Onboard and offboard macOS devices into Microsoft Purview solutions using Intune

You can use Microsoft Intune to onboard macOS devices into Microsoft Purview solutions.

Important

Use this procedure if you do not have Microsoft Defender for Endpoint (MDE) deployed to your macOS devices

Applies to:

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Before you begin

Note

The three most recent major releases of macOS are supported.

Onboard macOS devices into Microsoft Purview solutions using Microsoft Intune

Onboarding a macOS device into Compliance solutions is a multi-phase process.

  1. Get the device onboarding package
  2. Deploy the mobileconfig and onboarding packages
  3. Publish the application

Prerequisites

Download the following files:

File Description
mdatp-nokext.mobileconfig System mobile config file
com.microsoft.wdav.mobileconfig. MDE preferences

Tip

We recommend downloading the bundled (mdatp-nokext.mobileconfig) file, rather than the individual .mobileconfig files. The bundled file includes the following required files:

  • accessibility.mobileconfig
  • fulldisk.mobileconfig
  • netfilter.mobileconfig
  • sysext.mobileconfig

If any of these files are updated, you need to either download the updated bundle, or download each updated file individually.

Get the device onboarding package

Screenshot of the Microsoft Intune Configuration settings tab with all fields populated.

  1. In Microsoft Purview Compliance center open Settings > Device Onboarding and then choose Onboarding.

  2. For the Select operating system to start onboarding process option, choose macOS.

  3. For Deployment method, choose Mobile Device Management/Microsoft Intune.

  4. Choose Download onboarding package.

  5. Extract the .ZIP file and open the Intune folder. This contains the onboarding code in the DeviceComplianceOnboarding.xml file.

Deploy the mobileconfig and onboarding packages

  1. Open the Microsoft Intune admin center and navigate to Devices > Configuration profiles.

  2. Choose: Create profile.

  3. Select the following values:

    1. Platform = macOS
    2. Profile type = Templates
    3. Template name = Custom
  4. Choose Create.

  5. Enter a name for the profile, such as Microsoft Purview System MobileConfig, and then Choose Next.

  6. Choose the mdatp-nokext.mobileconfig file that you downloaded in Step 1 as the configuration profile file.

  7. Choose Next.

  8. On the Assignments tab, add the group you want to deploy these configurations to and then choose Next.

  9. Review your settings and then choose Create to deploy the configuration.

  10. Repeat steps 2-9 to create profiles for the:

    1. DeviceComplianceOnboarding.xml file. Name it Microsoft Purview Device Onboarding Package
    2. com.microsoft.wdav.mobileconfig file. Name it Microsoft Endpoint Device Preferences
  11. Open Devices > Configuration profiles. The profiles you created now display.

  12. In the Configuration profiles page, choose the profile that you just created. Next, choose Device status to see a list of devices and the deployment status of the configuration profile.

Note

For the upload to cloud service activity, if you only want to monitor the browser and the URL in the browser address bar, you can enable DLP_browser_only_cloud_egress and DLP_ax_only_cloud_egress.

Here is an example com.microsoft.wdav.mobileconfig.

Publish the application

Microsoft Endpoint data loss protection is installed as a component of Microsoft Defender for Endpoint on macOS. This procedure applies to onboarding devices into Microsoft Purview solutions

  1. In the Microsoft Intune admin center, open Apps.

  2. Select By platform > macOS > Add.

  3. Choose App type=macOS, and then choose Select. Choose Microsoft Defender for Endpoint.

  4. Keep the default values and then choose Next.

  5. Add assignments and then choose Next.

  6. Review your chosen settings and then choose Create.

  7. You can visit Apps > By platform > macOS to see the new application in the list of all applications.

OPTIONAL: Allow sensitive data to pass through forbidden domains

Microsoft Purview DLP checks for sensitive data through all stages of its travels. So, if sensitive data gets posted or sent to an allowed domain, but travels through a forbidden domain, it's blocked. Let's take a closer look.

Say that sending sensitive data via Outlook Live (outlook.live.com) is permissible, but that sensitive data must not be exposed to microsoft.com. However, when a user accesses Outlook Live, the data passes through microsoft.com in the background, as shown:

Screenshot showing the flow of data from source to destination URL.

By default, because the sensitive data passes through microsoft.com on its way to outlook.live.com, DLP automatically blocks the data from being shared.

In some cases, however, you may not be concerned with the domains that data passes through on the back end. Instead, you may only be concerned about where the data ultimately ends up, as indicated by the URL that shows up in the address bar. In this case, outlook.live.com. To prevent sensitive data from being blocked in our example case, you need to specifically change the default setting.

So, if you only want to monitor the browser and the final destination of the data (the URL in the browser address bar), you can enable DLP_browser_only_cloud_egress and DLP_ax_only_cloud_egress. Here's how.

To change the settings to allow sensitive data to pass through forbidden domains on its way to a permitted domain:

  1. Open the com.microsoft.wdav.mobileconfig file.

  2. Under the dlp key, Set DLP_browser_only_cloud_egress to enabled and set DLP_ax_only_cloud_egress to enabled as shown in the following example.

    <key>dlp</key>
         <dict>
             <key>features</key>
             <array>
                <dict>
                    <key>name</key>
                    <string>DLP_browser_only_cloud_egress</string>
                    <key>state</key>
                    <string>enabled</string>
                </dict>
                <dict>
                    <key>name</key>
                    <string>DLP_ax_only_cloud_egress</string>
                    <key>state</key>
                    <string>enabled</string>
                </dict>
             </array>
         </dict>
    

Offboard macOS devices using Intune

Note

Offboarding causes the device to stop sending sensor data to the portal. However, data from the device, including reference to any alerts it has had, will be retained for up to six months.

  1. In the Microsoft Intune admin center, open Devices > Configuration profiles. The profiles you created are listed.

  2. On the Configuration profiles page, choose the wdav.pkg.intunemac profile.

  3. Choose Device status to see a list of devices and the deployment status of the configuration profile.

  4. Open Properties and then Assignments.

  5. Remove the group from the assignment. This will uninstall the wdav.pkg.intunemac package and offboard the macOS device from Compliance solutions.