manage_intune_macos_devices
Enroll, manage, and secure macOS devices in Intune by performing actions like compliance policy enforcement, device inventory tracking, remote commands, and enrollment type configuration.
Instructions
Manage macOS devices in Intune including enrollment, compliance policies, device actions, and inventory management.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| action | Yes | Intune macOS device management action | |
| deviceId | No | Device ID for device-specific operations | |
| filter | No | OData filter for device listing | |
| enrollmentType | No | Enrollment type | |
| assignmentTarget | No | Assignment target | |
Implementation Reference
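/**
 * Rejects an OData filter whose quotes or parentheses are unbalanced.
 *
 * The list action wraps the caller's filter in parentheses so that it can only
 * narrow the fixed macOS clause. That wrapping is meaningless if the filter can
 * close the parenthesis itself, so unbalanced input is refused up front.
 *
 * @param filter - Caller-supplied OData filter expression.
 * @throws McpError with ErrorCode.InvalidParams when the expression is unbalanced.
 */
function assertSelfContainedFilter(filter: string): void {
  let depth = 0;
  let inLiteral = false;
  for (const ch of filter) {
    if (ch === "'") {
      // OData escapes a quote inside a literal as '', which toggles twice and
      // therefore leaves the state unchanged.
      inLiteral = !inLiteral;
      continue;
    }
    if (inLiteral) {
      continue;
    }
    if (ch === '(') {
      depth += 1;
    } else if (ch === ')') {
      depth -= 1;
      if (depth < 0) {
        break;
      }
    }
  }
  if (inLiteral || depth !== 0) {
    throw new McpError(
      ErrorCode.InvalidParams,
      'filter must have balanced quotes and parentheses'
    );
  }
}

/**
 * Main handler function implementing macOS device management actions in
 * Microsoft Intune (list, get, enroll, retire, wipe, restart, sync, remote lock,
 * collect logs). Uses Microsoft Graph API endpoints.
 *
 * Security notes:
 * - `args.deviceId` and `args.filter` are caller-supplied and end up in the
 *   request URL, so both are percent-encoded before the request is built.
 * - `retire`, `wipe`, `restart` and `remote_lock` are sent as soon as the action
 *   is dispatched. This function has no confirmation or approval step of its
 *   own; any such gate has to be enforced by the caller.
 * - The raw Graph response is serialized back to the caller unchanged.
 *
 * @param graphClient - Microsoft Graph client used to issue the request.
 * @param args - Tool arguments; `action` selects the operation.
 * @returns A single text content item holding the JSON-serialized Graph response.
 * @throws McpError with ErrorCode.InvalidParams when `deviceId` is missing for a
 *   device-specific action, when `filter` is unbalanced, or when `action` is unknown.
 */
export async function handleIntuneMacOSDevices(
  graphClient: Client,
  args: IntuneMacOSDeviceArgs
): Promise<{ content: { type: string; text: string }[] }> {
  // Builds the path for a device-specific endpoint. The ID is encoded as a
  // single path segment so that '/', '?' or '#' inside it cannot change which
  // Graph endpoint the request is addressed to.
  const devicePath = (suffix = ''): string => {
    if (!args.deviceId) {
      throw new McpError(
        ErrorCode.InvalidParams,
        `deviceId is required for ${args.action} action`
      );
    }
    return `/deviceManagement/managedDevices/${encodeURIComponent(args.deviceId)}${suffix}`;
  };

  let apiPath = '';
  let result: unknown;

  switch (args.action) {
    case 'list': {
      // List all macOS devices managed by Intune. The macOS clause is fixed; a
      // caller filter is ANDed on as a parenthesized sub-expression so that an
      // `or` inside it cannot widen the result beyond macOS devices.
      const clauses = [`operatingSystem eq 'macOS'`];
      const callerFilter = args.filter?.trim();
      if (callerFilter) {
        assertSelfContainedFilter(callerFilter);
        clauses.push(`(${callerFilter})`);
      }
      // Encoding keeps '&' and '#' in the filter from starting a new query
      // parameter or a fragment.
      // NOTE(review): assumes the Graph client forwards this query string as
      // given and does not percent-encode it a second time; confirm against the
      // client version in use.
      apiPath = `/deviceManagement/managedDevices?$filter=${encodeURIComponent(clauses.join(' and '))}`;
      result = await graphClient.api(apiPath).get();
      break;
    }

    case 'get':
      apiPath = devicePath();
      result = await graphClient.api(apiPath).get();
      break;

    case 'enroll': {
      // Create enrollment invitation. args.enrollmentType is not read here; the
      // configuration type below is fixed.
      apiPath = '/deviceManagement/deviceEnrollmentConfigurations';
      const enrollmentPayload = {
        displayName: 'macOS Device Enrollment',
        description: 'Automated macOS device enrollment',
        deviceEnrollmentConfigurationType: 'appleDeviceEnrollmentProgram',
        enableAuthenticationViaCompanyPortal: true,
        requireUserAuthentication: true,
        assignmentTarget: args.assignmentTarget
      };
      result = await graphClient.api(apiPath).post(enrollmentPayload);
      break;
    }

    case 'retire':
      apiPath = devicePath('/retire');
      result = await graphClient.api(apiPath).post({});
      break;

    case 'wipe': {
      apiPath = devicePath('/wipe');
      // Nothing is preserved: enrollment data, user data and the eSIM plan are
      // all flagged for removal.
      const wipePayload = {
        keepEnrollmentData: false,
        keepUserData: false,
        macOsUnlockCode: '', // Optional unlock code for macOS
        persistEsimDataPlan: false
      };
      result = await graphClient.api(apiPath).post(wipePayload);
      break;
    }

    case 'restart':
      apiPath = devicePath('/rebootNow');
      result = await graphClient.api(apiPath).post({});
      break;

    case 'sync':
      apiPath = devicePath('/syncDevice');
      result = await graphClient.api(apiPath).post({});
      break;

    case 'remote_lock':
      apiPath = devicePath('/remoteLock');
      result = await graphClient.api(apiPath).post({});
      break;

    case 'collect_logs': {
      apiPath = devicePath('/createDeviceLogCollectionRequest');
      const logCollectionPayload = {
        templateType: 'predefined' // or 'custom'
      };
      result = await graphClient.api(apiPath).post(logCollectionPayload);
      break;
    }

    default:
      throw new McpError(ErrorCode.InvalidParams, `Invalid action: ${args.action}`);
  }

  // JSON.stringify(undefined) yields undefined rather than a string; falling
  // back to null keeps `text` a string when a request returns no body.
  return {
    content: [{ type: 'text', text: JSON.stringify(result ?? null, null, 2) }]
  };
}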
// src/types/intune-types.ts:2-12 (schema)
/**
 * Input schema (TypeScript interface) defining parameters for the
 * manage_intune_macos_devices tool, including action types and optional
 * filters/IDs.
 *
 * Every string field here is caller-supplied. `deviceId` and `filter` are used
 * by handleIntuneMacOSDevices to build a Microsoft Graph request URL, so they
 * should be treated as untrusted input.
 */
export interface IntuneMacOSDeviceArgs {
  /** Operation to perform; several of these are destructive on the device. */
  action:
    | 'list'
    | 'get'
    | 'enroll'
    | 'retire'
    | 'wipe'
    | 'restart'
    | 'sync'
    | 'remote_lock'
    | 'collect_logs';

  /** Managed device identifier; the handler requires it for every action except list and enroll. */
  deviceId?: string;

  /** OData filter expression applied when listing devices. */
  filter?: string;

  /** Enrollment type; the handler shown alongside this schema does not read it. */
  enrollmentType?:
    | 'UserEnrollment'
    | 'DeviceEnrollment'
    | 'AutomaticDeviceEnrollment';

  /** Groups, users or devices forwarded in the enrollment configuration payload. */
  assignmentTarget?: {
    groupIds?: Array<string>;
    userIds?: Array<string>;
    deviceIds?: Array<string>;
  };
}
- src/server.ts:723-741 (registration)Tool registration in MCP server where 'manage_intune_macos_devices' is registered with schema, metadata, and handler wrapper calling handleIntuneMacOSDevices."manage_intune_macos_devices", "Manage macOS devices in Intune including enrollment, compliance policies, device actions, and inventory management.", intuneMacOSDeviceSchema.shape, {"readOnlyHint":false,"destructiveHint":true,"idempotentHint":false}, wrapToolHandler(async (args: IntuneMacOSDeviceArgs) => { this.validateCredentials(); try { return await handleIntuneMacOSDevices(this.getGraphClient(), args); } catch (error) { if (error instanceof McpError) { throw error; } throw new McpError( ErrorCode.InternalError, `Error executing tool: ${error instanceof Error ? error.message : 'Unknown error'}` ); } }) );
- src/tool-metadata.ts:127-130 (schema)Tool metadata definition including description, title, and annotations used during registration.manage_intune_macos_devices: { description: "Manage macOS devices in Intune including enrollment, compliance policies, device actions, and inventory management.", title: "Intune macOS Device Manager", annotations: { title: "Intune macOS Device Manager", readOnlyHint: false, destructiveHint: true, idempotentHint: false, openWorldHint: true }