Tuesday, 14 November 2023

macOS management with Intune - compliance


Compliance policies in Intune define the rules and settings that users and devices must meet to be compliant. They include actions that apply to devices that are noncompliant. Compliance policies can be combined with Conditional Access, which can then block users and devices that don't meet the rules.


First I want to figure out which settings I can require in my compliance policy. Using the Terminal app on my test Mac I ran csrutil status to see whether System Integrity Protection was enabled. It is enabled, so I can safely require it for compliance.


Navigate to Devices > macOS > Compliance policies. Click Create policy.


Click OK.


Enter a policy name and click Next. There are three sections that can be configured.


Device health - I know that System Integrity Protection is enabled on my test device.


Next we have Device Properties - I want to insist on a minimum operating system version.

System Security has four sub-sections
  • Password
  • Encryption
  • Device security
  • Gatekeeper

I need devices secured with a password.


I want the devices to be encrypted.


I haven't worked on the firewall yet so I'll not enable this yet.


Gatekeeper will follow in a later blog post.


I've just left the default noncompliance action (mark device noncompliant immediately).


Assign the policy to a group containing macOS devices, and click Next.


Review the configuration and click Create.
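Before assigning the policy it helps to know what the device will report. The script below is an added example, not from the post or from Microsoft: it checks three of the items configured above (SIP, FileVault encryption and a minimum OS version, with 13.6 as an assumed minimum) using the same built-in macOS tools the post uses for csrutil. The parsers take command output as an argument so they can be exercised with constructed sample strings on any machine.

```shell
#!/bin/sh
# Added example: local pre-check of compliance items. Not Intune's own logic.
# Assumed minimum macOS version for the "Device Properties" rule.
MIN_OS_VERSION="13.6"

# Return 0 when the text from `csrutil status` says SIP is enabled.
sip_enabled() {
  case "$1" in
    *"System Integrity Protection status: enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when the text from `fdesetup status` says FileVault is on.
filevault_on() {
  case "$1" in
    *"FileVault is On"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when installed version "$1" (e.g. 14.1.2) meets minimum "$2".
# Compares field by field as numbers, so 10.15 is not ranked above 13.6.
version_ok() {
  awk -v inst="$1" -v min="$2" 'BEGIN {
    ni = split(inst, a, "."); nm = split(min, b, ".")
    n = (ni > nm) ? ni : nm
    for (i = 1; i <= n; i++) {
      x = a[i] + 0; y = b[i] + 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0
  }'
}

# On a Mac, run the real commands; print one line per item and return
# nonzero if any item would be marked noncompliant.
check_device() {
  rc=0
  sip_enabled "$(csrutil status 2>/dev/null)" \
    && echo "SIP: ok" || { echo "SIP: FAIL"; rc=1; }
  filevault_on "$(fdesetup status 2>/dev/null)" \
    && echo "FileVault: ok" || { echo "FileVault: FAIL"; rc=1; }
  version_ok "$(sw_vers -productVersion 2>/dev/null)" "$MIN_OS_VERSION" \
    && echo "OS version: ok" || { echo "OS version: FAIL"; rc=1; }
  return $rc
}

if [ "$(uname)" = "Darwin" ]; then check_device; fi
```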


The device shows as compliant in the Company Portal app.


In the Intune portal, drilling into the compliance policy we can see that the device is compliant.


We can also view the per-setting status of compliance items.
