Onboard and offboard macOS devices into Microsoft Purview solutions using Intune
You can use Microsoft Intune to onboard macOS devices into Microsoft Purview solutions.
Use this procedure if you do not have Microsoft Defender for Endpoint (MDE) deployed to your macOS devices.
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Before you begin
- Make sure your macOS devices are onboarded into Intune and are enrolled in the Company Portal app.
- Make sure you have access to the Microsoft Intune admin center.
- Create the user groups that you're going to assign the configuration updates to.
- OPTIONAL: Install the v95+ Microsoft Edge browser on your macOS devices to have native Endpoint DLP support on Microsoft Edge.
The three most recent major releases of macOS are supported.
Onboard macOS devices into Microsoft Purview solutions using Microsoft Intune
Onboarding a macOS device into Compliance solutions is a multi-phase process.
- Get the device onboarding package
- Deploy the mobileconfig and onboarding packages
- Publish the application
Download the following files:
| File | Description |
|---|---|
| mdatp-nokext.mobileconfig | System mobile config file |
If any of these files are updated, you need to either download the updated bundle, or download each updated file individually.
Get the device onboarding package
In the Microsoft Purview compliance portal, open Settings > Device Onboarding and then choose Onboarding.
For the Select operating system to start onboarding process option, choose macOS.
For Deployment method, choose Mobile Device Management/Microsoft Intune.
Choose Download onboarding package.
Extract the .ZIP file and open the Intune folder. This contains the onboarding code in the DeviceComplianceOnboarding.xml file.
Deploy the mobileconfig and onboarding packages
Open the Microsoft Intune admin center and navigate to Devices > Configuration profiles.
Choose: Create profile.
Select the following values:
- Platform = macOS
- Profile type = Templates
- Template name = Custom
Enter a name for the profile, such as Microsoft Purview System MobileConfig, and then Choose Next.
Choose the mdatp-nokext.mobileconfig file that you downloaded in Step 1 as the configuration profile file.
On the Assignments tab, add the group you want to deploy these configurations to and then choose Next.
Review your settings and then choose Create to deploy the configuration.
Repeat the steps from Create profile through Create to make profiles for the:
- DeviceComplianceOnboarding.xml file. Name it Microsoft Purview Device Onboarding Package
- com.microsoft.wdav.mobileconfig file. Name it Microsoft Endpoint Device Preferences
Open Devices > Configuration profiles. The profiles you created now display.
In the Configuration profiles page, choose the profile that you just created. Next, choose Device status to see a list of devices and the deployment status of the configuration profile.
For the upload to cloud service activity, if you only want to monitor the browser and the URL in the browser address bar, you can enable the DLP_browser_only_cloud_egress and DLP_ax_only_cloud_egress features in the com.microsoft.wdav.mobileconfig file. The OPTIONAL section later in this article explains what these settings change and shows an example fragment.
Publish the application
Microsoft Endpoint data loss protection is installed as a component of Microsoft Defender for Endpoint on macOS. This procedure applies to onboarding devices into Microsoft Purview solutions.
In the Microsoft Intune admin center, open Apps.
Select By platform > macOS > Add.
Choose App type = macOS, and then choose Select. Choose Microsoft Defender for Endpoint.
Keep the default values and then choose Next.
Add assignments and then choose Next.
Review your chosen settings and then choose Create.
You can visit Apps > By platform > macOS to see the new application in the list of all applications.
OPTIONAL: Allow sensitive data to pass through forbidden domains
Microsoft Purview DLP inspects sensitive data at every stage of its journey, not only at the final destination. So if sensitive data is posted or sent to an allowed domain but travels through a forbidden domain on the way, it's blocked. Let's take a closer look.
Say that sending sensitive data via Outlook Live (outlook.live.com) is permissible, but that sensitive data must not be exposed to microsoft.com. However, when a user accesses Outlook Live, the data passes through microsoft.com in the background.
By default, because the sensitive data passes through microsoft.com on its way to outlook.live.com, DLP automatically blocks the data from being shared.
In some cases, however, you may not be concerned with the domains that data passes through on the back end. Instead, you may only be concerned about where the data ultimately ends up, as indicated by the URL in the address bar; in this case, outlook.live.com. To prevent sensitive data from being blocked in our example case, you need to explicitly change the default setting.
So, if you only want to monitor the browser and the final destination of the data (the URL in the browser address bar), you can enable DLP_browser_only_cloud_egress and DLP_ax_only_cloud_egress. Here's how.
To change the settings so that sensitive data can pass through forbidden domains on its way to a permitted domain:
Open the com.microsoft.wdav.mobileconfig file.
In the dlp > features array, set DLP_browser_only_cloud_egress to enabled and set DLP_ax_only_cloud_egress to enabled, as shown in the following example.

```xml
<key>dlp</key>
<dict>
  <key>features</key>
  <array>
    <dict>
      <key>name</key>
      <string>DLP_browser_only_cloud_egress</string>
      <key>state</key>
      <string>enabled</string>
    </dict>
    <dict>
      <key>name</key>
      <string>DLP_ax_only_cloud_egress</string>
      <key>state</key>
      <string>enabled</string>
    </dict>
  </array>
</dict>
```

Then upload the edited file as the Microsoft Endpoint Device Preferences profile described earlier so Intune pushes the new preferences to the assigned group.
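A malformed or incomplete com.microsoft.wdav.mobileconfig installs without complaint and simply leaves the cloud-egress behaviour at its default, so it is worth checking the file before you upload it to Intune. The following script is an added example for this article, not Microsoft's code: it parses the profile with plistlib, finds the Defender preferences payload, and reports which of the two features above are absent or not set to enabled. The sample profile embedded in it is constructed for the example, and the payload type string com.microsoft.wdav used to locate the preferences payload is an assumption; adjust it if your profile uses a different one. Note that the constructed sample deliberately leaves DLP_ax_only_cloud_egress disabled so the check has something to report.

```python
"""Validate the DLP cloud-egress feature flags in a com.microsoft.wdav.mobileconfig
before uploading it to Intune as a Custom macOS configuration profile.

Added example for this article (not Microsoft's code). The payload type
'com.microsoft.wdav' and the dlp -> features nesting follow the fragment
shown in the article; the payload type is an assumption.
"""
import plistlib
from typing import Dict, List

# Constructed sample: a minimal mobileconfig wrapping the article's dlp fragment,
# with the second feature left disabled on purpose. Not a file from Microsoft.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.purview.wdav</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>Microsoft Endpoint Device Preferences</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.microsoft.wdav</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.purview.wdav.prefs</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>dlp</key>
      <dict>
        <key>features</key>
        <array>
          <dict>
            <key>name</key><string>DLP_browser_only_cloud_egress</string>
            <key>state</key><string>enabled</string>
          </dict>
          <dict>
            <key>name</key><string>DLP_ax_only_cloud_egress</string>
            <key>state</key><string>disabled</string>
          </dict>
        </array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

REQUIRED_FEATURES = ("DLP_browser_only_cloud_egress", "DLP_ax_only_cloud_egress")
WDAV_PAYLOAD_TYPE = "com.microsoft.wdav"  # assumption: type of the Defender prefs payload


def dlp_feature_states(mobileconfig: bytes) -> Dict[str, str]:
    """Return {feature name: state} for every DLP feature flag in the profile.

    Walks PayloadContent for the Defender preferences payload. A profile with
    no such payload, or with no dlp/features key, yields an empty dict rather
    than raising, which mirrors how the agent would silently use defaults.
    """
    root = plistlib.loads(mobileconfig)
    states: Dict[str, str] = {}
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") != WDAV_PAYLOAD_TYPE:
            continue
        for feature in payload.get("dlp", {}).get("features", []):
            name, state = feature.get("name"), feature.get("state")
            if isinstance(name, str) and isinstance(state, str):
                states[name] = state.lower()
    return states


def missing_cloud_egress_features(mobileconfig: bytes) -> List[str]:
    """List the required cloud-egress features that are absent or not enabled."""
    states = dlp_feature_states(mobileconfig)
    return [f for f in REQUIRED_FEATURES if states.get(f) != "enabled"]


if __name__ == "__main__":
    import sys

    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MOBILECONFIG
    missing = missing_cloud_egress_features(data)
    print("OK" if not missing else f"not enabled: {missing}")
```

Run it with the path to your edited profile as the only argument; an empty result means both features are present and enabled in the payload the agent will read.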
Offboard macOS devices using Intune
Offboarding causes the device to stop sending sensor data to the portal. However, data from the device, including reference to any alerts it has had, will be retained for up to six months.
In the Microsoft Intune admin center, open Devices > Configuration profiles. The profiles you created are listed.
On the Configuration profiles page, choose the wdav.pkg.intunemac profile.
Choose Device status to see a list of devices and the deployment status of the configuration profile.
Open Properties and then Assignments.
Remove the group from the assignment. This uninstalls the wdav.pkg.intunemac package and offboards the macOS device from Compliance solutions.