SYSTEM ADMIN BOOK
  • Hardware/Physical Machines
    • Physical Networking
      • Patch Panel
    • Hardware Devices
    • PC Build
    • RAID Configs
  • System Configuration
    • Windows
      • OneDrive for Business, Map as Network Drive in Windows
      • PDF Printer
      • Reset Windows Password
    • Linux
    • Mac
      • Factory Reset Mac Mini
      • Install FortiClient VPN
      • Remove FortiClient VPN for Macs
      • Setting Microsoft Teams Notifications in MacOS
      • Download and Install Whatsapp
  • Windows Server
    • Troubleshooting
      • 100% Disk Usage Issue
      • Maximum Path Length Limitation
    • Basic Configurations
      • Change Hostname
      • Change Default RDP Port
      • Create a User
      • Add user to Administrator group
      • Add user to Remote Desktop Users group
      • Allow log on locally - security policy setting
      • Allow Multiple Remote Desktop Connections
      • Enable Insure Guest Authentication
      • Shrink Partition
      • Extend Partition
    • FTP Server
      • Install FTP Server (IIS)
      • Create User Group
      • Add FTP Site (IIS)
      • User Isolation
      • Allow Firewall
      • FTP Client (FileZilla)
      • FTP Server (FileZilla)
      • Configure Passive Mode in FileZilla Server
      • Configuring Windows Firewall for FileZilla Server
      • FileZilla: Password reset
      • Generate a New Self-Signed Certificate
    • Group Policy
      • Block Access to the Control Panel for All Users
      • Create a Logon Banner (Legal Notice)
      • Enable / Disable Copy-Paste Policy
      • Disable Shutdown, Restart Options
      • Disable Multiple Session for Single User
      • Disable Automatic Lock Screen in Windows Server
    • Services
      • NSSM - the Non-Sucking Service Manager
      • Node-windows Library
    • Task Scheduler
      • Automate Program Execution
      • Restart Windows Server Daily
    • Auditing and Diagnostincs
      • Enabling the System Event Audit Log
      • Audit RDP Port Change Event
      • Check the read/write speed of your hard drive
      • Clear temp file and .trc file
    • Event Viewer
      • Restart / Shutdown Event
  • Control Panels
    • Plesk
      • Set Hard Quota on disk space for subscription(s)
      • Changing MX, A, and CNAME Records
      • Host Node.js Application
      • Add FTP account
      • Remove FTP account
      • Download a folder using Plesk File Manager
      • Install WordPress on domain using WP Toolkit
      • Change the name of a Subscription system user
      • Exporting and Importing Database Dumps
    • OVI Panel
      • DNS Zone Editor
    • SolidCP
      • Add a MS SQL database in SolidCP
    • cPanel
  • Virtualization
    • Proxmox VE
      • Introduction
      • Download Proxmox ISO
      • Prepare Installation Media
      • Launch Proxmox Installer
      • Create a VM
  • Web Servers
    • IIS
      • Install IIS
      • Configure Default Site
      • Application Pool
      • Installing PHP
      • Deploy a PHP Application
      • Deploying a Laravel app on Windows using IIS
      • Update PHP Version in IIS
      • Host a Node.js /w Next.js Application
    • JBoss
  • VPNs and Proxy Servers
    • Reverse Proxy
      • IIS - Node.js Application
  • Database Servers
    • MS SQL
      • Download and Install
      • Install SSMS
      • Uninstall an Instance of SQL Server
      • Enable SA Account
      • Change SA Account Password
      • Enable Network Access to SQL Express
      • Create and configure a user in MSSQL
      • Clear SQL Server Cache
      • Setting Infinite Timeout in SQL Server Contexts
      • Take SQL Server Database Offline
      • Memory configuration
  • Web Dev Stacks
    • MERN (w/ Next)
      • Build and Run Node.js Project with Next.js
  • IT Ticketing Systems
    • Jira Ticketing System
  • Linux Servers
  • AWS Environment
  • Azure Environment
  • Backup and Security
    • SSL Certificates
      • Types of SSL Certificates
      • IIS 10: Create CSR and Install SSL Certificate
      • IIS 7: Generate CSR for Wildcard SSL
      • IIS: Generate CSR for Multi-Domain SSL
      • OpenSSL: Generate CSR
      • IIS 10: How to Install and Configure Your SSL Certificate on Windows Server
      • IIS: Export Pfx using MMC
      • IIS: Import Pfx using MMC
      • IIS: Export Pfx using IIS Manager
      • IIS: Import Pfx using IIS Manager
      • cPanel: Export PFX
      • Godaddy-CPanel: Generate a CSR
      • Godaddy-CPanel: Install SSL Certificate
      • cPanel: Generate CSR
      • cPanel: Install SSL Certificate
      • cPanel: Install Let's Encrypt SSL
      • Plesk: Generate CSR
      • Plesk: Let's Encrypt SSL Installation
      • Plesk: Installing the SSL certificate
      • Plesk: Export Public & Private Key
      • Win-ACME Let's Encrypt SSL
      • Certbot - Install SSL
      • Export Leaf, Root, and Intermediate Files
      • XAMPP - Let's Encrypt SSL Installation
      • JBoss Web Server: CSR Generation
      • JBoss: Install SSL Certificate
    • Backup
      • Database
        • MS SQL DB Backup
        • MS SQL Restore Backup
    • Microsoft Defender for Endpoint
      • Introduction & Licenses
    • Microsoft Intune - Endpoint Management
      • Product Introduction
      • Intune Policies for MacOS
