Welcome! In this article, we aim to provide guidance on enrolling MacBooks using the various types of macOS enrolment methods in Microsoft Intune. We will explore the enrolment process for personal and company-owned devices in detail, and outline the necessary steps for each enrolment method.
In our recent blog post, we provided valuable information on the Best way to Add Mac Devices to Apple Business Manager ABM or ASM and to Intune. We gave a brief overview of how Apple’s device management solutions have evolved over the years and their role in MDM. Additionally, we provided step-by-step instructions for manually adding Mac devices to ABM.
Also, as we discussed in our earlier posts, Microsoft Intune supports six platforms: Windows, iPadOS/iOS, macOS, Android, ChromeOS, and Linux. Let’s review each enrolment step Microsoft provides to set up macOS enrolment for company-owned and BYOD (Bring Your Own Device) devices.
Both company-owned (corporate) and BYOD (personal) devices can be managed in Microsoft Intune. However, a few prerequisites need to be met before setting up the device enrolment process, as discussed below.
- Get Intune Environment Ready for iOS / Mac Devices Microsoft Endpoint Manager
- Microsoft Intune Vs Jamf macOS Device Management Enhancements
Steps to Enable MacOS Enrolment in Microsoft Intune
Before enrolling MacBooks in Intune, it is essential to complete the preliminary checks listed below.

| No. | Enable enrolment in Intune | Description |
|---|---|---|
| 1 | Verify that devices are eligible for Apple device enrolment | Eligible: macOS v10.9 or later |
| 2 | Configure domains | Make sure the organisation’s domain is configured in Intune |
| 3 | Set the MDM authority | Choose the MDM authority, e.g., Intune standalone or co-management (e.g., Jamf + Intune) |
| 4 | Get an Apple MDM push certificate | Download and configure the trust-relationship certificate from the Apple Push Certificates Portal |
| 5 | Assign user licenses in the Microsoft 365 admin center | Make sure the required licenses to use Intune are assigned |
| 6 | Create groups | Create security and M365 groups to manage licenses and access |
| 7 | Configure the Company Portal app | Configure the Company Portal app as per the organization’s standards |
Types of MacOS Enrolment Methods
Once the preliminary checks are done, let us look at which enrolment methods are available for macOS devices in Intune; the set of methods differs between OS types. IT Admins also need to be aware that each enrolment method is designed for a different use and purpose of devices in the organization, and should choose accordingly before pushing enrollment profiles to the devices.
- Company-Owned (Corporate)
  - Apple Automated Device Enrolment (ADE)
  - Device Enrolment Manager (DEM)
  - Direct Enrolment
- User-Owned (BYOD)
Company-Owned MacOS Device Enrolment
As discussed above, the company-owned macOS enrolment method is intended for devices owned by the organization, which are enrolled in bulk and used only for organizational work. This enrollment category is further divided into three sub-categories:
- Apple Automated Device Enrolment (ADE): automates the enrolment experience of company-purchased macOS devices through Apple Business Manager or Apple School Manager.
- Device Enrolment Manager (DEM): intended particularly for large-scale deployments; IT Admins with device enrolment manager permissions can enroll up to 1,000 devices with a single Azure AD account.
- Direct Enrolment: enrolls devices without end-user intervention. This method requires physical access to the Mac being enrolled.
User-Owned MacOS Device Enrolment
The other enrollment category is the user-owned macOS enrolment method, which supports bring-your-own-device (BYOD) scenarios where employees enroll their personal MacBooks and get limited access to organisational resources (e.g., M365 apps).
Now that the use and purpose of each macOS enrolment sub-category in Intune is clear, let us dive into the detailed step-by-step process of configuring each enrollment method in the Intune portal.
Automated Device Enrolment (ADE)
In this method, IT Admins don’t need to configure the devices before assigning them to end users. However, the details of the newly purchased device need to be added to ABM (Apple Business Manager) or ASM (Apple School Manager), either by the authorized Apple seller or manually by IT Admins.
Once the device is added, Intune syncs with Apple to obtain the device information from the enrollment program account and deploys the preconfigured enrolment profile to the Mac over the air. Setup Assistant and device enrollment begin when the Mac is turned on.
Let’s discuss the prerequisites. Before creating an ADE enrolment profile or adding new devices, Admins must verify the following:
- Access to Apple School Manager or Apple Business Manager
- List of device serial numbers purchased through Apple authorized seller.
- MDM authority set to Microsoft Intune
- Apple MDM Push certificate (configured in Intune)
Once the devices are added successfully, the next task is creating the certificate and enrollment program token in the Intune portal. Follow the steps below.
Step 1. Download the Intune Public Key Certificate
The public key certificate is needed to request a trust-relationship certificate from Apple Business Manager / Apple School Manager.
In the Microsoft Intune admin center (https://intune.microsoft.com), go to Devices > macOS > macOS enrollment > Enrollment program tokens.
Click Add to create an enrollment program token, select I agree to grant permission to Microsoft to send user and device information to Apple, and then select Download your public key to save the key on the device.
Step 2. Add MDM server and download server token
Add the MDM server for Intune to Apple Business Manager or Apple School Manager, and download the server token.
In the Microsoft Intune admin center (https://intune.microsoft.com), select one of the portal links shown:
- Create a token via Apple Business Manager or Apple School Manager
Note! The same Apple ID will be used to renew and manage the token.
Sign in to the ABM/ASM portal with the organization’s Apple ID.
- In the ABM/ASM portal, go to the account profile > Preferences
- Select the option to add an MDM server
- Go to MDM server assignments
- Name the MDM server
- Upload the downloaded public key file. (e.g., XXX.cer)
- Download the server token (.p7m file)
The name is for identification purposes only while in Apple Business Manager and doesn’t have to be the actual name or URL of the Microsoft Intune server.
Step 3. Assign Devices to the MDM server
After the MDM server creation in Apple Business Manager, authorized Apple sellers can start to assign devices. We can use available features like filters and bulk assignments to simplify assignment selection.
Small organizations that do not buy in bulk from authorized sellers can also add devices to ABM or ASM manually. For the steps, follow the article: The best way to Add Mac Devices to Apple Business Manager ABM or ASM and to Intune.
Step 4. Save Apple ID
Open the Microsoft Intune admin center and enter the Apple ID used to download the server token.
Step 5. Upload server token
Create an Apple Enrollment Profile
The profile defines the enrollment experience for the organization’s Mac devices and enforces enrollment policies and settings on enrolling devices. The profile is deployed to assigned devices over the air. At the end of this procedure, assign this profile to Azure AD device groups. Please follow the below steps to create a profile.
In the Microsoft Intune admin center, go to Devices > macOS enrollment > Enrollment program tokens and select the previously created enrollment program token. To create a profile, go to the Profiles blade and click Create profile > macOS.
Under Basics, enter a name and description for the profile. These will not be visible to device users.
- On the Management Settings page, configure User Affinity. User affinity determines whether devices enroll with or without an assigned user.
  - Enroll without User Affinity: Select this option if the devices will be used by multiple users as shared resources and don’t need to access local user data. The Company Portal app doesn’t work on these types of devices.
  - Enroll with User Affinity: Select this option if the device is assigned to a specific user. The Company Portal app must be installed so that business apps can be installed. We can implement multifactor authentication (MFA) for enhanced security; users must then authenticate themselves before enrollment to confirm their identity.
- Under Authentication method, choose:
  - Setup Assistant with modern authentication: This method requires users to complete all Setup Assistant screens and sign in to the Company Portal app with their Azure AD credentials before accessing resources.
  - After the user signs in to Company Portal, the device registers with Azure AD and is added to the user’s device record in Azure AD. It can then be evaluated for device compliance and gain access to resources protected by Conditional Access.
  - If the user doesn’t sign in to the Company Portal to complete registration, they’ll be redirected to the Company Portal app each time they try to open any managed app protected by Conditional Access.
Note! Devices running macOS 10.15 and later can use Setup Assistant with modern authentication. Older macOS devices can be set up using the legacy Setup Assistant method.
Under Management Options, setting Locked Enrollment to Yes prevents users from unenrolling their devices from Intune. After the device enrolls, the user cannot change this setting without wiping the device.
On the Setup Assistant page, configure the Setup Assistant experience. Enter department information so that users have a support contact if they run into issues while enrolling the device.
- Department Name: Provide the IT Support Department name as per Organisation Structure.
- Department Phone: Provide the IT support phone number so that the user can reach out during activation if enrolment fails.
IT Admins can also show or hide individual Setup Assistant screens, according to organization standards. If an Admin hides a screen, the user can change that setting later in the device’s settings.
Note! We have hidden Diagnostics Data, iCloud Diagnostics, iCloud Storage, and Auto Unlock with Apple Watch as per HTMD standards.
Once all the settings have been reviewed, click on Create to finish creating the profile.
After completing the necessary configurations in Intune and the ABM/ASM portal, the new device is assigned in the ABM portal, either by authorized Apple sellers or manually by admins in the organization. The enrollment profile is then pushed automatically to the Mac during setup. Only the Setup Assistant screens left visible in the profile are presented to the end user.
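A practical way to confirm which of the paths above a Mac actually took is the built-in `profiles status -type enrollment` command. The shell snippet below is an added example, not code from the article or from Microsoft’s tooling: it classifies that command’s output as ADE, manual MDM, unapproved MDM or none, using constructed sample outputs, and assumes the output lines look like "Enrolled via DEP: Yes" and "MDM enrollment: Yes (User Approved)" as recent macOS versions print them.

```shell
#!/bin/sh
# Added example: classify a Mac's MDM enrollment from `profiles status -type enrollment`.
# Assumption: output lines look like "Enrolled via DEP: Yes" and
# "MDM enrollment: Yes (User Approved)", as recent macOS versions print them.

# classify_enrollment: reads the status text on stdin and prints one of
#   ade        - enrolled through ABM/ASM (the company-owned ADE path)
#   manual     - MDM enrolled without ADE (Company Portal, DEM or direct), user approved
#   unapproved - MDM profile present but not user approved (many payloads will not apply)
#   none       - no MDM enrollment at all
classify_enrollment() {
  dep=no
  mdm=no
  approved=no
  while IFS= read -r line; do
    case "$line" in
      "Enrolled via DEP: Yes"*) dep=yes ;;
      "MDM enrollment: Yes"*)
        mdm=yes
        case "$line" in *"User Approved"*) approved=yes ;; esac
        ;;
    esac
  done
  if [ "$mdm" = no ]; then
    echo none
  elif [ "$approved" = no ]; then
    echo unapproved
  elif [ "$dep" = yes ]; then
    echo ade
  else
    echo manual
  fi
}

# Constructed sample outputs for three Macs, so the check runs offline.
SAMPLE_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# On a real Mac use:  profiles status -type enrollment | classify_enrollment
printf '%s\n' "$SAMPLE_ADE"    | classify_enrollment   # ade
printf '%s\n' "$SAMPLE_MANUAL" | classify_enrollment   # manual
printf '%s\n' "$SAMPLE_NONE"   | classify_enrollment   # none
```

Macs reported as manual or unapproved deserve a second look, because the Locked Enrollment setting of an ADE profile only applies to Macs that went through the ABM/ASM path.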
Device Enrollment Manager (DEM)
A device enrollment manager (DEM) can help enroll and prepare a large number of devices for distribution. DEMs are non-admin users who can enroll and manage up to 1,000 devices, compared to 15 devices for standard user accounts.
To create a DEM account, Admins need an Intune license and an Azure AD user. Global and Intune Service Administrators can manage DEMs in the Intune admin center. Let us go through the limitations, specifications, and permissions.
Supported Enrollment Methods
For macOS, a device enrollment manager can use only one method to enroll devices in Intune: DEM-initiated enrollment via the Company Portal. For Windows devices, however, the DEM user account can perform three types of enrollment, as shown below.
- Bulk enrollment using a provisioning package
- DEM-initiated via Company Portal enrollment
- DEM-initiated via Azure AD-join
A DEM user account needs at least one of the permissions below to perform any activities.
- Global Administrator
- Intune Service Administrator role in Azure AD
Note! Users assigned these roles can also view, add, or remove other DEM users in the Intune portal.
As the device enrollment manager (DEM) user cannot use all features in Intune, let us review the limitations of the account.
- As there is no user associated with a DEM-enrolled device, apps cannot be deployed as Available.
- DEM is not compatible with Apple Automated Device Enrollment (ADE).
- DEM-enrolled devices can install VPP apps if the organisation has Apple VPP device licenses. Apps purchased through Apple VPP with user licenses cannot be used, because user licensing requires a per-user Apple ID for app management.
- A single DEM account can enroll a maximum of 1,000 devices.
- Device-level certificates must be used to manage Wi-Fi and email connections.
- Up to 150 DEM accounts can be created in the Intune portal.
- User-based VPN profiles do not work with DEM-enrolled devices.
Steps to Add a Device Enrollment Manager
Having covered the limitations, account permissions, and supported enrolment methods, let us follow the steps below to create a DEM account.
- In the Microsoft Intune admin center, select Devices > Enroll Devices.
- Select Device enrollment managers > Add.
- In the User name field, enter the user principal name of the user.
- Select Add to add to the list of DEM users.
For reference, we have tried creating a DEM account in HTMD, with which up to 1000 new devices can be enrolled by the Admin.
Once the user has access, they need to follow the steps below to add a new device to Intune.
- Be sure the Apple MDM push certificate is added to Intune and is active. This certificate will be required to enroll macOS devices.
- To configure the Mac using Intune, install the Company Portal app from the Microsoft portal, sign in with the DEM account, and then proceed with the enrollment.
Direct Enrolment
If we want to enroll devices that are not linked to a specific user (for example, devices used by the service desk or as kiosks), direct enrollment can be the ideal method. However, keep in mind that this method requires Admins to access the device physically to set it up and enroll it into the organization.
In our previous posts, we have discussed direct enrollment in detail, including each step needed to push the enrollment profile to Mac devices. For more details, check out our post: How to Use Direct Enrollment for macOS Using Intune
- Should you upgrade to Mac OS Ventura v13 managed using Intune
- MAC Device Management with SCCM Vs Intune
User-Owned (BYOD) Enrolment
Intune also supports bring-your-own-device (BYOD), which lets users enroll their personal Mac devices. To finish setting up enrollment for BYOD scenarios, the user needs to follow a few steps. For more details, check out this blog: Enroll macOS in Intune with Step-by-Step Guide.
In that article, we discuss in detail how to enroll macOS in Intune, reviewing each part of the process step by step. It covers both the Intune portal steps (as Admin) and the client device steps (as User) needed to enroll the device without issues.
Block MacOS Enrolment
Since we are discussing macOS enrollment types, note that IT Admins can also block enrollment or restrict the device enrollment count and a few other settings in the Intune portal, as per organization standards. For more details, check out the article: How to Block macOS Enrollment in Intune
In this article, we have discussed in detail the types of enrolment available on the Intune MDM platform. Based on the organization’s requirements and standards, and keeping device usage in mind, Admins can choose the enrollment method and enroll the devices accordingly. Also, Intune now supports virtual macOS machines for testing purposes only.
Snehasis Pani is currently working as a Mac Administrator. He loves to help the community by sharing his knowledge on Apple Mac Devices Support. He is an M.Tech graduate in System Engineering.