Automate a Microsoft Intune macOS proof-of-concept in minutes: policies, compliance, scripts, PKG apps, and optional Microsoft Defender for Endpoint (MDE) are deployed from a single script.
macOS
```bash
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew install --cask powershell
```
Windows
```powershell
winget install Microsoft.PowerShell
```
PowerShell modules (Microsoft Graph) are installed on demand the first time you run the script.
- MDM Authority: determines how you manage your devices (cannot be none). Learn how.
- APNS certificate: Required for any macOS enrollment. Learn how.
- Permissions: Use an Intune Administrator (or equivalent) or grant `DeviceManagementConfiguration.ReadWrite.All`, `DeviceManagementApps.ReadWrite.All`, `DeviceManagementManagedDevices.ReadWrite.All`.
- Optional MDE: Download your org-specific onboarding file before using `--mde` (see `mde/README.md` for detailed steps).
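
An added pre-flight check, not part of the project's own code: it signs in to Microsoft Graph requesting only the three scopes listed above, then reports any that were not granted and any extra scopes the session carries, so permission problems and over-privileged sessions surface before a run with `--apply`. The helper name `Test-IntunePocScopes` is hypothetical, and the example assumes the Microsoft.Graph.Authentication module is already installed.

```powershell
# Added example (not from intune-my-macs). Assumes Microsoft.Graph.Authentication is installed.
# Scopes copied from the Permissions prerequisite above.
$RequiredScopes = @(
    'DeviceManagementConfiguration.ReadWrite.All',
    'DeviceManagementApps.ReadWrite.All',
    'DeviceManagementManagedDevices.ReadWrite.All'
)

function Test-IntunePocScopes {   # hypothetical helper name
    param(
        [string[]] $Required,
        [string[]] $Granted
    )
    # Drop null/empty entries so an unauthenticated context yields an empty list.
    $Granted = @($Granted | Where-Object { $_ })
    # -notcontains compares strings case-insensitively by default.
    $missing = @($Required | Where-Object { $Granted -notcontains $_ })
    # Scopes beyond the required set (ignoring common sign-in scopes) deserve a review:
    # a delegated token carries every scope previously consented for the client app.
    $baseline = @('openid', 'profile', 'email', 'offline_access', 'User.Read')
    $extra = @($Granted | Where-Object { ($Required + $baseline) -notcontains $_ })
    [pscustomobject]@{
        Missing = $missing
        Extra   = $extra
        Ready   = ($missing.Count -eq 0)
    }
}

Connect-MgGraph -Scopes $RequiredScopes
$ctx = Get-MgContext
$result = Test-IntunePocScopes -Required $RequiredScopes -Granted $ctx.Scopes

"Signed in as $($ctx.Account) in tenant $($ctx.TenantId)"
if (-not $result.Ready) {
    Write-Warning "Missing Graph scopes: $($result.Missing -join ', ')"
}
if ($result.Extra.Count -gt 0) {
    Write-Warning "Session carries additional scopes: $($result.Extra -join ', ')"
}
```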
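```bash
# Clone the repository and preview what would be created (dry run)
git clone https://github.com/microsoft/intune-my-macs.git
cd intune-my-macs
pwsh ./mainScript.ps1 --assign-group "Intune Mac Pilot"
```
```bash
# Create the objects in Intune and assign them to the group
cd intune-my-macs
pwsh ./mainScript.ps1 --assign-group "Intune Mac Pilot" --apply
```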
The script defaults to dry-run mode. Nothing is created until you add `--apply`.
| Flag | Purpose |
|---|---|
| `--apps`, `--config`, `--compliance`, `--scripts`, `--custom-attributes` | Limit the import scope to specific artifact types |
| `--assign-group "Name"` | Assign every created object to an Entra group |
| `--prefix "[custom]"` | Override the default naming prefix |
| `--mde` | Include the `mde/` content (requires onboarding file) |
| `--remove-all` | Delete previously created objects that use the current prefix |
| `--apply` | Actually create/update/delete Intune objects (otherwise it's a preview) |
- Security & configuration policies: FileVault, Firewall, Gatekeeper, guest restrictions, login window, screen saver, managed login items, NTP, Office, Declarative Device Management, and more.
- Compliance & scripts: macOS compliance policy, enrollment restrictions, device scripts (Company Portal install, Dock customization, Escrow Buddy, etc.).
- Applications: Swift Dialog, Office 365, Teams, M365 Copilot, Intune Log Watch.
- Custom attributes: Hardware compatibility checks and other helpers.
- Optional MDE: Defender installer (see `mde/README.md`).
For the full artifact catalog and settings, see INTUNE-MY-MACS-DOCUMENTATION.md or generate a fresh Word doc with tools/Generate-ConfigurationDocumentation.py.
- `INTUNE-MY-MACS-DOCUMENTATION.md` – overview of every artifact.
- `mde/README.md` – Defender prerequisites and onboarding steps.
- `tools/README.md` – Utilities such as documentation export, duplicate payload detection, and processing-order reports.
- Auth or permission errors: Re-run `pwsh ./mainScript.ps1` after confirming the Graph permissions above; modules auto-install per user.
- Devices not receiving policies: Verify APNS, device enrollment, and group membership, then force a device sync.
Built with ❤️ by the Microsoft Intune Customer Experience Engineering team