      • Enroll your macOS device using the Company Portal app
    • Vulnerability Scanning
      • OpenVAS Quick Guide
      • Nessus Quick Guide
    • Acronis
      • Download and Install the Acronis Cyber Protection Agent
      • Performing a file-level backup
      • Creating a disk-level backup
      • Performing a file-level recovery
      • Enabling Active Protection and Vulnerability Assessment
  • Email and Office 365
    • Troubleshooting
      • Run a message trace in the Exchange admin center
      • Not receiving email
      • Office 365 Apps Activation Error
      • Gmail Issue: Clearing Cache and Cookies
      • Excel worksheet, right click insert not functioning
      • Microsoft 365 Apps activation error: “Your organization has disabled this device”
    • Hybrid Mail Setup
      • Set Up Connectors Between Microsoft 365 and SmarterMail
    • Email Authentication
      • Protocols
    • Mail Clients
      • Outlook
        • Maximum number of Exchange accounts in an Outlook profile
        • Enable automatic forwarding in new Outlook
        • Add Email Signature
        • Create Email Singature
        • Gmail Account Login in Outlook
        • Enable desktop notifications for Outlook on the Web (OWA) in Windows
        • Move Mails to Specific Folders
      • Apple Mail
        • Add email accounts in Mail on Mac
        • Add Mail Signatures
      • Gmail
        • Mail Forwarding to Another Account
        • Set Up an Auto-Reply (Vacation Responder) in Gmail
    • Office 365
      • Intro & Subscriptions
      • How to Create a Trial Account
      • How to Access the Office 365 Admin Center
      • Creating a Tenant
      • Create Users
      • Add several users at the same time to Microsoft 365
      • Creating & Managing Roles
      • Add a Domain
      • Manage MFA
      • Let users reset their own passwords
      • Assign Global Admin Roles
      • Create APP Password
      • Change a user name and email address
      • Reset MFA for Microsoft 365 User
      • Configure email forwarding
      • Add email aliases to a user
      • Change Username or Email Address
      • Export Mailbox to PST From Office 365
      • Import PST to Exchange Online (Microsoft O365)
      • Enable archive mailboxes for Microsoft 365
      • Grant Export Permission in M365 Compliance Center
      • Generate Transfer Token
    • Google Workspace
      • Intro & Plans
      • Create your Google Workspace trial account
      • Review your DNS records
      • Adding Users
      • Create organizational units
      • Restrict access to a Google Workspace service
      • Edit user attributes
      • Manage user accounts
      • Suspend a User
      • Generate a Transfer Token
      • Reduce Licenses in Google Workspace
      • Auto-forward From Google Workspace Using Routing
      • Recovering administrator access to your account
    • MailEnable
    • SmarterMail
      • SmarterMail Installation
      • SmarterMail Server Setup
      • Installation and Configuration (Practical)
      • Enable / Disable Domain in SmarterMail
      • Enable / Disable MFA for User Accounts
      • Create an Administrator User in SmarterMail
    • Microsoft Teams
      • Guest Access vs. External Access
      • Adding Guests To Microsoft Teams Team
      • Teams Chat DIfferent Domain: Enable External Access
      • Setup Teams Time Zone and Work Hours
      • Add Contact Numbers in Profile Page
    • Microsoft Defender for Office 365
      • Remove blocked users from the Restricted entities page
    • Microsoft Purview
      • Create a Retention Policy for Archiving in M365
  • DevOps
  • Firewalls and Access Points
    • Windows Firewall
      • Allow Ports on Windows Firewall
    • Sophos Firewall
      • Set up a new firewall with Sophos Central
      • Enable Sophos Central management of Sophos Firewall
  • Networking
    • Troubleshooting
    • Cisco Router Config
    • Cisco Switch Config
      • Basic Data and Voice VLAN Setup Homelab
  • Migration
    • Drive Migration
      • Google Drive to One Drive
      • One Drive to One Drive [SharePoint Migration Tool]
      • Migrate Google files to Microsoft 365 for business
    • Mail Migration
      • Google Workspace to Office 365 (Manual Method)
      • Google Workspace to Office 365 (Automatic Method)
      • IMAP to Office 365
      • Migration Using PST File Method
      • Office 365 to Google Workspace Migration
      • G-Suite to G-Suite Migration
    • VM Migration
    • Website Migration
      • Migrating IIS Sites Using Web Deploy
      • Plesk to Plesk Migration
    • Database Migration
  • Monitoring
    • Prometheus
      • Monitoring Windows Servers Using Prometheus
    • Grafana
      • Visualize Data in Grafana
    • Loki
  • Data Center
    • HPE ProLiant ILO Configuration
  • Other Technologies
    • Some R&Ds
      • Active vs. Passive Mode in FTP
      • IIS Recycling and Virtual Memory Limit
      • IIS Application Pool
Powered by GitBook
On this page
  • 1. Device Configuration Profiles (Settings and Restrictions)
  • 2. Compliance Policies
  • 3. App Protection Policies (MAM)
  • 4. App Configuration Policies
  • 5. Shell Script Deployment
  • 6. Endpoint Security Policies
  • 7. Conditional Access Policies (via Azure AD)
  • 8. Application Deployment Policies
  • 9. Enrollment Profiles
  • REFERENCES

