engagED 2026 Recap + Field Notes
At ISNSW’s ICT Conference, engagED 2026, I gave a talk on cross-platform device management with Microsoft Intune.
It was a practical walkthrough of:
- what works
- what doesn’t
- and where people are wasting time
All of it is based on what I see first-hand and via our team helping amazing customers.
I recently re-ran the session with a smaller group at a local school, which gave me a chance to sense-check the content and be reminded of what resonated.
Below is a summary of the talk and what was discussed.
The core message: pick the right way (not every way)
Intune gives you flexibility. Too much of it.
There are 100 ways to do things — but there’s usually one you actually should do.
One of the reasons I built out the GitHub repo for the session was to cut through that noise and give people a shortlist of:
- articles worth reading
- tools worth using
- patterns worth following
If you haven’t already, grab the full list here:
https://raw.githubusercontent.com/aarondavidpolley/engagED2026/refs/heads/main/favourites_23_04_2026.html
Where we’ve come from (and why it matters)
Most environments still carry baggage from traditional imaging:
- PXE boot
- Golden images
- Build rooms
- Manual staging
That world is effectively dead.
The modern expectation is:
Ship → unbox → sign in → ready.
Inside the repo, I’ve linked the Microsoft enrolment guidance and platform docs that show how all platforms now assume this model.
Recommended starting points from the favourites list:
- Device enrollment guide for Microsoft Intune – Microsoft Intune | Microsoft Learn
- Visual enrollment guide for Microsoft Intune
Platform reality
One thing I always sanity check live:
- Windows = dominant
- iPadOS / iOS = strong
- macOS = present
- Android / Linux = edge cases
That matches both what we saw in the room and in most education environments.
This matters because:
Not everything is equal across platforms — design accordingly.
Filters > Groups (this is one of the biggest unlocks)
If you take nothing else from this content, take this:
Use filters, not groups, wherever you can.
Why:
- Entra groups = slow
- Filters = local evaluation on device
The single most important document in the repo for this is:
This is buried in Microsoft Learn, but it changes how you design:
- Autopilot flows
- Policy targeting
- App assignment
Practical outcome:
- Faster provisioning
- Less “why hasn’t this applied”
- Cleaner architecture
Provisioning: Autopilot (and just Autopilot)
This is simple:
If you’re not using Autopilot, you’re making life harder.
From the repo, key reference:
These show:
- What works
- What’s supported
- What to avoid
Everything else (scripts, hybrid join hacks, GPO-based enrolment) falls into:
“You might get it working, but you’ll regret it.”
Identity: stop trying to synchronise passwords everywhere
This is where opinions usually come out.
Modern identity model (across all platforms):
- Directory credential (used once)
- Local secret (PIN / local password)
- Biometrics (Face ID / Touch ID / Windows Hello)
- MFA / Conditional Access / Passkeys
From the repo, I included:
- How To Hold macOS User Identity in 2025 – Aaron David Polley
- Configure Platform SSO for macOS devices – Microsoft Intune | Microsoft Learn
- Configure iOS/iPadOS Enterprise SSO app extension with MDMs – Microsoft Intune | Microsoft Learn
These help frame the shift:
Passwords are no longer the central control point.
Key takeaway:
- Stop forcing sync where it’s not required
- Start designing around device-bound identity and phishing-resistant (i.e. passkeys and passwordless) credentials
App management: OG is best
This is where people burn time.
For Windows:
Package everything as Win32 apps (IntuneWin)
For macOS:
LOB (MDM) is more robust than PKG/DMG (Agent)
From the repo, relevant tools and references:
- Add an unmanaged macOS PKG app to Microsoft Intune | Microsoft Learn
- Understanding Microsoft Intune management agent for macOS | Microsoft Learn
- How to add macOS line-of-business apps to Microsoft Intune | Microsoft Learn
- IntuneBrew | Homebrew ❤️ Intune
- IntuneGet | Winget ❤️ Intune
- RealmJoin: Cloud-Based Software Distribution
- Patch My PC: Home Page
Third-party tools exist because:
- Native app lifecycle in Intune isn’t strong enough on its own
The repo intentionally includes community tooling like Awesome Intune because:
You need ecosystem support to run Intune at scale properly.
Config management: “I have a group… I have a filter…”
10 points if you got this reference.
This was the comic relief section, but it matters.
Key idea:
- Groups = identity-based assignment
- Filters = execution control
From the repo:
- Create a policy using settings catalog in Microsoft Intune – Microsoft Intune | Microsoft Learn
- Assignment Filter Performance Tips for Intune – Microsoft Intune | Microsoft Learn
- Get started with macOS endpoints – Microsoft Intune | Microsoft Learn
The combination is how you:
- Build consistent configurations
- Avoid timing issues
- Reduce complexity
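The filter-based targeting described here and in the "Filters > Groups" section, shown as an added example that is not from the talk or the repo. It creates an assignment filter through Microsoft Graph and assigns a settings catalog policy to All devices with that filter set to include. The filter name, the enrolment profile name "Student-Autopilot" and the policy ID placeholder are assumptions.

```powershell
# Added example. Requires the Microsoft.Graph.Authentication module.
# Hypothetical values: filter display name, enrolment profile name, $policyId placeholder.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$base = 'https://graph.microsoft.com/beta/deviceManagement'

# 1. Create a filter that matches corporate Windows devices enrolled with one Autopilot profile.
$filterBody = @{
    displayName = 'Win - Corporate - Student Autopilot'
    description = 'Corporate-owned Windows devices enrolled via the Student-Autopilot profile'
    platform    = 'windows10AndLater'
    rule        = '(device.deviceOwnership -eq "Corporate") and (device.enrollmentProfileName -eq "Student-Autopilot")'
} | ConvertTo-Json

$filter = Invoke-MgGraphRequest -Method POST -Uri "$base/assignmentFilters" `
    -Body $filterBody -ContentType 'application/json'

# 2. Assign a settings catalog policy to the built-in "All devices" target,
#    narrowed by the filter, instead of waiting on a dynamic Entra group.
#    Note: the assign action replaces the policy's existing assignments.
$policyId = '<settings-catalog-policy-id>'   # placeholder, supply your own

$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type'                              = '#microsoft.graph.allDevicesAssignmentTarget'
                deviceAndAppManagementAssignmentFilterId   = $filter.id
                deviceAndAppManagementAssignmentFilterType = 'include'
            }
        }
    )
} | ConvertTo-Json -Depth 5

Invoke-MgGraphRequest -Method POST -Uri "$base/configurationPolicies/$policyId/assign" `
    -Body $assignBody -ContentType 'application/json'

# 3. Read the assignments back and confirm the filter ID and type were stored.
(Invoke-MgGraphRequest -Method GET -Uri "$base/configurationPolicies/$policyId/assignments").value |
    ForEach-Object { $_.target }
```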
Network: certificates are the new passwords
This is a shift that’s already underway.
From the repo:
- Microsoft Cloud PKI for Microsoft Intune – Microsoft Intune | Microsoft Learn
- RADIUSaaS: Secure and Easy Cloud-Based Authentication for Network Access | RADIUSaaS
- SCEPman: Cloud-Based Certificate Authority | scepman-nuxt-app
- Install the Certificate Connector for Microsoft Intune – Microsoft Intune | Microsoft Learn
Why it matters:
Wi-Fi and network auth should not rely on user passwords anymore.
Certificates provide:
- Better security
- Better UX
- More consistency across platforms
Security: define your crown jewels
Security isn’t about turning everything on.
It’s about:
Knowing what matters, and protecting it properly.
From the repo:
Most people already have access to Defender.
The gap isn’t licensing—it’s configuration and understanding:
- Where policies are coming from
- How they overlap
- What actually enforces control
What people actually valued
The feedback was consistent:
- “Great hints & tips and resources.”
- “Great resources to further develop our Intune instance…”
- “Appreciated the in-depth Autopilot content and reading materials.”
That last point was intentional.
The goal wasn’t to deliver a talk.
It was to give people:
A set of things they can go and implement tomorrow.
Final thought
Intune isn’t hard simply because it’s missing features.
It’s hard because:
- There are too many ways to do things
- Not all of them are equal
The environments that succeed:
- Standardise early
- Pick proven patterns
- Use the ecosystem
- Stay consistent
Everything else becomes easier from there.