Guided by A Guide to Cloud
MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization

Domain 2: Manage and Maintain Devices Premium ⏱ ~12 min read

Config Profiles: Android, iOS & macOS

Intune doesn't just manage Windows. Learn to create configuration profiles for Android, iOS/iPadOS, and macOS, each with its own capabilities and quirks.

Multi-platform management

☕ Simple explanation

Imagine you're a chef cooking for guests with different dietary needs.

One table wants steak, another is vegetarian, the third is gluten-free. You need different recipes for each, but you're still the same chef, in the same kitchen, using the same ordering system. That's Intune managing different platforms: same admin center, same assignment logic, but each platform has its own menu of available settings.

Riko at Pixel and Co manages Macs, iPhones, and Android phones, all from the same Intune console. But what you CAN configure varies by platform.

Microsoft Intune provides platform-specific configuration profiles for Android, iOS/iPadOS, and macOS. Each platform uses different MDM protocols and supports different settings. The Intune admin center presents platform-appropriate options when you select the target OS.

Key protocol differences: iOS/macOS use Apple MDM (configuration profiles as .mobileconfig XML). Android uses Android Enterprise management APIs. Each has unique enrollment types that affect available management depth.

iOS/iPadOS configuration

What you can configure

| Category | Settings Available |
|---|---|
| Device restrictions | Block camera, block screenshots, block app installs, require password |
| Wi-Fi | Configure Wi-Fi networks, certificates, EAP settings |
| VPN | Per-app VPN, always-on VPN, IKEv2 profiles |
| Email | Configure native Mail app with Exchange settings |
| Certificates | SCEP, PKCS, trusted root certificates |
| Kiosk mode (Supervised) | Lock device to a single app or set of apps |
| Home screen layout | Arrange app icons and folders (Supervised only) |
| AirPrint | Pre-configure printer destinations |

Supervised vs unsupervised

A critical concept for iOS management:

| Feature | Unsupervised | Supervised |
|---|---|---|
| Setup method | User installs Company Portal | ADE via Apple Business Manager |
| Management level | Basic restrictions + app management | Full control: kiosk mode, web filter, silent app install |
| Block app removal | No | Yes |
| Single app mode | No | Yes |
| Web content filter | No | Yes |
| Silent app install | No | Yes |

Key exam concept: Many exam questions hinge on whether a device is supervised. If the question requires deep control (blocking apps, kiosk mode, content filtering), the answer requires supervised mode through ADE.

💡 Exam tip: supervised = ADE

If an exam question asks how to get a supervised iOS device, the answer is Apple Automated Device Enrollment (ADE) through Apple Business Manager. You cannot retroactively make an unsupervised device supervised without wiping it and re-enrolling through ADE.

Riko at Pixel and Co has a mix: corporate iPads enrolled via ADE (supervised) and designers' personal iPhones enrolled via Company Portal (unsupervised). She can lock iPads to a single design app but can't do the same on personal iPhones.

Android configuration

Android profiles depend on the enrollment type (from Module 4):

Android Configuration by Enrollment Type

| Feature | Fully Managed | Dedicated | Corp Work Profile | Personal Work Profile |
|---|---|---|---|---|
| Device restrictions | Full device | Full device | Work profile + device | Work profile only |
| Wi-Fi configuration | Yes (device-wide) | Yes (device-wide) | Yes (device-wide) | Work profile only |
| App management | All apps | Allowed apps only | Work profile apps | Work profile apps |
| Camera control | Can disable device-wide | Can disable device-wide | Can disable in work profile | Work profile camera only |
| Factory reset protection | Yes | Yes | Yes | No |
| Managed Google Play | Required | Required | Required | Required |

Key Android settings

| Setting | What It Does |
|---|---|
| Managed Google Play | The enterprise app store; only approved apps appear |
| Work profile password | Separate password for the work profile container |
| Copy/paste between profiles | Block or allow data sharing between work and personal |
| Screen capture | Block screenshots in the work profile |
| Bluetooth sharing | Block sending files via Bluetooth from work profile |

macOS configuration

macOS management in Intune mirrors iOS in many ways (both use Apple MDM) but has unique features:

| Category | Settings Available |
|---|---|
| Device restrictions | Disable AirDrop, iCloud, external storage, password requirements |
| Wi-Fi / VPN | Network configuration, IKEv2, certificate-based auth |
| FileVault | Enable full-disk encryption (macOS equivalent of BitLocker) |
| System extensions | Approve kernel extensions and system extensions |
| Privacy preferences | Control app access to camera, microphone, files |
| Custom profiles | Upload .mobileconfig XML for settings not in the UI |
| Shell scripts | Deploy and run shell scripts on managed Macs |

ℹ️ Deep dive: FileVault via Intune

FileVault is macOS's full-disk encryption, similar to BitLocker on Windows. Intune can:

  • Enable FileVault on enrollment or after
  • Escrow the recovery key to Entra ID (viewable in Intune admin center)
  • Rotate the recovery key periodically
  • Require FileVault as a compliance condition

Riko enables FileVault on all corporate Macs at Pixel and Co. If a designer forgets their password, the recovery key is stored in Intune, so there is no need to call Apple.
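
A pre-upload check for a custom .mobileconfig that carries the FileVault and recovery-key escrow settings described above, as an added example that is not from this guide or from Microsoft. It assumes Apple's com.apple.MCX.FileVault2 and com.apple.security.FDERecoveryKeyEscrow payload types; the function names, payload identifiers, UUIDs and the escrow Location string are constructed for the demo.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Apple payload types for FileVault and recovery-key escrow (assumed here).
FV_TYPE = "com.apple.MCX.FileVault2"
ESCROW_TYPE = "com.apple.security.FDERecoveryKeyEscrow"


def audit_filevault(mobileconfig: bytes) -> list:
    """Return findings for a .mobileconfig; an empty list means it passes."""
    try:
        profile = plistlib.loads(mobileconfig)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        # Signed profiles are CMS-wrapped and must be unwrapped before parsing.
        return [f"not a plain plist: {exc}"]
    content = profile.get("PayloadContent") if isinstance(profile, dict) else None
    if not isinstance(content, list):
        return ["profile has no PayloadContent array"]
    payloads = [p for p in content if isinstance(p, dict)]
    fv = [p for p in payloads if p.get("PayloadType") == FV_TYPE]
    escrow = [p for p in payloads if p.get("PayloadType") == ESCROW_TYPE]
    findings = []
    if not fv:
        findings.append("no FileVault payload in profile")
    for p in fv:
        if p.get("Enable") != "On":
            findings.append(f"FileVault Enable is {p.get('Enable')!r}, expected 'On'")
    if not any(str(p.get("Location", "")).strip() for p in escrow):
        findings.append("no recovery-key escrow payload with a Location")
    return findings


def sample_profile(enable: str, with_escrow: bool) -> bytes:
    """Serialize a constructed profile; identifiers and UUIDs are made up."""
    def payload(ptype, n, **keys):
        return {"PayloadType": ptype, "PayloadVersion": 1,
                "PayloadIdentifier": f"example.{n}",
                "PayloadUUID": f"00000000-0000-0000-0000-00000000000{n}", **keys}
    content = [payload(FV_TYPE, 1, Enable=enable, Defer=True)]
    if with_escrow:
        content.append(payload(ESCROW_TYPE, 2, Location="Example MDM escrow"))
    return plistlib.dumps(payload("Configuration", 0, PayloadContent=content))


if __name__ == "__main__":
    for name, blob in [("good", sample_profile("On", True)),
                       ("weak", sample_profile("Off", False)),
                       ("not-a-plist", b"\x30\x82 not a plist")]:
        print(name, audit_filevault(blob) or "OK")
```

A profile that turns FileVault on without an escrow payload is the case worth catching before assignment, because the disk is encrypted but no recovery key reaches the management service.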

Platform comparison at a glance

| Capability | Windows | iOS/iPadOS | Android | macOS |
|---|---|---|---|---|
| Settings Catalog | Yes (5000+) | Yes (growing) | Limited | Yes (growing) |
| ADMX import | Yes | No | No | No |
| Kiosk/single-app mode | Yes | Yes (supervised) | Yes (dedicated) | No |
| Full-disk encryption | BitLocker | Built-in (always on) | Device encryption | FileVault |
| Shell/PowerShell scripts | Yes | No | No | Yes (shell scripts) |
| Custom config profiles | OMA-URI | .mobileconfig | OEMConfig | .mobileconfig |

Flashcards

Question

What does 'supervised' mean for iOS devices, and how do you get it?

Answer

Supervised mode gives full management control (kiosk mode, silent app install, web filter, block app removal). It's enabled through Apple Automated Device Enrollment (ADE) via Apple Business Manager. You cannot make an unsupervised device supervised without wiping and re-enrolling.

Question

What is Managed Google Play and why is it required for Android Enterprise?

Answer

Managed Google Play is the enterprise app store for Android Enterprise devices. Only admin-approved apps appear. It's required for all Android Enterprise enrollment types (fully managed, dedicated, work profile). Without it, you can't deploy apps to managed Android devices.

Question

What is FileVault and how does Intune manage it?

Answer

FileVault is macOS's full-disk encryption (equivalent to BitLocker). Intune can enable it, escrow the recovery key to Entra ID, rotate keys, and require it as a compliance condition. Recovery keys are viewable in the Intune admin center.

Knowledge Check

Riko needs to lock a corporate iPad to a single design review app so it can be used as a kiosk in the Pixel & Co lobby. The iPad was enrolled by a designer using Company Portal. Can Riko enable single-app mode?

A designer at Pixel & Co has a personal Android phone with a work profile. They complain that they can't copy text from their personal WhatsApp into the work Outlook app. Why?


Next up: Control Admin Rights with EPM, giving users just-in-time admin rights without permanent local admin access.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.