Conditional Access for Macs
We would like to have conditional access for client computers that run OS X, so that users are forced to enroll their devices as soon as they decide to install a mail client or OneDrive for Business.
As of the most recent service release, you can now set a conditional access policy that requires Mac devices to be enrolled into Intune and compliant with its device compliance policies. For example, users can download the Intune Company Portal app for macOS and enroll their Mac devices into Intune. Intune evaluates whether the Mac device is compliant or not with requirements like PIN, encryption, OS version, and System Integrity.
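As an added example (not part of the original thread or Microsoft's own code), here is what the setup described above looks like when scripted against Microsoft Graph with the Microsoft Graph PowerShell SDK: a macOS compliance policy carrying the four checks listed (PIN, encryption, OS version, System Integrity Protection), assigned to a pilot group, and a Conditional Access policy that requires a compliant device on the macOS platform for Office 365. The group ID is a placeholder, the scopes assume an account allowed to consent to them, and the policy is created in report-only mode so you can see who would be blocked before enforcing it.

```powershell
# Added example, not from the original thread. Assumes the Microsoft.Graph module is
# installed, you can sign in with the listed scopes, and $pilotGroupId is replaced
# with the object ID of your own pilot group (placeholder below).
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All","Policy.ReadWrite.ConditionalAccess","Application.Read.All"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your pilot user group

# 1. macOS device compliance policy with the checks the post lists.
#    scheduledActionsForRule is required by Graph; actionType "block" with no grace
#    period marks the device non-compliant as soon as a check fails.
$compliance = @{
    "@odata.type"                    = "#microsoft.graph.macOSCompliancePolicy"
    displayName                      = "macOS - baseline compliance"
    passwordRequired                 = $true        # PIN / password
    passwordMinimumLength            = 8
    storageRequireEncryption         = $true        # FileVault
    systemIntegrityProtectionEnabled = $true        # SIP
    osMinimumVersion                 = "10.12"      # pick the floor you actually support
    scheduledActionsForRule          = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = "" }
            )
        }
    )
}
$compliancePolicy = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($compliance | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign it: an unassigned compliance policy evaluates nothing, so devices stay "not evaluated".
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $pilotGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($compliancePolicy.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

# 2. Conditional Access: macOS platform only, all client app types (browser and the
#    Outlook/OneDrive desktop clients), require a compliant device for Office 365.
#    Report-only first; switch state to "enabled" once the sign-in logs look right.
$ca = @{
    displayName = "CA - macOS requires compliant device for Office 365"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("macOS") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($ca | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

Scope the Conditional Access policy to the same pilot group as the compliance policy; a Mac that is enrolled but has no compliance policy assigned is not compliant, and the grant control will block it just as it blocks an unenrolled one.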
I am still having trouble with OneDrive recognising that my Mac is enrolled via Company Portal. When I try to configure OneDrive I get a message that login was successful but my machine is not enrolled:
Help us keep your device secure
Your sign-in was successful but your admin requires your device to be managed by MYCompanyName to access this resource.
The following information might be useful to your administrator:
Access rules set by MYCompanyName require device management
App name: OneDrive SyncEngine
App id: ab9b8c07-8f02-4f72-87fa-#########
IP address: ##.###.###.###
Device identifier: not available
Device platform: macOS
Device state: Unregistered
There is no application set to open the URL browser://go.microsoft.com/fwlink/?linkid=############
Search the App Store for an application that can open this document, or choose an existing application on your computer.
The App Store does not help.
Choosing the application (Company Portal) does not work either.
The URL works partly: if you remove the "Browser://" it now brings you to the download Company Portal part, however I still cannot use OneDrive.
Anyone got an idea or a similar issue?
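The error page above reports "Device identifier: not available" and "Device state: Unregistered", which is what Azure AD tells the app when it finds no device record to evaluate. As an added example (not from the thread), this is the admin-side check for that: it lists the Azure AD device objects registered to a user and shows the fields Conditional Access reads. It assumes the Microsoft Graph PowerShell SDK, an account with Directory.Read.All, and a placeholder UPN.

```powershell
# Added example, not from the original thread. Assumes the Microsoft.Graph module and
# an account that can consent to Directory.Read.All; the UPN at the bottom is a placeholder.
Connect-MgGraph -Scopes "Directory.Read.All"

function Get-MacRegistrationState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # registeredDevices returns the full device objects for the user
    $uri = "https://graph.microsoft.com/v1.0/users/$UserPrincipalName/registeredDevices"
    $devices = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

    # Azure AD labels Macs with operatingSystem values starting with "Mac"
    # (for example "Macintosh" or "MacMDM"), so match on the prefix.
    foreach ($d in ($devices | Where-Object { $_.operatingSystem -like "Mac*" })) {
        [pscustomobject]@{
            DisplayName = $d.displayName
            DeviceId    = $d.deviceId          # the "Device identifier" the CA error page shows
            OS          = "$($d.operatingSystem) $($d.operatingSystemVersion)"
            TrustType   = $d.trustType         # "Workplace" for an Azure AD registered device
            IsManaged   = $d.isManaged         # set once MDM enrollment has completed
            IsCompliant = $d.isCompliant       # the compliance result the grant control evaluates
            LastSignIn  = $d.approximateLastSignInDateTime
        }
    }
}

Get-MacRegistrationState -UserPrincipalName "user@contoso.com" | Format-Table -AutoSize
```

If the function returns no Mac for the user, the Company Portal registration never reached the directory and the sign-in is evaluated as an unregistered device; if the record exists with IsManaged true but IsCompliant false, the enrollment worked and the compliance policy is what is failing.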
Is there any chance that Microsoft will let Conditional Access for Mac work side by side with other MDM solutions? Enterprises have already been managing their Mac fleet with MDM solutions such as Casper. It's not possible to have 2 MDM profiles, and Intune is not a substitute for Casper. Surely this is technically possible: with a bit of a hack I was able to export the Workplace Join certificates from an enrolled Mac without Casper, then import them into a Mac with a Casper MDM profile. Just by importing the certificates, Conditional Access and Casper were able to work at the same time! The problem is this process is clunky and not that secure. Please allow Intune/Company Portal to be installed on Macs without requiring it to create an MDM profile!
May have been a timing issue for us, but the conditional access option for macOS now appears successfully in our portal. Many thanks, great work Intune team!
Marius Olsen commented
No checkbox for OS X to enable conditional access on this platform. Can only see iOS, Android, Windows 10 Mobile and Windows.
Might there be some confusion here? There are COMPLIANCE policies that have MacOS as an option now, however there are still no Conditional Access policy options for MacOS. Can you please confirm?
Paul Ellis commented
I still do not see OSX as an option in the Exchange Online Conditional Access policy. Will enrolling the Mac allow the end users to connect their thick Outlook client, or would Conditional Access still block them?
@Cathy, any update on this?
Aaron Marks commented
@Cathy, do you have an update?
Martijn van Loenen commented
ETA was Q1 2017, but what will be the new ETA?
I heard from our TAM a Preview might be coming for this feature. Can you please provide more of an insight into this? Thanks
Tyler Klobassa commented
Any ETA on the use of Enterprise/Personal Macs with Conditional Access?
Chris Moore commented
We have OS X configuration & compliance, and from the errors provided when CA is enabled, it can clearly detect the OS from the browser pages (certainly obvious in Exchange Online)... All we're missing is the bit to tie it together!
Definitely hoping for this to be picked up soon.
Aaron Marks commented
Intune Conditional Access would be nearly complete if Mac Conditional Access was released alongside EWS Conditional Access.
Silvio Rodriguez commented
Any update on the ETA?
We are counting on this
We really need this. Please provide any ETA you can and let us preview it.
Looks like this is coming soon: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-policy-connected-applications
Are you able to provide an ETA?