Intune Customer Success

Known issue: macOS devices using stealth mode turn non-compliant after upgrading to macOS 15

Intune_Support_Team, Sep 20, 2024

Updated 9/24/24: Starting in macOS 15, blocking incoming connections also includes stealth mode. We’re actively working on a change to only check Stealth Mode if Incoming connections is not configured. This means you’ll no longer need to configure both settings and can safely set Stealth Mode to Not configured if Incoming connections is set to Block.

We were recently alerted that some macOS devices may turn non-compliant after upgrading to macOS 15 if Stealth Mode is enabled in a device compliance policy. This setting is in the macOS compliance policy under System Security. When stealth mode is enabled, the Mac does not respond to “ping” requests or to connection attempts on closed TCP or UDP ports. Stealth mode can be configured through a compliance policy or by configuring the firewall through the settings catalog.

Screen shot from the Microsoft Intune admin center of a macOS compliance policy.

After devices upgrade to macOS 15, they may report a non-compliant status with the Enable stealth mode setting showing an error:

Screen shot of an error for the Enable Stealth Mode setting.


Workaround
If you're experiencing an issue where the device turns non-compliant after upgrading to macOS 15, you can mitigate this by configuring the Stealth Mode setting to be Not configured for devices running macOS 15 and later:

Screen shot of Not Configured for Stealth Mode from the Intune admin center UI.


If you set Stealth Mode to Not configured in your device compliance policy, you can still turn stealth mode on for the device through a device configuration policy. This setting is located in the macOS settings catalog under Networking > Firewall:

Screen shot of where to enable Stealth Mode in the settings picker for Firewall.

Screen shot of the Enable Stealth mode in the firewall setting.

Additionally, if you want to prevent devices from upgrading to macOS 15, you can configure software update delay restrictions in the settings catalog. This will delay macOS 15 from being offered on devices for a specified period of time:

Screen shot of where to delay software updates.
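The two compliance rules the post describes (the current check, which evaluates Stealth Mode whenever it is required, and the announced change, which skips it when Incoming connections is set to Block) can be tried out against a device's firewall state. The script below is an added example, not code from the Intune post or the Intune service; it reads the state with Apple's `socketfilterfw` tool when run on a Mac and otherwise uses a constructed sample in which the stealth line is absent, standing in for the error the post shows for the Enable stealth mode setting. The output phrases it matches are assumed from `socketfilterfw`'s usual wording.

```shell
#!/bin/sh
# Added example, not code from the Intune post: read a Mac's application
# firewall state and evaluate the stealth-mode compliance rule the post
# describes, under both the current check and the announced change.
#
# Assumptions: socketfilterfw prints the phrases matched below (taken from
# its usual output); the sample text further down is constructed.

FW_BIN=/usr/libexec/ApplicationFirewall/socketfilterfw

# Constructed sample standing in for a macOS 15 device where Incoming
# connections is blocked: the stealth line is missing, which models the
# "error" the post shows for the Enable stealth mode setting.
SAMPLE_MACOS15='Firewall is enabled. (State = 1)
Block all ENABLED!'

# Print live socketfilterfw output on a Mac; fall back to the sample elsewhere.
collect_fw_output() {
    if [ -x "$FW_BIN" ]; then
        for opt in --getglobalstate --getblockall --getstealthmode; do
            "$FW_BIN" "$opt"
        done
    else
        printf '%s\n' "$SAMPLE_MACOS15"
    fi
}

# Reduce socketfilterfw text to three words: firewall blockall stealth,
# each on/off/unknown. Unknown means the value could not be read.
parse_fw_output() {
    fw=unknown; blockall=unknown; stealth=unknown
    case "$1" in *"Firewall is enabled"*)   fw=on ;; esac
    case "$1" in *"Firewall is disabled"*)  fw=off ;; esac
    case "$1" in *"Block all ENABLED"*)     blockall=on ;; esac
    case "$1" in *"Block all DISABLED"*)    blockall=off ;; esac
    case "$1" in *"Stealth mode enabled"*)  stealth=on ;; esac
    case "$1" in *"Stealth mode disabled"*) stealth=off ;; esac
    printf '%s %s %s\n' "$fw" "$blockall" "$stealth"
}

# evaluate_compliance MODE INCOMING STEALTH FW BLOCKALL STEALTHSTATE
#   MODE     old = always check Stealth Mode when the policy requires it
#            new = skip the stealth check when Incoming connections is Block,
#                  since on macOS 15 blocking incoming connections includes stealth
#   INCOMING policy value: block | notconfigured
#   STEALTH  policy value: required | notconfigured
#   remaining args: the three device words from parse_fw_output
# Prints compliant or non-compliant.
evaluate_compliance() {
    mode=$1; p_incoming=$2; p_stealth=$3; d_fw=$4; d_blockall=$5; d_stealth=$6
    # Blocking incoming connections needs the firewall on and block-all on.
    if [ "$p_incoming" = block ] && { [ "$d_fw" != on ] || [ "$d_blockall" != on ]; }; then
        echo non-compliant; return 0
    fi
    if [ "$p_stealth" = required ]; then
        if [ "$mode" = new ] && [ "$p_incoming" = block ]; then
            : # announced behaviour: Block already covers stealth, nothing to check
        elif [ "$d_stealth" != on ]; then
            echo non-compliant; return 0   # off or unreadable both fail
        fi
    fi
    echo compliant
}

# Demonstration: the policy shapes the post discusses against the collected
# state ($state is left unquoted on purpose so it splits into three words).
state=$(parse_fw_output "$(collect_fw_output)")
echo "device state (firewall blockall stealth): $state"
echo "old check, Incoming=Block, Stealth=required:       $(evaluate_compliance old block required $state)"
echo "new check, Incoming=Block, Stealth=required:       $(evaluate_compliance new block required $state)"
echo "old check, Incoming=Block, Stealth=Not configured: $(evaluate_compliance old block notconfigured $state)"
```

Run on a Mac, `collect_fw_output` needs to be able to execute `socketfilterfw` (some of its queries require root); anywhere else the script evaluates the constructed sample, where the old check reports non-compliant and both the announced check and the workaround (Stealth Mode set to Not configured) report compliant.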


We’ll continue to update this post as new information becomes available. If you have questions or comments for the Intune team, reply to this post or reach out on X @IntuneSuppTeam.

Updated Sep 24, 2024
Version 3.0
  • mazisto (Copper Contributor)

    Hi Intune_Support_Team,

    We have made the changes as proposed and even though device compliance is now compliant, we still face connection issues. Our compliance policy still has firewall on and incoming connections as block. Does it mean that in order for this to work entirely we need to set incoming connections to not configured in the policy and disable the configurations in the settings catalog?

  • Hello benjamin_flamm - thank you for your reply. We ran troubleshooting with Microsoft support engineers and unfortunately we still could not find the reason behind it. Additionally, we did not make any changes recently. The default compliance policy is applied once the device gets enrolled.

  • Hi adm_arman_shaharia - what setting is causing non-compliance? If it's stealth mode, then you should be able to set it to Not configured as long as Incoming connections is set to Block.

  • Hello Intune_Support_Team,

    In our organisation:

    • Most of the devices still have not upgraded to macOS 15, and stealth mode is not "on" as we surf through our own VPN tunnel
    • Default compliance policy assigned for the devices
    • Managed profile (from System Settings) shows "unverified"
    • Removing and re-adding the profile (by disabling and enabling System Integrity Protection) turned a few devices into "compliant" status, but the state shows "Error 65001 (Not applicable)"
    • Still, every day the number of non-compliant devices is increasing.

    Could you please shed some light on it?

    Thank you very much.

    Best,
    Arman

  • TeddyC730 - Updated the post to reflect that when Incoming connections is set to Block, Stealth Mode is no longer needed. This is because stealth mode is a subset of the incoming connections setting. We're working on a change to only look at the result of incoming connections if it's enabled. In the meantime, you can work around this issue by setting Stealth Mode to Not configured.

  • TeddyC730 (Copper Contributor)

    Has there been a patch released yet for Stealth Mode to be enabled? Also wondering if the client block list configurations have been known to be affected as a result of this issue?