macOS Agent & Intune Connector Contracts

ADR-0017 accepts the macOS agent and Intune connector contract. OP-056 implements the Intune posture connector runtime, and OP-061 implements runtime-lite macOS endpoint enrollment posture. The standalone macOS agent binary, native mobile agents, Intune device-control actions, and deployment changes remain out of scope.

macOS Scope

Phase 1 macOS support is macOS 13+ basic telemetry:

  • ADR-0009 enrollment and mTLS identity,
  • heartbeat,
  • basic inventory,
  • asset identity/fingerprint contribution,
  • source confidence.

Full endpoint parity, patching, software deployment, remote desktop, and broad remote operations remain later scope.

macOS Runtime-Lite

OP-061 reuses the existing ADR-0009/OP-032R enrollment path. The enrollment exchange accepts platform=darwin, with optional OS version metadata, only when agent_class=endpoint. The runtime emits agent.macos.enrolled, stores the platform metadata in agent identity summaries, and projects identity-bound heartbeat into the existing asset posture as os_family=macos.

This is not the future standalone Go endpoint agent. It does not add osquery, Fleet, OTel bridge, remote command, SSH, patching, deployment, CI, Terraform, Helm, or AWS changes.

Intune Scope

Intune / M365 Endpoint Manager is an API integration. It reads device compliance posture and basic inventory from Intune APIs and surfaces posture alongside other endpoints. It is not a native mobile agent and does not issue device-control actions in Phase 1.

Intune Runtime

OP-056 adds tenant-scoped Intune connections, sync runs, and redacted device posture snapshots. Connection secrets are SecretProvider refs with purpose intune. Sync emits integration.intune.sync_completed, and the Settings page includes a read-only posture panel.

Raw Microsoft Graph payloads, user principal names, device names, and secrets are not returned through APIs, events, audit, UI, or exports.
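An added illustration of two contract rules on this page, the darwin/endpoint enrollment check from OP-061 and the redacted Intune posture snapshot from OP-056; this is example code, not the project's runtime, and the function names, the allow-listed Graph field set, the connection_id field and the sample device record are assumptions.

```python
import json

# Hypothetical projection table; the page only states darwin -> macos.
OS_FAMILY = {"darwin": "macos"}

def project_enrollment(agent_class: str, platform: str, os_version: str = "") -> dict:
    """OP-061 enrollment rule: platform=darwin is accepted only when
    agent_class=endpoint, and is projected into asset posture as os_family=macos."""
    if platform == "darwin" and agent_class != "endpoint":
        return {"accepted": False,
                "reason": "platform=darwin requires agent_class=endpoint"}
    identity = {"accepted": True, "agent_class": agent_class,
                "platform": platform, "os_family": OS_FAMILY.get(platform)}
    if os_version:  # optional OS version metadata travels with the identity summary
        identity["os_version"] = os_version
    return identity

# Allow-list for the snapshot: nothing outside it is ever copied (assumed set).
POSTURE_FIELDS = ("complianceState", "operatingSystem", "osVersion", "lastSyncDateTime")
# Graph managedDevice fields the contract forbids in any API, event, audit, UI or export.
FORBIDDEN_FIELDS = ("userPrincipalName", "deviceName", "emailAddress")

def redact_device(raw: dict, connection_id: str) -> dict:
    """Build the redacted posture snapshot for one Intune device from a raw
    Graph managedDevice record; the raw payload itself is never stored."""
    snapshot = {"connection_id": connection_id, "device_id": raw["id"]}
    for key in POSTURE_FIELDS:
        if key in raw:
            snapshot[key] = raw[key]
    leak_check(snapshot, raw)
    return snapshot

def leak_check(snapshot: dict, raw: dict) -> None:
    """Defensive check: a forbidden value must not survive anywhere in the
    serialized snapshot, even nested or under a renamed key (fails closed)."""
    serialized = json.dumps(snapshot)
    for key in FORBIDDEN_FIELDS:
        value = raw.get(key)
        if value and str(value) in serialized:
            raise ValueError(f"redaction failed: {key} leaked into snapshot")

# Constructed sample Graph record, not data from any real tenant.
SAMPLE_DEVICE = {
    "id": "00000000-0000-0000-0000-000000000001",
    "deviceName": "LAPTOP-EXAMPLE", "userPrincipalName": "alice@example.test",
    "complianceState": "compliant", "operatingSystem": "macOS",
    "osVersion": "14.2", "lastSyncDateTime": "2024-01-01T00:00:00Z",
}
```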

Events

  • agent.macos.enrolled
  • integration.intune.sync_completed

API Surfaces

  • GET /api/v1/integrations/intune/connections
  • POST /api/v1/integrations/intune/connections
  • GET /api/v1/integrations/intune/connections/{connection_id}
  • PATCH /api/v1/integrations/intune/connections/{connection_id}
  • POST /api/v1/integrations/intune/connections/{connection_id}/sync
  • GET /api/v1/integrations/intune/devices
  • GET /api/v1/integrations/intune/devices/{device_id}

References

  • docs/adr/ADR-0017-macos-agent-intune-connector.md
  • docs/architecture/macos-agent-intune-connector-contracts.md
  • specs/events/agent.macos.enrolled.v1.schema.json
  • specs/events/integration.intune.sync_completed.v1.schema.json
  • specs/openapi.yaml
  • specs/asyncapi.yaml