1 workstation.
No MS baselineMicrosoft baselines are Windows-only — CIS + mSCP are the Mac source of truth
The honest framing: there is no Microsoft security baseline for macOS — Microsoft ships security baselines only for Windows. So unlike the Windows baseline you can import as a profile inside Intune, the Mac story is "obtain the benchmark from CIS, generate deployable artifacts with mSCP, and enforce them yourself." CIS PDFs are free for non-commercial use; the machine-readable build kits and CIS-CAT Pro scanner are member benefits. Practically, most shops drive the benchmark through mSCP (it carries the CIS mappings) rather than hand-transcribing the PDF — generate against your OS version, then deploy via Settings Catalog and custom profiles with the check scripts running as custom attributes for per-rule evidence.
Generate against your OS version (rules are release-specific — the annual OS pass includes regenerating)
Tailor honestly: exemptions are first-class in the framework — the developer fleet's deviations get documented exemptions with rationale, not silent skips
Deploy the layers in their lanes: profiles via custom/Settings Catalog, check scripts as custom attributes reporting per-rule state, remediations through the script pipeline — and ring the rollout like any baseline change, because a compliance baseline is one: pilot ring first, broad rings after the soak, rollback notes per rule
Audit continuously: the check-script outputs rolled into reporting = per-control compliance percentage, charted — the burn-down the auditor actually wants
The Relationship to Your Existing Baseline
Your restrictions cookbook and mSCP overlap heavily by design — reconcile rather than duplicate: the framework becomes the system of record for controls it covers (one home per setting), your cookbook keeps the org-specific remainder, and the conflict-check between them is a one-time diff that prevents a standing mystery.
Insights
mSCP's killer feature is the mapping: one deployed rule set, evidenced once, satisfies multiple frameworks' citations simultaneously — which converts "we also need to answer the STIG question" from a project into a re-export.
ADE no-shows, approval snags, missing bootstrap tokens, and profiles that "applied" but didn't — the Mac failure catalog.
Mac enrollment failures cluster along two seams — supply-chain issues at Setup Assistant, identity issues at sign-in — plus two Mac-only suspects: profile approval state and the bootstrap token. Triage in that order: supply chain, network, identity, then the Mac-specific state.
Step 1Supply chainSerial assigned in ABM, token sync run
Step 2NetworkCaptive portals and TLS inspection at Setup Assistant
Step 3IdentitySign-in issues at the identity layer
Work the ladder in order — each rung is cheap to check and rules out everything beneath it:
Confirm the serial is assigned. The Mac must be assigned to Intune's MDM server in ABM, and the token sync must have run since — check that the device appears in Intune's enrollment-program devices list with a profile before blaming anything else.
Check the network at Setup Assistant. Captive portals and TLS inspection break first contact with the activation and enrollment services; a staging VLAN with clean egress is the standard hedge.
Check date/time skew on long-shelved hardware — clock drift produces TLS failures with vague errors that look like anything except a clock.
Already activated past Setup Assistant?Erase All Content and Settings brings an Apple silicon Mac back to ADE in minutes — the legitimate fast fix, not an admission of defeat.
User-Approved Path: Approval Limbo
The Company Portal flow stalls when the user skipped the System Settings approval step — symptoms: enrolled-ish, but profiles won't land and the portal nags. Verify with profiles status -type enrollment (it states user-approved status plainly); the fix is finishing the approval, and the prevention is the three-screenshot guide.
The Mac-Specific Suspects
Bootstrap token missing (profiles status -type bootstraptoken) — breaks deep operations (DDM updates, some account flows) on Macs that enrolled through odd paths. ADE re-enrollment is the clean restoration.
Profile "applied" but behavior unchanged — check scope first (filters/groups), then ground truth on-device: sudo profiles show lists exactly what landed; if the payload's there and behavior isn't, the payload's keys are wrong for this OS version (custom-profile archaeology), not the delivery.
Stuck at "awaiting final configuration" — one of the await-config wave's profiles is failing to land; thin the wave on a test profile to bisect.
Verification After Any Fix
The clean retest is erase-to-ADE, not retry-in-place — partial enrollment state contaminates the second attempt and manufactures phantom bugs. Erase, re-enroll, and confirm profiles status -type enrollment reports the expected state before declaring the cause found.
Insights
Two commands answer 80% of "what is this Mac's state": profiles status -type enrollment and sudo profiles show. Put them in the helpdesk runbook verbatim.
profiles commands, the ManagedClient log stream, Intune agent logs, and install.log — where each Mac answer lives.
Mac diagnostics reward routing the question to the right source before reading anything: every class of question has one stream that answers it directly, and the skill is choosing the stream, not reading faster. The router table:
Question
Source
What's the enrollment/supervision/token state?
profiles status -type enrollment (+ -type bootstraptoken) — one paste ends the debate
What profiles actually landed, from where?
sudo profiles show — the device-side truth to diff against the portal's per-setting report
What is MDM doing right now?
Console.app filtered to subsystem com.apple.ManagedClient (the mdmclient stream) — watch a sync live: check‑ins, profile installs, declarations, errors with actual reasons
/var/log/install.log — the installer's own narrative; every PKG/DMG app type failure explains itself here
Is the agent stack healthy?
The triage sequence: PPPC grants → systemextensionsctl list → login items
Everything, for a support case
sysdiagnose — the Mac's everything-bundle; Company Portal also sends Intune-side logs with an incident ID from its Help menu
The Live-Watch Technique
The single most instructive Mac-admin hour: Console.app on com.apple.ManagedClient, then trigger a sync from Intune and watch — profile delivery, DDM declarations, errors in real prose. One live-watched sync converts MDM from folklore into observable mechanics — and the habit pays for itself on the first profile that "applied" without applying.
Remote Collection
No bench access? Company Portal's send-logs covers the Intune agent side remotely (incident ID for support), and the device blade's sync + per-profile reporting covers the server side. For the genuinely deep cases, talk a user through sysdiagnose (one keystroke chord or one Terminal line) — the bundle uploads anywhere and contains everything above.
Insights
install.log is the most under-visited file in Mac administration — app-install tickets that survive an hour of portal-staring die in three minutes of reading it.
Log with a question: the table is the router, and the answer is usually a dozen lines once you're in the right stream — aimless scrolling through the firehose is how afternoons disappear.
install.log archaeology, VPP ghosts, and PKG exit codes — the lane-by-lane triage for Mac app delivery.
Mac app failures triage by lane, because each deployment lane fails differently. Two questions open every investigation — was it assigned, did the device hear about it (sync health) — then the lane determines the rest.
Step 1Was it assigned?Scope and targeting before anything else
Step 2Did the device hear?Sync health — a quiet Mac installs nothing
Step 3Branch by laneVPP, PKG, or script — each fails differently
VPP Lane
The MDM commands an App Store install; failures cluster in three:
Store-side eligibility: app region/OS requirements vs the device's reality — check the store listing's OS and region requirements against the failing device before suspecting anything deeper
Stuck command states: an install command queued against a device that was asleep mid-flight — sync, re-evaluate, and only then escalate
PKG/LOB Lane
The installer ran and the OS wrote the story to install.log (/var/log/install.log — readable directly or via the unified-log tooling): every package, every script phase, every exit code. The triage pair:
Read the log's verdict — a nonzero exit names the failing phase; preinstall/postinstall script failures are the usual culprits and the log shows their output
Reproduce manually: run the same PKG via installer in a root shell on a test Mac — rehearse in the same root context management uses; what fails interactively with a visible error fails identically but silently under management
Installomator-class failures live in the script's own logging: download/verification failures (vendor URL moved, Team ID mismatch — the verification working), blocking-process deferrals reading as "never installed," and the recurring-sweep-reinstalled-it inversion during retirements.
install.log is the most underused file in Mac administration — it's been quietly recording every installation verdict all along, and the admin who reads it first skips forty minutes of guessing. Make it the runbook's literal first step for this ticket class.
Registration that never happens, token state that rots into prompt loops, and password drift after a reset — diagnosed with one command.
Platform SSO failures rarely look like identity problems. The reports are "Office keeps prompting," "the new Mac never asked me to register," and "my password works on the website but not on the Mac." All three trace back to one of three failure modes, and one command tells you which. Read the diagnostic surface first, then match the symptom to the mode below.
Diagnostic commandapp-sso platform -s (run as the signed-in user)
Log subsystemscom.apple.AppSSO · com.apple.ManagedClient in Console.app
Server-sideEntra ID › Sign-in logs (filter on the device and user)
The diagnostic surface
Run app-sso platform -s as the affected user before theorizing. It reports the real state: whether the device and user are registered, the device and user registration objects, token health, and the SSO extension configuration as the Mac actually sees it. One paste of its output settles most arguments faster than any amount of symptom description. For the why behind whatever state it shows, filter Console.app to com.apple.AppSSO (and com.apple.ManagedClient for the profile delivery side) — see the logging page's predicates.
