IntuneDeviceConfigurationPolicyMacOS

Parameters

Parameter Attribute DataType Description Allowed Values
Id Write String
DisplayName Key String
Description Write String
AddingGameCenterFriendsBlocked Write Boolean
AirDropBlocked Write Boolean
AppleWatchBlockAutoUnlock Write Boolean Blocks users from unlocking their Mac with Apple Watch.
CameraBlocked Write Boolean Blocks users from taking photographs and videos.
ClassroomAppBlockRemoteScreenObservation Write Boolean Blocks AirPlay, screen sharing to other devices, and a Classroom app feature used by teachers to view their students' screens. This setting isn't available if you've blocked screenshots.
ClassroomAppForceUnpromptedScreenObservation Write Boolean Unprompted observation means that teachers can view screens without warning students first. This setting isn't available if you've blocked screenshots.
ClassroomForceAutomaticallyJoinClasses Write Boolean Students can join a class without prompting the teacher.
ClassroomForceRequestPermissionToLeaveClasses Write Boolean Students enrolled in an unmanaged Classroom course must get teacher consent to leave the course.
ClassroomForceUnpromptedAppAndDeviceLock Write Boolean Teachers can lock a student's device or app without the student's approval.
CompliantAppListType Write String Device compliance can be viewed in the Restricted Apps Compliance report. none, appsInListCompliant, appsNotInListCompliant
CompliantAppsList Write MSFT_MicrosoftGraphapplistitemMacOS[]
ContentCachingBlocked Write Boolean
DefinitionLookupBlocked Write Boolean Block look up, a feature that looks up the definition of a highlighted word.
EmailInDomainSuffixes Write StringArray[] Emails that the user sends or receives which don't match the domains you specify here will be marked as untrusted.
EraseContentAndSettingsBlocked Write Boolean
GameCenterBlocked Write Boolean
ICloudBlockActivityContinuation Write Boolean Handoff lets users start work on one MacOS device, and continue it on another MacOS or iOS device. Available for macOS 10.15 and later.
ICloudBlockAddressBook Write Boolean Blocks iCloud from syncing contacts.
ICloudBlockBookmarks Write Boolean Blocks iCloud from syncing bookmarks.
ICloudBlockCalendar Write Boolean Blocks iCloud from syncing calendars.
ICloudBlockDocumentSync Write Boolean Blocks iCloud from syncing documents and data.
ICloudBlockMail Write Boolean Blocks iCloud from syncing mail.
ICloudBlockNotes Write Boolean Blocks iCloud from syncing notes.
ICloudBlockPhotoLibrary Write Boolean Any photos not fully downloaded from iCloud Photo Library to device will be removed from local storage.
ICloudBlockReminders Write Boolean Blocks iCloud from syncing reminders.
ICloudDesktopAndDocumentsBlocked Write Boolean
ICloudPrivateRelayBlocked Write Boolean
ITunesBlockFileSharing Write Boolean Blocks files from being transferred using iTunes.
ITunesBlockMusicService Write Boolean
KeyboardBlockDictation Write Boolean Block dictation, which is a feature that converts the user's voice to text.
KeychainBlockCloudSync Write Boolean Disables syncing credentials stored in the Keychain to iCloud
MultiplayerGamingBlocked Write Boolean
PasswordBlockAirDropSharing Write Boolean
PasswordBlockAutoFill Write Boolean
PasswordBlockFingerprintUnlock Write Boolean Requires user to set a non-biometric passcode or password to unlock the device.
PasswordBlockModification Write Boolean Blocks user from changing the set passcode.
PasswordBlockProximityRequests Write Boolean
PasswordBlockSimple Write Boolean Block simple password sequences, such as 1234 or 1111.
PasswordExpirationDays Write UInt32 Number of days until device password must be changed. (1-65535)
PasswordMaximumAttemptCount Write UInt32
PasswordMinimumCharacterSetCount Write UInt32 Minimum number (0-4) of non-alphanumeric characters, such as #, %, !, etc., required in the password. The default value is 0.
PasswordMinimumLength Write UInt32 Minimum number of digits or characters in password (4-16).
PasswordMinutesOfInactivityBeforeLock Write UInt32 Set to 0 to require a password immediately. There is no maximum number of minutes, and this number overrides the number currently set on the device.
PasswordMinutesOfInactivityBeforeScreenTimeout Write UInt32 Set to 0 to use the device's minimum possible value. This number (0-60 minutes) overrides the number currently set on the device.
PasswordMinutesUntilFailedLoginReset Write UInt32
PasswordPreviousPasswordBlockCount Write UInt32 Number of new passwords that must be used until an old one can be reused. (1-24)
PasswordRequired Write Boolean Specify the type of password required.
PasswordRequiredType Write String Specify the type of password required. deviceDefault, alphanumeric, numeric
PrivacyAccessControls Write MSFT_MicrosoftGraphmacosprivacyaccesscontrolitem[] Configure an app's access to specific data, folders, and apps on a device. These settings apply to devices running macOS Mojave 10.14 and later.
SafariBlockAutofill Write Boolean Blocks Safari from remembering what users enter in web forms.
ScreenCaptureBlocked Write Boolean
SoftwareUpdateMajorOSDeferredInstallDelayInDays Write UInt32
SoftwareUpdateMinorOSDeferredInstallDelayInDays Write UInt32
SoftwareUpdateNonOSDeferredInstallDelayInDays Write UInt32
SoftwareUpdatesEnforcedDelayInDays Write UInt32 Delay the user's software update for this many days. The maximum is 90 days. (1-90)
SpotlightBlockInternetResults Write Boolean Blocks Spotlight from returning any results from an Internet search
TouchIdTimeoutInHours Write UInt32
UpdateDelayPolicy Write StringArray[] none, delayOSUpdateVisibility, delayAppUpdateVisibility, unknownFutureValue, delayMajorOsUpdateVisibility
WallpaperModificationBlocked Write Boolean
Assignments Write MSFT_DeviceManagementConfigurationPolicyAssignments[] Represents the assignment to the Intune policy.
Ensure Write String Present ensures the policy exists, absent ensures it is removed. Present, Absent
Credential Write PSCredential Credentials of the Intune Admin
ApplicationId Write String Id of the Azure Active Directory application to authenticate with.
TenantId Write String Id of the Azure Active Directory tenant used for authentication.
ApplicationSecret Write PSCredential Secret of the Azure Active Directory tenant used for authentication.
CertificateThumbprint Write String Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
ManagedIdentity Write Boolean Managed ID being used for authentication.

