Microsoft To-Do articles on MacRumors.com. Microsoft today announced the preview launch of a new 'intelligent task management app' that's designed to make it easier to plan and manage a day's.
-->This article lists and describes the different compliance settings you can configure on macOS devices in Intune. As part of your mobile device management (MDM) solution, use these settings to set a minimum or maximum OS version, set passwords to expire, and more.
This feature applies to:
- macOS
As an Intune administrator, use these compliance settings to help protect your organizational resources. To learn more about compliance policies, and what they do, see get started with device compliance.
Before you begin
Create a compliance policy. For Platform, select macOS.
Device Health
- Require a system integrity protection:
- Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
- Require - Require macOS devices to have System Integrity Protection (opens Apple's web site) enabled.
Device Properties
Minimum OS required:
When a device doesn't meet the minimum OS version requirement, it's reported as non-compliant. A link with information on how to upgrade is shown. The device user can choose to upgrade their device. After that, they can access organization resources.Maximum OS version allowed:
When a device uses an OS version later than the version in the rule, access to organization resources is blocked. The device user is asked to contact their IT administrator. The device can't access organization resources until a rule changes to allow the OS version.Minimum OS build version:
When Apple publishes security updates, the build number is typically updated, not the OS version. Use this feature to enter a minimum allowed build number on the device.Maximum OS build version:
When Apple publishes security updates, the build number is typically updated, not the OS version. Use this feature to enter a maximum allowed build number on the device.
System security settings
Password
Require a password to unlock mobile devices:
- Not configured (default)
- Require Users must enter a password before they can access their device.
Simple passwords:
- Not configured (default) - Users can create passwords simple like 1234 or 1111.
- Block - Users can't create simple passwords, such as 1234 or 1111.
Minimum password length:
Enter the minimum number of digits or characters that the password must have.Password type:Choose if a password should have only Numeric characters, or if there should be a mix of numbers and other characters (Alphanumeric).
Number of non-alphanumeric characters in password:
Enter the minimum number of special characters, such as&
,#
,%
,!
, and so on, that must be in the password.Setting a higher number requires the user to create a password that is more complex.
Maximum minutes of inactivity before password is required:
Enter the idle time before the user must reenter their password.Password expiration (days):
Select the number of days before the password expires, and they must create a new one.Number of previous passwords to prevent reuse:
Enter the number of previously used passwords that can't be used.
Important
When the password requirement is changed on a macOS device, it doesn’t take effect until the next time the user changes their password. For example, if you set the password length restriction to eight digits, and the macOS device currently has a six digits password, then the device remains compliant until the next time the user updates their password on the device.
Encryption
- Encryption of data storage on a device:
- Not configured (default)
- Require - Use Require to encrypt data storage on your devices.
Device Security
Firewall protects devices from unauthorized network access. You can use Firewall to control connections on a per-application basis.
Firewall:
- Not configured (default) - This setting leaves the firewall turned off, and network traffic is allowed (not blocked).
- Enable - Use Enable to help protect devices from unauthorized access. Enabling this feature allows you to handle incoming internet connections, and use stealth mode.
Incoming connections:
- Not configured (default) - Allows incoming connections and sharing services.
- Block - Block all incoming network connections except the connections required for basic internet services, such as DHCP, Bonjour, and IPSec. This setting also blocks all sharing services, including screen sharing, remote access, iTunes music sharing, and more.
Stealth Mode:
- Not configured (default) - This setting leaves stealth mode turned off.
- Enable - Turn on stealth mode to prevent devices from responding to probing requests, which can be made my malicious users. When enabled, the device continues to answer incoming requests for authorized apps.
Gatekeeper
For more information, see Gatekeeper on macOS (opens Apple's web site).
Allow apps downloaded from these locations: Allows supported applications to be installed on your devices from different locations. Your location options:
- Not configured (default) - The gatekeeper option has no impact on compliance or non-compliance.
- Mac App Store - Only install apps for the Mac app store. Apps can't be installed from third parties nor identified developers. If a user selects Gatekeeper to install apps outside the Mac App Store, then the device is considered not compliant.
- Mac App Store and identified developers - Install apps for the Mac app store and from identified developers. macOS checks the identity of developers, and does some other checks to verify app integrity. If a user selects Gatekeeper to install apps outside these options, then the device is considered not compliant.
- Anywhere - Apps can be installed from anywhere, and by any developer. This option is the least secure.
Next steps
- Add actions for noncompliant devices and use scope tags to filter policies.
- Monitor your compliance policies.
- See the compliance policy settings for iOS devices.
Applies to: Configuration Manager (current branch)
Keep the following considerations in mind when you create and deploy applications for Mac computers.
