Iru Release Notes

Zero-touch Windows enrollment from a single Entra connection

Setting up a new Windows device used to mean manual imaging and IT getting their hands on hardware, and many teams are still doing it this way. Windows Autopilot offers a better path: zero-touch deployment where devices ship direct from the vendor and enroll the moment the employee signs in for the first time. Iru connects directly to that flow, so the setup you configure once applies to every device.

Setting up Autopilot begins in Iru's Integration settings. Connect your Entra tenant and configure the app registration. Once configured, registered devices with Microsoft enroll automatically in Iru.

Blueprint Routing handles assignment automatically. Each new device is routed to the right Blueprint at enrollment based on the rules you configure, with no per-device work needed.

Following Blueprint assignment, enrollment handles itself. When the employee signs in with their Entra credentials on first boot, Iru enrolls the device and follows the Assignment Map logic to apply the right configurations and policies. Apps deploy and security settings start enforcing.

Admins configure the Intune Autopilot policy alongside this to control what employees see during the Windows out-of-the-box experience (OOBE), the first-boot setup wizard on Windows devices. The policy determines which setup screens appear, whether the user gets standard or admin rights, and whether the device Entra joins automatically. Configure it once and it applies to every device that goes through the Autopilot flow.

Every device enrolls the moment the employee signs in

Every device enrolls the moment the employee signs in

Your team is expanding to a new office, and forty devices are shipping directly from the manufacturer to employees across engineering and operations. Engineering needs one set of apps and policies. Operations needs another. No one from IT is traveling to image devices before they go out. IT wants the onboarding process to be easier.

Configure Blueprint Routing in Iru's Autopilot settings once. From that point, every device that enrolls gets assigned to the right Blueprint automatically. Each employee opens the box, signs in with their Entra credentials on first boot, and enrollment completes on its own. The right apps and policies apply without any per-device setup before the device ships.

Every device ships, enrolls, and configures after a user signs in with Entra credentials.

Getting started

To get started with Windows Autopilot in Iru, check out the product documentation.

If you want to see how zero-touch enrollment works for your team, request a demo today.

Endpoints just joined your IT team's AI build environment.

Somewhere in your fleet right now, there is a device out of compliance, assigned to someone who left last month, running an operating system you stopped supporting last year. It is sitting there, a quiet risk, waiting to matter at the worst possible time.

Your team will find it eventually. After opening a console, building a filter, waiting on results, and cross-referencing a spreadsheet. Twenty minutes if everything goes right.

With Iru MCP, your team writes one prompt and a workflow handles the rest: querying Iru, opening the ticket, and notifying the team, all without touching a single console.

Meet Iru MCP

IT teams have always been constrained by the tools they were given. That changed with AI build environments like Claude Code and Cursor. Iru MCP brings endpoint into that same environment. Your device fleet becomes a programmable surface your team can read, act on, and wire into broader workflows in Claude Code, Cursor, or any MCP-compatible AI tool.

Why this matters: AgenticOps

IT teams are moving from operators running tasks in dashboards to builders shipping workflows in an AI development environment. Endpoints are a critical part of almost every IT workflow, and until now, they were missing from the AI build environment. Iru MCP changes that. Wire endpoint management into every workflow you build. Run entire operational sequences from a single prompt. Stay in control at every irreversible step. IT teams are moving from operators to builders. That is AgenticOps.

See it in action: three real workflows

1. Threat detection and automated response

A suspicious login fires from an unfamiliar location. You type one prompt. Your AI assistant queries Iru for the device assigned to that user, checks its compliance status, locks it via MDM pending investigation, notifies your security Slack channel, and sends the affected user an automated email. Every irreversible step waits for your explicit approval before it executes.

What used to be a fifteen-minute scramble across four tools is now a single workflow. Every action logged. Your team responds faster, with a complete audit trail.

2. Cross-tool compliance intelligence

You ask which employees accessing corporate resources are doing so from non-compliant devices. Your AI queries Iru for device compliance status, pulls access data from your MCP-connected identity tool, including Okta, Microsoft Entra, or any identity platform with MCP support, and surfaces the answer in a single conversation. No custom report. No spreadsheet. No week-long audit.

Most security teams cannot answer that question without a manual audit. With Iru MCP, one prompt gets you there. The same conversation can trigger remediation in Iru, open a Jira ticket, and notify Slack. A workflow that does not stop at the answer, it acts on it.

3. Multi-system onboarding and offboarding

A new employee joins. You type one prompt. The AI assigns the standard blueprint in Iru, opens the access ticket in ServiceNow, and posts the welcome message in Slack. Three systems. One conversation. An employee departs. The same logic runs in reverse: devices are unenrolled and wiped via Iru, the offboarding ticket is opened in ServiceNow, and the manager is notified in Slack.

IT did not run a task. IT built a workflow, one that runs the same way every time, across every system, without opening a console. Ship it once. Run it forever.

Safety is not an afterthought

Fair question: what if the AI does something unintended?

Every irreversible action stops and waits for you. Before anything executes, the AI surfaces a clear summary: device name, device identifier, assigned user, and the exact consequence. Nothing happens until you say yes.