Was this helpful?

  1. Backup and Security
  2. Microsoft Intune - Endpoint Management

Intune Policies for MacOS

1. Device Configuration Profiles (Settings and Restrictions)

Purpose: Configure system settings, restrict features

  • General Settings

    • Set custom name, wallpaper

    • Configure login window preferences

    • Prevent local account creation

  • Device Restrictions

    • Disable camera, iCloud sync, Siri, AirDrop, Bluetooth, etc.

    • Restrict app installation

    • Prevent users from modifying Wi-Fi, VPN, or proxy settings

    • Disable System Preferences access

    • Block USB drives and external media

  • Security Settings

    • Require FileVault (disk encryption)

    • Require password after sleep or screen saver

    • Set password complexity requirements

    • Block Touch ID for login

    • Disable system diagnostics submission

  • System Preferences Restrictions

    • Prevent access to Network, Security, or Users & Groups panes

2. Compliance Policies

Purpose: Define what makes a device "compliant"

  • Require:

    • Password + complexity

    • Encryption (FileVault enabled)

    • Minimum macOS version

    • Antivirus status

    • Company Portal app installed

    • Not jailbroken/rooted

  • Custom compliance messaging

  • Mark as non-compliant → trigger Conditional Access (block apps/resources)

3. App Protection Policies (MAM)

Purpose: Control data access inside apps (mainly for Office apps)

  • Prevent copy/paste between personal and work apps

  • Require encryption for app data

  • Require PIN or biometric to open apps

  • Wipe corporate data if the app is inactive or the device is unenrolled

  • Prevent saving to local storage

Note: Limited to Intune-managed apps like Microsoft 365 (Word, Outlook, Excel, etc.)

4. App Configuration Policies

Purpose: Pre-configure app settings for users

  • Pre-sign-in URLs, default tenant ID (for Teams, Outlook, etc.)

  • Automatically sign users into Office apps

  • Block specific features within apps (e.g., signatures in Outlook)

  • Set up VPN settings for apps

5. Shell Script Deployment

Purpose: Push custom scripts to Macs for extra control

  • Remove admin rights from user

  • Configure system preferences

  • Block USB storage

  • Set proxy settings

  • Disable terminal or system processes

  • Modify plist files or local configuration files

6. Endpoint Security Policies

Purpose: Harden the OS and ensure security posture

  • Antivirus (if 3rd party installed like SentinelOne, CrowdStrike)

  • Disk Encryption (FileVault)

    • Enable and escrow recovery keys

    • Require for compliance

  • Firewall Settings

    • Enable macOS firewall

    • Configure incoming/outgoing rules

  • Attack Surface Reduction

    • Configure system integrity protection

    • Block sharing features

7. Conditional Access Policies (via Azure AD)

Purpose: Control access to company resources based on device compliance

  • Only allow access if:

    • Device is compliant

    • Device is Intune-enrolled

    • Device is from a known location

  • Block access to:

    • Outlook

    • SharePoint

    • Teams

    • Other SaaS apps (Salesforce, Dropbox, etc.)

8. Application Deployment Policies

Purpose: Install apps silently or on-demand

  • VPP Apps (Apple Business Manager)

    • Microsoft 365

    • Company Portal

    • Antivirus

  • .pkg file uploads

    • Custom apps

    • CLI tools

  • App install behavior

    • Required or available

    • Install during check-in

    • Notify on install or silent

9. Enrollment Profiles

Purpose: Control user experience during device setup

  • Create standard user during setup (no admin rights)

  • Skip Setup Assistant screens (Apple ID, Siri, etc.)

  • Lock MDM enrollment (cannot remove)

  • Assign profiles to ADE-enrolled devices

REFERENCES

  • https://www.anoopcnair.com/device-restriction-settings-offered-by-intune/

  • https://www.stanfieldit.com/microsoft-intune-features/

PreviousProduct IntroductionNextEnroll your macOS device using the Company Portal app

Last updated 13 days ago

Was this helpful?