
Hi,

We are working on implementing Managed Blocking of Macros in Office365.  

My task was to have every user (not computer) have Macro Security locked to "Disable all macros without notification".

There was also to be an exclusion group for users who would not be controlled by the above lock. For the exclusion group, we wanted, if possible, for them to be locked instead to "Disable all macros with notification", as that setting allows a user to enable macros on a document-by-document basis.

I also had to make this work with Entra or our on-premises Active Directory (to which the Macs are bound). As there's no linkage yet with Entra, I've focused on Active Directory (AD).

I found that the settings for this in the Configuration Profile only work on a "Computer Level" even though they seem to be User settings

My Configuration Profile looks like this:

This works but generally takes a few minutes for the machine to pick up a change in the group from AD

If I try and make a second Config Profile and scope it to that AD group to have the setting locked to "Disable all macros with notification" it doesn't take.  I'm thinking because there are two Config Profiles that are scoped to the same key, that neither is used.  

Is there a way to do this that anyone can think of?  That is, for a select AD group of users we get it locked to "Disable all macros with Notification" and for everyone else we get it locked to "Disable all macros without notification"?

 

 

macOS device management is done in a vastly different way than device management on Windows. Apple's concept of device management is just that: device management. The vast majority of configuration profiles target the machine level, which then applies to every user on the machine. How a given configuration looks and behaves is up to the application developer to decide.

You are still using AD binding and trying to scope things to AD groups; while this will work in theory, in practice it usually does not. Apple actively advises people not to domain-bind Macs, macOS has not been designed with this function in mind for over a decade now, and domain binding causes many random problems with macOS.

For the scoping part, yes, Jamf supports scoping to AD groups, but you must keep in mind that Jamf's scoping is check-in based. So there will always be a delay between scoping to something like an AD group and the configuration profile deploying.

Your hunch about two configuration profiles targeting the same domain causing problems is correct. If you have two configuration profiles targeting the same domain (i.e. com.microsoft.office) and the same key, macOS will error the profile out: garbage in, garbage out. You will need to build an exemption into the main profile so that it is removed if the second profile ever targets the device.

Final parting thought: macOS does support user-level configuration profiles, but the user must be MDM-enabled. All mobile-account users (accounts from AD) are MDM-enabled by default. However, how configuration profiles behave with user-level interaction is up to the developer, and again, most Apple device management is machine-level.


@dlondon There is no error for setting the same key in multiple profiles, but the result of having more than one setting is officially indeterminate.

I can understand why you might want to apply the macro settings at the user level, but based on your comment it's not working except at the computer level, so it may be that MS only supports the latter. That wouldn't be the first time I've seen that, but unfortunately the docs from MS aren't clear on whether this is a requirement (although they do mention setting per-user settings with the defaults command). Also be aware that user-level profiles will only be applied when Jamf Pro checks the user's ID (e.g. recon or check-in times), as opposed to computer-level profiles, which deploy almost immediately.
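Both replies above come down to the same check: whether more than one installed profile forces the same key in the same preference domain. The script below is an added example, not code from this thread, from Jamf or from Microsoft. It parses the plist that `profiles -P -o stdout-xml` prints on macOS (run as root to see computer-level profiles) and reports every (domain, key) forced by two or more profiles, at computer level or for any user. The plist layout it assumes (a top-level key `_computerlevel` plus one key per user, each holding an array of profiles whose `ProfileItems` carry `PayloadType` `com.apple.ManagedClient.preferences` with `PayloadContent` of the form `{domain: {"Forced": [{"mcx_preference_settings": {...}}]}}`) is what custom-settings profiles typically produce, but verify it against your own output. The preference key `VisualBasicMacroExecutionState` used in the constructed sample is the key Microsoft documents for the macro setting; the thread itself never names it, so treat it as an assumption to confirm against Microsoft's preference documentation.

```python
#!/usr/bin/env python3
"""Report preference keys forced by more than one installed configuration profile.

Added example (not from the thread, Jamf or Microsoft). Run with --live on a
Mac to inspect real profiles; without it, a constructed sample is analysed.
"""
import plistlib
import subprocess
from collections import defaultdict

# PayloadType used by "custom settings" (MCX) profiles; assumed layout, see lead-in.
MCX_PAYLOAD = "com.apple.ManagedClient.preferences"


def installed_profiles():
    """Run `profiles -P -o stdout-xml` and return the parsed plist (macOS only, root)."""
    out = subprocess.run(["/usr/bin/profiles", "-P", "-o", "stdout-xml"],
                         check=True, capture_output=True).stdout
    return plistlib.loads(out)


def forced_settings(profile):
    """Yield (domain, key, value) for every preference this profile forces."""
    for item in profile.get("ProfileItems", []):
        if item.get("PayloadType") != MCX_PAYLOAD:
            continue
        for domain, spec in item.get("PayloadContent", {}).items():
            for entry in spec.get("Forced", []):
                for key, value in entry.get("mcx_preference_settings", {}).items():
                    yield domain, key, value


def find_conflicts(plist, domain_filter=None):
    """Map (domain, key) -> [(level, profile id, value), ...] for keys set by >1 profile.

    `level` is "_computerlevel" or a user name, so a computer-level profile and a
    user-level profile fighting over the same key are reported too.
    """
    seen = defaultdict(list)
    for level, profiles in plist.items():
        if not isinstance(profiles, list):
            continue
        for profile in profiles:
            for domain, key, value in forced_settings(profile):
                if domain_filter and domain != domain_filter:
                    continue
                seen[(domain, key)].append((level, profile.get("ProfileIdentifier"), value))
    return {k: v for k, v in seen.items() if len(v) > 1}


def report(conflicts):
    """Render the conflict map as human-readable lines (one header + one per setter)."""
    lines = []
    for (domain, key), setters in sorted(conflicts.items()):
        lines.append(f"{domain} {key} is forced by {len(setters)} profiles:")
        for level, ident, value in setters:
            lines.append(f"  [{level}] {ident} -> {value!r}")
    return lines


def mcx_profile(identifier, domain, settings):
    """Build one profile record in the assumed `profiles` output shape (constructed sample)."""
    return {
        "ProfileIdentifier": identifier,
        "ProfileDisplayName": identifier,
        "ProfileItems": [{
            "PayloadType": MCX_PAYLOAD,
            "PayloadContent": {domain: {"Forced": [{"mcx_preference_settings": settings}]}},
        }],
    }


# Constructed sample reproducing the thread's situation: a baseline profile and an
# exclusion-group profile both force the macro key on the same Mac. The key name is
# the one Microsoft documents for this setting (assumption; not named in the thread).
SAMPLE = {
    "_computerlevel": [
        mcx_profile("example.macros.baseline", "com.microsoft.office",
                    {"VisualBasicMacroExecutionState": "DisabledWithoutWarnings"}),
        mcx_profile("example.macros.exclusion", "com.microsoft.office",
                    {"VisualBasicMacroExecutionState": "DisabledWithWarnings"}),
        mcx_profile("example.unrelated", "com.apple.screensaver", {"askForPassword": 1}),
    ],
}

if __name__ == "__main__":
    import sys
    data = installed_profiles() if "--live" in sys.argv else SAMPLE
    conflicts = find_conflicts(data, domain_filter="com.microsoft.office")
    print("\n".join(report(conflicts)) or "no conflicting profiles")
    sys.exit(1 if conflicts else 0)
```

The non-zero exit status makes it usable as a Jamf extension attribute or a pre-flight check before scoping the exclusion profile: any Mac where both profiles landed is exactly the "indeterminate" case, and the fix is the exemption in the baseline profile's scope rather than a second profile on the same key.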


Thanks @AJPinto and @sdagley, and sorry for the delay in replying, but this is one of our busy times just before semester and packaging is number one right now.

Yes AJ, I figured I needed some separation for the scoping too. I hit a wall in Jamf in that I can't use the AD groups in Jamf Smart Groups, so I can't use the logic I'd like, where I could make a group that was all domain users minus the excluded users. This is possible in Entra ... well, actually I can make that group in Entra and then use it (Dynamic Groups). It's going to be a while before I get to that stage of moving to Entra, as there's a bunch of things in the way like network access, printing, local storage etc. that still use Active Directory.

I did see that you could make a PowerShell script in Active Directory and get it to populate a group, and that would work, but I was thinking it would take a long time to run and then it needs to be run regularly. I really don't want to be the person they point the finger at if AD starts slowing down.

I think they will just have to be happy with what I’ve got for now. 

 

Thanks again for your thoughts and suggestions - very much appreciated!



Hello ​@dlondon,
To enforce macro settings per user in Office365, use the Office Cloud Policy Service (OCPS) instead of Configuration Profiles, which apply at the computer level. OCPS supports user-scoped policies via Azure AD groups, allowing you to lock "Disable all macros without notification" for most users and apply "Disable all macros with notification" for an exclusion group. This setup works independently of Entra integration and is ideal for mixed environments.

Best Regards,
James Henry
 


Hi @james698henry - Thanks for that reply. Any idea where there's some good documentation on "Office Cloud Policy Service" when used for Mac?

I'm only seeing this https://learn.microsoft.com/en-us/microsoft-365-apps/admin-center/overview-cloud-policy and when I look elsewhere I keep getting pointed down the route of Intune and setting up a Configuration Profile for the same settings I was looking at in Jamf.

Regards,

David