How Jamf helps maximize your Microsoft investments
Does your Microsoft stack cover every device in your environment? Jamf's seamless integrations can make it happen.
Your organization runs on Microsoft. Your teams rely on Intune for device management, Entra for identity, Microsoft Sentinel for security operations and Microsoft Security Copilot to tie it all together. You've built a serious, modern security stack and you should feel good about that.
But does that stack cover every device in your environment?
Key takeaways
- Microsoft Intune's macOS compliance policy evaluates six settings: OS version, password, FileVault, SIP, firewall and Gatekeeper. Custom compliance scripts, XProtect signature currency, Recovery Lock on Apple Silicon and CVE exposure are outside what Intune can assess for Apple devices. Jamf Pro evaluates against your actual security requirements by assessing more than six settings.
- Microsoft Defender for Endpoint collects behavioral telemetry on macOS, but Apple-native signals like Gatekeeper detections, XProtect events, TCC database modifications and LaunchDaemon persistence surface only through Apple's Endpoint Security API. Jamf Protect streams these events directly into Microsoft Sentinel, filling the telemetry layer that generic endpoint tools don't expose.
- Platform SSO with Secure Enclave mode provides phishing-resistant, hardware-bound authentication for Mac but carries real configuration requirements including full Entra ID join (hybrid-join not supported), user-group policy assignment and separate MDM profiles for hybrid Kerberos environments. Jamf Pro orchestrates the deployment and surfaces registration status as a queryable compliance attribute fleet-wide.
- Jamf is not a competing platform to Microsoft. It's the Apple-native layer that makes your existing Microsoft investments more complete. Intune, Entra, Microsoft Sentinel and Security Copilot all perform better with the Apple-specific data Jamf provides, without requiring new workflows or tools for your team to learn.
- Jamf is available on the Microsoft Azure Marketplace, meaning organizations with committed Azure spend can apply existing budget toward closing their Apple management gap through the vendor relationship they already have.
Your Microsoft tools weren't built for Apple.
The reality is that two world-class platforms were built independently from one another.
Microsoft Sentinel, Intune, Defender and Entra are engineered around the Windows ecosystem. They're excellent at what they do… for Windows. But Apple's platform operates on a fundamentally different architecture, with its own APIs and management frameworks. When you enroll a Mac in Intune, you get a baseline: enrollment, remote wipe and some configuration profiles. What you don't get is the deep, native visibility that macOS was designed to expose to purpose-built Apple management and security tools.
That gap shows up in ways that matter to your security posture:
- Device inventory that isn't complete: Hardware details, OS-level configuration states and security posture signals that Apple exposes only to native management tools simply don't surface in Intune. What you see looks comprehensive. What you're missing, you don't know to look for.
- Compliance enforcement that doesn't fully translate: Policies engineered for Windows behave differently on macOS. The gaps they create aren't always obvious until an auditor — or an attacker — finds them first.
- Security telemetry with a blind spot: Apple endpoints have their own threat surface that Microsoft Defender wasn't built for: different malware patterns, different attack vectors, different behavioral signals. Without platform-native monitoring, that activity doesn't reach your SIEM. Microsoft Sentinel can only act on what it receives.
The result is a security stack that looks airtight in your dashboards but has a quiet, persistent gap where your Apple fleet lives. That gap is real. And the organizations that have learned this the hard way didn't find out on their own terms.
Jamf closes the gap inside the Microsoft tools you already use.
The most important thing to understand about Jamf is what it isn't: it's not a competing platform.
It's not another dashboard to manage or another workflow to maintain. Jamf is purpose-built Apple expertise that integrates directly into Microsoft's ecosystem, feeding the tools your team already trusts with the Apple-specific data they've been missing.
Better together isn't just a phrase. It's the principle our partnership was built on and it's reflected in the deep integrations we offer.
Jamf + Microsoft Intune: The Apple depth Intune needs
Intune does the foundational work. Jamf brings the Apple depth.
Together, they give IT teams unified device compliance across the entire fleet: Windows and Apple managed with equal rigor. Enrollment workflows purpose-built for Apple hardware. Granular policy enforcement and configuration options that go far beyond what Intune can deliver for macOS on its own.
Here’s the more subtle problem to consider. Intune's macOS compliance policy is a fixed, relatively short checklist:
- OS version
- Password rules
- FileVault encryption
- Firewall
- System Integrity Protection (SIP)
- Gatekeeper
For Windows, that checklist runs deep.
For Mac, it's a starting point — but not a complete picture.
Jamf's compliance framework is native to Apple and built to go much further.
It can assess:
- Whether XProtect malware signatures are current
- Whether Recovery Lock is set on Apple Silicon devices
- How the device scores against the CIS macOS Security Benchmark (with no workarounds)
- Whether a sensitive configuration is in place
- Whether specific security tools are running
- Whether a particular certificate is installed
- And much, much more
Any custom compliance signal your security team can define, Jamf can enforce.
Intune cannot.
When a device passes Intune's macOS compliance check, it means the short checklist came back clean. When it passes Jamf's, it means it met your actual security requirements. For security leaders, that distinction matters enormously: a green checkmark is only meaningful if it asked the right questions in the first place.
Your team keeps working in Intune. They just stop trusting a green checkmark that was never telling the whole story.
Jamf + Microsoft Entra: identity done right, from first boot
Let's start with the fact that Microsoft has made real progress on the macOS identity problem. Platform SSO, generally available since August 2025, extends Entra-based authentication to the macOS login screen using Secure Enclave-backed, hardware-bound cryptographic keys. The private key never leaves the device. Authentication is phishing-resistant. Touch ID triggers the Secure Enclave to sign assertions without sending biometric data to Entra ID. For organizations pursuing passwordless, this is a legitimate and well-engineered capability.
So where does Jamf fit in? Not as a replacement for PSSO — but as the management layer that makes it work correctly at scale, and as the solution for the scenarios that PSSO deliberately doesn't address.
PSSO is built around a tradeoff: the authentication method you choose determines whether your Mac credentials are hardware-bound or password-unified — and those properties are mutually exclusive.
Secure Enclave mode is the right choice for organizations prioritizing phishing-resistant authentication. The cryptographic key never leaves the device, and credentials are genuinely non-exportable. What it doesn't deliver is full passwordlessness — local accounts still require passwords for initial login and FileVault authentication, because FileVault uses the local account password as its disk encryption key. Your Mac login credential and your Entra identity are hardware-bound, not password-unified.
For organizations where password parity between the OS and the identity provider is a requirement — typically as part of a compliance posture aimed at reducing lateral movement risk — the Password authentication method is the appropriate choice. It keeps the local password in sync with Entra, including FileVault and Keychain.
These are distinct modes with distinct security properties. Choosing between them is a policy decision, not a deployment detail.
Beyond the authentication method decision, PSSO carries a real configuration surface.
- Devices must be fully Entra ID joined — hybrid-join environments where devices remain bound to Active Directory are explicitly not supported.
- Policies must be assigned to user groups rather than devices, and only one SSO policy can exist per user group, requiring all PSSO settings to be consolidated into a single profile.
- The stricter biometric-only policy requires macOS 14.6 and Company Portal version 2504 or later.
- If your environment spans on-premises Active Directory and Entra Cloud Kerberos, separate MDM profiles are required for each realm, with full Kerberos integration requiring macOS 14.6 and Company Portal 5.2408.0 or later.
- In environments with TLS inspection, specific Microsoft and Apple domains must be exempted or PSSO token acquisition will fail. And if Entra accounts have per-user MFA enabled rather than Conditional Access-based MFA, PSSO setup will be blocked entirely.
These are not reasons to avoid PSSO. They are reasons the MDM layer that manages it matters, and that's where Jamf changes what's possible.
Jamf Pro orchestrates the entire PSSO deployment: distributing Company Portal, configuring Extensible SSO payloads, deploying SCEP profiles for device identity and surfacing PSSO registration status as a queryable compliance attribute alongside enrollment state and security posture. Jamf Pro 11.21.1 added a dedicated verb to query Secure Enclave registration status per device, giving administrators fleet-wide visibility into which devices have successfully registered hardware-bound identity with Entra ID. Jamf Pro 11.22.0's Conditional Access.app reports on Entra PSSO registration status alongside device ID, user UPN, and certificate thumbprint — tying identity registration state directly into the same platform managing enrollment, compliance benchmarks, and security posture. When Jamf Pro's device attestation capabilities combine with PSSO in macOS 26, the result is what Jamf describes as a security trifecta: only a verified, trusted user operating a managed and authenticated device can access secure cloud resources.
Simplified setup
Apple's new workflow requires PSSO registration during the Setup Assistant, enabling zero-touch provisioning with identity-based first-user account creation. It currently supports Okta Identity Engine and is coming soon for Microsoft Entra ID.
Organizations deploying Entra today should plan for this capability to land, and Jamf Pro is built to enable it the moment Microsoft's support ships. For shared Mac environments, Authenticated Guest Mode (macOS 26) creates temporary user accounts after IdP authentication that automatically self-delete after logout — supported by both Entra ID and Okta through Jamf Pro. Tap to Login — which extends Apple Wallet's NFC contactless capabilities to Mac authentication — is introduced in macOS 26 but is not yet supported by any identity provider, making it a near-term roadmap item worth tracking.
For organizations that need password parity and use Entra ID alongside Okta or Google Workspace, Jamf Connect remains the most complete solution. Jamf Connect replaces the macOS login window with cloud identity provider authentication, creates local macOS accounts from IdP credentials during zero-touch enrollment and maintains continuous password synchronization. It checks alignment approximately every 60 minutes and prompts users when the local and network passwords diverge. FileVault and Keychain are updated as part of the sync.
This capability covers Microsoft Entra ID, Okta, and Google Workspace, not Entra ID alone — which matters for organizations that are not exclusively Microsoft-identity shops.
Two solutions, two roles
It's worth being precise about how Jamf Connect and PSSO interact, because the two can complement each other — or conflict — depending on configuration.
The recommended pairing for Entra environments:
- Use Jamf Connect to manage local password sync and ongoing workflows.
- Use Microsoft's PSSO Secure Enclave extension to handle cloud identity authentication via a hardware-bound key.
In this model, Jamf Connect owns the local credential layer and PSSO owns the phishing-resistant IdP authentication layer, each doing what it does best without stepping on the other. What to avoid: configuring both Jamf Connect and PSSO Password mode to sync the same user's password simultaneously.
Having two solutions attempt password sync through different mechanisms will cause conflicts. Choose one method for password sync and configure the other accordingly.
Two operational realities are worth stating honestly.
First, during Automated Device Enrollment, Jamf Connect Login must be excluded from Conditional Access controls in Azure, because users authenticate at the system level before Conditional Access can be instantiated. Post-enrollment, Conditional Access enforcement operates normally.
Second, Jamf Connect requires a local password to be set even when using Entra ID, which means it does not support a fully passwordless workflow — that's what Secure Enclave PSSO is for. These are not deficiencies; they define the role each solution plays.
The complete picture for Entra-integrated Mac fleets: PSSO deployed and monitored through Jamf Pro handles phishing-resistant hardware-bound authentication. Jamf Connect handles zero-touch account provisioning, password parity enforcement, and multi-IdP flexibility where needed. Jamf's compliance framework ties device posture to identity-based access enforcement in a single platform. The result is not Jamf replacing PSSO. It's Jamf making PSSO operationally viable at fleet scale, closing the gaps Microsoft's architecture deliberately leaves open, and extending identity coverage to the scenarios, identity providers, and macOS versions that PSSO doesn't yet fully address.
PSSO without Jamf is a strong authentication capability that requires careful configuration management. Jamf with PSSO is an identity and device management foundation that works from first boot.
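To make the configuration constraints above and the Jamf Connect pairing rules concrete, here is an added preflight check, written for this page and not Microsoft's or Jamf's code. It encodes the requirements the post lists (full Entra join, user-group assignment, one SSO policy per group, the macOS 14.6 and Company Portal 2504 / 5.2408.0 minimums, Kerberos realm profiles, TLS exemptions, per-user MFA) plus the password-sync conflict rule, and runs it over two constructed rollout plans. The `PssoPlan` field names are hypothetical, and the mapping of Company Portal "2504" onto the middle component of a "5.2504.0"-style version string is an assumption.

```python
"""Preflight validator for a Platform SSO rollout plan.

Added example: encodes the constraints listed in this post as checks over a
hypothetical plan record, so a draft plan can be reviewed before any profile
is pushed.  Field names and the two sample plans are constructed.
"""
from dataclasses import dataclass
import re


def ver(s: str) -> tuple[int, ...]:
    """Numeric tuple so '14.10' compares greater than '14.6' (string compare would not)."""
    return tuple(int(x) for x in re.findall(r"\d+", s))


def company_portal_build(s: str) -> int:
    """Assumption: Company Portal versions look like '5.2408.0', where the middle
    component is the YYMM build the post cites as '2504' and '5.2408.0'."""
    parts = ver(s)
    return parts[1] if len(parts) >= 3 else parts[0]


@dataclass
class PssoPlan:                       # hypothetical plan schema
    auth_method: str                  # "UserSecureEnclaveKey" or "Password"
    needs_password_parity: bool       # compliance requirement for OS/IdP password parity
    join_type: str                    # "entra" or "hybrid"
    assignment_target: str            # "user_group" or "device"
    sso_policies_per_user_group: int
    biometric_only: bool
    macos_version: str
    company_portal_version: str
    onprem_ad_plus_cloud_kerberos: bool
    separate_kerberos_profiles: bool
    tls_inspection: bool
    tls_exemptions_configured: bool
    per_user_mfa: bool
    jamf_connect_password_sync: bool


def preflight(plan: PssoPlan) -> list[str]:
    """Return a list of findings; an empty list means the plan clears every rule."""
    f: list[str] = []
    if plan.join_type != "entra":
        f.append("BLOCK: devices must be fully Entra ID joined; hybrid join is not supported")
    if plan.assignment_target != "user_group":
        f.append("BLOCK: assign the PSSO policy to user groups, not devices")
    if plan.sso_policies_per_user_group > 1:
        f.append("BLOCK: one SSO policy per user group; consolidate settings into a single profile")
    if plan.per_user_mfa:
        f.append("BLOCK: per-user MFA blocks PSSO setup; use Conditional Access-based MFA")
    if plan.tls_inspection and not plan.tls_exemptions_configured:
        f.append("BLOCK: exempt the required Microsoft and Apple domains from TLS inspection")
    if plan.biometric_only and (ver(plan.macos_version) < ver("14.6")
                               or company_portal_build(plan.company_portal_version) < 2504):
        f.append("BLOCK: biometric-only policy needs macOS 14.6+ and Company Portal 2504+")
    if plan.onprem_ad_plus_cloud_kerberos:
        if not plan.separate_kerberos_profiles:
            f.append("BLOCK: on-prem AD and Entra Cloud Kerberos need separate MDM profiles per realm")
        if (ver(plan.macos_version) < ver("14.6")
                or company_portal_build(plan.company_portal_version) < 2408):
            f.append("BLOCK: full Kerberos integration needs macOS 14.6+ and Company Portal 5.2408.0+")
    # Two mechanisms syncing the same password is the conflict the post warns about.
    if plan.auth_method == "Password" and plan.jamf_connect_password_sync:
        f.append("CONFLICT: PSSO Password mode and Jamf Connect both sync the local password; pick one")
    # Secure Enclave mode is hardware-bound, not password-unified; parity needs another owner.
    if (plan.auth_method == "UserSecureEnclaveKey" and plan.needs_password_parity
            and not plan.jamf_connect_password_sync):
        f.append("POLICY: Secure Enclave mode gives no password parity; pair it with Jamf Connect or use Password mode")
    return f


# Constructed draft plan that trips most of the rules.
DRAFT_PLAN = PssoPlan(
    auth_method="Password", needs_password_parity=True, join_type="hybrid",
    assignment_target="device", sso_policies_per_user_group=2, biometric_only=False,
    macos_version="14.4", company_portal_version="5.2408.0",
    onprem_ad_plus_cloud_kerberos=True, separate_kerberos_profiles=False,
    tls_inspection=True, tls_exemptions_configured=False, per_user_mfa=True,
    jamf_connect_password_sync=True,
)

# Constructed plan following the pairing the post recommends for Entra environments.
RECOMMENDED_PLAN = PssoPlan(
    auth_method="UserSecureEnclaveKey", needs_password_parity=True, join_type="entra",
    assignment_target="user_group", sso_policies_per_user_group=1, biometric_only=True,
    macos_version="15.2", company_portal_version="5.2504.0",
    onprem_ad_plus_cloud_kerberos=True, separate_kerberos_profiles=True,
    tls_inspection=True, tls_exemptions_configured=True, per_user_mfa=False,
    jamf_connect_password_sync=True,
)

if __name__ == "__main__":
    for name, plan in (("draft", DRAFT_PLAN), ("recommended", RECOMMENDED_PLAN)):
        print(name, preflight(plan) or ["OK"])
```

The draft plan produces eight findings, including the password-sync conflict; the recommended plan (Secure Enclave mode for IdP authentication, Jamf Connect for local password parity) produces none. Rules that mirror product boundaries should be rechecked against Microsoft's current documentation each time a version threshold changes.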
Jamf + Microsoft Sentinel: Complete telemetry, finally
Your SOC lives in Microsoft Sentinel. But its ability to detect, investigate and respond depends entirely on the quality and completeness of the data feeding it. If your Apple endpoints aren't generating the right telemetry, your team is working with a partial picture, and the gap is more specific than most security leaders realize.
Microsoft Defender for Endpoint is a capable, well-integrated platform. Its telemetry on macOS covers process behavior, file system events, network activity and investigation packages. Where it excels is correlation: events flowing into Sentinel are automatically enriched with WHOIS lookups, threat intelligence providers and cross-platform signal correlation across your entire Microsoft environment. That infrastructure is mature, deep and genuinely hard to replicate. For Windows-centric fleets, it's comprehensive.
Jamf Protect adds what Defender doesn't cover: the Apple-native signal layer, the events that surface only through Apple's Endpoint Security API:
- Gatekeeper enforcement status and detections
- XProtect detection events
- TCC database modification events that reveal unauthorized privacy permission changes
- LaunchDaemon and LaunchAgent persistence mechanisms
- PTY events that indicate reverse shell activity
None of these signals are in Defender's documented macOS telemetry schema.
Jamf Protect is built natively on Apple's Endpoint Security API, and it surfaces these events directly into Microsoft Sentinel.
Jamf Protect's Sentinel integration maps to ASIM fields (where supported), with event data landing in custom log types in your Log Analytics workspace. The integration currently streams two primary data types into Sentinel: threat detection events and network traffic data — DNS and HTTP activity from managed Apple endpoints. Hunting queries can combine alert data, telemetry events and network activity for detection and retrospective analysis, using the same KQL queries your team already writes.
The result in Sentinel is additive, not redundant. Defender provides mature cross-platform EDR signal, rich threat correlation and deep investigation capabilities across your Microsoft environment. Jamf Protect contributes the Apple-native telemetry layer: the events from Apple's own security framework that generic endpoint tools don't expose.
Mac and Windows events, side by side, in the platform your SOC already uses. No new tools to learn. No separate investigation workflow. Just the signals your team was missing.
Jamf + Microsoft Security Copilot: AI can only help if you give it the whole picture.
Microsoft Security Copilot is a genuinely powerful capability — but its analysis is bounded by the data it receives. If your Apple fleet isn't contributing the right telemetry, Copilot isn't giving you complete answers.
It's giving you the best answers it can with incomplete information, which is a different thing entirely.
The completeness problem is concrete. Copilot's macOS threat correlations are only as good as the macOS events feeding Sentinel.
- If Gatekeeper detections aren't streaming, Copilot can't surface them.
- If TCC database modifications aren't captured, Copilot can't correlate a suspicious privacy permission change with a concurrent process execution event.
- If CVE state changes for Apple devices aren't flowing, Copilot's vulnerability context for your Mac fleet is missing entirely.
The AI reasons with what it has — and right now, for many organizations running Defender without Jamf, it doesn't have the Apple-native telemetry layer.
Jamf's plugin for Microsoft Security Copilot closes that gap.
With Jamf Protect telemetry flowing through Sentinel and Jamf's plugin active, Copilot can surface Apple-specific threats, correlate Mac device activity with identity and network events across your environment, and support investigations that span your entire endpoint fleet — not just the Windows half. The investigation workflow your SOC already knows, now with the full picture.
The AI is only as smart as the data you give it. Incomplete data means incomplete protection. Jamf is how you give Copilot the Apple half of the story it's currently missing.
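The Sentinel and Copilot sections above both turn on the same point: a correlation is only possible if the Apple-native event is in the stream at all. The following added example (written for this page, not Jamf's, Microsoft's or Sentinel's code) runs a simple detection over a constructed event stream: it pairs each TCC database modification with process executions on the same host inside a time window, which is the correlation L107 describes, and reports which Apple-native event types are present. Run on the full stream it yields one alert; run on the Defender-sourced events alone it yields nothing, because the TCC event is never there. The event schema, host names, timestamps and process paths are constructed and do not represent Jamf Protect's real log format; in Sentinel the equivalent is a KQL join over the custom log types the integration lands in your workspace.

```python
"""Correlate TCC database modifications with nearby process executions.

Added example over a constructed event stream; the field names below are
not Jamf Protect's or Defender's actual schema.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)

# Apple-native event types the post says surface only via the Endpoint Security API.
APPLE_NATIVE_TYPES = {
    "gatekeeper_detection", "xprotect_detection", "tcc_modification",
    "launchdaemon_persistence", "pty_open",
}


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def correlate_tcc_with_exec(events: list[dict], window: timedelta = WINDOW) -> list[dict]:
    """For every TCC modification, emit one alert per process execution on the
    same host within +/- window.  Events from any source are considered, so the
    exec half may come from Defender and the TCC half from Jamf Protect."""
    execs = [e for e in events if e["event_type"] == "process_exec"]
    alerts = []
    for tcc in (e for e in events if e["event_type"] == "tcc_modification"):
        t = parse_ts(tcc["ts"])
        for ex in execs:
            delta = abs(parse_ts(ex["ts"]) - t)
            if ex["host"] == tcc["host"] and delta <= window:
                alerts.append({
                    "host": tcc["host"],
                    "tcc_service": tcc["service"],
                    "process": ex["process"],
                    "delta_seconds": int(delta.total_seconds()),
                })
    return alerts


def apple_native_coverage(events: list[dict]) -> dict[str, bool]:
    """Which Apple-native event types this stream contains at all; a False here
    is a correlation Sentinel (and Copilot) can never make from this data."""
    present = {e["event_type"] for e in events}
    return {t: t in present for t in sorted(APPLE_NATIVE_TYPES)}


# Constructed sample stream mixing Defender-style and Jamf Protect-style events.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T10:00:05", "source": "defender", "host": "mac-042",
     "event_type": "process_exec", "process": "/usr/bin/osascript"},
    {"ts": "2025-05-01T10:00:20", "source": "jamf_protect", "host": "mac-042",
     "event_type": "tcc_modification", "service": "kTCCServiceScreenCapture"},
    {"ts": "2025-05-01T10:04:50", "source": "defender", "host": "mac-017",
     "event_type": "process_exec", "process": "/usr/bin/curl"},
    {"ts": "2025-05-01T10:05:00", "source": "jamf_protect", "host": "mac-017",
     "event_type": "gatekeeper_detection", "path": "/Users/shared/Installer.app"},
    {"ts": "2025-05-01T11:30:00", "source": "defender", "host": "mac-042",
     "event_type": "process_exec", "process": "/usr/bin/sw_vers"},
]

if __name__ == "__main__":
    print("full stream:", correlate_tcc_with_exec(SAMPLE_EVENTS))
    defender_only = [e for e in SAMPLE_EVENTS if e["source"] == "defender"]
    print("defender only:", correlate_tcc_with_exec(defender_only))
    print("coverage:", apple_native_coverage(SAMPLE_EVENTS))
```

The window size and the choice of which TCC services count as sensitive are tuning decisions for your environment; the structural lesson is that filtering the stream to one source removes the pairing entirely, not merely weakens it.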
The Intune question — and the honest answer
If you're thinking "we already pay for Intune, why would we add another tool?" that's exactly the right question. And the honest answer is: because Intune wasn't designed to manage Apple fully, and the gaps this creates are specific, documented, and consequential.
Intune's custom compliance policies are explicitly limited to Windows and Linux; Apple platforms are excluded by design. The macOS compliance checklist covers six items:
- OS version
- Password policy
- FileVault
- System Integrity Protection
- Firewall
- Gatekeeper
None of the following surface in Intune's compliance framework:
- XProtect signature currency
- Recovery Lock on Apple Silicon
- TCC database state
- CVE exposure across your Mac fleet
When a Mac passes Intune's compliance check, it means those six things came back clean. It doesn't mean your security requirements were evaluated.
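The six-item checklist above, and the longer list in the "Jamf + Microsoft Intune" section, describe two different questions a compliance check can ask. The added example below (written for this page, not Intune's or Jamf Pro's code) evaluates both over a constructed device posture record: the six baseline settings, then custom signals of the kind the post lists (XProtect signature currency, Recovery Lock, required security tools running, a required certificate present). The sample device passes the baseline and fails the extended check, which is exactly the "green checkmark that asked the wrong questions" situation. The command-output formats the parsers expect and the process, certificate and XProtect version values are assumptions, not taken from the page.

```python
"""Baseline (six-item) versus extended macOS compliance evaluation.

Added example over a constructed posture record.  The string formats the
parsers look for are assumptions about typical macOS command output.
"""
from dataclasses import dataclass, field
import re


def parse_version(text: str) -> tuple[int, ...]:
    """'14.6.1' -> (14, 6, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


# Parsers for output a local agent would collect (formats are assumptions).
def sip_enabled(csrutil_status: str) -> bool:
    return "System Integrity Protection status: enabled" in csrutil_status


def filevault_on(fdesetup_status: str) -> bool:
    return fdesetup_status.strip().startswith("FileVault is On")


def gatekeeper_on(spctl_status: str) -> bool:
    return "assessments enabled" in spctl_status


def firewall_on(socketfilterfw_state: str) -> bool:
    return "State = 1" in socketfilterfw_state


@dataclass
class Posture:                         # constructed inventory record
    os_version: str
    password_policy_ok: bool
    csrutil_status: str
    fdesetup_status: str
    spctl_status: str
    firewall_state: str
    xprotect_version: str              # signals below are outside the six-item baseline
    recovery_lock_set: bool
    running_processes: list[str] = field(default_factory=list)
    installed_cert_cns: list[str] = field(default_factory=list)


@dataclass
class Policy:
    min_os: str
    min_xprotect: str
    required_processes: list[str]
    required_cert_cn: str


def baseline_checks(p: Posture, pol: Policy) -> dict[str, bool]:
    """The six settings the post says Intune's macOS compliance policy evaluates."""
    return {
        "os_version": parse_version(p.os_version) >= parse_version(pol.min_os),
        "password": p.password_policy_ok,
        "filevault": filevault_on(p.fdesetup_status),
        "sip": sip_enabled(p.csrutil_status),
        "firewall": firewall_on(p.firewall_state),
        "gatekeeper": gatekeeper_on(p.spctl_status),
    }


def extended_checks(p: Posture, pol: Policy) -> dict[str, bool]:
    """Custom signals of the kind the post lists for Jamf's compliance framework."""
    return {
        "xprotect_current": parse_version(p.xprotect_version) >= parse_version(pol.min_xprotect),
        "recovery_lock": p.recovery_lock_set,
        "security_tools_running": all(proc in p.running_processes for proc in pol.required_processes),
        "certificate_installed": pol.required_cert_cn in p.installed_cert_cns,
    }


def compliance_report(p: Posture, pol: Policy) -> dict:
    base, ext = baseline_checks(p, pol), extended_checks(p, pol)
    return {
        "baseline_compliant": all(base.values()),
        "fully_compliant": all(base.values()) and all(ext.values()),
        "failed": [name for name, ok in {**base, **ext}.items() if not ok],
    }


# Constructed device: clean on the six-item baseline, not on the extended checks.
SAMPLE_POSTURE = Posture(
    os_version="15.3.1", password_policy_ok=True,
    csrutil_status="System Integrity Protection status: enabled.",
    fdesetup_status="FileVault is On.", spctl_status="assessments enabled",
    firewall_state="Firewall is enabled. (State = 1)",
    xprotect_version="5287",            # constructed; stale relative to the policy
    recovery_lock_set=False,
    running_processes=["launchd", "JamfProtect"],       # hypothetical process names
    installed_cert_cns=["Corp Device Identity"],        # hypothetical certificate CN
)
SAMPLE_POLICY = Policy(min_os="15.0", min_xprotect="5290",
                       required_processes=["JamfProtect", "wdavdaemon"],
                       required_cert_cn="Corp Device Identity")

if __name__ == "__main__":
    print(compliance_report(SAMPLE_POSTURE, SAMPLE_POLICY))
```

The report for the sample device is baseline-compliant but not fully compliant, with the stale XProtect version, missing Recovery Lock and a missing security-tool process as the failures; the point is that the verdict depends entirely on which checks the policy asks for.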
Microsoft's base Endpoint Analytics tool is documented as Windows-only with no macOS support. Advanced Analytics, available as part of the E5 subscription, does surface battery health and storage metrics for Apple devices via Device Query; but broader performance monitoring, crash reporting and user experience scoring for Apple platforms remain undocumented. The telemetry Intune and Defender collect on macOS is real, but the Apple-native signals that only flow through Apple's Endpoint Security API (Gatekeeper detections, XProtect events, TCC modifications, LaunchDaemon persistence) aren't in Defender's documented macOS schema.
This isn't about adding complexity. It's about filling blind spots — whether or not you're aware of them.
The research is specific: these aren't theoretical gaps. They're documented product boundaries, in Microsoft's own documentation, that create real exposure in organizations running significant Apple fleets on Intune alone. Most security leaders, once they see the list, aren't comfortable accepting it.
The good news: the procurement path is simpler than you might expect.
Jamf is available on the Microsoft Azure Marketplace.
One of the most common friction points with adding a new security tool is budget — not because the value isn't clear, but because new vendors mean new procurement cycles, new approval processes and new line items in an already scrutinized budget.
Jamf is available for purchase on the Microsoft Azure Marketplace, which means you can apply your existing Azure committed spend toward Jamf. If your organization has committed Azure spend to utilize, Jamf can be part of that conversation through the vendor relationship you already have, using budget you've already committed. No new procurement cycle. No new vendor approval. The tool that closes your Apple management gap fits into the commercial relationship you already have with Microsoft.
This is what the Jamf and Microsoft partnership is designed to do: reduce the friction of adding best-in-class Apple management to a Microsoft-centric environment. The security gap in your Apple fleet has a solution that may already fit within the budget you have.
The risk of waiting is real.
Every day that your Apple devices operate without native management and security visibility is a day that undetected risk exists in your environment. It doesn't show up in Intune's compliance dashboard, because the questions that would surface it aren't being asked. It doesn't trigger Microsoft Sentinel alerts, because the telemetry that would generate them isn't flowing. It doesn't appear in your vulnerability reports, because there's no documented CVE tracking for Apple devices in Microsoft's endpoint management stack. It just exists, quietly, until it doesn't.
The gaps documented in this post aren't edge cases. They're the difference between a compliance check that evaluates six settings and one that evaluates your actual security requirements. Between telemetry that covers your Windows fleet comprehensively and telemetry that covers your entire endpoint environment. Between identity infrastructure that works from first boot on every device and one that requires careful configuration management to function correctly on Apple hardware.
Your Microsoft investments are strong. Jamf makes them complete.
PSSO deployed and monitored through Jamf Pro. Compliance benchmarks that assess against CIS, NIST, and DISA STIG natively on Apple. Telemetry from Apple's Endpoint Security API flowing into Sentinel with a native ASIM parser. CVE state-change events for every Mac in your fleet. Recovery Lock, XProtect detections, TCC visibility — signals that only exist when you're managing Apple the way Apple was designed to be managed.
Every device, every endpoint, every signal. All in the platforms your team already relies on. The question was never Microsoft or Jamf. It's what happens to your security posture when you stop choosing between them.
Check out the Jamf for Mac and Jamf for Mobile listings in the Microsoft Azure Marketplace.