Your IT Solution

SAB Assign

User Guide

SAB Assign is a native macOS application for Mac admins who manage Microsoft Intune and need a safer, faster way to apply or remove the same assignment logic across many resources.

What It Does

SAB Assign lets you select many Intune resources at once, inspect the current assignments on a selected item, build one assignment plan, and then apply or remove matching assignments across all selected resources in one operation.

  • Apps
  • Settings Catalog policies
  • Configuration profiles
  • Compliance policies

System Requirements

  • macOS 14 or later
  • Apple Silicon or Intel Mac
  • At least 4 GB RAM
  • Microsoft Intune tenant
  • Entra ID administrator account for first-time setup
  • Network access to login.microsoftonline.com and graph.microsoft.com

First Launch

On first launch, the app presents a welcome screen with two setup paths:

  • Magic Setup for automatic Entra app registration
  • Manual Configuration for admins who already have an app registration
  • Explore with sample data to enter mock mode without touching your tenant

Microsoft Graph Access

The recommended setup path is Magic Setup. It walks you through device code sign-in, creates or reuses the IntuneBulkAssign app registration, grants the required permissions, and saves the resulting profile locally.

Manual setup is also supported if you already manage the Entra registration yourself.

  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementConfiguration.ReadWrite.All
  • Group.Read.All
  • Organization.Read.All

Main Interface

The app uses a three-column layout:

  • Left sidebar for section navigation and settings
  • Center pane for browsing, searching, filtering, and selecting resources
  • Right pane for current assignments, assignment plans, results, and the activity log

Building an Assignment Plan

An assignment plan combines scope, include or exclude groups, app intent where relevant, and optional assignment filters. You can preview the plan before applying it.

  • All devices
  • All users
  • Selected groups
  • Include or exclude assignment filter mode
  • Required, Available, or Uninstall intent for apps

Apply and Unassign

Applying preserves existing assignments and merges in the new targets. Unassigning removes only the assignments that match the plan criteria. Both actions show confirmation dialogs before changes are sent to Intune.

After a run, the app shows per-resource results, updates the activity log, and reloads assignment counts.

Evidence Export

Export Evidence creates:

  • A JSON plan file with selected items, scope, filters, warnings, and result status
  • A text activity log file with the timestamped session history

This is intended for CAB records, change control, rollback planning, and audit support.

Troubleshooting Themes

  • Connection failures from missing or expired credentials
  • Partial failures caused by permissions, deleted resources, or throttling
  • Mock fallback when live credentials are incomplete
  • Retry handling for transient Graph API errors
  • Manual or Magic Offboard cleanup for abandoned app registrations

Security Model

  • Tenant ID and Client ID stored locally as profile data
  • Client Secret stored in the macOS Keychain
  • Tokens cached in memory only
  • HTTPS network communication
  • Sandboxed app with outgoing network access and user-selected file export access

Best Practices

  • Learn the workflow in mock mode first
  • Validate live mode with a small pilot set before broader runs
  • Inspect current assignments before clicking Apply
  • Export evidence after production changes
  • Use groups instead of broad tenant-wide scopes when possible

Need Help?

Use the support page for contact details and release status, or review the privacy policy if you need details about local storage and credentials.