The Intune (Mac) integration enables IT and security teams to enforce and monitor macOS device compliance via MDM. It connects Drata to Microsoft Intune so your team can synchronize policies and device posture to meet compliance requirements.
Once the connection is complete, you can enable Workstation Configuration Monitoring under your company's Internal Security settings. For any workstation on which the Drata Agent is not present and active, Drata then obtains that workstation's configuration data from your Intune instance for compliance purposes.
Key Capabilities
Device compliance posture (macOS): Syncs compliance results (e.g., FileVault, firewall, lock screen, software updates).
Policy existence & assignment checks: Confirms policies are mapped to devices and devices are compliant with those policies.
Prerequisites & Data Access
Must have Admin, Information Security Lead, DevOps Engineer, or Workspace Manager roles in Drata.
Devices to be monitored must be enrolled in Intune, through the Intune Company Portal website or app or any other supported enrollment method.
Employees whose devices are already enrolled do not need to install the Company Portal application.
Make sure that your Entra (formerly Azure) account has already been populated with users.
A Microsoft Endpoint Manager (Intune) group containing all users to be monitored (both “Microsoft 365” and “Security” group types are supported).
Each device must have the user’s email address in the User Principal Name field, matching the Personnel email in Drata.
A Global Administrator account in Entra ID/Intune is required to complete the setup steps below, including registering the app and granting admin consent to its permissions.
Important Notes
Device Note
This article is for macOS devices. For Windows devices, refer to the Intune (Windows) Connection help article.
The integration supports only computers. iOS and iPadOS devices are not supported.
The application list for each device can take up to seven days to sync, because Intune refreshes a device's discovered apps list only once every seven days after the device is enrolled.
Compliance Note
At this time, Drata’s device compliance checks using the Intune connection directly verify only the Hard Disk Encryption setting. For all other checks, Drata confirms the following:
Does the policy of the required name and/or type exist?
Is that policy mapped to the device?
Is that device compliant with that policy?
If all three of the above criteria are met, Drata will show that device as passing for the other device compliance checks.
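The following Python script is an added example, not Drata's code and not an official Microsoft sample. It reproduces the three criteria above on data in the shape Microsoft Graph returns for managed devices and compliance policies, adds the direct disk-encryption check (the isEncrypted property of a managed device), and flags devices whose User Principal Name does not match a Drata personnel email (the prerequisite noted earlier). Run with no environment variables it evaluates a constructed sample; with TENANT_ID, CLIENT_ID and CLIENT_SECRET set it uses the app registration and Graph application permissions from Steps 6 and 7 below to query your tenant. The policy name 'Drata - macOS Compliance', the environment variable names and the sample device data are assumptions.

```python
"""Added example (not Drata's code): evaluate Drata's three-criteria policy check
and the direct FileVault check against Microsoft Graph managed-device data."""
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
COMPLIANT = {"compliant", "remediated"}        # Graph complianceStatus values that count as passing
UNASSIGNED = {"notAssigned", "notApplicable"}  # Graph statuses meaning the policy is not mapped to the device


def get_token(tenant_id, client_id, client_secret):
    """OAuth 2.0 client-credentials grant for the app registration (live call only)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
        return json.load(r)["access_token"]


def graph_get(token, path):
    """GET a Graph collection and follow @odata.nextLink paging (live call only)."""
    url, items = GRAPH + path, []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as r:
            page = json.load(r)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def find_policy(policies, name):
    """Criterion 1: a macOS compliance policy with the required name exists."""
    for p in policies:
        if p.get("displayName") == name and p.get("@odata.type", "").endswith("macOSCompliancePolicy"):
            return p
    return None


def device_result(device, policy, statuses):
    """Criteria 2 and 3 for one device, plus the direct disk-encryption check.
    statuses: the policy's deviceStatuses entries keyed by deviceDisplayName."""
    reasons = []
    if policy is None:
        reasons.append("required compliance policy not found")
        assigned = compliant = False
    else:
        st = statuses.get(device["deviceName"], {}).get("status", "notAssigned")
        assigned = st not in UNASSIGNED
        compliant = st in COMPLIANT
        if not assigned:
            reasons.append("policy not assigned to device")
        elif not compliant:
            reasons.append(f"device status is {st}")
    encrypted = bool(device.get("isEncrypted"))
    if not encrypted:
        reasons.append("FileVault not reported as enabled")
    return {"device": device["deviceName"], "upn": device.get("userPrincipalName"),
            "policy_pass": assigned and compliant, "encrypted": encrypted, "reasons": reasons}


def upn_mismatches(devices, personnel_emails):
    """Devices whose UPN matches no Drata personnel email (case-insensitive)."""
    known = {e.lower() for e in personnel_emails}
    return [d["deviceName"] for d in devices if (d.get("userPrincipalName") or "").lower() not in known]


def evaluate(devices, policies, statuses, required_name="Drata - macOS Compliance"):
    policy = find_policy(policies, required_name)
    return {r["device"]: r for r in (device_result(d, policy, statuses) for d in devices)}


# Constructed sample data in the shape Graph returns; not real tenant data.
SAMPLE_POLICIES = [{"id": "p1", "displayName": "Drata - macOS Compliance",
                    "@odata.type": "#microsoft.graph.macOSCompliancePolicy"}]
SAMPLE_DEVICES = [
    {"deviceName": "mac-alice", "userPrincipalName": "alice@example.com", "isEncrypted": True},
    {"deviceName": "mac-bob", "userPrincipalName": "bob@example.com", "isEncrypted": True},
    {"deviceName": "mac-carol", "userPrincipalName": "carol.personal@example.net", "isEncrypted": False},
]
SAMPLE_STATUSES = {"mac-alice": {"status": "compliant"},
                   "mac-bob": {"status": "nonCompliant"}}  # carol has no entry: policy never assigned

if __name__ == "__main__":
    if os.environ.get("TENANT_ID"):  # live mode (assumed env var names)
        tok = get_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
        devices = graph_get(tok, "/deviceManagement/managedDevices?$filter=operatingSystem%20eq%20'macOS'")
        policies = graph_get(tok, "/deviceManagement/deviceCompliancePolicies")
        policy = find_policy(policies, "Drata - macOS Compliance")
        statuses = {s["deviceDisplayName"]: s for s in graph_get(
            tok, f"/deviceManagement/deviceCompliancePolicies/{policy['id']}/deviceStatuses")} if policy else {}
    else:
        devices, policies, statuses = SAMPLE_DEVICES, SAMPLE_POLICIES, SAMPLE_STATUSES
    for r in evaluate(devices, policies, statuses).values():
        print(r)
    print("UPN mismatches:", upn_mismatches(devices, ["alice@example.com", "bob@example.com"]))
```

A device that has never checked in after assignment shows no deviceStatuses entry, which the script treats as "not assigned"; that is the same outcome a forgotten group assignment produces, so a failing device should be checked against the policy's Assignments tab before assuming the device itself is at fault.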
Additional Considerations
1Password is detected only when it is installed via Intune.
Intune cannot natively detect browser extensions, so if a browser extension is used as the password manager, that compliance check will fail. Users need to use the equivalent installed desktop application, and that app must appear on either Intune's Discovered Apps list or Intune's Managed Apps list.
Drata reads both the Intune Discovered Apps list and the Intune Managed Apps list natively.
Permissions & Data Table
Permission/Scope | Why It’s Needed | Data Accessed (Read Only)
DeviceManagementManagedDevices.Read.All | Read device compliance and inventory for macOS devices | Managed device details & compliance states
DeviceManagementConfiguration.Read.All | Read compliance & configuration policy definitions | Policies and their assignments
DeviceManagementApps.Read.All | Read discovered and managed apps for compliance checks | App inventory (Discovered Apps, Managed Apps)
User.Read.All | Map devices to users and groups for assignments | Basic user directory info
DeviceManagementScripts.Read.All | Read device management scripts relevant to posture | Script metadata associated with device management
Step-by-Step Setup
Create compliance policies on Microsoft Endpoint Manager. These are necessary for:
macOS Auto Updates,
Firewall,
Disk Encryption,
Lock Screen, and
Antivirus compliance data.
Sync devices to get the latest policies and actions from Intune.
Create an Intune OAuth app on Entra ID and obtain the app’s Application ID (client ID), Tenant ID, and app secret.
Grant permissions to the app.
Connect to your Intune instance in Drata.
Step 1: Create a macOS Compliance Policy (Intune)
Sign in to Microsoft Endpoint Manager admin center → Devices > Compliance Policies > Policies > Create Policy.
Select macOS as the platform.
Name and describe the policy (e.g., “Drata – macOS Compliance”).
Configure Compliance settings:
Device Health → Require system integrity protection: Require.
System Security → Require a password to unlock devices: Require.
System Security → Maximum minutes of inactivity before password is required: 15 minutes.
Encryption → Require encryption of data storage on device: Require.
Device Security → Firewall: Enable.
Gatekeeper → Allow apps downloaded from these locations: Mac App Store and identified developers.
Configure any additional settings per business requirements.
Learn more about Microsoft compliance settings.
(Optional) Configure Actions for noncompliance.
Assign to the appropriate user groups (or All users).
After assignment of policy to the users, you should see the 'Review + Create' section. Click on the 'Create' button to complete this step.
Step 2: Create a macOS Updates Configuration Profile
Note: If you already have an existing macOS Updates profile, you may submit that profile's name to our Support team and Drata will apply it after your connection is made.
Devices > Configuration Profiles > Create profile.
Platform: macOS
Profile Type: Templates
Template name: Custom
On the 'Basics' page, enter the following name exactly as provided:
Drata - Software Updates
Add an optional description → Next.
Configuration settings:
Custom configuration profile name: Drata - Software Updates (match the overall profile name).
Deployment Channel: Device Channel.
Create a local XML file (e.g., any-name.xml) with the following contents and upload it as the Configuration profile file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>AutomaticallyInstallMacOSUpdates</key>
<true/>
<key>AutomaticallyInstallAppUpdates</key>
<true/>
<key>AutomaticCheckEnabled</key>
<true/>
<key>CriticalUpdateInstall</key>
<true/>
<key>PayloadDisplayName</key>
<string>Software Update</string>
<key>PayloadIdentifier</key>
<string>com.apple.SoftwareUpdate.4bb5aca5-cd0c-4562-bac4-e87c835b29cf</string>
<key>PayloadType</key>
<string>com.apple.SoftwareUpdate</string>
<key>PayloadUUID</key>
<string>de247aa4-10db-4f48-8dda-91aff64fcdfe</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Software Update</string>
<key>PayloadIdentifier</key>
<string>Software&amp;SecurityUpdates1.0.cf7e812a-9415-47e9-909b-f1560532d5ce</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>da7e79e8-6311-4266-9621-c1b7b3496893</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Once the file has been created, upload it in the Configuration profile file field.
Assign to the appropriate groups/devices. You can do so by selecting 'Add groups,' 'Add all users,' or 'Add all devices' based on your company’s configuration.
Go to 'Review + create' tab, review your settings, and click 'Create' when ready to save your new profile.
Step 3: Create a Lock Screen (Screen Saver) Profile
Note: If you already have an existing one you may submit that profile's name to our Support team and Drata will apply it after your connection is made.
Devices > Configuration profiles > Create profile.
Platform: macOS
Profile Type: Templates
Template name: Custom
Name: Drata - Screen Saver (exactly) → optional description → Next.
Configuration settings:
Deployment Channel: Device Channel.
Create a local XML file with the following contents, which set 10-minute (600 s) idle timeouts, and upload it in the 'Configuration profile file' section:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>idleTime</key>
<integer>600</integer>
<key>loginWindowIdleTime</key>
<integer>600</integer>
<key>PayloadType</key>
<string>com.apple.screensaver</string>
<key>PayloadIdentifier</key>
<string>com.apple.screensaver.4bb5aca5-cd0c-4562-bac4-e87c835b29cf</string>
<key>PayloadUUID</key>
<string>ba9abec1-ee44-413d-b75f-63748644ca71</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Screen Saver Device</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>4ffe721a-f2e6-4191-a3fe-1d1a463fbbac</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Assign to the appropriate groups/devices. You can do so by selecting 'Add groups,' 'Add all users,' or 'Add all devices' based on your company’s configuration.
Go to the 'Review + create' tab, review your settings, and click 'Create' when ready to save your new profile.
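Before uploading either custom profile, it is worth confirming that the plist is well-formed and complete, so that a problem such as an unescaped ampersand in an identifier or a timeout longer than the compliance policy allows is caught before the profile reaches devices. The following Python script is an added example, not Drata's or Apple's code. It parses a .mobileconfig with the standard plistlib module, checks the payload keys Apple requires (PayloadType, PayloadIdentifier, PayloadUUID, PayloadVersion), ensures payload UUIDs are well-formed and unique, requires the top-level PayloadType to be Configuration, and for a screen saver payload checks that both idle timeouts fall within the 15-minute inactivity limit set in the compliance policy of Step 1. The embedded sample is a constructed copy of the screen saver payload above with a hypothetical top-level PayloadIdentifier (com.example.drata.screensaver); the 15-minute bound is an assumption taken from that compliance policy.

```python
"""Added example (not Drata's code): validate a custom macOS .mobileconfig before uploading it to Intune."""
import plistlib
import sys
import uuid
from xml.parsers.expat import ExpatError

REQUIRED_PAYLOAD_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")
MAX_IDLE_SECONDS = 15 * 60  # assumption: the 15-minute inactivity limit from the Step 1 compliance policy


def validate_profile(xml_bytes: bytes) -> list[str]:
    """Return a list of problems; an empty list means the profile looks uploadable."""
    try:
        top = plistlib.loads(xml_bytes)
    except (ExpatError, ValueError) as e:  # raw '&', unclosed tags, bad header, ...
        return [f"not well-formed plist XML: {e}"]
    problems = []
    if top.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    payloads = top.get("PayloadContent", [])
    if not payloads:
        problems.append("PayloadContent is empty")
    seen = set()
    for i, p in enumerate(payloads):
        for k in REQUIRED_PAYLOAD_KEYS:
            if k not in p:
                problems.append(f"payload {i}: missing {k}")
        u = p.get("PayloadUUID", "")
        try:
            uuid.UUID(u)
        except ValueError:
            problems.append(f"payload {i}: PayloadUUID {u!r} is not a UUID")
        if u in seen or u == top.get("PayloadUUID"):  # UUIDs must be unique within the profile
            problems.append(f"payload {i}: PayloadUUID {u!r} reused")
        seen.add(u)
        if p.get("PayloadType") == "com.apple.screensaver":
            for key in ("idleTime", "loginWindowIdleTime"):
                v = p.get(key)
                if not isinstance(v, int) or v <= 0 or v > MAX_IDLE_SECONDS:
                    problems.append(f"payload {i}: {key}={v!r} must be 1..{MAX_IDLE_SECONDS} seconds")
        if p.get("PayloadType") == "com.apple.SoftwareUpdate":
            for key in ("AutomaticallyInstallMacOSUpdates", "CriticalUpdateInstall"):
                if p.get(key) is not True:
                    problems.append(f"payload {i}: {key} must be true")
    return problems


# Constructed sample: the screen saver payload from this article with a hypothetical top-level identifier.
SCREEN_SAVER_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
<key>idleTime</key><integer>600</integer>
<key>loginWindowIdleTime</key><integer>600</integer>
<key>PayloadType</key><string>com.apple.screensaver</string>
<key>PayloadIdentifier</key><string>com.apple.screensaver.4bb5aca5-cd0c-4562-bac4-e87c835b29cf</string>
<key>PayloadUUID</key><string>ba9abec1-ee44-413d-b75f-63748644ca71</string>
<key>PayloadVersion</key><integer>1</integer>
</dict></array>
<key>PayloadDisplayName</key><string>Screen Saver Device</string>
<key>PayloadIdentifier</key><string>com.example.drata.screensaver</string>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadUUID</key><string>4ffe721a-f2e6-4191-a3fe-1d1a463fbbac</string>
<key>PayloadVersion</key><integer>1</integer>
</dict></plist>"""
# Two deliberately broken variants: an unescaped '&' in an identifier, and a 30-minute idle timeout.
BAD_AMPERSAND = SCREEN_SAVER_OK.replace(b"com.example.drata.screensaver", b"Software&SecurityUpdates1.0")
LONG_IDLE = SCREEN_SAVER_OK.replace(b"<integer>600</integer>", b"<integer>1800</integer>", 1)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # usage: python validate_profile.py profile.mobileconfig ...
        with open(path, "rb") as f:
            probs = validate_profile(f.read())
        print(path, "OK" if not probs else "\n  " + "\n  ".join(probs))
    if not sys.argv[1:]:
        for name, blob in (("ok", SCREEN_SAVER_OK), ("ampersand", BAD_AMPERSAND), ("idle", LONG_IDLE)):
            print(name, validate_profile(blob) or "OK")
```

Run it with the path of each XML file you intend to upload; the parse error it reports for the ampersand case is the same failure a device would hit when installing the profile.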
Step 4: Create a FileVault Profile
In Intune: Endpoint security > Disk Encryption > + Create Policy.
Platform: macOS
Profile: FileVault
Click Create, then name and describe the policy. We recommend using Drata - FileVault as the name.
Select 'Yes' for 'Enable FileVault'.
Configuration settings:
Escrow location description of personal recovery key: Add guidance for users on how to retrieve the recovery key for their device.
For example: “You can retrieve the personal recovery key for your macOS device from the Microsoft Intune app or Company Portal.”
Note: This information can be useful for your users when you use the setting for personal recovery key rotation, which can automatically generate a new recovery key for a device periodically.
Configure any other settings per business requirements.
Assign this new profile to users. You can do so by selecting 'Add groups,' 'Add all users,' or 'Add all devices' based on your company’s configuration.
Go to Review and Create and verify your configuration.
Step 5: Sync Devices (Bulk) in Intune
The Sync device action forces the selected device(s) to immediately check in with Intune. When a device checks in, it receives any pending actions or policies that have been assigned to it.
This feature can help you immediately validate and troubleshoot policies you've assigned, without waiting for the next scheduled check-in.
Sync devices to get the latest policies and actions with Intune:
Select Devices > All devices > Bulk Device Actions.
On the 'Basics' page, enter the following:
Select macOS for OS
Select Sync for Device action
On the 'Devices' page, select from 1 to 100 devices.
Go to 'Review + create' page, ensure your settings are correct, and click 'Create'. You will be taken back to the Devices page.
Step 6: Create an App Registration in Entra ID
From the Microsoft Intune admin center: select All services > Microsoft Entra (this opens the Entra admin center).
Select Identity > Applications > App registrations.
Select + New registration.
Note: Alternatively, you can reach the same screen from portal.azure.com: click Microsoft Entra ID, then App registrations in the left sidebar, then + New registration.
Name: Drata - Intune App (exactly).
Supported account types: 'Accounts in this organizational directory only (<directory name> only - Single tenant)'.
Click 'Register'. You are taken back to the app's Overview page.
From the app Overview, copy Application (client) ID and Directory (tenant) ID. Save these for the Drata connection step later.
Click 'Add a certificate or secret' (or go to Certificates & secrets) → + New client secret.
Add a Description, set Expires to 24 months, and click Add.
Note the expiration date; the secret must be rotated and re-entered in Drata before it expires, or the connection will stop syncing.
Copy the Value immediately. It is displayed only once; after you leave or refresh the page it is masked and cannot be retrieved, and you would have to create a new secret. This value is entered in the Application Secret field within Drata during the connection process.
After copying it, refresh the Certificates & secrets screen so the new secret becomes usable (Microsoft holds it in a pending state until the screen is refreshed).
Step 7: Grant Microsoft Graph Application Permissions
Microsoft Graph has two types of permissions: Delegated and Application. The Drata OAuth app needs Application permissions.
In the app: API permissions
Select + Add a permission.
Then, Microsoft Graph.
Then, Application permissions.
Add these permissions:
DeviceManagementManagedDevices.Read.All
DeviceManagementConfiguration.Read.All
DeviceManagementApps.Read.All
User.Read.All
DeviceManagementScripts.Read.All
Click Add permissions.
Click Grant admin consent for <directory name>, then click 'Yes' in the 'Grant admin consent confirmation' popup.
Once consent succeeds, confirm that the Status column shows Granted for all five permissions.
Complete the Connection
In Drata’s Connections page, enter the following information:
Drata Field | Intune (Mac) Value |
Directory (tenant) ID | Directory (tenant) ID from Entra App Registration |
Application (client) ID | Application (client) ID from Entra App Registration |
Application Secret | Value of the client secret (copied at creation time) |
For steps on accessing and using the Connections page in Drata, refer to The Connections Page in Drata.
Configure Intune as the MDM Source in Drata
In Drata: go to your User Profile → Settings → Internal Security.
Toggle Automated via Intune on.
Toggle Automated via Drata Agent off.
NOTE: If both remain on and the Drata Agent is installed on an employee computer, the agent takes precedence; that employee's compliance checks will come from the agent rather than from Intune.
Government Support for Microsoft Intune GCC High
Drata supports Microsoft Intune GCC High for your MDM connection. All of the support and services described above for Microsoft Intune carry over to the GCC High connection as well.