1. Registration never happened
app-sso platform -s shows the device and/or user as not registered. The post-enrollment registration prompt is the load-bearing moment, and it usually fails by simply not appearing. Causes, in order:
The profile didn't land or didn't fire. Confirm the Single sign-on extension profile is present and applied: sudo profiles show should list the Platform SSO payload, and the ManagedClient stream shows its delivery. No profile, no prompt — if it's missing, this is a delivery problem first.
The user dismissed or deferred the prompt. Users defer the registration prompt indefinitely. Re-trigger it (sign out / sign in, or the configured re-prompt), and back it with comms during onboarding so registration is an expectation, not a surprise.
A stale Company Portal / SSO extension on an older image. Platform SSO depends on a current Company Portal and SSO extension build. On Macs imaged before the current enrollment kit, update those components.
Make the unregistered population a report, not a mystery: surface registration state through compliance policy.
2. Registered, but apps prompt in a loop
app-sso platform -s shows the device registered, but tokens are stale and apps re-prompt repeatedly. Network changes, long sleeps, password resets, or a Conditional Access policy change can all leave token state rotted. Work the escalation ladder, climbing only when the rung below fails — and capture the app-sso output at each step so you know what actually changed:
Re-authenticate. Trigger a fresh interactive sign-in in a prompting app; a successful sign-in often refreshes the token state on its own.
Refresh SSO state. Sign the user out and back in to force the extension to rebuild its token cache.
Re-register. The clean-slate move: remove the user registration and let the prompt re-run, re-establishing the registration objects from scratch.
3. Password drift after a reset
The "old password unlocks the Mac, the new one doesn't" window. In password-sync mode, the local account password and the Entra password can briefly diverge after an identity-side reset, because the local password only updates on the next online sign-in. The fix is exactly that: have the user sign in once while online (network reachable, at the login window or in an app) and the sync completes. The ticket disappears entirely if you tell users up front: after a password reset, sign in once while online before relying on the new password at the login window.
Insights
Distinguish SSO broken from access denied. A Conditional Access block presents to the user as a sign-in failure that looks identical to a broken SSO. The Entra sign-in logs name the blocking policy in one lookup — check them before re-registering, because a real fraction of "Platform SSO is down" reports are compliance findings doing their job.
Push reachability, captive networks, TLS inspection, and the connectivity floor under Mac management.
Every Mac management function — sync, app commands, remote actions — rides the same connectivity floor: APNs wakes the device, HTTPS carries the payload. When Macs go quiet or commands crawl, this floor is the first suspect, and its three legs fail in usefully distinguishable ways.
Intunequeues commands, serves payloads
→
APNsthe wake-up channel — 5223/443
→
Macfetches work over HTTPS
The Floor's Anatomy
The Mac maintains a persistent APNs connection (the 5223/443 story to Apple's push ranges); management pushes arrive as wake-ups; the MDM client then fetches work over HTTPS from Intune's service endpoints. Three legs — push, fetch, and Apple's own services (activation, VPP/App Store, update CDNs) — and each fails differently:
Push blocked: devices respond to nothing until they poll — the "sync from the portal does nothing, sync from the device works" signature
Fetch degraded: pushes arrive, payloads stall — large app deployments crawling while small profile changes land
Apple services strangled: installs and updates fail with store-flavored errors while management looks healthy
The Usual Network Suspects
TLS inspection: APNs and Apple services use certificate pinning — inspection breaks them by design; the fix is the inspection-bypass list from Apple's published hosts/ranges, delivered to the proxy team as architecture, not as a request
Captive portals and 802.1X gaps: the enrollment-day classic — pre-auth network states where the Mac can't reach anything; the open provisioning SSID hedge exists for this
Egress filtering by hostname-of-the-week: Apple's endpoints are ranges and evolving hostnames — allow by Apple's published requirements doc, reviewed on a calendar, not by whack-a-mole
Sleep semantics: a closed MacBook lid is not an incident — power-state awareness belongs in the stale-device thresholds, tuned per fleet so a long weekend doesn't read as an outage
The Verification Kit
Device-side: Apple's push-diagnostic surface and a curl-class reachability script against the documented endpoints — runnable by helpdesk, output pasteable into tickets. Fleet-side: check‑in distribution by network site — one office's Macs lagging is a firewall finding wearing a fleet costume.
Insights
Build the network requirements one-pager before the first escalation: Apple's ranges, Intune's endpoints, the no-inspection list, the ports — handed to network engineering as a standing artifact. Mac estates feel this acutely because Apple's certificate pinning makes inspection failures absolute rather than degraded — there is no "mostly working" APNs.
When the management stack becomes the workload — ES-subscriber contention, CPU triage, and the exclusion choreography.
"My Mac is slow since IT got it" is sometimes user folklore and sometimes precisely true: every Endpoint Security subscriber inspects every event, and a fleet running EDR + DLP + a legacy agent + an updater zoo has built a measurable tax. This page is the triage and the architecture answer.
The Triage
Name the consumer: Activity Monitor (or top via a diagnostic script for fleet-scale collection) during the complaint window — the offender is usually identifiable in sixty seconds, and "which process" splits the tree: a vendor agent burning CPU is a tuning/version finding; kernel-task-adjacent heat is often thermals or the OS mediating a misbehaving subscriber
Check the interaction, not just the agent: the classic pattern is two scanners scanning each other — EDR inspecting the backup tool's file sweep, DLP inspecting the EDR's logs — multiplicative load no single vendor's dashboard owns
The fix for scanner-on-scanner load is mutual exclusions, vendor-documented: each agent's paths/processes excluded from the others' inspection — per the vendors' published coexistence guidance, never improvised, because a hand-rolled exclusion is a detection hole with a performance excuse. Version the exclusion sets in the repo and revisit them when any agent majors.
Do
Name the consumer first — Activity Monitor during the complaint window
Apply mutual exclusions exactly as the vendors publish them
Correlate spikes with OS updates, agent waves, and sweep windows
Measure before and after — turn "feels slower" into a distribution
Don't
Improvise exclusions — a hand-rolled one is a detection hole with a performance excuse
Run two heavyweight ES subscribers in full mode
Leave a retired tool's orphaned daemon resident
The Architecture Answer
Standing load is a stack-design finding: the one-heavyweight-ES-subscriber doctrine, the agent-kit inventory as the registry of everything resident, and the retirement sweep actually removing what's decommissioned — the orphaned daemon from a retired tool is the purest form of pointless load. A fleet that can't list its resident agents can't reason about its baseline.
Insights
Measure before and after: a custom attribute sampling load/battery-impact indicators turns "feels slower" into a distribution — and turns your exclusion work into a before/after chart leadership understands.
The political note: performance is how security stacks lose user consent — the developer fleet especially will route around an agent that costs them build time. A tuned stack isn't a luxury; it's what keeps the coverage map honest.
Missing keys, failed enablement, and the locked-out morning — the FileVault failure catalog and its fixes.
Intune enables FileVault through a Disk encryption policy and escrows a personal recovery key (PRK) to the device record. Three things go wrong, and they need different fixes — so confirm which one you have before you touch the Mac. Start with two facts: what Intune thinks (device record → Recovery keys) and what the Mac knows (sudo fdesetup status).
Console pathEndpoint security › Disk encryption (macOS — FileVault)
Key escrowedPersonal recovery key (PRK), on the device record
Local truthsudo fdesetup status
Fleet viewReports › Encryption report
1. Policy says encrypt, but the Mac isn't encrypted
The Disk encryption profile is assigned and shows as applied, yet fdesetup status reports FileVault is Off. Work the causes in this order — cheapest first:
Enablement is deferred until the user signs out. FileVault can only turn on at a login-window event, so Intune arms it and waits. sudo fdesetup status will say "Deferred enablement appears to be active for user". This is normal — the user just hasn't logged out/restarted yet. Have them restart; if it must happen sooner, push a notification asking them to sign out.
The profile never actually landed. Confirm delivery before blaming FileVault: sudo profiles list should show the FileVault payload, and the policy should report Succeeded for the device. If it didn't arrive, this is a delivery problem — work enrollment and profile issues first.
The signed-in user has no secure token. FileVault enablement requires a secure-token holder; users created by some scripted/automated provisioning paths don't get one. Check with sysadminctl -secureTokenStatus <username>. If it's DISABLED, grant it (an existing token-holder runs sysadminctl -secureTokenON <username> -password -) — this is a bench fix, not a policy fix.
Across the fleet, the Encryption report (Reports › Encryption report, or pull it via Graph) lists every Mac's encryption and key-escrow state — that's how you find the stragglers without touching each device.
