Intune Customer Success
New permission prompt to improve macOS notification experience for users when using shell scripts

Intune_Support_Team
Jul 18, 2024

Update 9/4/2024: As of August 28, 2024, the Intune agent is now receiving an updated PPPC profile that silently configures the "System Events" permission on applicable Macs. No action is needed to enable this experience. Microsoft recommends removing any other PPPC profile you may have deployed for the Intune agent to configure this permission. In case of conflicting PPPC profiles on a device, set the “Hide script notifications on devices” setting to “Yes” for all script policies to ensure that the permission prompt is not shown to the user.


Starting with Intune management agent for macOS v2407.005, we’re improving reliability and consistency for macOS notifications appearing in Notification Center when using shell scripts. When a script policy with a notification command is received by the Intune agent on the Mac, the agent now requests access to “System Events” on macOS. This prompts macOS to request the device user to allow or disallow the “System Events” permission using the alert shown below.

 

An image of the notification shown when Microsoft Intune agent requests access to control "System Events".

 

If the user selects “Allow”, macOS system notifications for scripts run by the Intune agent will be enabled. If the user selects “Don’t Allow”, macOS system notifications for scripts run by the Intune agent will be disabled. The permission enables the Intune agent to consistently show notifications contained in the admin-assigned script policy.

 

Note: There’s no impact to the Intune agent’s functionality or its ability to manage devices or run assigned policies based on the user’s selection.

 

Screenshot of a sample ‘Contoso Admin script’ notification in the macOS Notification Center.

 

What to expect

In the coming week or soon after, the Intune agent will receive an updated Privacy Preferences Policy Control (PPPC) payload (when applicable) to configure this permission silently using mobile device management.

 

If you deploy a macOS shell script that turns notifications on, or have an Intune shell script policy with the setting “Hide script notifications on devices” set to “Not configured”, your managed devices will receive the prompt.

 

Screenshot of the ’Hide script notifications on devices’ setting in a macOS shell script policy.

 

Communicate to your macOS users that this prompt is expected, and that they should select “Allow” on the alert. This setting can be managed under System Preferences > Privacy and Security > Automation > Microsoft Intune Agent on macOS devices.

 

Screenshot of the Privacy and Security settings options displaying the Microsoft Intune Agent ‘Automation’ settings.
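
For the clean-up recommended in the update note at the top of this post, the following added example (not code from Microsoft or the Intune agent) scans exported `.mobileconfig` profiles for PPPC rules that set the agent's Apple Events access to System Events and reports whether they disagree. The agent bundle ID and code requirements are placeholders and the sample profiles are constructed; `find_overlap` and `system_events_rules` are names chosen for this sketch.

```python
import plistlib

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"  # PPPC payload type
SYSTEM_EVENTS = "com.apple.systemevents"
AGENT_ID = "com.example.intune-agent"  # placeholder: use the agent's real bundle ID

def system_events_rules(profile_bytes, agent_id=AGENT_ID):
    """List (profile name, allowed) for AppleEvents rules: agent -> System Events."""
    profile = plistlib.loads(profile_bytes)
    name = profile.get("PayloadDisplayName", "(unnamed)")
    rules = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_TYPE:
            continue
        for rule in payload.get("Services", {}).get("AppleEvents", []):
            target = (rule.get("Identifier"), rule.get("AEReceiverIdentifier"))
            if target != (agent_id, SYSTEM_EVENTS):
                continue
            # Newer payloads carry Authorization; older ones the boolean Allowed.
            auth = rule.get("Authorization")
            allowed = (auth == "Allow") if auth is not None else bool(rule.get("Allowed"))
            rules.append((name, allowed))
    return rules

def find_overlap(profiles, agent_id=AGENT_ID):
    """Return (matching rules from all profiles, True if they disagree)."""
    rules = [r for p in profiles for r in system_events_rules(p, agent_id)]
    return rules, len({allowed for _, allowed in rules}) > 1

# --- constructed sample profiles (not real exports) ---
BASE = {"Identifier": AGENT_ID, "IdentifierType": "bundleID",
        "CodeRequirement": "PLACEHOLDER", "AEReceiverIdentifier": SYSTEM_EVENTS,
        "AEReceiverIdentifierType": "bundleID",
        "AEReceiverCodeRequirement": "PLACEHOLDER"}

def _sample(name, rule):
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadDisplayName": name,
        "PayloadContent": [{"PayloadType": TCC_TYPE,
                            "Services": {"AppleEvents": [rule]}}]})

SAMPLES = [
    _sample("Legacy custom PPPC", {**BASE, "Allowed": False}),
    _sample("Updated PPPC", {**BASE, "Authorization": "Allow"}),
    _sample("Unrelated app", {**BASE, "Identifier": "com.example.other", "Allowed": True}),
]

if __name__ == "__main__":
    rules, conflicting = find_overlap(SAMPLES)
    for name, allowed in rules:
        print(f"{name}: {'Allow' if allowed else 'Deny'}")
    print("conflict" if conflicting else "no conflict")
```

More than one matching rule means a duplicate profile to retire; a conflict is the case where the update note says to set “Hide script notifications on devices” to “Yes”.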

If you have any questions or feedback, leave a comment below or reach out on X @IntuneSuppTeam.

Updated Sep 04, 2024