System Integrity Protection is a security technology in OS X El Capitan and later that's designed to help prevent potentially malicious software from modifying protected files and folders on your Mac. System Integrity Protection restricts the root user account and limits the actions that the root user can perform on protected parts of the Mac operating system.
Multiple Intune app protection access settings for same set of apps and users. Intune app protection policies for access will be applied in a specific order on end-user devices as they try to access a targeted app from their corporate account. In general, a wipe would take precedence, followed by a block, then a dismissible warning. I have the same issue. On my macOS DEP device, under hardware, Supervised shows as No. No idea how to make this indicate to yes. When I run terminal command on the mac, 'profiles status -type enrollment' I can see that DEP and mdm was enrolled correctly but Intune just doesn't detect it as Supervised. You now have an.intunemac file you can distribute with Intune. Step 3 – Upload to intune. In the Intune console, go to Mobile Apps AppsAdd Line-of-business App. Choose the.intunemac file to upload. In the App Information blade, you can configure some metadata and add an icon. Click Ok, and Add and wait for the app to be uploaded.
Intune Application Protection Policy
Before System Integrity Protection, the root user had no permission restrictions, so it could access any system folder or app on your Mac. Software obtained root-level access when you entered your administrator name and password to install the software. That allowed the software to modify or overwrite any system file or app.
System Integrity Protection includes protection for these parts of the system:
Intune Macos Support
- /System
- /usr
- /bin
- /sbin
- /var
- Apps that are pre-installed with OS X
Paths and apps that third-party apps and installers can continue to write to include:
- /Applications
- /Library
- /usr/local
System Integrity Protection is designed to allow modification of these protected parts only by processes that are signed by Apple and have special entitlements to write to system files, such as Apple software updates and Apple installers. Apps that you download from the Mac App Store already work with System Integrity Protection. Other third-party software, if it conflicts with System Integrity Protection, might be set aside when you upgrade to OS X El Capitan or later.
System Integrity Protection also helps prevent software from selecting a startup disk. To select a startup disk, choose System Preferences from the Apple menu, then click Startup Disk. Or hold down the Option key while you restart, then choose from the list of startup disks.
-->This article shows you the endpoint protection settings that you can configure for devices that run macOS. You configure these settings by using a macOS device configuration profile for endpoint protection in Intune.
Before you begin
Create a macOS endpoint protection profile.
Firewall
Use the firewall to control connections per-application, rather than per-port. Using per-application settings makes it easier to get the benefits of firewall protection. It also helps prevent undesirable apps from taking control of network ports that are open for legitimate apps.
Intune App Protection Macos Installer
Enable Firewall
Turn use of Firewall on macOS and then configure how incoming connections are handled in your environment.
- Not configured (default)
- Yes
Block all incoming connections
Block all incoming connections except the connections required for basic Internet services, such as DHCP, Bonjour, and IPSec. This feature also blocks all sharing services, such as File Sharing and Screen Sharing. If you're using sharing services, then keep this setting as Not configured.
- Not configured (default)
- Yes
When you set Block all incoming connections to Not configured, you can then configure which apps can or can't receive incoming connections.
Apps allowed: Configure a list of apps that are allowed to receive incoming connections.
- Add apps by bundle ID: Enter the bundle ID of the app. Apple's web site has a list of built-in Apple apps.
- Add store app: Select a store app you previously added in Intune. For more information, see Add apps to Microsoft Intune.
Apps blocked: Configure a list of apps that have incoming connections blocked.
- Add apps by bundle ID: Enter the bundle ID of the app. Apple's web site has a list of built-in Apple apps.
- Add store app: Select a store app you previously added in Intune. For more information, see Add apps to Microsoft Intune.
Enable stealth mode
To prevent the computer from responding to probing requests, enable stealth mode. The device continues to answer incoming requests for authorized apps. Unexpected requests, such as ICMP (ping), are ignored.
- Not configured (default)
- Yes
Gatekeeper
Allow apps downloaded from these locations
Limit the apps a device can launch, depending on where the apps were downloaded from. The intent is to protect devices from malware, and allow apps from only the sources you trust.
- Not configured (default)
- Mac App Store
- Mac App Store and identified developers
- Anywhere
Do not allow user to override Gatekeeper
Prevents users from overriding the Gatekeeper setting, and prevents users from Control clicking to install an app. When enabled, users can Control-click any app, and install it.
- Not configured (default) - Users can Control-click to install apps.
- Yes - Prevents users from using Control-click to install apps.
Intune Data Protection Policy
FileVault
App Protection Policy Ios Intune
For more information about Apple FileVault settings, see FDEFileVault in the Apple developer content.
Important
As of macOS 10.15, FileVault configuration requires user approved MDM enrollment.
Enable FileVault
You can enable Full Disk Encryption using XTS-AES 128 with FileVault on devices that run macOS 10.13 and later.
- Not configured (default)
- Yes
When Enable FileVault is set to Yes, you can configure the following settings:
Recovery key type
Personal key recovery keys are created for devices. Configure the following settings for the personal key.
Escrow location description of personal recovery key
Specify a short message to the user that explains how and where they can retrieve their personal recovery key. This text is inserted into the message the user sees on their sign in screen when prompted to enter their personal recovery key if a password is forgotten.
Personal recovery key rotation
Specify how frequently the personal recovery key for a device will rotate. You can select the default of Not configured, or a value of 1 to 12 months.
Hide recovery key
Choose to hide the personal key from a device user during FileVault 2 encryption.
- Not configured (default) – The personal key is visible to the device user during encryption.
- Yes - The personal key is hidden from the device user during encryption.
After encryption, device users can view their personal recovery key for an encrypted macOS device from the following locations:
- iOS/iPadOS company portal app
- Intune app
- company portal website
- Android company portal app
To view the key, from the app or website, go to device details of the encrypted macOS device and select get recovery key.
Disable prompt at sign out
Prevent the prompt to the user that requests they enable FileVault when they sign out. When set to Disable, the prompt at sign-out is disabled and instead, the user is prompted when they sign in.
- Not configured (default)
- Yes - Disable the prompt at sign-out.
Number of times allowed to bypass
Set the number of times a user can ignore prompts to enable FileVault before FileVault is required for the user to sign in.
- Not configured - Encryption on the device is required before the next sign-in is allowed.
- 0 - Require devices to encrypt the next time a user signs in to the device.
- 1 to 10 - Allow a user to ignore the prompt from 1 to 10 times before requiring encryption on the device.
- No limit, always prompt - The user is prompted to enable FileVault but encryption is never required.
The default for this setting depends on the configuration of Disable prompt at sign out. When Disable prompt at sign out is set to Not configured, this setting defaults to Not configured. When Disable prompt at sign out is set to Yes, this setting defaults to 1 and a value of Not configured isn't an option.
Next steps
Intune App Protection Macos 10.13
Assign the profile and monitor its status.
You can also configure endpoint protection on Windows 10 and newer devices.