This message showed up in the message center for Office 365 – and we have been waiting for this for a long time. Soon we can start testen Conditional Access for MacOS.


If you already have Conditional Access rules setup for device platforms and are using “All platforms” then when Microsoft is enabling support for MacOS you need to take action.

CA - MacOSx - 00


Conditional access is expanding the coverage of platforms that can be secured by adding support for MacOS. Public preview of MacOS Conditional Access support will be introduced by the end of August. Conditional access policies that are defined for “All platforms” will now also support MacOS platform.

How does this affect me?

To secure access of MacOS devices with conditional access, you are required to create a compliance policy for MacOS devices in your tenant. In the absence of a compliance policy, users who enroll the devices with Intune will be considered compliant and get access to the resources protected by conditional access.


First you need to create a Intune Compliance Policy for MacOS

CA - MacOSx - 01

There are 3 different categories for MacOS compliance settings

  • Device health
  • Device properties
  • System Security

Device health

Require a system integrity protection : Set this to Require to check if your macOS devices have system integrity protection enabled. This requires OS X El Capitan or later.

About System Integrity Protection on your Mac

CA - MacOSx - Device Health.png

Device properties

Minimum OS version : When a device does not meet the minimum OS version requirement, it is reported as noncompliant. A link with information on how to upgrade appears. The user can choose to upgrade their device. After that, they can access company resources.
Maximum OS version : When a device is using an OS version later than the one specified in the rule, access to company resources is blocked and the user is asked to contact their IT admin. Until there is a change in rule to allow the OS version, this device cannot be used to access company resources.

CA - MacOSx - Device Properties

System security settings


Require a password to unlock mobile devices : Set this to Require so users need to enter a password before they can access their device.
Simple passwords : Set this to Block so user can’t create a simple password like 1234 or 1111.
Minimum password length : Specify the minimum number of digits or characters that the password must have.
Password type : Specify whether the user must create an Alphanumeric password or a Numeric password.
Number of non-alphanumeric character in password : If you set Required password type to Alphanumeric , use this setting to specify the minimum number of character sets that the password must have.

Maximum minutes of inactivity before password is required : Specify the idle time before the user must reenter their password.
Password expiration (days): Select the number of days (between 1 and 250) before the password expires and they must create a new one.
Number of previous passwords to prevent reuse : Specify the number of previously used passwords that cannot be reused.

CA - MacOSx - System Security.png


Read more at :

Create a device compliance policy for macOS devices (preview) with Intune