Apple’s latest operating systems delivered September 15, 2025, bring transformative changes to enterprise device management—but IT administrators managing devices face critical decisions and mandatory migrations that demand immediate attention.
Apple shifted to year-based versioning with OS 26 (representing the 2025-2026 release cycle), and more significantly, deprecated legacy MDM software update commands that will be completely removed in 2026. For organizations managing Apple devices through Intune, this release requires strategic planning around Declarative Device Management adoption, presents unprecedented device migration capabilities, and delivers powerful new security features—but only if you navigate the breaking changes correctly.
Microsoft provides day-zero Intune support for all three platforms, with expanded Settings Catalog options and full compatibility for existing management features. However, the window for migrating from legacy update management methods is closing rapidly, making this the most consequential Apple OS release for enterprise IT in years. Notably, macOS 26 Tahoe is the final version supporting Intel-based Macs, signaling the end of an era and forcing hardware refresh planning for many organizations.
Legacy update management faces mandatory sunset
The single most critical change for MDM administrators is Apple's deprecation of the traditional MDM software update mechanisms. All legacy methods, including the MDM software update commands, update-related restrictions, the com.apple.SoftwareUpdate payload, and MDM update queries, will be removed entirely with the 2026 OS release. Organizations must migrate software update management to Declarative Device Management now: anything still relying on the legacy methods will stop being managed once that release ships, roughly 12 months out.
DDM represents a fundamental architectural shift from reactive server-driven management to proactive device-autonomous configuration. Rather than the server pushing individual commands and waiting for each response, DDM lets devices independently apply configurations based on declarative policies, report status asynchronously through a dedicated channel, and keep operating correctly even when offline. This reduces server overhead dramatically while improving scalability and user experience.

For Intune administrators, the transition involves configuring DDM software update policies through the Settings Catalog rather than traditional device configuration profiles. Microsoft has integrated full DDM support with two primary policy models: Enforce Latest Policy automatically installs the newest available OS version within administrator-defined deadlines, while Targeted Version Policy specifies exact OS versions for controlled deployments when application compatibility demands precision.
Configuration requires navigating to Devices > Configuration > Settings Catalog, selecting iOS/iPadOS or macOS as the platform, and locating software update settings within the Declarative Device Management section. Key parameters include TargetOSVersion for specifying required versions, TargetLocalDateTime for enforcement deadlines, and deferral windows up to 90 days for major updates. The DDM status channel provides real-time compliance reporting, eliminating the need for server polling while delivering granular insights into update states—waiting, downloading, installing, or encountering errors like insufficient storage or low battery.

Organizations should immediately audit existing update policies, create DDM configurations in Settings Catalog, test on pilot devices representing diverse hardware and use cases, migrate production environments systematically, and remove deprecated policies only after verifying DDM functionality. The migration timeline is compressed: completing this transition by Q2 2026 is mandatory, not optional.
Device migration without data loss transforms MDM transitions
Perhaps the most transformative enterprise feature in OS 26 is the ability to migrate devices between MDM solutions without factory resets or data loss. For organizations consolidating MDM platforms, transitioning to Intune from legacy solutions, or restructuring management hierarchies, this eliminates the traditional requirement to wipe devices and manually restore configurations—historically the largest barrier to MDM migrations.
The migration process leverages Apple Business Manager as the orchestration layer. Administrators reassign devices to the new MDM server within ABM, set enrollment deadlines, and allow the operating system to coordinate the transition between old and new MDM platforms.

Users receive notifications with increasing frequency as deadlines approach, and at the deadline (or when users manually initiate), the device automatically unenrolls from the source MDM and enrolls in the target MDM.

During migration, critical profiles including Wi-Fi, VPN, and certificates are applied during an “Await Final Configuration” phase, ensuring devices maintain connectivity and security throughout. For macOS devices, FileVault recovery keys automatically rotate and escrow to the new MDM platform, maintaining encryption without user intervention. Personal data, applications, and user settings remain completely intact; only management configurations change.

Technical requirements include devices running macOS 26, iOS 26, or iPadOS 26; enrollment through Automated Device Enrollment (ADE); device presence in Apple Business Manager; and both source and target MDMs supporting Apple's migration APIs and Declarative Device Management. Intune fully supports serving as the target platform, with seamless integration with Microsoft 365 and Entra ID maintaining identity continuity.
Successful migration requires meticulous preparation: document all existing configurations in the source MDM, recreate profiles and policies in Intune using Settings Catalog to leverage modern declarative management, verify critical profiles like certificates and network access are configured in Intune before initiating migration, test the complete workflow with pilot devices, and establish clear communication plans for end users. FileVault key escrow and bootstrap token transfer for macOS devices demands particular attention to ensure administrative access persists post migration.

Platform SSO integration during device setup eliminates friction
Platform Single Sign-On has evolved from a post-enrollment configuration task to an integrated component of the Setup Assistant experience. Simplified Setup for Platform SSO on macOS 26 allows organizations to configure identity provider authentication as the first step during Automated Device Enrollment, fundamentally changing the device provisioning workflow.
Previously, Platform SSO could only be configured after users created local accounts, requiring post-setup intervention and credential synchronization. With macOS 26, PSSO becomes the initial Setup Assistant step: users authenticate with the organizational identity provider (such as Microsoft Entra ID) before a local account exists, and the local account is then generated automatically and kept in sync with the IdP credentials. If the iCloud setup pane remains visible, users can sign into Managed Apple Accounts without re-entering credentials, creating a seamless zero-touch experience.


The technical workflow
The new workflow is orchestrated between the macOS device, the MDM server, and the IdP.
- ADE Enrollment Trigger: The macOS device enrolls via Automated Device Enrollment (ADE).
- MDM Configuration: The MDM server recognizes the device’s ADE profile and sends a specific response (HTTP 403) with the Platform SSO configuration details and the location of the necessary SSO extension package from the IdP.
- Authentication Step: The macOS Setup Assistant downloads and installs the SSO extension and pauses the setup. The user is then prompted to authenticate with their IdP.
- Token Exchange: Upon successful authentication, the IdP returns a secure bearer token to the macOS device.
- Provisioning: The macOS device uses the bearer token to complete MDM enrollment and create the local user account, ensuring the password is synchronized with the IdP.
- Zero-touch experience: User profile pictures from the IdP can be automatically synced, and if the iCloud pane is visible, the user can sign into their Managed Apple Account without further intervention.
Note: as of this writing, Platform SSO during the Setup Assistant phase is not yet available with Intune and Microsoft Entra ID; the workflow above describes Apple's mechanism, not a shipping Intune capability.
Authenticated Guest Mode
For macOS 26, Authenticated Guest Mode extends the new Platform Single Sign-On (SSO) workflow to shared device scenarios, such as those found in healthcare, education, and retail. It provides a secure, temporary, and auditable access method for multiple users on a single Mac without creating persistent local accounts.
Key features and workflow
- Temporary user sessions: Instead of creating a permanent local account for every user, Authenticated Guest Mode creates a secure, temporary session. This is ideal for environments with high user turnover, as it prevents the buildup of user profiles and data.
- IdP-based authentication: Users log in using their organizational credentials from a configured Identity Provider (IdP). The authentication can also be performed using an NFC-enabled badge, such as a Digital Student ID in Apple Wallet on an iPhone or Apple Watch.
- Simplified login: For NFC-enabled access, users can simply tap their device on a compatible external reader attached to the Mac. This triggers a secure Single Sign-on process, eliminating the need to type in a password.
- Group management integration: Standard user privileges are granted by default, but administrators can define and assign specific permissions based on a user’s group membership in the IdP. This allows for granular control over user capabilities without managing local directory services.
- Automatic data erasure: When a user logs out, all local data for that temporary session is automatically and completely erased. This ensures user privacy, maintains a clean and reliable device for the next user, and simplifies device management.
Declarative Device Management expands to comprehensive device configuration
Beyond software updates, DDM in OS 26 dramatically expands scope to encompass application management, Safari configuration, and system settings across all Apple platforms. macOS 26 now supports deploying App Store apps, custom apps, and packages entirely through DDM, joining iOS and iPadOS in enabling declarative app distribution.
Expanded app management via DDM
Declarative app management is now the preferred method for managing application lifecycles, enabling more precise control and automation for IT administrators. With macOS 26, administrators can now deploy App Store apps, custom-built apps, and installer packages (.pkg) using DDM. This aligns macOS with the declarative app distribution model previously available for iOS and iPadOS.
Granular per-app update controls
For apps deployed via DDM, organizations can define specific update behaviors on a per-app basis.
- Enforce automatic updates: Ensure critical security and productivity apps are always up-to-date.
- Disable updates: Prevent unwanted changes to specific applications.
- Defer to user preferences: Allow users to manage updates for certain apps.
- Version pinning: Lock applications to a specific version to ensure compatibility with other software or to maintain a controlled release management process.
Asynchronous app status reporting
Rather than polling devices, DDM enables devices to proactively report the status of an app installation or update asynchronously through a dedicated “status channel”. This provides real-time updates on installation progress, success, or failure, improving administrative efficiency.
Cellular download restrictions
For iOS and iPadOS devices, administrators can restrict app downloads over cellular networks, preventing bandwidth consumption and controlling data costs for corporate-liable devices. This applies to App Store apps, custom apps distributed through ABM, and packages deployed via MDM. We hope to see these controls through Settings Catalog DDM app management declarations in Intune soon.
Safari management via DDM introduces native declarative configurations for enterprise browsing control. Organizations can deploy bookmarks in centrally managed folders with subfolder organization, define default homepages or start pages for new tabs and windows, control content summarization features, and manage private browsing restrictions. These configurations apply across iOS 26, iPadOS 26, macOS 26, and visionOS 26, providing consistent browser policy enforcement across the Apple ecosystem.


Additional DDM declarations available through Intune Settings Catalog include Default Applications, Allowed Camera Restriction, Extensible Single Sign On Kerberos, Allow Call Recording, Allow Live Voicemail.
The underlying DDM architecture leverages four core components:
- Declarations (configurations defining policies and assets)
- Status Channel (asynchronous device-to-server status reporting)
- Predicates (conditional logic determining when configurations apply)
- Extensibility (automatic adoption of new capabilities as they become available).
This enables sophisticated business logic executed on-device—applying different configurations based on OS version, device type, network status, time of day, or custom conditions without constant server communication.
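To make the four components concrete, here is an added example (written for this page; not code from the article, Apple, or Microsoft, and Intune generates these declarations for you when you use the Settings Catalog) that shows what the software update settings described earlier (TargetOSVersion, TargetLocalDateTime) become on the wire and how declarations, predicates and the status channel fit together: a configuration declaration, an activation with a predicate, the declaration-items manifest with its ServerTokens, and a reader for the device's status report. The Type, payload key and status-item names with a com.apple prefix follow Apple's DDM schema; the identifiers, the predicate string, the token-hashing scheme and the sample status report are constructed here for illustration.

```python
import hashlib
import json
from datetime import datetime
from typing import Optional

# Apple DDM declaration types used in this example.
ENFORCEMENT_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"
ACTIVATION_TYPE = "com.apple.activation.simple"


def server_token(payload: dict) -> str:
    """ServerToken is an opaque string that must change whenever the declaration
    changes. Hashing the canonical payload guarantees that (a design choice for
    this example, not something the DDM schema mandates)."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def declaration(dtype: str, identifier: str, payload: dict) -> dict:
    return {"Type": dtype, "Identifier": identifier,
            "ServerToken": server_token(payload), "Payload": payload}


def update_enforcement(identifier: str, target_version: str, deadline_local: str,
                       details_url: Optional[str] = None) -> dict:
    """TargetLocalDateTime is wall-clock time without a timezone, so the deadline
    fires at the same local hour on every device; reject anything else early."""
    try:
        datetime.strptime(deadline_local, "%Y-%m-%dT%H:%M:%S")
    except ValueError as exc:
        raise ValueError("TargetLocalDateTime must look like 2025-10-15T18:00:00") from exc
    payload = {"TargetOSVersion": target_version, "TargetLocalDateTime": deadline_local}
    if details_url:
        payload["DetailsURL"] = details_url  # link shown to the user in the update prompt
    return declaration(ENFORCEMENT_TYPE, identifier, payload)


def activation(identifier: str, config_ids: list, predicate: Optional[str] = None) -> dict:
    """An activation switches configurations on; its optional Predicate is evaluated
    on the device against status items (the @status(...) syntax is assumed here)."""
    payload = {"StandardConfigurations": config_ids}
    if predicate:
        payload["Predicate"] = predicate
    return declaration(ACTIVATION_TYPE, identifier, payload)


def declaration_items(activations: list, configurations: list) -> dict:
    """The manifest the device fetches first. It re-fetches only declarations whose
    ServerToken changed, and skips everything when DeclarationsToken is unchanged."""
    def refs(decls):
        return [{"Identifier": d["Identifier"], "ServerToken": d["ServerToken"]} for d in decls]
    items = {"Activations": refs(activations), "Configurations": refs(configurations),
             "Assets": [], "Management": []}
    joined = "".join(r["ServerToken"] for group in items.values() for r in group)
    return {"Declarations": items,
            "DeclarationsToken": hashlib.sha256(joined.encode()).hexdigest()}


def status_value(report: dict, keypath: str):
    """Status reports nest dictionaries along the dotted status-item keypath, so
    device.operating-system.version lives at StatusItems.device.operating-system.version."""
    node = report.get("StatusItems", {})
    for part in keypath.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def version_tuple(version: str) -> tuple:
    return tuple(int(x) for x in version.split("."))


def update_outstanding(report: dict, target_version: str) -> bool:
    """True while the device still reports an OS version below the enforced target."""
    current = status_value(report, "device.operating-system.version")
    return current is not None and version_tuple(current) < version_tuple(target_version)


# Constructed sample status report (not captured from a real device).
SAMPLE_STATUS_REPORT = {"StatusItems": {"device": {"operating-system": {"version": "26.0"}}}}

if __name__ == "__main__":
    cfg = update_enforcement("cfg.macos-26.0.1", "26.0.1", "2025-10-15T18:00:00",
                             "https://intranet.example.com/macos-update")  # hypothetical URL
    act = activation("act.all-macs", [cfg["Identifier"]],
                     "(@status(device.model.family) == 'Mac')")
    print(json.dumps(declaration_items([act], [cfg]), indent=2))
    print("update outstanding:", update_outstanding(SAMPLE_STATUS_REPORT, "26.0.1"))
```

The point worth noticing is that nothing here is a command: the server publishes a desired state and tokens, the device decides what to fetch and when to apply it, and compliance is read from the status report rather than from a command acknowledgement.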
Return to Service
Return to Service for iOS 26, iPadOS 26, and visionOS 26 dramatically streamlines the redeployment of shared devices by preserving managed applications during a device erase. This change is particularly beneficial for shift-based or high-turnover work environments, as it significantly reduces the time and bandwidth required to prepare devices for the next user.
How Return to Service works
The new workflow eliminates the time-consuming process of re-downloading applications after every wipe.
- Preparation and snapshot: An MDM administrator sends a “Return to Service” command to a device. During its initial configuration, the device takes a snapshot of all managed applications after they are installed and configured but before any user data is present. This is enabled using the AwaitDeviceConfigured key in the MDM configuration.
- Secure data erasure: When an erase command is triggered, the OS securely removes all user data, including caches and temporary files, to ensure privacy.
- App preservation: Instead of wiping the entire device and forcing re-downloads, the system reverts to the managed app snapshot. The app binaries are preserved, making the subsequent setup much faster.
- Automated re-enrollment: The device automatically rejoins the Wi-Fi network and re-enrolls with the MDM service. All necessary profiles and configurations are reapplied.
- Immediate availability: The device can be ready for the next user in a matter of minutes, cutting the previous 30–45 minute process down to less than 5 minutes.
Apple Business Manager APIs enable programmatic device management
The introduction of Apple Business Manager APIs provides the first programmatic interface to ABM device inventory and management operations. Organizations can now view device information, edit device management assignments, assign or reassign devices to MDM servers, export device data, and create custom reports entirely through API calls rather than manual web portal interaction.

Authentication uses OAuth 2.0 with JWT client assertions: an administrator creates an API account within ABM and holds the private key associated with it, and the client signs a short-lived JWT with that key and exchanges it for a bearer access token. Apple API endpoints at https://api-business.apple.com provide access to organizational devices (/v1/orgDevices), MDM server configurations (/v1/mdmServers), and batch operations for large-scale device management.
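As an added example (not Apple's code and not from this article), here is the client side of that flow in Python: the ES256 client assertion, the DER-to-raw signature conversion that JWS requires and that trips up most hand-rolled clients, the token request form, and a paginated walk of /v1/orgDevices. The claim names follow the standard OAuth 2.0 client-credentials flow with a JWT bearer assertion, but the token URL, audience value, scope name, 180-day assertion cap and the links.next pagination field are assumptions to verify against Apple's documentation. The signer and HTTP transport are injected so the module runs offline against the constructed fakes at the bottom.

```python
import base64
import hashlib
import json
import time
import uuid
from typing import Callable, Optional

API_BASE = "https://api-business.apple.com"
TOKEN_URL = "https://account.apple.com/auth/oauth2/token"          # assumed
TOKEN_AUDIENCE = "https://account.apple.com/auth/oauth2/v2/token"  # assumed
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
MAX_ASSERTION_LIFETIME = 180 * 24 * 3600  # assumed cap on exp - iat


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def der_to_raw_es256(der: bytes) -> bytes:
    """ECDSA libraries emit DER SEQUENCE{INTEGER r, INTEGER s}; JWS ES256 needs the
    fixed-width 64-byte r||s. An ES256 signature is always under 128 bytes, so
    short-form DER lengths are sufficient here."""
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    pos, parts = 2, []
    for _ in range(2):
        if der[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        length = der[pos + 1]
        value = der[pos + 2:pos + 2 + length].lstrip(b"\x00")  # drop DER sign padding
        parts.append(value.rjust(32, b"\x00"))                 # restore fixed width
        pos += 2 + length
    return b"".join(parts)


def build_client_assertion(client_id: str, key_id: str, sign_es256: Callable[[bytes], bytes],
                           lifetime: int = 3600, now: Optional[int] = None) -> str:
    """sign_es256 must return raw r||s. With the 'cryptography' package that is
    lambda m: der_to_raw_es256(key.sign(m, ec.ECDSA(hashes.SHA256())))."""
    now = int(time.time()) if now is None else now
    header = {"alg": "ES256", "kid": key_id, "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_AUDIENCE, "iat": now,
              "exp": now + min(lifetime, MAX_ASSERTION_LIFETIME), "jti": str(uuid.uuid4())}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = sign_es256(signing_input.encode())
    if len(signature) != 64:
        raise ValueError("ES256 JWS signature must be raw r||s (64 bytes), not DER")
    return signing_input + "." + b64url(signature)


def decode_unverified(jwt: str) -> tuple:
    """Header and claims for inspection only; this does not verify the signature."""
    header, claims, _ = jwt.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(claims))


def token_request_form(client_id: str, assertion: str, scope: str = "business.api") -> dict:
    """Form body POSTed to TOKEN_URL; the JSON response carries access_token."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_assertion_type": ASSERTION_TYPE, "client_assertion": assertion,
            "scope": scope}


def list_org_devices(transport: Callable[[str, str, dict], dict], access_token: str,
                     page_limit: int = 100) -> list:
    """Walks every page of /v1/orgDevices; transport(method, url, headers) -> parsed JSON."""
    url = f"{API_BASE}/v1/orgDevices?limit={page_limit}"
    headers = {"Authorization": f"Bearer {access_token}"}
    devices = []
    while url:
        page = transport("GET", url, headers)
        devices.extend(page.get("data", []))
        url = page.get("links", {}).get("next")  # pagination field name assumed
    return devices


# Constructed fakes so the module runs offline (not real Apple responses or keys).
FAKE_PAGES = {
    f"{API_BASE}/v1/orgDevices?limit=2": {
        "data": [{"type": "orgDevices", "id": "SERIAL0001"}, {"type": "orgDevices", "id": "SERIAL0002"}],
        "links": {"next": f"{API_BASE}/v1/orgDevices?limit=2&cursor=page2"}},
    f"{API_BASE}/v1/orgDevices?limit=2&cursor=page2": {
        "data": [{"type": "orgDevices", "id": "SERIAL0003"}], "links": {}},
}


def fake_transport(method: str, url: str, headers: dict) -> dict:
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing bearer token")
    return FAKE_PAGES[url]


def fake_sign_es256(message: bytes) -> bytes:
    return hashlib.sha256(message).digest() * 2  # 64 bytes of the right shape, NOT a signature


if __name__ == "__main__":
    assertion = build_client_assertion("client-id", "key-id", fake_sign_es256, lifetime=300)
    print(token_request_form("client-id", assertion))
    print([d["id"] for d in list_org_devices(fake_transport, "fake-token", page_limit=2)])
```

Keep the assertion lifetime short in practice: the private key is the credential, so a stolen assertion with a months-long exp is a stolen credential for that long, and the assertion itself is reusable for its whole lifetime if the server does not track jti.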

For Intune administrators, ABM API integration enables automated device assignment workflows triggered by asset management systems, bulk operations during device refresh cycles, real-time inventory synchronization that eliminates manual data entry, integration with third-party IT service management platforms, and automated reporting for compliance and audit purposes. This removes the bottleneck of manual device assignment that previously constrained large-scale Apple device deployments.
Enhanced device information now includes physical MAC addresses for Wi-Fi and Bluetooth interfaces on iPhone, iPad, Apple TV, and Vision Pro devices, IMEI and EID numbers for cellular-capable devices, AppleCare coverage details facilitating support planning, and device release tracking showing who released devices from ABM and when.
Security advances emphasize post-quantum cryptography and remote management
Security enhancements in OS 26 address both immediate threats and future quantum computing risks. Post-quantum cryptography is now enabled by default in URLSession and Network.framework, using X25519MLKEM768 hybrid key exchange automatically in TLS 1.3 connections. This protects against “harvest now, decrypt later” attacks where adversaries collect encrypted traffic today for decryption once quantum computers become viable.
Organizations must verify server compatibility, because legacy TLS implementations and some middleboxes fail when the ClientHello grows to carry a hybrid key share (the ML-KEM-768 public key alone adds about 1.2 KB, enough to push the ClientHello past a single packet). A TLS 1.3 server that does not support the hybrid group but handles the message correctly simply falls back to X25519; only brittle stacks break. Two checks with OpenSSL 3.5 or later (the first release with ML-KEM support; -curves is the older alias of -groups) separate the cases: openssl s_client -connect server:443 -groups X25519MLKEM768:X25519 offers the hybrid group with a classical fallback, so a failure here means the server or the network path cannot handle the larger ClientHello, while openssl s_client -connect server:443 -groups X25519MLKEM768 succeeds only where the hybrid group is actually negotiated. Secure Transport, Apple's legacy TLS library, does not support post-quantum algorithms and is deprecated; organizations still using Secure Transport must migrate to Network.framework or URLSession.
FileVault Enhancements
FileVault enhancements include automatic enablement when users sign in with an Apple Account during setup, recovery key storage in end-to-end encrypted iCloud Keychain rather than standard iCloud encryption, and, critically, SSH remote unlock, which lets administrators unlock FileVault-encrypted Apple silicon Macs over the network after a restart. Remote Login must be enabled and the Mac must be on Ethernet (Wi-Fi credentials live in the encrypted keychain and are therefore unavailable pre-boot), but this dramatically improves remote management of distributed Mac fleets.
FileVault recovery key escrow workflows have streamlined—if MDM installs escrow configuration when keys already exist and bootstrap tokens are present, keys automatically rotate before escrowing to the new MDM. This eliminates the previous requirement to cycle FileVault off and back on, reducing administrative burden and end-user disruption during MDM migrations or policy updates.
In previous versions of macOS, when an MDM solution deployed a FileVault profile to a Mac that was already encrypted, it would often prompt the end user for their credentials. The user would need to enter their password to authorize the generation and escrow of a new Personal Recovery Key (PRK). This created a less-than-seamless experience and required user interaction.
Passkey Ecosystem Maturity
In iOS 26, Apple introduced five new passkey APIs designed to improve implementation for developers and provide users with more seamless and flexible passwordless authentication. These APIs were announced at WWDC 2025 and released in September 2025:
The five new APIs are:
- New Account Creation API: This provides the fastest way to offer passkey sign-ups by integrating the process directly into the account creation flow. It prompts the user to create a passkey from the start, making a passwordless experience the default.
- Keep Passkeys Up-to-Date API: This allows developers to sync account changes, such as username modifications, with the user’s stored passkey credentials. The API works with credential managers to ensure passkeys remain consistent and valid.
- Automatic Passkey Upgrades API: This helps users move from passwords to passkeys by providing a seamless, automated upgrade path. It offers a standardized method for adding a passkey to an existing password-based account.
- Passkey Management Endpoints: These endpoints allow developers to signal their app’s passkey support directly to credential managers. This ensures that users can see that a service supports passkeys from within the Passwords app.
- Import and Export Passkey API: This API, based on a new FIDO Alliance standard, gives users control over their credentials by allowing them to securely import and export passkeys. It addresses a major user pain point by enabling passkey portability between different password managers and even other platforms like Android and Windows.



Intune Zero Day support with expanded Settings Catalog
Microsoft delivered day-zero compatibility for macOS 26 and iOS 26, ensuring all existing management features function immediately upon OS release. The Settings Catalog received significant expansion with new controls including audio accessory pairing configuration, comprehensive Safari browsing controls and restrictions, enhanced security restrictions including per-app camera access, default app settings for calling and messaging applications, web filtering improvements, and Platform SSO configurations with enhanced Kerberos support.
Minimum requirements were updated with the OS 26 release: iOS/iPadOS 17 or later is required for new enrollments (devices on older versions remain enrolled but cannot newly enroll), macOS 14 Sonoma or later is required, the Company Portal version that supports Purebred v3 derived credentials is needed, and a new Remote Help release is compatible with macOS 26.
For Apple Intelligence feature management, Intune supports comprehensive restrictions via Settings Catalog for supervised devices, including Writing Tools system-wide assistance, Genmoji custom emoji generation, Image Playground and Image Wand image creation features, iPhone Mirroring, ChatGPT integration, Math and Mail Smart Replies, Notes transcription, Safari summarization, and call recording capabilities. These restrictions prevent “Ready for Apple Intelligence” notifications on devices where features are organizationally restricted, reducing user confusion.
App Protection Policies received standalone controls for Apple Intelligence features in managed applications, including Writing Tools and Genmoji restrictions that apply within MAM-protected apps built with the Intune App SDK. Organizations can enforce these restrictions even on unmanaged devices accessing corporate data through app protection policies, extending governance beyond traditional MDM-enrolled device boundaries.
Enrollment modernization phases out legacy methods
User enrollment for BYOD scenarios transitioned from profile-based enrollment to account-driven enrollment, with the legacy method deprecated as of iOS 18 and formally unsupported in iOS 26. Account-driven enrollment requires users to navigate Settings > General > VPN & Device Management, select “Sign In to Work or School Account,” enter managed Apple Account credentials, and complete automatic service discovery via .well-known URLs or ABM fallback mechanisms.
Web-Based Device Enrollment eliminates the requirement to download and install Company Portal before enrolling devices. Users complete enrollment entirely through Safari, reducing friction for BYOD onboarding and improving enrollment completion rates. This complements account-driven enrollment for user affinity scenarios while supporting organization-owned devices without requiring app installation.
Automated Device Enrollment remains the preferred method for corporate-owned devices, providing zero-touch provisioning, mandatory enrollment with tamper-resistant profiles, device supervision enabling advanced management capabilities, and seamless integration with Platform SSO and Setup Assistant customization. Intune administrators should enroll all corporate devices through ADE for full management capabilities and enforce enrollment for organization-owned hardware.
Intel Mac support ends and compatibility constraints tighten
macOS 26 Tahoe is the final macOS release supporting Intel-based Macs. Supported Intel models include Mac Pro 2019, MacBook Pro 16-inch 2019, MacBook Pro 13-inch 2020 (four Thunderbolt 3 ports), and iMac 2020—dropping all MacBook Air and Mac mini Intel models plus earlier MacBook Pro generations.
Organizations with significant Intel Mac deployments must accelerate hardware refresh planning. Based on Apple's historical practice, devices on macOS 26 should receive security updates for approximately two years after the macOS 27 release (expected September 2026), which sets the effective deadline for replacing Intel hardware. Budget planning, procurement timelines, and migration strategies require immediate attention for organizations with hundreds or thousands of Intel Macs.
iOS 26 compatibility requires iPhone 11 or later (A13 Bionic or newer), dropping support for iPhone XS, XS Max, and XR. Apple Intelligence features specifically require A17 Pro or later (iPhone 15 Pro and the iPhone 16 series) or M1 or later (iPad and Mac). Organizations standardizing on Apple Intelligence capabilities must ensure hardware refresh cycles target compatible devices.
Implementation roadmap and risk mitigation
Successful deployment requires phased approaches balancing urgency of DDM migration against stability validation. Recommended timeline spans 12 weeks: preparation phase (weeks 1-2) updating Intune infrastructure, testing labs, documenting configurations, and preparing pilot groups; pilot phase (weeks 3-4) deploying to 50-100 users representing diverse use cases and monitoring issues; staged rollout (weeks 5-8) expanding to 25% of users weekly by department or geography; and full production (weeks 9-12) completing remaining devices with compliance enforcement.
Critical testing validates enrollment workflows for ADE and user enrollment, MDM profile deployment and policy application, app deployment through DDM mechanisms, configuration profiles for Wi-Fi, VPN, email, and certificates, compliance and Conditional Access integration, Platform SSO functionality with Microsoft Entra ID, third-party application compatibility including productivity tools and line-of-business apps, and FileVault encryption with remote unlock capabilities.
Waiting for 26.1 or 26.2 releases reduces risk for conservative deployment strategies, though security updates and DDM migration urgency may justify earlier adoption for some organizations.
User communication strategies should begin 3-4 weeks before deployment with benefit explanations and timeline clarity, continue with preparation instructions emphasizing backups and storage requirements two weeks before, provide final reminders and support resource information one week before, deliver update instructions with clear expectations during deployment, and maintain ongoing FAQ updates and feedback channels post-deployment. Multi-channel communication through email, intranet pages, Teams announcements, and manager briefings ensures consistent messaging.
Conclusion and Strategic Recommendations
macOS 26 and iOS 26 represent the most significant evolution in Apple enterprise management in years, driven by the mandatory transition to Declarative Device Management, unprecedented device migration capabilities, and comprehensive security advances including post-quantum cryptography. For IT administrators managing Apple devices through Microsoft Intune, immediate action on three fronts is non-negotiable.
First, migrate software update management to DDM immediately—the 12-month timeline until legacy method removal provides barely adequate time for testing, phased rollout, and issue remediation across large device fleets. Organizations delaying this migration risk complete loss of update management capabilities in 2026.
Second, evaluate MDM migration without wipe capabilities for consolidation initiatives—this feature eliminates the primary barrier to MDM transitions and enables previously impractical management restructuring. Organizations considering Intune adoption from legacy MDM platforms or consolidating multiple tenants should prioritize planning migration strategies.
Third, update VPN configurations and verify application compatibility before broad deployment—deprecated encryption algorithms cause immediate failures, while application incompatibilities create user productivity impacts. Testing with representative hardware and software configurations prevents large-scale disruption.
The confluence of mandatory migrations, architectural shifts toward declarative management, and the end of Intel Mac support creates strategic imperatives extending beyond typical OS upgrades. Organizations treating this as routine patching will encounter deployment failures, management capability gaps, and security vulnerabilities. Those approaching it as enterprise transformation—updating architectures, modernizing configurations, and accelerating hardware refresh—will gain significant management efficiency, security posture improvements, and reduced administrative overhead.
Microsoft’s day-zero Intune support and comprehensive Settings Catalog integration provide the foundation for successful deployment. The tooling exists, the documentation is available, and the migration paths are clear. What remains is organizational commitment to the work—and the clock is already running on the 2026 deprecation deadline.
Safari management via DDM does not apply for me: 0 check-in status after assignment, while the DDM updates policy and DDM storage management I have set are working perfectly. Maybe I missed something? All devices are on Tahoe 26.