Important
The procedures in this topic cover information about deploying applications to Mac computers on which you installed the Configuration Manager client. Mac computers that you enrolled with Microsoft Intune do not support application deployment.
General considerations
Macbook App Store
You can use Configuration Manager to deploy applications to Mac computers that run the Configuration Manager Mac client. The steps to deploy software to Mac computers are similar to the steps to deploy software to Windows computers. However, before you create and deploy applications for Mac computers that are managed by Configuration Manager, consider the following:
Before you can deploy Mac application packages to Mac computers, you must use the CMAppUtil tool on a Mac computer to convert these applications into a format that can be read by Configuration Manager.
Configuration Manager does not support the deployment of Mac applications to users. Instead, these deployments must be made to a device. Similarly, for Mac application deployments, Configuration Manager does not support the Pre-deploy software to the user’s primary device option on the Deployment Settings page of the Deploy Software Wizard.
Mac applications support simulated deployments.
You cannot deploy applications to Mac computers that have a purpose of Available.
The option to send wake-up packets when you deploy software is not supported for Mac computers.
Mac computers do not support Background Intelligent Transfer Service (BITS) for downloading application content. If an application download fails, it is restarted from the beginning.
Configuration Manager does not support global conditions when you create deployment types for Mac computers.
Steps to create and deploy an application
The following table provides the steps, details, and information for creating and deploying applications for Mac computers.
Step | Details |
---|---|
Step 1: Prepare Mac applications for Configuration Manager | Before you can create Configuration Manager applications from Mac software packages, you must use the CMAppUtil tool on a Mac computer to convert the Mac software into a Configuration Manager.cmmac file. |
Step 2: Create a Configuration Manager application that contains the Mac software | Use the Create Application Wizard to create an application for the Mac software. |
Step 3: Create a deployment type for the Mac application | This step is required only if you did not automatically import this information from the application. |
Step 4: Deploy the Mac application | Use the Deploy Software Wizard to deploy the application to Mac computers. |
Step 5: Monitor the deployment of the Mac application | Monitor the success of application deployments to Mac computers. |
Supplemental procedures to create and deploy applications for Mac computers
Microsoft To Do App Mac Os 10
Use the following procedures to create and deploy applications for Mac computers that are managed by Configuration Manager.
Step 1: Prepare Mac applications for Configuration Manager
The process for creating and deploying Configuration Manager applications to Mac computers is similar to the deployment process for Windows computers. However, before you create Configuration Manager applications that contain Mac deployment types, you must prepare the applications by using the CMAppUtil tool. This tool is downloaded with the Mac client installation files. The CMAppUtil tool can gather information about the application, which includes detection data from the following Mac packages:
Apple Disk Image (.dmg)
Meta Package File (.mpkg)
Mac OS X Installer Package (.pkg)
Mac OS X Application (.app)
After it gathers application information, the CMAppUtil then creates a file with the extension .cmmac. This file contains the installation files for the Mac software and information about detection methods that can be used to evaluate whether the application is already installed. CMAppUtil can also process .dmg files that contain multiple Mac applications and create different deployment types for each application.
Copy the Mac software installation package to the folder on the Mac computer where you extracted the contents of the macclient.dmg file that you downloaded from the Microsoft Download Center.
On the same Mac computer, open a terminal window and navigate to the folder where you extracted the contents of the macclient.dmg file.
Navigate to the Tools folder and type the following command-line command:
./CMAppUtil<properties>
For example, say you want to convert the contents of an Apple disk image file named MySoftware.dmg that's stored in the user's desktop folder into a cmmac file in the same folder. You also want to create cmmac files for all applications that are found in the disk image file. To do this, use the following command line:
./CMApputil –c /Users/<User Name>/Desktop/MySoftware.dmg -o /Users/<User Name>/Desktop -a
Note
The application name can't be more than 128 characters.
To configure options for CMAppUtil, use the command-line properties in the following table:
Property More information -h Displays the available command-line properties. -r Outputs the detection.xml of the provided .cmmac file to stdout. The output contains the detection parameters and the version of CMAppUtil that was used to create the .cmmac file. -c Specifies the source file to be converted. -o Specifies the output path in conjunction with the –c property. -a Automatically creates .cmmac files in conjunction with the –c property for all applications and packages in the disk image file. -s Skips generating the detection.xml if no detection parameters are found and forces the creation of the .cmmac file without the detection.xml file. -v Displays more detailed output from the CMAppUtil tool together with diagnostic information. Ensure that the .cmmac file has been created in the output folder that you specified.
Create a Configuration Manager application that contains the Mac software
Use the following procedure to help you create an application for Mac computers that are managed by Configuration Manager.
