This step-by-step guide demonstrates how to create custom attributes for macOS using Intune. The custom attribute profiles enable you to collect custom properties from managed macOS devices using shell scripts.
When you enroll a Mac device in Intune, most of the device information is already gathered through the agent. If you need to query the advanced inventory information from your remote Mac devices, custom attributes are the solution.
Typically, the macOS management schema does not include the data collected by custom attributes. The majority of Mac administrators are aware that Intune permits shell scripts to be used for deployment. This capability actually improves the Mac’s device management capabilities.
What are custom attributes for macOS?
A custom attribute is basically a shell script that is executed on the macOS devices to collect specific information. For example, you can make use of a custom attribute to retrieve the last reboot time of a device, get the physical RAM, etc.
If you’re confused between shell scripts and custom attributes, here is the difference. Shell scripts are intended to configure system settings and apply changes on your Mac devices, for example setting up a desktop wallpaper or deploying fonts for Mac. Custom attributes, by contrast, offer accurate information about macOS devices without necessarily requiring device modifications.
By default, custom attributes execute every eight hours. You cannot change the frequency of a deployed custom attribute, and you cannot run it on demand. Shell scripts offer more flexibility: you can define the script frequency, the maximum number of times to retry if the script fails, and much more.
Prerequisites
If you’re going to create a custom attribute policy in Intune to gather critical information about your Mac devices, ensure that the following prerequisites are met:
- Remote Mac devices should be running macOS 12.0 or later.
- The Mac devices should be managed by Intune MDM.
- Devices must be connected directly to the Internet. Connection through a proxy is not supported.
- Shell scripts begin with #! and must be in a valid location, such as #!/bin/sh or #!/usr/bin/env zsh.
- Command-line interpreters for the applicable shells are installed.
Prepare the Custom Attribute Script
The custom attribute that we are going to deploy checks the physical RAM on the Mac device. However, before you deploy a custom attribute with Intune, you must manually verify that the script works correctly.
To do so, run the script below in the Terminal app on your macOS device. Copy the script into a text application and save it as getphysicalram.zsh.
#!/bin/zsh
#set -x
## Returns the physical RAM on Mac devices
RAMbytes=$(sysctl hw.memsize | awk '{print $2}')
typeset -i RAMGB
(( RAMGB = $RAMbytes / (1024 * 1024 * 1024) ))
echo $RAMGB "GB"
Create Custom Attributes for macOS using Intune
Let’s go through the steps for creating a custom attribute policy in Intune for macOS devices:
Step 1: Create a custom attribute policy
- Sign in to the Microsoft Intune admin center.
- Select Devices > By platform > macOS.
- Under Organize devices > Custom attributes for macOS, click Create.
In the Basics tab, enter the following properties, and select Next:
- Name: Enter a name for the custom attribute policy.
- Description: Enter a description for the shell script. This setting is optional, but recommended.
Step 2: Configure Attribute Settings
In Attribute settings, configure the following:
Data type of attribute: Select the data type of the result that the script returns. If you have a basic understanding of data types, this should be easy for you. For a custom attribute script, the available values are String, Integer, and Date.
Script: Click on the folder icon and select a script file.
Here is important information from Microsoft to keep in mind while configuring the attribute settings.
- The shell script that you upload here must echo the attribute to be reported. Furthermore, the data type of the output must match the data type of the attribute in the custom attribute profile.
- The result returned by the shell script must be 20KB or less.
Click Next.
Step 3: Assign the Custom Attribute Script
In the Assignments tab, choose your target Microsoft Entra groups to assign the script policy. If you are testing this script in your organization, I recommend assigning it to a pilot device group that mostly includes the devices and users intended for testing. Upon successful deployment, you can expand the policy to larger groups.
After you have selected the groups, they will appear in the list, and will receive your script policy.
This is the last step where you review the custom attribute policy settings. A summary of the policy settings that you’ve configured is presented on the screen. If everything looks good, click Add to save the script.
You should see a new notification in the top-right corner of the Intune admin center: “Custom attribute successfully assigned”. The script policy is now deployed to the groups you selected.
Monitor a custom attribute policy in Intune
After you’ve assigned a custom attribute profile to your Entra groups, you can monitor its assignment in the Intune admin center.
In the Intune admin center, go to Devices > macOS > Organize devices > Custom attributes for macOS. On the right-hand side, select the custom attribute policy that you wish to monitor. The Overview section shows the count of devices or users on which script execution was successful or failed.
Note: If the policy was targeted at users, check User Status, and if it was targeted at devices, check Device Status.
Understanding Custom Attribute Status and Results
The custom attribute profile that we assigned retrieves the physical RAM on the Mac devices.
If the custom attribute script status shows as failed, it means the script returned a non-zero exit code or the script is malformed. You’ll have to revisit the script and correct it if there are any errors. The error is reported in the Result column.
If the custom attribute script status shows as succeeded, it indicates that the script returned zero as the exit code.
To check the result, select your custom attribute policy and under Monitor, select Device Status. The output echoed by the script is reported in the Result column. In the screenshot below, we see the custom attribute has collected the details of physical RAM for the Mac device, and it is 8 GB.
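The rules described in this guide (a #! first line, a zero exit code, echoed output of 20KB or less that matches the chosen data type) can be checked locally before a script is uploaded. The following is an added example, not part of the original article or any Microsoft tooling: check_attribute_script is a hypothetical helper, 20KB is assumed to mean 20 x 1024 bytes, and the Date type is left out because the article does not state its expected format.

```shell
#!/bin/sh
# Added example: check_attribute_script is a hypothetical helper, not an Intune tool.
MAX_BYTES=20480   # assumption: "20KB" read as 20 * 1024 bytes

# Usage: check_attribute_script <script-path> <String|Integer>
# Prints one PASS/FAIL line; returns 0 on pass, 1 on fail.
check_attribute_script() {
    script=$1
    dtype=$2

    # The script must begin with #! (prerequisite list).
    first_line=$(head -n 1 "$script")
    case $first_line in
        '#!'*) ;;
        *) echo "FAIL: first line is not a #! line"; return 1 ;;
    esac

    # Run it with the interpreter named on the #! line and capture stdout.
    interp=${first_line#??}
    out=$($interp "$script" 2>/dev/null)
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "FAIL: exit code $rc (non-zero is reported as failed)"; return 1
    fi

    # The attribute must be echoed, and the result must fit the size limit.
    size=$(( $(printf '%s' "$out" | wc -c) ))
    if [ "$size" -eq 0 ]; then
        echo "FAIL: script echoed nothing"; return 1
    fi
    if [ "$size" -gt "$MAX_BYTES" ]; then
        echo "FAIL: output is $size bytes, limit is $MAX_BYTES"; return 1
    fi

    # The output must match the data type chosen in the profile.
    case $dtype in
        String) ;;
        Integer)
            digits=${out#-}   # allow one leading minus sign
            case $digits in
                ''|*[!0-9]*) echo "FAIL: '$out' is not an Integer"; return 1 ;;
            esac ;;
        *) echo "FAIL: type '$dtype' not covered by this check"; return 1 ;;
    esac
    echo "PASS: $dtype, $size bytes: $out"
}

# When invoked as a command with two arguments, check that script.
if [ "$#" -eq 2 ]; then check_attribute_script "$1" "$2"; fi
```

Run against getphysicalram.zsh from this guide, the check passes for String and fails for Integer, because the script echoes the number together with the "GB" suffix.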