An in-depth review of the Intune platform from Rocketman Tech
Rocketman Tech helps organizations succeed with Jamf, offering consulting and tools to simplify the management process. In this blog, Chris Schasse — Founder, Owner and Lead Engineer at Rocketman Tech — recaps his in-depth comparison of Intune and Jamf Pro.
Jamf had the opportunity to read and comment on this review prior to publication on our blog. However, the opinions and assessments expressed in this review are those of Rocketman Tech. Chris was not compensated for this blog post; these views are his alone and not endorsed by Jamf.
Intune overview
Intune is a platform offered with Microsoft Entra that manages Windows devices along with Android, iOS and macOS devices. Initially SCCM, this platform was the gold standard for Windows management. It has always had Mac management capabilities, although historically these capabilities were quite limited, and Intune/SCCM as a platform has never been widely considered as a tool for managing Mac computers. However, recently there has been a lot of discussion, specifically from organizations looking to consolidate their IT software, about whether Intune is currently "good enough" to manage Mac computers. To answer this question, we're going to compare it to the gold standard of Mac management, Jamf Pro.
Components: Intune vs Jamf Pro
To start, we're going to compare many of the main components in Jamf Pro to Microsoft Intune, examining the similarities and differences along with the strengths and weaknesses of each platform. As we go through each of these components, we will show the Jamf Pro component along with the Intune counterpart.
To start off, we're going to compare the bread-and-butter of Jamf Pro: policies, smart computer groups and extension attributes to the Intune equivalent.
Policies
There is not a direct comparison between policies in Jamf Pro and any single component in Intune. However, some of the features of policies in Jamf Pro are supported by certain components within Intune, including apps, update policies, shell scripts and assignments.
Since policies are built specifically by Jamf, it's not surprising that Intune does not support many of these features, especially since policies are what really sets Jamf apart from most platforms. The ability to create a group of packages and scripts and define a trigger, frequency and scope is an incredibly powerful feature available in Jamf Pro that we don't see in many other management platforms, and Intune is certainly no exception to this.
One thing to note: Although shell scripts are supported for Intune, they have a limit of 200kb in size. This might seem insignificant, but there are quite a few scripts that we use regularly, including Kevin White's S.U.P.E.R.M.A.N. — which has been our preferred workflow for macOS updates — which is over this limit. This is an issue with Intune that is not an issue in Jamf Pro.
Smart Computer Groups
Smart Computer Groups is one of the most powerful components of Jamf Pro. Intune has a similar component called "Dynamic Device Groups." At face value, these two components seem pretty similar. For instance, both Jamf Pro and Intune support operators like exact matches, contains, greater or less than, and more. However, Intune does not support “matches regex” or “does not match regex” operators.
Although they both seem to have similar operators, there are two important distinctions that make Jamf Pro far more powerful with this feature. First off, Jamf's support for regular expressions really allows admins to customize exactly what they're looking for, whether that's in a device name, a serial number or another part of the computer inventory.
The most important distinction though is the amount of criteria. Jamf Pro supports over 150 different criteria that admins can create smart computer groups from, allowing administrators to really dial in exactly what they want in a dynamic group. On top of this, Jamf can even use custom extension attributes as criteria for smart computer groups.
Intune, on the other hand, only supports 17 basic criteria and does not support custom attributes to be used as criteria in dynamic device groups.
Extension attributes
Extension attributes in Jamf Pro really extend the functionality of smart computer groups in a powerful way, allowing admins to set up nuanced workflows to target specific needs in their environment. Intune has a similar feature called "Custom Attributes" — however, it doesn't have the same power that extension attributes in Jamf Pro have. You cannot create groups to assign computers to using custom attributes, and you can't create reports from them or update them via the API.
Both Jamf Pro and Intune include attributes for data type and input type (script). In addition, Jamf Pro includes:
- Input type (pop-up menu and text field)
- Inventory display
- Smart group criteria
- Update via API
The one thing Intune does have the ability to do is assign a custom attribute to specific devices, whereas with Jamf Pro it's all or nothing. This isn't a huge deal, since it's better to have more inventory than less. Allowing for device specific assignments would be a welcomed improvement for Jamf Pro, since it would decrease the inventory update time along with the database. Overall the power of what you can do with extension attributes in Jamf Pro far outweighs the benefits you get from being able to scope an attribute to specific devices.
PreStage enrollments
Since PreStage enrollments, like configuration profiles, are a protocol built by Apple, you would expect these two platforms to be pretty similar in this regard. At face value it seems like it, but once you dig deeper you see that that is far from the case. First off, there are a lot of features that just aren't available in Intune, most notably "Prevent User from enabling Activation Lock" and "Automatically advance through Setup Assistant." It also doesn't allow for enrollment packages, which is a basic requirement to set up any onboarding screens for users or deploy something like Jamf Connect.
One more thing to note: Intune has a feature called "Await final configuration" which installs configuration profiles during setup, similar to what Jamf Pro does in its configuration profiles payload. However, with Jamf Pro you can choose exactly which configuration profiles you want, whereas Intune installs ALL of the configuration profiles. This workflow is NOT recommended by Apple and can cause major issues with enrollment, depending on how many profiles you have. The recommendation is to ONLY install the profiles you need, which in our case is usually 1-2 profiles. However, with Intune, this is not possible.
