Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
You can use Microsoft Intune to onboard macOS devices into Microsoft Purview solutions.
Important
Use this procedure if you have already deployed Microsoft Defender for Endpoint (MDE) to your macOS devices.
Applies to:
- Customers who have MDE deployed to their macOS devices.
- Endpoint data loss prevention (DLP)
- Insider risk management
Before you begin
- Make sure your macOS devices are onboarded to Intune and enrolled in the Company Portal app.
- Make sure you have access to the Microsoft Intune admin center.
- OPTIONAL: Install the v95+ Microsoft Edge browser on your macOS devices.
Note
The three most recent major releases of macOS are supported.
Onboard macOS devices into Microsoft Purview solutions using Microsoft Intune
If Microsoft Defender for Endpoints (MDE) has already been deployed to your macOS device, you can still onboard that device into Purview solutions. Doing so is multi-phase process:
- Create system configuration profiles
- Update existing system configuration profiles
- Update MDE preferences
Prerequisites
Download the following files:
| File | Description |
|---|---|
| accessibility.mobileconfig | Used for accessibility |
| fulldisk.mobileconfig | Used to grant full disk access (FDA). |
Note
To download the files:
- Right-click the link and select Save link as....
- Choose a folder and save the file.
Create system configuration profiles
Open the Microsoft Intune admin center and navigate to Devices > macOS > Configuration.
On the Policies page choose: + Create and then choose New policy.
Select the following values:
- Platform = macOS
- Profile type = Templates
- Template name = Custom
Choose Create.
On the Basics tab, Enter a name for the profile, for instance: Microsoft Purview Accessibility Permission, and then choose Next.
On the Configuration settings tab, Choose the
accessibility.mobileconfigas the configuration profile file (downloaded as part of the prerequisites) and then choose Next.On the Assignments tab, add the group you want to deploy this configuration to and then choose Next.
Review your settings and then choose Create to deploy the configuration.
Still on the macOS > Configuration policies page. The profiles you created display (you may have to choose refresh).
Choose the new policy. Next, choose Device assignment status to see a list of devices and the deployment status of the configuration profile.
Update existing system configuration profiles
A full disk access (FDA) configuration profile should have been created and deployed previously for MDE. (For details, see Intune-based deployment for Microsoft Defender for Endpoint on Mac). Endpoint data loss prevention (DLP) requires additional FDA permission for the new application (
com.microsoft.dlp.daemon).Update the existing FDA configuration profile with the downloaded
fulldisk.mobileconfigfile.
Update MDE preferences
Find the existing MDE Preferences configuration profile. See Intune-based deployment for Microsoft Defender for Endpoint on Mac for details.
Add the following key to the .mobileconfig file, then save the file.
<key>features</key> <dict> <key>dataLossPrevention</key> <string>enabled</string> </dict>
Offboard macOS devices using Microsoft Intune
Important
Offboarding causes the device to stop sending sensor data to the portal. However, data received from the device, including references to any alerts it has had, will be retained for up to six months.
In the Microsoft Intune admin center, open Devices > Configuration. The policies you created display.
Choose the MDE preferences policy.
Under Properties > Configuration Settings, choose Edit
Remove these settings:
<key>features</key> <dict> <key>dataLossPrevention</key> <string>enabled</string> </dict>Choose **Review+**Save. This will offboard the macOS device from Purview solutions while not changing the macOS device enrollment in MDE.