IntuneDeviceConfigurationPolicyMacOS¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Id | Write | String | ||
| DisplayName | Key | String | ||
| Description | Write | String | ||
| AddingGameCenterFriendsBlocked | Write | Boolean | ||
| AirDropBlocked | Write | Boolean | ||
| AppleWatchBlockAutoUnlock | Write | Boolean | Blocks users from unlocking their Mac with Apple Watch. | |
| CameraBlocked | Write | Boolean | Blocks users from taking photographs and videos. | |
| ClassroomAppBlockRemoteScreenObservation | Write | Boolean | Blocks AirPlay, screen sharing to other devices, and a Classroom app feature used by teachers to view their students' screens. This setting isn't available if you've blocked screenshots. | |
| ClassroomAppForceUnpromptedScreenObservation | Write | Boolean | Unprompted observation means that teachers can view screens without warning students first. This setting isn't available if you've blocked screenshots. | |
| ClassroomForceAutomaticallyJoinClasses | Write | Boolean | Students can join a class without prompting the teacher. | |
| ClassroomForceRequestPermissionToLeaveClasses | Write | Boolean | Students enrolled in an unmanaged Classroom course must get teacher consent to leave the course. | |
| ClassroomForceUnpromptedAppAndDeviceLock | Write | Boolean | Teachers can lock a student's device or app without the student's approval. | |
| CompliantAppListType | Write | String | Device compliance can be viewed in the Restricted Apps Compliance report. | none, appsInListCompliant, appsNotInListCompliant |
| CompliantAppsList | Write | MSFT_MicrosoftGraphapplistitemMacOS[] | ||
| ContentCachingBlocked | Write | Boolean | ||
| DefinitionLookupBlocked | Write | Boolean | Block look up, a feature that looks up the definition of a highlighted word. | |
| EmailInDomainSuffixes | Write | StringArray[] | Emails that the user sends or receives which don't match the domains you specify here will be marked as untrusted. | |
| EraseContentAndSettingsBlocked | Write | Boolean | ||
| GameCenterBlocked | Write | Boolean | ||
| ICloudBlockActivityContinuation | Write | Boolean | Handoff lets users start work on one MacOS device, and continue it on another MacOS or iOS device. Available for macOS 10.15 and later. | |
| ICloudBlockAddressBook | Write | Boolean | Blocks iCloud from syncing contacts. | |
| ICloudBlockBookmarks | Write | Boolean | Blocks iCloud from syncing bookmarks. | |
| ICloudBlockCalendar | Write | Boolean | Blocks iCloud from syncing calendars. | |
| ICloudBlockDocumentSync | Write | Boolean | Blocks iCloud from syncing documents and data. | |
| ICloudBlockMail | Write | Boolean | Blocks iCloud from syncing mail. | |
| ICloudBlockNotes | Write | Boolean | Blocks iCloud from syncing notes. | |
| ICloudBlockPhotoLibrary | Write | Boolean | Any photos not fully downloaded from iCloud Photo Library to device will be removed from local storage. | |
| ICloudBlockReminders | Write | Boolean | Blocks iCloud from syncing reminders. | |
| ICloudDesktopAndDocumentsBlocked | Write | Boolean | ||
| ICloudPrivateRelayBlocked | Write | Boolean | ||
| ITunesBlockFileSharing | Write | Boolean | Blocks files from being transferred using iTunes. | |
| ITunesBlockMusicService | Write | Boolean | ||
| KeyboardBlockDictation | Write | Boolean | Block dictation, which is a feature that converts the user's voice to text. | |
| KeychainBlockCloudSync | Write | Boolean | Disables syncing credentials stored in the Keychain to iCloud | |
| MultiplayerGamingBlocked | Write | Boolean | ||
| PasswordBlockAirDropSharing | Write | Boolean | ||
| PasswordBlockAutoFill | Write | Boolean | ||
| PasswordBlockFingerprintUnlock | Write | Boolean | Requires user to set a non-biometric passcode or password to unlock the device. | |
| PasswordBlockModification | Write | Boolean | Blocks user from changing the set passcode. | |
| PasswordBlockProximityRequests | Write | Boolean | ||
| PasswordBlockSimple | Write | Boolean | Block simple password sequences, such as 1234 or 1111. | |
| PasswordExpirationDays | Write | UInt32 | Number of days until device password must be changed. (1-65535) | |
| PasswordMaximumAttemptCount | Write | UInt32 | ||
| PasswordMinimumCharacterSetCount | Write | UInt32 | Minimum number (0-4) of non-alphanumeric characters, such as #, %, !, etc., required in the password. The default value is 0. | |
| PasswordMinimumLength | Write | UInt32 | Minimum number of digits or characters in password (4-16). | |
| PasswordMinutesOfInactivityBeforeLock | Write | UInt32 | Set to 0 to require a password immediately. There is no maximum number of minutes, and this number overrides the number currently set on the device. | |
| PasswordMinutesOfInactivityBeforeScreenTimeout | Write | UInt32 | Set to 0 to use the device's minimum possible value. This number (0-60 minutes) overrides the number currently set on the device. | |
| PasswordMinutesUntilFailedLoginReset | Write | UInt32 | ||
| PasswordPreviousPasswordBlockCount | Write | UInt32 | Number of new passwords that must be used until an old one can be reused. (1-24) | |
