Leverage Custom Attributes for MacOS devices

In the Intune console, IT teams can build a very precise inventory of macOS devices. Of course, there is the “Hardware” section where you can get information, but it’s only a light overview.

With custom attributes, you can use bash scripts to build a deeper inventory. The possibilities are many, if not endless.

What is a custom attribute?

Basically, a custom attribute is the output of a bash script run on the macOS device. PowerShell is one of my best friends, but bash is definitely a good one as well.

By running a bash command on a macOS device, you can get pretty much anything you want to know. This output is a custom attribute.

How?

The first thing to keep in mind is: what do you want to collect?

Do you want to know who the local administrators are on your devices? The battery state? Who is currently logged in? Or even read log files, get the firewall status, etc.?

The possibilities are many; it’s a question of what you want to request. Once you’re sure about it, use the proper bash command(s) and put the output in a variable.

Echo the variable. “Et voilà”.

Here is a simple example that reads who the local administrators are (with output formatting).
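As an added illustration (not the author's original script), one way to write such a custom attribute: it reads the local admin group with dscl and echoes a single sorted, comma-separated line for a String attribute. The function names and the sample values in the comments are constructed for this example, and only direct group members are listed.

```shell
#!/bin/bash
# Added example, not the author's script. Intune custom attribute, data type: String.
# Echoes the direct members of the local "admin" group as one sorted line.
# Assumption: nested groups are not expanded; root is dropped as a built-in entry.

# format_admins RAW
#   RAW is the text printed by `dscl . -read /Groups/admin GroupMembership`,
#   e.g. (constructed sample) "GroupMembership: root alice bob".
#   Prints "alice,bob", or "none" when only root is a member.
format_admins() {
    members=$(printf '%s\n' "$1" \
        | sed 's/^GroupMembership://' \
        | tr -s '[:space:]' '\n' \
        | grep -v -e '^$' -e '^root$' \
        | sort -u \
        | paste -sd ',' -)
    echo "${members:-none}"
}

# admin_attribute
#   Reads the group from the local directory node and echoes the attribute value.
#   A failed read is reported as a value, so a broken inventory is visible
#   in the results instead of looking like an empty admin list.
admin_attribute() {
    if ! raw=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null); then
        echo "error: could not read admin group"
        return 0
    fi
    format_admins "$raw"
}

# Whatever the script echoes becomes the custom attribute value.
admin_attribute
```

A value other than the accounts you expect to hold admin rights is the signal to follow up on in the exported results.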

Where?

Here.

Upload and deployment

Click the Add button and give the custom attribute a name.

Then choose the data type of the variable you echo in your bash script. For date output, I suggest you go there for more information; it’s a bit tricky.

Upload the bash script and assign it to your users or devices.

Results of a custom attribute that lists every local administrator:

The inventory is here. You can export the results of your deployment in a CSV file, which is great.

I’ll let you imagine what you can do with it using MS Graph and automation processes…

Note: I found myself re-uploading the script when I faced an “unknown” error. I don’t know exactly why, but it did the trick every time with a manual sync.

Note again: According to MS documentation, custom attributes are supposed to run automatically every 8 hours.

Custom attributes samples

A few weeks ago, I discovered a GitHub repository where a few samples were shared. It contains a bunch of bash scripts that are fully ready to be deployed.

It’s just a start; feel free to make your own to build a custom inventory.

Tip: I found it interesting to leverage the “System Information” panel with the “system_profiler” command, such as: system_profiler SPCameraDataType

4 thoughts on “Leverage Custom Attributes for MacOS devices”

  1. Good post, only question I have is that there doesn’t seem to be any functionality in Intune to actually use the information gathered for anything useful, or is there something I haven’t seen? Shouldn’t the information gathered by such scripts also be available on the device overview page, instead of the “results” tab of the script itself?

  2. Hello John,
    It seems that you can do the same thing in either a shell script or custom attribute. The shell script route offers choices for how often the script is run. Other than that, are there any significant differences between these two different methods of deploying the same script?

    1. Hello!
      I’ve seen a result message for shell scripts indeed. However, from the MS documentation, shell script reporting is updated only during the first run of the script: https://learn.microsoft.com/en-us/mem/intune/apps/macos-shell-scripts#monitor-a-shell-script-policy
      You might need to update the code to update the reporting so Intune thinks it’s the first script run.
      Meanwhile, a custom attribute is updated every 8 hours and it’s designed for this purpose 🙂
