
How to Block Unmanaged macOS Devices from Accessing Corporate Resources with Microsoft Intune

Topics: Intune, Security and Compliance, Systems Management

Many in IT are closely watching this topic of restricting unmanaged macOS devices, driven by zero-trust principles and the need to keep company data exclusively on corporate devices. Today, I’ll show you how to block access to Office 365 resources, including Outlook, SharePoint, and Excel. You can apply this approach to other resources too, but I’ll keep it simple for this example. 

Block Unmanaged macOS Devices: Why It Matters 

If you’re wondering why this might be important to set up, let’s go over a quick scenario. Without this setup, end users can access sensitive resources—like financial reports—from any macOS device, which might lead to data leaks. Another reason to enable this is to help prevent token theft, where attackers hijack your session on any device. With this policy, we can block unmanaged devices from accessing corporate data and safeguard users from token theft. 

Before we get started, ensure you have a compliance policy enabled for your macOS devices. If you don’t have one, no worries—I’ve got you covered. Take a look at this guide (coming soon) to help you get started. Currently, you can’t target only Entra-joined devices. A workaround is to target devices marked as compliant, since only devices enrolled in Intune and evaluated against a compliance policy can be marked compliant. 

Before getting started, ensure you have the following in place: 

  • Compliance Policy targeted to your endpoints  
  • Security Administrator Role (Entra ID)  

Let’s fire up Intune and navigate to the Microsoft Intune admin center > Endpoint Security > Conditional Access. 

[Screenshot: Block Unmanaged macOS Devices - conditional access]

Once you’re on the Conditional Access | Overview page, select +Create new policy. You’ll be presented with a blank template for setting up your conditional access policy. Now, let’s start by giving our policy a name. I’ll call it “Require Intune Compliant Device for Corporate Access.” We can also target this policy to specific users. I encourage you to pilot it with a small group first, as it can be quite disruptive. I went ahead and added my pilot group to test this policy😊.

[Screenshot: conditional access - users]

Next, let’s select our target resources. This step determines the apps to which the conditional access policy applies. In my case, I’m only selecting Office 365, which bundles the individual Office 365 services (Exchange Online, SharePoint Online, and so on) into a single target. However, you can target all resources if you prefer—just be sure to test thoroughly, as this tool is powerful. 

[Screenshot: Block Unmanaged macOS Devices - target resources]

Next, select the device platforms that this policy will target. For this demonstration, I’m going to target only macOS devices, but you can also target all platforms if you would like. Select Conditions > Device platforms > Include > select device platforms (macOS).  

[Screenshot: Device platforms]

The final step is to specify that access to Office 365 resources is granted only if the device meets the control “Require device to be marked as compliant.” Under Access Controls, click on Grant > select Grant Access > and check the box “Require device to be marked as compliant.” 

[Screenshot: Grant access]

Once that’s complete, enable your policy by toggling the slider to On > then click Create. 

Great, now you’ve created a conditional access policy that requires macOS devices to be marked as compliant before accessing Office 365 applications.  
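The same policy can be created from the Microsoft Graph PowerShell SDK instead of clicking through the portal, which is handy when you want the configuration under version control or repeatable across tenants. This is an added example, not code from the original post; it assumes the Microsoft.Graph.Identity.SignIns module is installed and uses a placeholder for the pilot group’s object ID.

```powershell
# Added example: builds the policy from the walkthrough via Microsoft Graph.
# Prerequisite: Install-Module Microsoft.Graph.Identity.SignIns
# The signed-in account needs the Security Administrator (or equivalent) role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: replace with the object ID of your pilot group
$pilotGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require Intune Compliant Device for Corporate Access"
    # "enabled" matches toggling the slider to On in the portal.
    # Use "enabledForReportingButNotEnforced" to evaluate sign-ins without blocking.
    state = "enabled"
    conditions = @{
        users = @{
            includeGroups = @($pilotGroupId)
        }
        applications = @{
            # "Office365" is the grouped Office 365 target (Exchange, SharePoint, ...)
            includeApplications = @("Office365")
        }
        platforms = @{
            includePlatforms = @("macOS")
        }
        # The Graph API requires clientAppTypes; "all" matches the portal default.
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        # Grant access only when the device is marked compliant by Intune
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm what was actually stored
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object Id, DisplayName, State,
        @{ n = "Platforms"; e = { $_.Conditions.Platforms.IncludePlatforms -join "," } },
        @{ n = "Grant";     e = { $_.GrantControls.BuiltInControls -join "," } }
```

Once the policy is live, the Entra ID sign-in logs (Conditional Access tab) show which policy blocked a given sign-in, which is the quickest way to confirm the pilot group is being evaluated as expected.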

End User Experience

This is now my experience when accessing Office 365 resources on an unmanaged device. 

[Screenshot: Block Unmanaged macOS Devices - access blocked on an unmanaged device]

Conclusion

This guide has shown you how to set up a conditional access policy that blocks unmanaged macOS devices from accessing Office 365 resources. By following these steps, you enhance your security and reduce risks like token theft while keeping data safely on compliant devices. Implementing this policy is a straightforward way to protect corporate information without adding extra complexity. 
