Intune Policies for macOS

1. Device Configuration Profiles (Settings and Restrictions)

Purpose: Configure system settings, restrict features

  • General Settings

    • Set custom name, wallpaper

    • Configure login window preferences

    • Prevent local account creation

  • Device Restrictions

    • Disable camera, iCloud sync, Siri, AirDrop, Bluetooth, etc.

    • Restrict app installation

    • Prevent users from modifying Wi-Fi, VPN, or proxy settings

    • Disable System Preferences access

    • Block USB drives and external media

  • Security Settings

    • Require FileVault (disk encryption)

    • Require password after sleep or screen saver

    • Set password complexity requirements

    • Block Touch ID for login

    • Disable system diagnostics submission

  • System Preferences Restrictions

    • Prevent access to Network, Security, or Users & Groups panes


2. Compliance Policies

Purpose: Define what makes a device "compliant"

  • Require:

    • Password + complexity

    • Encryption (FileVault enabled)

    • Minimum macOS version

    • Antivirus status

    • Company Portal app installed

    • Not jailbroken/rooted

  • Custom compliance messaging

  • Mark as non-compliant → trigger Conditional Access (block apps/resources)


3. App Protection Policies (MAM)

Purpose: Control data access inside apps (mainly for Office apps)

  • Prevent copy/paste between personal and work apps

  • Require encryption for app data

  • Require PIN or biometric to open apps

  • Wipe corporate data if the app is inactive or the device is unenrolled

  • Prevent saving to local storage


4. App Configuration Policies

Purpose: Pre-configure app settings for users

  • Pre-sign-in URLs, default tenant ID (for Teams, Outlook, etc.)

  • Automatically sign users into Office apps

  • Block specific features within apps (e.g., signatures in Outlook)

  • Set up VPN settings for apps


5. Shell Script Deployment

Purpose: Push custom scripts to Macs for extra control

  • Remove admin rights from user

  • Configure system preferences

  • Block USB storage

  • Set proxy settings

  • Disable terminal or system processes

  • Modify plist files or local configuration files


6. Endpoint Security Policies

Purpose: Harden the OS and ensure security posture

  • Antivirus (if a third-party product such as SentinelOne or CrowdStrike is installed)

  • Disk Encryption (FileVault)

    • Enable and escrow recovery keys

    • Require for compliance

  • Firewall Settings

    • Enable macOS firewall

    • Configure incoming/outgoing rules

  • Attack Surface Reduction

    • Configure system integrity protection

    • Block sharing features

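The script below is an added example (not Microsoft's or Apple's own code) of the kind of script section 5 describes, deployed through Intune's macOS shell script feature, and it audits the posture items from section 6: FileVault, the application firewall and System Integrity Protection, plus the local admin membership that a "remove admin rights" script would act on. The parsing is kept in small functions that take the captured tool output as a string, so the logic can be checked on any machine; the live section only runs on Darwin. The account name (passed as the first script argument) and the exit-code convention are assumptions for illustration.

```shell
#!/bin/sh
# Added example: Intune-style macOS posture script. Audits FileVault, the
# application firewall and SIP, and demotes an assumed target account from the
# local admin group. Not Microsoft's or Apple's code; names are illustrative.
set -u

# --- Parsers for tool output (separated so they can be checked offline) ---

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# `socketfilterfw --getglobalstate` prints "Firewall is enabled. (State = 1)"
# or "Firewall is disabled. (State = 0)"; State = 2 means block all incoming.
firewall_state() {
    case "$1" in
        *"State = 1"*|*"State = 2"*) echo on ;;
        *"State = 0"*)               echo off ;;
        *)                           echo unknown ;;
    esac
}

# `csrutil status` prints "System Integrity Protection status: enabled."
sip_state() {
    case "$1" in
        *"status: enabled"*)  echo on ;;
        *"status: disabled"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# `dscl . -read /Groups/admin GroupMembership` prints e.g.
# "GroupMembership: root alice bob". Echoes yes/no for the account in $2.
is_admin_member() {
    members=${1#GroupMembership:}
    for m in $members; do
        if [ "$m" = "$2" ]; then echo yes; return 0; fi
    done
    echo no
}

# Number of failing checks; a non-zero script exit code is shown as
# "Failed" for the device in the Intune portal (assumed convention here).
posture_failures() {
    n=0
    [ "$1" = on ] || n=$((n + 1))   # FileVault
    [ "$2" = on ] || n=$((n + 1))   # firewall
    [ "$3" = on ] || n=$((n + 1))   # SIP
    echo "$n"
}

# --- Live run, macOS only ---
if [ "$(uname -s)" = Darwin ]; then
    fv=$(filevault_state "$(fdesetup status)")
    fw=$(firewall_state "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)")
    sip=$(sip_state "$(csrutil status)")
    echo "FileVault=$fv Firewall=$fw SIP=$sip"

    # Assumed: the account to demote is supplied as the first script argument
    # in the Intune script settings.
    TARGET_USER=${1:-}
    if [ -n "$TARGET_USER" ] && \
       [ "$(is_admin_member "$(dscl . -read /Groups/admin GroupMembership)" "$TARGET_USER")" = yes ]; then
        dseditgroup -o edit -d "$TARGET_USER" -t user admin && echo "Demoted $TARGET_USER from admin"
    fi
    exit "$(posture_failures "$fv" "$fw" "$sip")"
fi
```

Keeping the parsers separate from the commands also makes it obvious when Apple changes a tool's wording: the "unknown" branch counts as a failure, so the script reports rather than silently passes.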

7. Conditional Access Policies (via Azure AD)

Purpose: Control access to company resources based on device compliance

  • Only allow access if:

    • Device is compliant

    • Device is Intune-enrolled

    • Device is from a known location

  • Block access to:

    • Outlook

    • SharePoint

    • Teams

    • Other SaaS apps (Salesforce, Dropbox, etc.)


8. Application Deployment Policies

Purpose: Install apps silently or on-demand

  • VPP Apps (Apple Business Manager)

    • Microsoft 365

    • Company Portal

    • Antivirus

  • .pkg file uploads

    • Custom apps

    • CLI tools

  • App install behavior

    • Required or available

    • Install during check-in

    • Notify on install or silent


9. Enrollment Profiles

Purpose: Control user experience during device setup

  • Create standard user during setup (no admin rights)

  • Skip Setup Assistant screens (Apple ID, Siri, etc.)

  • Lock MDM enrollment (the user cannot remove the management profile)

  • Assign profiles to ADE-enrolled devices

