Microsoft Intune - macOS device registration

macOS Device Enrollment - registering macOS devices in Intune

• What is device enrollment in Intune?
• Set up enrollment for macOS devices in Intune
• Deployment guide: Enroll macOS devices in Microsoft Intune

Devices with the macOS operating system, owned by the organization and personal devices, can be enrolled in Intune and then managed. Either the Company Portal app or the Apple Setup Assistant, which authenticates the user and initiates the registration, is used.

Note: Setup Assistant is an app that automatically runs after a new macOS installation or when a new (or wiped) Mac is turned on. It walks the user through the basic device setup.

Note: Apple Configurator is an app that configures Apple devices. Intro to Apple Configurator

Enrollment methods for Intune

Methods that the user can trigger (the device will be marked as personally-owned):

• Bring-your-own-device (BYOD) - the user can use the Company Portal website or app, which will result in registration in Azure AD and automatically also in Intune

Methods used by the administrator (the device will be marked as company-owned):

• Apple Automated Device Enrollment (ADE) - for devices purchased through Apple Business Manager, automatic device registration is done remotely (over-the-air), using the Setup Assistant
• Direct Enrollment (DE) - we create an Apple Configurator profile, export it (.mobileconfig) and install it on the macOS device, this method does not assign the device to a user, so you can't use Company Portal, etc. (it's a kiosk-type device), uses Apple Configurator
• Device Enrollment Manager (DEM) - a special account that has permission to register and manage multiple (1000) corporate devices, uses the Company Portal app, this method does not assign the device to a user, Add device enrollment managers

Certificate from Microsoft Intune MDM Device CA

When the computer registers in Intune, it is issued a certificate, similar to when registering in Azure AD. The name of the certificate is Intune Device ID (which is different from the Azure AD Device ID) and is issued by the authority Microsoft Intune MDM Device CA, the root authority is Microsoft Intune Root Certification Authority. The validity is (approximately) 1 year and we can find it in the System Keychain.

Apple MDM Push Certificate

• Get an Apple MDM push certificate

The first step for registering macOS devices (and also iOS and iPad) is to obtain an Apple MDM push certificate. This is needed for managing macOS and iOS/iPadOS devices in Intune. It is recommended to use a general corporate account (not a user account) to obtain the certificate.

Note: The certificate must be renewed every year.

There are a few ways to configure the certificate in Intune:

• Microsoft Endpoint Manager admin center- Devices - macOS - macOS enrollment - Apple MDM Push Certificate
• Microsoft Endpoint Manager admin center- Devices - Enroll devices - Apple enrollment - Apple MDM Push Certificate

The procedure is described in the documentation, and the individual steps are on the configuration page. Briefly, it involves downloading the request (CSR), which we use to obtain the certificate from Apple Create your MDM push Certificate. We need to sign in with our corporate Apple ID, and it is linked to the issued certificate.

Certificate renewal (Renew)

We need to renew the certificate every year. The procedure is similar to the initial setup, and the configuration page guides us through it. Renew Apple MDM push certificate. We download the request (CSR). We sign in to Apple with the account that issued the original certificate. We find the old certificate and click Renew, upload the CSR, and issue the certificate. We then upload it to Intune.

Enrollment using the Company Portal - company portal

• Enroll your macOS device using the Company Portal app

We need to install the Company Portal app, which we can download through the web Company Portal or directly aka.ms/EnrollMyMac.

• run the Company Portal app
• sign in with the Azure AD account - Sign in
• the access setup wizard is offered, start it with the Begin button (the Postpone button will launch the Company Portal app without device registration)
• privacy information is displayed (what the company can and cannot see), continue with Continue

• the device is registered in Azure AD

• we install the Management Profile - click Download profile

• it opens in System Settings - Privacy & Security - Profiles (a notification is also displayed)
• we open the downloaded profile and install it with Install

• the profile installation performs the device registration in MDM (we confirm with a password), we can open it and view the device's permissions information
• we return to the wizard in the Company Portal and finish - Done

Automated Device Enrollment (ADE) - automatic enrollment with Apple Business Manager

• Automatically enroll Macs with Apple Business Manager or Apple School Manager

Automatic enrollment in Intune works for new or wiped macOS devices purchased through the Apple enrollment program (such as Apple Business Manager or Apple School Manager). We can send the new device directly to the employee. When the computer is turned on, the setup assistant (Setup Assistant) starts and performs the device registration in Intune. A pre-configured enrollment profile is used.

