October 31, 2022

macOS Management with Intune - Part IV


Welcome to the next part of the macOS management series. In this post, I will help you deploy different apps to your corporate macOS devices.

Microsoft Edge

You have the below-listed options to configure Edge as a managed browser on the MacBooks.

  1. Settings Catalog
  2. Property List Files
  3. Custom profiles

Settings Catalog

It is the easiest and simplest way of configuring policies for Microsoft Edge, as Microsoft has now included almost every setting that can be configured for Edge in the Settings Catalog to make Edge your corporate-managed browser.

Log in to the Intune admin portal, navigate to Devices > macOS > Configuration Profile, and select Settings Catalog as the profile type.

Property List Files

A property list file known as a plist is a structured text file that contains essential configuration information for a bundled executable. The file contents are structured using XML, and its contents are a set of keys and values describing different aspects of the bundle. The system uses these keys and values to obtain information about your app and how it is configured. All bundled executables (plug-ins, frameworks, and apps) must have a property list file.

By convention, the name of an information property list file is Info.plist. The name of this file is case-sensitive and must have an initial capital letter I. This file resides in the top level of the bundle directory. In macOS bundles, this file resides in the bundle’s Contents directory.

The simplest way to create an Info.plist file is to use Xcode. To do so, open Xcode on your Mac and click File > New.

Now, select macOS as the platform and “Property List” as the resource, and keep the file name as com.microsoft.Edge.plist.

Then you can configure all the settings you want for Edge as your corporate browser.

Do you need to try this hard to configure Edge? No!

Thanks to Microsoft for making our life easier. You can download the policy templates file from the Microsoft Edge Enterprise landing page. It has an example plist file (itadminexample.plist), which contains all supported data types that you can customise to define your policy settings.

Save it as “com.microsoft.Edge.plist”. This name is case-sensitive and shouldn’t include the channel you’re targeting because it applies to all Microsoft Edge channels.

The next part is deploying the plist file to your target devices. Log in to the Intune portal, create a new device configuration profile for the macOS platform and select the Preference file profile type. Target com.microsoft.Edge as the preference domain name and upload the plist, which you just modified in the previous step.

Assign the profile to the device group, and Edge will be silently configured on those devices.
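A pre-upload check for the plist described above, as an added example that is not part of the original post or of any Microsoft tooling: it builds a small policy file with Python's standard plistlib and lints the file name and contents before the file goes into the Preference file profile. The policy keys are real Edge policy names with constructed values, and the list of accepted value types is an assumption.

```python
import plistlib

EXPECTED_NAME = "com.microsoft.Edge.plist"  # case-sensitive, no channel suffix
# Assumption: only these plist value types are expected in a policy file.
ALLOWED_TYPES = (bool, int, str, list, dict)

# Constructed sample: real Edge policy names, illustrative values.
SAMPLE_POLICIES = {
    "SmartScreenEnabled": True,
    "PasswordManagerEnabled": False,
    "HomepageLocation": "https://intranet.example.com",
    "RestoreOnStartup": 4,
    "RestoreOnStartupURLs": ["https://intranet.example.com"],
}


def build_plist(policies):
    """Serialise a policy dict to XML plist bytes."""
    return plistlib.dumps(policies, fmt=plistlib.FMT_XML, sort_keys=True)


def _bad_values(value, path):
    """Yield a message for each value whose type is outside ALLOWED_TYPES."""
    if not isinstance(value, ALLOWED_TYPES):
        yield f"{path}: unexpected type {type(value).__name__}"
    elif isinstance(value, dict):
        for key, child in value.items():
            yield from _bad_values(child, f"{path}.{key}")
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from _bad_values(child, f"{path}[{index}]")


def lint_edge_plist(filename, data):
    """Return a list of problems; an empty list means the file passed."""
    problems = []
    if filename != EXPECTED_NAME:
        problems.append(f"file name must be exactly {EXPECTED_NAME}")
    try:
        root = plistlib.loads(data)
    except Exception as exc:  # malformed XML or unrecognised plist format
        return problems + [f"not a valid plist: {exc}"]
    if not isinstance(root, dict) or not root:
        return problems + ["top level must be a non-empty dictionary"]
    for key, value in root.items():
        problems.extend(_bad_values(value, key))
    return problems


if __name__ == "__main__":
    print(lint_edge_plist(EXPECTED_NAME, build_plist(SAMPLE_POLICIES)))
```
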

Deploying Microsoft 365 Apps

Microsoft 365 for Mac, or Microsoft 365 apps for Mac as it’s now known, is a key part of any Microsoft 365 deployment or any macOS deployment in an organisation.

We can use three different mechanisms within Microsoft Intune to get Microsoft 365 Apps deployed to Macs.

  1. Mac App Store via Volume Purchase Program (VPP)
  2. Microsoft Content Delivery Network
  3. Intune Scripting Agent for Mac

Deploying Microsoft 365 Apps for Mac via Volume Purchase Program (VPP) (Not the recommended way)

This method requires an Apple VPP token configured with your Intune tenant. Before proceeding further, ensure that you’ve followed the steps documented here.

Once you have an Apple Business Manager VPP token synchronised with Intune, proceed further to assign Office Apps to your users.

  1. Open https://business.apple.com/#main/appsandbooks
  2. Click in the search menu box, change the Type to “Mac” and search for “Microsoft”.
  3. Select the Application that you want to assign licenses.
  4. Assign the Application to your organisation and enter the number of licenses that you need. Since these apps have no cost, it makes sense to enter more licenses than you will need.
  5. Once you have entered the values, click Get. The Application will temporarily show as Processing.
  6. Repeat the process for the other applications that you intend to use.
  7. Open Intune admin portal and select Tenant Administration > Connectors and tokens > Apple VPP Tokens.
  8. Select the Token you want to sync and click Sync in the ellipsis menu.
  9. In the Intune admin portal, navigate to Apps > macOS, filter for unassigned apps, and then type “Microsoft” into the search bar.
  10. Select each app you wish to deploy and assign it to an Azure AD group.

Deploying Microsoft 365 Apps for Mac via the Microsoft Content Delivery Network (Recommended way)

This mechanism is supported natively by Intune and is as simple as checking a box and providing a group of users to deploy it to. Those users will receive the entire Microsoft 365 Apps suite (which includes Teams and the Microsoft AutoUpdate tool).

  • Open Intune admin portal, select Apps > macOS > Add
  • Under Select “App Type” choose Microsoft 365 Apps > macOS
  • Review the apps and add as Required apps to the appropriate device group.

Deploying Microsoft 365 Apps for Mac via the Intune Scripting Agent for Mac

This approach uses the Intune scripting agent to download and install the Office suite or individual apps.

You can download the scripts from Microsoft GitHub Repo:

  1. Deploy entire Office Suite
  2. Deploy individual Office Suite apps

These two scripts do the same thing. Once deployed onto the Mac, they attempt to download the installer package and install it.

  • Open the file in your text editor of choice and modify the AppsToInstall array to include only Outlook, Word, PowerPoint and OneDrive.
  • Mark the script as executable by opening a Terminal session and using the chmod +x command.
  • Open the Intune admin portal and navigate to Devices > macOS > Shell Scripts > Add
  • Enter a Name and Description and click Next.
  • Click the file browse UI in the Upload script dialog and select the saved file.
    • Run script as signed-in user = No
    • Hide script notifications on device = Not configured
    • Script frequency = Not configured
    • Set the Max number of retries to 3 and leave the rest as Not configured
  • Assign the script to the device group.

The Intune script agent runs on an 8-hour check-in cycle but can be manually triggered by the end user.

  1. Open the Company Portal app (sign in if prompted).
  2. Select the device you are using.
  3. Click Check Settings under the ellipses menu.

There is no right or wrong among these three approaches, and each is applicable in certain circumstances. However, the recommended way to deploy M365 apps to your Macs is the CDN approach, as it provides the best mixture of complexity and flexibility and is the easiest to support for most scenarios.


With this, I will end the series as we have configured all the policies and profiles required for enrolling and managing macOS devices with Intune. We have also configured Microsoft Edge and M365 apps as required apps to make your users productive immediately after device provisioning.

I hope this will help you to manage the Macs more effectively.

Keep learning and stay #intuneinspired.