Configure macOS Compliance Policy in Intune for Devices

In this post, let’s see how to configure a macOS compliance policy for devices in Intune. We will walk through creating an Intune compliance policy for Apple macOS devices and discuss the options available when building a custom Intune compliance policy.

Our last blog post discussed that the Intune mobile device management (MDM) solution supports macOS. Intune compliance policies, together with Conditional Access policies, are the first layer of protection before access to corporate applications is granted.

Compliance policy configuration is an important design decision when managing devices with Intune. Through these compliance settings we can set minimum/maximum OS versions, password policy (password length, expiry duration), and much more.

Also, please ensure you have the required Administrator access to create device compliance policies in the Intune portal and push them to specific or all user groups.


The organization creates and pushes compliance policies in the Intune portal so that access can be restricted when a device is not compliant, which helps the organization protect its data and control the use of its resources. A compliance policy can be created in different categories, such as:

  • Device Health
  • Device Properties
  • System Security settings
    • Password
    • Encryption
    • Device Security
    • Gatekeeper

Create macOS Compliance Policy in Intune

Follow the steps below to create a compliance policy in the Intune portal for macOS devices; the same steps apply to other platforms such as Windows, iPadOS/iOS, Android, ChromeOS, and Linux.

  • Sign in to the Microsoft Intune admin center https://endpoint.microsoft.com/.
  • On the left sidebar, select Devices > under the Policy category, select Compliance Policies.
Configure macOS Compliance Policy in Intune for Devices Fig.1

The list of created policies will be reflected under the Policies category. To create a new policy, click on Create Policy.

Configure macOS Compliance Policy in Intune for Devices Fig.2

Let’s select the correct categories for the compliance setting:

  • Platform – macOS
  • Profile type – Mac compliance policy, click on Create.
Configure macOS Compliance Policy in Intune for Devices Fig.3

Under Mac compliance policy, provide a policy name that helps you identify it later, for example Compliance Policy for Mac Devices. You can also specify a Description; then click Next.

Note – This compliance policy will ensure that all the macOS devices are compliant before accessing corporate resources like E-mail, SharePoint, Teams, etc.

Configure macOS Compliance Policy in Intune for Devices Fig.4

Expand the available categories on the Compliance settings tab and configure your policy settings. This profile type uses settings from the Settings catalog. The following compliance options are available for macOS management:

  • Device Health
    • Require system integrity protection: Require
  • Device Properties
    • Operating System Version
      • Minimum OS version
      • Maximum OS version
      • Minimum OS build version
      • Maximum OS build version

We set macOS v12.6.2 as the minimum OS version, which means devices running any OS version below v12.6.2 will be reported as non-compliant.

Configure macOS Compliance Policy in Intune for Devices Fig.5

For System Security settings under Mac compliance policy, the available options are:

  • System Security – Password
    • Require a password to unlock devices (Require / Not Configured)
    • Simple Passwords (Block / Not Configured)
    • Minimum Password Length
    • Password type: Device default / Alphanumeric / Numeric
    • Number of non-alphanumeric characters in password: (0-4)
    • Maximum minutes of inactivity before password is required (Not required / 1, 5 or 15 minutes / 1 or 4 hours)
    • Password expiration days: Select the number of days before the password expires and the user must create a new one.
    • Number of previous passwords to prevent reuse: Enter the number of previously used passwords that can’t be used again.
Configure macOS Compliance Policy in Intune for Devices Fig.6

The next step is configuring encryption and the firewall to protect devices from unauthorized network access. You can use the firewall to control connections on a per-application basis.

  • Encryption
    • Require encryption of data storage on device (Require / Not Configured)
  • Device Security
    • Firewall (Enable / Not Configured)
    • Incoming connections (Block / Not Configured)
    • Stealth Mode (Enable / Not Configured)
  • Gatekeeper
    • Allow apps downloaded from these locations (Not configured / Mac App Store / Mac App Store and identified developers / Anywhere), then click Next.
Configure macOS Compliance Policy in Intune for Devices Fig.7

On the Actions for noncompliance tab, specify a sequence of actions to apply automatically to devices that don’t meet this compliance policy (By default, the policy is selected as Mark device noncompliant > Immediately).

Configure macOS Compliance Policy in Intune for Devices Fig.8

Scope tags are a filtering option provided in Intune to ease admin tasks. In the Scope tags section, you get the option to configure scope tags for the policy. Click Next.

Configure Device Compliance settings for macOS in Intune Fig.9

Select Assignments group (Included groups and Excluded groups) and click Next.

Assignment Group: It determines who has access to any app, policy, or configuration profile by assigning groups of users to include and exclude.

Configure Device Compliance settings for macOS in Intune Fig.10

On the Review + create page, review whether any settings need to be changed; otherwise go ahead and click the Create button.
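As an added example (not part of the original post), the same policy expressed as a Microsoft Graph request body, so it can be created by script instead of through the portal. Property names follow the Graph macOSCompliancePolicy resource; the password values (8 characters, 5 minutes, 90 days, 5 previous passwords) and the "PasswordRequired" rule name are sample values chosen here, and create_policy assumes you already hold a valid access token.

```python
import json
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"

# Portal wording for "Allow apps downloaded from these locations" -> Graph enum value.
GATEKEEPER_SOURCES = {
    "Not configured": "notConfigured",
    "Mac App Store": "macAppStore",
    "Mac App Store and identified developers": "macAppStoreAndIdentifiedDevelopers",
    "Anywhere": "anywhere",
}

def build_mac_compliance_policy(name, min_os="12.6.2", min_password_length=8,
                                gatekeeper="Mac App Store and identified developers"):
    """Body for POST GRAPH_URL; keys mirror the portal tabs walked through above.
    Scheduled action = portal default 'Mark device noncompliant > Immediately'."""
    if gatekeeper not in GATEKEEPER_SOURCES:
        raise ValueError(f"unknown Gatekeeper source: {gatekeeper!r}")
    return {
        "@odata.type": "#microsoft.graph.macOSCompliancePolicy",
        "displayName": name,
        "systemIntegrityProtectionEnabled": True,   # Device Health: Require SIP
        "osMinimumVersion": min_os,                 # Device Properties
        "passwordRequired": True,                   # System Security: Password
        "passwordBlockSimple": True,
        "passwordMinimumLength": min_password_length,
        "passwordRequiredType": "alphanumeric",
        "passwordMinutesOfInactivityBeforeLock": 5,  # sample value
        "passwordExpirationDays": 90,                # sample value
        "passwordPreviousPasswordBlockCount": 5,     # sample value
        "storageRequireEncryption": True,           # Encryption
        "firewallEnabled": True,                    # Device Security
        "firewallBlockAllIncoming": True,
        "firewallEnableStealthMode": True,
        "gatekeeperAllowedAppSource": GATEKEEPER_SOURCES[gatekeeper],  # Gatekeeper
        "scheduledActionsForRule": [{               # Actions for noncompliance
            "ruleName": "PasswordRequired",         # conventional rule name (assumption)
            "scheduledActionConfigurations": [{"actionType": "block", "gracePeriodHours": 0}],
        }],
    }

def create_policy(body, access_token):
    """POST the body; the token needs DeviceManagementConfiguration.ReadWrite.All."""
    req = urllib.request.Request(GRAPH_URL, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {access_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Assignments and scope tags are not part of this body; in Graph they are set afterwards on the created policy.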

Configure Device Compliance settings for macOS in Intune Fig.11

Once the compliance policy is created, it takes a few minutes to reach the devices in the selected group. You can view the deployment status for the targeted devices in the following ways.

  • To see all the device statuses, navigate to Devices > Compliance Policies > select the policy name; the Overview page shows the policy deployment status.
Configure Device Compliance settings for macOS in Intune Fig.12

Device compliance reports are meant to be broad and provide a more traditional reporting view of data to identify aggregated metrics. This report is designed to work with large datasets to get a full device compliance picture.

In the Intune portal, you can check the compliance status of Mac devices under Devices > macOS > macOS devices. Here the devices you targeted show the compliance status Compliant.

Configure Device Compliance settings for macOS in Intune Fig.13

Also, we can view the per-user, per-device, and per-setting status under every compliance policy.

Device Status: On this page, we can see the list of devices to which the compliance policy has been pushed and how many of them are showing as compliant or non-compliant.

Configure Device Compliance settings for macOS in Intune Fig.14

User Status: On this page, we can see the list of users in Intune to whom the compliance policy has been pushed and how many of them are showing as compliant or non-compliant.

Configure Device Compliance settings for macOS in Intune Fig.15

Per Setting Status: On this page, we can see the list of settings configured in the policy and pushed to the targeted devices; each setting shows a status of Compliant, Non-Compliant, Pending, Error, or Not-Applicable.
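To show how such per-setting statuses are derived, here is an added example (not from the post or from Intune itself) that evaluates a constructed device report against the policy settings described above, comparing OS versions numerically so that 12.6.10 is correctly treated as newer than 12.6.2. The device report keys and the Gatekeeper strictness ordering are assumptions made for this example.

```python
# Graph enum values for Gatekeeper, ordered from most to least restrictive (assumption).
GATEKEEPER_RANK = {"macAppStore": 0, "macAppStoreAndIdentifiedDevelopers": 1, "anywhere": 2}

def version_tuple(v):
    """'12.6.2' -> (12, 6, 2), padded so that '12.6' compares equal to '12.6.0'."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

# (policy key, device report key, predicate(policy value, device value))
CHECKS = [
    ("osMinimumVersion", "osVersion", lambda p, d: version_tuple(d) >= version_tuple(p)),
    ("osMaximumVersion", "osVersion", lambda p, d: version_tuple(d) <= version_tuple(p)),
    ("systemIntegrityProtectionEnabled", "sipEnabled", lambda p, d: d is True),
    ("storageRequireEncryption", "fileVaultEnabled", lambda p, d: d is True),
    ("firewallEnabled", "firewallEnabled", lambda p, d: d is True),
    ("firewallBlockAllIncoming", "firewallBlockAllIncoming", lambda p, d: d is True),
    ("firewallEnableStealthMode", "firewallStealthMode", lambda p, d: d is True),
    ("passwordMinimumLength", "passwordMinLength", lambda p, d: d >= p),
    # Assumption: a device whose Gatekeeper source is at least as strict as the policy's passes.
    ("gatekeeperAllowedAppSource", "gatekeeperAppSource",
     lambda p, d: GATEKEEPER_RANK[d] <= GATEKEEPER_RANK[p]),
]

def evaluate(policy, device):
    """Per-setting status: Compliant, Non-Compliant, Pending (no report yet) or
    Not-Applicable (setting left Not configured in the policy)."""
    status = {}
    for policy_key, device_key, ok in CHECKS:
        wanted = policy.get(policy_key)
        if wanted in (None, False, "notConfigured"):
            status[policy_key] = "Not-Applicable"
        elif device_key not in device:
            status[policy_key] = "Pending"
        else:
            status[policy_key] = "Compliant" if ok(wanted, device[device_key]) else "Non-Compliant"
    return status

# Constructed sample: the settings from this post and one Mac's reported state.
POLICY = {"osMinimumVersion": "12.6.2", "systemIntegrityProtectionEnabled": True,
          "storageRequireEncryption": True, "firewallEnabled": True,
          "firewallBlockAllIncoming": True, "firewallEnableStealthMode": True,
          "passwordMinimumLength": 8, "gatekeeperAllowedAppSource": "macAppStoreAndIdentifiedDevelopers"}
DEVICE = {"osVersion": "12.6.10", "sipEnabled": True, "fileVaultEnabled": True,
          "firewallEnabled": True, "firewallBlockAllIncoming": False, "firewallStealthMode": True,
          "passwordMinLength": 12, "gatekeeperAppSource": "anywhere"}

if __name__ == "__main__":
    for setting, result in evaluate(POLICY, DEVICE).items():
        print(f"{setting:36} {result}")
```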

Configure Device Compliance settings for macOS in Intune Fig.16

Here’s how you can export Intune device compliance policies from the Intune portal. You have two options to navigate to the compliance policies node: either through the Devices node or through Endpoint Security; see Export Intune Device Compliance Policies for the details.

Device Compliance Settings for macOS in Intune

As we know, organizations must push compliance policies to all the devices in their environment, irrespective of platform, to make them compliant with the organization’s policies and standards. This protects the company’s data and restricts access to company resources, such as M365 apps, Microsoft Teams, or internal domain sites, to compliant users only.

Author

Snehasis Pani is currently working as a JAMF Admin. He loves to help the community by sharing his knowledge on Apple Mac Devices Support. He is an M.Tech graduate in System Engineering.
