Connecting to Intune will turn on the MDM option in Workstation Configuration Monitoring on your Company's Internal Security settings. If the Drata Agent is not present and active, it will then proceed to obtain workstation configuration info from the Intune instance for compliance purposes.
BEFORE DIVING IN
This article is dedicated to the connection details for macOS devices. Click here to access the article with the connection details for Windows devices.
Make sure that the devices you wish to monitor are enrolled through the Intune Company Portal website or app. Devices can be enrolled by any of these methods. If your employees are already enrolled, it is not necessary for them to install the Company Portal application.
Make sure that your Entra (formerly Azure) account has already been populated with users.
Make sure you have an existing Microsoft Endpoint Manager group containing all users that need to be monitored. Both types of 'Microsoft 365' and 'Security' are supported.
Make sure that all devices that need to be synced have the user's email address entered into the device's User Principal Name field. Also, ensure this value matches the Personnel email address in Drata.
You will need a Global Administrator account in order to set everything up in Entra/Intune.
At this time, the Hard Disk Encryption check reads the device's setting directly through the Intune connection. The rest of Drata’s device compliance checks instead confirm the following:
Does the policy of the required name and/or type exist?
Is that policy mapped to the device?
Is that device compliant with that policy?
If all three of the above criteria are met, Drata will show that device as passing for the other device compliance checks.
Additional Considerations:
The integration supports only computers. iOS and iPadOS devices are not supported.
The application list for each device can take up to seven days to sync, because Intune refreshes the discovered apps list only once every seven days after Intune was installed.
1Password is only detected when it is installed via Intune.
Intune cannot natively pick up browser extensions, so if those are being used as a password manager, that compliance check will fail. Your users will need to use the equivalent installed desktop application. Ensure that this app shows on either Intune's discovered apps list or Intune's Managed Apps list.
Drata supports both the Intune Discovered Apps list and Intune Managed Apps list natively.
Currently, policies and configuration profiles set up using Intune Settings Catalog are not supported. In order for compliance data to sync, you must use the policy and configuration profile types defined in this help article.
Overview of what we're going to set up
Create policies on Microsoft Endpoint Manager. These are necessary for macOS Auto Updates, Firewall, Disk Encryption, Lock Screen, and Antivirus compliance data.
Sync devices to get the latest policies and actions from Intune.
Create an Intune OAuth app on Entra ID and obtain the app’s Application ID (client ID), Tenant ID, and app secret.
Grant permissions to the app.
Connect to your Intune instance in Drata.
Create Compliance Policy
Sign in to the Microsoft Endpoint Manager admin center.
Go to Devices > Compliance Policies > Policies > Create Policy.
Select 'macOS' as platform for this policy.
In the next tab, give it a 'Name' and 'Description' that helps you identify the policy you are creating. For example:
Go to the bottom of the page and click on 'Next'.
You will see the 'Compliance settings' tab. Here you will configure the settings for your policy.
Note: if you want to learn more about compliance settings, click here.
Click on 'Device Health'.
Go to 'Require system integrity protection' and select 'Require'.
Under 'System Security', set 'Require a password to unlock devices' to 'Require'. Set 'Maximum minutes of inactivity before password is required' to 15 minutes:
Scroll down to 'Encryption' and set 'Require encryption of data storage on device' to 'Require'.
Scroll down to 'Device Security' and set 'Firewall' to 'Enable'.
Under 'Gatekeeper', select 'Mac App Store and identified developers' in the dropdown to limit apps downloaded to only identified developers.
Configure other settings as your business requires.
Setting 'Actions for noncompliance' is optional.
Assign this new policy to users. You can do so by selecting 'Add groups' or 'Add all users' based on your company’s configuration.
After assignment of policy to the users, you should see the 'Review + Create' section. Click on the 'Create' button to complete this step.
macOS Updates Profile
Create a new configuration profile to sync software update settings.
NOTE: If you already have an existing macOS Updates profile, you may submit that profile's name to our Support team and Drata will apply it after your connection is made.
Select Devices > Configuration Profiles > Create profile.
When creating a profile, make sure to select:
Platform: macOS
Profile Type: Templates
Template name: Custom
Click 'Create'.
On the 'Basics' page, enter the following name exactly as provided:
Drata - Software Updates
Add an optional description and click 'Next'.
Now go to the 'Configuration settings' tab and set the 'Custom configuration profile name':
Drata - Software Updates
NOTE: Ensure the custom configuration profile name matches the overall custom profile name above.
For the 'Deployment Channel' field, choose 'Device Channel.'
Create a file on your machine (any-name.xml) with the XML below.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>AutomaticallyInstallMacOSUpdates</key>
            <true/>
            <key>AutomaticallyInstallAppUpdates</key>
            <true/>
            <key>AutomaticCheckEnabled</key>
            <true/>
            <key>CriticalUpdateInstall</key>
            <true/>
            <key>PayloadDisplayName</key>
            <string>Software Update</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.SoftwareUpdate.4bb5aca5-cd0c-4562-bac4-e87c835b29cf</string>
            <key>PayloadType</key>
            <string>com.apple.SoftwareUpdate</string>
            <key>PayloadUUID</key>
            <string>de247aa4-10db-4f48-8dda-91aff64fcdfe</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Software Update</string>
    <key>PayloadIdentifier</key>
    <!-- An ampersand must be written as &amp; inside XML, otherwise the profile does not parse. -->
    <string>Software&amp;SecurityUpdates1.0.cf7e812a-9415-47e9-909b-f1560532d5ce</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>da7e79e8-6311-4266-9621-c1b7b3496893</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
Once the file has been created, upload it in the 'Configuration profile file' field.
Assign this new profile to users. You can do so by selecting 'Add groups,' 'Add all users,' or 'Add all devices' based on your company’s configuration.
Go to 'Review + create' tab, review your settings, and click 'Create' when ready to save your new profile.
Lock Screen Profile
Create a new Configuration Profile so that the device will be compliant with the 15-minute time-frame to activate the screensaver.
NOTE: If you already have an existing Lock Screen Profile, you may submit that profile's name to our Support team and Drata will apply it after your connection is made.
Select Devices > Configuration profiles > Create profile.
Enter the following properties:
Platform: macOS
Profile Type: Templates
Template name: Custom
Select 'Create'.
On the 'Basics' page, enter the following name exactly as provided:
Drata - Screen Saver
Add an optional description and click Next.
On the 'Configuration settings' tab, make sure to set 'Device Channel' as the Deployment Channel.
Create a file on your machine (any-name.xml) with the XML below.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>idleTime</key>
            <integer>600</integer>
            <key>loginWindowIdleTime</key>
            <integer>600</integer>
            <key>PayloadType</key>
            <string>com.apple.screensaver</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.screensaver.4bb5aca5-cd0c-4562-bac4-e87c835b29cf</string>
            <key>PayloadUUID</key>
            <string>ba9abec1-ee44-413d-b75f-63748644ca71</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Screen Saver Device</string>
    <key>PayloadType</key>
    <string>com.apple.screensaver</string>
    <key>PayloadUUID</key>
    <string>4ffe721a-f2e6-4191-a3fe-1d1a463fbbac</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
Upload your xml file to the 'Configuration Profile File' section and verify your configuration matches the image below.
Assign this new profile to users. You can do so by selecting 'Add groups,' 'Add all users,' or 'Add all devices' based on your company’s configuration.
Finally, go to 'Review + create' tab to review and click on 'Create'.
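To catch a broken profile before it is uploaded, here is an added Python validator (not part of this article or of Drata's tooling) that applies to both the Software Updates and Screen Saver profiles above: it rejects a plist that is not well-formed XML, a missing Payload key, a duplicate or invalid PayloadUUID, and a screen-saver idle time outside the 15-minute requirement. The embedded sample profile and its PayloadIdentifier are constructed so the script runs offline.

```python
import plistlib
import uuid
# Constructed sample for an offline run; same shape as the article's screen-saver profile.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict><key>PayloadContent</key><array>
  <dict>
    <key>idleTime</key><integer>600</integer>
    <key>loginWindowIdleTime</key><integer>600</integer>
    <key>PayloadType</key><string>com.apple.screensaver</string>
    <key>PayloadIdentifier</key><string>com.apple.screensaver.example</string>
    <key>PayloadUUID</key><string>ba9abec1-ee44-413d-b75f-63748644ca71</string>
    <key>PayloadVersion</key><integer>1</integer>
  </dict></array>
  <key>PayloadDisplayName</key><string>Screen Saver Device</string>
  <key>PayloadType</key><string>com.apple.screensaver</string>
  <key>PayloadUUID</key><string>4ffe721a-f2e6-4191-a3fe-1d1a463fbbac</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict></plist>"""

MAX_IDLE_SECONDS = 15 * 60  # the article's 15-minute lock requirement
def _valid_uuid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False

def validate_profile(raw):
    """Return the problems found in a custom profile; an empty list means it passed."""
    try:
        top = plistlib.loads(raw)
    except Exception as exc:  # not well-formed XML, e.g. a bare '&' inside a <string>
        return [f"not a well-formed plist: {exc}"]
    payloads = top.get("PayloadContent", [])
    problems = [f"top-level {k} missing" for k in ("PayloadDisplayName", "PayloadType", "PayloadUUID") if k not in top]
    for i, p in enumerate(payloads):
        problems += [f"payload {i}: {k} missing" for k in ("PayloadType", "PayloadIdentifier", "PayloadUUID") if k not in p]
        if p.get("PayloadType") == "com.apple.screensaver":  # lock-screen payload: idle times are in seconds
            for k in ("idleTime", "loginWindowIdleTime"):
                v = p.get(k)
                if not isinstance(v, int) or not 0 < v <= MAX_IDLE_SECONDS:
                    problems.append(f"payload {i}: {k}={v!r} must be 1..{MAX_IDLE_SECONDS} seconds")
    uuids = [top.get("PayloadUUID")] + [p.get("PayloadUUID") for p in payloads]
    problems += [f"PayloadUUID {u!r} is not a valid UUID" for u in uuids if not _valid_uuid(u)]
    if len(set(uuids)) != len(uuids):
        problems.append("PayloadUUID values must be unique across the profile and its payloads")
    return problems
```

Run it as `validate_profile(open("any-name.xml", "rb").read())` on the file you are about to upload; any non-empty result is worth fixing before the profile reaches a device.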
FileVault Profile
Create a new Configuration Profile to ensure FileVault is active on all devices.
Log into Intune.
Click on 'Endpoint security'.
Click on 'Disk encryption'.
Click '+ Create Policy'.
For 'Platform', select 'macOS'.
For 'Profile', select 'FileVault'.
Click 'Create'.
In the next screen, you need to give it a name and description. We recommend using:
Drata - FileVault
Select 'Yes' for 'Enable FileVault'.
Under configuration settings, make sure the following parameters are set.
For Escrow location description of personal recovery key, add a message to help guide users on how to retrieve the recovery key for their device. For example: “You can retrieve the personal recovery key for your macOS device from the Microsoft Intune app or Company Portal.”
Note: This information can be useful for your users when you use the setting for personal recovery key rotation, which can automatically generate a new recovery key for a device periodically.
Configure other settings as your business requires.
Assign this new profile to users. You can do so by selecting 'Add groups,' 'Add all users,' or 'Add all devices' based on your company’s configuration.
Go to the 'Review + create' tab and verify your configuration.
Sync devices to get the latest policies and actions with Intune
The Sync device action forces the selected device(s) to immediately check in with Intune. When a device checks in, it receives any pending actions or policies that have been assigned to it. This feature can help you immediately validate and troubleshoot policies you've assigned, without waiting for the next scheduled check-in.
Sync bulk devices
Click Devices > All devices > Bulk Device Actions.
On the 'Basics' page, enter the following:
Select 'macOS' for OS.
Select 'Sync' for Device action.
Click 'Next'.
On the 'Devices' page, select from 1 to 100 devices. Click 'Next'.
Go to 'Review + create' page, ensure your settings are correct, and click 'Create'. You will be taken back to the Devices page.
Create new App Registration
Starting from the Microsoft Intune admin center, select All services > Microsoft Entra. A new tab will open the Microsoft Entra admin center.
Select Identity > Applications > App registrations.
On the App Registration page, select + New registration.
Alternatively, for steps 1-3, you can go to portal.azure.com -> click on Microsoft Entra ID -> click on App registrations in the left sidebar -> select + New registration.
On the 'Register an application' page, enter the following name exactly as provided:
Drata - Intune App
Select the radio option for 'Accounts in this organizational directory only' (<directory name> only - Single tenant).
Click 'Register'. You are taken back to the app's Overview page.
Copy the 'Application (client) ID' and 'Directory (tenant) ID'. Save these for the Drata connection step later.
Click 'Add a certificate or secret'.
Click + 'New client secret'.
Add a 'Description' and select '24 months' for 'Expires'. Click 'Add'.
Take note of this expiration date so you can come back before the secret expires and keep your Intune connection active in Drata.
Copy the Value (not the Secret ID) of the new secret and paste it into the 'Application Secret' text field on the Drata slide-out panel. Note: this is the only time you can copy this secret value. Be sure to refresh the Azure Certificates and Secrets screen to make the secret Value usable (Microsoft holds it in a pending state until the screen is refreshed).
API Permissions
Microsoft Graph has two types of permissions: Delegated and Application. The Drata OAuth app needs Application permissions.
Click API permissions.
Click '+ Add a permission'.
Click 'Microsoft Graph'.
Click 'Application permissions'.
Search for the following four permissions. Check the checkbox for each.
DeviceManagementManagedDevices.Read.All
DeviceManagementConfiguration.Read.All
DeviceManagementApps.Read.All
User.Read.All
Click 'Add permissions'.
Initially, these four new permissions show 'Not granted' in the Status column. Click 'Grant admin consent' to grant the app these permissions.
Click 'Yes' in the 'Grant admin consent confirmation' popup.
Once consent has been granted successfully, confirm that the Status column now shows 'Granted'.
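Once the Status column shows Granted, you can confirm the registration works end to end before pasting the values into Drata. The Python check below is an added example, not Drata's own code: it builds the client-credentials request for the standard Microsoft identity platform v2.0 token endpoint with the .default scope, reads the resulting token's roles claim for the four permissions above (a permission without admin consent never appears there), and flags a client secret near the end of its 24-month life; the unsigned token builder exists only so the check runs offline.

```python
import base64
import json
from datetime import date
# The four Microsoft Graph application permissions the article grants to 'Drata - Intune App'.
REQUIRED_ROLES = {
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementApps.Read.All",
    "User.Read.All",
}
def token_request(tenant_id, client_id, client_secret):
    """Client-credentials request (URL, form fields) for the Microsoft identity platform v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # the secret's Value, not its Secret ID
        "scope": "https://graph.microsoft.com/.default",  # .default = all application permissions granted to the app
    }
    return url, form

def _jwt_claims(token):
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_roles(access_token):
    """Required permissions absent from the token's 'roles' claim (only consented permissions appear there).
    The signature is not verified: the token was just issued to us and we only read its claims."""
    return sorted(REQUIRED_ROLES - set(_jwt_claims(access_token).get("roles", [])))

def secret_expiry_warning(expires_on, today, warn_days=30):
    """Warn when the client secret (ISO dates) has expired or expires within warn_days."""
    days_left = (date.fromisoformat(expires_on) - date.fromisoformat(today)).days
    if days_left < 0:
        return f"client secret expired {-days_left} days ago; the Intune connection in Drata will fail"
    if days_left <= warn_days:
        return f"client secret expires in {days_left} days; create a new one and update the connection in Drata"
    return None

def fetch_token(tenant_id, client_id, client_secret):
    """Live call (needs network): request an access token and return it."""
    import urllib.parse, urllib.request
    url, form = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(url, data=urllib.parse.urlencode(form).encode(), timeout=30) as resp:
        return json.load(resp)["access_token"]

def _constructed_token(roles):
    """Unsigned JWT built for offline testing; a real token is signed by Microsoft."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'roles': roles})}.sig"
```

With the three values from the registration, `missing_roles(fetch_token(tenant_id, client_id, secret_value))` returning an empty list means consent has taken effect and the secret Value is usable; anything listed is a permission to go back and grant.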
Connect to your Intune instance in Drata
Return to Drata and select Connections (located on the bottom sidebar).
Search for Intune and connect. A drawer will extend from the right of the screen.
Enter the Intune app details you saved above: Directory (tenant) ID, Application (client) ID, and Application Secret.
Click 'Save & Test Connection'.
Configure Intune in Drata for employee onboarding
Navigate to your company name in the lower left, then click Internal Security.
Toggle on 'Automated via Intune' and toggle off 'Automated via Drata Agent' to disable the Drata agent.
NOTE: If both remain on and the Drata agent is installed on an employee computer, the Drata agent takes precedence: employee compliance checks will come from the agent.