I have already described in one of my first blogs how you can set up an Endpoint Manager development environment and enroll Windows devices via Autopilot and manage them. Apart from Windows, you can also manage iOS, Android and macOS very well with Intune. Apple offers a good interface (the MDM protocol) to manage macOS devices; unfortunately, not all of its options are supported by Intune. Also, at WWDC22 some great new features were introduced.
macOS support was added to Intune back in 2015. At that time, the management of Mac devices was still very limited – something that has changed in the meantime. The number of companies using Mac devices keeps growing, as does the general market share of macOS compared to Windows. This was around 3% in 2009 and has risen to 15% today (2022). Of course, Windows is still in front, but a trend can be seen.
There are many worthwhile blogs that deal with the topic of macOS management and Intune:
- Comprehensive guide to managing macOS with Intune by Oliver Kieselbach
- Corporate macOS Automated Device Enrollment (ADE) to MEM/Intune by Hubert Maslowski
- Microsoft Intune Vs Jamf macOS Device Management Enhancements by Anoop C Nair
Just to name a few. Of course there are other great blogs as well.
In this blog I want to give you a step by step guide on how to enroll a macOS device in Intune. There will be more blogs in the future with the topic of managing macOS with Intune.
Prepare Intune for Mac Enrollment
Configure MDM Push Certificate
- Open the MEM Portal
- Navigate to Devices -> Enroll devices
- Navigate to Apple enrollment.
- Click on Apple MDM Push certificate.
- Activate I Agree (I grant Microsoft permission to send both user and device information to Apple).
- Download your CSR to request an Apple MDM push certificate.
- Open the link for creating an MDM push Certificate in a new browser tab
- Sign in with your Apple ID
- Click Create a Certificate
- Accept the terms and conditions
- Upload the previously downloaded CSR
- Click Upload
- Download the Certificate (Note: Make sure that this certificate does not get into the wrong hands)
- Go back to Intune and enter your Apple UserID / Email you used to create the certificate
- Upload the Certificate
- Click Upload
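The certificate you just uploaded is the one piece of this setup that has a hard shelf life: Apple issues MDM push certificates for one year, and once it expires Intune can no longer reach any enrolled Apple device through APNs until it is renewed. The following added example (my own helper script, not part of the original post or of Intune) uses the openssl CLI to inspect the downloaded .pem and warn before the expiry date. It assumes you still have the certificate file on disk, e.g. as "MDM_Certificate.pem" (a placeholder name); the warning threshold of 30 days is an assumption too.

```shell
#!/bin/sh
# Added example: report the remaining validity of an Apple MDM push certificate
# (the .pem downloaded from the Apple Push Certificates Portal).
# Requires the openssl CLI (OpenSSL on Linux, LibreSSL on macOS).

# push_cert_subject CERT_FILE
# Prints the certificate subject so the topic (the "com.apple.mgmt..." UID in it)
# can be compared with the one shown in the MEM portal.
push_cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# push_cert_expiry CERT_FILE
# Prints the notAfter date of the certificate (e.g. "Jan  1 00:00:00 2025 GMT").
push_cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# push_cert_valid_for CERT_FILE DAYS
# Returns 0 if the certificate is still valid DAYS days from now, 1 otherwise.
# 'openssl x509 -checkend' does the date arithmetic itself, so the script
# behaves the same with BSD 'date' on macOS and GNU 'date' on Linux.
push_cert_valid_for() {
    cert="$1"
    days="$2"
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# push_cert_report CERT_FILE [WARN_DAYS]
# Prints OK / WARN / EXPIRED and returns 0 / 1 / 2 so it can be used in a
# monitoring job (WARN_DAYS defaults to 30, an assumed threshold).
push_cert_report() {
    cert="$1"
    warn_days="${2:-30}"
    if ! push_cert_valid_for "$cert" 0; then
        echo "EXPIRED: $cert expired on $(push_cert_expiry "$cert")"
        return 2
    fi
    if ! push_cert_valid_for "$cert" "$warn_days"; then
        echo "WARN: $cert expires within $warn_days days, on $(push_cert_expiry "$cert")"
        return 1
    fi
    echo "OK: $cert is valid until $(push_cert_expiry "$cert")"
    return 0
}

# Usage (placeholder file name):
#   push_cert_subject "MDM_Certificate.pem"
#   push_cert_report  "MDM_Certificate.pem" 30
```

Because the return code distinguishes "expiring soon" from "already expired", the same function can feed a cron job or a monitoring check; renewing the certificate in the portal before it expires keeps the existing enrollments intact, whereas letting it expire means re-enrolling devices.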
Check the enrollment restrictions
For Mac enrollment to be possible, the enrollment restrictions must be configured correctly.
Navigate to the menu Enrollment device platform restrictions and select macOS restrictions.
- Check if macOS is set to Allow; if not, change this. If you have multiple restrictions, check the one with the highest priority that is assigned to a group the Mac users are in.
Enroll a device into Intune
Automated Device Enrollment with user affinity
The best experience for the user is to enroll the device via Automated Device Enrollment with user affinity. Here you can configure which screens an end user sees and configures, such as Touch ID, terms and conditions, …
You can also configure it to require AAD authentication with multifactor during the out-of-box experience during automatic enrollment. How you can configure this is explained very well in the Microsoft Docs. This enrollment is really similar to the Windows Autopilot enrollment.
The prerequisite for setting up the required enrollment program token is to have an organizationally managed account (Managed Apple ID). The enrollment can be requested here. Another prerequisite is to have devices purchased in Apple School Manager or Apple’s Automated Device Enrollment.
Unfortunately, it is not always possible to buy devices with an assignment to an organization. But there is another way to enroll Mac devices. This option is called user-approved enrollment. This is the method we will take a closer look at.
- The first step is to download the Company Portal from the following link on your Mac device.
- When the download is done, install the Company Portal.
- After the installation the Updater will check if there is an update available. If this is the case install the update.
- Open the Company Portal
- Click Sign in
- Click +
- Enter the UPN of your account and click Next
- Enter the password and click Sign in
- Click Begin
- Click Continue
- Click Download profile and wait until the download is completed
- Open the settings and navigate to Profiles
- Click Install..
- Click Install
- Enter your password and click Enroll
- Wait until the state is Verified
- Switch back to the Company Portal
- Wait until the Installation process is done
- Click Done
- The installation process is finished
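Before trusting the Company Portal's "Done", it is worth confirming on the Mac itself what kind of enrollment you ended up with. On macOS 10.13.4 and later, `profiles status -type enrollment` prints two lines, "Enrolled via DEP: Yes|No" and "MDM enrollment: No|Yes|Yes (User Approved)", and the distinction matters: only a user-approved (or automated) enrollment gets the full set of MDM capabilities, for example kernel extension and PPPC payloads, so a device that is merely "Yes" without "(User Approved)" looks managed in the portal but will silently ignore part of what you assign later. The following script is an added example (my own helper, not part of the original post or of Intune); it assumes the output format above and that you run it with sudo for the complete picture.

```shell
#!/bin/sh
# Added example: verify that a Mac finished enrollment as a user-approved
# (or automated) MDM enrollment, based on 'profiles status -type enrollment'.
# Assumed output of that command on macOS 10.13.4+ (two lines):
#   Enrolled via DEP: Yes|No
#   MDM enrollment: No | Yes | Yes (User Approved)

# classify_enrollment STATUS_TEXT
# Maps the text printed by 'profiles status -type enrollment' to one word:
#   not-enrolled   no MDM profile installed
#   enrolled       MDM profile present but not user approved (reduced capabilities)
#   user-approved  the result of the manual steps in this blog
#   ade            Automated Device Enrollment (user approved by definition)
classify_enrollment() {
    status="$1"
    dep=$(printf '%s\n' "$status" | sed -n 's/^Enrolled via DEP: *//p')
    mdm=$(printf '%s\n' "$status" | sed -n 's/^MDM enrollment: *//p')
    case "$mdm" in
        No|"")
            echo "not-enrolled" ;;
        *"User Approved"*)
            if [ "$dep" = "Yes" ]; then echo "ade"; else echo "user-approved"; fi ;;
        Yes*)
            echo "enrolled" ;;
        *)
            echo "unknown" ;;
    esac
}

# check_mac_enrollment
# Runs the real command on the Mac (use sudo for the complete picture) and
# returns 0 only for a user-approved or automated enrollment, so it can gate
# a follow-up script that depends on full MDM capabilities.
check_mac_enrollment() {
    out=$(profiles status -type enrollment 2>/dev/null) || return 2
    kind=$(classify_enrollment "$out")
    echo "Enrollment: $kind"
    case "$kind" in
        user-approved|ade) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on the enrolled Mac:
#   sudo sh enrollment-check.sh && echo "full MDM capabilities available"
# (the file name is a placeholder; call check_mac_enrollment from it)
```

Keeping the parsing in `classify_enrollment` separate from the command that produces the text lets you test the logic anywhere with constructed sample output, while `check_mac_enrollment` is the part you actually run on the device.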
The user-approved enrollment process requires several manual steps. However, these are basically quite simple and should be doable by any end user. As mentioned above, the experience is much better when the enrollment is performed as automated device enrollment with user affinity. Here you also have the possibility to install the Company Portal via script directly. How you can configure the automated device enrollment and how the whole thing looks is explained very well in the blog of Hubert Maslowski.
So now let’s see if we can find the device in Intune as well.
- Switch back to the MEM Portal
- Navigate to Devices -> macOS
- Here it is!
It’s actually quite easy to enroll a Mac device into Intune. Now we have the first device enrolled in Intune. But this one has neither configuration profiles nor applications assigned. We will take a look at how well this works on Mac devices in a future blog.