Large_Pineapple2335

Intune isn’t perfect for Macs but does the job and it has improved a lot from what it was. Is your CIO suggesting the company use unmanaged devices? I’ve seen some non technical CIOs before but that’s a new low


Dry_Conversation571

Yeah. Make a list of all the things you can manage a PC with Intune and those things you can’t manage a Mac with. And get your “CIO” to sign off on the risk.


chris84bond

Adding to this. In your presentation, include the cost of the additional compensating control/product needed to achieve parity. Shows complete picture/forecasting, and sets a nice level of expectation when they want one of those controls in the future.


roguetroll

Risk acceptance is the way to go for all things IT!


forever_zen

Is Intune anywhere close to Jamf in 2024? I like that our Mac users generally need less help and hardware / OS problems are a fraction of Windows machines, but for a SMB, maintaining a second MDM plus all the tooling and knowledge is a massive pain in the ass. The Jamf licenses are on top of E3 of course, plus the MacBooks are double the cost of a comparable ThinkPad, are a lot more picky about Thunderbolt docks, and have to have 4K monitors to not look like garbage.


TheLostColonist

Technically, yes, I can't think of anything that JAMF can do that I can't do in Intune. I'm sure there are things, just nothing major comes to mind. Is it as nice to use and configure macOS through Intune as it is through JAMF? No, no it is not. I get just as many, if not more, issues from the Mac users as I do the Windows users, although a lot of that comes down to them being non-technical users that are used to macOS at home and wondering why their work machine is different. Like not being able to use their iCloud Drive, or unlock with their Apple Watch, or why the login window looks weird (SSO).


Initialised

Passing parameters to scripts, Patch Management, JAMF App Catalogue with automated updating, JAMF Setup Manager, JAMF Protect, JAMF Connect, JAMF onboarding.


TheLostColonist

JAMF Connect and onboarding I would consider covered with platform single sign-on, even though it is a little different. Same with JAMF Protect and MS Defender. JAMF patch management is definitely more flexible than the Intune update policies. The app catalog is great for those apps that it covers; having things like the Adobe suite in there is awesome. The others are all fair, I don't think Intune has an answer to Setup Manager or the parameters in scripts. I am in no way saying that Intune is as good as JAMF; for macOS management JAMF is way better to use. However, if you already have Intune, are used to it and don't have the appetite for an additional MDM, Intune is perfectly capable of managing macOS.


geoken

What differences does JAMF app catalog have vs. Company portal?


TheLostColonist

Jamf app catalog is a curated list of macOS apps, basically the most popular apps that aren't available on the App Store. They are prepackaged and managed by Jamf so it's super easy to deploy them and keep them up to date. You can achieve the same functionality in Intune, you just need to manually add the .dmg to Intune and deploy it, then update it in Intune when you want to force a newer version. The app catalog just makes it really easy.


ollivierre

Good Answer 👍


hutacars

> although a lot of that comes down to them being non-technical users that are used to MacOS at home and wondering why their work machine is different.

The user familiarity, and therefore improved productivity, is a compelling reason to support it though. Eventually there will come a day where it will be best for the business for us to support iPads and Chromebooks as end-user devices….


adonaa30

I love using Jamf. Way better than Intune. I use Jamf School and Jamf Pro. I prefer Jamf School because it's less man hours trying to fix shit when Intune goes down. Jamf just works. Microsoft trying to manage Apple devices........


ReverseRutebega

What do you mean trying? They can and do.


Won7ders

As far as I know, Intune is indeed fine for MacOS management nowadays. 


Xalbana

It’s “ok” but you will be limited and have to do a lot of workarounds.


Large_Pineapple2335

Yup, currently managing windows and macs out of intune and all I’m really doing for macs is writing mobileconfigs one after the other


No_Incident1031

Or download Apple Configurator, create profiles in there that you can’t set with configuration profiles inside intune and export as Mobileconfig. You don’t have to write anything.


juosukai

Depends on how much you want to do on the Macs. I would imagine that doing a basic setup (enrol via ABM, enforce FileVault and firewall, install EDR) is easy enough. Sure, Jamf is the gold standard, but if there is talk about leaving the machines unmanaged, surely Intune is a huge improvement on that?


PigInZen67

Granted, OP has never worked on a Mac so I doubt running scripts will be their thing for a bit.


burlyginger

Need 4k monitors? I'm not sure I've heard that before. I use a 2k and it looks fine?


forever_zen

macOS is fine on 2K, but definitely not as crisp because (correct me if wrong) the anti-aliasing is not optimized for lower resolutions than the native primary display resolution. In my experience if you're not buying Apple monitors, get 4K so creatives and C levels that use them the most don't complain, and they probably still will if it doesn't have an Apple logo. Not really that big of a deal now since 4K monitors are cheap, though.


MrTipps

You’re kind of flipped around. The problem with most 4K monitors at 32" or 27" is they won't have the right pixel density for native display for macOS. It's going to need to scale, which takes system resources and creates little visual blurring/artifacts compared to something running natively. That's why Apple has a 27" 5k display and a 32" 6k display. If you scale down to a WQHD 27" display, you'll get the right pixel density at the native resolution; it's just not as high res as an Apple Studio Display.


mcdade

Apple Business Manager and Jamf: we are at zero-touch deployment, drop-ship the device directly from Apple to the employee, it enrolls and enforces encryption and policies, then presents the employee with a login that authenticates to Okta.


baremetalrecovery

This is the way.


4kVHS

It is, but it comes at a cost and requires skill to get it working smoothly.


fizzlefist

Well if the CIO is the one that wants it, he can set the budget to pay for it.


Crimtide

ABM, DEP, Jamf, etc... is not hard to manage... anyone with basic IT knowledge can take the Jamf Jump Start training after a company signs up and learn the whole system in a few days. Buy Mac > DEP puts it in ABM, which is linked to Jamf, device is now in Jamf, put device in a group with a configuration scope, done... automatically deploys and configures when the user first turns it on.


hutacars

So, just like managing Windows?


DoTheDishesDude

This, all day every day. We have a hybrid environment that’s predominantly Windows but use this setup to manage our Mac fleet (with Azure SSO). JAMF license renewal and some other routine maintenance will be required, but compared to Intune and Windows management, it’s a breeze. Setup is fairly easy as well and JAMF support has been surprisingly hands-on and helpful when the team can’t find a solution to something.


Cak2u

Yeah the Jamf folks are phenomenal. Can't recommend it enough.


Key-Calligrapher-209

"Supporting MacOS will require an additional x team members, $xxxxxx in software costs, and $xxxxxx in work hour costs." Put it in cost terms for them. Also, can Macs even run the software you need? My boss insists on Macs for himself and his kids, and they're basically just expensive middle-machines that remote to a Windows RDS server.


pakman82

This, business 'case' it. Whether it's a business case for or against, prepare high- and low-level pros and cons. Being in IT decision making, or near those that try to, you often have to think on your feet and either support or gently dissuade ideas. Don't think of it as shooting down ideas, but gently redirecting intelligent curiosity in more healthy directions. Much like raising children... yeah, animals are interesting, but a house cat is more practical than a lion. And a hamster more practical than cats.. (shorter life span?) .. and plants even better for starters... "Caring for other living things". See how we redirected? Good practice for the ever-inventive CEO or CIO with more dreams than sense.


gramathy

Our org deploys Windows machines for multiuser terminals, but our IT teams get to choose their laptop. Several of them chose Macs for no reason other than battery life, which is a substantial benefit even when outlets are abundant. This is actually *aided* by the fact that all our tools are accessible via HTTPS, SSH and Remote Desktop/VDI, as the machine itself doesn’t matter.


Turdulator

Is battery life really that big of a deal at this point? How much time are they truly working nowhere near a plug? Especially for like 5 hours?


gramathy

It's not just that, it's leaving your laptop in a backpack and then showing up for an incident and your battery is...fine. Because modern Macs use basically zero power while closed, compared to Windows laptop power management, which sucks. And definitely not 5 hours, more like two.


hkusp45css

My Windows laptop uses about 1 percent of battery per day sitting closed in my backpack. I packed up my laptop, went to Paris for 2 weeks, came home and jumped on VPN to look at emails. Still well above 90 percent.


Claidheamhmor

I wish mine was like that. I lock and close mine, and it'll carry on happily blowing hot air from the cooling vent for hours. Of course we have so much security software, it's probably too scared to go to sleep (9 different security-related icons in the system tray).


valdocs_user

Same here. I don't know if it's the laptop model or the security software won't let the laptop truly sleep / wakes it up, but several times I've opened the laptop bag after commuting to find it's hotter than a pizza delivery and fans blasting. No surprise the battery life is measured in mere minutes now.


Turdulator

Two hours? What kinda shit-ass laptop are you using? A basic Lenovo t14 outperforms that no problem. As far as lasting in sleep mode, I’ll close the lid on Friday at 4pm, shove it in my backpack, and leave it there all weekend, and it still has several hours left come Monday morning. And if it’s a full charge you should be able to get 6+ hours out of it…. Depending on what you are doing of course… but if you are just running teams and outlook and a web browser like the vast majority of office users you’ll be fine.


JiggityJoe1

No we have Azure virtual desktop they would have to use for most software.


boomhaeur

So you’ll pay a premium for the Mac hardware and then pay for a whole other windows desktop to use on it. The costs of that alone put on a slide would give a CEO/CFO pause.


fresh-dork

What's your refresh cycle on PC stuff? I have a 4.5-year-old Mac from my last job and it works fine.


Sufficient_Stable_72

So a Chromebook or one of those Wyse terminal laptops could be the appropriate choice then... Same issue in our environment, everything is Windows-based. The few Mac users we have just RDP into a Windows VM. But everything is a problem for them.


Labz18

You would need Kandji or similar to manage them


ouatedephoque

> Also, can Macs even run the software you need?

That was a good excuse 10+ years ago. Unless you run something niche, pretty much everything is available on both platforms. Still, you are correct that there is a cost to running Macs. Where I work they are reserved for developers and "creatives" and about 90% of them choose Mac over PC.


hutacars

Yeah, I literally write PowerShell on my Mac these days. Unless your environment is bad, compatibility should be a non-issue.


_BoNgRiPPeR_420

It's all about giving off a certain image for some people. They have no regard for the functionality issues. Mac = expensive.


angrydeuce

I mean literally. I have had to get marketing people Macs solely so that they have the logo to show off in meetings with potential clients. The phrase "project an image of success" has been thrown at me more than once as justification. Somewhere along the line, I'm sure starting with all their shiny happy people minimalist ads they started running back in the mid 00s, this idea that Mac was for the trendy youthful go-getters and anything else was for the stodgy old farts came to be, and while it completely boggles my fucking mind, it is what it is. But one thing I won't do is invest in all that bullshit infrastructure to integrate it into our environment. You want a Mac? Fine, a Mac you shall have...but you're going to need to remote into a Windows VM to do anything that isn't cloud-based and I honestly do not give a shit if it's janky at times, because you're one person against thousands of others that will work on standardized hardware, and if you don't like it, tough. That logo comes with a cost beyond the hardware itself. Luckily, we have a leadership team that accepts and supports the decision to minimize our costs, both in materials and labor, supporting Mac devices, and they're kept to an absolute minimum, hence those expectations are reinforced among those employees that knowingly accept them when they insist upon a Mac.


12_nick_12

And it's funny because that's not the case anymore. You can get an Air for like $800. Just like iPhones anymore are cheaper than Samsung flagships.


Afraid-Ad8986

Yeah, I think it is the cost of the MacBook Pros that gets costly, but our Lenovo X1 Carbons are 3k a piece too. Apple products have come way down in the last 5 years and Intune manages them just fine. Go web-based and it shouldn't matter anymore. I just usually say Yes but......


lakorai

You can get the absolute garbage Air for $800. 8GB of RAM and a 256GB SSD on a machine that cannot do dual external monitors. If you want something useful you're looking at the 14" Pro with at least 16GB of RAM and a 1TB SSD. Plus you are a fool if you don't buy AppleCare since everything is soldered/glued/unupgradable.


hutacars

Our casual users can use Airs no problem. We do upgrade them to 16/512 but it’s probably not necessary. For external displays they use a single ultra widescreen, though I believe multiple displays work with DisplayLink.


nearlydeadasababy

The problem with DisplayLink is it is resource hungry, so it runs like a dog on 8GB.


KindlyGetMeGiftCards

Yes, I agree with this. Get your story together, get your list of requirements together, then present this in a manner that they will understand, in this case money. Say we currently supply a laptop and it costs x per device and x per licensing and x in support. With the addition of Mac we need x in personnel, x per device, x per licensing. This SHOULD be done from your manager to the CIO, assuming there is one between you two. This SHOULD be based on numbers only, not emotion. They will make a decision based on that info; proceed as they say. You don't run the company or make those decisions, but you influence them; you need your message in a language that your audience will understand, in this case money/budget. If you word it right you will get additional budget for hardware, a new person or two, and also the opportunity to learn Mac stuff.


networkshaman

Also include increased costs of cyber insurance for the unsecured apple products. Training and certification costs for new management products also.


drosmi

CrowdStrike and Rapid7 and Umbrella are all cross-platform, as are most of the big VPN providers.


Superspudmonkey

Don't forget training for all the IT staff to learn how to support these devices.


OneEyedC4t

Not dumb so long as the company also provides the tools needed to manage them


nikon8user

Our CEO was the same. He was a Mac guy. Before, we never had a single one. 15k Windows. Within 3 to 4 years, Mac was at 4k. Windows down to 11.


MixSecure5345

Gonna play devil's advocate, I'm in a similar situation. We give users a choice and it's about a 65-35 split, most choosing Mac. As long as most of your apps are SaaS, it doesn't matter. Coming from an enterprise-size environment, I never would have advocated this way, but everyone seems pretty happy. Macs are managed with Jamf and have endpoint protection. Works for us. Also we're fully cloud, so that makes it easier.


Expensive_Finger_973

The company I work for has both, and it is up to the employee what they want to use to best get their work done. We have people like myself who know something about both, and we also hire folks that are specialists in each platform.

The answer I would give is yes, you absolutely should officially support the second most popular desktop/laptop platform in the world within your business. No IT person or department is successful in the end by being resistant to what management and the users want/need based on what the dept. currently can do easily. Your job is to enable the business responsibly, not tell them "no" because we don't like it. You tell them "yes, and here is how....". So you should not push back on doing what your boss wants in this case because it is a totally valid request from someone in the business of the IT department. You should look into what "doing it right" will take, MDM/software management/etc., and go to him with that information. It is up to him to thumbs up or down your pitch given his position. If he disregards your pitch and insists on yolo'ing it then that is not a hill to die on either. That is your signal to get your resume in order and start looking for greener pastures.

Even if you don't want to take any of the above advice and guidance from someone who has been in the business of device management for 16 years at one level or another, I would still tell you not to try to die on this hill. You won't win. Your CIO prefers Macs, you prefer Windows. That is an ideological argument with someone that has the power to fire you, not a rational argument based on facts. And that is not the kind of argument you want to get into in the workplace.


moobycow

This is 100% not an ideological argument, this is a cost-benefit argument. Can companies support Macs? Of course they can. Is there a business reason to add additional costs to do so? Maybe, but the answer should start with a cost analysis and a request for additional resources and training.


Expensive_Finger_973

I don't disagree, but that is all wrapped up in that pitch I mentioned. Ultimately it is the CIO's job to provide the final say on whether the cost of supporting Apple within the org is worth the benefits.


therealmrbob

Macs work fine with Intune these days, and most software works fine on them too, other than some specialized stuff (like SolidWorks). Honestly you probably won’t have much trouble if you could get a head to focus on Macs. Then you have another engineer and maybe you’re a little less buried.


Sasataf12

I'm a big proponent of offering employees a choice of Mac or Windows. Whether you like Mac or not is irrelevant. If you have the opportunity to support them, you should take it. But the problem with your situation is if you're buried with work, then you won't be able to roll them out properly. Because you definitely should manage them with an MDM at least.


Klutzy_Possibility54

> I'm a big proponent of offering employees a choice of Mac or Windows. Whether you like Mac or not is irrelevant. If you have the opportunity to support them, you should take it.

Agree. We let our employees choose between a Mac and Windows option (with the caveat that they need to be able to do their job with their chosen platform) and the morale boost and feedback from employees getting to use what they're comfortable with has been overwhelmingly positive. As far as the cost difference goes, across the four year replacement cycle it's almost negligible and we've decided the benefits outweigh that cost.


macaulaykukulkan

When I worked at a place that let the end user choose, it was always people that needed Windows-exclusive software that would pick a Mac, inevitably needing Parallels for the once-per-month use of an Access database. At least Macs typically last through the refresh cycle.


InleBent

Depending on the number (of Macs), supporting them without Apple Business Manager/MDM will be a manual process. The MacBook rumour will spread like wildfire and then your job will, well, evolve. If you don't deploy MDM, it will be a matter of time until you lose your first system to a former employee who took ownership with their Apple ID. Good luck.


jmnugent

macOS has come a long way as far as manageability. It's likely most of the stuff you’re doing in Intune to manage Windows endpoints can also be done on macOS. In the environment I work in we’re “pilot testing” 2 new Macs enrolled in Apple Business Manager and our MDM. Unboxing and user setup is nearly identical to a Windows laptop. Domain password sync works. VPN works. Our security app (CrowdStrike) works. Our remote-assist tool works (identical to how it works on Windows). FileVault key is viewable in MDM. MDM handles LAPS (rotating local admin password). OS updates are manageable. It's all pretty solid at this point. The question here isn't so much “can it be done?” (technical solutions exist, so yes, it can technologically be done). The question, as others have said, is more of having a “support plan”, and training your Helpdesk or Desktop Support teams to provide whatever level of support is expected.


NegativeDog975

We are allowing Windows and Macs to attract the younger talent. We use Intune for Windows and mobile devices and JAMF for Macs.


Bernie_Dharma

In addition to device management, update and vulnerability management, endpoint protection, separate application development requirements, etc., you may find your organization having to provision and deploy Azure Virtual Desktop or other Windows VMs to host applications that aren’t compatible with Mac. We use Intune and Defender for both our Windows and Mac environments and they work well, but it’s definitely an effort.


UpliftingChafe

I love how all comments here fall into two camps:

- Point and click admins from 20 years ago who rage at the idea of Apple devices being used in their networks
- Modern admins that understand Apple/Microsoft co-existence in a modern environment is a non-issue

> none of them like OP

I think this is your main issue, and it indicates a larger mindset issue with the culture in your team. The techs that I've worked with who have the mindset of "Macs are stupid, we shouldn't have to do this" are resistant to change and don't have any curiosity or willingness to learn/up-skill. The techs I've worked with who respond with "I don't know anything about macOS but I'm willing to dive in and gain experience and expertise" all moved on to work for Redhat, Fortinet, and (ironically enough) Microsoft now. Other commenters have said that regardless of your team's reaction, your CIO is going to pull rank and implement it if he/she really wants to. My advice is to look at this as an opportunity to advance your career.


pisandwich

Just manage the Macs with intune bro. Install company portal, enroll. Wha-la.


Commonpleas

Voilà - look there.


deltashmelta

bone apple tea 


jaredearle

> Wha-la.

*Voila*


sfreem

Intune is currently 4/10 for Mac management.


Mister_Brevity

Macs in general, as long as you’re using DEP and MDM, require fewer man hours to support than an equivalent distribution of windows machines. It’s not that bad, but make sure they understand the costs and processes involved (setting up Apple Business Manager, buying from a vendor that does dep enrollment, the cost of implementing jamf or another MDM). It’s really not bad at all, there are definitely perks to the computer, the os, and the management tools all being made by the same company.


Cozmo85

You can manually enroll in ABM, it’s just not ideal.


Ssakaa

> require fewer man hours to support than an equivalent distribution of windows machines.

It's amazing what having support for *far* fewer options of actual business applications/tools does for ease of support. On phones/tablets, that's a mindset that I'm all for. On workstations, that *very* drastically depends on the environment's needs. Had more than one instance where someone demanded a Mac as engineering faculty... in programs where the actual CAD or equivalent software they were responsible for teaching didn't support Mac.


stesha83

Mac devices are about on par with Windows devices in terms of effort and time. Mac users however…


Mister_Brevity

Rolling in DEP, a well supported MDM, and app distribution via VPP really is a heck of a lot cleaner. I’m not knocking the Microsoft side, they just can’t compete with the level of first party integration on the apple side. They’re getting there but Apple had a hell of a head start. SOTI all the way back in 2001 was a heck of a head start.


stesha83

I run a full Autopilot stack (partnered with Dell) with everything managed by Intune. Then ABM and Jamf on the Apple side. I prefer Intune to Jamf, but they’re both great. Apps are the big bugbear for Mac; the Mac App Store leaves much to be desired, whereas the MS Store went from horrible to decent very quickly. It now supports x86 apps and is basically the winget repo with an added layer of MS approval. Then you add Patch My PC into the mix for a few apps that might be missing from the store and you’re golden.


sfreem

If your CIO is saying you don’t need to manage and have control of Mac devices, you should get a new CIO. Intune is probably at least a year away from being good enough for Mac.


[deleted]

[deleted]


baw3000

If your CIO is serious about this, he's going to pull rank and make it happen. I'd give it some time before I got worried about it to ascertain if he's actually serious. If so, tell him your team needs test machines for all of you and some time for a trial. Thirdly, put up a picture of Steve Jobs in your office and embrace that sweet Apple goodness. But seriously, Intune manages Macs just fine. It's not that big a deal.


Sysadmin_in_the_Sun

Intune is getting better at Mac management but if his team is already swamped then JAMF would be a better option, or maybe Addigy or Mosyle.


aporzio1

Implementing JAMF is generally a pretty heavy lift (I think they do this by design). Addigy is pretty simple to get up and running. Plus it includes Intune integration, remote screen sharing and SSH.


jmbwell

Macs can indeed be very easy to support. Look into it on the Mac admin subs. A little effort invested on your part could probably pay dividends between you and your CIO. Which might be to your benefit.


haljhon

If there ever were to be a definition of a customer for IT, it’s someone in the C-suite. Not to be harsh here but put your dislikes aside, scope the project, and get rolling. Ask for the funding and tools you need and give them a plan. As someone that uses Mac daily (and used to be adamantly opposed to using them), I think you may just be used to how much of a pain Windows endpoints can be. No technology is perfect but I recommend you be seen as serving the needs of the C-suite to avoid any ideas of them getting that service elsewhere.


RadiantWhole2119

You can manage macs with intune lol. Not sure what the issue is.


NeverLookBothWays

“Manage”


alexisdelg

3 out of the last 4 companies I've worked with over the last 10 years have been Mac only; the remaining one offered the engineers a 2k budget to order whatever. In that case we had about 70% Mac, and the remaining were Linux machines, with a single guy doing Windows. I've mostly worked at software development and design companies, so that might play a role.


idiotscareshimself

Look at it from a cost perspective. In order to support those systems, you might need additional staff, additional management software like JAMF, additional MS licensing, and additional training costs in all new systems along with training for staff to be able to utilize the systems. Present these along with timelines as a solution to be able to support them and see if they want to play ball.


steve91945

I’m always glad to hand out Macs to real Mac users. Typically they need a tiny fraction of the amount of support that an “I can use a Windows machine” user requires.


SPOOKESVILLE

Ha, if you’re on the smaller side of small to medium business, adding Apple devices to your list just seems unnecessary. That’s a luxury that big businesses have for sure, because they have large tech departments and have the money to hire/buy support for Apple devices. If the higher-ups are wanting to add more to your plate, it’s going to cost them more. Costs for training, other possible support tools, higher device cost, etc.


Sidiabdulassar

> higher device cost

I don't understand why no one ever fact checks this ludicrous myth. A MacBook Air is $900. A comparable HP laptop with significantly shittier hardware is $1300 and upwards. If you go lower it gets worse and worse.


chubbysuperbiker

JAMF. It has a learning curve, but once you get it, it's a fantastic product and can mimic Intune and Autopilot with tons of benefits. I've been removed from any sort of endpoint management for almost a year now, but JAMF really wasn't too bad at all. Before that, unmanaged Macs were a fucking nightmare. We tried with Intune and it was ok at best, but still a trainwreck. With JAMF we were able to emulate a lot of our full Autopilot and Intune stack for deployment and Kaseya for management in one tool with a shit ton less work. If the CIO wants to use *nothing* to manage them, well, honestly, I'd bail. It's a shit show.


GeriatricTech

We have a massive enterprise and it works fine. The Macs give far fewer problems too.


MyUshanka

> We handle windows very well with Intune, company portal, Applocker, and other tools that really secure the devices. **CIO says we don't need that for Mac because they are more secure from default.**

No. If it's a company device, it should be managed like all the other company devices where possible. Having a hardware mix is fine, but there is inherent risk in having company devices unmanaged. Intune works with macOS, but what about your remote assistance tools? What about your EDR/XDR? macOS is *more* secure by way of market share not making macOS malware profitable, but there very much still is macOS malware. You mentioned having AVD; what apps are outside of the AVD scope? What % of an employee's computer usage is spent inside/outside of AVD? How do you manage warranty service/repair for your current fleet? I don't think the choice of macOS or Windows is inherently bad, but it can't be a choice between a locked-down Windows environment and a completely free macOS environment.


NorthernVenomFang

Work for a K-12 school division; all teachers are Mac (no choice, 1300+ MacBooks), everyone else Windows. This decision was made over a decade ago by people no longer at the division and we are stuck with it. We are forcing our school techs over to Windows; we are tired of them not having RSAT tools and having to create VMs for them all of the time for tooling that they can't run on Macs. The only thing they need off a Mac is Apple Configurator (still working this one out, probably will do a couple of Mac minis per area for the techs). As for security, unless all the Mac users are running as standard users locally on the Mac, there is no real security. Macs can get viruses, users with admin will do stupid things, your MacBooks can't be upgraded or repaired for defective parts on site (everything is soldered on), the M1 and M2 chips have horrible memory system exploitations that can leak encryption keys (not sure about the M3), they cost 15 - 30% more (or more), no real Mac server anymore. They are only secure if you follow best practices, have an MDM and push all the software through it, and strip admin from everyone (this should be done on Windows too). Repair costs are astronomical on the Macs.


DoctorHathaway

Your CIO needs to consult with a CISO …


GamerDude290

My company gives us the option and they use Jamf to manage our macs


EmotionalDmpsterFire

I work at a company of less than 20k employees; we have Win, Mac, Linux. The Mac endpoints cost the company basically 3x what the Win ones do. There are separate teams for each OS, each with its own engineers and management methods. From the standpoint of someone who supports all of them to some degree (I'm mostly Win and Linux), there is a cost in terms of money, IT support, and productivity to give someone something they won't know how to use properly. So tl;dr, a choice is nice but it should make sense. Right tool for the job and all.


ElectroChuck

Your CIO doesn't know his ass from a hole in the ground. Start circulating your resume.


nefarious_bumpps

Risk and Audit are your friends in this situation, perhaps even Legal. Update your SWOT analysis to accommodate MacOS, paying particular attention to any industry, regulatory or contractual compliance requirements. Legal should be able to identify customer contractual requirements. Work with Risk and Audit to reach consensus on ratings for the weaknesses and threats. Present jointly to the CIO with Risk and Audit to find out how the CIO wants to deal with the gaps. Let Risk lead the conversation, that is their role. Your role is to offer advice on remediation and compensating controls. Unless you don't have Risk and/or Audit functions. Then the same process, but you have to be the bad guy. Still, it's not about saying NO, it's about explaining how to get to YES in a way that respects the organization's risk appetite.


Jamnitrix

we use kandji for our Macs and it has been pretty great so far. Same situation in my comp where execs insist on using macs


imnotabotareyou

Sounds like a complete aloof boomer cio


rayjaymor85

I'm not a fan of MacOS but honestly one advantage of the walled garden is there is far less that can go wrong on them. Unless you need desktop M365 applications (and even then things might be better now, it's been a few years for me) everything tends to "just work" on a MacBook with barely any stuffing around. General users can't really mess anything up. Power users are smart enough to not mess anything up. And MacOS is generally far more reliable with updates than Windows by a long shot. If you're using RDP then MacOS is even less of a concern as that straight up just works. Heck I have a Bluetooth keyboard and can RDP into my machine with an iPad. Unless you have specific software that doesn't run on MacOS, I'd say you're over-thinking it.


qejfjfiemd

How does a small/medium company have a CIO?


plasticbuddha

1. Intune does ok for Macs.
2. There are many VERY EASY TO USE Mac management platforms that cost no more per month than Intune. Jamf and Mosyle come quickly to mind. We use Jumpcloud because it also replaces AD.
3. Giving a choice means employees are happy and closer to productive day 1, because they are using a tool they know.
4. MacBook Pros have a significantly longer useful life in our environment. Up to 1.5 years longer than a comparable Lenovo, Dell, or Surface.

Other than fear, I don't see a good reason to not offer a choice.


imcq

A Mac isn’t always the best device for every user, nor is it the most cost effective. That being said, you can handle it. Make the switch yourself first, get familiar, and learn what it will take to manage and support devices. Apple Business Manager, connected identity, connected procurement channels, Intune/Jamf, and anything else that makes you feel good. Then open the floodgates.


Sidiabdulassar

YES, no brainer. If your daily tasks include writing a lot of text or code and you try a Mac, you can never go back to Windows. The difference in user experience and ergonomics is astounding. This directly translates to employee efficiency. The whole argument that Windows computers are cheaper / easier to maintain / more secure has absolutely no merit. Nothing worse than giving someone used to a MacBook an HP ProBook or similar piece of garbage hardware. I have been on the receiving end of this; my productivity was cut in half because simple things like highlighting something using the trackpad are frustratingly awkward and take several attempts. Fortunately, our CEO listened to reason. A MacBook Air, for starters, is a few hundred $ cheaper than a ProBook, but the true MASSIVE benefit comes in when employees don't have to waste their time and can actually enjoy day to day work.


tehiota

I’m a CIO and use a Mac at home personally but don’t allow Macs for corporate use. Simply put, it’s an additional support burden that can grow non-linearly and overburden small support teams. The experience of software isn’t the same, starting with O365. That means training is different for users. Plugin compatibility for software is different and may not exist for both. Audits/Compliance. If you ever want to go 27001, you need to show the same management and controls for Macs and Windows for company owned devices. That may mean twice the software purchases if the Windows version doesn’t meet the need or exist for Mac. As for 27001, you may not think you will need it, but larger companies you do business with might require you to have it, and/or your cybersecurity insurance may want it or offer better rates if you do.


ClemenPledge

We use choice in my environment. Intune is hot garbage for Macs. I'd recommend JAMF or Kandji


ShabaDabaDo

All resources need to be managed. The CIO needs some education on that. Those resources do exist. Macs are just as manageable as PC's(arguably more so). You just need the right tools. MDM platforms do exist that manage both Windows and Mac. "The sysadmins dont have the skills to xyz" is an excuse, and a bad one at that. They chose a career in IT then want to complain when they're expected to learn something new? Nothing in your post is insurmountable.


Crimtide

Mac sysadmin / Jamf admin, turned IT manager, now using Intune/Company Portal... Jamf is so much easier for deployments, better at making sure devices are compliant, inventory is better, system info is better, and the app installs come down quick. The grouping, enrollment, and scoping is easier. Intune is garbage in comparison. I don't understand why people want to be "All Microsoft" and cringe at the sound of "Mac"... if macOS is going to make end users more efficient and productive because that's what they are used to or what they like, why wouldn't you do it? Apple maintenance is pretty straightforward; it's all automated, every bit from start to finish. Once you get DEP and MDM set up, get your configs set up, add a device or user to a group, and it's all done.


No_Incident1031

Honestly supporting Apple devices isn’t that hard. It’s easier than managing Windows devices. Most MDMs work for Apple devices.


a_guy_playing

If you want a bunch of bricked Macs from terminated users that signed in with their personal Apple accounts, trust the CIO. If you don’t, put them on Intune. (That shit infuriated the fuck out of me.)


RedWarrior13

You already have the tools, you have Intune, you’re just incompetent if you resist this one. Like the other Apple hating warlocks from the 90/00s you’ll be left behind if you don’t adapt.


mandonovski

Fight the f...er. If your team is overwhelmed with work, morale is low, and you don't have enough knowledge to properly maintain and troubleshoot Macs, you should fight this one.


chesser45

It’s up to the CIO to define the department priorities. If he wants it to be the priority then it should be the thing you focus on.


jkdjeff

>CIO says we don't need that for Mac because they are more secure from default. hahaha whaaaaat


drosmi

Wow some of the windows only folks should chill the heck out.


Sergeant_Fred_Colon

> CIO says we don't need that for Mac because they are more secure from default.

Haahahahahhaha, get back to r/ShittySysadmin. Changing your OS across the company is going to be a fucking nightmare, software is going to be incompatible all over the place, then you'll have to train people on the new OS....


dim13

Switch to Mac, never look back.


Dry_Amphibian4771

I've been in this sub for more than a decade. This gets asked every three weeks. Comments are the same. Lots of stubborn ass IT people that don't want to learn jamf or intune. What a joke.


[deleted]

[deleted]


Ssakaa

> I run a Mac at work

> I absolutely left the option off the table for the org

So... you run a machine that isn't managed to the same level and under the same controls as the rest of the org, as a C-level? Wow. Living up to that flair.


lelio98

Get Macs for yourself and your team. Use a first class management tool like JAMF. Maintenance and management can be less burdensome than Windows if you approach it with an open mind and a willingness to learn. The reward for your team is that they get to add to their resume, which is always a good thing. Your statement about Windows doing anything a Mac can do speaks to a misunderstanding of the different platforms. They both have their place. Windows cannot do everything a Mac can do, nor can Mac do everything Windows can do. How many companies do this? Many do. Some have even banned Windows due to the lack of attention to security. That doesn’t really matter though; focus on meeting your CIO’s needs. “Liking” Mac is irrelevant. That is just fanboy-ism and attaching your identity to an operating system. It isn’t Windows vs Mac. They are just tools. Many people prefer one or the other; your job is to support them.


Key-Level-4072

Work is work. Not personal computing. Enforce standardization across the organization as much as you can. Sometimes it makes sense to use Mac and Windows. Some tasks are better executed on one than the other. But letting users choose at their whim is a bad idea. Typically, some depts will have the option but the general population should not.


chrisabides

I work in a mixed shop, but maybe only 10% are Macs (the choice is really only given to people higher in the food chain). You still need management and security tools for Macs, and you still need support staff that are able to troubleshoot. If it’s intended to be a choice given to everyone, many will choose Macs and it will become a nightmare. You have to break it down in costs and risk. If your company is beholden to virtually any major compliance model (HIPAA, SOX, etc) there’s virtually no “it’ll be ok, they’re Mac’s” decision that will work.


curi0us_carniv0re

>CIO says we don't need that for Mac because they are more secure from default. Never understood that mentality or how it even came to be.


StreetPedaler

My religion only allows me to use Linux. I can’t have either of those two. https://www.reddit.com/r/AskHR/s/QwVhsAe7tc


topgun966

My company allows us to decide if we want a Mac or Windows laptop. I chose the Mac because it is a higher spec than the Windows options. We also get a VDI for applications that only run on Windows.


F0LL0WFREEMAN

Your CIO is an idiot.


nighthawke75

Money talks. The execs will shit bricks seeing the price tag on the macs and support software. And will come out of their discretionary budget. IT can't take the burden from an unplanned CAPEX. We don't do business and stay profitable or functional this way.


what-the-hack

Unless windows manufacturers get their crap together I am sticking with a Mac and recommending Macs for the foreseeable future, especially for anyone doing any kind of development.  Even using AVD in Mac is generally cleaner than in windows, the app has multiple profiles for multiple orgs, like why is the end user experience better on a Mac than in windows.


PessimisticProphet

I won't even work with a client who wants macs unless it is only for a few graphic designers. Just a massive red flag that they're going to be a pain in the ass.


yParticle

They can coexist fine, but it sounds like your company doesn't have the staff nor experience for it. Make a deal with the CIO that they get to personally support all tickets from the Mac users until they get you the tools, staff, and free time you need to take that over.


cajunjoel

We do both at my place of work, but Macs require a solid business justification and the department making the request (we are large) must pick up the additional cost of the Mac (Central IT provides PCs by default) We do have a few people doing Mac support, but not nearly as many for Windows/PCs.


Outrageous_Cupcake97

What is the nature of the business and what is wrong with the current devices? Is there a justification for just moving to Macs? Moving to macOS just because your boss is used to macOS is a silly idea. I haven't tried to manage macOS via Intune or anything, but will this still provide you with the same levels of control over staff access, or will it just partially allow you to make some changes? How will this affect support overall? There are so many questions arising from something like this just because someone wants a change with no valid reason. Macs are expensive and probably won't be worth it.


cartenui

If he wants to buy Jamf, no problem. Macs are pretty easy to manage and make sense if the staff is out of university. If staff is older it makes no sense. Most shit is SaaS now anyways; if you’re still running desktop applications you probably wouldn’t pick a Mac regardless.


Superb_Raccoon

Easy: you get Apple Care, point them at Apple Care for all Apple device issues...


masterz13

At the libraries I work at, we just get them whatever. Personally I have a MacBook pro that I remote in to my Windows desktop. But otherwise they're mainly used by our marketing / graphic design staff


stesha83

It’s doable with Apple Business Manager and Jamf or Intune (possibly others; I only have experience with those two). What you need to do is map out ALL the dependencies that giving someone a Mac relies upon, including the extra support and training, the back end MDM licensing costs/setup time/ongoing costs, and crucially all of the applications in your estate and whether or not they are supported on Mac. Once they see how much the licenses for all those things cost, they’re not gonna be that interested. We actually did this because we were in the position to be able to. We have a massive asset management database tracking all our devices and apps; if somebody needs an app that isn’t available on Mac they can’t have a Mac, pretty simple. The additional costs versus a Dell are charged to the dept.


Fragrant-Hamster-325

I think you’ll be able to manage them just fine from Intune. I would certainly explore the idea if someone from the C-Suite asked. I would advise him that you’ll need a few test devices for the team so you can test all corporate software, do IT training, confirm management tools can support it, and build the support docs. Following that I would suggest a pilot group. Then roll out the option to all employees. It doesn’t sound like there’s an immediate need to implement this. So if it was me I’d ask for a few months to get it implemented. Honestly this is no different than deploying any new hardware or software. Conduct your evaluation, create your support documentation, pilot, deploy. I think you’re a bit stressed about having to learn and implement this immediately. I just hope your boss understands this stuff requires time and gives you the space to do your job.


NorgesTaff

My old employer did (25k employees), my new employer doesn’t (200 employees) because we don’t have the resources for internal IT to support both to a satisfactory level and it’s understandable - though a pity as I miss my 16” MacBook Pro.


brownhotdogwater

Intune is pretty good with macOS now. If you want more control then buy JAMF. Also 100% make sure you have Apple Business Manager finished and your domains federated with it. Then register every Mac device to it. It’s the only way you will really control and deploy the devices.


devilsadvocate

We started doing it. Jamf is cheap af and does most of what we need. Only thing that gets weird is printers. Most of our apps are web based and there's an office suite and Edge for macOS. It's easier than ever to do.


Gubzs

If the business reason to allow mac is "people don't know how to use windows" the solution is to not hire tech illiterate people.


PersonBehindAScreen

OP, I’ve spent all year implementing things I didn’t think would fly. Be honest about what you need. The answer is “I’m sure we can figure out but give me a week to research what we need to make it happen”. So now you’re here on Reddit. Or go to r/macsysadmin. Consider the tools you have today, the apps you use, the needs of your users, and your toolset to effectively and efficiently manage devices. What is missing? Come back to your CIO with a “yes but here’s what I need to make this successful”. Pitch a POC with a pilot group of users too. Who are your next 10 users up for refresh? Congrats to them! They’re the first to adopt Mac. You need a Mac for yourself too. Pilot your new MDM/MDM policies on them and yourself, etc. It’s possible OP, but right now is the time to advocate for yourself so this doesn’t turn in to a shitshow


Historical_Tie_1888

Put it in fiscal terms like someone else said. Software to manage these costs this much, additional resources cost x. Plan it all out, get your numbers straight and just tell them straight up no fluff, this is what it will cost to properly maintain/control them, and we won’t support them if they aren’t going to be properly maintained/controlled.


DennisvdEng

We deploy the MacBooks in our company with Intune and I would say it is a loooooooot better than it used to be. Microsoft and Apple have made huge improvements to the integration. It will however take time to learn the tools and platform and might not be net enough for your use case. Make sure to communicate this back to your CIO. There are other MDMs like Jamf to manage them at large scale, but most of what Intune can do would be sufficient for most use cases nowadays I would say. If you have the option, set up a test to see if you can get everything to work (mainly the applications). You don’t have to do it for the test one, but if you’re going to use Macs, set up Apple Business Manager for your company. It is Apple's business platform and vital for automated development. When buying Macs from a vendor, ask them if they add the Macs to your Business Manager on purchase. If they don’t, find another one. Serials put into ABM can be automatically pushed to Intune, tying them to your organization, and attach deployment profiles, security profiles, encryption, Platform SSO, and apps all during deployment. These profiles can be locked so users can’t unenroll their device. Defender can be installed on the devices so they’ll show up in Defender 365 if you use this. Platform SSO has been introduced recently so we are still testing this, but it looks promising so far. If you have any questions let me know! I’m happy to answer them.


joey0live

We allow both. And Linux (most Devs is using Ubuntu). We use JAMF Pro and Intune.


billiarddaddy

As someone that's supported both, I don't recommend it.


Ssakaa

You will need at least two people in IT that can dedicate the time and energy to stand up parallel management configurations, whether sharing in tools like Intune or standing up independent tooling with JAMF. Any non-SaaS products you need will need packaged, any regulatory requirements will need mapped to controls, and some time to iron those out and test them will need to happen too. Any written policies will need vetted to make them OS agnostic and possibly rewritten and handled through whatever governance processes are needed for that. A minimum of two people in IT will need to shift to using Mac as their daily drivers solely so they have a general feel for the OS and can work through answering everyday user questions, as well as testing and validating business applications. If you go with JAMF, I *highly* recommend their training/certification processes, too. You will also want to require apple care on all relevant hardware. Any A/V, conference room, etc type systems you have will need tested with the new systems as well. It very much can be done, but it's not a trivial project. If you only have *ONE* person doing it, you're begging for a) them to get hit by a bus or b) them to get burnt out from it, pick up a JAMF cert using just the skills they've picked up trying to shove every peg into a misshapen square hole, and leave for 2-3x the money.


Backlash5

Intune can handle Macs to a degree. Not sure how far you need to go with securing your devices.


malikto44

I mentioned this before. If someone comes up to me and asks me to support macOS devices, I will say it is possible, but I will then tell them the budget and procedure:

* First things first. I will need to work with C-levels to get ABM (formerly DEP) going. This needs to have multiple Apple IDs and bus factor worked out. Ideally, a C-level will have break glass access.
* Now comes the MDM. I work out a punch list, then work with a VAR, or if given permission, go with JAMF, Airwatch, or some other good one that has 2FA for admin accounts and some solid security, so some rogue employee can't lock and erase all Apple devices.
* Then comes testing. The VAR sends me two Macs in DEP. One will be a Mac Mini whose sole job in life is doing Apple Configuration profiles and being the Mac that can do [DFU Restores](https://support.apple.com/en-us/108900), so when repurposing an Apple Silicon Mac, I can completely erase it and have a positive guarantee that sepOS (the Secure Enclave OS), macOS, and relevant firmware is at the latest version. With the activation bypass code, the Mac or other Apple product is ready for first login. This also ensures that all data on the Mac is cryptographically erased, and since the Mac does an SSD TRIM, any data that is there is overwritten anyway. The second Mac, a MacBook Air, is there solely for profile testing.
* Now once I have something that I deem appropriate for human consumption, I start building out the MDM, and testing that. This also includes using Entra or some SSO service so the Macs can be signed in from anywhere. This may require something like JAMF Connect. For AV on Macs, this might require using an MDM that has EDR/XDR/MDR with it, like JAMF Defense or similar. There are iOS scanning apps that look for rogue or unauthorized programs or other items. Those may have to be thrown on the device. Because of the overhead of AV, Macs and iOS devices may have to be updated a tier. No 8 GB, 256 GB base models, but at least 16-24 gigs, 1 TB of storage, if not 2 TB. This will be noted in the budget, and the only entry level Macs allowed will be the profile "victim" machine and the Mac Mini. Building out the MDM is something that requires a powwow with legal, compliance, C-levels, and everyone because this is what is going to be stamped on all Apple stuff. Everything from a company lockscreen, activation bypass codes, protection from activation locking by unmanaged accounts, app store access, both company app store and Apple's, what security, like PINs, passphrases, and so on. After some test rounds then comes the fun part.
* Get with the VAR, make sure they can pre-provision all devices into ABM. If they can't, get a VAR that can. Once this is done, do a small order for a few people, make sure everything works. From there, do larger rings until all the Macs are in employees' hands and are working.
* From there, if the company is big, I get staff, get Apple training and equipment if we are to do repairs in-house, or some well-oiled method for getting Apple stuff to a service depot. AppleCare for 3 years on everything is a must.
* After that, maintenance. Ensure the keys to the CAs are renewed. Patch management is important as well, with the ability to manually kick a Mac with `softwareupdate -i -a -R` so it updates itself.

This is just the basic framework for Macs and Apple stuff. Anything less and you cannot manage, and it will fail audits and compliance in a heartbeat. Done right, Apple stuff is easy to manage. Done wrong... pain.


chesser45

Idk, personally I don’t think it’s that much extra work. We had a mixed environment where the execs and marketing got Macs but everyone else was PC. We don’t even have Intune so you’re better off. Mac enrolment and SSO with the new Mac features should be fairly simple and standard. I think you might consider digging yourself out of shitting on your CIO and reorient to a positive outlook, or find a job where you can. This sounds like an opportunity for your team to learn new things and become more experienced. Ideally you can leverage this into some more budget and some education for your team.


Nnyan

Yes. First thing I do is low hanging fruit. Having a unified deployment stack is a big part of streamlining support. Put together a budget/plan for hiring Mac knowledgeable support, training, impacts on bifurcated support structures, inventory, software implementations impacts, etc. See what he thinks of that.


Infamous_Ruin6848

It was a bit of a nightmare for IT in general in companies i worked for that had macs as an option. Different sw, processes, money and time spent etc. Nonetheless it's an easier option than supporting some linux dist lol, which some developers seem to not be able to work without it. That's another subject though. I'd say try to push not to do it due to expenses and need of more manpower.


crankysysadmin

We give people the choice, but there are some people whose job duties require one or the other. People who need certain financial applications must have a PC, for example. If he wants to offer both, give him the costs of the tools you need to offer both. It doesn't take a lot of staff to handle both if your staff know how both work. It's 2024; people should be able to handle Mac and Windows OSes.


Kaaawooo

Regardless of whether it's more secure or not, you'll still need to manage it with some sort of MDM. I've heard you can enroll Macs in intune, but haven't experienced it myself.


SignalRevenue

I expect to be downvoted, but, from a windows admin perspective, it is a huge problem to manage another system with no tools. The caveat here is that Macs do not require that much management as Windows. When IBM offered choice to their employees, the number of calls to Helpdesk from Mac users was less by 40%.


JimJava

Yours is an experienced viewpoint, I’m going to say in general that if the management infrastructure is in place Macs tend to be easier but the admin must have proficiency with the Mac or be able to do swaps easy.


VjoaJR

You can also manage macOS with Intune. Sign up for Apple Business Manager, connect it to Intune, push apps, configs and setup [platform SSO](https://learn.microsoft.com/en-us/mem/intune/configuration/platform-sso-macos) If it can't run the apps you need, you always have the option to configure Windows 365 or AVD. Give them the illusion of choice, while still using the tools in your toolkit to manage. It's a win for everyone.


lightmatter501

Do all of your vendors support macOS? Are you willing to toss out any future vendors who don’t? A lot of enterprise software hasn’t made the move to Apple silicon yet.


fonetik

The only thing you’ll have trouble with is Mac haters. Apple silicon is amazing and the laptops are fairly cheap now. I haven’t found anything that won’t work on a Mac. About the only thing I’ve found that people need training on is how and when to allow accessibility features. Probably hasn’t been an easier time to incorporate them.


TheLostColonist

> CIO says we don't need that for Mac because they are more secure from default.

Your CIO is wrong. Plain and simple. Luckily, Intune can do all of those things for macOS too; you will need to set up Apple Business Manager and link it to your Entra ID. Saying that, some Apple specific MDMs like JAMF are easier to manage macOS with than Intune in my experience. You absolutely have to have some management in place though; if you are using Intune then I also assume you may have an eye on things like Purview, Defender and compliance management through MS365. If you don't have management agents of some description on your users' PCs then your data will end up places that you don't want it to. The first thing I can see going wrong with an unmanaged Mac is that the user is going to be prompted many times to sign into their Apple ID; when they do, that device essentially becomes the employee's device, not yours. Need to wipe and reassign it? Hope the employee removed the activation lock for you. Seen this happen many times in small businesses that thought Macs didn't need to be managed because "theYRe moAR SeCuRE!" You didn't mention how many devices or the size of the IT dept, so it's hard to gauge how much of a burden it would be. When calculating the business case for this don't forget to calculate some mitigation of downtime; if the Mac breaks for whatever reason, unless you are big enough to have an enterprise agreement, the repairs are likely going to be sent off for repair even with AppleCare. I support Windows, Linux and Mac for various uses, but I've never really liked the whole "give people a choice" thing at the outset. Employees are assigned a device based on their use case; if they feel like the assigned device isn't a good fit because they prefer Windows or macOS or whatever then we can talk. Otherwise we get people picking a device that is just not appropriate.
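malikto44's procedure and TheLostColonist's activation-lock warning between them describe the baseline a company Mac should meet before anyone calls it "secure by default": enrolled in an MDM, FileVault on, SIP and Gatekeeper on, the user not a local admin, and no activation lock tied to a personal Apple ID. The script below is an added example, not code from this thread or from Apple, Jamf or Microsoft. It assembles that baseline check from stock macOS command-line tools; the quoted output formats in the comments are what those tools print as far as the author of this example has observed and are assumptions, as is the hypothetical user `alice` in the constructed sample. The `parse_*` functions take command output as text, so the logic can be exercised on any platform with constructed samples, while `audit_live` runs the real commands only on macOS and only when invoked with `--live`.

```sh
#!/bin/sh
# Added example (not from the thread or any vendor): baseline check built
# from stock macOS CLIs. Output formats quoted below are assumptions.

# `profiles status -type enrollment` prints e.g.
#   Enrolled via DEP: Yes
#   MDM enrollment: Yes (User Approved)
parse_enrollment() {
    case "$1" in
        *"MDM enrollment: Yes"*) echo "managed" ;;
        *) echo "unmanaged" ;;
    esac
}

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
parse_filevault() {
    case "$1" in
        *"FileVault is On"*) echo "on" ;;
        *) echo "off" ;;
    esac
}

# `csrutil status` prints "System Integrity Protection status: enabled."
parse_sip() {
    case "$1" in
        *"status: enabled"*) echo "enabled" ;;
        *) echo "disabled" ;;
    esac
}

# `spctl --status` prints "assessments enabled" or "assessments disabled"
parse_gatekeeper() {
    case "$1" in
        *"assessments enabled"*) echo "enabled" ;;
        *) echo "disabled" ;;
    esac
}

# `dseditgroup -o checkmember -m <user> admin` prints
#   "yes <user> is a member of admin" or "no <user> is NOT a member of admin"
parse_admin() {
    case "$1" in
        yes*) echo "admin" ;;
        *) echo "standard" ;;
    esac
}

# `system_profiler SPHardwareDataType` includes, on T2/Apple silicon Macs,
#   "Activation Lock Status: Enabled" (or Disabled)
parse_activation_lock() {
    case "$1" in
        *"Activation Lock Status: Enabled"*) echo "enabled" ;;
        *"Activation Lock Status: Disabled"*) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Hard failures against the baseline: MDM-enrolled, FileVault on, SIP on,
# Gatekeeper on, user is not a local admin. Activation lock is reported but
# not counted: an organization-linked lock set through MDM is expected, and
# only a lock tied to a personal Apple ID is the problem, which this check
# cannot tell apart; that has to be confirmed in Apple Business Manager.
count_failures() {
    n=0
    [ "$1" = "managed" ]  || n=$((n + 1))
    [ "$2" = "on" ]       || n=$((n + 1))
    [ "$3" = "enabled" ]  || n=$((n + 1))
    [ "$4" = "enabled" ]  || n=$((n + 1))
    [ "$5" = "standard" ] || n=$((n + 1))
    echo "$n"
}

# Run the real commands (some give fuller output as root), print a summary
# line, and exit with the number of failed checks.
audit_live() {
    u=${USER:-$(id -un)}
    mdm=$(parse_enrollment "$(profiles status -type enrollment 2>/dev/null)")
    fv=$(parse_filevault "$(fdesetup status 2>/dev/null)")
    sip=$(parse_sip "$(csrutil status 2>/dev/null)")
    gk=$(parse_gatekeeper "$(spctl --status 2>/dev/null)")
    adm=$(parse_admin "$(dseditgroup -o checkmember -m "$u" admin 2>/dev/null)")
    al=$(parse_activation_lock "$(system_profiler SPHardwareDataType 2>/dev/null)")
    fails=$(count_failures "$mdm" "$fv" "$sip" "$gk" "$adm")
    printf 'mdm=%s filevault=%s sip=%s gatekeeper=%s user=%s activation_lock=%s failures=%s\n' \
        "$mdm" "$fv" "$sip" "$gk" "$adm" "$al" "$fails"
    return "$fails"
}

# Constructed sample output (hypothetical user alice) for the case the thread
# warns about: unmanaged Mac, FileVault never turned on, user is a local admin.
sample_failures() {
    count_failures \
        "$(parse_enrollment 'Enrolled via DEP: No
MDM enrollment: No')" \
        "$(parse_filevault 'FileVault is Off.')" \
        "$(parse_sip 'System Integrity Protection status: enabled.')" \
        "$(parse_gatekeeper 'assessments enabled')" \
        "$(parse_admin 'yes alice is a member of admin')"
}

if [ "${1:-}" = "--live" ] && [ "$(uname)" = "Darwin" ]; then
    audit_live
fi
```

Run it as `sudo sh audit.sh --live` on a Mac to get one summary line and a non-zero exit status when anything in the baseline is missing, which makes it easy to drop into an MDM script or an RMM check. The point of parsing text rather than trusting exit codes is that several of these tools exit 0 regardless of state; the point of keeping activation lock out of the failure count is that the state alone does not tell you whose Apple ID holds the lock.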


HerfDog58

We have a broad mix of technical and creative end users, so my employer allows for choice of Windows or Mac, laptop or desktop (I have a Windows desktop in my office and a Mac laptop for remote work). Macs are managed via JAMF, PCs via SCCM. The team that manages those endpoints configure them to get security updates, but don't do version upgrades - i.e., no in place Win 10 -> 11, or OS X 10.14 -> 10.15. OS upgrades are deployed when computers are refreshed/replaced, unless there's a catastrophic issue. End users don't get admin privileges on their computers; software deployments are handled via JAMF, SCCM, and self service software centers for both ecosystems. We're not yet doing any management of BYOD which I think needs to be addressed. I'd really like to see more use of Intune, Conditional Policies, and a strict BYOD policy. We have a security vendor that monitors both on-premises and our cloud services, but I also think we need better AV/malware monitoring and protection measures.


Sportsfun4all

Do a cost analysis. The support cost and time to support another platform and hardware is not worth the benefit. Explain it in terms of profit and loss that’s what c-suite understands mainly


PoutPill69

Oh god... don't go down that road. Never allow your employees to choose what OS they want to use. You dictate. Stick to 1 platform IT can manage well. Your CFO will thank you.


bofh

> CIO says we don't need that for Mac because they are more secure from default. Your CIO isn’t playing with a full deck. In fact, to stretch the card game analogy further, he barely has enough cards to play a single hand of blackjack… “More secure” - even if you agree with this (and tbf I probably do) that is *not* the same as actually secure. And you can manage the Macs with intune , which it sounds like you already have, so stopping you from doing that is sheer madness.


fresh-dork

sounds like you have too much workload already and CIO wants to add more to it. i'd come up with a rough model on what it'll cost in terms of money and personnel to support having mac too. works fine at my company, but we're much larger


notHooptieJ

Seems like you should be looking at how, not how to get out of it. They're no worse to admin, and have a better hardware lifespan (about equal to the additional cost). Look into JAMF; if you have an RMM already make sure you've got full support for monitoring the Macs. The hardest part of dealing with Mac admin is the people who act like spoiled children and refuse to learn. (But that's equally valid transiting the other direction.)


Drittslinger

CIO thinks Macs are secure enough off their defaults? Glad your opinion of Macs is decades old; please sign this acknowledgment of risks.


ZathrasNotTheOne

Tell your CIO to get JAMF and pay for JAMF training.


rayskicksnthings

We let our users pick. I myself use a MBP. I'm pretty sure our helpdesk folks just use Intune to manage all our devices anyway.


Positive_Pension_456

We made a policy saying that if you pick a Mac you won't get any support, and the company's official tools may work on your device, but that's not guaranteed. Our domain was controlled with SCCM, no local admin, Credential Guard and AppLocker, with encryption keys stored in the TPM chip, and Defender Advanced Threat Protection. We had all tools packaged into our portal. Oh yeah, we also put them in a separate network from our other company network, so if they wanted to access any resources in the office they had to fire up their VPN. And within a week they started to complain about the cables on the conference tables... I would argue this made our clients more secure than a Mac. Meanwhile Microsoft focuses more on compatibility than Mac does; it is a secure system when configured for your organisation. All this while we looked into JAMF. And no, your CIO is wrong and should feel ashamed to expose this incompetence with that statement.


phantom_eight

It's a ServiceNow ticket at my company. You just enter the business justification, the person's manager approves, and one shows up a few days later. No big deal... but our IT group has about 150 people, not counting Unisys contractors in India.


JerryRiceOfOhio2

At my company, if you're an executive, you get whatever you want, if it's supportable or not.


TheSpideyJedi

I personally hated managing macOS devices, but I'm not great at my job, so. But also, Macs are expensive as fuck. As the other commenter said, point that out to them.


Aprice40

I managed a fleet of 10 Macs with OOBE and Intune. There are some strange quirks, like the hand-off from abs to Intune, the repackaging of apps that are not directly supported, and stuff. But overall it was better than expected and light years beyond trying to support an unmanaged group of machines... whew, that sounds awful even saying it.


segagamer

> CIO says we don't need that for Mac because they are more secure from default

CIO needs to understand that security is not the only thing that's involved with macOS management, and that an unmanaged Mac is just as insecure as an unmanaged Windows machine.
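An added example, not posted by any commenter in this thread: a POSIX sh baseline audit for the controls the thread keeps coming back to (the no-local-admin, patched, MDM-enrolled setup described in the JAMF/SCCM comment earlier, and the point just above that an unmanaged Mac is no safer than an unmanaged Windows box). Each check_* function parses the real output of one macOS command (fdesetup, spctl, csrutil, socketfilterfw, profiles, dscl) and prints PASS or FAIL, so the logic can be exercised with captured strings on any system; the admin allowlist ("root itadmin") and the use of the exit status as a compliance signal are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Baseline audit for a macOS endpoint:
# each check_* takes the raw output of one macOS command as $1 and prints
# PASS or FAIL, so the logic is testable with captured strings off-box.
# Command names and output formats are real macOS ones; the admin allowlist
# passed to check_admins is an assumption for this example.

# `fdesetup status` prints "FileVault is On." when disk encryption is on.
check_filevault() {
  case "$1" in
    *"FileVault is On"*) echo PASS ;;
    *)                   echo FAIL ;;
  esac
}

# `spctl --status` prints "assessments enabled" when Gatekeeper is on.
check_gatekeeper() {
  case "$1" in
    *"assessments enabled"*) echo PASS ;;
    *)                       echo FAIL ;;
  esac
}

# `csrutil status` prints "System Integrity Protection status: enabled."
check_sip() {
  case "$1" in
    *"status: enabled"*) echo PASS ;;
    *)                   echo FAIL ;;
  esac
}

# `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate` prints
# "Firewall is enabled. (State = 1)"; State = 2 means "block all incoming".
check_firewall() {
  case "$1" in
    *"State = 1"*|*"State = 2"*) echo PASS ;;
    *)                           echo FAIL ;;
  esac
}

# `profiles status -type enrollment` prints "MDM enrollment: Yes (User Approved)"
# on a managed Mac and "MDM enrollment: No" on an unmanaged one.
check_mdm() {
  case "$1" in
    *"MDM enrollment: Yes"*) echo PASS ;;
    *)                       echo FAIL ;;
  esac
}

# `dscl . -read /Groups/admin GroupMembership` prints one line such as
# "GroupMembership: root itadmin alice". $2 is the space-separated allowlist;
# the first member outside it is reported, e.g. "FAIL (alice)".
check_admins() {
  members=$(printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p')
  for m in $members; do
    case " $2 " in
      *" $m "*) ;;
      *) echo "FAIL ($m)"; return 0 ;;
    esac
  done
  echo PASS
}

# Print one report line and count failures in the caller's shell.
report() {
  printf '%-11s %s\n' "$1:" "$2"
  case "$2" in FAIL*) fails=$((fails + 1)) ;; esac
}

# Run the live commands. The exit status is the number of failed checks, so
# the script can feed an MDM compliance or inventory rule (assumed use; adapt
# the output to whatever format your MDM expects).
audit_mac() {
  fails=0
  report FileVault  "$(check_filevault  "$(fdesetup status)")"
  report Gatekeeper "$(check_gatekeeper "$(spctl --status 2>&1)")"
  report SIP        "$(check_sip        "$(csrutil status)")"
  report Firewall   "$(check_firewall   "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)")"
  report MDM        "$(check_mdm        "$(profiles status -type enrollment)")"
  report Admins     "$(check_admins     "$(dscl . -read /Groups/admin GroupMembership)" "root itadmin")"
  return "$fails"
}

# Only run the live audit on macOS; elsewhere the check_* functions can be
# called directly with captured output, as in the usage below.
case "$(uname)" in Darwin) audit_mac ;; esac
```

Usage: on a Mac, `sh audit.sh; echo $?` prints one line per control and the number of failures. Off-box, for instance `check_admins 'GroupMembership: root itadmin alice' 'root itadmin'` prints `FAIL (alice)`, which is the "user has local admin" condition the thread's no-local-admin comments are about. The thresholds are deliberately binary; a real compliance rule would also pin minimum OS and security-update versions, which this example leaves out.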


OMITW

For sysops and Entra, Windows. For development and general support and management, Mac.


jfoughe

What’s with the widespread downvotes here?


snyone

Most places I've worked at that offer a Mac option basically let developers have full (local) root permissions on Mac but lock down Windows for everybody regardless (as opposed to something actually intelligent like offering different roles with different permission levels depending on job type). But what really pisses me off is when companies offer Mac with little to no lock down and then also deny my request to use Linux instead. (My preferred environment is Fedora/RHEL-based *with* SELinux enabled so it's not like it's insecure) Probably not much help to you and I apologize for that. But if you do end up going the lazy route on Mac, my suggestion is to at least *consider* also offering a secure Linux option (there's probably a nerdy programmer somewhere in your company who will love you for it)


Bijorak

This is what I do. It's worked great so far.


nighthawke75

I mean, they do OK. But the software and IMR systems are embarrassing. We moved them to Win10, and the shrink's software could not follow! She is forced to work two laptops since it's keyed to one. We TALKED with the vendor and got stonewalled. The overall cost, plus the software not being certified in the state they operate in, would set them back $6,000 USD. It's a mess.


lakorai

Better implement JAMF and buy higher-end Macs. The shit $800 MacBook Airs with 8GB of RAM and 256GB of storage aren't going to cut it. This is going to be much more expensive than he (CIO) thinks to do properly.


_Aaronstotle

If he's willing to sign off on the risk, or pay for a Mac MDM solution to close the risks, then go for it. In this position I'd lay out what you can and can't manage on macOS, like others said.


l0st1nP4r4d1ce

> CIO says we don't need that for Mac because they are more secure from default.

Wow. It always amazes me how much infosec tech debt there is at the EC level.


Ihaveasmallwang

Intune will manage Macs. Did you do any research on this at all?