Automate a Microsoft Intune macOS proof-of-concept in minutes: policies, compliance, scripts, PKG apps, and optional Microsoft Defender for Endpoint (MDE) are deployed from a single script.
**macOS**

```bash
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew install --cask powershell
```

**Windows**

```powershell
winget install Microsoft.PowerShell
```

PowerShell modules (Microsoft Graph SDK) are installed automatically the first time you run the script; no manual `Install-Module` is required.
- MDM Authority: determines how you manage your devices (cannot be none). Learn how.
- APNS certificate: required for any macOS enrollment. Learn how.
- Permissions: use an Intune Administrator (or equivalent) or grant `DeviceManagementConfiguration.ReadWrite.All`, `DeviceManagementApps.ReadWrite.All`, `DeviceManagementManagedDevices.ReadWrite.All`, `DeviceManagementScripts.ReadWrite.All`, `DeviceManagementServiceConfig.ReadWrite.All`, `Group.Read.All`.
- Optional MDE: download your org-specific onboarding file before using `--mde` (see `mde/README.md` for detailed steps).
Preview what the script would create (dry run):

```bash
git clone https://github.com/microsoft/intune-my-macs.git
cd intune-my-macs
pwsh ./mainScript.ps1 --assign-group "Intune Mac Pilot"
```

Create the objects:

```bash
cd intune-my-macs
pwsh ./mainScript.ps1 --assign-group "Intune Mac Pilot" --apply
```

The script defaults to dry-run mode. Nothing is created until you add `--apply`.
| Flag | Purpose |
|---|---|
| `--apps`, `--config`, `--compliance`, `--scripts`, `--custom-attributes`, `--enrollment` | Limit the import scope to specific artifact types |
| `--assign-group "Name"` | Assign every created object to an Entra group |
| `--prefix "[custom]"` | Override the default naming prefix |
| `--mde` | Include the `mde/` content (requires onboarding file) |
| `--remove-all` | Delete previously created objects that use the current prefix |
| `--tenant-id "GUID"` | Specify the Entra tenant ID for the Microsoft Graph connection |
| `--apply` | Actually create/update/delete Intune objects (otherwise it's a preview) |
To deploy into a specific tenant, pass the --tenant-id flag:
```bash
pwsh ./mainScript.ps1 --tenant-id "12345678-1234-1234-1234-123456789012" --assign-group "Intune Mac Pilot" --apply
```

- Security & configuration policies: FileVault, Firewall, Gatekeeper, guest restrictions, login window, screen saver, managed login items, NTP, Office, Declarative Device Management, and more.
- Compliance & scripts: macOS compliance policy, enrollment restrictions, device scripts (Company Portal install, Dock customization, Escrow Buddy, etc.).
- Applications: Swift Dialog, Office 365, Teams, M365 Copilot, Intune Log Watch.
- Custom attributes: hardware compatibility checks and other helpers.
- Optional MDE: Defender installer (see `mde/README.md`).
For the full artifact catalog and settings, see `INTUNE-MY-MACS-DOCUMENTATION.md` or generate a fresh Word doc with `tools/Generate-ConfigurationDocumentation.py`.

- `INTUNE-MY-MACS-DOCUMENTATION.md`: overview of every artifact.
- `mde/README.md`: Defender prerequisites and onboarding steps.
- `tools/README.md`: utilities such as documentation export, duplicate payload detection, and processing-order reports.
**NOT SUPPORTED:** Dynamic device groups must not be used for policy assignment with this project.

Dynamic device groups (e.g. rules based on `device.deviceOSType` or `device.deviceManufacturer`) introduce unpredictable delays during enrollment. Entra ID must first register the device, then evaluate the dynamic membership rule, and then Intune must check in. This chain means policies may not arrive until well after the user reaches the desktop, defeating "Await Configuration Done" and skipping critical policies like FileVault and passcode requirements.
Instead, use one of these supported approaches:
| Approach | How |
|---|---|
| Assignment filters (recommended) | Assign to All Users or All Devices and add a device assignment filter using (device.enrollmentProfileName -eq "Your macOS Enrollment Profile"). This ensures policies apply before first sign-in. |
| Static groups | Create a static (assigned-membership) Entra security group and add devices manually or via automation. |
Assignment filters are evaluated at policy delivery time with no group-evaluation delay, making them the most reliable option for enrollment-time policy targeting.
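To find policies that already violate this guidance, the following audit is an added example (not part of the intune-my-macs project). It lists device configuration profiles whose assignments target a dynamic Entra group and suggests the All Devices plus assignment filter pattern instead. It assumes an existing `Connect-MgGraph` session with `DeviceManagementConfiguration.ReadWrite.All` and `Group.Read.All` (both listed in the prerequisites), and uses the beta Graph endpoint for `$expand=assignments`; settings catalog policies live under `configurationPolicies` and are not covered here.

```powershell
# Added example, not project code. Assumes Connect-MgGraph has already been run
# with DeviceManagementConfiguration.ReadWrite.All and Group.Read.All.
function Find-DynamicGroupAssignments {
    [CmdletBinding()]
    param()

    # Beta endpoint: lets us pull each profile's assignments in the same request
    $uri = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations" +
           "?`$select=id,displayName&`$expand=assignments"
    $groupCache = @{}     # avoid re-querying the same group for every profile
    $findings   = @()

    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        foreach ($policy in $page.value) {
            foreach ($assignment in $policy.assignments) {
                $target = $assignment.target
                $type   = $target.'@odata.type'
                # All Users / All Devices targets are the supported pattern (add a filter);
                # only group-based include/exclude targets need inspection
                if ($type -ne '#microsoft.graph.groupAssignmentTarget' -and
                    $type -ne '#microsoft.graph.exclusionGroupAssignmentTarget') { continue }

                $groupId = $target.groupId
                if (-not $groupCache.ContainsKey($groupId)) {
                    $groupCache[$groupId] = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
                        -Uri "https://graph.microsoft.com/v1.0/groups/$groupId?`$select=displayName,groupTypes,membershipRule"
                }
                $group = $groupCache[$groupId]

                # Dynamic groups carry 'DynamicMembership' in groupTypes
                if ($group.groupTypes -contains 'DynamicMembership') {
                    $findings += [pscustomobject]@{
                        Policy         = $policy.displayName
                        PolicyId       = $policy.id
                        TargetType     = $type
                        Group          = $group.displayName
                        MembershipRule = $group.membershipRule
                        Recommendation = 'Assign to All Devices with an enrollmentProfileName assignment filter'
                    }
                }
            }
        }
        $uri = $page.'@odata.nextLink'   # follow paging until exhausted
    } while ($uri)

    return $findings
}

Find-DynamicGroupAssignments | Format-Table -AutoSize
```

An empty result means no classic device configuration profile is targeted at a dynamic group; re-run after migrating any listed policy to an assignment filter.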
- `Connect-MgGraph` not recognized: the Microsoft Graph SDK installs automatically on first run. If it fails, install manually: `Install-Module Microsoft.Graph.Authentication -Scope CurrentUser`.
- Auth or permission errors: re-run `pwsh ./mainScript.ps1` after confirming the Graph permissions above; modules auto-install per user.
- Devices not receiving policies: verify APNS, device enrollment, and group membership, then force a device sync.
| Date | Change | Details |
|---|---|---|
| 2026-04-10 | Removed SCR-APP-101 (Set Office Default Applications) | macOS 26.4 requires user consent for every default-app change. The utiluti-based script now triggers multiple confirmation prompts per user, making silent deployment impossible. See utiluti#10. |
| 2026-04-10 | Fixed POL-SEC-006 passkey autofill blocking | Changed allowPasswordAutoFill and safariAllowAutoFill to true so users can enable "AutoFill Passwords and Passkeys" during device registration. Fixes #17. |
| 2026-04-10 | Fixed POL-APP-100 deprecated MAU data collection value | Changed AcknowledgedDataCollectionPolicy from the deprecated "send required and optional data" to "send required data". Prevents MAU from repeatedly prompting users. Fixes #15. |
| 2026-04-10 | Added guidance against dynamic device groups | Dynamic device groups cause unpredictable enrollment delays. README now documents assignment filters as the recommended approach. Fixes #14. |
Built with ❤️ by the Microsoft Intune Customer Experience Engineering team