2. The Mac is encrypted, but no key is in escrow
The quiet, dangerous one: fdesetup status says FileVault is On, but the device record's Recovery keys tab is empty. You have encryption with no recovery path. Two common causes:
The Mac was encrypted before Intune managed it — common after a Jamf-to-Intune migration. The key was escrowed to the old MDM (or to a user's iCloud, or nowhere Intune can see).
A recovery key rotated but didn't re-escrow — the disk is encrypted with a key Intune doesn't hold.
The fix is to generate a new personal recovery key and escrow it. Intune does this automatically once the FileVault profile reapplies at a login event, but for already-encrypted Macs the reliable, hands-off way is the open-source Escrow Buddy (a login-window authorization plugin) deployed as a package: it regenerates and escrows the PRK at the next login for exactly the gap population the Encryption report identifies. See the open-source toolbox. Track escrow coverage (encrypted Macs with a key in Intune ÷ all encrypted Macs) and drive it to 100% — re-check it after any migration.
3. A user is locked out at the pre-boot screen
Forgotten password, or an account that lost its secure token. The user is stuck at the FileVault pre-boot login and can't reach the desktop. The recovery flow:
Retrieve the personal recovery key. In Intune, open the device → Recovery keys → show the FileVault personal recovery key. This is RBAC-gated and audit-logged — only roles with the Get FileVault key permission can read it, and every read is recorded.
Unlock the disk. At the pre-boot screen the user presses the ? next to the password field, then enters the recovery key. macOS boots and prompts them to set a new password for the account.
Set the new password and confirm they can sign in normally on the next restart.
Confirm the key rotated and re-escrowed. A used recovery key should be considered burned. Trigger a rotation (reapply the policy / next login with Escrow Buddy in place) and verify a new key now shows on the device record — otherwise you've quietly slid back into problem #2.
Rehearse this once a quarter on a test Mac so the first time you do it for real isn't live.
Verify a Mac is fully covered
On the Mac:sudo fdesetup status → FileVault is On, and fdesetup haspersonalrecoverykey → true.
In Intune: the device's Recovery keys tab shows a personal recovery key, and the Disk encryption policy reports Succeeded.
Fleet-wide: the Encryption report shows the device as encrypted with a key escrowed — both columns, not just the first.
Insights
Encryption coverage and escrow coverage are two different numbers. A Mac that's encrypted but has no key in Intune looks green on "encrypted" and is a disaster waiting for a forgotten password. Report on the escrowed-key percentage, not just the encrypted percentage.
Why a Mac sits past its DDM update deadline — and how to tell which of four causes you actually have before touching the device.
When a Mac doesn't move to its target version, the cause is almost always one of four things, and the fixes don't overlap — so confirm which one you have first. Start with two facts: what Intune declared (the DDM software-update policy — target version and deadline) and what the Mac knows (softwareupdate --list and the update logs). The four causes, in the order they're worth checking:
Fleet viewReports > Device compliance, and the per-device hardware inventory (model, OS, free storage)
Local truthsoftwareupdate --list · /var/log/install.log
Silicon prerequisiteBootstrap token escrowed (sudo profiles status -type bootstraptoken)
1. The deadline hasn't passed, or the declaration never arrived
Before treating a Mac as failing, confirm it is actually overdue and that it heard the deadline at all. A Mac inside its enforcement window is compliant, not broken.
Check the policy math. Compare the target version and the enforced-install deadline in the update policy against today's date. DDM enforcement windows are designs — a device inside the window simply hasn't been forced yet.
Confirm the declaration reached the device. A Mac that hasn't checked in hasn't received the update declaration. Verify recent check-in on the device record, then watch the declaration land on-device: Console.app filtered to subsystem com.apple.ManagedClient shows the software-update declaration arriving and its status. If the Mac is quiet, this is a connectivity problem — work network and APNs issues first.
Confirm the bootstrap token is escrowed. On Apple silicon, MDM-driven updates need the bootstrap token to authorize the install without a user password. Check with sudo profiles status -type bootstraptoken; if it's missing, no amount of deadline pressure will install the update — restore it via ADE re-enrollment or by having a secure-token user run sudo profiles install -type bootstraptoken.
2. The Mac can't take the target version
The declaration arrived and the deadline passed, but the update still won't install because the device is ineligible. Two common reasons:
The hardware aged out of the release. The target major doesn't support this model — confirm against Apple's supported-models list for that release. This is a refresh-planning problem, not a delivery one; exclude the model from the policy or replace the device.
Storage starvation. A macOS major upgrade needs substantial free space (Apple typically wants well over 20 GB free, more for the download plus install). The 128 GB Macs are the usual stragglers. Confirm on-device with df -h /System/Volumes/Data; pre-sort the fleet by the free-storage column in hardware inventory. Because the sync-first data posture keeps user files in OneDrive, clearing local space is usually safe — but verify sync coverage before deleting anything.
3. The conditions for an automatic install are never met
The Mac is eligible and has heard the deadline, but the install never fires because macOS requires power and connectivity it never gets.
Never on AC power. macOS will not begin a major update on battery. The desk-drawer MacBook that's never plugged in overnight never installs. Confirm by reading the deferral reason in /var/log/install.log and the ManagedClient stream.
The download never completes. A multi-gigabyte installer that loses to an evening VPN or a saturated link never finishes. Sites without content caching feel this hardest — stand up a caching server, or stage the update during a window with bandwidth.
DDM escalates pressure (and finally forces a restart) as the deadline nears, but if the conditions are structurally absent, fix the conditions. Pair the deadline with a user-facing heads-up — a Nudge prompt or a swiftDialog message — so the eventual forced restart isn't a surprise.
4. The update mechanism is genuinely wedged
Eligible, powered, connected, past deadline — and still stuck. The update daemons are in a bad state or a partial download won't clear. Work the ladder:
Restart the Mac. This clears most wedged-daemon and stuck-download states on its own.
Inspect and clear the download. Read /var/log/install.log and the ManagedClient stream for the actual failure; softwareupdate --list confirms whether the Mac still sees the update as available. Re-trigger from Intune after the restart.
Scripted reinstall. For the stubborn cases, a tool like erase-install downloads a fresh installer and reinstalls macOS in place — the scripted rung of the recovery ladder.
Rebuild. On a sync-first fleet, a Mac that has resisted an hour of update surgery is a rebuild decision: Erase All Content and Settings returns an Apple silicon Mac to a clean state in minutes. See re-enrollment and recovery.
Read the pattern across the fleet
Before chasing individual devices, look at the shape of the lag in the compliance and inventory reports — it usually names the cause:
One model lagging → eligibility (cause 2).
One site lagging → bandwidth / missing content caching (cause 3).
One enrollment ring or cohort lagging → declaration delivery (cause 1).
Scattered individuals → conditions and wedges (causes 3 and 4).
Insights
Diagnose from the report, confirm on the bench. The distribution tells you which of the four causes you're looking at faster than any single device will — but the actual fix still gets verified in install.log and the ManagedClient stream on the device.
The combination play: Installomator + Nudge + SOFA + swiftDialog is a complete third-party-currency and OS-pressure system, entirely open source, entirely Intune-deliverable — the strongest evidence in endpoint management that community tooling can be production-grade.
Escrow Buddy earns special mention for incident prevention: run the FileVault escrow-coverage query once, and any gap it finds is exactly what this tool exists to close before the locked-out-CFO morning.
Delegated administration that survives growth — roles decide what admins can do, scope tags decide what they can see.
The single-admin tenant doesn't scale past one site, one acquisition, or one bad day. Intune's answer is two orthogonal controls — design both before you need them.
The Two Axes
Control
Question it answers
Mechanism
Role (RBAC)
What actions can this admin perform?
Built-in or custom roles with granular permissions
Scope tag
Which objects can this admin see and touch?
Tags stamped on devices, policies, apps, profiles
An admin's effective access = role permissions ∩ objects bearing their scope tags.
Roles — Start Built-In
Help Desk Operator: view everything in scope, run remote actions (sync, restart, remote lock) — the tier-1 workhorse; no policy editing.
Policy and Profile Manager: configuration authoring without tenant-wide settings.
Read Only Operator: auditors, NOC dashboards.
Custom roles only when a real gap appears (e.g., "may wipe but not delete") — every custom role is documentation debt.
Assign roles to Entra groups, never individuals, with the assignment's scope groups limiting which users/devices the role acts on.
Scope Tags in Practice
Create tags per administrative boundary: Site-Indianapolis, BU-Healthcare, Region-EMEA.
Devices inherit tags automatically from their enrollment profile — set the tag on the enrollment profile and every device enrolling through it is born correctly tagged. This is the linchpin; manual tagging never keeps up.