| PasswordRequired | Write | Boolean | Specify the type of password required. | |
| PasswordRequiredType | Write | String | Specify the type of password required. | deviceDefault, alphanumeric, numeric |
| PrivacyAccessControls | Write | MSFT_MicrosoftGraphmacosprivacyaccesscontrolitem[] | Configure an app's access to specific data, folders, and apps on a device. These settings apply to devices running macOS Mojave 10.14 and later. | |
| SafariBlockAutofill | Write | Boolean | Blocks Safari from remembering what users enter in web forms. | |
| ScreenCaptureBlocked | Write | Boolean | ||
| SoftwareUpdateMajorOSDeferredInstallDelayInDays | Write | UInt32 | ||
| SoftwareUpdateMinorOSDeferredInstallDelayInDays | Write | UInt32 | ||
| SoftwareUpdateNonOSDeferredInstallDelayInDays | Write | UInt32 | ||
| SoftwareUpdatesEnforcedDelayInDays | Write | UInt32 | Delay the user's software update for this many days. The maximum is 90 days. (1-90) | |
| SpotlightBlockInternetResults | Write | Boolean | Blocks Spotlight from returning any results from an Internet search | |
| TouchIdTimeoutInHours | Write | UInt32 | ||
| UpdateDelayPolicy | Write | StringArray[] | none, delayOSUpdateVisibility, delayAppUpdateVisibility, unknownFutureValue, delayMajorOsUpdateVisibility |
|
| WallpaperModificationBlocked | Write | Boolean | ||
| Assignments | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | |
| Ensure | Write | String | Present ensures the policy exists, absent ensures it is removed. | Present, Absent |
| Credential | Write | PSCredential | Credentials of the Intune Admin | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| ApplicationSecret | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. |
MSFT_DeviceManagementConfigurationPolicyAssignments¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| dataType | Write | String | The type of the target assignment. | #microsoft.graph.groupAssignmentTarget, #microsoft.graph.allLicensedUsersAssignmentTarget, #microsoft.graph.allDevicesAssignmentTarget, #microsoft.graph.exclusionGroupAssignmentTarget, #microsoft.graph.configurationManagerCollectionAssignmentTarget |
| deviceAndAppManagementAssignmentFilterType | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | none, include, exclude |
| deviceAndAppManagementAssignmentFilterId | Write | String | The Id of the filter for the target assignment. | |
| groupId | Write | String | The group Id that is the target of the assignment. | |
| collectionId | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) |
MSFT_MicrosoftGraphapplistitemMacOS¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| odataType | Write | String | #microsoft.graph.appleAppListItem |
|
| appId | Write | String | ||
| appStoreUrl | Write | String | ||
| name | Write | String | ||
| publisher | Write | String |
MSFT_MicrosoftGraphmacosprivacyaccesscontrolitem¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| accessibility | Write | String | notConfigured, enabled, disabled |
|
| addressBook | Write | String | Blocks iCloud from syncing contacts. | notConfigured, enabled, disabled |
| appleEventsAllowedReceivers | Write | MSFT_MicrosoftGraphmacosappleeventreceiver[] | ||
| blockCamera | Write | Boolean | ||
| blockListenEvent | Write | Boolean | ||
| blockMicrophone | Write | Boolean | ||
| blockScreenCapture | Write | Boolean | ||
| calendar | Write | String | Blocks iCloud from syncing calendars. | notConfigured, enabled, disabled |
| codeRequirement | Write | String | ||
| displayName | Write | String | ||
| fileProviderPresence | Write | String | notConfigured, enabled, disabled |
|
| identifier | Write | String | ||
| identifierType | Write | String | bundleID, path |
|
| mediaLibrary | Write | String | notConfigured, enabled, disabled |
|
| photos | Write | String | notConfigured, enabled, disabled |
|
| postEvent | Write | String | notConfigured, enabled, disabled |
|
| reminders | Write | String | Blocks iCloud from syncing reminders. | notConfigured, enabled, disabled |
| speechRecognition | Write | String | notConfigured, enabled, disabled |
|
| staticCodeValidation | Write | Boolean | ||
| systemPolicyAllFiles | Write | String | notConfigured, enabled, disabled |
|
| systemPolicyDesktopFolder | Write | String | notConfigured, enabled, disabled |
|
| systemPolicyDocumentsFolder | Write | String | notConfigured, enabled, disabled |
|
| systemPolicyDownloadsFolder | Write | String | notConfigured, enabled, disabled |
|
| systemPolicyNetworkVolumes | Write | String | notConfigured, enabled, disabled |
|
| systemPolicyRemovableVolumes | Write | String | notConfigured, enabled, disabled |
|
| systemPolicySystemAdminFiles | Write | String | notConfigured, enabled, disabled |
MSFT_MicrosoftGraphmacosappleeventreceiver¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| allowed | Write | Boolean | ||
| codeRequirement | Write | String | ||
| identifier | Write | String | ||
| identifierType | Write | String | bundleID, path |
Description¶
This resource configures an Intune device configuration profile for an MacOS Device.
