Guide for Managing Mac OS X devices with Microsoft Intune MDM

This document provides preview details on managing Mac OS X devices using Microsoft Intune MDM.

Mac OS X 10.9 Support for the System Center 2012 R2 Configuration Manager Mac Client

Mac OS X 10.9 is supported on System Center 2012 R2 Configuration Manager with the following known exception: USB devices on Mac computers cannot be inventoried.

Refreshing Managed Client Cache

Deleting the contents of the /Library/Managed Preferences directory is definitely one way to refresh your managed preferences cache in Mac OS X, but there have been commands specifically designed to clear the cache for each version of Mac OS X. By OS, these include the following:

• 10.6 – mcxrefresh – You can use this command (in /usr/bin) to refresh managed preferences.
• 10.6 also has a ManagedClient binary in /System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient. When run with a -f option, ManagedClient will force updates.
• 10.5 has a binary called mcxd, located in /System/Library/CoreServices/mcxd.app/Contents/MacOS/mcxd, which can also be run with a -f option.
• 10.4 has a binary called MCXCacher, stored in /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher, which also supports the same -f option.

There are a number of other ways to go about this. If you have some that you use that I did not mention, please feel free to add a comment.

I’ve noticed that this blog post still gets a reasonable amount of traffic and comments. While that’s really gratifying, the content is horribly out-of-date, and a number of the comments relate to the fact that the functionality which was available when I wrote this post has changed quite a bit, and doesn’t really match up to what you’re going to see in an up-to-date build of ConfigMgr. If/when I get my hands on another Mac I can look at updating the content (although I’m really working with Azure and Chef these days), so I strongly recommend that you take a look at the work my colleague Peter Daalmans has been doing with ConfigMgr and Mac management. He blogs over at and he’s keeping up with all the latest developments in Mac management using Configuration Manager.

One of the (many) big changes in Configuration Manager 2012 SP1 is the ability to enrol and manage Mac OS X clients using a native agent. As you’d expect with any sort of cross-platform, non-Windows management story, you won’t be able to do all the same things with Configuration Manager that you can do with a Windows platform. Functionality in SP1 for Mac OS X will consist of:

• Hardware inventory
• Software inventory
• Application deployment
• Configuration deployment and compliance

And that’s not a bad list to be starting with 🙂

So how do you set this up and get Macs enrolled?
Microsoft has a step-by-step guide which contains all the information you’ll need, and it’s what I used to get my lab environment up and operational. So here’s my take on the whole process.

Requirements:

• Mac OS X clients running either Snow Leopard (10.6) or Lion (10.7). At the time of writing SP1 Beta was used (Build 7782) which does not support Mountain Lion (10.8);
• Configuration Manager hierarchy running Configuration Manager 2012 SP1 Beta (Build 7782) or greater;
• Configuration Manager 2012 SP1 site server should be running on Windows Server 2008 R2 SP1. Build 7782 does work on Windows Server 2012, but it’s slightly buggy and I lost a huge amount of time in troubleshooting. Stick with W2K8R2 for the moment and save yourself a headache;
• Configuration Manager hierarchy needs to be configured to support HTTPS communications, so you’ll need to go through setting up PKI. The reason for this is that Mac OS X clients are treated as internet clients at all times. This means that they are manageable regardless of where they are (assuming your site server is externally-accessible) but also that they don’t need to be joined to the domain. Check out for PKI certificate requirements in CM12;
• A PKI certificate template for enrolment on Mac clients. Full information on the process is.

Site Server Configuration

• In the Site System role for the primary site server (and every server which will service Mac clients), tick the option “Specify an FQDN for this site server to use on the Internet” and enter the FQDN. For the purpose of lab testing, this can be the internal FQDN of the site server – it doesn’t HAVE to be accessible externally.

Management point enabled for Internet access and mobile devices

• Install the server roles Enrollment Point and Enrollment Proxy Point.