Microsoft Intune August (2408) release: Delivering on WWDC 2024 Promises
The August 2024 (2408) release of Microsoft Intune marks a significant milestone in the evolution of mobile device management (MDM) for Apple devices. In response to the new features introduced at WWDC 2024, Microsoft Intune has swiftly adapted to provide comprehensive support for macOS 15 and iOS/iPadOS 18. This
The August 2024 (2408) release of Microsoft Intune marks a significant milestone in the evolution of mobile device management (MDM) for Apple devices. In response to the new features introduced at WWDC 2024, Microsoft Intune has swiftly adapted to provide comprehensive support for macOS 15 and iOS/iPadOS 18. This update empowers IT professionals with the tools necessary to effectively manage and secure their Apple device fleet, ensuring seamless integration with the latest innovations from Apple.
In this blog post, we'll delve into the key enhancements introduced in the August 2024 release, exploring how Intune has risen to the challenge of supporting the latest Apple operating systems and delivering on the promises made at WWDC.
New Features and Capabilities
The August 2024 (2408) release of Microsoft Intune brings a host of new features and capabilities designed to enhance the management and security of Apple devices. Let's explore some of the key highlights:
Declarative Device Management (DDM): Apple continues to expand its DDM framework, which allows devices to autonomously manage policies and report their status to MDM servers in real-time. This eliminates the need for constant synchronization, enhancing scalability and reliability, especially for large enterprises. DDM now handles all aspects of software updates, including beta updates, making management more secure and efficient .
Enhanced Software Update Management: The new features provide admins with more granular control over software updates, including managing beta versions and notification behaviors. This is particularly useful for rolling out updates in a phased manner across different devices .
Safari Management: As an MDM admin, you can now manage Safari extensions across iOS, iPadOS, and macOS. This includes defining which extensions are allowed, controlling whether they are always on or off, and managing their access to specific domains, even in Private Browsing mode. This could make Safari more appealing as an enterprise browser.
Mac Management Enhancements: New capabilities include the ability to install executable files and service configuration files in a tamper-resistant location, giving admins greater control over Mac environments. Additionally, new disk management configurations allow IT to manage external and network storage options more effectively.
Security and Compliance: Apple has introduced new security features, including enhanced Activation Lock management and improved controls over multiple Apple IDs within organizations, streamlining the management of Managed Apple IDs
Let's explore these policies in detail and discuss how they can be configured within Intune.
External Disk Management with the New Configuration in Intune
This feature allows you to exercise granular control over external and network storage on macOS devices, enhancing data security and compliance within organizations.
Key Features of the New Disk Management Configuration:
You can choose to completely allow or disallow the use of external storage devices, such as USB drives or external hard disks. This control is crucial for environments where external data transfer needs to be tightly regulated to prevent data leakage or unauthorized data transfers.
Similar to external storage, the Disk Management configuration lets you manage access to network storage. This is particularly important in scenarios where sensitive data should not be stored or accessed via network drives, ensuring that all corporate data remains within secure, designated locations.
For situations where access to external or network storage is necessary but needs to be restricted, the Disk Management configuration provides an option to mount these storage devices as read-only. This ensures that users can view and access files without the ability to modify or transfer them, adding an additional layer of security.
The Payload:
Payload Definition:
The configuration uses the com.apple.configuration.diskmanagement.settings payload, specifically designed for managing disk-related settings on macOS devices. This payload provides the framework within which all disk management policies are applied.
Supported Operating Systems:
The settings are applicable to macOS 15.0 and later versions. This ensures that only devices running the latest supported OS versions can utilize these advanced management features.
The configuration supports both supervised and local enrollments, meaning it can be applied to both corporate-owned devices under full management and locally managed devices.
Configure the Disk Management Settings using Intune:
When configuring these settings in Intune, you would create a profile utilizing the Disk Management payload under Settings Catalog. This allows you to define the desired restrictions for both external and network storage, ensuring that these policies are enforced across your managed macOS devices.