Tag policies/apps to match. An object with no tag carries Default — visible to everyone holding Default, which is why step 4 matters:
Remove the Default tag from delegated admins' role assignments, or the whole model is decorative.
A Pattern That Scales
Central platform team: full roles + Default tag — owns baselines, the tenant-wide connectors and service tokens, and this site's Graph automation.
Site/BU IT: Help Desk Operator + their site tag — they service their devices, can't see anyone else's, can't break the baseline.
Connectors stay central, always. Tenant-wide connectors and certificates exist exactly once per tenant; their blast radius is every enrolled device, not one site. Delegation stops at the connector layer.
Do
Assign roles to Entra groups, never individuals
Set scope tags on enrollment profiles so devices are born tagged
Keep tenant-wide connectors and service tokens with the central team
Don't
Leave the Default tag on delegated admins' role assignments
Create custom roles before a real gap appears
Promise data isolation in reports before validating the monitor blades
Insights
Audit logs record actor + action — RBAC makes the log mean something when HR calls.
Scope tags don't partition reports as cleanly as objects; validate what delegated admins see in monitor blades before promising data isolation.
Acquisitions: tag the acquired fleet on day one (their own enrollment profiles → automatic tags) and you can delegate their legacy IT safely while integration proceeds.
The honest playbook for crossing to Intune — per platform, because the bridge is different on each.
The first truth of MDM migration: on mobile platforms, a device holds one management profile — no co-management, no silent hand-off; every device crosses via unenrollment + re-enrollment, and your job is making that crossing boring. The desktop platforms each bend that truth their own way. Universal regardless of fleet: inventory before touching anything — export the old MDM's device list and reconcile it against your enrollment source of truth, because every migration surfaces devices nobody knew existed, and you want to find them on paper, not at wipe time.
Corporate / ADE devices — the wipe wave
In ABM, reassign serials from the old MDM server entry to the Intune server entry (token setup).
Wipe (from the old MDM, or hands-on). At activation, the device hits the Remote Management screen pointing at Intune — supervised, locked, clean.
User signs in via Setup Assistant modern auth; VPP apps and policy land; done.
Cost: on-device app data is lost (managed-app cloud data survives — Outlook/Teams/OneDrive rehydrate). Communicate exactly that, nothing softer.
BYOD / unsupervised — user-driven
Old profile removed by the user (or retired by the old MDM) → enroll fresh via account-driven or web-based enrollment. Carrot beats stick: gate access on Intune compliance via Conditional Accessafter a generous migration window, and the long tail migrates itself.
Sequencing the Shared Dependencies
Asset
Constraint
Move
VPP location token
Lives in exactly one MDM at a time
Either migrate the location token at cutover (apps under it stop deploying from the old MDM), or use a second ABM Location for Intune during transition and shift licenses between locations
New token for Intune; reassign devices in ABM in waves
Conditional Access
The enforcement cutover
Run "compliant in old MDM or Intune" during transition if the old MDM has a compliance connector; otherwise date-based cutover with loud comms
Watch Activation Lock: clear it via the old MDM's bypass codes before wiping devices it manages — Intune has no codes for devices it never supervised.
Android's crossing runs the same one-profile law, with mode-specific bridges:
Legacy device administrator fleets — there is no in-place path; the device admin → Android Enterprise migration is a re-enrollment program of its own, and it's overdue by definition.
Corporate AE devices (fully managed, dedicated): factory reset → re-provision against Intune via QR / zero-touch. In the zero-touch portal, repoint the configuration at Intune first so resets land in the right console automatically; for dedicated fleets, stage by site with spare devices absorbing the swap.
Work profile BYOD: the gentlest crossing — old work profile removed (user or old MDM), fresh work-profile enrollment from Company Portal; personal data never in play. Same carrot: Conditional Access enforcement after the window.
Managed Google Play: bind your enterprise to Intune and re-approve the app catalog; private apps move with the enterprise binding, and app configuration policies are rebuilt against the new console, not exported.
Windows is the exception to the one-profile law — it has an actual bridge:
From ConfigMgr: co-management attaches both consoles to the same device and slides workloads to Intune one at a time — compliance first, then updates, then apps — with a pilot collection in front of every slide. No wipe, no re-enrollment; the migration is a sequence of workload decisions.
From a third-party MDM: unenroll from the old agent, then enroll via auto-enrollment (Entra-joined devices pick management up nearly silently) — or treat the migration as the hardware-refresh moment and let Autopilot deliver the clean target state instead of carrying the old image's sins forward.
Domain-joined estates: the real decision is identity, not MDM — Entra join vs. hybrid sets the ceiling on everything after; migrate to the target join state, not a mirror of the old one.
The Mac crossing runs the same ABM-reassignment mechanics as any Apple fleet — and since most arrivals come from Jamf, the real project is translation:
ADE Macs: reassign serials to Intune's MDM server entry in ABM, then erase (EACS makes this a 10-minute return-to-service, not a rebuild) → Setup Assistant lands enrollment, bootstrap token escrows, policy flows.
FileVault: recovery keys do not migrate — plan a re-escrow wave immediately post-enrollment and measure escrow coverage before declaring any Mac migrated.
The agent kit (PPPC, system extensions, login items) must be staged in Intune before the first wave, or security tooling greets migrated users with permission prompts.
Wave Plan That Works
Ring 0 (IT, 1 week): every enrollment path, every app, every crossing pattern you'll use.
Ring 1 (one site/department): real users, real helpdesk load data — staff the desk off this number.
Waves by site: corporate-device batches sized to helpdesk capacity (200–500 devices/wave is typical), BYOD self-service in parallel.
Cleanup: old MDM read-only for 30–60 days (audit trail, stragglers), then decommission and release its service tokens.
Do
Export and reconcile the old MDM's inventory before touching anything
Size corporate-device waves to helpdesk capacity
Keep the old MDM read-only for 30–60 days before decommissioning
Don't
Lift-and-shift the old design — migrate to the target state
Discover unknown devices at wipe time instead of on paper
Release the old MDM's service tokens while stragglers remain
Insights
The migration is the once-a-decade chance to fix sins: enrollment types, naming, scope tags, baseline hygiene. Migrate to the target design, never lift-and-shift the old mess.
Running endpoint management in GCC, GCC High, and DoD — what changes, what doesn't, and how to write scripts that survive both worlds.
Government and sovereign-cloud tenants run the same Intune with different plumbing and a delayed feature train. If you operate in (or sell into) these environments, internalize the deltas.
The Environments
Environment
Identity / Graph endpoints
Notes
Commercial
login.microsoftonline.com / graph.microsoft.com
The default everything on this site assumes
GCC (Moderate)
Commercial endpoints, compliance-bounded tenant
Closest to commercial behavior
GCC High
login.microsoftonline.us / graph.microsoft.us
Separate cloud; separate endpoints everywhere
DoD
login.microsoftonline.us / dod-graph.microsoft.us
As above, stricter
The Apple side is identical in all of them: same ABM, same APNs (devices still need the standard Apple network paths), same VPP. Apple doesn't have a "gov cloud" — your sovereignty boundary is on the Microsoft half.
Feature Lag Is Real
New Intune capabilities ship commercial-first and reach GCC High/DoD later — sometimes weeks, sometimes quarters. Operating rules:
Before designing around anything recent (new enrollment types, fresh Settings Catalog payloads), check Microsoft's Intune for US Government feature parity documentation rather than assuming the blog post applies to you.
Pilot in the actual target cloud. A commercial demo tenant proves nothing about your GCC High reality.
Write Cloud-Portable Automation
Hardcoded graph.microsoft.com is the classic landmine — scripts work in the lab, fail mysteriously in the customer's GCC High tenant. Parameterize the base URLs in every script (this site's foundation pattern adapts in two lines):
Token endpoint: https://login.microsoftonline.us/<tenant> for GCC High/DoD
Scope: https://graph.microsoft.us/.default to match
Same applies to anything anchoring on product release channels or rings — government clouds can trail, so version-anchored automation (update enforcement targets, app version checks) should read the environment's actual current state rather than assuming worldwide release timing.
Do
Parameterize token and Graph base URLs in every script
Pilot in the actual target cloud
Check the US Government feature-parity doc before designing around new capabilities
Don't
Hardcode graph.microsoft.com
Treat a commercial demo tenant as proof of GCC High behavior
Reuse app registrations or credentials across clouds
Insights
Documentation links in vendor blogs default to commercial portal URLs; your portal is intune.microsoft.us-side — train new admins early or they'll "lose" the tenant weekly.
Compliance frameworks (FedRAMP High, IL4/IL5) constrain connectors and integrations more than core MDM — every third-party MTD/telecom/reporting integration needs its own authorization story before it touches the tenant.