Permissions¶
Microsoft Graph¶
To authenticate with the Microsoft Graph API, this resource required the following permissions:
Delegated permissions¶
-
Read
- DeviceManagementConfiguration.Read.All
-
Update
- DeviceManagementConfiguration.ReadWrite.All
Application permissions¶
-
Read
- DeviceManagementConfiguration.Read.All
-
Update
- DeviceManagementConfiguration.ReadWrite.All
Examples¶
Example 1¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter(Mandatory = $true)]
[PSCredential]
$credsGlobalAdmin
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
IntuneDeviceConfigurationPolicyMacOS 'myMacOSDevicePolicy'
{
Id = '01fc772e-a2ef-4c33-8b57-29b7aa5243cb'
DisplayName = 'MacOS device restriction'
AddingGameCenterFriendsBlocked = $True
AirDropBlocked = $False
AppleWatchBlockAutoUnlock = $False
Assignments = @(
MSFT_DeviceManagementConfigurationPolicyAssignments {
deviceAndAppManagementAssignmentFilterType = 'none'
dataType = '#microsoft.graph.groupAssignmentTarget'
groupId = 'e8cbd84d-be6a-4b72-87f0-0e677541fda0'
}
MSFT_DeviceManagementConfigurationPolicyAssignments {
deviceAndAppManagementAssignmentFilterType = 'none'
dataType = '#microsoft.graph.groupAssignmentTarget'
groupId = 'ea9199b8-3e6e-407b-afdc-e0943e0d3c20'
})
CameraBlocked = $False
ClassroomAppBlockRemoteScreenObservation = $False
ClassroomAppForceUnpromptedScreenObservation = $False
ClassroomForceAutomaticallyJoinClasses = $False
ClassroomForceRequestPermissionToLeaveClasses = $False
ClassroomForceUnpromptedAppAndDeviceLock = $False
CompliantAppListType = 'appsNotInListCompliant'
CompliantAppsList = @(
MSFT_MicrosoftGraphapplistitemMacOS {
name = 'appname2'
publisher = 'publisher'
appId = 'bundle'
}
)
ContentCachingBlocked = $False
DefinitionLookupBlocked = $True
EmailInDomainSuffixes = @()
EraseContentAndSettingsBlocked = $False
GameCenterBlocked = $False
ICloudBlockActivityContinuation = $False
ICloudBlockAddressBook = $False
ICloudBlockBookmarks = $False
ICloudBlockCalendar = $False
ICloudBlockDocumentSync = $False
ICloudBlockMail = $False
ICloudBlockNotes = $False
ICloudBlockPhotoLibrary = $False
ICloudBlockReminders = $False
ICloudDesktopAndDocumentsBlocked = $False
ICloudPrivateRelayBlocked = $False
ITunesBlockFileSharing = $False
ITunesBlockMusicService = $False
KeyboardBlockDictation = $False
KeychainBlockCloudSync = $False
MultiplayerGamingBlocked = $False
PasswordBlockAirDropSharing = $False
PasswordBlockAutoFill = $False
PasswordBlockFingerprintUnlock = $False
PasswordBlockModification = $False
PasswordBlockProximityRequests = $False
PasswordBlockSimple = $False
PasswordRequired = $False
PasswordRequiredType = 'deviceDefault'
PrivacyAccessControls = @(
MSFT_MicrosoftGraphmacosprivacyaccesscontrolitem {
displayName = 'test'
identifier = 'test45'
identifierType = 'path'
codeRequirement = 'test'
blockCamera = $True
speechRecognition = 'notConfigured'
accessibility = 'notConfigured'
addressBook = 'enabled'
calendar = 'notConfigured'
reminders = 'notConfigured'
photos = 'notConfigured'
mediaLibrary = 'notConfigured'
fileProviderPresence = 'notConfigured'
systemPolicyAllFiles = 'notConfigured'
systemPolicySystemAdminFiles = 'notConfigured'
systemPolicyDesktopFolder = 'notConfigured'
systemPolicyDocumentsFolder = 'notConfigured'
systemPolicyDownloadsFolder = 'notConfigured'
systemPolicyNetworkVolumes = 'notConfigured'
systemPolicyRemovableVolumes = 'notConfigured'
postEvent = 'notConfigured'
}
)
SafariBlockAutofill = $False
ScreenCaptureBlocked = $False
SoftwareUpdateMajorOSDeferredInstallDelayInDays = 30
SoftwareUpdateMinorOSDeferredInstallDelayInDays = 30
SoftwareUpdateNonOSDeferredInstallDelayInDays = 30
SoftwareUpdatesEnforcedDelayInDays = 30
SpotlightBlockInternetResults = $False
UpdateDelayPolicy = @('delayOSUpdateVisibility', 'delayAppUpdateVisibility', 'delayMajorOsUpdateVisibility')
WallpaperModificationBlocked = $False
Ensure = 'Present'
Credential = $credsGlobalAdmin
}
}
}