Onboard and offboard macOS devices into Microsoft Purview solutions using Intune

You can use Microsoft Intune to onboard macOS devices into Microsoft Purview solutions.

Applies to:

• Endpoint data loss prevention (DLP)
• Insider risk management

Before you begin

• Make sure your macOS devices are onboarded into Intune and are enrolled in the Company Portal app.
• Make sure you have access to the Microsoft Intune admin center.
• Create the user groups that you're going to assign the configuration updates to.
• OPTIONAL: Install the v95+ Microsoft Edge browser on your macOS devices to have native Endpoint DLP support on Microsoft Edge.

Onboard macOS devices into Microsoft Purview solutions using Microsoft Intune

Onboarding a macOS device into Purvoiew solutions is a multi-phase process.

1. Get the device onboarding package
2. Deploy the mobileconfig and onboarding packages
3. Publish the application

Prerequisites

Download the following files:

Get the device onboarding package

1. In the Microsoft Purview portal open Settings > Device Onboarding and then choose Onboarding.

2. For the Select operating system to start onboarding process option, choose macOS.

3. For Deployment method, choose Mobile Device Management/Microsoft Intune.

4. Choose Download onboarding package.

5. Extract the .ZIP file and open the Intune folder. This contains the onboarding code in the DeviceComplianceOnboarding.xml file.

Deploy the mobileconfig and onboarding packages

1. Open the Microsoft Intune admin center and navigate to Devices > macOS > Configuration.

2. Choose: + Create and then choose New policy.

3. Select the following values:

   1. Platform = macOS
   2. Profile type = Templates
   3. Template name = Custom

4. Choose Create.

5. On the Basics page, Enter a name for the profile, such as Microsoft Purview System MobileConfig, and then Choose Next.

6. On the Configuration settings page, Choose the mdatp.mobileconfig file that you downloaded in the pre-requisites section as the configuration profile file.

7. Choose Next.

8. On the Assignments tab, add the group you want to deploy these configurations to and then choose Next.

9. Review your settings and then choose Create to deploy the configuration.

10. Repeat steps 2-9 to create profiles for the:

    1. DeviceComplianceOnboarding.xml file. Name it Microsoft Purview Device Onboarding Package
    2. com.microsoft.wdav.mobileconfig file. Name it Microsoft Endpoint Device Preferences

11. In the macOS Configuration policies page, the policies you created now display. Select Refresh if your changes don't show up right away.

12. Choose the profile that you just created. Next, view the Device and user check-in status report of the configuration policy.

Publish the application

Microsoft Endpoint data loss protection is installed as a component of Microsoft Defender for Endpoint on macOS. This procedure applies to onboarding devices into Microsoft Purview solutions

1. In the Microsoft Intune admin center, open Apps.

2. Select macOS.

3. On the macOS > macOS apps page, select Create.

4. On the Select app type > Create app slider, select the App type drop-down and then macOS under Microsoft Defender for Endpoint.

5. Choose the Select button.

6. On the App Information tab, keep the default values and then choose Next.

7. On the Assignments tab, add assignments and then choose Next.

8. You can visit Apps > macOS to see the new application listed.

Offboard macOS devices using Intune

1. In the Microsoft Intune admin center, open Devices > macOS > Configuration. The policies you created are listed.

2. Select Microsoft Endpoint Device Preferences policy.

3. Under Properties > Assignments, choose Edit.

4. Remove the group from the assignment. This will uninstall the com.microsoft.wdav.mobileconfig configuration profile file and offboard the macOS device from Purview solutions.