In this post, let’s see how to configure Device Restriction Settings for macOS Devices using Intune. We will give a quick overview of how and why we create configuration profiles for Apple macOS devices. Also, we will discuss the different features we can configure while creating a custom configuration profile.
Our last blog post discussed how to create compliance policies. Intune compliance policies, configuration profiles, and Conditional Access policies are the first and mandatory steps an organization takes to protect its resources before giving employees the access they need to use corporate applications.
Microsoft Intune includes many built-in settings to control different features on devices. We can also create custom profiles, which are created in a similar way to built-in profiles. These profiles include features and settings for organizations to control on company-enrolled devices.
For example, we can create a custom profile that sets the same feature for every macOS device. This feature also applies to:
- Android device administrator
- Android Enterprise personally owned devices with a work profile
- iOS/iPadOS
- Windows 10/11
The configuration profile can be created in two ways: by selecting one of the existing Templates provided by Microsoft and customizing the required settings, or, going forward, with the Settings Catalog option, selecting the settings that need to be customized and deploying the configuration profile to devices.
Why should we create a configuration profile
Let’s understand what configuration means exactly. Configuration management is the practice of maintaining computer systems and software in a desired state so that they keep performing as expected as changes are made over time.
A configuration profile allows us to manage configurations and settings centrally from an MDM solution portal and deploy them to as many locations as necessary across the globe. Using profiles, we can update or modify multiple devices instead of manually changing settings on each one.
Custom settings are configured differently for each platform. For example, on Apple devices, profiles already created using Apple Configurator or Apple Profile Manager can also be easily imported into Intune.
Intune has many templates, including settings specific to a feature, such as certificates, VPN, email, and more. Some profile examples include:
- On iOS/iPadOS and macOS devices, allow or prevent access to AirPrint printers inside organizations.
- Allow or prevent access to Bluetooth or Airdrop on devices.
- Create a WiFi or VPN profile that gives different devices access to your corporate network.
- Manage software updates, including when they’re installed.
How to Configure Device Restriction Settings for Intune-enrolled macOS devices
To create a configuration profile, we must first have the required access to the Intune portal. Follow the steps below to create a configuration profile in the Intune portal for macOS devices; the same steps can be repeated for other platforms such as Windows, iPadOS/iOS, Android, ChromeOS, and Linux.
- Sign in to the Microsoft Intune admin center https://endpoint.microsoft.com/.
- On the left sidebar, select Devices > under Policy, select Configuration profiles.
- The list of existing configuration profiles is shown on the right side. To create a new profile, click on Create Profile.
- Select the correct categories for profile creation:
  - Platform – macOS
  - Profile type – Settings Catalog / Templates
- Click on Create.
While creating a sample profile, we selected the Templates under the profile type category and, amongst the displayed templates, selected Device restrictions.
Once you click on the Create button on the above page, provide the Name and Description and click on Next.
Under the Configuration settings tab, select and customize the required settings to be applied to the enrolled macOS devices.
For example, we have blocked Safari Autofill and file transfer using iTunes on company-owned macOS devices. Once the customizations are completed, click on Next.
Scope tags are filtering options provided in Intune to ease the admin jobs. In the scope tag section, you will get an option to configure scope tags for the policy. Click on Next.
The assignment group determines who has access to any app, policy, or configuration profile by assigning groups of users to include and exclude. Select the Assignments groups (Included groups and Excluded groups) and click Next.
On the Review + create page, review whether any settings need to be changed; otherwise, go ahead and click the Create button.
Once the configuration profile is created, it will take a few minutes to be pushed to the targeted devices in the selected group. The deployment status on the targeted devices can be checked in the following ways.
The report reflects the successful deployment of the block Safari Autofill and file transfer using iTunes policy to macOS devices. To see all the device statuses, Navigate to Devices > Configuration Profiles > Select the Profile, and you can find the list of devices under categories such as below.
- Succeeded
- Error
- Conflict
- Not Applicable
Once you click on the View report button, you can see the list of devices along with the following details:
- Device name
- Logged in User
- Check-in Status
- Last check-in time
We can also view two other types of reports, which let you quickly check the status as devices and users check in.
Device assignment status: This report shows the list of devices targeted by the configuration profile, including devices in pending policy assignment status.
Per settings status: This report shows the configuration status of each setting in this policy across all devices and users.
Here’s how you can export the Intune Settings Catalog profile report from the Intune portal. You have two options to navigate to the compliance policies node: you can go through either the Devices node or Endpoint Security. See Intune Settings Catalog Profile Report.
Results – Check Deployed Profile on macOS
Once the Profile gets pushed to the list of client macOS devices as part of the assignment group, it may take a few minutes to reflect on the end user’s device. To check the profile status on the client device, we can follow the below steps.
- Click on the Apple icon at the top-left corner.
- Select System Settings from the list of options.
Go to Privacy & Security > Profiles > you can see the number of profiles deployed to the device.
Also, to view the settings/restrictions in a profile, double-click on the Profile and open it to view the details.
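The same check can be scripted against an exported `.mobileconfig`, which is also useful before importing a profile built in Apple Configurator. The following is an added example, not code from the original post or from Microsoft: it assumes the two settings blocked above correspond to the Apple Restrictions payload (`com.apple.applicationaccess`) keys `safariAllowAutoFill` and `allowiTunesFileSharing`, and the sample profile, identifiers and UUIDs are constructed for illustration.

```python
import plistlib

# Assumed mapping (not from the article): Apple Restrictions payload keys for
# the two settings the article blocks. A value of False means "blocked".
RESTRICTIONS_TYPE = "com.apple.applicationaccess"
EXPECTED = {
    "safariAllowAutoFill": False,     # Block Safari AutoFill
    "allowiTunesFileSharing": False,  # Block file transfer using iTunes
}

# Constructed sample profile standing in for an exported .mobileconfig.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "macOS Device Restrictions (sample)",
    "PayloadIdentifier": "com.example.restrictions",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadIdentifier": "com.example.restrictions.payload",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadVersion": 1,
        "safariAllowAutoFill": False,
        "allowiTunesFileSharing": True,  # deliberately left allowed
    }],
})


def audit_profile(raw: bytes, expected: dict = EXPECTED) -> dict:
    """Return {key: status}; status is 'ok', 'missing' or 'wrong'."""
    profile = plistlib.loads(raw)
    merged = {}
    # A profile may carry several payloads; only Restrictions payloads count.
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_TYPE:
            merged.update(payload)
    result = {}
    for key, want in expected.items():
        if key not in merged:
            result[key] = "missing"  # an unset key leaves the feature allowed
        elif merged[key] is want:
            result[key] = "ok"
        else:
            result[key] = "wrong"
    return result


if __name__ == "__main__":
    for key, status in audit_profile(SAMPLE_PROFILE).items():
        print(f"{key}: {status}")
```

A signed profile is CMS-wrapped and has to be unwrapped before `plistlib` can parse it.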
Conclusion
As we know, organizations must push device restriction profiles to all the devices in their environment to make them compliant with the organization’s policies and standards, to protect the company’s data, and to disable device features such as Bluetooth, public Wi-Fi, or AirDrop, preventing data leakage while users access company resources on internal domain sites.
Author
Snehasis Pani is currently working as a JAMF Admin. He loves to help the community by sharing his knowledge on Apple Mac Devices Support. He is an M.Tech graduate in System Engineering.