Well it’s about that time that we take a long look at MacOS Management in MEM and Workspace ONE UEM and see what has changed. Last year’s article was a popular one as we discovered that the Microsoft offering left much to be desired. Hopefully, they will have caught up a bit, but we only learn by evaluation. We will use the same 5 rounds as criteria: Device Enrollment, Profiles, Compliance, Application Management, and Security. Without further adieu, let’s get started.
Round 1: MacOS Device Enrollment Revisited
Like before, we have a few basic requirements with device enrollment:
- Support the Device Enrollment Program (DEP)
- Not suck at DEP
- A solid user experience during enrollment
Overall, device enrollment isn’t that complicated, but you need to get the job done. A poor user experience is unacceptable, while balancing features and functionality that let users work instantly with a solid out-of-the-box experience. Let’s start with DEP!
MEM vs Workspace ONE UEM DEP Capabilities
You will find in the video that not much changed from 2011, with a small enhancement from Microsoft around Modern Authentication support for the Company Portal enrollment. It’s definitely a welcome user experience change, but overall MEM continues to do the bare minimum when it comes to DEP.
There is still no excuse that Microsoft hasn’t supported the Apple capabilities around creating Admin accounts and rotating passwords, which is not a nice to have. It’s a MUST HAVE! As I mentioned last year, the OOBE is foundational and vital to enrollment. Microsoft knows this as they have AutoPilot on PCs, but MacOS can no longer be a second class citizen in the enterprise.
As you saw, the gap is not insignificant when it comes to DEP. That’s just the reality of where we are at here. Microsoft needs to put more effort in to be honest. Supporting all platforms is no excuse for substandard efforts here. Let’s get into the enrollment experience!
MEM Enrollment on MacOS
The MEM Enrollment on MacOS is exactly the same as it was in 2021, which is sort of the theme when it comes to MacOS management with Microsoft unfortunately. I keep hoping they will make some advancements, but for the most part it’s same hat.
As you saw in the video, it’s the same as it was last year. The Apps onboarding is pretty weak still. They lose points for making zero progress in a year.
MEM Enrollment Score: 5
Workspace ONE UEM Enrollment for MacOS
The Workspace ONE UEM enrollment experience was pretty good in 2021. I have to admin that they have made even more advancements in the last year. They have worked hard to implement their OOBE Status Tracking Pages that I wrote about not too long ago. Let’s check the demo to see what their offering looks like in 2022:
As you saw, they have gotten stronger in this area and I don’t have a ton of room for criticism. I think we can admit it does run a bit slow, but that sometimes can be the inevitability of progress. Delivering better experiences “sometimes” can be a bit more complicated, thus the minimal timing increases are a part of that, but I think it’s well-worth it.
Workspace ONE Enrollment Score: 10
Round 2: MacOS Device Profiles Revisited
This section is usually the most exhausting, but luckily we did a ton of the work last year. We will show the total profiles that are now available along with highlighting what is new!
Workspace ONE vs. Intune Device Profiles
|WS1 Device Profiles||MEM Match||Notes|
|Network||MEM supports outer identity. WS1 adds these: TLS minimum and maximum versions, allow direct connections if PAC is down, WiFi captive portal. Intune also supports Wired Network Profiles.|
|VPN||VPN||MEM lets you block users from disabling On-Demand or Per-App VPN. WS1 supports integrating VPN with system extensions via Provider Designated Requirement, ability to exclude or include all traffic.|
|Credentials||PKCS Certificate||MEM doesn’t support Identity Preference.|
|Restrictions||Device Restrictions||WS1 doesn’t let you block iTunes File Sharing, Lookups, iCloud Private Relay or iCloud Photo Library but MEM does.|
MEM doesn’t support the following: restricting systems preference items,, deprecated TLS, App Store, whitelisting/blacklisting folders, restricting widgets, restricting sharing services except AirDrop, restricting media, blocking iCloud passwords for local accounts, blocking Find my Mac, blocking AirPrint.