In the Basics tab, enter the required information, and select Next:
In Configuration settings, select Add settings > expand Declarative Device Management > Disk Management
Choose Restrictions and then close the settings picker.
Configure the settings & Select Next.
In the Assignments tab, select the users or groups that will receive your profile.
In the Review + create tab, review the settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
MDM Payload Delivered to Device:
:
Managing Safari Extension Settings with the New Configuration in Intune
The new Safari extension management feature is built on a declarative configuration framework, using the com.apple.configuration.safari.extensions.settings payload. This setup enables you to precisely manage which Safari extensions are active on devices, how they behave in different browsing modes, and which websites they can interact with.
Managed Extensions: Allows admins to specify the exact extensions that are managed on the device. You can define individual extensions using their composed identifiers or use a wildcard (*) to apply the policy to all extensions. This flexibility ensures that only approved extensions are active on users’ devices.
Extension State: You can allow users to choose to turn the extension on or off, or for certain extension to remain permanently active and cannot be disabled by the user or even permanently disable them and they cannot be enabled by the user.
Private Browsing State: Similar controls apply within Safari’s Private Browsing mode also.
Domain Control: Specifies a list of domains where the extension is allowed to function.
DeniedDomains: Conversely, this list defines domains where the extension is not permitted to operate.
Configure the Safari Extension Settings using Intune:
When configuring Safari extension settings in Intune, these controls allow organizations to create a tightly managed browsing environment. This not only enhances security but also helps in maintaining a consistent user experience across the organization.
Choose Managed Extensions and then close the settings picker.
Configure the settings & Select Next.
💡
To configure extension you have to add the composed identifier of the managed extension, or "*" for all extensions.
In the Assignments tab, select the users or groups that will receive your profile.
In the Review + create tab, review the settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
End User Experience
Managing Software Updates with the New Configuration in Intune
This new approach replaces all legacy MDM software update commands, profiles, and restrictions, offering you as an MDM admin more granular control over how and when updates are deployed.
Key Features of the Software Update Settings Configuration:
Controlled Notification Timing: The new configuration allows to customize notification behaviors. Notifications can be set to trigger only one hour before the enforcement time and during the restart countdown, minimizing disruption while ensuring users are aware of impending updates.
Default Behavior: By default, all enforcement notifications are shown, but this can be modified depending on the organization’s needs.
Flexible Deferral Periods: The configuration allows admins to defer major, minor, and system updates for up to 90 days.
Granular Control: Separate deferral periods can be specified for major updates, minor updates, and system updates, allowing for nuanced control over when different types of updates are made available to users.
Rapid Security Response: This setting allows admins to manage Rapid Security Responses (RSRs), which are critical security updates that can be deployed outside of the usual update cycle. Admins can enable or disable the installation and rollback of these updates.
Controlled Beta Enrollment: The new settings include controls for managing device enrollment in beta programs. Admins can allow users to enroll in beta updates, enforce specific beta programs, or prevent beta enrollment entirely. This is particularly useful for organizations participating in Apple’s beta testing programs while maintaining control over which devices participate.
Recommended Cadence: You can specify how software updates are presented to users when multiple versions are available. Options include showing all available updates, only the oldest version, or only the newest version, depending on organizational needs.
Configure the new Software Update Settings using Intune:
Choose the required settings and then close the settings picker.
Configure the settings & Select Next.
💡
P.S: I have disabled the option to "Allow Standard User OS Updates". This is recommended approach as this gives you more control on holding the major release before you test it & push it to end users.
In the Assignments tab, select the users or groups that will receive your profile.
In the Review + create tab, review the settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
MDM Payload Delivered to Device:
Enhancing Platform Single Sign-On in Microsoft Intune
The August 2024 release of Microsoft Intune expands the capabilities of Platform Single Sign-On (SSO) to provide deeper integration with identity providers (IdPs), adding new security and authentication options across macOS devices. This enhancement allows organizations to leverage IdP authentication not just during login but also for unlocking FileVault and the lock screen, ensuring a consistent and secure user experience.
