Delen via


Onboard and offboard macOS devices into Microsoft Purview solutions using Intune

You can use Microsoft Intune to onboard macOS devices into Microsoft Purview solutions.

Important

Use this procedure if you do not have Microsoft Defender for Endpoint (MDE) deployed to your macOS devices

Applies to:

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Before you begin

Note

The three most recent major releases of macOS are supported.

Onboard macOS devices into Microsoft Purview solutions using Microsoft Intune

Onboarding a macOS device into Compliance solutions is a multi-phase process.

  1. Get the device onboarding package
  2. Deploy the mobileconfig and onboarding packages
  3. Publish the application

Prerequisites

Download the following files:

File Description
mdatp.mobileconfig System mobile config file
com.microsoft.wdav.mobileconfig. MDE preferences

Tip

We recommend downloading the bundled mdatp.mobileconfig file, rather than the individual .mobileconfig files. The bundled file includes the following required files:

  • accessibility.mobileconfig
  • fulldisk.mobileconfig
  • netfilter.mobileconfig
  • sysext.mobileconfig

If any of these files are updated, you need to either download the updated bundle, or download each updated file individually.

Get the device onboarding package

Screenshot of the Microsoft Intune Configuration settings tab with all fields populated.

  1. In the Microsoft Purview portal open Settings > Device Onboarding and then choose Onboarding.

  2. For the Select operating system to start onboarding process option, choose macOS.

  3. For Deployment method, choose Mobile Device Management/Microsoft Intune.

  4. Choose Download onboarding package.

  5. Extract the .ZIP file and open the Intune folder. This contains the onboarding code in the DeviceComplianceOnboarding.xml file.

Deploy the mobileconfig and onboarding packages

  1. Open the Microsoft Intune admin center and navigate to Devices > macOS > Configuration.

  2. Choose: + Create and then choose New policy.

  3. Select the following values:

    1. Platform = macOS
    2. Profile type = Templates
    3. Template name = Custom
  4. Choose Create.

  5. Enter a name for the profile, such as Microsoft Purview System MobileConfig, and then Choose Next.

  6. Choose the mdatp.mobileconfig file that you downloaded in Step 1 as the configuration profile file.

  7. Choose Next.

  8. On the Assignments tab, add the group you want to deploy these configurations to and then choose Next.

  9. Review your settings and then choose Create to deploy the configuration.

  10. Repeat steps 2-9 to create profiles for the:

    1. DeviceComplianceOnboarding.xml file. Name it Microsoft Purview Device Onboarding Package
    2. com.microsoft.wdav.mobileconfig file. Name it Microsoft Endpoint Device Preferences
  11. Open Devices > Configuration profiles. The profiles you created now display.

  12. In the Configuration profiles page, choose the profile that you just created. Next, choose Device status to see a list of devices and the deployment status of the configuration profile.

Publish the application

Microsoft Endpoint data loss protection is installed as a component of Microsoft Defender for Endpoint on macOS. This procedure applies to onboarding devices into Microsoft Purview solutions

  1. In the Microsoft Intune admin center, open Apps.

  2. Select By platform > macOS > Add.

  3. Under App type scroll to Microsoft Defender for Endpoint and select macOS.

  4. Keep the default values and then choose Next.

  5. Add assignments and then choose Next.

  6. Review your chosen settings and then choose Create.

  7. You can visit Apps > By platform > macOS to see the new application in the list of all applications.

Offboard macOS devices using Intune

Note

Offboarding causes the device to stop sending sensor data to the portal. However, data from the device, including reference to any alerts it has had, will be retained for up to six months.

  1. In the Microsoft Intune admin center, open Devices > Configuration profiles. The profiles you created are listed.

  2. On the Configuration profiles page, choose the wdav.pkg.intunemac profile.

  3. Choose Device status to see a list of devices and the deployment status of the configuration profile.

  4. Open Properties and then Assignments.

  5. Remove the group from the assignment. This will uninstall the wdav.pkg.intunemac package and offboard the macOS device from Compliance solutions.