Mixed-estate consultancies: keep separate app registrations and credential vaults per cloud. Cross-cloud credential reuse is both impossible and an audit finding for trying.
Federation, directory sync, and the personal-Apple-ID conflict problem — identity decisions that shape your whole Apple estate.
Managed Apple Accounts (MAAs) are org-owned Apple identities issued through ABM. Several capabilities simply don't exist without them — decide your MAA posture early, because retrofitting identity is the worst kind of project.
Identity typeOrg-owned Apple Accounts issued through ABM
FederationMicrosoft Entra ID — work credentials, Conditional Access, MFA
If you're in the last row and staying there, your MAA strategy can legitimately be "none yet." Write that down as a decision, not an accident.
Federation: Make Apple Sign-In = Work Sign-In
ABM > Settings > Accounts (Managed Apple Accounts): federate with Microsoft Entra ID. Users authenticate to Apple services with their existing work credentials — your Conditional Access and MFA apply, no second password is born, offboarding disables the Apple identity with the Entra account.
Add directory sync (SCIM) from Entra ID so MAAs provision/deprovision automatically rather than on first sign-in — at scale, lifecycle automation is the difference between an identity system and a pile of accounts.
Entra IDwork credentials, Conditional Access, MFA
→
ABMissues Managed Apple Accounts
→
Apple servicesoffboarding follows the Entra account
The Domain-Capture Conflict
Federating a domain triggers Apple's conflict handling for personal Apple IDs already using work email addresses — and there are always more than anyone expects. Affected users are prompted to change their personal Apple ID's email (their purchases and data follow the renamed personal account; nothing is seized).
Run this as a managed mini-project, not a checkbox:
Check the conflict count first. ABM shows how many personal accounts are using your domain before you commit — get the number, then size the communication effort to it.
Announce with a runway. Tell affected users what is coming, what they need to do, and when — well before anything changes for them.
Publish a one-page FAQ answering the only question users actually care about: "what happens to my apps and purchases?" (They follow the renamed personal account; nothing is seized.)
Then flip federation. Surprise-federating a domain is how Apple identity projects acquire a bad reputation that outlives the project.
Insights
MAAs are deliberately constrained consumer-wise (limited purchasing, controlled iCloud scope) — that's the point; they're work identities. Set user expectations accordingly.
iCloud storage for MAAs and managed-account data separation on personal devices both flow from ABM-side settings — review them as policy decisions, not defaults.
Username format: match UPNs exactly. Every divergence between Entra UPN and MAA identifier becomes a helpdesk ticket with your name in the post-mortem.
App registration to first authenticated call — the PowerShell foundation every script on this site builds on.
Whatever platform your fleet runs on, your tenant can be automated end to end through Microsoft Graph. Every script in this section is plain PowerShell calling the REST API directly: no SDK modules, no dependencies, runs identically on PowerShell 5.1, PowerShell 7, and Azure Automation.
RequiresEntra app registration with application permissions
AuthClient credentials — secret for testing, certificate or Managed Identity in production
App inventory, app licensing, and install-status reports
DeviceManagementServiceConfig.Read.All
APNs certificate, ADE tokens
Grant admin consent.
Certificates & secrets: create a client secret for testing. For production, use a certificate or run from Azure Automation with a Managed Identity — secrets in scheduled scripts are how breaches start.
The Foundation Script
Save this as GraphFoundation.ps1 — every other script on this site embeds these two functions.
Scriptclient credentials
→
login.microsoftonline.comreturns the bearer token
→
graph.microsoft.compaged GETs, auto-retry on 429
<#
.SYNOPSIS
Foundation for Microsoft Graph automation - pure REST, no module dependencies.
Authenticates with client credentials and provides a Graph request wrapper
with automatic paging and throttling (429) handling.
.NOTES
Permissions: assign per-script least privilege (see table on this page).
Production: prefer certificate credentials or a Managed Identity over secrets.
#>
[CmdletBinding()]
param(
[Parameter(Mandatory)] [string]$TenantId,
[Parameter(Mandatory)] [string]$ClientId,
[Parameter(Mandatory)] [string]$ClientSecret
)
function Get-GraphToken {
param(
[Parameter(Mandatory)] [string]$TenantId,
[Parameter(Mandatory)] [string]$ClientId,
[Parameter(Mandatory)] [string]$ClientSecret
)
$body = @{
client_id = $ClientId
client_secret = $ClientSecret
scope = 'https://graph.microsoft.com/.default'
grant_type = 'client_credentials'
}
$tokenResponse = Invoke-RestMethod -Method POST `
-Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
-ContentType 'application/x-www-form-urlencoded' `
-Body $body
return $tokenResponse.access_token
}
function Invoke-GraphRequest {
<#
GET: follows @odata.nextLink paging and returns all results.
POST/PATCH/DELETE: returns the response (often empty / 204).
Retries automatically on 429 using the Retry-After header.
#>
param(
[Parameter(Mandatory)] [string]$Uri,
[ValidateSet('GET', 'POST', 'PATCH', 'DELETE')] [string]$Method = 'GET',
$Body = $null
)
$results = [System.Collections.Generic.List[object]]::new()
$nextUri = $Uri
while ($nextUri) {
try {
$params = @{
Method = $Method
Uri = $nextUri
Headers = @{ Authorization = "Bearer $script:GraphToken" }
ErrorAction = 'Stop'
}
if ($null -ne $Body) {
$params.Body = $Body | ConvertTo-Json -Depth 10
$params.ContentType = 'application/json'
}
$response = Invoke-RestMethod @params
if ($null -ne $response.value) {
$results.AddRange(@($response.value))
}
elseif ($null -ne $response -and $response -ne '') {
$results.Add($response)
}
$nextUri = $response.'@odata.nextLink'
}
catch {
$statusCode = $null
try { $statusCode = [int]$_.Exception.Response.StatusCode } catch { }
if ($statusCode -eq 429) {
$retryAfter = 10
try {
$retryAfter = [int]@($_.Exception.Response.Headers.GetValues('Retry-After'))[0]
}
catch { }
Write-Warning "Throttled by Graph (429). Waiting $retryAfter seconds..."
Start-Sleep -Seconds $retryAfter
continue # retry the same URI
}
throw
}
}
return $results
}
# --- Demo: your fleet at a glance, grouped by OS ---
$script:GraphToken = Get-GraphToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
"?`$select=id,deviceName,operatingSystem,osVersion,lastSyncDateTime&`$top=1000"
$devices = Invoke-GraphRequest -Uri $uri
Write-Host "Found $($devices.Count) managed devices." -ForegroundColor Cyan
$devices | Group-Object operatingSystem | Sort-Object Count -Descending |
Format-Table @{ n = 'Platform'; e = { $_.Name } }, Count -AutoSize
Things Worth Knowing Before You Script
Know your operatingSystem filter values. Each platform's collection on Useful Graph Calls lists the exact strings and quirks for that fleet.
$select everything you report on. Unselected calls return fat objects; at fleet scale that's real time and real throttling exposure.
v1.0 vs beta: stay on v1.0 unless a property forces you to beta — beta contracts change without notice. Each script page notes when beta is required.
Test in Graph Explorer first. Paste the URI, see the shape of the data, then script it.
Export your entire iOS/iPadOS fleet to CSV — supervision, compliance, OS spread, storage, and sync health in one pass.
The report you'll run weekly: every iOS/iPadOS device with the fields that actually drive decisions, plus console summaries of OS version spread, supervision coverage, and compliance.
Fleet-wide Android inventory with security patch aging, management-mode breakdown, and replacement-planning data.
The fleet-wide Android inventory to run on a schedule, built with the columns that matter on this platform: security patch age (your compliance-floor evidence), management mode, and OEM distribution (your update-support and replacement-budget evidence). Sovereign-cloud portable like every script on this site.
PatchAgeDays sorted descending puts your risk at the top of the CSV — the over-180 bucket is usually hardware past its OEM support window, i.e., a procurement conversation, not a nagging campaign.
Mode breakdown sanity-checks reality against design intent — BYOD work profiles appearing in a "corporate-only" tenant is a policy gap announcing itself.
Feed PatchAgeDays straight into your minimum-patch-level compliance decision: set the floor where it captures the stragglers without strafing the median.
90 daysdefault -PatchWarnDays window before a device flags STALE
180 dayspatch age that usually means hardware past its OEM support window
Fleet-wide Windows inventory with join-type split, Autopilot coverage, encryption rate, and build distribution — your cloud-migration KPIs in one CSV.
The fleet-wide Windows inventory to run on a schedule, with the columns this platform's strategy runs on: join type (the hybrid → Entra migration KPI), Autopilot coverage, encryption rate (the BitLocker attestation), and OS build distribution (the update-ring reality check).