IdP Authentication at FileVault Unlock: With this update, IdP authentication can now be required at the FileVault login screen on macOS. This means that even before accessing the desktop, users must authenticate through the organization’s identity provider, adding a crucial layer of security for encrypted drives.
Flexible Authentication Policies: As an MDM admin, you can now configure whether IdP authentication is attempted or required at the FileVault screen. For example, the AttemptAuthentication policy allows for a fallback to local credentials if the IdP is unreachable, while RequireAuthentication enforces strict IdP authentication unless certain grace periods are configured.
Login Window Enforcement: The same flexible IdP authentication policies apply to the macOS login window, ensuring that users authenticate through their IdP as they log into their devices. This can be set to either attempt authentication with a fallback or require authentication strictly, ensuring secure access control from the moment the device is accessed.
Screensaver Unlock: The UnlockPolicy can be configured to require IdP authentication before the screensaver can be unlocked, again adding another layer of security. Admins can allow grace periods or fallback options based on the organization’s security posture.
Managing Offline Access: For scenarios where devices are offline, the AllowOfflineGracePeriod setting permits users to log in or unlock their devices using their last successful IdP credentials within a specified grace period. This ensures that users can still access their devices without compromising security when connectivity issues arise.
In Basics, enter the descriptive name for the policy and Select Next.
In Configuration settings, select Add settings. In the settings picker, expand Authentication, and select Extensible Single Sign On (SSO):
In the Assignments tab, select the users or groups that will receive your profile.
In the Review + create tab, review the settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
End User Experience:
💡
There are updates to the messages displayed in the login window. If the policy mandates a cloud-based login but the service is unavailable, the login window will now inform you of this issue.
If you have configured RequireAuthentication for the UnlockPolicy , FileVaultPolicy or LoginPolicy , then Platform SSO authentication is required before proceeding.
If the device is offline and AllowOfflineGracePeriod is enabled, then the offline OfflineGracePeriod is used to determine if the user can proceed or not.
If online and the credential is incorrect, then a valid Platform SSO authentication is required to proceed regardless of the OfflineGracePeriod.
If the account is not registered for Platform SSO and AllowAuthenticationGracePeriod is enabled, then the AuthenticationGracePeriod is used to determine if the user can proceed or not.
If the policy requires cloud login but it is unavailable, the login window prompts accordingly.
MDM Payload Delivered to Device:
💡
To utilize the new keys for login policy, FileVault, and Unlock, you need to configure the Platform SSO profile’s AuthenticationMethod to Password.
If you've set the authentication type to SecureEnclave, the following error will appear:
mdmclient: [com.apple.ManagedClient:CPDomainPlugIn] [ERROR] [0:MDMDaemon:CPDomainPlugIn:<0x29a0>]
<<<<< PlugIn: ValidatePayloadForInstall [SingleSignOnService] Error: Error Domain=SingleSignOn Code=1 "The “Single Sign On Extension” payload contains an invalid value for the key: “PlatformSSO.UnlockPolicy”."
UserInfo={IsInternalError=true, NSLocalizedDescription=The “Single Sign On Extension” payload contains an invalid value for the key: “PlatformSSO.UnlockPolicy”.} <<<<<
Conclusion
This latest release of Microsoft Intune showcases the platform’s commitment to staying ahead of the curve, delivering comprehensive support for Apple’s upcoming iOS 18, iPadOS 18, and macOS 15—despite these operating systems still being in beta. Intune’s ability to integrate and manage these cutting-edge features even before the general availability of these Apple OS versions highlights its blazing fast adaptability and forward-thinking approach.
With these enhancements, Intune provides IT administrators with unparalleled control and security across their Apple device fleets, ensuring that organizations are ready to fully leverage the new capabilities as soon as they are officially released. This proactive update not only underscores Intune’s agility but also reinforces its position as a leader in modern device management, ready to meet the needs of enterprises as they navigate the future of IT infrastructure.
For this post, we focused on Macs, but stay tuned as in the next post we will cover all the new features in the latest release for iOS/iPadOS devices.