Configuration profiles
Since configuration profiles are built around Apple's Framework, there are not a whole lot of differences between what you can do between Jamf Pro and Intune.
However, the main difference we see between the two platforms is the functionality. In Jamf Pro, when a configuration profile is deployed to a device it comes down almost instantly, whereas in Intune it would take about 30 minutes to deploy initially, but between 8-24 hours for any changes to deploy to the profile. I'd often have to delete the profile and recreate it for it to deploy to the computer, and even then I often resorted to just wiping the computer to get the new profile to come down, since it seemed to work well when initially provisioning the computer.
It's also noteworthy that, although FileVault is supported, after extensive testing, troubleshooting and working with two different Intune experts when evaluating this platform, we were not able to get FileVault working on our Intune instance. This may have been a bug with our specific server or the version we were running, but given that FileVault is a very basic security component of macOS management, this would be a non-starter for us.
macOS updates
macOS updates, or software updates as they are known in both Intune and Jamf Pro, are the biggest area of opportunity for Jamf Pro and are one place where Intune is a little stronger. However, one thing to note is that although Intune has more built-in capabilities, it lacks the third-party support for more robust tools that most Apple administrators use to manage software updates, including S.U.P.E.R.M.A.N. and Erase-Install.
S.U.P.E.R.M.A.N.
- Can't deploy the main script because it's too large
- Utilizes Jamf Parameters
- There is documentation for specifically deploying this through Jamf Pro
- Many community Extension Attributes have been made specifically for Jamf Pro
- MDM features are only available through the Jamf Pro API
Erase-Install
- Can't deploy the main script because it's too large
- Utilizes Jamf Parameters
- There is documentation for specifically deploying this through Jamf Pro
So while Intune has more built-in features, these third-party tools offer a lot more features than either Jamf or Intune and are much easier to deploy through Jamf Pro.
Third-party patch management
Jamf Pro provides App Installers, which is a secure and easy way to patch third-party applications. Microsoft offers something similar through their Microsoft Applications, so these apps are easily and securely updated, but does not provide a framework that can be used for other applications. So it's safe to say that Intune does not really have a comparable feature to Jamf's App Installers, even though it might seem to at first glance.
For instance, Jamf Pro has over 190 software titles through the Jamf App Catalog, while Intune only has 9. More interestingly, Jamf Pro offers patch management for more Microsoft software titles than Intune does!
So as far as third-party patch management is concerned, Jamf Pro is the clear winner.
Self Service
The main difference between Jamf's Self Service application and Microsoft's Company Portal is that Jamf's Self Service is able to deploy policies, which opens up a lot of powerful workflows that are not available when only being able to install packages. For example, only Self Service can accommodate workflows with:
- Software updates
- Scripts
- Printers
- Dock items
- Local accounts
- Configuration profiles
One feature that Intune has that Jamf Pro doesn't have is the ability to view the Recovery Key through Company Portal. At face value this seems like a great feature, but when is this useful? If someone is locked out of their Mac, they won't be able to access Company Portal.
Although not built in, it's possible to set up a workflow in Jamf Pro where users can retrieve the Recovery Key for their Mac through an external resource, like ServiceNow. This is a much more useful feature, since if users are locked out of their Mac they can still retrieve this code.
Overall, Jamf's Self Service allows for much more powerful workflows than Intune's Company Portal.
Additional platform differences
There are several additional notable differences between Jamf Pro and Intune that affect the workflows that can be set up between the two platforms. These differences really illustrate what is possible with these two platforms and are not obvious at first glance.
Device check-in frequency
This is something we talked about when we were discussing configuration profiles, but it's something that really affects testing, troubleshooting and deployment in a powerful way. Jamf Pro deploys configuration profiles and policies quite regularly, and even allows policies to be deployed manually through Self Service or the Jamf Binary.
Intune has a much longer check-in time, between 8 and 24 hours, and does not allow items deployed through Intune to be kicked off through any sort of trigger.
Jamf Pro device check-in frequency
- Agent check-in: configurable between 5 and 60 minutes
- MDM check-in: instantaneous
- Jamf Binary: kick off policies through Terminal
- Self Service: can deploy policies, configuration profiles, Mac App Store apps and App Installers
Microsoft Intune device check-in frequency
- Agent check-in: not configurable, between 8 and 24 hours
- MDM check-in: between 8 and 24 hours
- No Intune binary
- Company Portal: can only deploy apps
Zero-touch provisioning
Zero-touch provisioning has been a big part of Apple management for the last ten years, and Jamf Pro has always been on the forefront of this, whether it's offering support for tools like Splash Buddy, DEPNotify, and Swift Dialog, or creating their own built-in solution: macOS Onboarding. Setting up a good zero-touch provisioning workflow has always been a powerful part of Jamf Pro.
