In this post I will show you how to use a macOS compliance policy in Intune to send update notifications. Intune cannot directly apply updates to macOS devices; however, with a compliance policy we can mark a device non-compliant when a new update is released and notify the user in different ways.

This is a two-step process. We are going to:

  1. Create a notification through the Compliance policies blade.
  2. Create a compliance policy and set up the notification feature.

Create Notifications through Compliance policies

Log in to the MEM Admin Center and navigate to Devices > Compliance Policies > Notifications. Click Notifications.

Create Notification

Under Create Notifications, specify the name as macOS Old version and make the following changes:

  • Email header – Include company logo : Enable
  • Email footer – Include company name: Enable
  • Email footer – Include contact information: Enable
  • Company Portal Website Link: Enable

Under Notification message templates, specify:

  • Locale: English (United States)
  • Subject: Urgent – Your device is on old version
  • Message:

Dear user,

Your device is having old operating system version. You are requested to immediately action on this by updating it to latest version.

  • Is Default: Check the box

Under Scope tags, click Next.


Under Review + Create, verify the settings and click Create.


The notification is now ready. It will be used in the compliance policy, which is our next step.

Create Compliance Policies for macOS

Navigate to Devices > macOS devices. Under macOS policies, select Compliance policies and click Create Policy.


Under Create a policy, the platform will be shown as macOS and the profile type as Mac compliance policy. Click Create.


Under Mac Compliance policy, specify the name as “MacOS Compliance” and click Next.


Under Compliance Settings, you will see multiple options to specify such as:

  • Device Health
  • Device Properties
  • System Security

We are interested in Device Properties. Expand it and specify:

  • Minimum OS version: 12.3.1
  • Maximum OS version:
  • Minimum OS build version:
  • Maximum OS build version:

We have specified the minimum OS version as macOS Monterey 12.3.1. We could also have used the build version.

Under Actions for noncompliance, we have multiple actions to define such as:

  • Mark device noncompliant
  • Send email to end user
  • Remotely lock the noncompliant device
  • Retire the noncompliant device

Let’s use two of the actions:

Mark device noncompliant: set to “Immediately”.

Send email to end user: under Schedule (days for noncompliance), specify the number of days after which the device will be marked as noncompliant; let’s select 0.

Under Message template, select the previously created notification, which is listed under Notification message templates.


Under Additional recipients we can specify additional email addresses, for example a specific department’s line manager or the compliance team’s ID.


Once we have made the selections, click Next.

Under Scope Tags, click Next.

Under Assignments, target the compliance policy to an existing group and click Next.


Under Review + Create, click Create.


Verify compliance policy on macOS device

Log in to the macOS device. Once a sync is initiated (you can also do it manually, either through the MEM console or through Company Portal on the device), the policy will kick in and immediately mark your device as non-compliant if its version is lower than 12.3.1.

In Company Portal, you will see the list of devices, and the specific macOS device will show:

macOS not in compliance

You need to update settings on this device. See status for details.
This device does not meet company compliance and security policies. You need to make some changes to this device so that you can access company resources.

Click the 3 horizontal dots to get more details.

You will see the notification: MacBook Pro is not in compliance.


The Update device settings message will show Update your operating system with the message “You need to update your operating system to 12.3 or later.”


If you go back to the MEM admin center, you will see the device is now marked as Not Compliant.


The user will also get an email notification. This is the same notification which we created previously.


Update the device. Once that is done, the device will be marked as compliant again.
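
Before assigning the policy to a group, it helps to know which Macs will be flagged and emailed on day 0. The script below is an added example, not part of the original walkthrough or of Intune itself. It assumes device records shaped like Microsoft Graph managedDevice objects (deviceName, operatingSystem, osVersion), that osVersion may carry a trailing build in parentheses, and that versions are compared numerically component by component; the sample inventory is constructed.

```python
import re

MIN_OS_VERSION = "12.3.1"  # the Minimum OS version entered in the policy above


def parse_version(text):
    """Return the dotted version as a tuple of ints, ignoring a trailing build like ' (21E258)'."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    if not match:
        raise ValueError(f"unparseable OS version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_below_minimum(os_version, minimum=MIN_OS_VERSION):
    """Numeric, component-wise comparison (assumption); '12.3' is treated as 12.3.0."""
    have, need = parse_version(os_version), parse_version(minimum)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have < need


def devices_to_notify(devices, minimum=MIN_OS_VERSION):
    """Split macOS devices into (would be noncompliant, version unknown)."""
    flagged, unknown = [], []
    for device in devices:
        if device.get("operatingSystem", "").lower() != "macos":
            continue  # the policy in this post targets macOS only
        try:
            if is_below_minimum(device.get("osVersion"), minimum):
                flagged.append(device["deviceName"])
        except ValueError:
            unknown.append(device["deviceName"])  # review these by hand
    return flagged, unknown


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    {"deviceName": "MBP-001", "operatingSystem": "macOS", "osVersion": "12.3 (21E230)"},
    {"deviceName": "MBP-002", "operatingSystem": "macOS", "osVersion": "12.3.1 (21E258)"},
    {"deviceName": "MBP-003", "operatingSystem": "macOS", "osVersion": "12.10"},
    {"deviceName": "MBP-004", "operatingSystem": "macOS", "osVersion": "11.6.5 (20G527)"},
    {"deviceName": "MBP-005", "operatingSystem": "macOS", "osVersion": ""},
    {"deviceName": "PC-001", "operatingSystem": "Windows", "osVersion": "10.0.19044.1645"},
]

if __name__ == "__main__":
    flagged, unknown = devices_to_notify(SAMPLE_DEVICES)
    print("Would be marked noncompliant:", flagged)
    print("Version could not be parsed:", unknown)
```

Under these assumptions a Mac on 12.3 falls below the 12.3.1 minimum, and a plain string comparison would misorder a value such as 12.10, which is why the versions are compared as integers.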
