Onboard and offboard macOS devices into Microsoft Purview solutions using Intune

Note

Microsoft 365 compliance is now called Microsoft Purview and the solutions within the compliance area have been rebranded. For more information about Microsoft Purview, see the blog announcement and the What is Microsoft Purview? article.

You can use Intune to onboard macOS devices into Microsoft Purview solutions.

Important

Use this procedure if you do not have Microsoft Defender for Endpoint (MDE) deployed to your macOS devices.

Applies to:

Before you begin

Onboard macOS devices into Microsoft Purview solutions using Microsoft Intune

Onboarding a macOS device into Compliance solutions is a six-phase process.

  1. Create system configuration profiles
  2. Get the device onboarding package
  3. Deploy the onboarding package
  4. Enable system extension
  5. Get the installation package
  6. Deploy the installation package

Create system configuration profiles

  1. You'll need these files for this procedure.

     File needed           Source
     Onboarding package    Onboarding package downloaded from the compliance portal, file name DeviceComplianceOnboarding.xml
     Accessibility         accessibility.mobileconfig
     Full disk access      fulldisk.mobileconfig
     Network filter        netfilter.mobileconfig
     System extensions     sysext.mobileconfig
     MDE preference        com.microsoft.wdav.mobileconfig
     MAU preference        com.microsoft.autoupdate2.mobileconfig
     Installation package  Installation package downloaded from the compliance portal, file name wdav.pkg

Tip

You can download the .mobileconfig files individually or in a single combined file that contains:

  • accessibility.mobileconfig
  • fulldisk.mobileconfig
  • netfilter.mobileconfig
  • system extensions (sysext.mobileconfig)

If any of these individual files is updated, you'd need to download either the combined file again or the single updated file individually.

  2. Open the Microsoft Endpoint Manager center > Devices > Configuration profiles.

  3. Choose: Create profile

  4. Choose:

    1. Platform = macOS
    2. Profile type = Templates
    3. Template name = Custom
  5. Choose Create

  6. Choose a name for the profile, like AccessibilityformacOS in this example. Choose Next.

  7. Choose the accessibility.mobileconfig file that you downloaded in step 1 as the configuration profile file.

  8. Choose Next

  9. On the Assignments tab add the group you want to deploy these configurations to and choose Next.

  10. Review your settings and choose Create to deploy the configuration.

  11. Repeat steps 3-11 to create profiles for the:

    1. fulldisk.mobileconfig file
    2. com.microsoft.autoupdate2.xml file
    3. MDE preferences com.microsoft.wdav.xml file
      1. Set Antivirus engine passive mode = true or false. Use true if deploying DLP only. Use false, or do not assign a value, if deploying DLP and Microsoft Defender for Endpoint (MDE).
    4. netfilter.mobileconfig
  12. Open Devices > Configuration profiles; you should see your created profiles there.

  13. On the Configuration profiles page, choose the profile that you just created (AccessibilityformacOS in this example) and choose Device status to see a list of devices and the deployment status of the configuration profile.

Get the device onboarding package

  1. In the Compliance center, open Settings > Device Onboarding and choose Onboarding.

  2. For Select operating system to start onboarding process choose macOS.

  3. For Deployment method choose Mobile Device Management/Microsoft Intune.

  4. Choose Download onboarding package. This contains the onboarding code in the DeviceComplianceOnboarding.xml file.

Deploy the onboarding package

  1. Open the Microsoft Endpoint Manager center > Devices > Configuration profiles.

  2. Choose: Create profile.

  3. Choose:

    1. Platform = macOS
    2. Profile type = Templates
    3. Template name = Custom
  4. Choose Create

  5. Choose a name for the profile, like OnboardingPackage in this example. Choose Next.

  6. Choose the DeviceComplianceOnboarding.xml file as the configuration profile file.

  7. Choose Next

  8. On the Assignments tab add the group you want to deploy these configurations to and choose Next.

  9. Review your settings and choose Create to deploy the configuration.

Enable system extension

  1. In the Microsoft Endpoint Manager center, select Create Profile under Configuration Profiles.

  2. Choose:

    1. Platform = macOS
    2. Profile type = Templates
    3. Template name = Extensions
  3. Choose Create

  4. In the Basics tab, give this new profile a name.

  5. In the Configuration settings tab expand System Extensions.

  6. Under Bundle identifier and Team identifier, set these values:

     Bundle identifier          Team identifier
     com.microsoft.wdav.epsext  UBF8T346G9
     com.microsoft.wdav.netext  UBF8T346G9

  7. On the Assignments tab add the group you want to deploy these configurations to and choose Next.

  8. Choose Next to deploy the configuration.
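Two settings on this page are easy to get wrong silently: the Antivirus engine passive mode value in the MDE preferences profile (step 11 of "Create system configuration profiles") and the bundle/team identifier pair in the system extension profile above. The following is an added example, not Microsoft's or Intune's code, that parses exported .mobileconfig files with Python's standard plistlib and checks both before the profiles are assigned. The bundle identifiers and team identifier come from this page; the payload key names (com.apple.system-extension-policy, AllowedSystemExtensions, com.microsoft.wdav, antivirusEngine, passiveMode) are assumptions drawn from Apple's and Microsoft's published profile formats, and the two sample profiles are constructed for the example.

```python
"""Pre-deployment checks for the macOS profiles described on this page.

Added example (not Microsoft's code). Payload key names are assumptions
taken from Apple's and Microsoft's published profile formats.
"""
import plistlib

EXPECTED_TEAM_ID = "UBF8T346G9"                      # from the page's table
EXPECTED_EXTENSIONS = {"com.microsoft.wdav.epsext",  # from the page's table
                       "com.microsoft.wdav.netext"}

# Constructed sample: the shape of profile the Intune Extensions template produces.
SYSEXT_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.system-extension-policy</string>
      <key>AllowUserOverrides</key><true/>
      <key>AllowedSystemExtensions</key>
      <dict><key>UBF8T346G9</key><array>
        <string>com.microsoft.wdav.epsext</string>
        <string>com.microsoft.wdav.netext</string>
      </array></dict>
    </dict>
  </array>
</dict></plist>"""

# Constructed sample: an MDE preferences profile with passive mode on (DLP-only).
WDAV_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.microsoft.wdav</string>
      <key>antivirusEngine</key>
      <dict><key>passiveMode</key><true/></dict>
    </dict>
  </array>
</dict></plist>"""


def payloads(profile_bytes, payload_type):
    """Return every payload dict of the given PayloadType inside a profile."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == payload_type]


def check_system_extensions(profile_bytes):
    """Return a list of problems with the system-extension allow list (empty = OK)."""
    found = payloads(profile_bytes, "com.apple.system-extension-policy")
    if not found:
        return ["no com.apple.system-extension-policy payload in profile"]
    problems, allowed = [], set()
    for payload in found:
        for team_id, bundles in payload.get("AllowedSystemExtensions", {}).items():
            # Anything signed by another team is not the extension this page expects.
            if team_id != EXPECTED_TEAM_ID:
                problems.append(f"unexpected team identifier {team_id!r}")
            allowed.update(bundles)
    for missing in sorted(EXPECTED_EXTENSIONS - allowed):
        problems.append(f"missing system extension {missing}")
    return problems


def passive_mode(profile_bytes):
    """Return antivirusEngine.passiveMode as a bool, or None when it is not set."""
    for payload in payloads(profile_bytes, "com.microsoft.wdav"):
        value = payload.get("antivirusEngine", {}).get("passiveMode")
        if value is not None:
            return bool(value)
    return None


def check_passive_mode(profile_bytes, deploying_mde):
    """Apply the page's rule: DLP-only wants true; DLP plus MDE wants false or unset."""
    value = passive_mode(profile_bytes)
    if deploying_mde:
        return [] if value in (None, False) else \
            ["passiveMode must be false/unset when MDE is deployed"]
    return [] if value is True else \
        ["passiveMode must be true for a DLP-only deployment"]


if __name__ == "__main__":
    print("system extensions:", check_system_extensions(SYSEXT_PROFILE) or "OK")
    print("passive mode, DLP only:", check_passive_mode(WDAV_PROFILE, False) or "OK")
    print("passive mode, DLP + MDE:", check_passive_mode(WDAV_PROFILE, True) or "OK")
```

Run it against the .mobileconfig files you exported from Intune (replace the constructed byte strings with the file contents) before assigning the profiles to a group; a wrong team identifier or a passive mode value that does not match the deployment you intend shows up here rather than as a silently unloaded extension on the device.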

Get the installation package

  1. In the Compliance center, open Settings > Device Onboarding and choose Onboarding.

  2. For Select operating system to start onboarding process choose macOS.

  3. For Deployment method choose Mobile Device Management/Microsoft Intune.

  4. Choose Download installation package. This will give you the wdav.pkg file.

Important

Before you can deploy the wdav.pkg package via Intune, it must be reformatted using the Intune App Wrapping Tools for Mac into the wdav.pkg.intunemac format.

Deploy the Microsoft DLP installation package

  1. Follow the procedures in How to add macOS line-of-business (LOB) apps to Microsoft Intune to convert the wdav.pkg file into the proper format and deploy it through Intune.

Offboard macOS devices using Intune

Note

Offboarding causes the device to stop sending sensor data to the portal, but data from the device, including references to any alerts it has had, will be retained for up to six months.

  1. In the Microsoft Endpoint Manager center, open Devices > Configuration profiles; you should see your created profiles there.

  2. In the Configuration profiles page, choose the wdav.pkg.intunemac profile.

  3. Choose Device status to see a list of devices and the deployment status of the configuration profile.

  4. Open Properties and Assignments.

  5. Remove the group from the assignment. This will uninstall the wdav.pkg.intunemac package and offboard the macOS device from Compliance solutions.