Getting Started with Mac Management in Microsoft Intune

I have already described in one of my first blogs how you can set up an Endpoint Manager development environment and enroll Windows devices via Autopilot and manage them. Apart from Windows, you can also manage iOS, Android and MacOS very well with Intune. Apple offers a good interface (MDM Protocol) to manage MacOS devices, unfortunately not all options are supported with Intune. Also in the WWDC22 there was some great new features introduces.

MacOS support was added to Intune back in 2015. At that time, the management of Mac devices was still very limited – something that has changed in the meantime. The number of companies using Mac devices is growing more and more, as is the general market share of macOS compared to Windows. This was around 3% in 2009 and has risen to 15% today (2022). Of course, Windows is still in front, but a trend can be seen.

There is a lot of worthy blog that deals with the topic MacOS management and Intune:

Just to name a few. Of course there are some great other blogs.

In this blog I want to give you a step by step guide on how to enroll a macOS device in Intune. There will be more blogs in the future with the topic of managing macOS with Intune.

Prepare Intune for Mac Enrollment

Configure MDM Push Certificate

  • Open the MEM Portal
  • Navigate to Devices -> Enroll devices
  • Navigate to Apple enrollment.
  • Click on Apple MDM Push certificate.
  • Activate I Agree (I grant Microsoft permission to send both user and device information to Apple).
  • Download your CSR to request an Apple MDM push certificate.
  • Click Create a Certificate
  • Accept the terms and conditions
  • Upload the previous downloaded CSR
  • Click Upload
  • Download the Certificate (Note: Make sure that this certificate does not get into the wrong hands)
  • Go back to Intune and enter your Apple UserID / Email you used to create the certificate
  • Upload the Certificate
  • Click Upload

Check the enrollment restrictions

That a Mac enrollment is possible, the enrollment restrictions must be configured correctly.
Navigate to the menu Enrollment device platform restrictin and select MacOS restriction.

  • Check if MacOS is set to Allow if not change this. If you have multiple restrictions then check the one with the highest priority and assigned to a group the mac users are in.

Enroll a device into Intune

Automated Device Enrollment with user affinity

The best experience for the user is to enroll the device via Automated Device Enrollment with user affinity. Here you can configure which screens an end-user see and configure like Touch ID, Terms and condition,…
You can also configure to require AAD auth with multifactor during out-of-box experience during automatic enrollment. How you can configure this is explained very well in the Microsoft Docs. This enrollment is really similar with the Windows Autopilot enrollment.

The prerequisites for setting up the required enrollment program token is to have an organizationally managed account (Managed Apple ID). The enrollment can be requested here. Another prerequisites is to have devices purchased in Apple School Manager or Apple’s Automated Device Enrollment.

User-approved enrollment

Unfortunately, it is not always possible to buy devices with an assignment to an organization. But there is another way to unroll Mac devices. This possibility is called user-approved enrollment. This is the method we will take a closer look at.

  • The first step what you has to do is to download the Company Portal from the following link on your Mac device.
  • When the download is done install the company port.
  • After the installation the Updater will check if there is an update available. If this is the case install the update.
  • Open the Company Portal
  • Click Sign in
  • Click +
  • Enter the UPN of your account and click Next
  • Enter the password and click Sign in
  • Click Begin
  • Click Continue
  • Click Download profile and wait until the download is completed
  • Open the settings and navigate to Profiles
  • Click Install..
  • Click Install
  • Ender your password and click Enroll
  • Wait until the state is Verified
  • Switch back to the Company Poral
  • Wait until the Installation process is done
  • Click Done
  • The installation Process is finish

The user-approved enrollment process requires several manual steps. However, these are basically quite simple and should be doable by any end user. As mentioned above, the experience is much better when the enrollment is performed as automated device enrollment with user affinity. Here you also have the possibility to install the Company Portal via script directly. How you can configure the automated device enrollment and how the whole thing looks is explained very well in the blog of Hubert Maslowski.

So now let’s see if we can find the device in Intune as well.

  • Switch back to the MEM Portal
  • Navigate to Devices -> macOS
  • Here it is!

Conclusion

It’s actually quite easy to enroll a Mac device into Intune. Now we have the first device enrolled in Intune. But this one has neither Configuration Profiles nor Applications assigned. We will take a look at how well this works on Mac devices in a next blog.

One thought on “Getting Started with Mac Management in Microsoft Intune

  1. I was unsure if I could manage writing such a long article in the beginning. Your writing style has captivated me. Your writing is always top-quality. Great Article Neil. This article is excellent. Even though I only read it a couple of times in the past I didn’t make any comments. However, I thought that the article merited being mentioned.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s