Hexnode vs Intune: Choosing the Right MDM for Mixed Apple and Windows Fleets
Hexnode or Intune for a mixed Apple and Windows fleet in 2026? Honest, ZAR-priced take on Conditional Access, Apple parity, ChromeOS and licensing.
TL;DR. Pick Intune if you are Windows-heavy and already pay for Microsoft 365 Business Premium, E3, or E5: the licence is bundled and Conditional Access is the killer feature. Pick Hexnode for mixed Apple and Windows fleets, organisations without M365 BP entitlement, Google Workspace shops, anyone with ChromeOS, and small IT teams that want a console they can actually understand on day one. Sometimes both, scoped per platform.
What are we actually comparing?
Two MDM products with overlapping ambitions and very different histories.
Intune is Microsoft’s endpoint management platform, bundled into Microsoft 365 Business Premium, E3, E5, F3, and the standalone Intune Plan 1/2 SKUs. It started life as a Windows management tool, grew an Apple and Android mobile story, and has spent the last five years catching up to its own marketing on the non-Windows side. It lives inside the Microsoft Endpoint Manager admin centre, shares plumbing with Entra ID, Conditional Access, and Defender for Endpoint, and is configured by people who don’t mind reading Microsoft Learn for a living.
Hexnode is a cross-platform MDM built from the ground up to treat macOS, iOS, Android, ChromeOS, and Windows as equal citizens. It is sold per device or per user, has a noticeably cleaner console, and ships new Apple MDM payload support typically weeks ahead of Intune when Apple drops a new OS. It does not own an identity provider and doesn’t pretend to.
Both can manage a phone, a laptop, a tablet, and the policies riding on them. The differences live in the seams: licensing, identity, Apple cadence, and how much pain a small IT team is willing to absorb in exchange for “free” management.
Where Intune wins
Five real wins, no slogans.
It’s already paid for. If your organisation runs Microsoft 365 Business Premium (around R280 per user per month at current ZAR list), or any E3/E5 SKU, Intune is in the licence. You are paying for it whether you use it or not. For a 50-seat shop on Business Premium, that is roughly R168 000 per year of Intune entitlement already on the invoice. Hexnode at the equivalent feature tier is around R75 to R110 per device per month on top.
Conditional Access integration with Entra ID. This is the headline feature, and nothing else in the MDM space comes close. Conditional Access reads device-compliance state from Intune in real time and gates sign-in to Microsoft 365: block non-compliant devices from Outlook, demand MFA from off-network IPs, require app protection on personal phones, force a hybrid-joined Windows device for sensitive line-of-business apps. Hexnode can pass compliance signals via SAML or SCIM, but the round trip isn’t native and the policy granularity isn’t the same.
Autopilot zero-touch for Windows. Devices ship from Dell, Lenovo, HP, or Microsoft Surface with their hardware hash pre-registered to your tenant. The user signs in once, walks away, the device provisions itself. Hexnode supports Windows Autopilot enrolment too, but Intune’s Autopilot story is the reference implementation and the OEM channel knows it.
Defender for Endpoint integration. If you run Defender for Business or Defender for Endpoint, the device-risk score feeds straight back into Intune compliance, which feeds Conditional Access. Three Microsoft products talking to each other natively. With Hexnode you bolt Defender on, but the cross-product enrichment is gone.
Windows depth. BitLocker, Windows Update for Business, security baselines, ADMX templates, attack surface reduction rules, the full GPO-to-MDM bridge for shops migrating off on-prem AD. Intune does Windows the way Windows wants to be done, because Microsoft writes both ends of the protocol.
Where Hexnode wins
Faster macOS feature parity. This is the real differentiator. When Apple ships new MDM payloads at WWDC (Declarative Device Management capabilities, new restriction keys, fresh configuration profiles), Hexnode tends to surface them in the console weeks ahead of Intune. We’ve watched this for five OS cycles now. macOS 14 Sonoma’s new managed-app config keys landed in Hexnode roughly three weeks after release; Intune took the better part of a quarter. macOS 15 Sequoia’s new screen-recording and Bluetooth payload controls followed the same pattern. If you care about being current on Apple, Hexnode is the safer bet.
Android Enterprise depth. Both vendors support Android Enterprise. Hexnode’s coverage of fully-managed, work-profile, and dedicated-device modes is broader, the Samsung Knox integration is richer, and the Zebra and Honeywell rugged-device support is something Intune still does not do well. Warehouse and logistics fleets running Zebra scanners almost always end up on Hexnode for this reason alone.
ChromeOS support. Hexnode manages Chromebooks. Intune does not, in any meaningful sense. If you have more than five Chromebooks the conversation is over.
Cleaner UI for smaller IT teams. The Hexnode console is opinionated. Target groups, policies, apps, compliance: four things on a sidebar, each doing roughly what it sounds like it does. The Endpoint Manager admin centre has more pages than most people can name from memory and a configuration model that splits between configuration profiles, security baselines, settings catalogues, administrative templates, and compliance policies, sometimes for the same setting. One competent generalist can run a Hexnode tenant. Intune wants someone who genuinely enjoys it.
Works for organisations on Google Workspace. No Entra ID, no problem. Hexnode federates against Google identity, the user experience is identical, and you do not have to invent a reason to buy a Microsoft licence stack for a Google shop. Intune is technically usable without M365 (the standalone Plan 1/2 SKUs exist) but the value collapses without Conditional Access.
Mac comparison: who actually does it better?
Hexnode. Not by a whisker: by about two quarters of feature lag and a measurably smaller list of edge-case bugs.
The specific Intune gaps worth naming on macOS:
Apple Silicon Bootstrap Token edge cases. On Apple Silicon Macs (M1, M2, M3, M4), the Bootstrap Token is what lets the MDM authorise system extensions, kernel extensions, and FileVault key escrow without a user prompt. Intune’s Bootstrap Token escrow has historically had quiet failure modes: the token is requested, the device thinks it has been delivered, the MDM thinks the same, and three weeks later you discover the token never actually escrowed. Hexnode is not immune to this but the failure rate we see in the wild is lower and the diagnostics are clearer.
Kernel-extension and system-extension approvals. Apple’s PPPC (Privacy Preferences Policy Control) and TCC frameworks let an MDM pre-approve specific apps for Full Disk Access, Screen Recording, Accessibility, and the rest. Hexnode’s PPPC profile catalogue is broader and the UI for building the profile is more humane. Intune’s PPPC story works but feels like the second-class citizen it historically has been.
FileVault edge cases. Both products manage FileVault. Both escrow recovery keys. Intune’s FileVault personal-recovery-key rotation has had documented issues where the key visible in the Intune console does not match the key actually stored on the device, which becomes a five-figure problem when a user is locked out of an encrypted Mac and the recovery key does not work. Hexnode has had bugs too, in fairness, but fewer of them and shorter fix turnarounds.
MDM-only-feature gap. A handful of Apple MDM payloads (managed Wallpaper enforcement, managed Software Update deferrals at the granularity Apple offers, certain Login Window configurations) are simply not exposed in Intune yet. They are in Hexnode. If your compliance posture demands them, that is the answer.
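A device-side check for the Bootstrap Token quiet failure described above, as an added example that is not from the original article or from either vendor. It classifies the text printed by macOS's `profiles status -type bootstraptoken`; the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify what a Mac itself reports about Bootstrap Token escrow.
# Input is the text printed by: sudo profiles status -type bootstraptoken
# Function and variable names here are hypothetical.

# Constructed sample outputs (not captured from a real device).
SAMPLE_ESCROWED='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_QUIET_FAILURE='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'

# Pull the YES/NO value that follows a given label, ignoring spaces and CRs.
_bt_field() {
    printf '%s\n' "$1" | sed -n "s/.*Bootstrap Token $2: *//p" | head -n 1 | tr -d ' \r'
}

# Prints: escrowed | not_escrowed | unsupported | unknown
bootstrap_token_state() {
    supported=$(_bt_field "$1" "supported on server")
    escrowed=$(_bt_field "$1" "escrowed to server")
    case "$supported:$escrowed" in
        YES:YES) echo escrowed ;;
        YES:NO)  echo not_escrowed ;;   # MDM offers escrow, device never completed it
        NO:*)    echo unsupported ;;    # MDM does not offer escrow to this device
        *)       echo unknown ;;        # not enrolled, or unrecognised output
    esac
}

# Run as root on a managed Mac with --check; non-zero exit means "investigate".
check_this_mac() {
    state=$(bootstrap_token_state "$(profiles status -type bootstraptoken 2>&1)")
    echo "bootstrap_token=$state"
    [ "$state" = "escrowed" ]
}

if [ "${1:-}" = "--check" ]; then
    check_this_mac
    exit $?
fi
```

Compare the device-side result with what the MDM console shows for the same serial number; a device reporting `escrowed` while the console holds no token is the mismatch to chase before it surfaces weeks later.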
The honest counter-point: Intune covers the important things on macOS adequately. FileVault on, screen lock, OS minimum version, basic config profiles, Conditional Access state. For a fleet that is 80% Windows and 20% Mac and where the Mac compliance bar is “encrypted, patched, screen-locked,” Intune is fine. For a fleet that is 50/50 or Mac-majority, the lag stops being academic.
For the deeper take, see A Practical Guide to Mac Compliance with Hexnode and Intune.
Windows comparison: who actually does it better?
Intune. Not even close.
Conditional Access. Autopilot. BitLocker with auto-escrow to Entra ID. Windows Update for Business with proper rings, deferrals, and reporting. Defender for Endpoint risk scoring feeding compliance. Security baselines that ship with sensible defaults. ADMX-backed policy for the long tail of legacy GPO settings. Co-management with on-prem ConfigMgr for shops migrating gradually. The Settings Catalogue covers thousands of Windows configuration items by name.
Hexnode does Windows. The compliance and inventory work. BitLocker management exists. App deployment via MSI and EXE works fine. Patch management is reasonable. None of it is bad. None of it is what Intune does on Windows. If you are 80% Windows and the Macs are an afterthought, Intune wins this one even on a feature-by-feature read.
Mobile (iOS / Android)
Both fine. Both will run the basic shape: Apple Business Manager enrolment, Android Enterprise work profiles, app protection policies, selective wipe, conditional mailbox access. The differences narrow on phones because Apple and Google control the protocols and both vendors implement them faithfully.
Hexnode is meaningfully richer on Android Enterprise: broader OEM coverage (Samsung Knox, Zebra, Honeywell, Sony rugged tablets), better dedicated-device kiosk support, more granular control over the work profile. Intune is fine for the standard “Outlook and Teams on a personal phone” BYOD case and slightly behind on anything more bespoke.
For BYOD specifically, Intune’s MAM-without-enrolment story (App Protection Policies on personal devices that never get enrolled) is one of the cleanest in the industry. Hexnode does the equivalent but the Intune flow has had years longer to settle.
ChromeOS
Hexnode supports it. Intune does not. End of section.
If your fleet has a meaningful number of Chromebooks (a school, a frontline-worker organisation, a retail business that picked Chromebooks for kiosks five years ago), you are choosing Hexnode whether you want to or not. The Google Admin console manages ChromeOS too, and is the deeper option for ChromeOS-only fleets, but if you want one console covering Chrome plus Apple plus Windows plus Android, Hexnode is the only realistic answer.
Pricing model
Two completely different shapes.
Intune. Bundled in M365 SKUs (Business Premium, E3, E5, F1, F3) or sold standalone as Intune Plan 1 (around R130 per user per month list) and Plan 2 (around R200, adds advanced endpoint analytics and remote help). For an organisation already paying for Business Premium at R280 per user per month, Intune is sunk cost. The marginal price of using it is zero.
Hexnode. Per-device or per-user, tiered. Express (the lowest, mostly inventory and basic profile push) sits around R45 per device per month at ZAR list. Pro is around R75. Enterprise around R95. Ultimate around R110, which adds the full kiosk feature set, expense management, and the deeper Apple and Android features. Volume discounts kick in past 100 devices and material discounts past 500.
Real-world ZAR cost on a 50-seat mixed fleet (30 Windows, 15 Mac, 5 ChromeOS):
- Intune route. M365 Business Premium for everyone: 50 × R280 = R14 000/month, R168 000/year. Intune is “free” inside that. ChromeOS: not managed by Intune, so add Google Admin or a separate licence for those five seats. Real Intune marginal cost: R0/month, but only because Microsoft has already taken the wallet on M365.
- Hexnode route. Hexnode Pro at R75/device × 50 devices = R3 750/month, R45 000/year. M365 Business Standard (no Intune) at R210/user × 50 = R10 500/month, R126 000/year. Total: R171 000/year. Slightly more than Business Premium alone, but the M365 Standard licence is lighter and the ChromeOS seats are covered.
The Intune route looks cheaper only if you would have bought Business Premium anyway. If you are on Business Standard or on Google Workspace, the marginal cost of adding Intune (via a standalone Plan 1 SKU) plus the configuration time means Hexnode is usually the cheaper realistic answer.
The number that does not appear on either invoice is time to operate. Intune assumes a Microsoft-fluent admin. Hexnode assumes a willing generalist. For a small IT team, the salary cost of “we need someone who actually understands Endpoint Manager” can dwarf the licence delta.
How to choose: a 6-question decision tree
Answer these in order. The first clear answer wins.
1. Do you have Microsoft 365 Business Premium, E3, or E5 across the organisation already? No → skip to question 4. Yes → continue.
2. Is your fleet 70%+ Windows? Yes → Intune. The bundling plus Conditional Access plus Autopilot plus Defender integration is decisive. No → continue.
3. Do you have more than five Chromebooks? Yes → Hexnode (for the Chromebooks at minimum, often for everything). No → Intune is still the default; Hexnode is a reasonable alternative if your IT team finds Endpoint Manager unworkable.
4. Are you on Google Workspace, no M365 entitlement? Yes → Hexnode. There is no good reason to introduce a Microsoft identity stack solely to use Intune. No → continue.
5. Is your fleet majority Apple? Yes → Hexnode. The Apple feature lag in Intune compounds when Macs are the majority. No → continue.
6. Is your IT team one or two people? Yes → Hexnode. Console UX matters more than feature depth at that team size. No → either tool works; pick on price and existing skills.
A seventh question worth asking on the side: do you run Zebra, Honeywell, or other rugged Android scanners in a warehouse or logistics setting? If yes, the answer is Hexnode regardless of the rest of the tree.
Comparison table
| Dimension | Intune | Hexnode |
|---|---|---|
| Bundled with M365 Business Premium / E3 / E5 | Yes (included) | No (separate purchase) |
| Conditional Access integration (Entra ID) | Native, real-time, granular | Via SAML/SCIM, not native |
| Windows Autopilot zero-touch | Reference implementation | Supported, secondary citizen |
| macOS feature lag vs Apple release | Often a quarter or more | Typically weeks |
| Apple Silicon Bootstrap Token reliability | Documented quiet-failure cases | Lower failure rate in our experience |
| ChromeOS lifecycle management | Not supported in any meaningful sense | Full support |
| Android Enterprise depth (work profile + COPE + dedicated) | Solid for standard cases | Broader OEM and rugged-device coverage |
| Kiosk mode (Apple, Android, Windows) | Workable on Windows, basic elsewhere | Excellent across all platforms |
| Private app store / VPP / managed Google Play | Native with M365 plumbing | Full support, slightly more steps |
| BitLocker management + recovery-key escrow | Native to Entra ID | Supported, separate key store |
| FileVault management + recovery-key escrow | Supported, edge-case bugs | Supported, fewer reported edge cases |
| Windows Update for Business rings | Native, deep | Basic |
| Defender for Endpoint risk-score integration | Native | Bolt-on, no cross-product enrichment |
| MDM-only-feature gap on Mac | Real: several payloads still missing | Minimal |
| ZAR pricing model | Bundled in M365 SKUs; standalone Plan 1 ~R130/user/mo | Per-device R45–R110/mo by tier |
| Partner / reseller support quality | Microsoft Premier, variable by region | Hexnode direct, fast and technical |
| Console learning curve | Steep (Endpoint Manager is sprawling) | Gentle (opinionated, consistent UI) |
Where this sits in the OSH stack
The MDM choice doesn’t happen in isolation. It sits next to your identity provider, your endpoint protection, your encryption strategy, and your compliance posture. The MDM page covers the joined-up view; the Hexnode page and Intune page go deeper on each platform.
A few adjacent questions worth reading before you commit:
- Microsoft 365: if you are weighing Business Premium specifically for the Intune entitlement, the security walkthrough on the Microsoft 365 page covers what you actually get for the licence beyond MDM.
- Google Workspace: if you are a Workspace shop, the MDM choice is effectively decided already; Hexnode is the answer.
- Mac compliance with Hexnode and Intune: the tactical follow-up. Once you have picked, what does a real Mac compliance posture look like?
- FDE: Bitdefender vs Intune: encryption key management often sits at the same decision point. If you already run Bitdefender FDE, the recovery key story changes the calculus.
- Services overview: for the engagement shape.
A word on lock-in
Neither product locks you in technically. Apple Business Manager assignments can be moved between MDMs (with a wipe). Android Enterprise enrolments can be re-pointed (with a factory reset). Windows Autopilot profiles transfer across tenants. The lock-in, when it happens, is operational: years of policy work, app packaging, scripts, baselines, and tribal knowledge that nobody documented because the tool was “just working.”
That argues for picking deliberately the first time. It does not argue for never switching. We’ve moved fleets in both directions and both are tractable inside a quarter for a sub-200-seat shop.
How OSH approaches the choice
We sell both. We deploy both. We don’t earn meaningfully more on one than the other, which is deliberate. The recommendation we make to a client is the one we would make to ourselves.
A typical fit assessment runs 60 minutes. We inventory the fleet by OS and ownership, check what M365 SKUs you already pay for (the Business Premium question is often the deciding factor before we even look at devices), look at the IT team shape, and ask the seven questions above. The output is a written recommendation with reasoning, not a quote. The quote follows once the answer is settled.
If the answer is “both” (Intune for Windows, Hexnode for Mac and Android), we’ve run that pattern for several clients and it works, with clear ownership boundaries and one compliance dashboard pulling from both consoles via API. It is not the default but it is not exotic either.
Get a 60-minute MDM fit assessment
We will inventory your fleet, check your M365 entitlement, sketch the BYOD-vs-corporate split, and tell you whether Hexnode, Intune, or both is the right answer. No pitch. Written reasoning you can take to the board. Book the fit assessment from the MDM page and we will run it next week.