Intune MacOS management capabilities

Back in 2015 I wrote a blog about Mac management with Intune, however it’s been a few years and I feel it’s time we re-visit Mac management with Intune to learn more about what’s changed. You’ll soon learn there’s been a significant amount of progress and since my first post Intune now has a lot of native Mac management capabilities built in.

First let’s look at MacOS enrollment options with Intune.

MacOS enrollment options

There are two methods to enroll MacOS with Intune, user driven or using Device Enrollment Program.

User driven enrollment

For user driven enrollment the end user will need to sign into the web based version of the company portal via https://portal.manage.microsoft.com

If the user already had a device registered it will show on the screen, if the Mac is the first device being enrolled, they will see the following:

Once the user selects “Add this one by tapping here” they’ll be prompted to download the Intune Company Portal app.

After the Company Portal is downloaded and installed, open it up and you’ll be asked to sign-in using your corporate credentials. These are the same credentials used to sign into Office 365 (derived from Azure AD).

After sign-in is complete the device will begin the enrollment process.

For more details on user driven Mac enrollment please visit: https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp

Apple Device Enrollment Program

The concept of the Apple DEP is to associate devices with an organization and to streamline the enrollment process, similar to enrolling Apple iOS devices. However, enrollment requires a different process by associating an Apple enrollment token with Intune. After the enrollment token is added and enrollment profile is created in Intune and associated with the enrollment token.

During the enrollment profile creation process you’ll be asked to select user affinity (i.e. userless or user associated). Once user affinity is selected, you’ll also select whether or not you’ll allow users to remove the enrollment profile via the “Locked enrollment” setting.  Finally, you’ll customize the setup assistance which allows for hiding setup screen, e.g. Apple Pay, Siri, Registration, etc.

For more details on the Apple enrollment token process with Intune please visit: https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-macos

Conditional access

An exciting feature of Azure AD is the ability to target certain device platforms (e.g. MacOS) and set a series of conditions for access by creating conditional access policies in Azure AD.

Compliance

Azure AD and Intune compliance policies also play a role in access. Step through the compliance policies below to view the restrictions that may be enabled for the device to be compliant.

Device Health

System integrity protection prevents malicious apps from modifying protected files and folders.

Device Properties

Specify which OS version and builds you’ll allow before accessing corporate resources.

System Security

Configured password and password integrity, storage encryption, firewall, and gatekeeper to project against malware.

Actions to take for non-compliance

Take action when devices are not compliant with the compliance policy by sending the user a mail and/or locking the device.

Associating an Intune compliance policy with Azure AD conditional access policy

Create an Azure AD conditional access policy to require the device be compliant to access corporate resources.

Looking at device configuration for MacOS there are a number of settings, and in my opinion, those settings address a lot of organizations requirements for Apple Mac management.

Device features

Device restrictions








Endpoint protection

Looking to protect the device further by configuring the firewall and controlling where apps are installed from? Gatekeep will help with those requirements.


Further configure firewall settings to device what you’ll allow in and which apps are allowed and/or blocked.


Certificates

Intune supports PKCS certificates for general and S/MIME purposes.



Device and user-based certificates are both supported via SCEP


VPN

Many VPN settings are available including 3rd party VPN support.


Make note of On-demand and per-app VPN


Use a proxy server? No problem!


Wi-Fi

Both Basic and Enterprise Wi-Fi profiles are supported with various auth types.


Customize with Apple Configurator

Don’t see a setting in the UI, not to worry as you can create a custom profile using Apple Profile Manager and/or Apple Configurator and upload the payload for delivery through Intune.


App deployment

Both line of business and Office apps are supported right from the UI.


When selecting “Line-of-business app” the MacOS app must be wrapped using the app wrapping tool for Mac which will wrap the app and give it an extension of .intuneMac.

The tool is available on GitHub: https://github.com/msintuneappsdk/intune-app-wrapping-tool-mac

To learn more about Mac app deployment with Intune please visit: https://docs.microsoft.com/en-us/intune/lob-apps-macos

One of my peers Scott Duffey @Scottduf has a great post on this topic: https://blogs.technet.microsoft.com/microscott/deploying-apps-to-macs-using-microsoft-intune/

Note: as of this post only .pkg files are supported nor are conversions from .dmg to .pkg

Microsoft + Jamf partnership

Microsoft has also has a partnership with Jamf. Jamf also provides MacOS management and if your organization currently utilizes Jamf and would like to receive the benefits of integrating Jamf with Intune you can do this today with Jamf Pro. So, what does this mean?

MacOS devices managed by Jamf remain managed by Jamf when Intune comes into the picture (thus are only registered with Intune not enrolled) and integrating Jamf Pro with Intune provides a path for Jamf to send signals in the form of inventory to Intune. Intune will use compliance policies to evaluate the Jamf signals and in turn send signals over to Azure AD stating whether the device is compliant or not. The Azure AD conditional access policy will kick in and based on your configuration of the conditional access policy, will either block or further challenge the user to remediate before access company resources.

For more details about Intune and Jamf integration please visit: https://docs.microsoft.com/en-us/intune/conditional-access-integrate-jamf

Jamf also has a whitepaper about Intune integration: https://www.jamf.com/resources/technical-papers/integrating-with-microsoft-intune-to-enforce-compliance-on-macs/

That’s it for now, however Microsoft is always releasing updates for Intune.  Check back monthly with What’s new in Microsoft Intune and be sure to check which Intune features are under development by visiting: https://docs.microsoft.com/en-us/intune/in-development

Azure Information Protection… a log journey

 

Azure Information Protection (AIP) provides the ability to protect and classify information. For example, AIP policies can be created and used to classify, label, and protect data from leaking such as credit card numbers, social security numbers, or classify, label, and protect based off key words and so on.

