Microsoft Endpoint Manager's 2208 (August 2022) service release includes two extensibility capabilities that give IT admins greater control over device compliance for Zero Trust security management. We're releasing custom compliance for Windows, which lets IT admins collect organization-specific compliance settings to make better-informed decisions about access to corporate resources. We're also improving control over macOS script management, giving admins the ability to view the contents of macOS shell scripts and custom attribute scripts at upload time and after policy creation. I hope you appreciate these enhancements as deployment wraps up for the month. I look forward to your feedback. Please comment on this post or connect with me on LinkedIn.
Flexibility to define device compliance settings
IT admins often want flexibility in defining and applying the device settings required for secure access to company resources, and thereby apply one of the principles of Zero Trust: least privilege access. While Endpoint Manager supports a wide set of Windows configuration service providers (CSPs), such as BitLocker and Windows Defender Firewall, many organizations want to evaluate compliance against additional settings on these devices based on their unique needs.
In November, we announced the public preview of custom compliance, and in 2208 that capability is generally available for you to use! Custom compliance for Windows lets you write a PowerShell discovery script that detects almost any setting, such as BIOS version or operating system version, or other information such as whether a specific application is installed, and reports it back to Intune's device compliance engine as JSON. You then supply a JSON definition file that, for each custom compliance setting, specifies the expected value and comparison operator along with remediation messages. Those messages are shown to users, including in the Company Portal app, to help them understand how to get compliant again.
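As an added example (not code from the original post or from Microsoft), here is a discovery script covering the settings mentioned above (BIOS version, OS version, a required application) plus TPM readiness, together with a helper that writes the matching JSON rule file. The application name, the intranet URL and the operand values are assumptions chosen for illustration; the rule-file field names and the operator and data-type values follow Microsoft's documented format for custom compliance, which you should confirm against the current documentation before uploading.

```powershell
# ---------------------------------------------------------------------------
# Part 1: discovery script (uploaded to Intune, runs as SYSTEM on each device).
# It must emit exactly one compressed JSON object; every key becomes a
# SettingName that the rule file in Part 2 evaluates, so names must match.
# ---------------------------------------------------------------------------
function Get-CustomComplianceState {
    $ErrorActionPreference = 'Stop'

    # Firmware version as reported by SMBIOS. Vendors format this differently
    # ("1.14.0" vs "F.23"): use the Version data type in the rule file only when
    # your fleet's string parses as a version; otherwise compare it as a String.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $biosVersion = [string]$bios.SMBIOSBIOSVersion

    # OS version, e.g. 10.0.19044
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $osVersion = [string]$os.Version

    # TPM present and initialised (Get-Tpm needs elevation; SYSTEM has it).
    # Treat any failure (no TPM module, no cmdlet) as "not ready".
    $tpmReady = $false
    try {
        $tpm = Get-Tpm
        $tpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    } catch {
        $tpmReady = $false
    }

    # Is a required application installed? Check both the native and the
    # WOW6432Node uninstall hives. 'Contoso Endpoint Agent' is an assumed name.
    $requiredApp = 'Contoso Endpoint Agent'
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $match = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $requiredApp }
    $appInstalled = [bool]$match

    $state = @{
        BiosVersion          = $biosVersion
        OsVersion            = $osVersion
        TpmReady             = $tpmReady
        RequiredAppInstalled = $appInstalled
    }
    return $state | ConvertTo-Json -Compress
}

# In the uploaded discovery script this call is the last line; its JSON is what
# Intune reads, so the script must not write anything else to the output stream.
Get-CustomComplianceState

# ---------------------------------------------------------------------------
# Part 2: companion JSON rule file, built on the admin workstation (not part of
# the uploaded discovery script). {ActualValue} in a message is replaced by the
# value the device reported.
# ---------------------------------------------------------------------------
function New-CustomComplianceRuleFile {
    param([Parameter(Mandatory)][string]$Path)

    function New-Rule($Name, $Operator, $DataType, $Operand, $Title, $Description) {
        @{
            SettingName = $Name
            Operator    = $Operator   # IsEquals, NotEquals, GreaterThan, GreaterEquals, LessThan, LessEquals
            DataType    = $DataType   # Boolean, Int64, Double, String, DateTime, Version
            Operand     = $Operand
            MoreInfoUrl = 'https://intranet.contoso.example/compliance'   # assumed URL
            RemediationStrings = @(
                @{ Language = 'en_US'; Title = $Title; Description = $Description }
            )
        }
    }

    $rules = @{
        Rules = @(
            (New-Rule 'BiosVersion' 'GreaterEquals' 'Version' '1.14.0' `
                'BIOS must be 1.14.0 or later (found {ActualValue}).' `
                'Update the firmware from the vendor portal linked above.'),
            (New-Rule 'OsVersion' 'GreaterEquals' 'Version' '10.0.19044' `
                'Windows build is too old (found {ActualValue}).' `
                'Install pending Windows updates and restart.'),
            (New-Rule 'TpmReady' 'IsEquals' 'Boolean' $true `
                'TPM is not present or not ready.' `
                'Enable the TPM in firmware settings, then initialise it in Windows Security.'),
            (New-Rule 'RequiredAppInstalled' 'IsEquals' 'Boolean' $true `
                'Contoso Endpoint Agent is not installed.' `
                'Install the agent from the Company Portal.')
        )
    }

    # -Depth must cover Rules -> rule -> RemediationStrings -> message object
    $rules | ConvertTo-Json -Depth 6 | Set-Content -Path $Path -Encoding UTF8
}
```

Upload Part 1 on its own as the discovery script, run `New-CustomComplianceRuleFile -Path .\CustomComplianceRules.json` on an admin workstation and upload the resulting file with the compliance policy. One caveat worth keeping in mind: the engine takes the JSON the device returns as truth, and the script runs as SYSTEM on that device, so anything that already has SYSTEM on a compromised endpoint can simply report compliant values. Custom compliance extends what you can measure; pair it with the built-in attestation-backed settings rather than relying on self-reported state alone for your highest-value access decisions.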
We've received a lot of positive feedback during the public preview of this capability. Organizations have appreciated the flexibility to use custom compliance to check for specific apps in their Windows environment: if the apps weren't present, the device was marked noncompliant and the user could not access corporate resources through Microsoft 365. We look forward to hearing what custom compliance policies organizations create now that the feature is generally available.
The screenshot below provides an example of configuring custom compliance in Endpoint Manager.
A screenshot of the Create custom script screen with an example PowerShell script to detect custom settings on Windows, which can be used to calculate compliance.
IT admins and support agents have frequently asked for more flexibility and discoverability in script management on macOS devices. In 2208, we've introduced the ability for IT admins to audit and validate shell scripts and custom attribute scripts for macOS devices, from upload through policy creation and delivery.
Now, IT admins can upload a script and confirm that it is applied as defined throughout its lifecycle, including once it has run on a device. This helps both with validating that the correct script was applied and with troubleshooting on a device when the results weren't as expected. Being able to see the applied script directly can cut the time needed to troubleshoot any script policy. You can see a short demo of this experience here:
Here are two screenshots from the Endpoint Manager admin center of the scripting experience:
A screenshot showing contents during script policy creation.
A screenshot showing properties of the previously uploaded script.
For more information on working with macOS shell scripts, see the following documentation:
Please share your comments, questions, and feedback, so we can continue to improve the endpoint user experience and simplify IT administration. Simply comment on this post or connect with me on LinkedIn.