In the Configuration Manager console, choose Software Library > Application Management > Applications.
On the Home tab, in the Create group, choose Create Application.
On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files.
Note
If you want to specify information about the application yourself, select Manually specify the application information. For more information about how to manually specify the information, see How to create applications with Configuration Manager.
In the Type drop-down list, select Mac OS X.
In the Location field, specify the UNC path in the form <server><share><filename> to the Mac application installation file (.cmmac file) that will detect application information. Alternatively, choose Browse to browse to and specify the installation file location.
Note
You must have access to the UNC path that contains the application.
Choose Next.
On the Import Information page of the Create Application Wizard, review the information that was imported. If necessary, you can choose Previous to go back and correct any errors. Choose Next to proceed.
On the General Information page of the Create Application Wizard, specify information about the application such as the application name, comments, version, and an optional reference to help you reference the application in the Configuration Manager console.
Note
Some of the application information might already be on this page if it was previously obtained from the application installation files.
Choose Next, review the application information on the Summary page, and then complete the Create Application Wizard.
The new application is displayed in the Applications node of the Configuration Manager console.
Step 3: Create a deployment type for the Mac application
Use the following procedure to help you create a deployment type for Mac computers that are managed by Configuration Manager.
Note
If you automatically imported information about the application in the Create Application Wizard, a deployment type for the application might already have been created.
Macos App Store
In the Configuration Manager console, choose Software Library > Application Management > Applications.
Select an application. Then, on the Home tab, in the Application group, choose Create Deployment Type to create a new deployment type for this application.
Note
You can also start the Create Deployment Type Wizard from the Create Application Wizard and from the Deployment Types tab of the <application name>Properties dialog box.
On the General page of the Create Deployment Type Wizard, in the Type drop-down list, select Mac OS X.
In the Location field, specify the UNC path in the form <server><share><filename> to the application installation file (.cmmac file). Alternatively, choose Browse to browse to and specify the installation file location.
Note
You must have access to the UNC path that contains the application.
Choose Next.
On the Import Information page of the Create Deployment Type Wizard, review the information that was imported. If necessary, choose Previous to go back and correct any errors. Choose Next to continue.
On the General Information page of the Create Deployment Type Wizard, specify information about the application such as the application name, comments, and the languages in which the deployment type is available.
Note
Some of the deployment type information might already be on this page if it was previously obtained from the application installation files.
Choose Next.
On the Requirements page of the Create Deployment Type Wizard, you can specify the conditions that must be met before the deployment type can be installed on Mac computers.
Choose Add to open the Create Requirement dialog box and add a new requirement.
Note
You can also add new requirements on the Requirements tab of the <deployment type name>Properties dialog box.
From the Category drop-down list, select that this requirement is for a device.
From the Condition drop-down list, select the condition that you want to use to assess whether the Mac computer meets the installation requirements. The contents of this list varies depending on the category that you select.
From the Operator drop-down list, choose the operator to use to compare the selected condition to the specified value to assess whether the user or device meets the installation requirements. The available operators vary depending on the selected condition.
In the Value field, specify the values to use with the selected condition and operator to assess whether the user or device meets in the installation requirement. The available values vary depending on the condition and operator that you select.
Choose OK to save the requirement rule and exit the Create Requirement dialog box.
On the Requirements page of the Create Deployment Type Wizard, choose Next.
On the Summary page of the Create Deployment Type Wizard, review the actions for the wizard to take. If necessary, choose Previous to go back and change deployment type settings. Choose Next to create the deployment type.
After the Progress page finishes, review the actions that have been taken, and then choose Close to complete the Create Deployment Type Wizard.
If you started this wizard from the Create Application Wizard, you will return to the Deployment Types page.
Deploy the Mac application
The steps to deploy an application to Mac computers are the same as the steps to deploy an application to Windows computers, except for the following differences:
The deployment of applications to users is not supported.
Deployments that have a purpose of Available are not supported.
The Pre-deploy software to the user’s primary device option on the Deployment Settings page of the Deploy Software Wizard is not supported.
Because Mac computers do not support Software Center, the setting User notifications on the User Experience page of the Deploy Software Wizard is ignored.
The option to send wake-up packets when you deploy software is not supported for Mac computers.
Note
You can build a collection that contains only Mac computers. To do so, create a collection that uses a query rule and use the example WQL query in the How to create queries topic.
For more information, see Deploy applications.
Step 5: Monitor the deployment of the Mac application
Mac App Store Download
You can use the same process to monitor application deployments to Mac computers as you would to monitor application deployments to Windows computers.
Apple Mac
For more information, see Monitor applications.