Almost two weeks ago Microsoft released Conditional Access for macOS as part of Azure AD, which allows you to restrict access to devices that are managed by Microsoft Intune and compliant. At the same time Microsoft released the preview of the Company Portal for the same device platform. Until now devices needed to be enrolled via the web portal, as described earlier on this blog in late 2015.
Conditional Access in action
For a long time applications that connect to Exchange Online via Exchange Web Services (EWS), like the Microsoft Outlook for macOS app, did not work with Conditional Access. The only options were to allow or block them in Exchange Online by configuring the EwsAllowMacOutlook setting in the organization config of Exchange (Online). For Outlook this is finally fixed via Conditional Access.
To show the Company Portal at its best we first need to enable Conditional Access in Azure AD. This can be done for all cloud apps or just for Office 365 Exchange Online. Device platforms can be targeted one platform at a time or by selecting All platforms (including unsupported), which is the option to choose if you want to target every platform.
After enabling Conditional Access in Azure AD to also control macOS devices, you will see when accessing Exchange Online from the Microsoft Outlook app that you need to enroll the device to get access.
When trying to access Outlook Web App (https://outlook.office.com) you also see a message that the organization requires device management to allow access to Exchange Online.
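As an added example (not from the original post), the EWS setting and the Conditional Access policy described above expressed in PowerShell. It assumes the Exchange Online PowerShell and Microsoft Graph PowerShell modules; the policy name and the break-glass group id are placeholders, and the application id is the well-known Office 365 Exchange Online id.

```powershell
# Added example, not code from the original post. Assumes the ExchangeOnlineManagement
# and Microsoft.Graph modules are installed and the account holds the Exchange and
# Conditional Access administrator roles.

# 1. Inspect the tenant-wide EWS switch the post mentions. Leave EwsAllowMacOutlook
#    at $true: with the device-based Conditional Access policy below, Outlook for Mac
#    is gated per device instead of being allowed or blocked for the whole tenant.
Connect-ExchangeOnline
Get-OrganizationConfig | Select-Object EwsEnabled, EwsAllowMacOutlook, EwsApplicationAccessPolicy

# The older all-or-nothing control, shown for comparison only:
# Set-OrganizationConfig -EwsAllowMacOutlook $false

# 2. Conditional Access policy: require a compliant (Intune-enrolled) device for
#    Office 365 Exchange Online on macOS. Created in report-only mode so the sign-in
#    logs show who would be blocked before the policy is enforced.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$policy = @{
    displayName   = 'Require compliant device - Exchange Online - macOS'   # assumed name
    state         = 'enabledForReportingButNotEnforced'                    # change to 'enabled' after validation
    conditions    = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @('<BREAK-GLASS-GROUP-OBJECT-ID>')              # placeholder: emergency access accounts
        }
        applications   = @{
            includeApplications = @('00000002-0000-0ff1-ce00-000000000000')  # Office 365 Exchange Online
        }
        platforms      = @{ includePlatforms = @('macOS') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Review the report-only results in the Azure AD sign-in logs before switching the state to enabled, so that unenrolled Macs are not locked out unexpectedly.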
Enrolling the device via the Intune Company Portal
As mentioned, the Microsoft Intune Company Portal for macOS devices is in preview and can be used to enroll your device and check compliance. Let's see what the experience looks like.
First of all you can download the Company Portal here.
After downloading and starting the Company Portal you need to log on. First click Sign In to start the process.
You will be redirected to the logon page, where you need to authenticate with your credentials. Next you go through the same enrollment experience as with iOS and Android devices.
The user is informed why they need to enroll the device.
Information about the user's privacy is also shared.
Next enroll the device in Microsoft Intune.
During the enrollment process the management profile is installed on the Mac and all other resources, like Wi-Fi and VPN profiles, are deployed.
After the device is enrolled and marked as compliant we are done.
The Company Portal shows information about the device, like the name, manufacturer, OS and model. Information about the compliance state is also shown.
In the Device menu we can sync the device to get new policies, and rename or remove the device.
So what about compliance?
What happens if a device is not compliant or becomes non-compliant? The device is marked as Not in compliance in the Company Portal, and when looking for more information the user sees what is wrong so that they can fix it and become compliant.
Trying to access Outlook Web App will result in the following message that a compliant device is required.
The story around management of macOS devices is getting better and better; be sure to test the Microsoft Intune Company Portal if you have Microsoft Intune and (unmanaged) macOS devices in your environment.
Till next time!