Evaluating Microsoft Endpoint Manager Against Workspace ONE UEM MacOS 2022 Edition

Well, it’s about that time that we take a long look at MacOS management in MEM and Workspace ONE UEM and see what has changed. Last year’s article was a popular one, as we discovered that the Microsoft offering left much to be desired. Hopefully they will have caught up a bit, but we only learn by evaluation. We will use the same 5 rounds as criteria: Device Enrollment, Profiles, Compliance, Application Management, and Security. Without further ado, let’s get started.

Round 1: MacOS Device Enrollment Revisited

Like before, we have a few basic requirements with device enrollment:

  • Support the Device Enrollment Program (DEP)
  • Not suck at DEP
  • A solid user experience during enrollment

Overall, device enrollment isn’t that complicated, but you need to get the job done. A poor user experience is unacceptable; at the same time, enrollment has to balance features and functionality so that users can work instantly with a solid out-of-the-box experience. Let’s start with DEP!

MEM vs Workspace ONE UEM DEP Capabilities

You will find in the video that not much changed from 2011, with a small enhancement from Microsoft around Modern Authentication support for the Company Portal enrollment. It’s definitely a welcome user experience change, but overall MEM continues to do the bare minimum when it comes to DEP.

There is still no excuse that Microsoft hasn’t supported the Apple capabilities around creating admin accounts and rotating passwords, which is not a nice-to-have. It’s a MUST HAVE! As I mentioned last year, the OOBE is foundational and vital to enrollment. Microsoft knows this, as they have AutoPilot on PCs, but MacOS can no longer be a second-class citizen in the enterprise.

As you saw, the gap is not insignificant when it comes to DEP. That’s just the reality of where we are. To be honest, Microsoft needs to put more effort in. Supporting all platforms is no excuse for substandard efforts here. Let’s get into the enrollment experience!

MEM Enrollment on MacOS

The MEM enrollment on MacOS is exactly the same as it was in 2021, which is sort of the theme when it comes to MacOS management with Microsoft, unfortunately. I keep hoping they will make some advancements, but for the most part it’s the same old story.

As you saw in the video, it’s the same as it was last year. The Apps onboarding is pretty weak still. They lose points for making zero progress in a year.

MEM Enrollment Score: 5

Workspace ONE UEM Enrollment for MacOS

The Workspace ONE UEM enrollment experience was pretty good in 2021. I have to admit that they have made even more advancements in the last year. They have worked hard to implement their OOBE Status Tracking Pages that I wrote about not too long ago. Let’s check the demo to see what their offering looks like in 2022:

As you saw, they have gotten stronger in this area and I don’t have a ton of room for criticism. I think we can admit it does run a bit slow, but that can sometimes be the inevitable cost of progress. Delivering a better experience can be a bit more complicated, and the small increase in enrollment time is part of that, but I think it’s well worth it.

Workspace ONE Enrollment Score: 10

Round 2: MacOS Device Profiles Revisited

This section is usually the most exhausting, but luckily we did a ton of the work last year. We will show the total profiles that are now available along with highlighting what is new!

Workspace ONE vs. Intune Device Profiles

| WS1 Device Profile | MEM Match | Notes |
| --- | --- | --- |
| Passcode | Device Restrictions | |
| Network | | MEM supports outer identity. WS1 adds these: TLS minimum and maximum versions, allow direct connections if PAC is down, WiFi captive portal. Intune also supports Wired Network Profiles. |
| VPN | VPN | MEM lets you block users from disabling On-Demand or Per-App VPN. WS1 supports integrating VPN with system extensions via Provider Designated Requirement, and the ability to exclude or include all traffic. |
| SCEP | SCEP | |
| Dock | NONE | |
| Credentials | PKCS Certificate | MEM doesn’t support Identity Preference. |
| Restrictions | Device Restrictions | WS1 doesn’t let you block iTunes File Sharing, Lookups, iCloud Private Relay or iCloud Photo Library, but MEM does. MEM doesn’t support the following: restricting System Preferences items, deprecated TLS, App Store, whitelisting/blacklisting folders, restricting widgets, restricting sharing services except AirDrop, restricting media, blocking iCloud passwords for local accounts, blocking Find My Mac, blocking AirPrint. |
| Software Update (Update Policy) | NONE | |
| Parental Controls | Mostly NONE | Disabling dictation is in here, but otherwise not supported by MEM. |
| Directory | NONE | |
| Security & Privacy | Device Restrictions/Endpoint Protection | MEM doesn’t support “Require password after sleep begins” or “Send Diagnostic to Apple”. |
| KEXT | Extensions | |
| Privacy Prefs | Device Restrictions | |
| Encryption | Endpoint Protection | MEM ONLY supports Personal Key and nothing else. |
| Login Items | Device Features | MEM doesn’t support network shares. Also, VMware supports adding network home share points and pressing Shift to prevent items from opening. |
| Login Window | Device Features | MEM only supports window layout, power button settings, and Apple menu disablement (disable shutdown, restart, power off, log out, lock screen while logged in). WS1 supports several other options like login/logoff scripts, restricting access by specific user accounts, blocking local login, and much more. |
| Energy Saver | NONE | |
| Time Machine | NONE | |
| Finder | NONE | |
| Accessibility | NONE | |
| Printing | Printing support in Settings Picker | |
| Proxies | Global HTTP Proxy support in Settings Picker | |
| Smart Card | NONE | |
| Mobility | NONE | |
| Associated Domains | Device Features | MEM lets you enable direct downloads instead of going through a CDN. |
| Managed Domains | Device Restrictions | |
| SSO Extension | Device Features | MEM gives you the Azure AD SSO Extension (Intune exclusive). VMware had some progress here, so good on them. |
| Skip Setup Assistant | NONE | |
| Content Filter | NONE | |
| System Extensions | Extensions | |
| AirPlay Mirroring | NONE | |
| AirPrint | Device Features | MEM lets you customize Port and TLS, which now have tool tips saying they’re iOS-only features and should not be seen in a MacOS profile. |
| Xsan | NONE | |
| Firewall | Endpoint Protection | MEM will let you whitelist or blacklist apps on the Firewall, which WS1 doesn’t. WS1 instead automatically allows all signed apps to receive incoming connections. WS1 also supports stealth mode to block things like ICMP. |
| Firmware Password | NONE | |
| Custom Attributes | Custom Attributes | |
| Custom XML | Custom XML | |

The good news is that Intune has a few features that Workspace ONE is missing:

| MEM Feature | MEM Location | Notes |
| --- | --- | --- |
| Content Caching | Device Features | MEM supports content caching, which lets you cache iCloud data and other Apple content (e.g. software updates/apps). *WS1 will let you disable it*, but seriously, VMware, we need to get this done! |
| Apple Classroom | Device Restrictions | MEM supports customization of Apple Classroom experience features. |
| Preference File | Preference File | MEM lets you import plists directly to applications. |
| Microsoft Edge | Settings Picker | MEM will let you set Edge settings. |
| Microsoft Defender | Settings Picker | MEM will let you set Defender settings. |

The New Settings Picker for MEM

The Settings Picker for MEM is very interesting. You will see it in the video below, but this capability lets you pick and choose various settings from different categories to build an a la carte configuration profile. You can pick from these categories:

  • Domains
  • Global HTTP Proxy
  • Microsoft Defender (AV Engine, CDP Preferences, EDR Preferences, Network Protection, UI Preferences)
  • Microsoft Edge
  • Printing
  • Profile Removal Passwords

Closing Thoughts on Profiles

In closing, I think we can agree that Microsoft is on the right path here, but they’re still missing so many things. Major core aspects of MacOS remain untouched, like AirPrint, Dock, Finder and so much more. I do love the new Settings Picker, but it should be extended to ALL configuration profiles. The ideas are good, but we just need more follow-through. VMware, take a few hints from them and put in a Settings Picker, as it could be a game changer!

Workspace ONE Profiles Score: 9

MEM Profiles Score: 7

Round 3: MacOS Compliance Profiles 2022

MacOS compliance is crucial as the OS continues to evolve, so we need to make sure that we are monitoring for gaps and moving swiftly. Luckily, both VMware and Microsoft do a nice job handling them. No changes in 2022, so this is all the same.

Workspace ONE vs. Intune Device Compliance

The compliance table can be seen below. For the most part, with Gatekeeper in place I wouldn’t expect application compliance to matter all that much, but it would be nice to see Microsoft let you blacklist models and flag devices based on when they were last seen:

| Device Compliance | Intune Comparable | Notes |
| --- | --- | --- |
| System Integrity Protection | Exists in MEM | |
| Application Compliance | NO | Lets you flag devices as compromised that have, or do NOT have, an application or application version. |
| Disk Encryption | Exists in MEM | |
| Device Model | NO | Blacklist certain Mac models. |
| OS Version | Exists in MEM | |
| Device Last Seen | NO | |
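As an added example (not part of the original post, and not Workspace ONE or Intune code), here is how the criteria in the table above combine into a compliance evaluation over constructed inventory records. The record fields, the hypothetical bundle ids and model identifiers, and the policy thresholds are all assumptions; the point is that each criterion produces a finding and the device is compliant only when there are none:

```python
# Added example (not Workspace ONE or Intune code): a minimal compliance
# evaluator that applies the criteria from the table above to constructed
# device inventory records. Field names and policy values are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def version_tuple(version: str) -> tuple:
    """Turn '12.6.1' into (12, 6, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class DeviceRecord:
    name: str
    model: str                 # Apple model identifier, e.g. "MacBookPro18,3"
    os_version: str
    sip_enabled: bool          # System Integrity Protection
    filevault_enabled: bool    # disk encryption
    installed_apps: dict       # bundle id -> installed version
    last_seen: datetime        # last check-in, timezone-aware


@dataclass
class CompliancePolicy:
    min_os_version: str = "12.0"
    blocked_models: set = field(default_factory=set)
    required_apps: dict = field(default_factory=dict)   # bundle id -> minimum version or None
    forbidden_apps: set = field(default_factory=set)
    max_days_unseen: int = 30


def evaluate(device: DeviceRecord, policy: CompliancePolicy, now: datetime) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    findings = []
    if not device.sip_enabled:
        findings.append("System Integrity Protection is disabled")
    if not device.filevault_enabled:
        findings.append("disk is not encrypted")
    if version_tuple(device.os_version) < version_tuple(policy.min_os_version):
        findings.append(f"OS {device.os_version} is below minimum {policy.min_os_version}")
    if device.model in policy.blocked_models:
        findings.append(f"model {device.model} is blocked")
    # Application compliance: required apps must be present (and new enough),
    # forbidden apps must be absent.
    for bundle_id, min_version in policy.required_apps.items():
        installed = device.installed_apps.get(bundle_id)
        if installed is None:
            findings.append(f"required app {bundle_id} is missing")
        elif min_version and version_tuple(installed) < version_tuple(min_version):
            findings.append(f"{bundle_id} {installed} is below minimum {min_version}")
    for bundle_id in policy.forbidden_apps:
        if bundle_id in device.installed_apps:
            findings.append(f"forbidden app {bundle_id} is installed")
    # Device last seen: a device that stopped checking in cannot be trusted
    # to still match the state it last reported.
    if now - device.last_seen > timedelta(days=policy.max_days_unseen):
        findings.append(f"not seen for more than {policy.max_days_unseen} days")
    return findings


def is_compliant(device: DeviceRecord, policy: CompliancePolicy, now: datetime) -> bool:
    return not evaluate(device, policy, now)


# Constructed sample data (hypothetical bundle ids and model identifiers).
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)
POLICY = CompliancePolicy(
    min_os_version="12.3",
    blocked_models={"MacBookAir6,2"},
    required_apps={"com.example.edr-agent": "3.2"},
    forbidden_apps={"com.example.unsanctioned-vpn"},
    max_days_unseen=30,
)
DEVICES = [
    DeviceRecord("mac-ok", "MacBookPro18,3", "12.4", True, True,
                 {"com.example.edr-agent": "3.4"}, NOW - timedelta(days=2)),
    DeviceRecord("mac-stale", "MacBookAir6,2", "11.6.5", True, False,
                 {"com.example.edr-agent": "3.0", "com.example.unsanctioned-vpn": "1.0"},
                 NOW - timedelta(days=45)),
]


def run_demo() -> dict:
    """Evaluate every sample device and return name -> list of findings."""
    return {d.name: evaluate(d, POLICY, NOW) for d in DEVICES}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "compliant" if not findings else findings)
```

Versions are compared as integer tuples rather than strings so that 11.6.5 is correctly ranked below 12.3, and the last-seen check is treated as a violation in its own right, since a device that has stopped reporting gives you no evidence that its other attributes still hold.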

Workspace ONE Compliance Score: 9

MEM Compliance Score: 7.5

Round 4: MacOS Application Management 2022

This is pretty much exactly the same as it was last year. I will share below the videos on deploying apps in the respective platforms, but I won’t repeat what I said in the other article.

Workspace ONE Application Management Score: 9

MEM Application Management Score: 5

Deploying MacOS Apps in Workspace ONE

Deploying MacOS Apps in MEM

Round 5: MacOS Security 2022

When I focus on MacOS Security, I look at Endpoint Detection and Response, encryption, compliance, firewall, and gatekeeper.

The major change that we see in 2022 is the exciting MEM Settings Picker. Let’s briefly cover the settings you can set in Defender and Edge, which help improve the security landscape easily for MacOS.

Workspace ONE Security Score: 8

MEM Security Score: 9

Microsoft Defender Settings Supportability

| Category | Settings | Comments |
| --- | --- | --- |
| AV Engine | Allowed Threats, Disallowed Threat Actions, Passive Mode, Real-Time Protection, Exclusions Merge, Scan Exclusions, Scan History Size, Scan Results Retention, Threat Type Settings, Threat Type Settings Merge | |
| Cloud Delivered Protection Preferences | Automatic Security Intelligence Updates, Diagnostics Collection Level, Disable Automatic Sample Submissions, Disable Cloud Delivered Protection | |
| EDR Preferences | Disable Early Preview | |
| Network Protection | Enforcement Level | |
| UI Preferences | Show/Hide Status Menu Icon, User Initiated Feedback | |

Microsoft Edge Supportability

I’ll do you the favor and not list 250 settings. You can access a collection of the potential settings here. If you’re familiar with Chrome settings, you will find it is nearly identical. The idea is that you can basically configure every preference in a GUI, which makes life very easy. This, coupled with the ability to push down plists, gives MEM a slight edge in security.
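Whether they come from the Settings Picker or from an imported preference file, what reaches the Mac is a configuration profile carrying managed preferences for an application’s preference domain. As an added example (not Intune or Workspace ONE code, and not part of the original post), the script below builds such a profile and reads it back so the enforced keys can be reviewed before assignment. The payload layout (PayloadType set to the preference domain, managed keys at payload level) is my assumption based on the Profile Manager custom-settings format; the Edge domain, the two policy key names and the profile identifiers are assumed or constructed values to be checked against the vendor’s policy reference:

```python
# Added example (not Intune or Workspace ONE code): build and read back a macOS
# configuration profile (.mobileconfig) carrying a managed-preferences payload
# for an application's preference domain, the kind of plist the Preference File
# and Settings Picker features push to a Mac. Domain names, policy keys and
# identifiers below are assumptions or constructed values.
import plistlib
import uuid


def managed_preferences_profile(domain: str, settings: dict, display_name: str,
                                identifier: str, organization: str = "Example Org") -> bytes:
    """Return XML plist bytes for a system-scoped profile with one custom-settings payload.

    Assumption: the payload's PayloadType is the preference domain and the managed
    keys sit at payload level (the Profile Manager 'Custom Settings' layout).
    """
    # Managed keys must not shadow the profile's own bookkeeping keys.
    collisions = [k for k in settings if k.startswith("Payload")]
    if collisions:
        raise ValueError(f"settings collide with profile bookkeeping keys: {collisions}")
    payload = {
        "PayloadType": domain,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.{domain}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{display_name} managed preferences",
        "PayloadEnabled": True,
        **settings,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": organization,
        "PayloadScope": "System",            # device-wide rather than per-user
        "PayloadRemovalDisallowed": True,    # the user cannot remove it from System Preferences
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def extract_settings(profile_bytes: bytes, domain: str):
    """Parse a profile and return the managed keys for `domain`, or None if absent.

    Handy for reviewing what a profile really enforces before it is assigned.
    """
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == domain:
            return {k: v for k, v in payload.items() if not k.startswith("Payload")}
    return None


# Constructed sample: two Edge policy keys (names assumed; verify them against the
# vendor's policy reference before relying on them).
EDGE_DOMAIN = "com.microsoft.Edge"
EDGE_SETTINGS = {"SmartScreenEnabled": True, "PasswordManagerEnabled": False}


def build_edge_profile() -> bytes:
    return managed_preferences_profile(EDGE_DOMAIN, EDGE_SETTINGS, "Microsoft Edge",
                                       "com.example.profile.edge")


if __name__ == "__main__":
    print(build_edge_profile().decode())
```

The round trip through `extract_settings` is the useful part for an administrator: it strips the `Payload*` bookkeeping and leaves only the keys that will actually be enforced, which is what you want to eyeball, or diff against a baseline, before a profile goes out to a fleet.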

The Final Tally 2022

Let’s add things up and see where we land:

| Round | VMware Workspace ONE | Microsoft Endpoint Manager |
| --- | --- | --- |
| Enrollment | 10 | 5 |
| Profiles | 9 | 7 |
| Compliance | 9 | 7.5 |
| Application Management | 9 | 5 |
| Security | 8 | 9 |
| Total Score | 45 (+1.5 since last year) | 33.5 (+2 since last year) |

Overall, Microsoft didn’t do much, but I DO LOVE the new Settings Picker, which should be the new standard in endpoint management today. I hope VMware pays attention, because it is a huge value. Another thing to pick up on is bringing Carbon Black configuration into Workspace ONE and giving those poor UEM administrators some power.

Microsoft knows MacOS is not a strong point, but we will hope that when we look at 2023 their platform has become less rigid. The rigidity is still an issue: “only support this scripting language”, “only make it easy to deploy this type of app”, etc. They need to bring in someone who knows MacOS, because it is clear they are missing that when something like Dock configuration is absent. VMware, you have some work to do also, but nice job trying to keep parity with both platforms.

VMware also gets bonus points for recently releasing DEEM for MacOS, which enhances their MacOS offering. I hope everyone enjoys this year’s edition and I look forward to the comments!
