Microsoft

Microsoft Intune Feedback

How can we improve Microsoft Intune

Conditional Access for Macs

We would like to have conditional access for client computers that run OS X so users are forced to enroll their devices as soon as they decide to install a mail client or OneDrive for Business.

(split from https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/8793778-conditional-access-for-pc-s-and-mac-s)

359 votes
    Admin Cathy Moya (UserVoice admin for Intune, Microsoft Intune) shared this idea

    As of the most recent service release, you can now set a conditional access policy that requires Mac devices to be enrolled into Intune and compliant with its device compliance policies. For example, users can download the Intune Company Portal app for macOS and enroll their Mac devices into Intune. Intune evaluates whether the Mac device is compliant or not with requirements like PIN, encryption, OS version, and System Integrity.
    https://docs.microsoft.com/en-us/intune/whats-new

    24 comments

      • DT commented

        Dear Cathy,

        I am still having trouble with OneDrive recognising that my Mac is enrolled via Company Portal. When I try to configure OneDrive I get a message that login was successful but my machine is not enrolled:

        Help us keep your device secure
        Your sign-in was successful but your admin requires your device to be managed by MYCompanyName to access this resource.

        The following information might be useful to your administrator:
        Access rules set by MYCompanyName require device management
        App name: OneDrive SyncEngine
        App id: ab9b8c07-8f02-4f72-87fa-#########
        IP address: ##.###.###.###
        Device identifier: not available
        Device platform: macOS
        Device state: Unregistered

        There is no application set to open the URL browser://go.microsoft.com/fwlink/?linkid=############

        Search the App Store for an application that can open this document, or choose an existing application on your computer.

        App Store does not help
        Choosing the Application - CompanyPortal does not work either
        The URL works partly: if you remove the "Browser://" it now brings you to the download Company portal part, however I can still not use OneDrive.

        Anyone got an idea or a similar issue?

      • Robert commented

        Is there any chance that Microsoft will let Conditional Access for Mac work side by side with other MDM solutions? Enterprises have already been managing their Mac fleet with MDM solutions such as Casper. It's not possible to have 2 MDM profiles, and Intune is not a substitute for Casper. Surely this is technically possible: with a bit of a hack I was able to export the Workplace Join certificates from an enrolled Mac without Casper, then import them into a Mac with a Casper MDM profile. Just by importing the certificates, Conditional Access and Casper were able to work at the same time! The problem is this process is clunky and not that secure. Please allow Intune/Company Portal to be installed on Macs without requiring it to create an MDM profile!

      • D commented

        May have been a timing issue for us, but the conditional access option for macOS now appears successfully in our portal. Many thanks, great work Intune team!

      • Marius Olsen commented

        No checkbox for OS X to enable conditional access on this platform. Can only see iOS, Android, Windows 10 Mobile and Windows.

      • D commented

        Hi Cathy,

        Might there be some confusion here? There are COMPLIANCE policies that have MacOS as an option now, however there are still no Conditional Access policy options for MacOS. Can you please confirm?

      • Paul Ellis commented

        I still do not see OSX as an option in the Exchange Online Conditional Access policy. Will enrolling the Mac allow the end users to connect their thick Outlook client, or would Conditional Access still block them?

      • Anonymous commented

        I heard from our TAM a Preview might be coming for this feature. Can you please provide more of an insight into this? Thanks

      • Chris Moore commented

        We have OS X configuration & compliance, and from the errors provided when CA is enabled, it can clearly detect the OS from the browser pages (certainly obvious in Exchange Online)... All we're missing is the bit to tie it together!

        Definitely hoping for this to be picked up soon.

      • Aaron Marks commented

        Intune Conditional Access would be nearly complete if Mac Conditional Access was released alongside EWS Conditional Access.
