In this post I will show you how to use a macOS compliance policy in Intune to send update notifications. Intune cannot directly apply updates to macOS devices; however, with a compliance policy we can mark a device non-compliant when a new update is released and notify the user in different ways.
This is a two-step process. We are going to:
- Create notifications through the Compliance policies blade
- Create compliance policies and set up the notification feature
Create Notifications through Compliance policies
Under Create Notifications, specify the name as macOS Old version and make the following changes:
- Email header – Include company logo : Enable
- Email footer – Include company name: Enable
- Email footer – Include contact information: Enable
- Company Portal Website Link: Enable
Under Notification message templates, specify:
- Locale: English (United States)
- Subject: Urgent – Your device is on old version
- Message: Your device is having old operating system version. You are requested to immediately action on this by updating it to latest version.
- Is Default: Check the box
Under Scope tags, click Next.
Under Review + Create, verify the settings and click Create.
The notification is now ready; it will be used in the compliance policy, which is our next step.
Create Compliance Policies for macOS
Navigate to Devices > macOS devices. Under macOS policies, select Compliance policies and click Create Policy.
Under Create a policy, the platform will be shown as macOS and the profile type as Mac compliance policy. Click Create.
Under Mac Compliance policy, specify the name as “MacOS Compliance” and click Next.
Under Compliance Settings, you will see multiple options to specify such as:
- Device Health
- Device Properties
- System Security
We are interested in Device Properties. Expand it and specify:
- Minimum OS version: 12.3.1
- Maximum OS version:
- Minimum OS build version:
- Maximum OS build version:
We have specified the minimum OS version as macOS Monterey 12.3.1; we could also have used the build version.
Under Actions for noncompliance, we have multiple actions to define such as:
- Mark device noncompliant
- Send email to end user
- Remotely lock the noncompliant device
- Retire the noncompliant device
Let’s use two of the actions:
Mark device noncompliant: set to “Immediately”.
Send email to end user: under Schedule (days for noncompliance), specify the number of days after which the device will be marked as noncompliant; let’s select 0.
Under Message template, select the previously created notification, which is displayed under Notification message templates.
Under Additional recipients we can specify additional email addresses, for example a specific department’s line manager or the compliance team’s ID.
Once we have made the selection, click Next.
Under Scope Tags, click Next.
Under Assignments, target the compliance policy to an existing group and click Next.
Under Review + Create, click Create.
Verify compliance policy on MacOS device
Log in to the macOS device. Once a sync is initiated (you can also trigger it manually, either through the MEM console or through Company Portal on the device), the policy will kick in and immediately mark the device as non-compliant if its version is lower than 12.3.1.
Under Company Portal, you will see the list of devices, and the specific macOS device will show:
You need to update settings on this device. See status for details.
This device does not meet company compliance and security policies. You need to make some changes to this device so that you can access company resources.
Click the three horizontal dots to get more details.
You will see the notification: MacBook Pro is not in compliance.
The Update device settings message will show Update your operating system with the message “You need to update your operating system to 12.3 or later.”
If you go back to the MEM admin center, you will see the device is now marked as Not Compliant.
The user will also get an email notification. This is the same notification which we created previously.
Update the device; once that is done, the device will be marked as compliant again.
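The minimum OS version set under Device Properties can be pre-checked locally on a Mac before the next sync. The script below is an added example, not part of the original post and not Intune's own evaluation logic; it assumes versions are compared component by component as numbers, and the function names version_lt and compliance_state are hypothetical.

```shell
#!/bin/sh
# Added example: local pre-check against the policy's minimum OS version.
MIN_OS_VERSION="12.3.1"   # value entered under Device Properties in this post

# version_lt A B: succeed (exit 0) if dotted version A is lower than B.
# Components are compared numerically (assumption), so 12.10 is higher
# than 12.3.1; missing components count as 0, so 12.3 equals 12.3.0.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Drop the component that was just read from each version.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # versions are equal
}

# compliance_state VERSION [MINIMUM]: print compliant, noncompliant or unknown.
compliance_state() {
    # Reject empty or non-numeric input instead of guessing.
    case $1 in ''|*[!0-9.]*) echo "unknown"; return 2 ;; esac
    if version_lt "$1" "${2:-$MIN_OS_VERSION}"; then
        echo "noncompliant"
    else
        echo "compliant"
    fi
}

# On a Mac, report the state for the running OS; on other systems do nothing.
if command -v sw_vers >/dev/null 2>&1; then
    current=$(sw_vers -productVersion)
    echo "macOS $current: $(compliance_state "$current")"
fi
```
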