MSFT_DeviceManagementConfigurationPolicyAssignments

Parameters

Parameter Attribute DataType Description Allowed Values
dataType Write String The type of the target assignment. #microsoft.graph.groupAssignmentTarget, #microsoft.graph.allLicensedUsersAssignmentTarget, #microsoft.graph.allDevicesAssignmentTarget, #microsoft.graph.exclusionGroupAssignmentTarget, #microsoft.graph.configurationManagerCollectionAssignmentTarget
deviceAndAppManagementAssignmentFilterType Write String The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. none, include, exclude
deviceAndAppManagementAssignmentFilterId Write String The Id of the filter for the target assignment.
groupId Write String The group Id that is the target of the assignment.
collectionId Write String The collection Id that is the target of the assignment.(ConfigMgr)

MSFT_MicrosoftGraphapplistitemMacOS

Parameters

Parameter Attribute DataType Description Allowed Values
odataType Write String #microsoft.graph.appleAppListItem
appId Write String
appStoreUrl Write String
name Write String
publisher Write String

MSFT_MicrosoftGraphmacosprivacyaccesscontrolitem

Parameters

Parameter Attribute DataType Description Allowed Values
accessibility Write String notConfigured, enabled, disabled
addressBook Write String Blocks iCloud from syncing contacts. notConfigured, enabled, disabled
appleEventsAllowedReceivers Write MSFT_MicrosoftGraphmacosappleeventreceiver[]
blockCamera Write Boolean
blockListenEvent Write Boolean
blockMicrophone Write Boolean
blockScreenCapture Write Boolean
calendar Write String Blocks iCloud from syncing calendars. notConfigured, enabled, disabled
codeRequirement Write String
displayName Write String
fileProviderPresence Write String notConfigured, enabled, disabled
identifier Write String
identifierType Write String bundleID, path
mediaLibrary Write String notConfigured, enabled, disabled
photos Write String notConfigured, enabled, disabled
postEvent Write String notConfigured, enabled, disabled
reminders Write String Blocks iCloud from syncing reminders. notConfigured, enabled, disabled
speechRecognition Write String notConfigured, enabled, disabled
staticCodeValidation Write Boolean
systemPolicyAllFiles Write String notConfigured, enabled, disabled
systemPolicyDesktopFolder Write String notConfigured, enabled, disabled
systemPolicyDocumentsFolder Write String notConfigured, enabled, disabled
systemPolicyDownloadsFolder Write String notConfigured, enabled, disabled
systemPolicyNetworkVolumes Write String notConfigured, enabled, disabled
systemPolicyRemovableVolumes Write String notConfigured, enabled, disabled
systemPolicySystemAdminFiles Write String notConfigured, enabled, disabled

MSFT_MicrosoftGraphmacosappleeventreceiver

Parameters

Parameter Attribute DataType Description Allowed Values
allowed Write Boolean
codeRequirement Write String
identifier Write String
identifierType Write String bundleID, path

Description

This resource configures an Intune device configuration profile for an MacOS Device.

