🎯 Purpose
✅ Enforce baseline device compliance for macOS devices, aligned with Essential Eight – COMPLY (IBP / Maturity Level 1).
➡️ Ensures macOS devices meet core security requirements before accessing corporate resources.
👥 Who is affected
✅ Devices: All macOS devices
🚫 Exclusions: None
➡️ Users must access corporate resources from a compliant macOS device.
☁️ What access is protected
✅ Applications: Microsoft 365 and other Entra‑integrated cloud applications
✅ Platform: macOS
➡️ Access is granted only when the device reports as compliant.
🔐 How compliance is enforced
✅ System Integrity Protection (SIP) is required
✅ FileVault disk encryption is enforced
✅ macOS firewall is enabled with block‑all and stealth mode
✅ Gatekeeper restricts apps to App Store and Identified Developers
✅ Enforcement occurs via Intune Compliance paired with Conditional Access
➡️ Non‑compliant devices are blocked from access after a 24‑hour grace period.
ℹ️ Note:
Password and OS version requirements are intentionally not enforced at the IBP / M1 stage.
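As an added example (not part of this policy page or of Intune), the following read-only shell script checks the same four settings on a Mac so an administrator can confirm a device's state before Intune evaluates it. The tool output wording it parses is an assumption (constructed samples; exact phrasing varies across macOS versions), and for Gatekeeper it only verifies that assessment is enabled, not the allowed-source choice.

```shell
#!/bin/sh
# Added example, not the policy's or Intune's own code. Parsing is kept
# separate from command execution so the logic can be exercised off-device
# against constructed sample outputs.

# is_on OUTPUT: succeed only if the tool output gives positive evidence the
# feature is on; any "disabled"/"off" wording, or empty output, counts as off.
# Assumed phrasings: "status: enabled.", "FileVault is On.", "Firewall is
# enabled. (State = 1)", "Block all ENABLED!", "Stealth mode enabled",
# "assessments enabled".
is_on() {
  out=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$out" in
    *disabled*|*" off"*) return 1 ;;
    *enabled*|*" on"*|*"block all"*) return 0 ;;
    *) return 1 ;;
  esac
}

# assess SIP FILEVAULT FW_STATE FW_BLOCKALL FW_STEALTH GATEKEEPER
# Prints "compliant" or "noncompliant: <failed checks>"; returns 0 or 1.
assess() {
  failed=""
  is_on "$1" || failed="$failed sip"
  is_on "$2" || failed="$failed filevault"
  is_on "$3" || failed="$failed firewall"
  is_on "$4" || failed="$failed firewall-block-all"
  is_on "$5" || failed="$failed firewall-stealth"
  is_on "$6" || failed="$failed gatekeeper"
  if [ -z "$failed" ]; then echo "compliant"; return 0; fi
  echo "noncompliant:$failed"; return 1
}

# Live mode on macOS only (run as: sh check.sh --live). Queries are read-only;
# some socketfilterfw queries require root. Elsewhere only the functions load.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--live" ]; then
  FW=/usr/libexec/ApplicationFirewall/socketfilterfw
  assess "$(csrutil status)" "$(fdesetup status)" "$($FW --getglobalstate)" \
         "$($FW --getblockall)" "$($FW --getstealthmode)" "$(spctl --status)"
fi
```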
⚙️ What this policy does NOT enforce
🚫 Password complexity or inactivity timeouts
🚫 Minimum or maximum macOS version
🚫 Threat protection / MTD integration
🚫 Managed email profile requirement
➡️ These controls may be introduced at higher Essential Eight maturity levels.
🟢 Policy status
✅ Enabled
✅ Enforced via Intune Compliance
✅ Conditional Access blocks access after 24‑hour grace period
📘 Essential Eight Alignment
✅ Supports Essential Eight – COMPLY
✅ Enforces OS integrity, encryption, and baseline device security
ℹ️ Additional restrictions align with Maturity Levels 2–3
📘 Practical Interpretation (Executive‑Friendly)
This compliance policy ensures that:
✅ macOS devices are encrypted and protected from tampering
✅ Insecure or modified devices cannot access corporate resources
✅ Users have time to remediate issues before access is blocked
This establishes a baseline macOS compliance posture aligned to Essential Eight while allowing for future security uplift.