intune macOS

macOS Management with Intune – Part III

Overview Welcome to part three of the macOS management series, wherein I will help you with understanding the different macOS settings that should be managed with compliance policies & system preferences. And then will cover some required device restrictions also. Compliance Policy Using the compliance policies in Microsoft Intune, you

6 min read
macOS Management with Intune – Part III

Overview

Welcome to part three of the macOS management series, wherein I will help you with understanding the different macOS settings that should be managed with compliance policies & system preferences. And then will cover some required device restrictions also.


Compliance Policy

Using the compliance policies in Microsoft Intune, you can ensure that only trusted users from compliant macOS devices can access your company resources.

I will not go through the steps to create the compliance policy as it's a simple, straightforward configuration and is already available on numerous blog posts. Many a time, I have seen that we follow the steps in these guides and configure the policies by simply copying the steps from these guides.

So, If you are the one who will manage these endpoints, then you should know: what are you configuring? Is the policy needed in your environment? What will be it's impact?

Let's get started then by understanding the components in macOS compliance policies.

System Integrity Protection

The first policy to configure is System Integrity Protection (SIP). SIP in macOS protects the entire system by preventing unauthorised code execution. Apple’s system is smart enough to authorise apps that users download from the App Store. If you allow the users to download the apps from trusted developers, the system also authorizes them as the developer will notarize them.

When you enable this setting in the compliance policy, OS will block the launching of all other apps.

Failure to enable SIP leaves your computer vulnerable to malicious code.

Minimum / Maximum OS Version

You can enforce minimum and maximum OS version requirements for corporate macOS devices. When a device fails to comply with the configured versions, it is reported as non-compliant. Based on the conditions you have configured in conditional access, the device won’t be allowed to access organization resources until the device is compliant or a rule changes to allow the OS version.

If you want stricter controls, you can also enforce settings for specific build numbers that you want to be enforced as the minimum allowed.

Password Settings

Next is enforcing the password policy. You should configure this policy to ensure a password is required to access and use Mac that is enrolled in Intune. This policy uses the Passcode payload, and when the payload is installed on the device, users have 60 minutes to enter a password. If users don’t do so within that time, the payload forces them to enter a password using the specified settings. The settings available for the passcode payload are:

Setting Description

Gatekeeper

macOS includes a security technology called Gatekeeper, which helps to ensure that only trusted software runs on your Mac. When an end user downloads and opens an app, a plug-in, or an installer package from outside the App Store, Gatekeeper verifies that the software is from an identified developer, is notarized by Apple to be free of known malicious content, and hasn’t been altered. Gatekeeper also requests user approval before opening downloaded software for the first time to ensure the user hasn’t been tricked into running executable code they believed to be a data file.

By default, Gatekeeper helps ensure that all downloaded software has been signed by the App Store or signed by a registered developer and notarized by Apple. As a standard practice, you can allow launching the apps downloaded from the App store and identified developers.

Stealth Mode

Enabling “stealth mode” makes it more difficult for hackers and malware to find your Mac. When stealth mode is on, your Mac doesn’t respond to either “ping” requests or connection attempts from a closed TCP or UDP network. However, it will respond to incoming requests from known apps.

Block Incoming Connections

⚡💣 This can block all connections to your mac devices. If you are using then make sure you allow the apps in firewall policy.

Blocking all incoming connections on the firewall will protect your Mac from unwanted contact initiated by other computers when connected to the internet or a private network. However, your Mac can still allow access through the firewall for some services and apps. For example:

You can further configure it in firewall settings to allow or restrict certain apps.

With all the required info now, this is how your compliance policy should look like:


Device Restrictions

Now, we move to the next part with configuring restrictions, and I will use the settings catalogue for them:

Software Update Policies

Enable Auto Update

Enable Download New Updates When Available

Enable Installation of App Update

Enable System Data Files and Security Updates

Software Update Deferment Is Less Than or Equal to 30 Days

Ensure Standard naming patterns avoid collisions and mitigate risk for computer users.


System Preferences

Below is a list of standard configurations you can configure for your company-owned macOS devices.

📢⚡Setting a hot corner to disable the screen saver poses a potential security risk since an unauthorized person could use this to bypass the login screen and gain  to the system.
📢⚡AirDrop can allow malicious files to be downloaded from unknown sources.

Security & Privacy

Below is a list of standard restrictions you can configure for your company-owned macOS devices.

Ensure Backup Automatically is Enabled


Stay tuned for the next part, where I will cover app deployment using shell scripts.

Share This Post

Check out these related posts

Platform SSO for macOS: A Deep Dive into Configuration & Troubleshooting

Application Inventory: The Unsung Hero of macOS Security

Set Sail for Smooth Seas: Effortless Mac Enrollment with Intune