Use shell scripts to extend device management capabilities in Intune, beyond what is supported by the macOS operating system.
Note
Rosetta 2 is required to run x64 (Intel) version of apps on Apple Silicon Macs. To install Rosetta 2 on Apple Silicon Macs automatically, you can deploy a shell script in Endpoint Manager. To view a sample script, see Rosetta 2 Installation Script.
Prerequisites
Ensure that the following prerequisites are met when composing shell scripts and assigning them to macOS devices.
- Devices are running macOS 10.13 or later.
- Devices are managed by Intune.
- Shell scripts begin with #! and must be in a valid location such as #!/bin/sh or #!/usr/bin/env zsh.
- Command-line interpreters for the applicable shells are installed.
Important considerations before using shell scripts
- Shell scripts require that the Microsoft Intune management agent is successfully installed on the macOS device. For more information, see Microsoft Intune management agent for macOS.
- Shell scripts run in parallel on devices as separate processes.
- Shell scripts that are run as the signed-in user will run for all currently signed-in user accounts on the device at the time of the run.
- An end user is required to sign in to the device to execute scripts running as a signed-in user.
- Root user privileges are required if the script requires making changes that a standard user account cannot.
- Shell scripts will attempt to run more frequently than the chosen script frequency for certain conditions, such as if the disk is full, if the storage location is tampered with, if the local cache is deleted, or if the Mac device restarts.
Create and assign a shell script policy
Sign in to the Microsoft Endpoint Manager Admin Center.
Select Devices > macOS > Scripts > Add.
In Basics, enter the following properties, and select Next:
- Name: Enter a name for the shell script.
- Description: Enter a description for the shell script. This setting is optional, but recommended.
In Script settings, enter the following properties, and select Next:
- Upload script: Browse to the shell script. The script file must be less than 200 KB in size.
- Run script as signed-in user: Select Yes to run the script with the user's credentials on the device. Choose No (default) to run the script as the root user.
- Hide script notifications on devices: By default, script notifications are shown for each script that is run. End users see an "IT is configuring your computer" notification from Intune on macOS devices.
- Script frequency: Select how often the script is to be run. Choose Not configured (default) to run a script only once.
- Max number of times to retry if script fails: Select how many times the script should be run if it returns a non-zero exit code (zero meaning success). Choose Not configured (default) to not retry when a script fails.
In Scope tags, optionally add scope tags for the script, and select Next. You can use scope tags to determine who can see scripts in Intune. For full details about scope tags, see Use role-based access control and scope tags for distributed IT.
Select Assignments > Select groups to include. An existing list of Azure AD groups is shown. Select one or more user or device groups that are to receive the script. Choose Select. The groups you choose are shown in the list, and will receive your script policy.
Note
- Shell scripts assigned to user groups apply to any user logging in to the Mac.
- Updating assignments for shell scripts also updates assignments for Microsoft Intune MDM Agent for macOS.
In Review + add, a summary is shown of the settings you configured. Select Add to save the script. When you select Add, the script policy is deployed to the groups you chose.
The script you created now appears in the list of scripts.
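A pre-upload check for the limits stated above (the #! line, an installed interpreter, the 200 KB ceiling), added here as an example and not part of Intune or Microsoft's tooling. The function name check_intune_script is hypothetical, 200 KB is read as 200 * 1024 bytes, and the interpreter test is only meaningful when run on a Mac that matches the target devices.

```shell
#!/bin/sh
# Added example (not from Intune): lint a script against the upload rules above.
# Assumption: "200 KB" means 200 * 1024 bytes.
MAX_SCRIPT_BYTES=$((200 * 1024))

# check_intune_script FILE
# Prints one line per problem; returns 0 only if no problem was found.
check_intune_script() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "not a regular file: $f"
        return 1
    fi

    # The file must be *less than* 200 KB.
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -ge "$MAX_SCRIPT_BYTES" ]; then
        echo "too large: $size bytes (must be under $MAX_SCRIPT_BYTES)"
        rc=1
    fi

    # Read the first line only; "|| true" covers a file with no trailing newline.
    first=""
    IFS= read -r first < "$f" || true
    case $first in
        '#!'*) ;;
        *) echo "first line does not begin with #!"; return 1 ;;
    esac

    # A script saved with CRLF endings names an interpreter that ends in \r,
    # which does not exist, so the run would be reported as Failed.
    cr=$(printf '\r')
    case $first in
        *"$cr") echo "CRLF line ending on the #! line"; return 1 ;;
    esac

    # Split "#!/usr/bin/env zsh" into interpreter and first argument.
    set -f
    set -- ${first#'#!'}
    set +f
    interp=${1:-}
    arg=${2:-}

    case $interp in
        /*) ;;
        *) echo "interpreter is not an absolute path: '$interp'"; return 1 ;;
    esac
    if [ ! -x "$interp" ]; then
        echo "interpreter not installed on this machine: $interp"
        rc=1
    fi
    # With the env form, the shell named after env must resolve on PATH too.
    if [ "${interp##*/}" = "env" ]; then
        if [ -z "$arg" ] || ! command -v "$arg" >/dev/null 2>&1; then
            echo "env cannot resolve shell: '$arg'"
            rc=1
        fi
    fi
    return "$rc"
}

# Constructed demo input: a two-line script written to a temporary file.
demo=$(mktemp)
printf '#!/bin/sh\necho "hello from Intune"\n' > "$demo"
if check_intune_script "$demo"; then echo "OK to upload: $demo"; fi
rm -f "$demo"
```

Because the default is to run the script as root, a check like this fits best as a review gate before the upload step.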
Monitor a shell script policy
You can monitor the run status of all assigned scripts for users and devices by choosing one of the following reports:
- Scripts > select the script to monitor > Device status
- Scripts > select the script to monitor > User status
Important
Irrespective of the selected Script frequency, the script run status is reported only the first time a script is run. Script run status is not updated on subsequent runs. However, updated scripts are treated as new scripts and will report the run status again.
Once a script runs, it returns one of the following statuses:
- A script run status of Failed indicates that the script returned a non-zero exit code or the script is malformed.
- A script run status of Success indicates that the script returned zero as the exit code.
Troubleshoot macOS shell script policies using log collection
You can collect device logs to help troubleshoot script issues on macOS devices.
Requirements for log collection
The following items are required to collect logs on a macOS device:
- You must specify the full absolute log file path.
- File paths must be separated using only a semicolon (;).
- The maximum log collection size to upload is 60 MB (compressed) or 25 files, whichever occurs first.
- File types that are allowed for log collection include the following extensions: .log, .zip, .gz, .tar, .txt, .xml, .crash, .rtf
Collect device logs
Sign in to the Microsoft Endpoint Manager admin center.
In Device status or User status report, select a device.
Select Collect logs, provide folder paths of log files separated only by a semicolon (;) without spaces or newlines in between paths.
For example, multiple paths should be written as /Path/to/logfile1.zip;/Path/to/logfile2.log.
Important
Multiple log file paths separated using comma, period, newline or quotation marks with or without spaces will result in log collection error. Spaces are also not allowed as separators between paths.
Select OK. Logs are collected the next time the Intune management agent on the device checks in with Intune. This check-in usually occurs every 8 hours.
Note
- Collected logs are encrypted on the device, transmitted and stored in Microsoft Azure storage for 30 days. Stored logs are decrypted on demand and downloaded using Microsoft Endpoint Manager admin center.
- In addition to the admin-specified logs, the Intune management agent logs are also collected from these folders: /Library/Logs/Microsoft/Intune and ~/Library/Logs/Microsoft/Intune. The agent log file-names are IntuneMDMDaemon date--time.log and IntuneMDMAgent date--time.log.
- If any admin-specified file is missing or has the wrong file-extension, you will find these file-names listed in LogCollectionInfo.txt.
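The path-string rules above (semicolon-only separators, full absolute paths, the allowed extensions, at most 25 files) can be checked before the string is pasted into Collect logs. This is an added example, not Intune code; the function name validate_log_paths is hypothetical, and rejecting any quote or comma inside a path is a stricter assumption than the page states.

```shell
#!/bin/sh
# Added example (not from Intune): check a "Collect logs" path string against
# the requirements listed above before pasting it into the admin center.
ALLOWED_EXT="log zip gz tar txt xml crash rtf"
MAX_FILES=25

# validate_log_paths STRING
# Prints one line per problem; returns 0 only when every path is acceptable.
validate_log_paths() {
    input=$1
    rc=0
    count=0
    nl='
'
    case $input in
        "")      echo "empty input"; return 1 ;;
        *"$nl"*) echo "newline found; paths must be on one line"; return 1 ;;
    esac

    # Walk the string one ';'-delimited entry at a time. The appended ';'
    # makes a trailing separator show up as an empty entry.
    rest="$input;"
    while [ -n "$rest" ]; do
        p=${rest%%";"*}
        rest=${rest#*";"}
        count=$((count + 1))
        case $p in
            "")
                echo "empty entry (leading, doubled or trailing ';')"
                rc=1; continue ;;
            *\"*|*\'*|*,*)
                # Assumption: stricter than the page, which bans these as separators.
                echo "quote or comma in: $p"
                rc=1; continue ;;
            " "*|*" "|*" /"*)
                echo "space used as a separator in: $p"
                rc=1; continue ;;
            /*) ;;
            *)
                echo "not a full absolute path: $p"
                rc=1; continue ;;
        esac

        # Extension of the last path component, compared case-sensitively
        # (assumption) against the allowed list.
        base=${p##*/}
        ext=""
        case $base in
            *.*) ext=${base##*.} ;;
        esac
        ok=0
        for a in $ALLOWED_EXT; do
            if [ "$ext" = "$a" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then
            echo "file type not allowed for collection: $p"
            rc=1
        fi
    done

    if [ "$count" -gt "$MAX_FILES" ]; then
        echo "$count paths given; at most $MAX_FILES files are collected"
        rc=1
    fi
    return "$rc"
}

# Constructed sample strings: the page's own example, then a comma-separated one.
for s in "/Path/to/logfile1.zip;/Path/to/logfile2.log" \
         "/Path/to/logfile1.zip, /Path/to/logfile2.log"; do
    if validate_log_paths "$s"; then echo "accepted: $s"; else echo "rejected: $s"; fi
done
```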
Log collection errors
Log collection may not be successful due to any of the following reasons provided in the table below. To resolve these errors, follow the remediation steps.
| Error code (hex) | Error code (dec) | Error message | Remediation steps |
|---|---|---|---|
| 0X87D300D1 | 2016214834 | Log file size cannot exceed 60 MB. | Ensure that compressed logs are less than 60 MB in size. |
| 0X87D300D1 | 2016214831 | The provided log file path must exist. The system user folder is an invalid location for log files. | Ensure that the provided file path is valid and accessible. |
| 0X87D300D2 | 2016214830 | Log collection file upload failed due to expiration of upload URL. | Retry the Collect logs action. |
| 0X87D300D3, 0X87D300D5, 0X87D300D7 | 2016214829, 2016214827, 2016214825 | Log collection file upload failed due to encryption failure. Retry log upload. | Retry the Collect logs action. |
| | 2016214828 | The number of log files exceeded the allowed limit of 25 files. | Only up to 25 log files can be collected at a time. |
| 0X87D300D6 | 2016214826 | Log collection file upload failed due to zip error. Retry log upload. | Retry the Collect logs action. |
| | 2016214740 | The logs couldn't be encrypted as compressed logs were not found. | Retry the Collect logs action. |
| | 2016214739 | The logs were collected but couldn't be stored. | Retry the Collect logs action. |
Custom attributes for macOS
You can create custom attribute profiles that let you collect custom properties from managed macOS devices using shell scripts.
Create and assign a custom attribute for macOS devices
Sign in to the Microsoft Endpoint Manager Admin Center.
Select Devices > macOS > Custom attributes > Add.
In Basics, enter the following properties, and select Next:
- Name: Enter a name for the script.
- Description: Enter a description for the script. This setting is optional, but recommended.
In Attribute settings, enter the following properties, and select Next:
- Data type of attribute: Select the data type of the result that the script returns. Available values are String, Integer, and Date.
- Script: Select a script file.
Additional details:
- The shell script must echo the attribute to be reported and the data type of the output must match the data type of attribute in the custom attribute profile.
- The result returned by the shell script must be 20KB or less.
Note
When using Date type attributes, ensure that the shell script returns dates in ISO-8601 format. See the examples below.
To print an ISO-8601-compliant date with time-zone:
To print an ISO-8601-compliant date in UTC time:
In Assignments, click Select groups to include. When you choose Select groups to include, an existing list of Azure AD groups is shown. Select one or more user or device groups that are to receive the script. Choose Select. The groups you choose are shown in the list, and will receive your script policy. Alternatively, you can choose to select All users, All devices, or All users and all devices by selecting one of these options in the dropdown box next to Assign to.
Note
- Scripts assigned to user groups apply to any user logging in to the Mac.
In Review + add, a summary is shown of the settings you configured. Select Add to save the script. When you select Add, the script policy is deployed to the groups you chose.
The script you created now appears in the list of custom attributes.
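The output rules under Additional details (echoed value matches the declared data type, result of 20KB or less, ISO-8601 for Date) can be tested locally before a profile is assigned. This is an added example, not Intune code: check_attribute_output and the two date helpers are hypothetical names, 20KB is read as 20 * 1024 bytes, and the accepted Integer and Date shapes are assumptions about what the service parses.

```shell
#!/bin/sh
# Added example (not from Intune): check what a custom attribute script echoes
# against the declared data type and the 20 KB result limit described above.
# Assumption: "20KB" means 20 * 1024 bytes.
MAX_RESULT_BYTES=$((20 * 1024))

# Two ways to echo an ISO-8601 date with standard date(1) format specifiers.
iso8601_local() { date "+%Y-%m-%dT%H:%M:%S%z"; }    # local time with UTC offset
iso8601_utc()   { date -u "+%Y-%m-%dT%H:%M:%SZ"; }  # UTC, "Z" suffix

# check_attribute_output TYPE OUTPUT   (TYPE is String, Integer or Date)
# Prints the reason and returns 1 when OUTPUT would not fit the profile.
check_attribute_output() {
    dtype=$1
    out=$2
    nl='
'
    size=$(printf '%s' "$out" | wc -c | tr -d ' ')
    if [ "$size" -gt "$MAX_RESULT_BYTES" ]; then
        echo "result is $size bytes; limit is $MAX_RESULT_BYTES"
        return 1
    fi
    # Assumption: an attribute script that echoes nothing is treated as an error.
    if [ -z "$out" ]; then
        echo "script echoed nothing"
        return 1
    fi

    case $dtype in
        String)
            return 0 ;;
        Integer)
            # Assumption: optional sign followed by digits only.
            re='^-?[0-9]+$' ;;
        Date)
            # Assumption: the two shapes produced by the helpers above,
            # with the offset written as +hhmm or +hh:mm.
            re='^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(Z|[+-][0-9]{2}:?[0-9]{2})$' ;;
        *)
            echo "unknown data type: $dtype"
            return 1 ;;
    esac

    # Integer and Date results must be a single line.
    case $out in
        *"$nl"*) echo "$dtype result must be a single line"; return 1 ;;
    esac
    if printf '%s\n' "$out" | grep -Eq -- "$re"; then
        return 0
    fi
    echo "output does not parse as $dtype: $out"
    return 1
}

# Constructed demo: produce a Date attribute value and validate it.
result=$(iso8601_utc)
if check_attribute_output Date "$result"; then echo "Date attribute OK: $result"; fi
```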
Monitor a custom attribute policy
You can monitor the run status of all assigned custom attribute profiles for users and devices by choosing one of the following reports:
- Custom attributes > select the custom attribute profile to monitor > Device status
- Custom attributes > select the custom attribute profile to monitor > User status
Important
Shell scripts provided in custom attribute profiles are run every 8 hours on managed Macs and reported.
Once a custom attribute profile runs, it returns one of the following statuses:
- A status of Failed indicates that the script returned a non-zero exit code or the script is malformed. The error is reported in the Result column.
- A status of Success indicates that the script returned zero as the exit code. The output echoed by the script is reported in the Result column.
Frequently asked questions
Why are assigned shell scripts not running on the device?
There could be several reasons:
- The agent might need to check-in to receive new or updated scripts. This check-in process occurs every 8 hours and is different from the MDM check-in. Make sure that the device is awake and connected to a network for a successful agent check-in and wait for the agent to check-in. You can also request the end-user to open Company Portal on the Mac, select the device and click Check settings.
- The agent may not be installed. Check that the agent is installed at /Library/Intune/Microsoft Intune Agent.app on the macOS device.
- The agent may not be in a healthy state. The agent will attempt to recover for 24 hours, remove itself and reinstall if shell scripts are still assigned.
How frequently is script run status reported?
Script run status is reported to Microsoft Endpoint Manager Admin Console as soon as the script run is complete. If a script is scheduled to run periodically at a set frequency, it only reports status the first time it runs.
When are shell scripts run again?
A script is run again only when the Max number of times to retry if script fails setting is configured and the script fails on run. If the Max number of times to retry if script fails is not configured and a script fails on run, it will not be run again and run status will be reported as failed.
What Intune role permissions are required for shell scripts?
Your assigned Intune role requires Device configurations permissions to delete, assign, create, update, or read shell scripts.
Microsoft Intune management agent for macOS
Why is the agent required?
The Microsoft Intune management agent must be installed on managed macOS devices to enable advanced device management capabilities that are not supported by the native macOS operating system.
How is the agent installed?
The agent is automatically and silently installed on Intune-managed macOS devices that you assign at least one shell script to in Microsoft Endpoint Manager Admin Center. The agent is installed at /Library/Intune/Microsoft Intune Agent.app when applicable and doesn't appear in Finder > Applications on macOS devices. The agent appears as IntuneMdmAgent in Activity Monitor when running on macOS devices.
What does the agent do?
- The agent silently authenticates with Intune services before checking in to receive assigned shell scripts for the macOS device.
- The agent receives assigned shell scripts and runs the scripts based on the configured schedule, retry attempts, notification settings, and other settings set by the admin.
- The agent checks for new or updated scripts with Intune services usually every 8 hours. This check-in process is independent of the MDM check-in.
How can I manually initiate an agent check-in from a Mac?
On a managed Mac that has the agent installed, open Company Portal, select the local device, click on Check settings. This initiates an MDM check-in as well as an agent check-in.
Alternatively, open Terminal, run the sudo killall IntuneMdmAgent command to terminate the IntuneMdmAgent process. The IntuneMdmAgent process will restart immediately, which will initiate a check-in with Intune.
Note
The Sync action for devices in Microsoft Endpoint Manager Admin Console initiates an MDM check-in and does not force an agent check-in.
When is the agent removed?
There are several conditions that can cause the agent to be removed from the device such as:
- Shell scripts are no longer assigned to the device.
- The macOS device is no longer managed.
- The agent is in an irrecoverable state for more than 24 hours (device-awake time).
Why are scripts running even though the Mac is no longer managed?
When a Mac with assigned scripts is no longer managed, the agent is not removed immediately. The agent detects that the Mac is not managed at the next agent check-in (usually every 8 hours) and cancels scheduled script-runs. So, any locally stored scripts scheduled to run more frequently than the next scheduled agent check-in will run. When the agent is unable to check-in, it retries checking in for up to 24 hours (device-awake time) and then removes itself from the Mac.
How to turn off usage data sent to Microsoft for shell scripts?
To turn off usage data sent to Microsoft from the Intune management agent, open Company Portal and select Menu > Preferences > uncheck 'allow Microsoft to collect usage data'. This will turn off usage data sent for both the agent and Company Portal.
Known issues
- No script run status: In the unlikely event that a script is received on the device and the device goes offline before the run status is reported, the device will not report run status for the script in the admin console.
Additional information
When you deploy shell scripts or custom attributes for macOS devices from Microsoft Endpoint Manager, it deploys the new universal version of the Intune management agent app that runs natively on Apple Silicon Mac machines. The same deployment will install the x64 version of the app on Intel Mac machines. Rosetta 2 is required to run x64 (Intel) version of apps on Apple Silicon Macs. To install Rosetta 2 on Apple Silicon Macs automatically, you can deploy a shell script in Endpoint Manager. To view a sample script, see Rosetta 2 Installation Script.
Next steps
This article describes the settings you can control and restrict on macOS devices. As part of your mobile device management (MDM) solution, use these settings to allow or disable features, set password rules, allow or restrict specific apps, and more.
These settings are added to a device configuration profile in Intune, and then assigned or deployed to your macOS devices.
Note
The user interface may not match the enrollment types in this article. The information in this article is correct. The user interface is being updated in an upcoming release.
Before you begin
Create a macOS device restrictions configuration profile.
Note
These settings apply to different enrollment types. For more information on the different enrollment types, see macOS enrollment.
Built-in Apps
Settings apply to: All enrollment types
Block Safari AutoFill: Yes disables the autofill feature in Safari on devices. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to change autocomplete settings in the web browser.
Block use of camera: Yes prevents access to the camera on devices. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow access to the device camera.
Intune only manages access to the device camera. It doesn't have access to pictures or videos.
Block Apple Music: Yes reverts the Music app to classic mode, and disables the Music service. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using the Apple Music app.
Block spotlight suggestions: Yes stops Spotlight from returning any results from an Internet search. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow Spotlight search to connect to the Internet, and get search results.
Block file transfer using Finder or iTunes: Yes disables application file sharing services. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow application file sharing services.
This feature applies to:
- macOS 10.13 and newer
Cloud and storage
Settings apply to: All enrollment types
Block iCloud Keychain sync: Yes disables syncing credentials stored in the Keychain to iCloud. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to sync these credentials.
Block iCloud Desktop and Document Sync: Yes prevents iCloud from syncing documents and data. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow document and key-value synchronization to your iCloud storage space.
Block iCloud Mail Backup: Yes prevents iCloud from syncing to the macOS Mail app. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow Mail synchronization to iCloud.
Block iCloud Contact Backup: Yes prevents iCloud from syncing the device contacts. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow contact sync using iCloud.
Block iCloud Calendar Backup: Yes prevents iCloud from syncing to the macOS Calendar app. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow Calendar synchronization to iCloud.
Block iCloud Reminder Backup: Yes prevents iCloud from syncing to the macOS Reminders app. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow Reminders synchronization to iCloud.
Block iCloud Bookmark Backup: Yes prevents iCloud from syncing the device Bookmarks. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow Bookmark synchronization to iCloud.
Block iCloud Notes Backup: Yes prevents iCloud from syncing the device Notes. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow Notes synchronization to iCloud.
Block iCloud Photos backup: Yes disables iCloud Photo Library, and prevents iCloud from syncing the device photos. Any photos not fully downloaded from iCloud Photo Library are removed from local storage on devices. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow syncing photos between the device and the iCloud Photo Library.
Block Handoff: This feature allows users to start work on a macOS device, and then continue the work they started on another iOS/iPadOS or macOS device. Yes prevents the Handoff feature on devices. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow this feature on devices.
This feature applies to:
- macOS 10.15 and newer
Connected devices
Settings apply to: All enrollment types
- Block AirDrop: Yes prevents using AirDrop on devices. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using the AirDrop feature to exchange content with nearby devices.
- Block Apple Watch auto unlock: Yes prevents users from unlocking their macOS device with their Apple Watch. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to unlock their macOS device with their Apple Watch.
Domains
Settings apply to: All enrollment types
- Unmarked Email Domains: Enter one or more Email domain URLs to the list. When users send or receive an email from a domain other than the domains you added, the email is marked as untrusted in the macOS Mail app.
General
Settings apply to: All enrollment types
Block Lookup: Yes prevents users from highlighting a word, and then looking up its definition on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow the definition lookup feature.
Block dictation: Yes stops users from using voice input to enter text. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to use dictation input.
Block content caching: Yes prevents content caching. Content caching stores app data, web browser data, downloads, and more locally on devices. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might enable content caching.
For more information on content caching on macOS, see Manage content caching on Mac (opens another website).
This feature applies to:
- macOS 10.13 and newer
Block screenshots and screen recording: Device must be enrolled in Apple's Automated Device Enrollment (DEP). Yes prevents users from saving screenshots of the display. It also prevents the Classroom app from observing remote screens. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to capture screenshots, and allows the Classroom app to view remote screens.
Settings apply to: User approved device enrollment, Automated device enrollment (supervised)
Defer software updates: Yes allows you to delay when OS updates and non-OS updates are shown on devices. This setting doesn't control when updates are or aren't installed. When nothing is selected, Intune doesn't change or update this setting.
By default, the OS might show updates on devices as Apple releases them. By default, software updates aren't delayed. If you configure this setting, then OS and non-OS software updates are delayed, depending on the options you select. The drop-down does exactly what you choose. It can delay both, delay neither, or delay one of them.
For example, if a macOS update gets released by Apple on a specific date, then that update naturally shows on devices around the release date. Seed build updates are allowed without delay.
Delay visibility of software updates: Enter a value from 0-90 days. By default, updates are delayed for 30 days. This value applies to the Defer software updates options you select. If you only select Operating system updates, then only OS updates are delayed for 30 days. If you select Operating system updates and Non operating system updates, then both are delayed for 30 days.
When the delay expires, users get a notification to update to the earliest version available when the delay was triggered.
For example, if a macOS update is available on January 1, and Delay visibility is set to 5 days, then the update isn't shown as an available update. On the sixth day following the release, that update is available, and users can install it.
This feature applies to:
- macOS 10.13.4 and newer
Settings apply to: Automated device enrollment
Disable AirPlay, view screen by Classroom app, and screen sharing: Yes blocks AirPlay, and prevents screen sharing to other devices. It also prevents teachers from using the Classroom app to see their students' screens. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow teachers to see their students' screens.
To use this setting, set the Block screenshots and screen recording setting to Not configured (screenshots are allowed).
Allow Classroom app to perform AirPlay and view screen without prompting: Yes lets teachers see their students' screens without requiring students to agree. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might require students to agree before teachers can see the screens.
To use this setting, set the Block screenshots and screen recording setting to Not configured (screenshots are allowed).
Require teacher permission to leave Classroom app unmanaged classes: Yes forces students enrolled in an unmanaged Classroom course to get teacher approval to leave the course. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow students to leave the course whenever the student chooses.
Allow Classroom to lock the device without prompting: Yes lets teachers lock a student's device or app without the student's approval. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might require students to agree before teachers can lock the device or app.
Students can automatically join Classroom class without prompting: Yes lets students join a class without prompting the teacher. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might require teacher approval to join a class.
Password
These settings use the Passcode payload (opens Apple's web site).
Important
On macOS devices running 10.14.2 to 11.x (except all versions of macOS 10.15 Catalina), users are prompted to change the device password when the device updates to a new major OS version. This password update happens once. After users update the password, any other password policies are enforced. If a passcode is required in at least one policy, then this behavior only occurs for the local machine user.
Any time the password policy is updated, all users running these macOS versions must change the password, even if the current password is compliant with the new requirements. For example, when your macOS device turns on after upgrading to Big Sur (macOS 11), users need to change the device password before they can sign in.
Settings apply to: All enrollment types
Require password: Yes requires users to enter a password to access devices. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not require a password. It also doesn't force any restrictions, such as blocking simple passwords or setting a minimum length.
Required password type: Enter the required password complexity level your organization requires. When left blank, Intune doesn't change or update this setting. Your options:
- Not configured: Uses the device default.
- Alphanumeric: Includes uppercase letters, lowercase letters, and numeric characters.
- Numeric: Password must only be numbers, such as 123456789.
This feature applies to:
- macOS 10.10.3 and newer
Number of non-alphanumeric characters in password: Enter the number of complex characters required in the password, from 0-4. A complex character is a symbol, such as ?. When left blank or set to Not configured, Intune doesn't change or update this setting.
Minimum password length: Enter the minimum length the password must have, from 4-16 characters. When left blank, Intune doesn't change or update this setting.
Block simple passwords: Yes prevents using simple passwords, such as 0000 or 1234. When the value is blank or set to Not configured, Intune doesn't change or update this setting. By default, the OS might allow simple passwords.
Maximum minutes of inactivity until screen locks: Enter the length of time devices must be idle before the screen is automatically locked. For example, enter 5 to lock devices after 5 minutes of being idle. When the value is blank or set to Not configured, Intune doesn't change or update this setting.
Maximum minutes after screen lock before password is required: Enter the length of time devices must be inactive before a password is required to unlock it. When the value is blank or set to Not configured, Intune doesn't change or update this setting.
Password expiration (days): Enter the number of days until the device password must be changed, from 1-65535. For example, enter 90 to expire the password after 90 days. When the password expires, users are prompted to create a new password. When the value is blank or set to Not configured, Intune doesn't change or update this setting.
Prevent reuse of previous passwords: Restrict users from creating previously used passwords. Enter the number of previously used passwords that can't be used, from 1-24. For example, enter 5 so users can't set a new password to their current password or any of their previous four passwords. When the value is blank, Intune doesn't change or update this setting.
Maximum allowed sign-in attempts: Enter the maximum number of times that users can consecutively try to sign in before the device locks users out, from 2-11. When this number is exceeded, the device is locked. We recommend not setting this value to a low number, such as 2 or 3. It's common for users to enter the wrong password. We recommend setting to a higher value.
For example, enter 5 so users can enter the wrong password up to five times. After the fifth attempt, the device is locked. If you leave this value blank, or don't change it, then 11 is used by default.
After six failed attempts, macOS automatically forces a time delay before a passcode can be entered again. The delay increases with each attempt. Set the Lockout duration to add a delay before the next passcode can be entered.
Lockout duration: Enter the number of minutes a lockout lasts, from 0-10000. During a device lockout, the sign in screen is inactive, and users can't sign in. When the lockout ends, user can try to sign in again.
If you leave this value blank, or don't change it, then
30
minutes is used by default.This setting applies to:
- macOS 10.10 and newer
Block user from modifying passcode: Yes stops the passcode from being changed, added, or removed. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow passcodes to be added, changed, or removed.
Block Touch ID to unlock device: Yes prevents using fingerprints to unlock devices. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to unlock the device using a fingerprint.
Block password AutoFill: Yes prevents using the AutoFill Passwords feature on macOS. Choosing Yes also has the following impact:
- Users aren't prompted to use a saved password in Safari or in any apps.
- Automatic Strong Passwords are disabled, and strong passwords aren't suggested to users.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow these features.
Block password proximity requests: Yes prevents devices from requesting passwords from nearby devices. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow these password requests.
Block password sharing: Yes prevents sharing passwords between devices using AirDrop. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow passwords to be shared.
Privacy preferences
On macOS devices, apps and processes often prompt users to allow or deny access to device features, such as the camera, microphone, calendar, Documents folder, and more. These settings allow administrators to pre-approve or pre-deny access to these device features. When you configure these settings, you manage data access consent on behalf of your users. Your settings override their previous decisions.
The goal of these settings is to reduce the number of prompts by apps and processes.
This feature applies to:
- macOS 10.14 and newer
- Some settings apply to macOS 10.15 and newer.
- These settings only apply on devices that have the privacy preferences profile installed before being upgraded.
Settings apply to: User approved device enrollment, Automated device enrollment
- Apps and processes: Add apps or processes to configure access. Also enter:
Name: Enter a name for your app or process. For example, enter Microsoft Remote Desktop or Microsoft 365.
Identifier type: Your options:
- Bundle ID: Select this option for apps.
- Path: Select this option for non-bundled binaries, which is a process or executable.
Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing application bundle.
Identifier: Enter the app bundle ID, or the installation file path of the process or executable. For example, enter com.contoso.appname.
To get the app bundle ID, open the Terminal app, and run the codesign command. This command identifies the code signature. So you can get the bundle ID and the code signature simultaneously.
Code requirement: Enter the code signature for the application or process.
A code signature is created when an app or binary is signed by a developer certificate. To find the designation, run the codesign command manually in the Terminal app: codesign --display -r - /path/to/app/binary. The code signature is everything that appears after =>.
Enable static code validation: Choose Yes for the app or process to statically validate the code requirement. When set to Not configured, Intune doesn't change or update this setting.
Enable this setting only if the process invalidates its dynamic code signature. Otherwise, use Not configured.
Block Camera: Yes prevents the app from accessing the system camera. You can't allow access to the camera. When set to Not configured, Intune doesn't change or update this setting.
Block Microphone: Yes prevents the app from accessing the system microphone. You can't allow access to the microphone. When set to Not configured, Intune doesn't change or update this setting.
Block screen recording: Yes blocks the app from capturing the contents of the system display. You can't allow access to screen recording and screen capture. When set to Not configured, Intune doesn't change or update this setting.
Requires macOS 10.15 and newer.
Block input monitoring: Yes blocks the app from using CoreGraphics and HID APIs to listen to CGEvents and HID events from all processes. Yes also denies apps and processes from listening to and collecting data from input devices, such as a mouse, keyboard, or trackpad. You can't allow access to the CoreGraphics and HID APIs.
When set to Not configured, Intune doesn't change or update this setting.
Requires macOS 10.15 and newer.
Speech recognition: Your options:
- Not configured: Intune doesn't change or update this setting.
- Allow: Allows the app to access the system speech recognition, and allows sending speech data to Apple.
- Block: Prevents the app from accessing the system speech recognition, and prevents sending speech data to Apple.
Requires macOS 10.15 and newer.
Accessibility: Your options:
- Not configured: Intune doesn't change or update this setting.
- Allow: Allows the app to access the system Accessibility app. This app includes closed captions, hover text, and voice control.
- Block: Prevents the app from accessing the system Accessibility app.
Contacts: Your options:
- Not configured: Intune doesn't change or update this setting.
- Allow: Allows the app to access contact information managed by the system Contacts app.
- Block: Prevents the app from accessing this contact information.
Calendar: Your options:
- Not configured: Intune doesn't change or update this setting.
- Allow: Allows the app to access calendar information managed by the system Calendar app.
- Block: Prevents the app from accessing this calendar information.
Reminders: Your options:
- Not configured: Intune doesn't change or update this setting.
- Allow: Allows the app to access reminder information managed by the system Reminders app.
- Block: Prevents the app from accessing this reminder information.
Photos: Your options:
- Not configured: Intune doesn't change or update this setting.
- Allow: Allows the app to access the pictures managed by the system Photos app in ~/Pictures/.photoslibrary.
- Block: Prevents the app from accessing these pictures.
Media library: Your options:
- Not configured: Intune doesn't change or update this setting.
- Allow: Allows the app to access Apple Music, music and video activity, and the media library.
- Block: Prevents the app from accessing this media.
Requires macOS 10.15 and newer.
File provider presence: Your options:
- Not configured: Intune doesn't change or update this setting.
- Allow: Allows the app to access the File Provider app, and know when users are using files managed by the File Provider. A File Provider app allows other File Provider apps to access the documents and directories stored and managed by the containing app.
- Block: Prevents the app from accessing the File Provider app.
Requires macOS 10.15 and newer.
Full disk access: Your options:
- Not configured: Intune doesn't change or update this setting.
- Allow: Allows the app to access all protected files, including system administration files. Apply this setting with caution.
- Block: Prevents the app from accessing these protected files.
System admin files: Your options:
- Not configured: Intune doesn't change or update this setting.
- Allow: Allows the app to access some files used in system administration.
- Block: Prevents the app from accessing these files.
Desktop folder: Your options:
- Not configured: Intune doesn't change or update this setting.
- Allow: Allows the app to access files in the user's Desktop folder.
- Block: Prevents the app from accessing these files.
Requires macOS 10.15 and newer.
Documents folder: Your options:
- Not configured: Intune doesn't change or update this setting.
- Allow: Allows the app to access files in the user's Documents folder.
- Block: Prevents the app from accessing these files.
Requires macOS 10.15 and newer.
Downloads folder: Your options:
- Not configured: Intune doesn't change or update this setting.
- Allow: Allows the app to access files in the user's Downloads folder.
- Block: Prevents the app from accessing these files.
Requires macOS 10.15 and newer.
Network volumes: Your options:
- Not configured: Intune doesn't change or update this setting.
- Allow: Allows the app to access files on network volumes.
- Block: Prevents the app from accessing these files.
Requires macOS 10.15 and newer.
Removable volumes: Your options:
- Not configured: Intune doesn't change or update this setting.
- Allow: Allows the app to access files on removable volumes, such as a hard disk.
- Block: Prevents the app from accessing these files.
Requires macOS 10.15 and newer.
System events: Your options:
- Not configured: Intune doesn't change or update this setting.
- Allow: Allows the app to use CoreGraphics APIs to send CGEvents to the system event stream.
- Block: Prevents the app from using CoreGraphics APIs to send CGEvents to the system event stream.
Apple events: This setting allows apps to send a restricted Apple event to another app or process. Select Add to add a receiving app or process. Enter the following information of the receiving app or process:
Identifier type: Select Bundle ID if the receiving identifier is an application. Select Path if the receiving identifier is a process or executable.
Identifier: Enter the app bundle ID, or the installation path of the process receiving an Apple event.
Code requirement: Enter the code signature for the receiving application or process.
A code signature is created when an app or binary is signed by a developer certificate. To find the designation, run the codesign command manually in the Terminal app: codesign --display -r - /path/to/app/binary. The code signature is everything that appears after =>.
Access: Allow a macOS Apple Event to be sent to the receiving app or process. Your options:
- Not configured: Intune doesn't change or update this setting.
- Allow: Allows the app or process to send the restricted Apple event to the receiving app or process.
- Block: Prevents the app or process from sending a restricted Apple event to the receiving app or process.
Save your changes.
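The codesign step described above for the Identifier and Code requirement fields (for apps and processes, and again for Apple event receivers) can be scripted. The following is an added example, not part of the original documentation: the function names are hypothetical, the sample output is constructed, and it assumes codesign is run with --verbose as well so that the Identifier= line is printed alongside the designated requirement.

```shell
#!/bin/sh
# Added example: turn codesign output into the values for the
# Identifier and Code requirement fields. Function names are hypothetical.

# Constructed sample of `codesign --display --verbose -r - <path> 2>&1`
# (com.contoso.appname is the page's placeholder; TEAMID1234 is made up).
SAMPLE_OUTPUT='Executable=/Applications/Contoso.app/Contents/MacOS/Contoso
Identifier=com.contoso.appname
Format=app bundle with Mach-O thin (x86_64)
designated => identifier "com.contoso.appname" and anchor apple generic and certificate leaf[subject.OU] = TEAMID1234'

# Print the signing identifier (the bundle ID for app bundles).
bundle_id() {
    printf '%s\n' "$1" | sed -n 's/^Identifier=//p' | head -n 1
}

# Print everything after "=>" on the designated-requirement line.
code_requirement() {
    printf '%s\n' "$1" | sed -n 's/^.*designated => //p' | head -n 1
}

# Emit both fields, or fail when either value is missing, so an unsigned
# binary never ends up in a profile with an empty code requirement.
profile_fields() {
    id=$(bundle_id "$1")
    req=$(code_requirement "$1")
    if [ -z "$id" ] || [ -z "$req" ]; then
        echo "no identifier or designated requirement found" >&2
        return 1
    fi
    printf 'Identifier: %s\nCode requirement: %s\n' "$id" "$req"
}

# On a Mac, feed it real output instead of the sample:
#   profile_fields "$(codesign --display --verbose -r - /path/to/app/binary 2>&1)"
profile_fields "$SAMPLE_OUTPUT"
```

Pinning the full requirement string, rather than the bundle ID alone, is what ties a pre-approved privacy permission to the developer's signing certificate.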
Restricted apps
Settings apply to: All enrollment types
Type of restricted apps list: Create a list of apps that users aren't allowed to install or use. Your options:
- Not configured (default): Intune doesn't change or update this setting. By default, users might have access to apps you assign, and built-in apps.
- Approved apps: List the apps that users are allowed to install. To stay compliant, users must not install other apps. Apps that are managed by Intune are automatically allowed, including the Company Portal app. Users aren't prevented from installing an app that isn't on the approved list. But if they do, it's reported in Intune.
- Prohibited apps: List the apps (not managed by Intune) that users aren't allowed to install and run. Users aren't prevented from installing a prohibited app. If a user installs an app from this list, it's reported in Intune.
Apps list: Add apps to your list:
App Bundle ID: Enter the bundle ID of the app. You can add built-in apps and line-of-business apps. Apple's web site has a list of built-in Apple apps.
To find the URL of an app, open the iTunes App Store, and search for the app. For example, search for Microsoft Remote Desktop or Microsoft Word. Select the app, and copy the URL. You can also use iTunes to find the app, and then use the Copy Link task to get the app URL.
App name: Enter a user-friendly name to help you identify the bundle ID. For example, enter Intune Company Portal app.
Publisher: Enter the publisher of the app.
Import a CSV file with details about the app, including the URL. Use the
, ,
format. Or, Export to create a list of apps you added, in the same format.
Next steps
Assign the profile and monitor its status.
You can also restrict device features and settings on iOS/iPadOS devices.