Intune, on the other hand, not only does not have a built-in solution, it really can't handle any third-party solutions because of the limitations of the platform. Without the ability to deploy packages during the prestage, administrators are quite limited in their enrollment process. Jamf Pro offers features that Intune does not, including:
- Integrated and third-party onboarding screens
- Control over the provisioning process
- Control over Setup Assistant Packages
- Control over the first user account
Other features
There are some other notable features available through Jamf Pro that are not available through Microsoft Intune, namely, creating:
- Reports similar to what you can do through advanced searches
- Static groups (a feature we use quite often)
- Custom alerts, like with smart computer groups
- Useful patch reports like you can with Jamf patch management
Platform support
There are a lot of differences between the Intune and Jamf Pro platforms that really showcase the power of Jamf Pro over Intune. However, what does the support for the two platforms look like? This is something that is often overlooked when assessing platforms like this, but is an incredibly important part of the product; if something goes wrong, you want to make sure that your organization has the resources it needs to fix the issue quickly and effectively.
Documentation
As a frequent user of MDM software, Jamf's documentation for Jamf Pro is the best I have seen from any vendor. It is easy to find, easy to follow, and almost always up to date. On top of this, they often have incredible supplemental white papers and videos and even unofficially supported documentation by different members of the Jamf team.
My experience with Intune's documentation, on the other hand, was much different. It was difficult to figure out which article I needed to solve my specific issue, and the documentation I found was often outdated, incomplete and didn't go into the detail I needed to address the issue. Talking to other experts in this area, I also confirmed that my frustrations were shared by others.
Customer support
Mac management through Jamf Pro is Jamf's main product, whereas Mac management through Microsoft Intune is an afterthought of one product that Microsoft offers. While no support is perfect, as far as vendor support is concerned Jamf's is fairly good, and it is worlds better than the support you'll receive from Microsoft for Mac management through Intune.
Jamf might take days or even weeks to solve a simple issue while they route you through their support channels, but based on my conversations with industry experts, including people who worked on the Microsoft support team, issues would often take months to resolve, and most of the time, would simply go unresolved or be unsupported.
Outside support
Most companies need support outside of the typical vendor support for Jamf and Intune, especially when they run into issues with the platform or their current administrator left. There are many Apple consultants, like Rocketman Tech, who live and breathe Jamf Pro, and not very many that support Intune in any capacity.
With Jamf Pro, if necessary, at least there are many companies you can call to help you with your server. With Microsoft Intune, you may be stuck trying to solve everything yourself or hiring an expensive full-time employee who is learning on the job with your Intune server.
Third-party products
There is a large community making products specifically for Jamf Pro, and even products that are MDM agnostic have specific Jamf Pro features built in, along with documentation for using it in Jamf Pro. On top of this, there is also a large amount of testing that happens with these products specifically on the Jamf Pro platform, so it's easy to find documentation specifically built for Jamf Pro, whereas finding documentation specifically for Intune for these tools is almost non-existent.
Community
Jamf Nation has an incredibly powerful community, as they have been on the forefront of Apple management for over 20 years. If you don't want to pay for a Jamf consultant, you can probably find the answer to your question by going to Jamf Nation or the Mac Admins Slack channel. The Jamf Nation User Conference is also an amazing place where Apple administrators gather to talk about all the amazing workflows people are setting up through Jamf Pro. Intune, on the other hand, doesn't have a very large community, and not surprisingly, there is no conference specifically built for managing Apple devices with Intune.
There are many amazing Jamf meetups all over the world, in person and virtually, including Jamf Nation User Groups, Jamf Heroes meetups and other community meetups like Launchpad hosted by Jamf Partners.
Pricing
Pricing is where Intune really shines and why some companies are even considering moving to Intune. At face value Jamf Pro actually seems cheaper, and it is if the only thing you're managing is macOS and iOS devices. However, Microsoft bundles a Mac license in with the rest of their Office 365 products, so at least at the time of writing this article, if you have a business license through Microsoft, managing a Mac computer is completely free.
Conclusion
So which platform is better for managing Mac computers? To be honest, no one is really asking this question. Jamf Pro is the clear winner by a long shot. No one is considering buying Intune over Jamf Pro to manage their Mac computers. The only organizations considering Intune over Jamf are companies that already have Intune and either don't want to pay for Jamf licenses, or don't want to go through the work of setting up a separate server. So the question is not whether Intune is better than Jamf; the question is whether Intune is good enough to manage your organization's Mac computers.
Jamf Pro + Microsoft
It's worth noting that Jamf Pro actually works very well with other Microsoft products, including Intune, and ironically, the best way to manage your Macs with Intune is through Jamf Pro! With the Device Compliance integration through Jamf you're able to set compliance policies and view all your macOS inventory inside of Intune. Jamf Pro supports integration with the following Microsoft tools:
- Jamf Pro Device Compliance
- Jamf Pro with Microsoft Defender (and Jamf Protect)
- Jamf Pro with Microsoft Office
- Jamf Pro with Entra ID
- Jamf Pro with Platform SSO for Entra ID
- Jamf Pro with Security Copilot
- Jamf Pro with Power BI
- Jamf Pro and Jamf Connect with Active Directory integration
Watch the entire in-depth review.