It has been about 18 months or so, and we are going to revisit Intune vs. Workspace ONE and how they handle Macs. I put this off for a long time because the gap has been SOOOOO large. On the surface, Microsoft made some significant progress on MacOS management in 2023, which warrants a closer look. We will use our standard 5 rounds of criteria: Device Enrollment, Profiles, Compliance, Application Management, and Security. As a reminder, this will only cover the capabilities that exist today and nothing from the roadmap. Let’s get started!
Round 1: MacOS Device Enrollment Revisited
As always, the criteria for MacOS Device Enrollment are:
- Support the Device Enrollment Program (DEP)
- Doesn’t suck at DEP
- A strong user experience during enrollment
Device enrollment is a pretty basic area, where you don’t really need to be a rocket scientist to be decent at it. You just need to check all of the right boxes.
Microsoft has introduced a neat new capability within the last few years with DEP enrollments via modern authentication.

This new type enables some nice capabilities even without Company Portal being installed like:
- Device Wipe
- Enhanced auth methods like MFA and device registration for conditional access
- Password management prompts
- Automatic installation of the Company Portal
The same issues that existed in Intune in 2022 still exist, like:
- Creating admin accounts and rotating their passwords
- Using custom anchor certificates
- Auto advance setup and await configuration before giving access to the device
- A few missing items on the setup wizard like Emergency SOS and App Store (but that’s not that important)
Intune Enrollment on MacOS
Once again, the enrollment is identical and still hasn’t changed. That has been the theme for a few years. My main complaint is they should adopt more of an OOBE approach and show some sort of dialogue/window for the applications being onboarded like VMware does:

Let’s check out the video demo
Intune Enrollment Score: 5
Workspace ONE UEM Enrollment for MacOS
Workspace ONE enrollment also hasn’t changed, which you can check out in the video below, so its score will stay:
Workspace ONE Enrollment Score: 10
Round 2: MacOS Device Profiles Revisited
We won’t go too crazy here as we did in last year’s article, so let’s focus on what has changed.
Before we get started, let’s celebrate VMware finally adopting DDUI (Data-Driven UI for MacOS):

| WS1 Device Profiles | Intune Match | Notes |
| --- | --- | --- |
| Certificate Transparency | Microsoft Edge (specifically for Edge) | Controls the behavior of certificate transparency enforcement (provides auditing for certs issued by a CA to make sure no CA issues certs it shouldn’t be) |
| DNS Settings | Networking (Settings Catalog) | Lets you deploy DNS settings (supports HTTPS or TLS protocols and On Demand Rules, i.e. SSID matching, DNS domain matching, etc.) |
| File Provider | System Configuration (File Provider) | Grants file providers access to the path of the requesting process |
| Firewall (New) | Networking (Firewall) | Powered by WS1 Intelligent Hub v2.2+ for MacOS to monitor firewall settings and revert settings if unauthorized changes occur. It also protects against probing requests to elevate MacOS firewall capabilities. |
| Login and Background Items | Service Management (Managed Login Items) | Introduced in MacOS 13 to deploy login items to Macs |
| NSExtension | App Management (NS Extension Management) | Lets you specify extensions that are allowed to run on Macs |
| Notification Settings | User Experience (Notifications) | Lets you configure notification settings for applications |
VMware has closed some of the small gaps they had in 2022 with DDUI. They can now:
- Configure Content Caching
- Perform most of the Apple Classroom features except “Require teacher permission to leave Classroom app unmanaged classes”
They are still unable to import .plists and configure Microsoft Edge and Microsoft Defender. The .plist feature is probably the one criticism, as it’s a huge value for MacOS administrators.
Microsoft has finally closed out some of their gaps. Now you can use the Settings Picker for:
- AirPrint
- Dock settings
- Parental Controls
- Software Update Policies
- Energy Saver
- Time Machine
- Finder
- Accessibility
- Smart Card
- Mobile Accounts
- xSAN
- AirPlay Mirroring
- Content Filter
The only items that don’t appear to be there now are:
- Skip Setup Assistant
- Firmware Password
Closing Thoughts on Profiles
I’m happy to say that they are much closer than before. Microsoft has finally closed a very reachable gap on profiles by implementing the base capabilities that Apple provides. The VMware-enhanced firewall is interesting, but I’m not sure how much better it actually is over the firewall APIs available via MacOS. Now, the game is finally TIED!
Workspace ONE Profiles Score: 9
Intune Profiles Score: 9
Round 3: MacOS Compliance Profiles 2023
MacOS compliance is very important, but I’m happy to announce nothing has really changed since last year.
The one thing that VMware has introduced is Tags with compliance policies, which is a very appealing feature. Now, you can use automations to tag devices to mark them as non-compliant.
This is something that Intune, even with conditional access, does not have today. It would be great if you could pull data from Defender or CrowdStrike to flag devices as non-compliant, but it just isn’t there yet. As a refresher, this is the 2022 comparison on compliance, and it still tracks:
| Device Compliance | Intune Comparable | Notes |
| --- | --- | --- |
| System Integrity Protection | Exists in Intune | |
| Application Compliance | NO | Flags devices as compromised that have or do NOT have an application or application version. |
| Disk Encryption | Exists in Intune | |
| Device Model | NO | Blacklist certain Mac models |
| OS Version | Exists in Intune | |
| Device Last Seen | NO | |
| Tagging | NO | |
Workspace ONE Compliance Score: 9.5
Intune Compliance Score: 7.5
Round 4: MacOS Application Management 2023
Thank the heavens, as you can finally support PKGs in Intune, which I have been very rough on Microsoft about for quite some time. Let’s check out the video:
That was SO much better than it used to be. They have now surpassed VMware in application deployments for most use-cases. The biggest key/issue that I have is a ton of confusion. You should only be able to deploy PKGs in ONE way. Being able to use LOB apps or PKG apps creates potential mistakes and confusion.
As a reminder, this is what deploying MacOS apps in Workspace ONE looks like today:
Later on, we’ll discuss the new stuff coming from Microsoft that will improve this even more, but there’s still some work to do here.
Workspace ONE Application Management Score: 9
Intune Application Management Score: 9
Round 5: MacOS Security 2023
When I focus on MacOS Security, I look at Endpoint Detection and Response, encryption, compliance, firewall, and Gatekeeper. Microsoft has enhanced their Microsoft Defender support for MacOS with:
- Deprecating the ability to disable real-time protection and passive mode
- Multi-threading for on-demand scans
- File hash computation
- Running scans after definition updates
- Scanning inside archive files
- Block users from logging into the consumer version of Defender
- Separate exclusion policies
I’d also like to point out that MacOS scripting in Intune supports Bash, Python, or whatever file you choose to upload! YAY!
One other change I want to touch on is something I brought up in August when WS1 UEM 2306 was released.
Workspace ONE’s new MacOS Update Management
Previously, I covered the new MacOS Updater Utility (MUU), which addressed major gaps in MacOS Updates. Now, in 2306, we have the next stage of MacOS Update Management.
These are API-driven, starting with the Apple API endpoint that lists the OS updates currently available. It’s pretty interesting. This is a small snip:
{"PublicAssetSets":{"iOS":[{"ProductVersion":"12.5.7","PostingDate":"2023-08-02","ExpirationDate":"2023-11-12","SupportedDevices":["iPad4,1","iPad4,2","iPad4,3","iPad4,4","iPad4,5","iPad4,6","iPad4,7","iPad4,8","iPad4,9","iPhone6,1","iPhone6,2","iPhone7,1","iPhone7,2","iPod7,1"]},{"ProductVersion":"15.7.8","PostingDate":"2023-08-02","ExpirationDate":"2023-11-12","SupportedDevices":["iPad5,1","iPad5,2","iPad5,3","iPad5,4","iPhone8,1","iPhone8,2","iPhone8,4","iPhone9,1","iPhone9,2","iPhone9,3","iPhone9,4","iPod9,1"]},{"ProductVersion":"16.6","PostingDate":"2023-08-02","ExpirationDate":"2023-11-12","SupportedDevices":["iPad11,1","iPad11,2","iPad11,3","iPad11,4","iPad11,6","iPad11,7","iPad12,1","iPad12,2","iPad13,1","iPad13,10","iPad13,11","iPad13,16","iPad13,17","iPad13,18","iPad13,19","iPad13,2","iPad13,4","iPad13,5","iPad13,6","iPad13,7","iPad13,8","iPad13,9","iPad14,1","iPad14,2","iPad14,3","iPad14,4","iPad14,5","iPad14,6","iPad6,11","iPad6,12","iPad6,3","iPad6,4","iPad6,7","iPad6,8","iPad7,1","iPad7,11","iPad7,12","iPad7,2","iPad7,3","iPad7,4","iPad7,5","iPad7,6","iPad8,1","iPad8,10","iPad8,11","iPad8,12","iPad8,2","iPad8,3","iPad8,4","iPad8,5","iPad8,6","iPad8,7","iPad8,8","iPad8,9","iPhone10,1","iPhone10,2","iPhone10,3","iPhone10,4","iPhone10,5","iPhone10,6","iPhone11,2","iPhone11,6","iPhone11,8","iPhone12,1","iPhone12,3","iPhone12,5","iPhone12,8","iPhone13,1","iPhone13,2","iPhone13,3","iPhone13,4","iPhone14,2","iPhone14,3","iPhone14,4","iPhone14,5","iPhone14,6","iPhone14,7","iPhone14,8","iPhone15,2","iPhone15,3"]},{"ProductVersion":"5.3.9","PostingDate":"2023-07-24","ExpirationDate":"2023-11-12","SupportedDevices":["Watch2,3","Watch2,4","Watch2,6","Watch2,7","Watch3,1","Watch3,2","Watch3,3","Watch3,4","Watch4,1","Watch4,2","Watch4,3","Watch4,4"]},{"ProductVersion":"6.3","PostingDate":"2023-07-24","ExpirationDate":"2023-11-12","SupportedDevices":["Watch2,3","Watch2,4","Watch2,6","Watch2,7"]},{"ProductVersion":"8.8.1","PostingDate":"2023-07-24","ExpirationDate":"2023-11-12","SupportedDevices":["Watch3,1","Watch3,2","Watch3,3","Watch3,4","Watch4,1","Watch4,2","Watch4,3","Watch4,4","Watch5,1","Watch5,10","Watch5,11","Watch5,12","Watch5,2","Watch5,3","Watch5,4","Watch5,9","Watch6,1","Watch6,2","Watch6,3","Watch6,4","Watch6,6","Watch6,7","Watch6,8","Watch6,9"]},{"ProductVersion":"9.6","PostingDate":"2023-07-24","ExpirationDate":"2023-11-12","SupportedDevices":["Watch4,1","Watch4,2","Watch4,3","Watch4,4","Watch5,1","Watch5,10","Watch5,11","Watch5,12","Watch5,2","Watch5,3","Watch5,4","Watch5,9","Watch6,1","Watch6,10","Watch6,11","Watch6,12","Watch6,13","Watch6,14","Watch6,15","Watch6,16","Watch6,17","Watch6,18","Watch6,2","Watch6,3","Watch6,4","Watch6,6","Watch6,7","Watch6,8","Watch6,9"]},{"ProductVersion":"16.6","PostingDate":"2023-07-24","ExpirationDate":"2023-11-12","SupportedDevices":["AppleTV11,1","AppleTV14,1","AppleTV5,3","AppleTV6,2","AudioAccessory1,1","AudioAccessory1,2","AudioAccessory5,1","AudioAccessory6,1"]},{"ProductVersion":"15.7.2","PostingDate":"2022-12-13","ExpirationDate":"2023-11-12","SupportedDevices":
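A patch-compliance check built on that feed format, as an added example (not code from this article, VMware, or Apple): it picks the newest posted, unexpired release that lists a device's hardware model and flags devices running something older. Only the field names come from the excerpt above; the `macOS` key, the sample entries and the inventory are constructed assumptions.

```python
import json
from datetime import date

# Constructed sample in the shape of the excerpt above. The "macOS" key and every
# version, date and model identifier here are assumptions for illustration.
SAMPLE_FEED = json.loads("""{"PublicAssetSets": {"macOS": [
  {"ProductVersion": "13.4.1", "PostingDate": "2023-06-21",
   "ExpirationDate": "2023-09-01", "SupportedDevices": ["Mac14,2", "MacBookPro18,3"]},
  {"ProductVersion": "13.5", "PostingDate": "2023-07-24",
   "ExpirationDate": "2023-11-12", "SupportedDevices": ["Mac14,2", "MacBookPro18,3"]},
  {"ProductVersion": "12.6.8", "PostingDate": "2023-07-24",
   "ExpirationDate": "2023-11-12", "SupportedDevices": ["MacBookPro18,3", "iMac16,1"]}
]}}""")

# Constructed inventory: serial -> (hardware model, installed OS version).
INVENTORY = {"C02EXAMPLE1": ("Mac14,2", "13.4.1"),
             "C02EXAMPLE2": ("MacBookPro18,3", "13.5"),
             "C02EXAMPLE3": ("iMac16,1", "12.6.8"),
             "C02EXAMPLE4": ("MacPro5,1", "10.13.6")}


def parse_version(text):
    """Turn '13.4.1' into (13, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def latest_update(feed, platform, model, today):
    """Newest posted, unexpired release that lists this hardware model, or None."""
    best = None
    for entry in feed.get("PublicAssetSets", {}).get(platform, []):
        if model not in entry.get("SupportedDevices", []):
            continue
        posted = date.fromisoformat(entry["PostingDate"])
        expires = date.fromisoformat(entry.get("ExpirationDate", "9999-12-31"))
        if not posted <= today <= expires:
            continue
        if best is None or parse_version(entry["ProductVersion"]) > parse_version(best):
            best = entry["ProductVersion"]
    return best


def patch_status(feed, inventory, today, platform="macOS"):
    """Map each serial to (installed, target, state) for a patch-compliance report."""
    report = {}
    for serial, (model, installed) in inventory.items():
        target = latest_update(feed, platform, model, today)
        if target is None:
            state = "unsupported"  # no current release lists this model
        elif parse_version(installed) >= parse_version(target):
            state = "current"
        else:
            state = "behind"
        report[serial] = (installed, target, state)
    return report
```

Devices reported as `unsupported` matter as much as those that are `behind`: no release in the feed lists their model, so no update policy will bring them current.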
Essentially, you can leverage a variety of methods for deploying MacOS Updates:
- Download Only (download but don’t install)
- Default (download or install the update, based on the current device state)
- InstallAsap (downloads the macOS update and notifies the user a reboot is coming imminently; the restart can be cancelled)
- NotifyOnly (downloads the update and notifies the user it’s available)
- InstallLater (user will be periodically informed of an available update)
- InstallForceRestart (downloads the update and forces a device restart if needed; this doesn’t require user consent)
Additionally, you can do some cool stuff like pause/unpause updates. The main change here for those unaware is this is now largely leveraging the Apple MDM capabilities that are built in, which will be much more reliable than the previous methods. Let’s check out the demo of setting up the policy.
You can see below, it sees that I am assigned to new patches for 13.4.1 and 13.5, but nothing has happened yet.

After a day or so, it finally went when I powered on my Mac. Essentially, in troubleshooting logs you will see it sends the command: (INSTALL_ASAP)

You can read more about INSTALL_ASAP and other commands in the Apple API docs. Basically, INSTALL_ASAP downloads the software update and triggers the restart countdown notification. I didn’t see any notification, as an FYI, but the install did go smoothly.
Workspace ONE Security Score: 8
Intune Security Score: 9
A Look Ahead to Both Platforms
One thing I am doing differently this year is showing the roadmap items that have been announced, as there are some big ones coming. Let’s start with VMware.
They have 3 items coming soon:
- Hub Health: The Intelligent Hub on the MacOS device will audit crucial MDM services to help self-heal issues as they come up. Those attributes will be able to drive automations via Freestyle Orchestrator or WS1 Intelligence workflows.

- Security Baselines: Fairly self-explanatory, MacOS security baselines will be introduced shortly.
- Declarative Device Management: Feel free to read my blog article all about DDM, which will be revolutionizing device management by empowering devices to process commands themselves in rapid succession.
Microsoft recently wrote about the new great features coming to Intune for MacOS. Let’s quickly discuss some of the new stuff coming in the next quarter or so:
- Platform SSO is coming in Q1 to let users leverage Entra ID credentials to log into their Mac.
- Local account creation during provisioning is coming (to address a major DEP gap they have right now mentioned earlier).
- Await final configuration support (another gap I mentioned earlier).
The Pay-to-Play Intune Conundrum
One last thing I want to bring up is the new model with Intune. Intune is no longer “free” as many desirable features now cost money. This is a major challenge and some of these features are very desirable for MacOS users. Let’s cover a few of them real quick (many announced at Ignite 2023):
- Cloud PKI (which is going to cost $2 per user) is really intriguing. This is a cloud-based CA solution that lets you create CAs and certificate profiles in Intune for app authentication, Wi-Fi/VPN, and NAC conditional access.
- Microsoft Intune Enterprise App Management (which is powered by Liquit) is going to be interesting (also costs $2 per user) as that may extend to MacOS at some point, which makes app deployments easy as they host the apps for you. This lets you deploy auto-magically!
- Remote Help ($3.50 per user) will let you remotely support users, which is available on MacOS.
Their all-in strategy will be for companies to buy the Intune Suite for $10 per user and will include all of these new services and more. Read more about the various options here. Overall, it’s really interesting to see the transition from “free” to “suite” which is the same paradigm VMware has been pushing with AirWatch for a long time.
The Final Tally 2023
Let’s add things up and see where we land:
| | VMware Workspace ONE | Microsoft Intune |
| --- | --- | --- |
| Enrollment | 10 | 5 |
| Profiles | 9 | 9 |
| Compliance | 9.5 | 7.5 |
| Application Management | 9 | 9 |
| Security | 8 | 9 |
| Total Score | 45.5 (+.5 since last year) | 39.5 (+6 since last year) |
Final Thoughts
I waited 18 months because I was incredibly frustrated with where MacOS management was for Intune. I am happy to see them close the gap with VMware. I would expect the difference maker between the two will come down to the execution on Hub Health. Even with the new patching enhancements from VMware, MacOS patching is always going to be a challenge, but I will say it’s slightly less painful now.
Microsoft has proven that you no longer NEED JAMF to be successful. Their success will likely correlate with execution on their Q1 roadmap along with fixing some of the issues with application deployments. I am definitely optimistic, but only time will tell if MacOS management is finally addressed.