For this post, I will not dive into details about how data protection, classification and labeling work, because there is already plenty of great documentation the teams at Microsoft provide out there on the web.  Rather I will focus on logging and reporting.  I’ll assume you’re already familiar with AIP or are using it today in some fashion.

If you’re interested in learning more about Azure Information Protection and what it can do for your organization, please visit: https://www.microsoft.com/en-us/cloud-platform/azure-information-protection

Within the Azure Information Protection umbrella we have a service called Azure Rights Management Services (Azure RMS). You’ll hear Azure Information Protection and Azure RMS terms interchanged, however I’ll stick with the term Azure RMS for the next section of the post.

 

Azure RMS

Azure RMS provides the ability to protect content, whether it’s an email or file.  Azure RMS templates which contain content permissions such as blocking printing, forwarding, editing, and much more.

To learn more about Azure RMS please visit: https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms

I encourage everyone to read through the Azure RMS FAQ as well because it will answer most questions: https://docs.microsoft.com/en-us/information-protection/get-started/faqs-rms

 

Assuming you have Azure RMS set up and your users are protecting content, the next stage is to learn about how to access the Azure RMS logs.  Log entries are generated as users apply Azure RMS templates files, share protected content with users, and when users attempt to open Azure RMS protected content.

The following link does a very good job at walking through accessing Azure RMS log files: https://docs.microsoft.com/en-us/information-protection/deploy-use/log-analyze-usage

Once the logs are downloaded using the instructions provided in the previous link, use logparser (described within the link above) to consolidate the logs into a .CSV.

 

With a .CSV file full of Azure RMS log history we can create reports from it.  We can create tables within Excel or use a cloud service such as Microsoft Power BI to import the logs into to create reports and dashboards or utilize Microsoft Log Analytics to upload the logs to create dashboards as well (more on Log Analytics in the next section).

For example, I imported the .CSV file to Power BI and created a report that shows Azure RMS protected documents and who accessed them:

image

 

I also created a Power BI report showing who shares the most Azure RMS protected files:

image

 

Lastly, I created a report to view when and what files were protected and shared:

image

The options are endless using services such as Microsoft Power BI and you can get as creative as you’d like with reporting and dashboards.

 

Classification and Labeling

Classification and Labeling provides users the ability to classify and label content. To learn more about classification and labeling and how to install the client please visit: https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-information-protection

I encourage everyone to read through the Azure Information Protection FAQ as well because it will answer most questions: https://docs.microsoft.com/en-us/information-protection/get-started/faqs-infoprotect

 

With classification and labeling, logging is localized to the Windows device via event viewer. Logging events occur when a user changes the classification label, for example changing a document labeled as confidential to personal. The classification profile I have configured requires a justification for changing the classification label and that justification is also logged in event viewer. However, having logs localized to a device makes it difficult to create a centralized report typically used for auditing or monitoring purposes. So, we must get creative with centralizing logging and reports for classification.

 

Microsoft offers a service called Log Analytics (part of the Operations Management Suite or OMS) that will ingest logs from a variety of formats. Log Analytics is similar to a SIEM (Security Information and Event Management) system, some may even call it a SIEM.

To view more details on Log Analytics please visit: https://azure.microsoft.com/en-us/documentation/articles/log-analytics-overview/

 

Working with Log Analytics 

I have a Windows client where I downloaded the Log Analytics agent to (as well as has the Information Protection client installed). To download the Log Analytics agent, sign into https://www.microsoft.com/en-us/cloud-platform/operations-management-suite (create a trial if you don’t already have a subscription) and select the “Settings” cog on the left, then “Connected Sources” and download the version of the agent that aligns to your device (e.g. 32 or 64 bit).

image

 

Once the Log Analytics agent is downloaded to the Windows device with the classification client installed, install it and run through the wizard to register the device with the Log Analytics subscription.

 

After client installation and registration is complete, within Log Analytics select the “Settings” cog and then select “Data” and “Windows Event Logs”. Add the Windows event logs you wish to monitor using the “+” sign. The “Azure Information Protection” log will contain the Azure Information Protection (classification) events. 

Note: past events from Event Viewer will not be sent to Log Analytics, only new events that are created after the Log Analytics agent will.  This is important because if there were classification label changes that took place before the Log Analytics agent was installed they will not be sent to Log Analytics, only new events post Log Analytics client install will.

 

image

 

Once the Log Analytics logging configuration is completed, start creating events by changing the classification label in a document. Watch the video below for an example:

December 2016 Update – with the release of the new AIP Client, new event IDs are now logged in Event Viewer as well as other features (updated images below).  More details here: https://blogs.technet.microsoft.com/enterprisemobility/2016/12/07/azure-information-protection-december-preview-now-available/ 

AIP_EventLogging

 

Now that we have logs in event viewer (and the device is connected to Log Analytics), navigate to Log Analytics and query for all Azure Information Protection events as shown below:

image

image

image

 

Save the query, give it a name, and add the query to your dashboard for a more real-time view as shown below:

image

 

That’s all for now, I hope you find this useful when you’re looking to manage logs that Azure Information Protection creates as well as creating reports and dashboards for visibility and compliance.