Use custom settings for macOS devices in Microsoft Intune
Important
Don't use custom configuration profiles for sensitive information, such as Wi-Fi connections or authenticating apps, websites, and more. Instead, use the built-in profiles for sensitive information, as they're designed and configured to handle sensitive information.
Using Microsoft Intune, you can add or create custom settings for your macOS devices using a custom profile. Custom profiles are a feature in Intune. They're designed to add device settings and features that aren't built in to Intune. These settings must be in an .xml or .mobileconfig file.
The Intune settings catalog has many macOS settings, and more are continually added. Before you create a custom profile, look for the settings in the Settings Catalog. It's possible you don't need a custom profile.
You might be able to use Apple Configurator to export existing macOS settings to an .xml or .mobileconfig file. Apple Configurator is designed for the iOS/iPadOS platform, not the macOS platform. Make sure the settings you export are compatible with the macOS version on the devices. For information on resolving incompatible settings, search for Configuration Profile Reference and Mobile Device Management Protocol Reference on the Apple Developer website.
For information on Apple's device management and payload keys, go to:
When you configure the profile, enter the following settings:
Configuration profile name: Enter a name for the policy. This name is shown on the device, and in the Intune status in the Intune admin center.
Deployment channel: Select the channel you want to use to deploy your configuration profile. If you send the profile to the wrong channel, deployment can fail. After you select a channel and save the profile, the channel can't be changed. To select a different channel, create a new profile.
User-targeted payloads don't apply to devices enrolled without user affinity. For more information on whether a payload can be used for a device configuration profile or a user configuration profile, go to Profile-Specific Payload Keys (opens Apple's developer website).
Configuration profile file: Browse to the .xml or .mobileconfig file you created. The max file size is 1000000 bytes (just under 1 MB). The imported file is shown. You can also Remove a file after it's been added.
You can also add device tokens to your .mobileconfig files. Device tokens are used to add device-specific information. For example, to show the serial number, enter {{serialnumber}}. On the device, the text shows similar to 123456789ABC, which is unique to each device. When entering variables, be sure to use curly brackets {{ }}.
App configuration tokens includes a list of variables that can be used. You can also use deviceid or any other device-specific value.
Note
Variables aren't validated in the UI, and are case sensitive. As a result, you may see profiles saved with incorrect input. For example, if you enter {{DeviceID}} instead of {{deviceid}}, then the literal string is shown instead of the device's unique ID. Be sure to enter the correct information.
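Because the UI doesn't validate tokens, a check before upload catches the mistakes described above. The following Python sketch is an added example, not Microsoft's or Intune's own code: it checks the 1000000-byte limit, flags `{{ }}` tokens that aren't in an allow-list, and flags Wi-Fi payloads that belong in a built-in profile. The allow-list holds only the two tokens named in this article, and the function names, the `com.example.assettag` payload, and the sample profile are constructed for illustration.

```python
import plistlib
import re

MAX_BYTES = 1_000_000  # upload limit stated in the article
# Only the two tokens the article names; extend from Intune's token list (assumption).
KNOWN_TOKENS = {"serialnumber", "deviceid"}
# Apple's Wi-Fi payload type; the article says Wi-Fi belongs in a built-in profile.
SENSITIVE_PAYLOAD_TYPES = {"com.apple.wifi.managed"}
TOKEN_RE = re.compile(r"\{\{([^{}]*)\}\}")

def walk_strings(node):
    """Yield every string value nested anywhere in a parsed property list."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for value in (node.values() if isinstance(node, dict) else node):
            yield from walk_strings(value)

def lint_profile(data: bytes) -> list:
    """Return a list of findings for the raw bytes of a .mobileconfig/.xml file."""
    findings = []
    if len(data) > MAX_BYTES:
        findings.append(f"size: {len(data)} bytes exceeds {MAX_BYTES}")
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # plistlib raises several exception types
        return findings + [f"parse: not a valid property list ({exc!r})"]
    for text in walk_strings(profile):
        for name in TOKEN_RE.findall(text):
            if name not in KNOWN_TOKENS:
                hint = " (tokens are case sensitive)" if name.lower() in KNOWN_TOKENS else ""
                findings.append("token: {{" + name + "}} is not a known token" + hint)
    payloads = profile.get("PayloadContent", []) if isinstance(profile, dict) else []
    for payload in payloads:
        if isinstance(payload, dict) and payload.get("PayloadType") in SENSITIVE_PAYLOAD_TYPES:
            findings.append(f"payload: {payload['PayloadType']} should use a built-in profile")
    return findings

# Constructed sample profile (not from the article): one mistyped token, one Wi-Fi payload.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Asset tag {{serialnumber}}",
    "PayloadContent": [
        {"PayloadType": "com.example.assettag", "DeviceId": "{{DeviceID}}"},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "constructed-ssid"},
    ],
})

if __name__ == "__main__":
    print("\n".join(lint_profile(SAMPLE)))
```

An empty list means none of the three checks fired; it doesn't confirm that the payload keys are valid for the macOS version on the devices.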