Almost two weeks ago Microsoft released Conditional Access for macOS as part of Azure AD, which lets you allow access only from devices that are managed by Microsoft Intune and that are compliant. At the same time Microsoft released the preview of the Company Portal for the same device platform. Until now devices needed to be enrolled via the web portal, as described earlier on this blog in late 2015.

Conditional Access in action

For a long time applications connecting to Exchange Online via Exchange Web Services, like the Microsoft Outlook for macOS app, did not work with Conditional Access. You could only allow or block such access in Exchange Online by configuring the EwsAllowMacOutlook setting in the Organizational Config of Exchange (Online). For Outlook this is finally fixed via Conditional Access.

To show the Company Portal at its best we need to enable Conditional Access in Azure AD. This can be done for all Cloud Apps or just for Office 365 Exchange Online. Device platforms can be targeted one platform at a time or by selecting All platforms (including unsupported); the latter is the option to choose if you want to target all platforms.


Conditional Access for macOS

After enabling Conditional Access in Azure AD to also control macOS devices, you will see that accessing Exchange Online from the Microsoft Office Outlook app requires you to enroll the device to get access.
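
A way to check the platform scoping described above, as an added example that is not from the original post: it lists the device platforms that can still reach Exchange Online without an enforced compliant-device requirement. It assumes policies exported in the Microsoft Graph conditionalAccessPolicy JSON shape; the function names and sample policies are constructed for illustration.

```python
# Added example (not from the original post). Policies follow the Microsoft Graph
# conditionalAccessPolicy JSON shape; user/group scoping is ignored (assumption).
EXO_APP_ID = "00000002-0000-0ff1-ce00-000000000000"  # Office 365 Exchange Online
PLATFORMS = ["android", "iOS", "windows", "macOS", "linux"]

def targets_exchange(policy):
    apps = policy["conditions"]["applications"]
    if EXO_APP_ID in apps.get("excludeApplications", []):
        return False
    return bool(set(apps.get("includeApplications", [])) & {"All", "Office365", EXO_APP_ID})

def targets_platform(policy, platform):
    plats = policy["conditions"].get("platforms")
    if not plats:  # no platform condition at all: the policy applies to every platform
        return True
    if platform in plats.get("excludePlatforms", []):
        return False
    include = plats.get("includePlatforms", [])
    return "all" in include or platform in include

def enforces_compliance(policy):
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "compliantDevice" not in controls:
        return False
    # With operator OR, any other listed control (e.g. mfa) satisfies the policy instead.
    return grant.get("operator") == "AND" or len(controls) == 1

def uncovered_platforms(policies, platforms=PLATFORMS):
    """Platforms that reach Exchange Online with no enforced compliant-device policy."""
    live = [p for p in policies if p.get("state") == "enabled"
            and targets_exchange(p) and enforces_compliance(p)]
    return [pl for pl in platforms if not any(targets_platform(p, pl) for p in live)]

def make_policy(platforms, state="enabled", controls=("compliantDevice",)):
    """Build a constructed sample policy for the demonstration below."""
    return {"state": state,
            "conditions": {"applications": {"includeApplications": [EXO_APP_ID]},
                           "platforms": {"includePlatforms": list(platforms)}},
            "grantControls": {"operator": "OR", "builtInControls": list(controls)}}

if __name__ == "__main__":
    per_platform = make_policy(["macOS", "iOS", "android"])
    all_platforms = make_policy(["all"])
    report_only = make_policy(["all"], state="enabledForReportingButNotEnforced")
    for name, pol in [("per-platform", per_platform), ("all", all_platforms),
                      ("report-only", report_only)]:
        print(name, "->", uncovered_platforms([pol]))
```

A policy scoped to individual platforms leaves every platform it does not list uncovered, which is the gap the All platforms (including unsupported) option closes.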


Access is blocked via the Outlook App, device needs to be enrolled

Also, when trying to access Outlook Web App, a message is shown that the organization requires device management to allow access to Exchange Online.


Also Outlook Web App is blocked

Enrolling the device via the Intune Company Portal

As mentioned, the Microsoft Intune Company Portal for macOS devices is in preview and can be used to enroll your device and check compliance. Let's see what the experience looks like.

First of all you can download the Company Portal here.

After downloading and starting the Company Portal you need to log on. First click Sign In to start the process.


Sign in to the Company Portal

You will be redirected to the logon page, where you need to authenticate with your credentials. Next you will go through the same enrollment experience as on iOS and Android devices.

We need to enroll and get compliant

The users will be informed why they need to enroll the device.

Why enroll your device?

Information about the user's privacy is also shared.

Privacy information

Next enroll the device in Microsoft Intune.

Start enrolling

Management Profile installed

During the enrollment process the management profile will be installed on the Mac and all other resources, like Wi-Fi and VPN profiles, will be deployed.

Device is enrolled and compliant

After the device is enrolled and marked as compliant we are done.

Company Portal

The Company Portal shows information about the device, like the name, manufacturer, OS and model. Information about the compliance state is also shown.

Device options

In the Device menu we are able to sync the device for new policies, rename the device and remove it.

Access to Exchange Online via Outlook allowed

So what about compliance?

So what happens if a device is not compliant or becomes non-compliant? The device will be marked as Not in compliance in the Company Portal, and when looking for more information the user will see what is wrong, so that the user is able to fix it and become compliant.

Trying to get access to Outlook Web App will result in the following message that a compliant device is required.

Requires a compliant device

The story around management of macOS devices is getting better and better. Be sure to test the Microsoft Intune Company Portal if you have Microsoft Intune and (unmanaged) macOS devices in your environment.

Till next time!