macOS_IntuneManagement/README.md

macOS Intune Management

Cross-platform, headless Intune policy export/import with PowerShell.

Current version: 4.0.0 — see CHANGELOG_macOS_IntuneToolkit.md for recent changes.

This repository is now CLI-first. The old WPF application surface has been removed from the repo. The supported workflow is:

1. export policies from a source tenant
2. store the exported JSON and migration table
3. import into a target tenant with app-only or browser authentication

Quick start

The easiest way to get started is the unified launcher. It provides a single terminal UI for every tool and remembers your tenants.

pwsh ./Scripts/Start-IntuneToolkit.ps1

If fzf is installed you get an interactive picker; otherwise you get a numbered menu. You can also pass a tenant directly:

pwsh ./Scripts/Start-IntuneToolkit.ps1 -TenantId "<tenant-id>"

Entry points

• Scripts/Start-IntuneToolkit.ps1 — unified launcher (recommended)
• Start-HeadlessIntune.ps1 — single action wrapper with optional TUI
• Scripts/Export-Policies.ps1
• Scripts/Import-Policies.ps1
• Scripts/Initialize-IntuneAuth.ps1 — one-time Entra app + secret + Keychain setup
• Headless/IntuneManagement.Headless.psd1

Runtime

• pwsh 7+
• Microsoft Graph app registration
• App-only auth with client secret or certificate, or browser auth with a public client redirect URI
• fzf (optional) — for the best interactive menu experience in Start-IntuneToolkit.ps1 and Start-IntuneManagementTui.ps1. Falls back to numbered menus if not installed.
  • macOS: brew install fzf
  • Linux: sudo apt install fzf (or dnf / pacman)
  • Windows: winget install junegunn.fzf (or choco install fzf)

Default object types

The default headless policy scope is:

• DeviceConfiguration
• SettingsCatalog
• AdministrativeTemplates
• CompliancePolicies
• EndpointSecurity
• PolicySets

You can override that list with -ObjectTypes.

First-time setup

If you don't already have an Entra app registration, run the auth initializer. It creates the app, grants admin consent, and stores the secret in the macOS Keychain (or Windows Credential Manager).

pwsh ./Scripts/Initialize-IntuneAuth.ps1

Export

pwsh ./Scripts/Export-Policies.ps1 `
  -TenantId "<source-tenant-id>" `
  -AppId "<app-id>" `
  -Secret "<client-secret>" `
  -ExportPath "/tmp/intune-export" `
  -IncludeAssignments

Export with browser auth

pwsh ./Scripts/Export-Policies.ps1 `
  -TenantId "<source-tenant-id>" `
  -AuthMode Browser `
  -ExportPath "/tmp/intune-export"

Import

pwsh ./Scripts/Import-Policies.ps1 `
  -TenantId "<target-tenant-id>" `
  -AppId "<app-id>" `
  -Secret "<client-secret>" `
  -ImportPath "/tmp/intune-export/SourceTenantName" `
  -ImportType alwaysImport `
  -IncludeAssignments `
  -IncludeScopeTags `
  -ReplaceDependencyIds

Import with browser auth

pwsh ./Scripts/Import-Policies.ps1 `
  -TenantId "<target-tenant-id>" `
  -AuthMode Browser `
  -ImportPath "/tmp/intune-export/SourceTenantName"

Single action entry point

pwsh ./Start-HeadlessIntune.ps1 `
  -Action Export `
  -TenantId "<source-tenant-id>" `
  -AppId "<app-id>" `
  -Secret "<client-secret>" `
  -ExportPath "/tmp/intune-export"

pwsh ./Start-HeadlessIntune.ps1 `
  -Action Import `
  -TenantId "<target-tenant-id>" `
  -AppId "<app-id>" `
  -Secret "<client-secret>" `
  -ImportPath "/tmp/intune-export/SourceTenantName" `
  -ImportType alwaysImport

pwsh ./Start-HeadlessIntune.ps1 `
  -Action Export `
  -TenantId "<source-tenant-id>" `
  -AuthMode Browser `
  -RedirectUri "http://localhost" `
  -ExportPath "/tmp/intune-export"

Additional toolkit scripts

• Baseline deployment — Deploy-IntuneBaseline.ps1 deploys a YAML manifest of policies + assignments to a tenant, with dry-run support. ConvertTo-IntuneBaseline.ps1 turns an existing export folder into a baseline skeleton.
• Bulk assignments — Bulk-AssignmentManager.ps1 adds or removes assignments for any policy type using the bulk /assign endpoint. Bulk-AppAssignment.ps1 does the same for applications.
• Backup / restore assignments — Backup-Restore-Assignments.ps1 saves assignments to JSON and can restore them with cross-tenant group name resolution.
• Bulk rename — Bulk-RenamePolicies.ps1 performs search/replace or prefix mutations across policy names and descriptions.
• Device operations — Bulk-DeviceOperations.ps1 supports delete, retire, wipe, lock, and sync with -WhatIf safeguards.
• Assignment documentation — Export-AssignmentsToCsv.ps1 exports assignments to CSV and Markdown.

Notes

• Export writes a migration table used during cross-tenant import.
• Import can translate dependency IDs and recreate missing assignment groups.
• This repo intentionally does not preserve the old Windows UI launch flow.
• Browser auth uses the system browser and a loopback redirect.
• If you omit -AppId with -AuthMode Browser, the CLI defaults to the Microsoft Graph PowerShell public client app id 14d82eec-204b-4c2f-b7e8-296a70dab67e.
• If your own app registration does not allow loopback redirects, pass -AppId and -RedirectUri "http://localhost" and configure the same redirect URI in Entra ID.