Microsoft Intune: Recovery Lock management for macOS

🚨 The Signal: Intune now manages macOS Recovery Lock passwords. Recovery Lock applies to Macs with Apple silicon (Intel Macs use a firmware password instead) and is set by the MDM server rather than on the device: once it is set, booting into recoveryOS to erase or reinstall macOS, or to lower startup security, requires the password, so a user or thief cannot use recovery mode to bypass device management. This enhances device integrity and control over company-owned macOS assets.

The Impact

Security teams and macOS administrators are affected; the change reduces the risk of unauthorised macOS reinstallation and of management bypass from recoveryOS.

  • Security Teams: Reduced risk of device tampering from recoveryOS (erase, reinstall, or weakened startup security).
  • macOS Administrators: Enhanced control over company-owned Macs with Apple silicon, with the Recovery Lock password managed by Intune rather than set locally.
  • End Users: Recovery mode (recoveryOS) requires the Recovery Lock password before device configuration can be altered.

The Action

  1. Navigate to Microsoft Intune admin center > Devices > macOS > Configuration profiles.
  2. Create a new profile or edit an existing one.
  3. Select 'Device restrictions' or 'Custom settings' (depending on Intune UI updates).
  4. Locate and configure 'Recovery Lock password' settings.
  5. Assign the profile to the macOS device groups that contain Apple silicon Macs (Intel Macs cannot receive a Recovery Lock).
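Before assigning the profile, it helps to confirm that the targeted Macs can actually take a Recovery Lock. The script below is an added example, not code from the original page or from Microsoft: it is written in the style of an Intune macOS custom-attribute script and reports whether a Mac has Apple silicon and is MDM-enrolled. It assumes the output format of `profiles status -type enrollment` shown in the comments; the `Eligible`/`NotEligible:…` strings are this example's own convention.

```shell
#!/bin/bash
# Added example, not code from the original page or from Microsoft: an Intune
# macOS custom-attribute style script that reports whether a Mac can receive a
# Recovery Lock password. Recovery Lock exists only on Macs with Apple silicon
# (Intel Macs use a firmware password instead) and is set by the MDM server,
# so the Mac must also be MDM-enrolled. The output strings are our own
# convention, not Intune's.

# Classify eligibility from the CPU architecture (output of `uname -m`, run
# natively, not under Rosetta) and the output of
# `profiles status -type enrollment`. Kept as a pure function so it can be
# exercised with constructed input off the device.
recovery_lock_eligibility() {
    arch="$1"
    enrollment="$2"

    # Intel Macs (x86_64) cannot take a Recovery Lock; give them a
    # firmware-password profile instead.
    if [ "$arch" != "arm64" ]; then
        echo "NotEligible:IntelMac"
        return 0
    fi

    # The MDM server pushes the lock, so an unenrolled Mac cannot receive it.
    # `profiles status -type enrollment` prints lines such as:
    #   Enrolled via DEP: Yes
    #   MDM enrollment: Yes (User Approved)
    case "$enrollment" in
        *"MDM enrollment: Yes"*)
            echo "Eligible"
            ;;
        *)
            echo "NotEligible:NotEnrolled"
            ;;
    esac
}

# On a real Mac, report the live values; Intune records the single line this
# script prints as the custom attribute's value. Where `profiles` is absent
# (for example when the file is sourced for testing on another OS), only the
# function is defined.
if command -v profiles >/dev/null 2>&1; then
    recovery_lock_eligibility "$(uname -m)" "$(profiles status -type enrollment 2>/dev/null)"
fi
```

Upload it as a custom attribute script for macOS and review the reported value per device; any Mac reporting `NotEligible:IntelMac` belongs in a firmware-password assignment rather than the Recovery Lock profile, and `NotEligible:NotEnrolled` points at an enrollment problem to fix first.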

Domain: Intune · Impact: high · Workload: Intune · Essential Eight: User Application Hardening · ISM: ISM-1412, ISM-1485, ISM-1486, ISM-1542, ISM-1585, ISM-1667, ISM-1668, ISM-1669, ISM-1670, ISM-1823, ISM-1824, ISM-1859, ISM-1860