Mobile Jon's Blog

Evaluating Intune against Workspace ONE UEM: MacOS Edition

My blog has become the gold standard for evaluating Workspace ONE and Intune. My most famous article, which has had north of 5K views in the last year, took an unbiased look at these two great platforms. Today we will look at MacOS, which a number of people have requested since my two-part Windows article came out. We will look at enrollment, device profiles, compliance, application management, and security.

Round 1: MacOS Device Enrollment

MacOS device enrollment isn’t very complicated. We expect that every platform can do DEP, do it well, and deliver a top-notch enrollment experience. One new thing this time around is a few match-off videos that show the setup experience or user experience on both platforms to prove how good or bad each one is. Let’s start things off with the DEP Battle Royale!

Intune vs. Workspace ONE DEP Capabilities

Microsoft’s implementation of DEP is really basic. Watch the video below to see how the two of them face off. The basic truth is that Intune is just hitting the bare minimum: it’s basically the Setup Assistant toggles, department number, and department. Workspace ONE hits that note, but then elevates it at least 3 or 4 levels.

As you saw in the video, the implementation of the great new Custom Enrollment, along with the automated standard user account and a managed admin account with a rotating password, is absolutely phenomenal. It would be great to see Microsoft invest some more time in DEP supportability, because it’s a huge foundation.

Intune Enrollment with MacOS

Moving on to the enrollment itself, let’s take a look at what the Intune enrollment experience looks like below. First we’ll watch, then we’ll discuss!

As you saw, the entire user experience is really great on MacOS, but the main issue I saw is one I have written about in the past: Intune can be a little disjointed, which you saw was the case here. After enrollment or after deploying an application, it can sometimes take up to an hour to see apps. Otherwise, I think the experience overall was very nice.

Intune Enrollment Score: 6

Workspace ONE Enrollment with MacOS

VMware has invested significant effort into the user experience for their enrollments, and you can tell, with a unified catalog built into the Intelligent Hub that offers many capabilities like People Search, Mobile Flows, etc. As the demo below shows, that user onboarding experience, coupled with their great investment in DEP, makes for a substantial offering.

As you saw, it’s a crisp and smooth experience when enrolling with Workspace ONE. They definitely earned their score. Personally, I think they could take a few cues from Microsoft with their consumer-centric and simplistic enrollment.

Workspace ONE Enrollment Score: 9

Round 2: MacOS Device Profiles

This section took an exhaustive amount of time. The 30+ device profiles that exist on MacOS are certainly complicated, as MacOS management is not for the faint of heart. I assure you it will be surprising to see where this landed…

Workspace ONE vs. Intune Device Profiles

The best way to look at this will be with some table magic as it’s remarkably confusing.

WS1 Device Profile | Intune Match | Notes
--- | --- | ---
Passcode | Device Restrictions |
Network | | Intune supports outer identity. WS1 adds these: TLS minimum and maximum versions, allow direct connections if PAC is down, Wi-Fi captive portal
VPN | VPN | Intune lets you block users from disabling On-Demand or Per-App VPN. WS1 supports integrating VPN with system extensions via Provider Designated Requirement, and the ability to exclude or include all traffic.
SCEP | SCEP |
Dock | NONE |
Credentials | PKCS Certificate | Intune doesn’t support Identity Preference.
Restrictions | Device Restrictions | WS1 doesn’t let you block iTunes File Sharing, Lookups, or iCloud Photo Library, but Intune does. Intune doesn’t support the following: restricting System Preferences items, Game Center, deprecated TLS, App Store, whitelisting/blacklisting folders, restricting widgets, restricting sharing services except AirDrop, restricting media, locking the desktop picture, blocking iCloud data overall, blocking iCloud passwords for local accounts, blocking Find My iCloud, blocking AirPrint.
Software Update (Update Policy) | NONE |
Parental Controls | Mostly NONE | Disabling dictation is in here, but otherwise not supported by Intune
Directory | NONE |
Security & Privacy | Device Restrictions / Endpoint Protection | Intune doesn’t support “Require password after sleep begins” or “Send Diagnostics to Apple”
KEXT | Extensions |
Privacy Prefs | Device Restrictions |
Encryption | Endpoint Protection | Intune ONLY supports Personal Key and nothing else.
Login Items | Device Features | WS1 separates out network mounts; it’s not obvious Intune can use this for network shares (still to be tested)
Login Window | Device Features | Intune only supports window layout, power button settings, and Apple menu disablement (disable shutdown, restart, power off, log out, lock screen while logged in). WS1 supports several other options; see its Login Window tab for the rest.
Energy Saver | NONE |
Time Machine | NONE |
Finder | NONE |
Accessibility | NONE |
Printing | NONE |
Proxies | NONE |
Smart Card | NONE |
Mobility | NONE |
Associated Domains | Device Features | Intune lets you enable direct downloads instead of going through a CDN
Managed Domains | Device Restrictions |
SSO Extension | Device Features | Intune gives you the Azure AD SSO Extension (Intune exclusive); Intune also lets you deploy custom domain realm mappings (map a host that doesn’t match the realm name)
Skip Setup Assistant | NONE |
Content Filter | NONE |
System Extensions | Extensions |
AirPlay Mirroring | NONE |
AirPrint | Device Features | Intune lets you customize Port and TLS, which is a bug because those are iOS-only features
xSAN | NONE |
Firewall | Endpoint Protection | Intune will let you whitelist or blacklist apps on the firewall, which WS1 doesn’t. WS1 instead will automatically allow all signed apps to receive incoming connections. WS1 also supports stealth mode to block things like ping.
Firmware Password | NONE |
Custom Attributes | Custom Attributes |

The good news is that Intune has a few features that Workspace ONE is missing:

Intune Feature | Intune Profile | Notes
--- | --- | ---
Content Caching | Device Features | Intune supports content caching, which lets you cache iCloud data and other Apple content, e.g. software updates and apps. *WS1 will only let you disable it*
Apple Classroom | Device Restrictions | Intune supports customization of Apple Classroom experience features
Preference File | Preference File | Intune lets you import plists directly to applications

Workspace ONE Profiles Score: 8.5

Intune Profiles Score: 5

Round 3: MacOS Compliance Profiles

MacOS compliance is crucial as the OS continues to evolve, so we need to make sure we are monitoring for gaps and moving swiftly. Luckily, both VMware and Microsoft do a nice job handling it.

Workspace ONE vs. Intune Device Compliance

The compliance table can be seen below. For the most part, with Gatekeeper in place I wouldn’t expect application compliance to matter all that much, but it would be nice to see Microsoft let you blacklist models and flag devices based on when they were last seen:

Device Compliance | Intune Comparable | Notes
--- | --- | ---
System Integrity Protection | Exists in Intune |
Application Compliance | NO | Lets you flag devices as compromised that have, or do NOT have, an application or application version.
Disk Encryption | Exists in Intune |
Device Model | NO | Blacklist certain Mac models
OS Version | Exists in Intune |
Device Last Seen | NO |

Workspace ONE Compliance Score: 9

Intune Compliance Score: 7.5

Round 4: MacOS Application Management

When it comes to application management, we focus on two things: packaging and deploying applications. We will take a look at how applications are packaged and deployed on both platforms. Let’s dig in!

Workspace ONE vs. Intune Application Packaging

One of the things that Microsoft is very fond of doing in Intune is having a special hocus pocus way of packaging apps that is tedious and painful. MacOS is no different. VMware is no prince either as they have their own packaging tool as well. Check out the video to see a side-by-side comparison of the two products.

As you saw, the big issue is that Intune will only let you package .PKG files, but despite that their tool has some very cool capabilities like setting customized bundle identifiers and versions, which I love. Sure, you could use code like this below, but you shouldn’t have to:

sudo productbuild --component /Applications/Application.app ~/Downloads/Application.pkg
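A fuller version of that packaging step, as an added example that is not from the post or from either vendor’s tooling: it uses Apple’s pkgbuild rather than productbuild so the bundle identifier and version are set explicitly and a postinstall script rides along inside the .pkg. ExampleApp, com.example.app and the paths are constructed placeholders, and the actual build only runs where pkgbuild exists (the validation and script-writing steps run anywhere).

```shell
#!/bin/sh
# Added example (not from the post): build a component .pkg with an explicit
# identifier/version and a postinstall script. Names and paths are placeholders.
set -eu

# Installer receipts and upgrade logic key on the identifier, so insist on a
# reverse-DNS shape such as com.example.app before building anything.
valid_identifier() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# Version must be dotted numerics (1.2.3) so UEM version comparisons stay sane.
valid_version() {
  printf '%s' "$1" | grep -Eq '^[0-9]+(\.[0-9]+)*$'
}

# pkgbuild --scripts expects a directory holding executable files named
# preinstall/postinstall; installer runs them as root, with $3 = target volume.
write_postinstall() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/postinstall" <<'EOF'
#!/bin/sh
# Runs as root after the payload is laid down; $3 is the target volume (e.g. /).
mkdir -p "$3/Library/Application Support/ExampleApp"
touch "$3/Library/Application Support/ExampleApp/.installed"
exit 0
EOF
  chmod 755 "$dir/postinstall"
}

# build_pkg <root dir holding ExampleApp.app> <identifier> <version> <scripts dir> <out.pkg>
build_pkg() {
  root=$1 identifier=$2 version=$3 scripts=$4 out=$5
  valid_identifier "$identifier" || { echo "bad identifier: $identifier" >&2; return 1; }
  valid_version "$version" || { echo "bad version: $version" >&2; return 1; }
  write_postinstall "$scripts"
  # pkgbuild ships with macOS only; skip the build elsewhere so the rest stays runnable.
  if command -v pkgbuild >/dev/null 2>&1; then
    pkgbuild --root "$root" --install-location /Applications \
      --identifier "$identifier" --version "$version" \
      --scripts "$scripts" "$out"
  fi
}
```

Run it as `build_pkg ./payload com.example.app 1.2.3 ./scripts ~/Downloads/ExampleApp.pkg`; the resulting package carries its own identifier, version and postinstall logic regardless of which UEM deploys it.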

Overall, adapting the Munki codebase for application management was a very strong decision by VMware that has worked out well, as you can see with the VMware Admin Assistant. Either way, they both work pretty well, but VMware’s tool is obviously a bit easier to use for the layperson.

Workspace ONE Application Deployment

Workspace ONE application deployment is very strong. It certainly takes some getting used to, but once you get the basics down you can deploy apps very easily. Check the walkthrough below and then we’ll discuss:

As you can see, Workspace ONE does a nice job when it comes to application deployment. For certain tools you may need to use their product provisioning technology, which lets you deploy files, scripts, applications, etc. together as a structured deployment and setup for an application. I usually leverage product provisioning for this. It is only a stopgap until Freestyle Orchestrator releases, so I won’t waste more time on it.

Intune Application Deployment

Intune application deployment is, unfortunately, very problematic. Put simply, application deployments that do NOT support pre-install or post-install scripts are NO BUENO for MacOS. I was remarkably disappointed to see that they can deploy apps, but that’s really about it. Check out the video so you can see the experience:

Another issue I ran into is that there is no version control. One of my favorite things about Workspace ONE’s application management on all platforms is the ability to add versions to applications and have true application version control. Intune does support deploying scripts, but only shell scripts; my apologies to all the Python users out there. It’s worth mentioning, as you can see below, that they support deploying scripts on a recurring schedule, which is an area where VMware could do better.

Workspace ONE Application Management Score: 9

Intune Application Management Score: 5

Round 5: MacOS Security

When I focus on MacOS Security, I look at Endpoint Detection and Response, encryption, compliance, firewall, and gatekeeper.

We covered most of these in other sections. I look at Carbon Black and Microsoft Defender for Endpoint as essentially a wash. Intune and Workspace ONE are relatively close on MacOS security. VMware wins on encryption and compliance and Microsoft wins at the firewall level.

I’m not going too deep on this; simply put, they are tied. The great news is that MacOS provides a number of frameworks that empower vendors to deliver secure solutions on MacOS through Gatekeeper, system extensions, and much more.

Workspace ONE Security Score: 8

Intune Security Score: 8

The Final Tally

Let’s add things up and see where we land:

Round | VMware Workspace ONE | Microsoft Intune
--- | --- | ---
Enrollment | 9 | 6
Profiles | 8.5 | 5
Compliance | 9 | 7.5
Application Management | 9 | 5
Security | 8 | 8
Total Score | 43.5 | 31.5

Honestly, I was way too easy on Microsoft considering the significant gaps all over their MacOS offering with Intune. I can see why many people at Microsoft recommend using JAMF and doing the Intune integration. Part of me is sorry that I even committed my time and effort to doing all of the research on the platform, but it’s necessary to keep a good eye on where UEM platforms are so we can challenge our vendors to deliver a superior product.

10 thoughts on “Evaluating Intune against Workspace ONE UEM: MacOS Edition”

  1. Pingback: Service – Week 13-2021 Workspace ONE Updates – Julius Lienemann

  2. Pingback: Filling the Gaps in MacOS Management - Mobile Jon's Blog

  3. Jon, the question is why, despite all of your good points and numbers, VMware is more and more struggling against Intune in the corporate world. The answer is fairly easy and I am missing the responsible criteria in your comparison. Since the great days of AirWatch and now WS1 in the corporate world, days have changed: Everybody is moving into the cloud – for a good reason! I myself work with no company that hasn’t already reached out for M365 – especially Microsoft Teams – and therefore now has to manage Azure AD for user and device identities, as well as to protect cloud-based enterprise apps. In this sense VMware falls quite short. Users are still considered to be sourced from on-premises AD. Support for Azure AD conditional access policies asking for compliance of a device does not exist (macOS is still not GA) or is still in its early days (all other platforms). Microsoft is here – you can call it unfair – in the key position to promote its own Endpoint Manager solution perfectly integrated with Azure AD, but artificially limits the capabilities of all third-party vendors – like VMware – to do the same. Just have a look at the user experience of registering a device with Azure AD using Intune and using WS1. They are worlds apart and the distance will stay, because Microsoft is controlling all aspects of integration. And I am not talking about just nicer icons – I am talking about failing flows because of incorrect user interaction and therefore masses of support tickets you better want to avoid. But yes, I am with you: In a legacy device management environment, completely designed on-premises, I would always choose VMware over Microsoft for good reasons.

    1. Specifically, the MacOS management on Intune is really, really rough. I would never use it. Even if a company moves to Intune, they would be remiss in not buying Jamf to manage their MacOS devices directly (which is what I would do if I needed a solution to only manage MacOS). I definitely agree that the Azure AD Conditional Access experience is not the best. I personally hate the “flipping” back and forth. From my perspective, Intune is the top platform for Windows management by quite a bit, but they still have more work to do on non-Windows platforms. At the end of the day, we still have issues as engineers in rationalizing why the “free” product isn’t good enough.