Your permissions define exactly what the AI can do. A read-only configuration gives you a read-only AI. A full-access configuration gives you a full-access AI.

What this means for your team

The teams that embrace AgenticOps now are building a capability that compounds with every workflow. For practitioners, that is time back. For leaders, that is a team that scales without adding headcount, building on the Iru investment you have already made. No new budget. No new tools. As Iru’s API expands, so does what your team can build. This release is the foundation. Every workflow your team ships from here compounds on what came before.

We cannot wait to see what you build.

IT and security teams are about to operate very differently. Not incrementally differently. Fundamentally differently. The shift from operator to builder is not a feature update. It is a new way of working that compounds with every workflow your team ships. The teams that start now will have built something the rest of the industry is still trying to understand. We built Iru MCP for those teams. Now it is your turn.

Get started using the Iru MCP

Get started here. The setup guide walks you through the whole process.

Prefer a live walkthrough? Register for our Iru MCP webinar for a deep dive and Q&A.

Want to learn more? Book a demo to see what Iru can do for your team.

For the first time, IT has declarative MDM control over what transfers when a user migrates from an old Mac to a new one.

Everyone who’s gotten a new personal iPhone knows that screen: 'Transfer from iPhone.' You tap it, wait, and Apple transfers everything. It's straightforward and powerful. Hardware refreshes are a natural part of the device lifecycle for employees, but transferring data and preserving settings has historically been a challenge.

Organizations have long wished for Migration Assistant in macOS to work just as seamlessly for their users as it does for consumers, while ensuring the controls they need to ensure organizational security and compliance remain in place. In macOS 26.4, Apple delivered on that wish.

What Apple's Managed Migration Assistant enables

Managed Migration Assistant is an Apple MDM capability that gives IT administrators declarative control over Mac-to-Mac migrations during Setup Assistant. It runs as part of the Automated Device Enrollment flow, scoped via your MDM configuration.

Migration was entirely user-controlled with no enforcement mechanism. IT can now specify which data transfers, which accounts are included, and which security settings apply.

What IT can control

The Managed Migration Assistant declaration exposes four configuration options:

• Required File and Folder Paths
  Define which paths must migrate to the new device. Paths are relative to the user's Home folder, and folder paths require a trailing slash (e.g., Documents/Work/). At the time of this writing, sub-paths are supported, so you can require an entire parent directory while still excluding specific contents within it.

• Excluded Paths
  Specify paths that must not migrate, even if they exist within a required parent directory. In the Migration Assistant UI, users see parent directories only; subfolders are not shown. The declaration still applies correctly at migration time.

• Excluded User Accounts
  Prevent specific user accounts from transferring to the new Mac. Local admin accounts exist to support IT operations, not end users. Migrating one means it arrives on the new device untracked, carrying stale credentials and privileges that were never explicitly granted. If the account is still needed, MDM provisions it fresh.

One thing you cannot control: the user's ~/Library folder always migrates regardless of your configuration. It is not subject to required or excluded path rules.

Managed Migration Assistant in Iru

To configure Managed Migration Assistant in Iru:

1. The admin creates a Migration Assistant library item in Iru and assigns it to the appropriate Blueprint.
2. The device enrolls via ADE. Scope it by assigning the library item to whichever Blueprint covers the devices you want it to apply to: all devices, or a specific subset.
3. During Setup Assistant, the Restore/Migration screen appears (be sure not to skip this screen; see below)
4. Iru applies the declaration from the library item, enforcing the configuration.
5. The user selects their old Mac as the migration source.
6. The migration runs within the parameters defined in the library item.

All four configuration controls are available in the library item: security and privacy settings, required paths, excluded paths, and excluded user accounts.

Iru surfaces the completion data on each device record. The device details tab shows what migrated, what was skipped, and when. The same data is available via the enterprise API device details endpoint.

One gotcha to know before you configure this

If your ADE library item is configured to skip all Setup Assistant screens, Migration Assistant will not run. The Restore screen must be explicitly un-skipped for Managed Migration Assistant to have anything to attach to.

If you're adding this to an existing ADE flow that suppresses all panes by default, audit your current ADE configuration first. If the Restore screen is being skipped, un-skip it before deploying a Migration Assistant configuration. Otherwise, your configuration will be applied to a screen that never appears.

What you get after migration completes

Declarative Device Management provides a completion report after migration runs: what migrated, what was skipped, how much data transferred, and a timestamp. For IT teams that previously had zero visibility into a Migration Assistant run, this is a meaningful operational change. Iru surfaces that data on each device record.

Post-migration, managed app deployment should still run through your MDM, not rely on whatever apps came over from the old Mac. Apps that migrated via Migration Assistant are carry-over copies, not managed deployments. Let your MDM redeploy managed apps as it normally would, so they're in a known-good state rather than a migration artifact.

Start migrating with Iru

Migration has long been one of enterprise IT's least controllable processes. Managed Migration Assistant changes that. Iru delivers it. IT now defines what transfers, what stays behind, and what security posture the new Mac starts with.

See it in action.

Want to bring IT control to your Mac migrations? Book a demo and we'll walk you through Managed Migration Assistant in Iru.