Here’s a step-by-step guide on how to disable console logon for macOS using Intune. Restricting macOS console access helps enhance the security of your system. Console logon allows users to interact with the macOS system directly, without relying on remote access methods such as SSH or remote desktop connections.
Console logon is often used for tasks like system maintenance, troubleshooting, and initial setup. However, it’s essential to ensure the physical security of the computer, as console logon provides direct access to the system.
Intune includes many built-in settings to control different features on macOS devices. You can create policies from the Settings catalog. These profiles include features and settings for organizations to control on company-enrolled devices.
Setting up the Intune policy allows you to configure the Login Window Behavior payload to set preferences for user login, control the user’s ability to restart and shut down devices from the login window, and set the appearance of the login window.
Starting with Intune service release 2301, settings for login and background items have been added. Using this feature, you can create a policy that automatically opens items when users log in to their macOS devices. In the same way, you can prevent apps from running in the background while the user is logged on.
Disable Console Logon for macOS using Intune
By following these steps, you can effectively disable console logon on macOS devices managed by Microsoft Intune. This allows admins to configure system preferences and security settings to control console access.
- Sign in to the Microsoft Intune Admin portal https://intune.microsoft.com/.
- Select Devices > Configuration profiles > Create profile, or navigate directly to macOS > Configuration profiles. In the latter case, the platform will be prepopulated.
In Create Profile, select macOS in Platform, and select Settings Catalog as the Profile Type. Click on the Create button.
In the macOS Basics tab, enter a descriptive name for the new profile, for example, Disable Console Logon. Add a description for the profile to explain the policy usage, and select Next.
On the Configuration settings tab, the settings catalog lets you choose which settings you want to configure. Click on Add Settings to browse or search the catalog for the settings you want to configure.
Search for “Console” or “Disable Console Access”. Select “Login > Login Window Behavior” from the search results. Select “Disable Console Access” and close the pane.
This policy setting allows you to configure the Login Window Behavior payload to set preferences for user login, control the user’s ability to restart and shut down devices from the login window, and set the appearance of the login window.
The next step is to toggle “Disable Console Logon” to Enabled. If true, the login window disregards the >console special user name, which would otherwise provide a command line UI. Click on Next.
Using Scope tags, you can assign a tag to filter the profile to specific IT groups. One can add scope tags (if required) and click Next to continue.
Now in Assignments, in Included Groups, you need to click on Add Groups, choose Select Groups to include one or more groups, and click Next to continue.
In the Review + Create tab, you need to review your settings. After clicking Create, your changes are saved, and the profile will be assigned to the added devices group.
A notification will appear automatically in the top right-hand corner, confirming that the Policy “Disable Console Logon” was created successfully. Also, if you check the Configuration Profiles list, the Policy is visible there with the tag NEW.
Note! The device groups will receive your profile settings when the devices check in with the Intune service. The Policy applies to the device.
Monitor macOS Policy Deployment
Intune provides several features to monitor and manage device configuration profiles. Once the configuration profile is applied, you can monitor the Intune policy assignment: from the list of Configuration Profiles, select the policy you targeted, and check the device and user check-in status.
If you click View Report, additional details are displayed. Additionally, you can quickly check updates in the device and user check-in status reports.
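To confirm on the device side that the setting has landed, complementing the portal reports above, the following added example (not from the original article or from Microsoft) reads a managed-preferences plist or an unsigned exported profile and reports the state of the console access setting. It assumes the setting is delivered as the DisableConsoleAccess key of Apple's com.apple.loginwindow payload; the sample profile is constructed.

```python
import plistlib
import sys

# Apple's Login Window payload type and key; neither name is quoted on the page.
DOMAIN = "com.apple.loginwindow"
KEY = "DisableConsoleAccess"


def console_access_state(data: bytes) -> str:
    """Classify a plist blob as 'disabled', 'allowed' or 'not-configured'.

    Accepts a managed-preferences plist (flat dict) or an unsigned
    .mobileconfig (settings nested under PayloadContent), XML or binary.
    """
    try:
        root = plistlib.loads(data)
    except Exception as exc:  # signed profiles and truncated files land here
        raise ValueError(f"not a readable plist: {exc}") from exc
    if not isinstance(root, dict):
        raise ValueError("plist root is not a dictionary")
    content = root.get("PayloadContent")
    if isinstance(content, list):  # exported profile
        payloads = [p for p in content
                    if isinstance(p, dict) and p.get("PayloadType") == DOMAIN]
    else:  # flat managed-preferences file
        payloads = [root]
    values = [p[KEY] for p in payloads if KEY in p]
    if not values:
        return "not-configured"
    # Conservative: every matching payload must carry a boolean True.
    return "disabled" if all(v is True for v in values) else "allowed"


# Constructed sample: a minimal unsigned profile with the setting enabled.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{"PayloadType": DOMAIN, KEY: True}],
})

if __name__ == "__main__":
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, "rb") as fh:
            blob = fh.read()
    else:
        path, blob = "constructed sample", SAMPLE_PROFILE
    state = console_access_state(blob)
    print(f"{path}: console access {state}")
    sys.exit(0 if state == "disabled" else 1)
```

On an enrolled Mac, pass the path of the managed-preferences file for com.apple.loginwindow (typically under /Library/Managed Preferences/, which is an assumption here). The script exits non-zero unless console access is disabled, so it can be used as a compliance check.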
About Author – Jitesh, Microsoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.