Find, report, and safely retire iOS devices that stopped checking in.
Stale records rot every metric you have — compliance percentages, license counts, app install rates. This script finds iOS devices beyond a sync threshold and (optionally) retires or deletes them, with -WhatIf support and an exclusion list so the CFO's drawer-iPad survives.
PermissionsRead.All to report; ReadWrite.All to retire or delete
Default threshold90 days without a sync (-DaysStale)
Default actionReport — nothing changes until you opt in
Safety rails-WhatIf support plus a serial exclusion list
Retire vs Delete
Retire removes company data and management when the device next checks in. Harmless for truly dead devices; the right action for live-but-forgotten ones.
Delete removes the Intune object. If the device powers on later, it's unmanaged but still holds whatever it had. For supervised ADE devices, prefer retire/wipe flows so Activation Lock is handled — never delete a record before clearing AL.
Run -Action Report first. Always.
Monthly: run with -Action Report, eyeball the CSV, chase surprises (a whole site going stale = network problem, not device problem).
Quarterly: -Action Retire -DaysStale 120 -WhatIf, review, then drop -WhatIf.
Keep retired records around a cycle before any Delete pass — and for supervised hardware, your asset process (Activation Lock clearance, ABM reassignment) owns deletes, not this script.
ReportMonthly, -Action ReportEyeball the CSV — a whole site going stale is a network problem, not a device problem
RetireQuarterly, -WhatIf firstReview the plan, then drop -WhatIf; devices clear at next check‑in
DeleteAsset process onlyAfter Activation Lock clearance and ABM reassignment — never first
Sync, restart, or lock iOS devices at scale by serial number — plus an APNs certificate health check.
The remote actions you click one-at-a-time in the console — Sync, Restart (supervised), Remote lock — driven by a serial list instead. Overnight kiosk restarts, post-change fleet syncs, incident lockdowns.
Commands queue via APNs — an offline device executes when it next comes online. "Command sent" means accepted by the service, not completed on glass.
ScriptPOST remote action
→
Intunequeues the command
→
Deviceexecutes at next contact
Bonus: APNs Certificate Health Check
The check referenced throughout this site — wire it into your monitoring so certificate expiry never surprises you. Permission: DeviceManagementServiceConfig.Read.All.
# Requires a valid $script:GraphToken (see foundation above)
$apns = Invoke-GraphRequest -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate'
$daysLeft = [math]::Floor(([datetime]$apns.expirationDateTime - (Get-Date).ToUniversalTime()).TotalDays)
[PSCustomObject]@{
AppleId = $apns.appleIdentifier
Expires = $apns.expirationDateTime
DaysRemaining = $daysLeft
Status = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le 30) { 'RENEW NOW' } else { 'OK' }
}
if ($daysLeft -le 30) {
Write-Warning "APNs certificate expires in $daysLeft days. Renew with the SAME Apple ID: $($apns.appleIdentifier)"
}
Catch exhausted app licenses and expiring VPP tokens before silent install failures do.
When a VPP app runs out of licenses, installs fail silently — no user error, no admin alert, just devices missing apps. This report surfaces token health and per-app license headroom in one pass.
EXHAUSTED: buy more licenses in ABM (free apps included — just raise the quantity) and sync the token under Tenant administration > Connectors and tokens > Apple VPP tokens.
Token lastSyncStatus failing: usually an ABM password change or token re-download elsewhere — re-download the .vpptoken from ABM and update the connector.
Run it weekly on a schedule; alert on any non-OK row. This single report prevents the most baffling class of "app won't install" tickets.
One scheduled script watching all three Apple lifelines — APNs certificate, VPP tokens, and ADE tokens.
Three annually-expiring Apple credentials can each take down a different slice of your fleet: the APNs certificate (all commands), VPP tokens (app deployment), and ADE server tokens (new-device enrollment). This script checks all three and exits non-zero on any warning — drop it in Azure Automation on a daily schedule and wire the failure to your alerting.
Renewal calendar still applies — this script is the safety net, not the process. Two named owners per credential, renewal at 11 months.
The -GraphBase/-LoginBase parameters make it sovereign-cloud portable — pass the .us endpoints in GCC High/DoD.
In Azure Automation, swap the secret for a Managed Identity token and alert on the runbook's failure status — the non-zero exit is designed for exactly that.
30 daysdefault -WarnDays expiry warning window
48 hoursADE sync age that flags SYNC STALE
11 monthscalendar renewal point — the script is the safety net, not the process
Enforce a fleet-wide naming convention on supervised iOS devices with the setDeviceName action.
IOS-IND-4F7K2M in the console, on the lock screen, and on the asset label beats Tom's iPhone (3) every day of the week. Supervised devices accept a remote rename via Graph — this script applies a template across the fleet.
The rename is queued via APNs like any action — offline devices pick it up at next contact.
A user on an unsupervised device can rename it right back; this convention game is for supervised corporate fleets (Settings Catalog can also block user renaming — search "device name").
Pair with the lock screen asset tag so the name on glass matches the name in the console.
Find every device missing or failing a required app — by name, with exportable failure detail.
"Is Outlook actually on every device?" deserves a better answer than scrolling the portal. This script resolves an app by display name and reports per-device install state, exporting the failures for follow-up — and Reading the States below tells you where to take what you find.
failed + an error detail → start at App Install Failures; license exhaustion and storage are the leaders.
failed + an error detail → start at Android App Install Failures; storage pressure and Play connectivity are the leaders.
failed + an error detail → start at Win32 App Failures; content download and disk space are the leaders.
failed + an error detail → start at App Install Failures on Mac; license exhaustion and storage are the leaders.
notInstalled with no error → the install command may simply be queued (device offline) — check LastSync before escalating.
A wall of failures sharing one timestamp usually means a VPP token or APNs event, not a device problem.
A wall of failures sharing one timestamp usually points at the service side — check the Managed Google Play connection under Tenant administration before blaming devices.
When the console doesn't have your setting — every platform's escape hatch for deploying configuration the UI hasn't surfaced.
Every platform eventually presents the same moment: the setting exists, the vendor documented it, and the Intune UI doesn't have a checkbox for it yet. Each platform has a custom lane for exactly this — different formats, same discipline: check the built-in surface first, document everything you hand-craft, and treat custom payloads as code.
The Settings Catalog covers most of Apple's MDM surface, but Apple ships payloads faster than any console can expose them. The escape hatch: build a .mobileconfig yourself and deploy it as a custom profile.
When to Reach for Custom
A brand-new payload from this year's iOS release
Vendor-supplied profiles (Wi-Fi gear, SSO/PKI vendors often hand you one)
Settings Catalog has the payload but not the one key you need
Always check the Catalog first — custom profiles are invisible to Intune's reporting granularity (it knows the profile applied, not each setting).
Build It
iMazing Profile Editor (free): every Apple payload with inline documentation — the community's standard tool.
Apple Configurator: fine for basics.
Hand-edit XML when you must; validate with plutil -lint profile.mobileconfig.
Example: Encrypted DNS (DNS over HTTPS)
A clean, modern example — point devices at a protective DNS resolver system-wide:
Devices > iOS/iPadOS > Configuration > Create > Templates > Custom — name it, upload the file, assign.
Rules That Save You Pain
Every PayloadUUID must be unique — generate fresh ones per profile (uuidgen); duplicating a UUID across profiles makes the device treat them as the same profile, with replacement chaos.
Changing content? Keep the identifiers, bump nothing else — same identifiers = clean in-place update.
Signing is optional via MDM delivery (the MDM channel is the trust); don't burn time on it.
Document every custom profile in your wiki with the payload reference link — future-you cannot read XML intent.
Android Enterprise deliberately has no raw-profile upload lane — there is no XML file to hand-craft. The "custom" surfaces are structured instead, and they cover the same ground:
The Two Custom Lanes
OEMConfig — the OEM publishes a schema app (Knox Service Plugin, Zebra OEMConfig) exposing every hardware knob the manufacturer supports, far beyond the generic policy surface. This is where barcode-scanner settings, hardware-key remapping, and firmware controls live.
App configuration policies — managed-config key/value payloads delivered to any app that declares restrictions. For apps whose schema Intune renders, it's a form; for the rest, the JSON editor is the custom escape hatch:
The key names and types come from the app's own managed-configuration schema — the vendor's admin guide or the app's Managed Google Play listing defines them; nothing here is invented.
the setting is a manufacturer hardware knob — scanners, key remapping, firmwareOEMConfigThe OEM's schema app exposes every knob the hardware supports.
you're configuring an app that declares managed configurationsApp configuration policyForm when Intune renders the schema; JSON editor for the rest.
Rules That Save You Pain
OEMConfig schemas are versioned with the OEM app — pin and test before letting the schema app auto-update across a production fleet.
