Configure Device Restriction Settings for macOS Devices using Intune

In this post, let’s see how to configure Device Restriction Settings for macOS Devices using Intune. We will give a quick overview of how and why we create configuration profiles for Apple macOS devices. Also, we will discuss the different features we can configure while creating a custom configuration profile.

Our last blog post discussed how to create compliance policies. Intune compliance policies, configuration profiles, and Conditional Access policies are the first, mandatory steps an organization takes to protect its resources before giving employees the access they need to use corporate applications.

Microsoft Intune includes many built-in settings to control different features on devices. We can also create custom profiles, which are created in a similar way to built-in profiles. These profiles include the features and settings that organizations want to control on company-enrolled devices.

For example, we can create a custom profile that sets the same feature for every macOS device. This feature also applies to:

  • Android device administrator
  • Android Enterprise personally owned devices with a work profile
  • iOS/iPadOS
  • Windows 10/11

The configuration profile can be created in two ways: by selecting one of the existing Templates provided by Microsoft and customizing the required settings, or, in the future, by using the Settings Catalog option, selecting the settings that need to be customized, and deploying the configuration profile to devices.

Why should we create a configuration profile

Let’s understand what configuration means exactly. Configuration management is the practice of maintaining computer systems and software in a desired state so that they continue to perform as expected as changes are made over time.

A configuration profile allows us to manage configurations and settings centrally from an MDM solution portal and deploy them to as many locations as necessary across the globe. Using profiles, we can update or modify multiple devices instead of manually changing settings on each one.

Custom settings are configured differently for each platform. For example, on Apple devices, profiles already created using Apple Configurator or Apple Profile Manager can also be easily imported into Intune.


Intune has many templates, including settings specific to a feature, such as certificates, VPN, email, and more. Some profile examples include:

  • On iOS/iPadOS and macOS devices, allow or prevent access to AirPrint printers inside organizations.
  • Allow or prevent access to Bluetooth or Airdrop on devices.
  • Create a WiFi or VPN profile that gives different devices access to your corporate network.
  • Manage software updates, including when they’re installed.

How to Configure Device Restriction Settings for Intune-enrolled macOS devices

To create a configuration profile, we must first have the required access to the Intune portal. Follow the steps below to create a configuration profile in the Intune portal for macOS devices; the same steps can be repeated for other platforms such as Windows, iPadOS/iOS, Android, ChromeOS, and Linux.

  • Sign in to the Microsoft Intune admin center https://endpoint.microsoft.com/.
  • On the left sidebar, select Devices > under Policy, select Configuration profiles.
  • The list of existing configuration profiles will be reflected on the right side. To create a new profile, click on Create Profile.
  • Select the correct categories for profile creation:
    • Platform – macOS
    • Profile type – Settings Catalog/ Templates
    • Click on Create.

While creating a sample profile, we selected the Templates under the profile type category and, amongst the displayed templates, selected Device restrictions.

Configure Device Restriction Settings for macOS Device using Intune Fig. 1

Once you click the Create button on the above page, provide the Name and Description and click Next.

Configure Device Restriction Settings for macOS Device using Intune Fig. 2

Under the Configuration settings tab, select and customize the settings to be applied to the enrolled macOS devices.

For example, we have blocked Safari Autofill and file transfer using iTunes on company-owned macOS devices. Once the customizations are completed, click Next.

Configure Device Restriction Settings for macOS Device using Intune Fig. 3

Scope tags are filtering options provided in Intune to make the admin's job easier. In the scope tag section, you get the option to configure scope tags for the policy. Click Next.

Configure Device Restriction Settings for macOS Device using Intune Fig. 4

The assignment group determines who has access to any app, policy, or configuration profile by assigning groups of users to include and exclude. Select the assignment groups (Included groups and Excluded groups) and click Next.

Configure Device Restriction Settings for macOS Device using Intune Fig. 5

On the Review + create page, check whether any settings need to be changed; if not, go ahead and click the Create button.

Configure Device Restriction Settings for macOS Device using Intune Fig. 6

Once the configuration profile is created, it will take a few minutes to get pushed to the targeted devices in the selected group. The deployment status across the targeted devices can be checked in the following ways.

The report reflects the successful deployment of the policy blocking Safari Autofill and file transfer using iTunes to macOS devices. To see all the device statuses, navigate to Devices > Configuration Profiles, select the profile, and you will find the devices listed under the following categories.

  • Succeeded
  • Error
  • Conflict
  • Not Applicable
Configure Device Restriction Settings for macOS Device using Intune Fig. 7

Once you click the View report button, you can see the list of devices along with the following details:

  • Device name
  • Logged in User
  • Check-in Status
  • Last check-in time
Configure Device Restriction Settings for macOS Device using Intune Fig. 8
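
To follow up on this report outside the portal, the sketch below triages an exported copy of it. It is an added example, not part of the original post or of Intune itself: the column names follow the fields listed above, while the CSV layout, the timestamp format, the seven-day staleness window and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not real tenant data).
SAMPLE = """Device name,Logged in User,Check-in Status,Last check-in time
MAC-001,alice@example.com,Succeeded,2024-05-20 09:12:00
MAC-002,bob@example.com,Error,2024-05-20 08:40:00
MAC-003,carol@example.com,Conflict,2024-05-19 17:05:00
MAC-004,dave@example.com,Succeeded,2024-05-02 11:30:00
MAC-005,erin@example.com,Not Applicable,2024-05-20 07:55:00
"""
NOW = datetime(2024, 5, 21)  # fixed "current time" so the demo is reproducible


def triage(report_csv, now, max_age=timedelta(days=7)):
    """Return [(device, user, reason)] for devices that need follow-up."""
    flagged = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        status = row["Check-in Status"].strip()
        last = datetime.strptime(row["Last check-in time"].strip(),
                                 "%Y-%m-%d %H:%M:%S")
        if status in ("Error", "Conflict"):
            # The restriction is not confirmed as applied on this device.
            reason = f"status {status}"
        elif status == "Succeeded" and now - last > max_age:
            # Reported success is old; the device has not confirmed it recently.
            reason = f"stale: last check-in {(now - last).days} days ago"
        else:
            continue  # recent success, or profile not applicable to the device
        flagged.append((row["Device name"], row["Logged in User"], reason))
    return flagged


if __name__ == "__main__":
    for device, user, reason in triage(SAMPLE, NOW):
        print(f"{device:8} {user:20} {reason}")
```
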

We can also view two other types of reports, which let you quickly check the update status as devices and users check in.

Device assignment status: This report shows the list of devices targeted by the configuration profile, including devices in a pending policy assignment status.

Configure Device Restriction Settings for macOS Device using Intune Fig. 9

Per settings status: This report shows the configuration status of each setting in this policy across all devices and users.

Configure Device Restriction Settings for macOS Device using Intune Fig. 10

Here’s how you can export the Intune Settings Catalog profile report from the Intune portal. You have two options to navigate to the compliance policies node: either through the Devices node or through Endpoint Security – Intune Settings Catalog Profile Report.

Results – Check Deployed Profile on macOS

Once the profile is pushed to the client macOS devices in the assignment group, it may take a few minutes to show up on the end user’s device. To check the profile status on the client device, follow the steps below.

  • Click on the Apple icon at the top-left corner.
  • Select System Settings from the list of options.
Configure Device Restriction Settings for macOS Device using Intune Fig. 11

Go to Privacy & Security > Profiles, where you can see the number of profiles deployed to the device.

Configure Device Restriction Settings for macOS Device using Intune Fig. 12

To view the settings and restrictions in a profile, double-click the profile to open it and view the details.

Configure Device Restriction Settings for macOS Device using Intune Fig. 13
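
The same check can be scripted against an unsigned .mobileconfig file, for example one built in Apple Configurator before importing it into Intune. The sketch below is an added example, not part of the original post: it assumes the two settings blocked earlier correspond to the Apple Restrictions payload keys `safariAllowAutoFill` and `allowiTunesFileSharing`, and the sample profiles, identifiers and UUIDs are constructed placeholders.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple Restrictions payload
# Restriction key -> value that means "blocked" (assumed mapping for this post).
REQUIRED = {
    "safariAllowAutoFill": False,
    "allowiTunesFileSharing": False,
}


def audit_profile(raw: bytes, required=REQUIRED) -> dict:
    """Return {key: reason} for each required restriction not enforced."""
    profile = plistlib.loads(raw)
    seen = {}  # key -> values found across all Restrictions payloads
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue  # Wi-Fi, VPN, certificate payloads are out of scope here
        for key in required:
            if key in payload:
                seen.setdefault(key, []).append(payload[key])
    findings = {}
    for key, wanted in required.items():
        values = seen.get(key)
        if values is None:
            findings[key] = "not set in any Restrictions payload"
        elif wanted not in values:
            findings[key] = f"set to {values[0]!r}, expected {wanted!r}"
    return findings


def make_profile(**restrictions) -> bytes:
    """Build a constructed profile body for the demo (not exported from Intune)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.restrictions",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "PayloadContent": [{
            "PayloadType": RESTRICTIONS_TYPE,
            "PayloadIdentifier": "com.example.restrictions.payload",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "PayloadVersion": 1,
            **restrictions,
        }],
    })


HARDENED = make_profile(safariAllowAutoFill=False, allowiTunesFileSharing=False)
WEAK = make_profile(safariAllowAutoFill=False, allowiTunesFileSharing=True)
```

An empty result from `audit_profile` means both restrictions are present and set to block; a signed profile would need its signature wrapper removed before `plistlib` can read it.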

Conclusion

As we know, organizations must push device restriction profiles to all the devices in their environment to make them compliant with the organization’s policies and standards, to protect the company’s data, and to disable device features such as Bluetooth, public Wi-Fi, or AirDrop, preventing data leakage while users access company resources on internal domain sites.

Author

Snehasis Pani is currently working as a JAMF Admin. He loves to help the community by sharing his knowledge on Apple Mac Devices Support. He is an M.Tech graduate in System Engineering.
