I'm setting up a bunch of MacBooks that are already enrolled in Apple Business Manager (ABM) with users set up via federation through Entra. I've got Intune configured with basic profiles to install Office, Company Portal, Edge, Defender, OneDrive, and the SSO extension. However, I want to make the first login experience as seamless as possible—like pinning the Company Portal instead of relying on Spotlight. Also, I'm a bit confused about whether users can sign into the Mac using their Entra identity now. Has anyone faced a similar situation and found good guides or solutions for this? I'm experienced with Autopilot and Windows, but Macs are a bit outside my comfort zone.
2 Answers
In my last job, we decided to stop using Active Directory for our Macs and switched to Entra/Intune direct enrollment. It worked okay, but there was still quite a bit of manual setup needed—and that was a couple of years back. Ultimately, we went with Jamf, which took a few weeks to set up, but once we got it right, it allowed me to drop-ship a Mac to users who could log in with just an internet connection, and everything was set perfectly. We customized the dock layout, configured the Kerberos extension, and added our VPN app based on AD group memberships. The key was their LAPS implementation.
Apple introduced a feature called Platform SSO for Entra sign-in. I'm not sure if you’ve implemented it yet, but it shouldn’t be in preview anymore. You might want to check out this link for more information: https://learn.microsoft.com/en-us/intune/intune-service/configuration/platform-sso-macos
I’ve had a tough time getting Platform SSO to work on our MDM. For some reason, the Mac won’t create a new user until somebody signs into Intune with a local account first, which defeats the point of sending it directly to the user. Plus, the username ends up as `user.namedomain.com`. It’s been frustrating, and even support from SimpleMDM seems to think it’s a limitation from Apple. And don’t get me started on the Wi-Fi selection on the lock screen—it’s a hassle!

That Mac Admins Slack group is an excellent resource for troubleshooting. I've visited it whenever I need some help with Macs—really helpful people over there! You can find them at MacAdmins.org.