Evaluating Intune against Workspace ONE UEM: MacOS Edition

My blog has become the gold standard of evaluating Workspace ONE and Intune. My most famous article which has had north of 5K views in the last year took an unbiased look at these two great platforms. Today, we will look at MacOS, which has been a request by a number of people since my Windows two-part article came out. We will look at Enrollment, Device Profiles, Compliance, Application Management, and Security.

Round 1: MacOS Device Enrollment

MacOS Device Enrollment isn’t very complicated. We expect that every platform can do DEP, do DEP well, and the enrollment experience is top notch. One of the things that we are doing this time around is a few match-off videos where we show the setup experience or user experience for both platforms to prove how good or bad it is. Let’s start things off with the DEP Battle Royale!

royal rumble wrestling GIF by WWE

Intune vs. Workspace ONE DEP Capabilities

Microsoft’s implementation of DEP is really basic. We’re going to watch the video below to show how the two of them face off. The basic truth is that Intune is just hitting the bare minimum. It’s basically the setup assistant toggles, department number, and department. Workspace ONE hits that note, but them elevates it at least 3 or 4 levels.

As you saw in the video, the implementation of the great new Custom Enrollment along with the automated standard user account and managed admin account with a rotating password is absolutely phenomenal. It would be great to see Microsoft invest some more time on the DEP supportability because it’s a huge foundation.

Intune Enrollment with MacOS

Moving onto the enrollment itself, lets take a look at what the Intune Enrollment experience looks like below. First, we’ll watch and then we’ll discuss!

As you saw, the entire user experience is really great on MacOS, but the main issue that I saw is one that I have written about in the past. Intune can be a little bit disjointed, which you saw was the case. After enrollment or after deploying an application, it can sometimes take up to one hour to see apps. Otherwise I think the experience overall was very nice.

Intune Enrollment Score: 6

Workspace ONE Enrollment with MacOS

VMware has investing some significant effort into the user experience for their enrollments and you can tell. With their unified catalog built into the Intelligent Hub, which has many potential capabilities like People Search, Mobile Flows, etc. You can see from the demo below what that user onboarding experience is coupled with their great investment in DEP makes a substantial offering.

As you saw, it’s a crisp and smooth experience when enrolling with Workspace ONE. They definitely earned their score. Personally, I think they could take a few cues from Microsoft with their consumer-centric and simplistic enrollment.

Workspace ONE Enrollment Score: 9

Round 2: MacOS Device Profiles

This section took an exhaustive amount of time. The 30+ device profiles that exist on MacOS are certainly complicated as MacOS management is not for the weak of heart. I assure you that it will be surprising to see where this landed…

Workspace ONE vs. Intune Device Profiles

The best way to look at this will be with some table magic as it’s remarkably confusing.

WS1 Device ProfilesIntune MatchNotes
PasscodeDevice Restrictions
NetworkIntune supports outer identity. WS1 adds these: TLS minimum and maximum versions, allow direct connections if PAC is down, WiFi captive portal
VPNVPNIntune lets you block users from disabling On-Demand or Per-App VPN. WS1 supports integrating VPN with system extensions via Provider Designated Requirement, ability to exclude or include all traffic.
SCEPSCEP
DockNONE
CredentialsPKCS CertificateIntune doesn’t support Identity Preference.
RestrictionsDevice RestrictionsWS1 doesn’t let you block iTunes File Sharing, Lookups, or iCloud Photo Library but Intune does.
Intune doesn’t support the following: restricting systems preference items, game center, deprecated TLS, App Store, whitelisting/blacklisting folders, restricting widgets, restricting sharing services except AirDrop, restricting media, locking desktop picture, blocking iCloud data overall, blocking iCloud passwords for local accounts, blocking Find my iCloud, blocking AirPrint.
Software Update (Update Policy)NONE
Parental ControlsMostly NONEDisabling dictation is in here, but otherwise not supported by Intune
DirectoryNONE
Security & PrivacyDevice Restrictions/Endpoint ProtectionIntune doesn’t support “Require password after sleep begins” or “Send Diagnog to Apple”
KEXTExtensions
Privacy PrefsDevice Restrictions
EncryptionEndpoint ProtectionIntune ONLY supports Personal Key and nothing else. 
Login ItemsDevice FeaturesWS1 separates out network mounts as its not obvious Intune can use this for network shares **Test this**
Login WindowsDevice FeaturesIntune only supports windows layout, power button settings, apple menu disablement. (Disable shutdown, restart, power off, log out, lock screen while logged in.) WS1 supports several other options, reference tab for login windows
Energy SaverNONE
Time MachineNONE
FinderNONE
AccessibilityNONE
PrintingNONE
ProxiesNONE
Smart CardNONE
MobilityNONE
Associated DomainsDevice FeaturesIntune lets you enable direct downloads instead of going through a CDN
Managed DomainsDevice Restrictions
SSO ExtensionDevice FeaturesIntune gives you Azure AD SSO Extension (Intune exclusive), Intune also lets you deploy custom domain realm mappings (Map a host that doesn’t match the realm name)
Skip Setup AssistantNONE
Content FilterNONE
System ExtensionsExtensions
Airplay MirroringNONE
AirPrintDevice FeaturesIntune lets you customize Port and TLS, which is a bug because those are iOS only features
xSANNONE
FirewallEndpoint ProtectionIntune will let you whitelist or blacklist apps on the Firewall which WS1 doesn’t.  WS1 instead will automatically allow all signed apps to receive incoming connections. WS1 also supports stealth mode to block stuff like Ping.
Firmware PasswordNONE
Custom AttributesCustom Attributes

