Get Local Admins and Last Reboot Time on MacOS Devices Using Custom Attributes

You can create custom attribute profiles that let you collect custom properties from managed macOS devices using shell scripts.

Introduction to Custom Attributes

If you are managing MacOS Devices in Intune you can use custom attributes to really get into the nitty-gritty of device management. Custom Attributes are basically outputs of shell scripts and can help to scoop up all kinds of specific info about the devices. This is super useful because it gives you a much clearer picture and more control over all the macOS devices in your organization. These scripts are pretty flexible and they can dig up a lot of detailed data, which is awesome for keeping track of and handling a bunch of different devices effectively.

Configure Custom Attributes

Custom Attributes are basically the outputs of your shell script. In the next chapter we will look at two examples of what a shell script can look like to output the information we want.

To start with Custom Attributes go to the Custom Attributes menu in the Intune Portal.

You can click on the above link or get there by following these steps:

  1. Intune Portal
  2. Devices
  3. MacOS
  4. Custom Attributes

Here you can add a new Custom Attribute by clicking on the +Add button.

After clicking on the Add button you can give it a Name and a Description. In my case it looks like this:

Click on “Next”. Now we can upload the script and set the Data type to “String”. (You may have to select another Type depending on the script output)

Assign it to a Group of MacOS Devices or Users and it's done.

You can check the results after clicking on any of the created Custom Attributes:

Let's now check both use cases.

Use Cases

There are multiple use cases for Custom Attributes in Intune for MacOS. I have picked two of them to demonstrate Custom Attributes.

List all Local Admins

Today, without Platform SSO, many enterprises that have MacOS Devices have at least one local admin (accessible to the user) on the managed MacOS Devices. Intune does not provide a list of local administrators, so let's create a shell script that will do this for us:

#!/bin/bash
# Script to list all local admin users

echo "Listing all local admin users:"
dscl . -read /Groups/admin GroupMembership

Download from GitHub


The output of the script is in the Result column. Example:
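A variant of the local-admin script above, added here as an example and not the author's script: it reports the admins as one sorted line and flags any account that is not on an expected list, so unexpected admins stand out in the Result column. The names `EXPECTED_ADMINS` and `summarize_admins`, the allowlist contents, and the `admins=...; unexpected=...` output format are assumptions.

```shell
#!/bin/bash
# Added example (not the author's script): report local admins as one sorted,
# comma-separated line and flag accounts that are not on an expected list.

# Assumption: space-separated accounts your organization expects as admins.
EXPECTED_ADMINS="root"

# Turn raw `dscl . -read /Groups/admin GroupMembership` output into
# "admins=a,b,c; unexpected=x,y" (or "unexpected=none").
summarize_admins() {
  raw="$1"
  # Drop the "GroupMembership:" key, then put each member on its own line.
  members=$(printf '%s\n' "$raw" | sed 's/^GroupMembership:[[:space:]]*//' \
    | tr -s '[:space:]' '\n' | sed '/^$/d' | sort -u)
  unexpected=""
  for m in $members; do
    case " $EXPECTED_ADMINS " in
      *" $m "*) ;;                                      # expected account
      *) unexpected="${unexpected:+$unexpected,}$m" ;;  # not on the list
    esac
  done
  all=$(printf '%s\n' "$members" | paste -sd, -)
  printf 'admins=%s; unexpected=%s\n' "${all:-none}" "${unexpected:-none}"
}

if command -v dscl >/dev/null 2>&1; then
  # On a Mac: read the real admin group membership.
  summarize_admins "$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)"
else
  # Constructed sample input so the script can be tried off a Mac.
  summarize_admins "GroupMembership: root localadmin jdoe"
fi
```

`GroupMembership` lists only direct members of the admin group; accounts that gain admin rights through nested groups do not appear in it.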

Get Last Reboot Time

Use this script to get the last reboot time of your MacOS Devices.

#!/bin/bash
# Script to get the last reboot time formatted

# Extracting the timestamp from the sysctl command
timestamp=$(sysctl kern.boottime | awk '{print $5}' | tr -d ',')

# Converting the timestamp to a formatted date
formatted_date=$(date -r "$timestamp" "+%Y-%m-%d %H:%M:%S")

echo "Last Reboot Time: $formatted_date"

Download from GitHub

The output of the script is in the Result column. Example:

Microsoft has also released a few Scripts for Custom Attributes here: GitHub

Microsoft Docs about Custom Attributes: Microsoft Learn

Conclusion

In conclusion, leveraging custom attributes in Intune for MacOS devices, like listing local admins and tracking last reboot times, is a powerful and efficient way to enhance device management. These shell script-based attributes provide a clear and detailed view of device statuses, significantly improving the management and security of MacOS devices in any organization.
