Apple M1 Management
Over the past couple of months, I have been testing the new Apple MacBook Air, equipped with the Apple M1 System on a Chip (SoC).
The three articles linked below document my initial thoughts and findings.
Alongside performance, compatibility and battery life, I have been testing enterprise management, looking to ensure that Apple Silicon-equipped Macs can be enrolled and managed alongside their Intel counterparts.
The screenshots below highlight the enterprise enrollment experience using Microsoft Endpoint Manager (AKA Microsoft Intune) running on macOS 11 Big Sur. I also tested Microsoft Defender ATP for Mac.
Enrollment is achieved via Microsoft Company Portal, which can be downloaded from the Microsoft website.
Similar to Apple iOS and Google Android, Microsoft Company Portal is a standalone application that is used to enable the following capabilities:
- Device enrollment to access business resources, including Office 365, Productivity, Collaboration, and data (via OneDrive).
- Configure Single Sign-On (SSO) to simplify authentication.
- Access business resources via company-issued certificates.
- Browse and install approved business applications.
- View and manage enrolled devices, including the ability to remote erase, etc.
- Links to key business contacts for support, etc.
At the time of writing, the Company Portal application for Mac is Intel-only (x86 architecture) and therefore runs via Rosetta 2 emulation on Apple Silicon.
Once installed, the user must log in with a Microsoft Account (Microsoft User Principal Name) that is connected to a corporate environment, which will automatically check the device management status.
Microsoft has done a nice job making user privacy transparent, delivered in an easy-to-consume format. Assuming the user agrees with the privacy statements, the enrollment process will begin.
Similar to Apple iOS and iPadOS, a macOS management profile needs to be installed, which includes the pre-defined configuration setup using Microsoft Endpoint Manager.
Once complete, the device is checked for compliance. If there are any gaps (e.g. Password Policy, Encryption), the user is prompted to make the required updates.
Finally, the enterprise enrollment process will install any pre-defined business-critical software. I configured Microsoft Defender ATP for Mac, which is also running via Rosetta 2 emulation on Apple Silicon.
In conclusion, I am pleased to report that everything appears to be working as designed, which highlights (again) just how impressive Rosetta 2 is at emulating x86 architecture applications on Apple Silicon.
The enrollment process was seamless and the Microsoft Company Portal and Microsoft Defender ATP applications did not show any negatives running via emulation. I also tested a full remote-wipe, which initiated instantly, forcing the Mac to restart and prompt for a remote recovery (reinstall macOS 11 Big Sur).
Overall, I am pleased to see that the transition to Apple Silicon does not impact the ability to enable device management within an enterprise.