The good news is that Intune has a few features that Workspace ONE is missing:

Content CachingDevice FeaturesIntune supports content caching, which lets you cache icloud data and other apple content e.g. software updates/apps, *WS1 will let you disable it*
Apple ClassroomDevice RestrictionsIntune supports customization of Apple Classroom experience features
Preference FilePreference FileIntune lets you import plists directly to applications

Workspace ONE Profiles Score: 8.5

Intune Profiles Score: 5

Round 3: MacOS Compliance Profiles

MacOS compliance is crucial as the OS continues to evolve. It’s crucial to make sure that we are monitoring for gaps and moving swiftly. Luckily, both VMware and Microsoft do a nice job handling them.

Workspace ONE vs. Intune Device Compliance

The compliance table can be seen below. For the most part, I wouldn’t expect with Gatekeeper that application compliance will matter all that much, but it would be nice to see Microsoft let you blacklist models and based on device last seen:

Device ComplianceIntune ComparableNotes
System Integrity ProtectionExists in Intune
Application ComplianceNOLet’s you flag devices as compromised that have or do NOT have an application or application version.
Disk EncryptionExists in Intune
Device ModelNOBlacklist certain Mac models
OS VersionExists in Intune
Device Last SeenNO

Workspace ONE Compliance Score: 9

Intune Compliance Score: 7.5

Round 4: MacOS Application Management

When it comes to application management, we focus on two things: packaging and deploying applications. We will take a look at how both applications are packaged and deployed. Let’s dig in!

Workspace ONE vs. Intune Application Packaging

One of the things that Microsoft is very fond of doing in Intune is having a special hocus pocus way of packaging apps that is tedious and painful. MacOS is no different. VMware is no prince either as they have their own packaging tool as well. Check out the video to see a side-by-side comparison of the two products.

As you saw, the big issue is that Intune will only let you packaging .PKG files, but despite that they have some very cool capabilities with their tool like setting customized bundle identifiers and versions, which I love. Sure you could use code like this below, but you shouldn’t have to:

sudo productbuild --component /Applications/Application.app ~/Downloads/Application.pkg

Overall, the Munki codebase that VMware has adapted for application management is a very strong decision that has worked out well as you can see with the VMware Admin Assistant. Either way, they both work pretty well, but VMware’s tool is obviously a bit easier to use for the lay person.

Workspace ONE Application Deployment

Workspace ONE application deployment is very strong. It certainly takes some getting used to, but once you get the basics down you can deploy apps very easily. Check the walkthrough below and then we’ll discuss:

As you can see, Workspace ONE does a nice job when it comes to application deployment. Sometimes you may need to use their product provisioning technology for certain tools, which lets you deploy apps with config files, scripts, etc to create a structured deployment and setup for an application. I usually leverage product provisioning, which is the ability to deploy files, scripts, applications, etc and create a harmonious collaboration. This is only temporary until Freestyle Orchestrator releases, so i won’t waste more time on it.

Intune ONE Application Deployment

Intune application deployment is very problematic unfortunately. Simplistically, MacOS application deployments that do NOT support pre-install scripts or post-install scripts are NO BUENO for MacOS. I was remarkably disappointed to see that they can deploy apps, but that’s really about it. Check out the video so you can see the experience:

Another issue that I ran into is that there is no version control. One of my favorite things about Workspace ONE’s application management for all platforms is the ability to add versions to applications and have true application version control. They do support the ability to deploy scripts, but it only supports shell scripts. My apologies to all of the python users out there. I think it’s worth mentioning since as you can see below, they support the ability to deploy scripts with frequency, which is an area that VMware could do better with.

Workspace ONE Application Management Score: 9

Intune Application Management Score: 5

Round 5: MacOS Security

When I focus on MacOS Security, I look at Endpoint Detection and Response, encryption, compliance, firewall, and gatekeeper.

We covered most of these in other sections. I look at Carbon Black and Microsoft Defender for Endpoint as essentially a wash. Intune and Workspace ONE are relatively close on MacOS security. VMware wins on encryption and compliance and Microsoft wins at the firewall level.

I’m not going too deep on this, but simply they are tied. The great news is that MacOS provides a number of frameworks that empower vendors to deliver secure solutions on MacOS through gatekeeper, system extensions, and much more.

Workspace ONE Security Score: 8

Intune Security Score: 8

The Final Tally

Let’s add things up and see where we land:

VMware Workspace ONEMicrosoft Intune
Enrollment96
Profiles8.55
Compliance97.5
Application Management95
Security88
Total Score43.531.5

Honestly, I was way too easy on Microsoft considering the significant gaps all over their MacOS offering with Intune. I can see why many people at Microsoft recommend using JAMF and doing the Intune integration. Part of me is sorry that I even committed my time and effort to doing all of the research on the platform, but it’s necessary to keep a good eye on the where UEM platforms are at so we can challenge our vendors to deliver a superior product.

4 thoughts on “Evaluating Intune against Workspace ONE UEM: MacOS Edition”

  1. Pingback: Service – Week 13-2021 Workspace ONE Updates – Julius Lienemann

Leave a Reply

Scroll to Top
%d bloggers like this: