Understanding macOS management with IntuneMDMAgent and Configuration Profiles – Part 1 – History of Mac OS X and macOS Management

Overview

This is part 1 in a multipart series on how macOS devices are managed by Intune. In this post we look at the history of macOS management. In part 2 we look at how macOS handles MDM with Intune. In part 3 we look at Company Portal's role in managing macOS.

Author's notes: The technologies in the beginning of this article are almost 25 years old. While I have used them, my memory of some of their capabilities and functions is foggy. As such, my prep for this portion of the series took me down numerous rabbit holes: literally dusting off my G3 iMac, installing unsupported software from DVDs, looking for websites about the early days of Mac OS X management, and scouring the digital archives of the Wayback Machine for product documentation. Unfortunately, a large portion of Mac OS X's early history is being lost to the "digital" sands of time. The documentation I have will be posted to ModernWork 365's Github account in the coming days.

The nomenclature and jargon surrounding the technology in this article can have different meanings depending on how a name is spelled or referenced. Mac OS (also written MacOS) spelled this way describes System Software 1 through 9, more commonly referred to as Classic. Strictly, that is an incorrect description: Classic is the compatibility environment that ran Mac OS 9 inside Mac OS X on PowerPC Macs, from 10.0 through 10.4, and it was never available on the Intel Macs introduced in 2006. The spelling Mac OS X, later OS X (where X is the Roman numeral for 10), describes the lineage that began with version 10.0 Cheetah and ran through 10.15 Catalina. Apple dropped the "Mac" with 10.8 Mountain Lion and adopted the macOS spelling with 10.12 Sierra, but for simplicity this article uses Mac OS X for the whole 10.x line and macOS for version 11.0 through the current shipping version, 13. OPENSTEP spelled this way refers to the operating system, not the API. The API, while not referenced in this article, is spelled OpenStep; it shipped as Yellow Box in Mac OS X Server 1.0 and is itself a parent of the Cocoa framework. Also discussed is Rhapsody. Both OPENSTEP and Rhapsody are parents of Mac OS X and descendants of the NeXTSTEP operating system. 😮‍💨😉

It is important to note that there were, and still are, numerous tools and products to manage Mac OS X. These included extending the AD schema, AdmitMac, DeployStudio, Configuration Manager, radmind, Workspace ONE, Jamf, Intune, and others. The topologies discussed are ones I built or came across in my career through discussion, roundtables or other interactions with Mac admins. As such, the topologies described in this article are a 30,000 ft view of ways organizations could have managed macOS over the years.

Leading up to Mac OS X

During the late 1990s Mac OS had significantly lost steam and relevance with its core customers. There are numerous stories about how dysfunctional Apple was during this time. Shifting product strategies, multiple leadership changes, and wasted resources were common themes through the 1990s. Microsoft capitalized on this and, through sheer will and discipline, released product after product that met customer needs. This cemented Windows as the dominant operating system.

During this period Apple attempted a number of resets and pivots to the strategy of Mac OS. These included licensing Mac OS to hardware manufacturers, developing a version of Linux for PowerPC, developing the Unix-based A/UX, looking to purchase an operating system, and developing various server platforms and other network operating system tools, to little commercial success. The madness came to a stop in December 1996, when Apple announced its acquisition of NeXT.

The beginnings of Modern Mac Management

Apple's first "modern" entry into system management came with Mac OS X Server 1.0 in 1999. Mac OS X Server 1.0 was the first commercial product based on Rhapsody, which was a complete departure from the Mac OS codebase: it was built on OPENSTEP and the technology acquired with NeXT.

Macintosh Manager

In the early days of Mac OS X, if you had Macs in your organization, chances were they were running Mac OS 8 or 9. Mac OS X did not ship on new hardware as the default boot OS until January 2002, almost a year after its commercial release. To manage Mac OS, Macintosh Manager was the tool of choice for many IT Pros. The Macintosh Manager extension on the client communicated with Mac OS X Server to authenticate the user, cache preferences, and apply them to the user's session. A typical topology during this time was a Power Mac running Mac OS X Server, with the extension installed on each client.

Macintosh Manager topology

Below is a typical screen used by IT Pros managing Mac OS clients. The general look and feel of this application would be seen again in later tools.

Macintosh Manager in use
Macintosh Manager 2.1. This is a screenshot from a PDF on 10.1 Server install media in my collection. I used this while interning with my high school IT department. Also, I miss the pinstripes.

The rise of the Big Cats

By 2003, Apple had introduced Mac OS X version 10.3 Panther and with it native support for joining Active Directory. During the next few years the "Magic Triangle" became a common topology. In a "Magic Triangle" the client was bound to both Open Directory and Active Directory. This was made possible by plugins to DirectoryService, the directory services daemon in Mac OS X, which fronted the local NetInfo database (through 10.4; NetInfo was removed in 10.5) alongside LDAPv3 and Active Directory plugins, and which was itself replaced by opendirectoryd in 10.7. In the example below, Mac OS X Server version 10.4 Tiger on the Xserve, holding the Open Directory Master role, was AD joined. The client, a PowerBook running Mac OS X version 10.4 Tiger, was bound to both Open Directory and Active Directory. With the PowerBook aware of both directories, a user with an account in Active Directory could log in to the Mac OS X client, where the password policy came from AD and user and/or computer policy could come from Open Directory.

Magic Triangle

Open Directory, bundled with the Mac OS X Server SKUs, was an LDAP-compliant directory that offered functionality similar to Active Directory: containers, computers, users, groups, a Kerberos KDC, and so on.

Settings management was made possible through MCX, or Managed Client for X. An MCX policy was an XML property list containing a set of managed key/value pairs for a given application's preference domain. It was applied to the client at login, logout, startup or shutdown. The IT Pro would use Workgroup Manager, from the Server Admin Tools in Jaguar Server or later, to import an application whose preferences they wanted to manage and then set those preferences. In the example below I wanted to manage settings for Google Chrome. Using Workgroup Manager, I import the application.

Workgroup Manager in Mac OS X Server

Then, using the Manifest editor, I set a key to suppress the unsupported operating system warning to true. Oh, the irony.

Managed Prefs for Chrome

The IT Pro would then scope the policy to users, groups, or computers, and the client would cache the resulting property lists in either /Library/Managed Preferences/ (computer-level settings) or /Library/Managed Preferences/UserName/ (user-level settings). Because the cached files are plain plists, an admin could confirm on the client what had actually been enforced by reading that directory.
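To make the MCX flow above concrete, here is an added example (not code from the original post, and not Apple's or Workgroup Manager's code) that takes an MCX record of the shape Workgroup Manager stored in a directory record's MCXSettings attribute, renders it into the per-domain plists a client would cache under /Library/Managed Preferences/, and reports which keys are forced. The record below is constructed for this example; the Chrome policy key `SuppressUnsupportedOSWarning` is assumed to be the key behind the screenshot, and only the Forced and Set-Once states are modelled.

```python
"""Render an MCX record into the per-domain property lists a Mac OS X client
would cache under /Library/Managed Preferences/ (added example, not the post's code).

Assumed layout of the record: mcx_application_data -> preference domain ->
"Forced" / "Set-Once" -> list of {"mcx_preference_settings": {key: value}}.
Forced keys are re-applied every time and the user cannot change them;
Set-Once keys are seeded once and remain editable.
"""
import plistlib
from pathlib import PurePosixPath
from typing import Optional

MANAGED_PREFS_ROOT = PurePosixPath("/Library/Managed Preferences")

# Constructed MCX record: Chrome gets one forced key and one set-once key,
# the Dock gets two forced keys.
SAMPLE_MCX = plistlib.dumps({
    "mcx_application_data": {
        "com.google.Chrome": {
            "Forced": [{"mcx_preference_settings": {"SuppressUnsupportedOSWarning": True}}],
            "Set-Once": [{"mcx_preference_settings": {"HomepageLocation": "https://intranet.example"}}],
        },
        "com.apple.dock": {
            "Forced": [{"mcx_preference_settings": {"tilesize": 36, "autohide": True}}],
        },
    }
})


def render_managed_preferences(mcx_xml: bytes) -> dict:
    """Flatten an MCX record into {domain: {key: (value, state)}}.

    A key present in both Forced and Set-Once is reported as Forced, because
    the forced value is what the client writes into the cached plist.
    """
    record = plistlib.loads(mcx_xml)
    rendered = {}
    for domain, states in record.get("mcx_application_data", {}).items():
        keys = {}
        for state in ("Set-Once", "Forced"):            # Forced processed last so it wins
            for entry in states.get(state, []):
                for key, value in entry.get("mcx_preference_settings", {}).items():
                    keys[key] = (value, state)
        rendered[domain] = keys
    return rendered


def cached_plist_path(domain: str, username: Optional[str] = None) -> PurePosixPath:
    """Path of the cached plist: computer-level at the root, user-level under the user name."""
    base = MANAGED_PREFS_ROOT / username if username else MANAGED_PREFS_ROOT
    return base / f"{domain}.plist"


def cached_plist_values(rendered_domain: dict) -> dict:
    """The on-disk cache holds only key/value pairs, not the management state."""
    return {key: value for key, (value, _state) in rendered_domain.items()}


def to_cached_plist(rendered_domain: dict) -> bytes:
    """Serialize one domain the way the client caches it."""
    return plistlib.dumps(cached_plist_values(rendered_domain))


def is_forced(rendered: dict, domain: str, key: str) -> bool:
    """True when a key is under forced management, i.e. the user cannot override it."""
    value_state = rendered.get(domain, {}).get(key)
    return value_state is not None and value_state[1] == "Forced"


if __name__ == "__main__":
    prefs = render_managed_preferences(SAMPLE_MCX)
    for domain, keys in prefs.items():
        print(cached_plist_path(domain, "jdoe"))
        for key, (value, state) in keys.items():
            print(f"  {key} = {value!r}  [{state}]")
```

Running the script prints the user-level cache path for each domain followed by its keys and their state; the same `is_forced` check is what an admin would want when verifying that a setting the user reports as "stuck" is in fact under forced management rather than merely seeded.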

OS X Lion

Mac OS X version 10.7 Lion would be a watershed moment for Mac OS X. Lion brought MDM and other major features, but also a shift in business model. By the early 2010s the enterprise product lines had grown to include two different SKUs of OS X Server, Xserve hardware, Xsan, Apple Remote Desktop, Final Cut Server and more. Lion was delivered through the Mac App Store, and with it Lion Server. The IT Pro downloaded the Lion Server app from the App Store, services were installed on demand, and the client was promoted to a server.

Lion Server Promotion
Lion Server Promotion
Mac OS X being Promoted to Lion Server on an old iMac.

By the end of 2011, Xserve, Final Cut Server, and the multiple SKUs of OS X Server had been discontinued.

Mobile Device Management in Mac OS X

As mentioned, Lion brought MDM to Mac OS X. To use MDM, a client was enrolled into management via an enrollment (management) profile. The profile carried an identity certificate issued from a PKI, and that certificate served as the mechanism of trust between the client and the MDM server: the client authenticates to the server with it on every subsequent connection. The MDM server used the Apple Push Notification service to tell the client that policy was waiting; the push itself carried no policy, so the client then connected to the server over HTTPS to fetch and acknowledge its commands. This was a major departure from previous management models, in which the client was joined to a directory service to get policy. A typical topology used to manage Macs during the mid-2010s is seen below, where the device was enrolled into Jamf, which provided both MDM and agent-based management, while also bound to Active Directory. It was during this time that Casper Suite, known now as Jamf Pro, began to make serious inroads into IT organizations.
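The check-in loop described above, as an added example that is not code from the original post, Apple, or any MDM vendor: a server enrolls a device by binding the enrollment certificate to its UDID, queues a command, "pushes" a wake-up, and the device then pulls commands and acknowledges them with the Idle/Acknowledged plist exchange the MDM protocol uses. The transport (HTTPS and APNs), the certificate fingerprints, the push topic and the device are all simulated in-process; the important detail the model keeps is that a check-in authenticated with a certificate other than the one issued at enrollment is rejected, which is exactly the trust the profile establishes. Part 2 covers how Intune drives this loop.

```python
"""In-process model of the Lion-era MDM check-in loop (added example, not the
post's, Apple's or any vendor's code). Message shapes follow the MDM protocol's
plist exchange: device sends {"Status": "Idle"|"Acknowledged"|"Error", "UDID", ...},
server answers with {"CommandUUID", "Command": {"RequestType", ...}} or an empty body.
The transport, APNs push, certificate fingerprints and topic are simulated.
"""
import plistlib
import uuid
from collections import deque


class MDMServer:
    def __init__(self, push_topic: str):
        self.push_topic = push_topic      # assumed topic; real ones are com.apple.mgmt.External.<id>
        self.identities = {}              # UDID -> fingerprint of the cert issued at enrollment
        self.push_tokens = {}             # UDID -> APNs device token
        self.queues = {}                  # UDID -> pending command envelopes
        self.results = []                 # (UDID, CommandUUID, Status) reported by devices
        self.outbox = []                  # pushes handed to "APNs", recorded for inspection

    def enroll(self, udid: str, cert_fingerprint: str, push_token: str) -> None:
        """The enrollment profile delivered an identity cert; bind it to this UDID."""
        self.identities[udid] = cert_fingerprint
        self.push_tokens[udid] = push_token
        self.queues[udid] = deque()

    def queue_command(self, udid: str, request: dict) -> str:
        cmd_uuid = str(uuid.uuid4())
        self.queues[udid].append({"CommandUUID": cmd_uuid, "Command": request})
        # The push says only "check in"; the policy itself travels over the HTTPS channel.
        self.outbox.append({"token": self.push_tokens[udid], "topic": self.push_topic})
        return cmd_uuid

    def checkin(self, client_cert_fingerprint: str, body: bytes) -> bytes:
        """Handle one device->server message and return the next command, or b"" if none."""
        msg = plistlib.loads(body)
        udid = msg["UDID"]
        # Trust check: the connection must present the identity issued to this UDID at
        # enrollment; otherwise any device knowing a UDID could drain or acknowledge its commands.
        if self.identities.get(udid) != client_cert_fingerprint:
            raise PermissionError(f"identity mismatch for {udid}")
        if msg["Status"] != "Idle":                       # a result for the previous command
            self.results.append((udid, msg["CommandUUID"], msg["Status"]))
        queue = self.queues[udid]
        return plistlib.dumps(queue.popleft()) if queue else b""


class MDMClient:
    def __init__(self, udid: str, cert_fingerprint: str, push_token: str):
        self.udid, self.cert_fingerprint, self.push_token = udid, cert_fingerprint, push_token
        self.installed_profiles = []

    def handle(self, command: dict) -> str:
        """Execute one command and return the status the device reports for it."""
        if command["RequestType"] == "InstallProfile":
            self.installed_profiles.append(command["Payload"])
            return "Acknowledged"
        return "Error"                                    # unknown RequestType

    def on_push(self, server: MDMServer) -> list:
        """APNs woke us: connect, report Idle, then run and acknowledge commands until the queue is empty."""
        statuses = []
        reply = {"Status": "Idle", "UDID": self.udid}
        while True:
            body = server.checkin(self.cert_fingerprint, plistlib.dumps(reply))
            if not body:
                return statuses
            envelope = plistlib.loads(body)
            status = self.handle(envelope["Command"])
            statuses.append(status)
            reply = {"Status": status, "UDID": self.udid, "CommandUUID": envelope["CommandUUID"]}


def run_demo() -> dict:
    """Enroll, push, check in; then show an impostor with the right UDID but wrong cert is refused."""
    server = MDMServer(push_topic="com.apple.mgmt.External.example")
    device = MDMClient("DEVICE-0001", "sha256:issued-at-enrollment", "apns-token-1")
    server.enroll(device.udid, device.cert_fingerprint, device.push_token)
    cmd = server.queue_command(device.udid, {"RequestType": "InstallProfile",
                                             "Payload": b"<constructed profile>"})
    statuses = device.on_push(server)
    impostor = MDMClient("DEVICE-0001", "sha256:some-other-cert", "apns-token-x")
    try:
        impostor.on_push(server)
        rejected = False
    except PermissionError:
        rejected = True
    return {"command": cmd, "statuses": statuses, "results": server.results,
            "pushes": len(server.outbox), "profiles": len(device.installed_profiles),
            "impostor_rejected": rejected}


if __name__ == "__main__":
    print(run_demo())
```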

macOS managed by MDM and AD

From Big Cats to California landmarks, macOS becomes a first-class citizen for Modern Device Management.

Throughout the 2010s OS X continued to receive new enterprise features. Major functionality like FileVault 2 key management, DEP and VPP support, and continued MDM maturity shipped with every major release. Binding to Active Directory became less common as tools like Apple's Enterprise Connect, Jamf Connect, and NoMAD, which enforced directory password rules on local accounts without a bind, rose in popularity.

From the mid-2010s into the early 2020s Apple made a number of platform investments that impacted IT Pros supporting macOS. These included System Integrity Protection, replacing HFS+ with APFS, introducing Secure Token and Bootstrap Token, and the shift to Arm processors, branded as Apple Silicon. Today a typical topology for managing macOS leverages Apple Business/School Manager, prioritizes MDM over agent-based functionality, and uses cloud identity. With Platform SSO and Declarative Device Management on the horizon as major new features for identity and the device management experience, there is no shortage of enterprise technology in macOS. For our top enterprise features in macOS Sonoma, check out this post!

Modern Mac managed by cloud identity and MDM

Wrap up

24ish years in one post. I am sure I have missed huge advancements or gotten a feature wrong. But I hope you have enjoyed this look back at macOS management. Up next, in Part 2 of Understanding macOS management with IntuneMDMAgent and Configuration Profiles, we will bring this back into Microsoft 365 focus and discuss how Intune works with the MDM framework in macOS.

More Reading

If you are interested in learning more about the history of Apple, the Mac or the Personal Computer industry, I have included a few links below for further reading:

(ModernWork 365 does not receive any monetary gain from the links below)

Apple Confidential

Revolution in the Valley – The insanely great story of how the Mac was made

Fire in the Valley -The Birth and Death of the Personal Computer

Triumph of the Nerds: The Rise of Accidental Empires

Showstopper!: The Breakneck Race to Create Windows NT and the Next Generation at Microsoft