Scope OEMConfig by manufacturer with an assignment filter — a Zebra schema assigned to a Samsung does nothing useful and clutters reporting.
One OEMConfig profile per device is the safe assumption; consolidate settings rather than stacking profiles.
The Settings Catalog now exposes most of the CSP surface, but Windows has carried a custom lane for years and it still earns its keep: custom OMA-URI profiles, speaking directly to CSP nodes the Catalog hasn't surfaced — plus ADMX ingest for third-party apps that ship Group Policy templates.
the CSP node is documented but the Settings Catalog hasn't surfaced itCustom OMA-URIOne row per node — the data type must match the CSP docs exactly.
a third-party app ships Group Policy templatesADMX ingestIngest the template first, then set its policies by URI.
When to Reach for Custom
A CSP node documented by Microsoft but not yet in the Catalog (new OS releases ship CSPs ahead of UI)
Third-party ADMX policies (Chrome and Edge are built in these days; your niche vendor's template isn't)
A Catalog setting that exists but lacks the one sub-key you need
Custom OMA-URI
Devices > Windows > Configuration > Create > Templates > Custom. Each row is one CSP node:
The data type must match the CSP documentation exactly (String, Integer, Boolean, String XML) — a type mismatch is the classic silent-looking failure that actually surfaces as a remediation-failed error code.
ADMX Ingest (Third-Party Templates)
Two-step pattern — first ingest the template, then set its policies:
# Step 1 - ingest the ADMX file (paste the file's XML as the String value)
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/YourApp/Policy/YourAppAdmx
Data type: String
Value: <the full contents of YourApp.admx>
# Step 2 - configure a policy the template defines
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/YourApp~Policy~YourCategory/YourPolicyName
Data type: String
Value: <enabled/>
The Step-2 URI path comes from the ADMX's own category/policy names — read the template, don't guess.
Rules That Save You Pain
Catalog first, always — custom OMA-URI rows report a per-URI status code, but decoding those codes means a trip to the CSP docs; Catalog settings report in plain English.
One profile per concern, named for the CSP it touches — a twenty-row custom grab-bag is unmaintainable.
Document the CSP reference link per row; the URI alone tells future-you nothing.
Macs get two custom lanes in Intune, and choosing the right one matters:
Lane 1: Custom .mobileconfig
The same craft as any Apple platform — when the Settings Catalog lacks the payload, build the profile yourself and deploy via Devices > MacOS > Configuration > Templates > Custom. Build with iMazing Profile Editor (free, every payload documented inline), validate with plutil -lint, and a compact example — a managed login-window banner:
For app preference domains (com.vendor.app), Intune's Preference file template deploys managed preferences without you wrapping them in profile XML — give it the domain and the plist, done. Reach for this when you're configuring an app rather than the OS; reach for Lane 1 when you need a real MDM payload type.
you need a real MDM payload type the Settings Catalog lacksCustom .mobileconfigBuild it in iMazing Profile Editor, validate with plutil, deploy via Templates > Custom.
you're configuring an app's preference domainPreference file templateHand Intune the domain and the plist — no profile XML wrapping.
Rules That Save You Pain
Every PayloadUUID must be unique (uuidgen per profile); reused UUIDs make profiles replace each other unpredictably.
Same identifiers + changed content = clean in-place update; new identifiers = a second profile.
Test on the bench unit per OS release — Apple deprecates payload keys, and custom profiles don't warn you.
Document every custom payload with its reference link; the agent-channel scripts are the answer when no MDM payload exists at all.
The copy-paste Graph endpoints an endpoint admin reaches for weekly — per platform.
Quick reference — all relative to https://graph.microsoft.com/v1.0 unless marked beta. Paste into Graph Explorer or feed to the foundation script.
Calls that work identically everywhere:
# Single device, trimmed
GET /deviceManagement/managedDevices/{id}?$select=deviceName,osVersion,complianceState,lastSyncDateTime
# Devices that haven't synced since a date (add your platform filter)
GET /deviceManagement/managedDevices?$filter=lastSyncDateTime le 2026-03-01T00:00:00Z
# Settings Catalog policies / compliance policies
GET /deviceManagement/configurationPolicies
GET /deviceManagement/deviceCompliancePolicies
# Recent Intune audit events (who wiped what)
GET /deviceManagement/auditEvents?$top=50&$orderby=activityDateTime desc
# Sync any device (POST, empty body)
POST /deviceManagement/managedDevices/{id}/syncDevice
# --- Devices ---
# All iOS/iPadOS devices (iPadOS reports as iOS)
GET /deviceManagement/managedDevices?$filter=operatingSystem eq 'iOS'
# Find a device by serial
GET /deviceManagement/managedDevices?$filter=serialNumber eq 'F2LXK3ABCD12'
# Supervision and version, trimmed
GET /deviceManagement/managedDevices/{id}?$select=deviceName,isSupervised,osVersion,complianceState
# --- Remote actions (POST, empty body) ---
POST /deviceManagement/managedDevices/{id}/rebootNow # supervised
POST /deviceManagement/managedDevices/{id}/remoteLock
POST /deviceManagement/managedDevices/{id}/retire
POST /deviceManagement/managedDevices/{id}/requestRemoteAssistance
# --- Apple service health ---
# APNs certificate (expiry watch!)
GET /deviceManagement/applePushNotificationCertificate
# ADE (DEP) tokens and their sync state
GET /deviceManagement/depOnboardingSettings
# Force an ABM sync (respect the 15-minute rate limit)
POST /deviceManagement/depOnboardingSettings/{id}/syncWithAppleDeviceEnrollmentProgram
# ADE enrollment profiles under a token
GET /deviceManagement/depOnboardingSettings/{id}/enrollmentProfiles
# --- Apps & VPP ---
# VPP tokens (state, expiry, lastSyncStatus)
GET /deviceAppManagement/vppTokens
# All apps -> filter client-side where '@odata.type' eq '#microsoft.graph.iosVppApp'
GET /deviceAppManagement/mobileApps?$top=999
# Install status for one app
GET /deviceAppManagement/mobileApps/{id}/deviceStatuses
# --- App protection (MAM) ---
GET /deviceAppManagement/iosManagedAppProtections
# All Android devices (covers every Android Enterprise mode)
GET /deviceManagement/managedDevices?$filter=operatingSystem eq 'Android'
&$select=id,deviceName,manufacturer,model,osVersion,androidSecurityPatchLevel,deviceEnrollmentType,complianceState
# Patch-level floor check (ISO dates compare correctly as strings)
GET /deviceManagement/managedDevices?$filter=operatingSystem eq 'Android' and androidSecurityPatchLevel le '2026-03-01'
# Noncompliant Android only
GET /deviceManagement/managedDevices?$filter=operatingSystem eq 'Android' and complianceState eq 'noncompliant'
# App protection (MAM) policies
GET /deviceAppManagement/androidManagedAppProtections
The mode fingerprint (deviceEnrollmentType values), targeting rules, and the rest of the cookbook live on the dedicated page: Useful Graph Calls — Android.
# --- Devices ---
# All Windows devices
GET /deviceManagement/managedDevices?$filter=operatingSystem eq 'Windows'
&$select=id,deviceName,model,manufacturer,osVersion,complianceState,lastSyncDateTime
# Find a device by name
GET /deviceManagement/managedDevices?$filter=deviceName eq 'LAPTOP-7F3K2'
# --- Autopilot ---
# Registered Autopilot identities (serial, model, profile assignment status)
GET /deviceManagement/windowsAutopilotDeviceIdentities
# --- Remote actions (POST) ---
POST /deviceManagement/managedDevices/{id}/rebootNow
POST /deviceManagement/managedDevices/{id}/windowsDefenderScan
# body: { "quickScan": true }
POST /deviceManagement/managedDevices/{id}/windowsDefenderUpdateSignatures
# --- BitLocker ---
# Escrowed recovery key IDs (key retrieval is a separate, heavily-audited permission)
GET /informationProtection/bitlocker/recoveryKeys
# --- Remediations (beta) ---
GET https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts
# --- Devices ---
# All Macs
GET /deviceManagement/managedDevices?$filter=operatingSystem eq 'macOS'
&$select=id,deviceName,model,osVersion,complianceState,lastSyncDateTime
# Find a Mac by serial
GET /deviceManagement/managedDevices?$filter=serialNumber eq 'C02XK3ABMD6T'
# --- Remote actions (POST, empty body) ---
POST /deviceManagement/managedDevices/{id}/rebootNow # supervised
POST /deviceManagement/managedDevices/{id}/shutDown # supervised
POST /deviceManagement/managedDevices/{id}/remoteLock # sets a 6-digit PIN - record it
# --- Apple service health (shared Apple plumbing) ---
GET /deviceManagement/applePushNotificationCertificate
GET /deviceManagement/depOnboardingSettings
# --- Scripts (beta) ---
GET https://graph.microsoft.com/beta/deviceManagement/deviceShellScripts
The operatingSystem filter value is the string macOS as Graph reports it — one of the rare places that spelling is load-bearing, so copy it exactly.