Permissions

Microsoft Graph

To authenticate with the Microsoft Graph API, this resource required the following permissions:

Delegated permissions

  • Read

    • DeviceManagementConfiguration.Read.All
  • Update

    • DeviceManagementConfiguration.ReadWrite.All

Application permissions

  • Read

    • DeviceManagementConfiguration.Read.All
  • Update

    • DeviceManagementConfiguration.ReadWrite.All

Examples

Example 1

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
{
    param(
        [Parameter(Mandatory = $true)]
        [PSCredential]
        $credsGlobalAdmin
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        IntuneDeviceConfigurationPolicyMacOS 'myMacOSDevicePolicy'
        {
            Id                                              = '01fc772e-a2ef-4c33-8b57-29b7aa5243cb'
            DisplayName                                     = 'MacOS device restriction'
            AddingGameCenterFriendsBlocked                  = $True
            AirDropBlocked                                  = $False
            AppleWatchBlockAutoUnlock                       = $False
            Assignments                                     = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments {
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType                                   = '#microsoft.graph.groupAssignmentTarget'
                    groupId                                    = 'e8cbd84d-be6a-4b72-87f0-0e677541fda0'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments {
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType                                   = '#microsoft.graph.groupAssignmentTarget'
                    groupId                                    = 'ea9199b8-3e6e-407b-afdc-e0943e0d3c20'
                })
            CameraBlocked                                   = $False
            ClassroomAppBlockRemoteScreenObservation        = $False
            ClassroomAppForceUnpromptedScreenObservation    = $False
            ClassroomForceAutomaticallyJoinClasses          = $False
            ClassroomForceRequestPermissionToLeaveClasses   = $False
            ClassroomForceUnpromptedAppAndDeviceLock        = $False
            CompliantAppListType                            = 'appsNotInListCompliant'
            CompliantAppsList                               = @(
                MSFT_MicrosoftGraphapplistitemMacOS {
                    name      = 'appname2'
                    publisher = 'publisher'
                    appId     = 'bundle'
                }
            )
            ContentCachingBlocked                           = $False
            DefinitionLookupBlocked                         = $True
            EmailInDomainSuffixes                           = @()
            EraseContentAndSettingsBlocked                  = $False
            GameCenterBlocked                               = $False
            ICloudBlockActivityContinuation                 = $False
            ICloudBlockAddressBook                          = $False
            ICloudBlockBookmarks                            = $False
            ICloudBlockCalendar                             = $False
            ICloudBlockDocumentSync                         = $False
            ICloudBlockMail                                 = $False
            ICloudBlockNotes                                = $False
            ICloudBlockPhotoLibrary                         = $False
            ICloudBlockReminders                            = $False
            ICloudDesktopAndDocumentsBlocked                = $False
            ICloudPrivateRelayBlocked                       = $False
            ITunesBlockFileSharing                          = $False
            ITunesBlockMusicService                         = $False
            KeyboardBlockDictation                          = $False
            KeychainBlockCloudSync                          = $False
            MultiplayerGamingBlocked                        = $False
            PasswordBlockAirDropSharing                     = $False
            PasswordBlockAutoFill                           = $False
            PasswordBlockFingerprintUnlock                  = $False
            PasswordBlockModification                       = $False
            PasswordBlockProximityRequests                  = $False
            PasswordBlockSimple                             = $False
            PasswordRequired                                = $False
            PasswordRequiredType                            = 'deviceDefault'
            PrivacyAccessControls                           = @(
                MSFT_MicrosoftGraphmacosprivacyaccesscontrolitem {
                    displayName                  = 'test'
                    identifier                   = 'test45'
                    identifierType               = 'path'
                    codeRequirement              = 'test'
                    blockCamera                  = $True
                    speechRecognition            = 'notConfigured'
                    accessibility                = 'notConfigured'
                    addressBook                  = 'enabled'
                    calendar                     = 'notConfigured'
                    reminders                    = 'notConfigured'
                    photos                       = 'notConfigured'
                    mediaLibrary                 = 'notConfigured'
                    fileProviderPresence         = 'notConfigured'
                    systemPolicyAllFiles         = 'notConfigured'
                    systemPolicySystemAdminFiles = 'notConfigured'
                    systemPolicyDesktopFolder    = 'notConfigured'
                    systemPolicyDocumentsFolder  = 'notConfigured'
                    systemPolicyDownloadsFolder  = 'notConfigured'
                    systemPolicyNetworkVolumes   = 'notConfigured'
                    systemPolicyRemovableVolumes = 'notConfigured'
                    postEvent                    = 'notConfigured'
                }
            )
            SafariBlockAutofill                             = $False
            ScreenCaptureBlocked                            = $False
            SoftwareUpdateMajorOSDeferredInstallDelayInDays = 30
            SoftwareUpdateMinorOSDeferredInstallDelayInDays = 30
            SoftwareUpdateNonOSDeferredInstallDelayInDays   = 30
            SoftwareUpdatesEnforcedDelayInDays              = 30
            SpotlightBlockInternetResults                   = $False
            UpdateDelayPolicy                               = @('delayOSUpdateVisibility', 'delayAppUpdateVisibility', 'delayMajorOsUpdateVisibility')
            WallpaperModificationBlocked                    = $False
            Ensure                                          = 'Present'
            Credential                                      = $credsGlobalAdmin
        }
    }
}