|Software Update (Update Policy)||NONE|
|Parental Controls||Mostly NONE||Disabling dictation is in here, but otherwise not supported by MEM|
|Security & Privacy||Device Restrictions/Endpoint Protection||MEM doesn’t support “Require password after sleep begins” or “Send Diagnostic to Apple”|
|Privacy Prefs||Device Restrictions|
|Encryption||Endpoint Protection||MEM ONLY supports Personal Key and nothing else.|
|Login Items||Device Features||MEM doesn’t support network shares. Also, VMware supports adding network home share points and pressing shift to prevent items from, opening.|
|Login Windows||Device Features||MEM only supports windows layout, power button settings, apple menu disablement. (Disable shutdown, restart, power off, log out, lock screen while logged in.) WS1 supports several other options like login/off scripts, restricting access by specific user accounts, blocking local login, and much more.|
|Printing||Printing Support in Settings Picker|
|Proxies||Global HTTP Proxy Support in Settings Picker|
|Associated Domains||Device Features||MEM lets you enable direct downloads instead of going through a CDN|
|Managed Domains||Device Restrictions|
|SSO Extension||Device Features||MEM gives you Azure AD SSO Extension (Intune exclusive). VMware had some progress here so good on them.|
|Skip Setup Assistant||NONE|
|AirPrint||Device Features||MEM lets you customize Port and TLS, which they have tool tips now saying they’re only iOS features but should not be seen in a MacOS Profile.|
|Firewall||Endpoint Protection||MEM will let you whitelist or blacklist apps on the Firewall which WS1 doesn’t. WS1 instead will automatically allow all signed apps to receive incoming connections. WS1 also supports stealth mode to block stuff like ICMP.|
|Custom Attributes||Custom Attributes|
|Custom XML||Custom XML|
The good news is that Intune has a few features that Workspace ONE is missing:
|Content Caching||Device Features||MEM supports content caching, which lets you cache iCloud data and other apple content e.g. software updates/apps, *WS1 will let you disable it* but seriously VMware we need to get this done!|
|Apple Classroom||Device Restrictions||MEM supports customization of Apple Classroom experience features|
|Preference File||Preference File||MEM lets you import plists directly to applications|
|Microsoft Edge||Settiings Picker||MEM will let you set Edge settings.|
|Microsoft Defender||Settings Picker||MEM will let you set Defender settings|
The New Settings Picker for MEM
The Settings Picker for MEM is very interesting. You will see it in the video below, but this capability will let you pick and choose various settings from different categories to build an a la carte configurations profile. You can pick from these categories:
- Global HTTP Proxy
- Microsoft Defender (AV Engine, CDP Preferences, EDR Preferences, Network Protection, UI Preferences)
- Microsoft Edge
- Profile Removal Passwords
Closing Thoughts on Profiles
In closing, I think we can agree that Microsoft is on the right path here, but they’re still missing so many things. Major core aspects of MacOS remain untouched like AirPrint, Dock, Finder and so much more. I do love the new settings picker, but it should be extended to ALL of configuration profiles. The ideas are good, but we just need more follow-through. VMware take a few of their hints and put in that Settings Picker as it could be a game changer!
Workspace ONE Profiles Score: 9
MEM Profiles Score: 7
Round 3: MacOS Compliance Profiles 2022
MacOS compliance is crucial as the OS continues to evolve. It’s crucial to make sure that we are monitoring for gaps and moving swiftly. Luckily, both VMware and Microsoft do a nice job handling them. No changes in 2022, so this is all the same.
Workspace ONE vs. Intune Device Compliance
The compliance table can be seen below. For the most part, I wouldn’t expect with Gatekeeper that application compliance will matter all that much, but it would be nice to see Microsoft let you blacklist models and based on device last seen:
|Device Compliance||Intune Comparable||Notes|
|System Integrity Protection||Exists in MEM|
|Application Compliance||NO||Let’s you flag devices as compromised that have or do NOT have an application or application version.|
|Disk Encryption||Exists in MEM|
|Device Model||NO||Blacklist certain Mac models|
|OS Version||Exists in MEM|
|Device Last Seen||NO|
Workspace ONE Compliance Score: 9
MEM Compliance Score: 7.5
Round 4: MacOS Application Management 2022
This is pretty much exactly the same as it was last year. I will share below the videos on deploying apps in the respective platforms, but I won’t repeat what I said in the other article.
Workspace ONE Application Management Score: 9
MEM Application Management Score: 5
Deploying MacOS Apps in Workspace ONE
Deploying MacOS Apps in MEM
Round 5: MacOS Security 2022
When I focus on MacOS Security, I look at Endpoint Detection and Response, encryption, compliance, firewall, and gatekeeper.
The major change that we see in 2022 is the exciting MEM Settings Picker. Let’s briefly cover the settings you can set in Defender and Edge, which help improve the security landscape easily for MacOS.
Workspace ONE Security Score: 8
MEM Security Score: 9
Microsoft Defender Settings Supportability
|AV Engine||Allowed Threats, Disallowed Threat Actions, Passive Mode, Real-Time Protection, Exclusions Merge, Scan Exclusions, Scan History Size, Scan Results Retention, Threat Type Settings, Threat Type Settings Merge|
|Cloud Delivered Protection Preferences||Automatic Security Intelligence Updates, Diagnostics Collection Level, Disable Automatic Sample Submissions, Disable Cloud Delivered Protection|
|EDR Preferences||Disable Early Preview|
|Network Protection||Enforcement Level|
|UI Preferences||Show/Hide Status Menu Icon, User Initiated Feedback|
Microsoft Edge Supportability
I’ll do you the favor and not list 250 settings. You can access a collection of the potential settings here. If you’re familiar with Chrome settings, you will find it is nearly identical. The idea is that you can basically configure every preference in a GUI, which makes life very easy. This coupled with the ability to push down Plists gives MEM a slight edge in security.
The Final Tally 2022
Let’s add things up and see where we land:
|VMware Workspace ONE||Microsoft Endpoint Manager|
|Total Score||45 (+1.5 since last year)||33.5 (+2 since last year)|
Overall, Microsoft didn’t do much, but I DO LOVE the new Settings Picker, which should be the new standard in endpoint management today. I hope VMware pays attention, because it is a huge value. Another thing to pick up on is to bring Carbon Black configuration into Workspace ONE and give those poor UEM administrators some power.
Microsoft knows MacOS is not a strong point, but we will hope that when we look at 2023 that their platform has become less rigid. The rigidity is still an issue. “Only support this scripting language”, “Only make it easy to deploy this type of app”, etc. They need to bring in someone who knows MacOS because that is clear when you are missing stuff like Dock configuration. VMware you have some work to do also, but nice job trying to keep parity with both platforms.
VMware also gets bonus points for recently releasing DEEM for MacOS, which enhances their MacOS offering. I hope everyone enjoys this year’s edition and I look forward to the comments!