Tuesday, 14 November 2023

macOS management with Intune - compliance


Compliance policies in Intune define the rules and settings that users and devices must meet to be compliant. They include actions that apply to devices that are noncompliant. Compliance policies can be combined with Conditional Access, which can then block users and devices that don't meet the rules.


First I want to figure out what configurations I can make in my compliance policy. Using the Terminal app on my test macOS device, I executed csrutil status to see whether System Integrity Protection was enabled. It is enabled, so I can safely use that for compliance.


Navigate to Devices > macOS > Compliance policies. Click Create policy.


Click OK.


Enter a policy name and click Next. There are three sections that can be configured.


Device health - I know that System Integrity Protection is enabled on my test device.


Next we have Device Properties - I want to insist on a minimum operating system version.

System Security has four sub-sections
  • Password
  • Encryption
  • Device security
  • Gatekeeper

I need devices secured with a password.


I want the devices to be encrypted.


I haven't worked on the firewall yet so I'll not enable this yet.


Gatekeeper will follow in a later blog post.


I've just left the default noncompliance action (mark device noncompliant immediately).


Assign to a group containing macOS devices and click Next.


Review the configuration and click Create.


The device shows being compliant in the Company Portal app.


In the Intune portal, drilling into the compliance policy we can see that the device is compliant.


We can also view the per-setting status of compliance items.
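As an added example, not from the original post, here is a shell script that performs locally the checks the compliance settings above rely on (SIP, FileVault encryption, Gatekeeper, the application firewall and a minimum OS version), which is handy when the per-setting status shows an item as noncompliant. The parse functions take command output as text so they can be exercised with sample output; the minimum version 13.0 is a constructed placeholder, not a value from the post.

```shell
#!/bin/sh
# Added example: local checks mirroring the Intune compliance settings used in
# this post (SIP, FileVault, Gatekeeper, application firewall, minimum OS).
# The parse_* functions take command output as text so they can be exercised
# with sample output on any host; run_checks runs the real macOS tools.

# Each parse_* function returns 0 (compliant) when the tool's output contains
# the expected phrase, 1 otherwise.
parse_sip()        { case "$1" in *"System Integrity Protection status: enabled"*) return 0 ;; esac; return 1; }  # csrutil status
parse_filevault()  { case "$1" in *"FileVault is On"*) return 0 ;; esac; return 1; }                              # fdesetup status
parse_gatekeeper() { case "$1" in *"assessments enabled"*) return 0 ;; esac; return 1; }                          # spctl --status
parse_firewall()   { case "$1" in *"Firewall is enabled"*) return 0 ;; esac; return 1; }                          # socketfilterfw --getglobalstate

# 0 if dotted version $1 is at least dotted version $2 (e.g. 14.1.1 >= 13.5),
# comparing component by component so that 13.10 counts as newer than 13.9.
version_at_least() {
  have="$1." want="$2."
  while [ -n "$want" ]; do
    h="${have%%.*}"; w="${want%%.*}"
    have="${have#*.}"; want="${want#*.}"
    [ "${h:-0}" -gt "${w:-0}" ] && return 0
    [ "${h:-0}" -lt "${w:-0}" ] && return 1
  done
  return 0
}

# Prints "<label>: compliant" or "<label>: NONCOMPLIANT" from a check's exit status.
report() {
  label="$1"; shift
  if "$@"; then echo "$label: compliant"; else echo "$label: NONCOMPLIANT"; fi
}

# Runs the live checks on macOS; on other systems the tools are absent and it skips.
run_checks() {
  min_os="${1:-13.0}"   # constructed placeholder; use the minimum set in the policy
  if ! command -v csrutil >/dev/null 2>&1; then echo "macOS tools not found; skipped"; return 0; fi
  report "SIP" parse_sip "$(csrutil status 2>&1)"
  report "FileVault" parse_filevault "$(fdesetup status 2>&1)"
  report "Gatekeeper" parse_gatekeeper "$(spctl --status 2>&1)"
  report "Firewall" parse_firewall "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>&1)"
  report "macOS >= $min_os" version_at_least "$(sw_vers -productVersion)" "$min_os"
}

run_checks "$@"
```

Run it on the Mac as a normal user, passing the policy's minimum OS version as the first argument, to confirm the device's posture before assigning the policy.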

macOS management with Intune - PKG apps (Chrome)


PKG files are compressed installer files used to install macOS applications. Intune can deploy these apps to managed macOS devices provided the file is smaller than 2 GB. The Microsoft Intune management agent for macOS is also required.

The PKG file for Google Chrome can be downloaded from here.


Select Apps > macOS apps > Add. Under the Other app types, select macOS app (PKG)


Browse to the PKG file.


Click OK.


Edit app details as required and click Next.

You can add pre- and post-install scripts if required. Click Next.


Select a minimum operating system version. Click Next.


For the detection method, the app bundle ID and app version are configured automatically (unlike DMG files). Click Next.


Assign to a group containing macOS devices. Click Next.


Review your configuration and click Create.


Chrome very quickly appears on the macOS device.


The app reports as being installed in Intune.

macOS management with Intune - Microsoft Edge


One of the available Intune app types for macOS is Microsoft Edge, version 77 and later. To help keep Edge more secure and up to date, the app comes with Microsoft AutoUpdate (MAU); more about this in a later blog post.


Select Apps > macOS apps > Add


Select Microsoft Edge, version 77 and later for macOS


Edit app details as required and click Next.


Select the Stable channel. 


Assign to a group containing macOS devices. Click Next.


Review your configuration and click Create.


Edge very quickly appears on the macOS device.


The app reports as being installed in Intune.


macOS management with Intune - Microsoft 365 apps


Intune makes it very easy for you to assign Microsoft 365 apps to macOS devices. By using this app type, you can install Word, Excel, PowerPoint, Outlook, OneNote, and Teams. To help keep the apps more secure and up to date, the apps come with Microsoft AutoUpdate (MAU); more about this in a later blog post.


Select Apps > macOS apps > Add


Select Microsoft 365 app for macOS.


Click Select.


Edit app details as required and click Next.


Assign to a group containing macOS devices. Click Next.


Review your configuration and click Create.


The app is available in Intune.


This is quite a large download and install so it could take a while. Then the apps can be seen on the macOS device.


The apps report as being installed in Intune.

macOS management with Intune - FileVault encryption


FileVault is full-disk encryption that is included with macOS. With Intune you can deploy policies that configure FileVault, and then manage recovery keys on devices that run macOS 10.13 or later. There are two methods of configuring FileVault policies with Intune.

  • Option 1: Endpoint Security > Disk encryption
  • Option 2: Device configuration profile for endpoint protection

I've chosen option 2.


First, on the test device, have a look at System Preferences > Security and Privacy.


We can see that FileVault is not turned on.


In Intune, click on the test macOS device. We can see the Recovery keys option. We're told that we can only view recovery keys on corporate devices.

The test device is not currently categorized as corporate.


I need to change that.


On the test macOS device I get a notification in the Company Portal app and can see that the ownership type of the device has changed from personal to corporate.


It's reflected in the Intune portal also. Now we're in business.


Time for the profile. Click on Devices > macOS > Configuration profiles and click Create. Choose Templates as the Profile type and select Endpoint protection. Click Next.


Enter a profile name and click Next.


Select your options. Here I'm just enabling FileVault and entering a message. Click Next.


Assign to a group of macOS devices. Click Next.


Review your choices and click Create.


On the device I'm prompted to enter my password in order to enable FileVault.


FileVault is enabling.


We're presented with the recovery key and told to keep it safe. Don't worry about me sharing this. It's a test device and this key is no longer valid.


We can also see the recovery key in the Intune portal.


FileVault is turned on and the device is encrypting. This can take a while.


Device is fully encrypted.