Three habits: $select what you report on, page via @odata.nextLink (the foundation script does it for you), and prototype in Graph Explorer before you script.
# All Android devices (covers every Android Enterprise mode)
GET /v1.0/deviceManagement/managedDevices?$filter=operatingSystem eq 'Android'
&$select=id,deviceName,manufacturer,model,osVersion,androidSecurityPatchLevel,deviceEnrollmentType,ownerType,complianceState,lastSyncDateTime
# Patch-level floor check (ISO dates compare correctly as strings)
GET /v1.0/deviceManagement/managedDevices?$filter=operatingSystem eq 'Android' and androidSecurityPatchLevel le '2026-03-01'
# Noncompliant Android only
GET /v1.0/deviceManagement/managedDevices?$filter=operatingSystem eq 'Android' and complianceState eq 'noncompliant'
deviceEnrollmentType values you'll meet on Android Enterprise — the mode fingerprint:
# Corporate-owned Android
(device.deviceOSType -contains "Android") and (device.deviceOwnership -eq "Company")
# Everything from one enrollment token/profile - self-maintaining by design
(device.enrollmentProfileName -eq "Dedicated-Warehouse-Scanners")
# Naming-convention fleets (corporate modes where IT controls device names)
(device.displayName -startsWith "SCAN-")
Verify deviceOSType in your tenant
Android Enterprise devices register with OS-type strings that have varied across modes and eras (Android, AndroidEnterprise, AndroidForWork). Before trusting a rule fleet-wide, list a few known devices' actual values — -contains "Android" is the forgiving starting point; tighten once you've seen your tenant's reality.
Assignment Filter Expressions
# OEM-scoped (keep Zebra OEMConfig off Samsungs)
(device.manufacturer -eq "Zebra Technologies")
# Mode-scoped via enrollment profile
(device.enrollmentProfileName -startsWith "COPE-")
# OS floor for a policy needing modern APIs
(device.osVersion -ge "13")
The filters-over-dynamic-groups guidance applies unchanged: filters evaluate at delivery time, dynamic groups lag — enrollment-critical Android policy should be filter-shaped.
The copy-paste targeting cookbook — per-platform rules, and when to use a filter instead of a group.
Targeting is half of endpoint management. Two tools, one decision rule: filters evaluate instantly at policy delivery; dynamic groups take time to calculate. Prefer filters for include/exclude shaping, keep dynamic groups for membership you reuse across many assignments (licensing, CA, app bundles).
you're shaping one assignment's include/exclude and delivery timing mattersAssignment filterEvaluates instantly at policy delivery — the shape for enrollment-critical targeting.
you reuse one membership across many assignments — licensing, Conditional Access, app bundlesDynamic groupReal group membership, but it takes time to calculate after enrollment.
Dynamic Device Group Rules (Entra ID)
# All corporate iPhones and iPads
(device.deviceOSType -in ["iPhone","iPad"]) and (device.deviceOwnership -eq "Company")
# All personal (BYOD-enrolled) devices
(device.deviceOSType -in ["iPhone","iPad"]) and (device.deviceOwnership -eq "Personal")
# Everything enrolled through a specific ADE profile (THE workhorse - see note)
(device.enrollmentProfileName -eq "ADE-Corporate-1to1")
# Shared iPad fleet
(device.enrollmentProfileName -eq "SharedIPad-Production")
# Kiosks by naming convention (pairs with the Bulk Device Rename script)
(device.displayName -startsWith "KIOSK-")
# iPads only, any ownership
(device.deviceOSType -eq "iPad")
The enrollmentProfileName trick
Entra's device object has no "supervised" attribute — but every device from a given ADE profileis supervised. Targeting by enrollmentProfileName is how you build "all supervised corporate devices" in practice, and it self-maintains forever.
Assignment Filter Expressions (Intune)
Create under Tenant administration > Filters (platform iOS/iPadOS), then attach at assignment time with include/exclude mode:
# Corporate-owned only
(device.deviceOwnership -eq "Corporate")
# A specific enrollment profile
(device.enrollmentProfileName -eq "ADE-Corporate-1to1")
# iPads, excluding one model family
(device.model -startsWith "iPad") and (device.model -notContains "iPad mini")
# OS floor for a policy that needs newer-release features (DDM updates etc.)
(device.osVersion -startsWith "17") or (device.osVersion -startsWith "18")
Dynamic Device Group Rules (Entra ID)
# Corporate-owned Android
(device.deviceOSType -contains "Android") and (device.deviceOwnership -eq "Company")
# Everything from one enrollment token/profile - the same self-maintaining trick
(device.enrollmentProfileName -eq "Dedicated-Warehouse-Scanners")
# Naming-convention fleets (corporate modes where IT controls device names)
(device.displayName -startsWith "SCAN-")
Verify deviceOSType in your tenant
Android Enterprise devices register with OS-type strings that have varied across modes and eras (Android, AndroidEnterprise, AndroidForWork). Before trusting a rule fleet-wide, list a few known devices' actual values — -contains "Android" is the forgiving starting point; tighten once you've seen your tenant's reality.
Assignment Filter Expressions (Intune)
# OEM-scoped (keep Zebra OEMConfig off Samsungs)
(device.manufacturer -eq "Zebra Technologies")
# Mode-scoped via enrollment profile
(device.enrollmentProfileName -startsWith "COPE-")
# OS floor for a policy needing modern APIs
(device.osVersion -ge "13")
The full Android query cookbook — enrollment-type values, patch-level Graph filters — lives in Useful Graph Calls — Android.
Dynamic Device Group Rules (Entra ID)
# All corporate Windows devices
(device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company")
# Everything from one Autopilot deployment profile (self-maintaining)
(device.enrollmentProfileName -eq "Autopilot-UserDriven-Standard")
# Virtual machines by model + naming convention
(device.displayName -startsWith "BOT-") and (device.deviceModel -contains "Virtual")
# Kiosk/shared PCs by naming convention
(device.displayName -startsWith "KIOSK-")
The enrollmentProfileName trick on Windows
The attribute populates with the Autopilot deployment profile name — which makes "all devices that came through Autopilot profile X" a one-line, self-maintaining group that never needs manual upkeep.
Assignment Filter Expressions (Intune)
# Corporate-owned only
(device.deviceOwnership -eq "Corporate")
# Physical machines only (exclude VMs from BitLocker, baselines, etc.)
(device.model -notContains "Virtual")
# One hardware family for a driver-sensitive policy
(device.manufacturer -eq "Dell Inc.") and (device.model -startsWith "Latitude")
# OS floor for a feature-gated policy
(device.osVersion -startsWith "10.0.2")
Dynamic Device Group Rules (Entra ID)
# All Macs (the OSType value Entra registers for Mac MDM enrollments)
(device.deviceOSType -eq "MacMDM")
# Corporate ADE Macs via enrollment profile (self-maintaining)
(device.enrollmentProfileName -eq "ADE-Mac-Standard")
# Naming-convention fleets
(device.displayName -startsWith "MAC-")
MacMDM is the value
Entra registers Intune-enrolled Macs with deviceOSType of MacMDM — not the OS marketing name, not "Mac". Build one known-good Mac, check its device object, and you'll never guess again.
Assignment Filter Expressions (Intune)
# Corporate-owned only
(device.deviceOwnership -eq "Corporate")
# Model families (laptops vs desktops get different power/security posture)
(device.model -startsWith "MacBook")
# OS floor for a policy that needs a recent release
(device.osVersion -ge "14")
Rules of the Road
Dynamic membership can lag minutes-to-hours after enrollment — a brand-new device missing "everything assigned to the dynamic group" is usually just early. Filters don't have this problem, which is why enrollment-critical policy (identity/SSO, Wi-Fi) should be filter-shaped.
Never nest dynamic groups inside dynamic groups when you can avoid it; each layer adds calculation delay.
Name groups and filters with one convention — IOS-DG-Corporate-All, IOS-FLT-Supervised — so assignment screens read like sentences.
Name groups and filters with one convention — AND-DG-Corporate-All, AND-FLT-Dedicated — so assignment screens read like sentences.
Name groups and filters with one convention — WIN-DG-Corporate-All, WIN-FLT-Physical-Only — so assignment screens read like sentences.
Name groups and filters with one convention — MAC-DG-Corporate-All, MAC-FLT-Laptops — so assignment screens read like sentences.
