Onboard and offboard macOS devices into Microsoft Purview solutions using Intune

Note

Microsoft 365 compliance is now called Microsoft Purview and the solutions within the compliance area have been rebranded. For more information about Microsoft Purview, see the blog announcement and the What is Microsoft Purview? article.

You can use Intune to onboard macOS devices into Microsoft Purview solutions.

Important

Use this procedure if you do not have Microsoft Defender for Endpoint (MDE) deployed to your macOS devices

Applies to:

• Endpoint data loss prevention (DLP)
• Insider risk management

Before you begin

• Make sure your macOS devices are onboarded into Intune and are enrolled in the Company Portal app.
• Make sure you have access to the Microsoft Endpoint Manager center.
• This supports macOS version Catalina 10.15 and higher.
• Create the user groups that you are going to assign the configuration updates to.
• Install the v95+ Edge browser on your macOS devices

Onboard macOS devices into Microsoft Purview solutions using Microsoft Intune

Onboarding a macOS device into Compliance solutions is a six phase process.

1. Create system configuration profiles
2. Get the device onboarding package
3. Deploy the onboarding package
4. Enable system extension
5. Get the installation package
6. Deploy the installation package

Create system configuration profiles

1. You'll need these files for this procedure.

file needed for	source
Onboarding package	downloaded from the compliance portal Onboarding package, file name DeviceComplianceOnboarding.xml
accessibility	accessibility.mobileconfig
full disk access	fulldisk.mobileconfig
Network filer	netfilter.mobileconfig]
System extensions	sysext.mobileconfig
MDE preference	com.microsoft.wdav.mobileconfig
MAU preference	com.microsoft.autoupdate2.mobileconfig
Installation package	downloaded from the compliance portal Installation package, file name *wdav.pkg*

Tip

You can download the .mobileconfig files individually or in single combined file that contains:

• accessibility.mobileconfig
• fulldisk.mobileconfig
• netfilter.mobileconfig
• system extensions

If any of these individual files is updated, you'd need to download the either the combined file again or the single updated file individually.

2. Open the Microsoft Endpoint Manager center > Devices > Configuration profiles.

3. Choose: Create profile

4. Choose:

   1. Platform = macOS
   2. Profile type = Templates
   3. Template name = Custom

5. Choose Create

6. Choose a name for the profile, like AccessibilityformacOS in this example. Choose Next.

7. Choose the accessibility.mobileconfig file that you downloaded in step 1 as the configuration profile file.

8. Choose Next

9. On the Assignments tab add the group you want to deploy these configurations to and choose Next.

10. Review your settings and choose Create to deploy the configuration.

11. Repeat steps 3-11 to create profiles for the:

    1. fulldisk.mobileconfig file
    2. com.microsoft.autoupdate2.xml file
    3. MDE preferences com.microsoft.wdav.xml file
       1. set Antivirus engine passive mode = true or false. Use trueif deploying DLP only. Use false or do not assign a value if deploying DLP and Microsoft Defender for Endpoint (MDE).
    4. netfilter.mobileconfig

12. Open Devices > Configuration profiles, you should see your created profiles there.

13. In the Configuration profiles page, choose the profile that you just created, in this example AccessibilityformacOS and choose Device status to see a list of devices and the deployment status of the configuration profile.

Get the device onboarding package

1. In Compliance center open Settings > Device Onboarding and choose Onboarding.

2. For Select operating system to start onboarding process choose macOS.

3. For Deployment method choose Mobile Device Management/Microsoft Intune.

4. Choose Download onboarding package. This contains the onboarding code in the DeviceComplianceOnboarding.xml file.

Deploy the onboarding package

1. Open the Microsoft Endpoint Manager center > Devices > Configuration profiles.

2. Choose: Create profile.

3. Choose:

   1. Platform = macOS
   2. Profile type = Templates
   3. Template name = Custom

4. Choose Create

5. Choose a name for the profile, like OnboardingPackage in this example. Choose Next.

6. Choose the DeviceComplianceOnboarding.xml file as the configuration profile file.

7. Choose Next

8. On the Assignments tab add the group you want to deploy these configurations to and choose Next.

9. Review your settings and choose Create to deploy the configuration.

Enable system extension

1. In the Microsoft Endpoint Manager center select Create Profile under Configuration Profiles

2. Choose:

   1. Platform = macOS
   2. Profile type = Templates
   3. Template name = Extensions

3. Choose Create

4. In the Basics tab, give this new profile a name.

5. In the Configuration settings tab expand System Extensions.

6. Under Bundle identifier and Team identifier, set these values

Bundle identifier	Team identifier
com.microsoft.wdav.epsext	UBF8T346G9
com.microsoft.wdav.netext	UBF8T346G9

1. On the Assignments tab add the group you want to deploy these configurations to and choose Next.

2. Choose Next to deploy the configuration.

Get the installation package

1. In Compliance center open Settings > Device Onboarding and choose Onboarding.

2. For Select operating system to start onboarding process choose macOS

3. For Deployment method choose Mobile Device Management/Microsoft Intune

4. Choose Download installation package. This will give you the wdav.pkg file.

Important

Before you can deploy the wdav.pkg. package via Intune, it must be reformatted using the Intune App Wrapping Tools for Mac into the wdav.pkg.intunemac format.

Deploy the Microsoft DLP installation package

1. Follow the procedures in How to add macOS line-of-business (LOB) apps to Microsoft Intune to convert the wdav.pkg file into the proper format and deploy it through Intune.

Offboard macOS devices using Intune

Note

Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to six months.

2. In Microsoft Endpoint Manager center, open Devices > Configuration profiles, you should see your created profiles there.

3. In the Configuration profiles page, choose the wdav.pkg.intunemac profile.

4. Choose Device status to see a list of devices and the deployment status of the configuration profile

5. Open Properties and Assignments

6. Remove the group from the assignment. This will uninstall the wdav.pkg.intunemac package and offboard the macOS device from Compliance solutions.