During the use of the Setup Assistant, the user must sign in with a Azure AD account (or also with an Apple ID). After completion, the Company Portal app needs to be installed and signed in. This completes the device registration in Azure AD and enables the use of Conditional Access.

Intune automatically synchronizes with Apple to obtain device information from the enrollment program account. We need to have access to the Apple Business Manager, where our devices are assigned.

Apple Business Manager

• Apple Business Manager Support

To use Automated Device Enrollment, we need to have our organization registered in the Apple Business Manager (we won't discuss other variants here). It is located at business.apple.com, which can only be accessed from supported browsers (on Windows, it's Chrome and Edge). We sign in using an (account) Apple ID that has administrator permissions (for main operations).

To have our Apple devices added to the Apple Business Manager at the time of purchase, we must purchase directly from Apple or from an Apple Authorized Reseller. When purchasing from an authorized reseller, we need to coordinate with them. We provide our Organization ID, which we can find in the profile - Preferences - Enrollment Information. We receive from them the Reseller Number, which we enter under Devices (if we don't have any filled in yet) or in the profile - Preferences - MDM Server Assignment.

Note: The authorized reseller can also add devices later (i.e., devices purchased before starting to use MDM).

Enrollment Program Tokens

• Automatically enroll Macs with Apple Business Manager or Apple School Manager

The first step is to link Intune and the Apple Business Manager. We use a certificate and an Apple Server Token to do this.

Note: The Token must be renewed every year.

• Microsoft Endpoint Manager admin center - Devices - macOS - macOS enrollment - Enrollment program tokens
• click Add
• check the I agree box
• download the certificate Download your public key

• in a supported browser, open the Apple Business Manager (we can use the link in the wizard)
• sign in with the corporate Apple ID that our company will use for renewing and managing the token
• click on our profile at the bottom left - Preferences
• Your MDM Servers - Add
• name it, for example Intune MDM Server, and upload the Intune public key, save Save
• download the Server Token - Download Token
• click on Default Device Assignment and set the device assignment to the Intune MDM

• return to the Microsoft Endpoint Manager admin center
• enter the Apple ID under which we downloaded the token
• upload the downloaded Apple server token
• click Next and Create

Token renewal (Renew)

We need to renew the token every year. The procedure contains some of the same steps as the initial setup. Renew enrollment program token. From the Apple Business Manager, we download the new Server Token - Download Token (we'll get a warning that the new token will reset the existing one, so we need to upload it to the MDM). In Intune, we open our token (it has an Expiring status) and click Renew token. We upload the new token and complete the wizard.

Apple Enrollment Profile

We then create an Apple enrollment profile, which defines the environment during registration (including the screens used in the Setup Assistant) and applies policies and settings to the registered device.

• Microsoft Endpoint Manager admin center- Devices - macOS - macOS enrollment - Enrollment program tokens
• select the Token - Profiles - Create profile - macOS
• enter the name (Company macOS profile)
• Enroll with User Affinity - register with user assignment
• Setup Assistant with modern authentication - (supported on macOS 10.15 and newer) for sign-in and Azure AD account registration, modern authentication is used (MFA is supported), the user must complete all Setup Assistant screens and sign in to the Company Portal app
• Locked enrollment - prevents users from unenrolling the device from Intune, if enabled, it cannot be changed without wiping the device
• Department Name, Department Phone - department name and phone number that users can use to get support
• Setup Assistant screens - we determine which Setup Assistant screens will be displayed during installation

Viewing synchronized devices

Under the created connection with the Apple Business Manager>, which we see in Intune as a Token, we can view the devices that have been transferred from Apple. We can also trigger synchronization.

• Microsoft Endpoint Manager admin center- Devices - macOS - macOS enrollment - Enrollment program tokens
• select the Token - Devices

Automatic registration from the user's perspective

• Enroll your organization-provided macOS device in management

If we have a macOS device that has been transferred from Apple to Intune, it has an assigned profile. We can then perform the initial setup, which will result in registration in Intune. This can be a newly purchased device or an older one where we have performed a reset/wipe (Erase All Content and Settings).

Note: The individual steps may vary depending on various circumstances. The Setup Assistant screens that are displayed are determined in the enrollment profile configuration.

• turn on the device, the Setup Assistant will start
• choose the language (Language)
• choose the country or region (Country or Region)
• information about language and keyboard setup (Written and Spoken Languages) is displayed
• we can configure accessibility properties (Accessibility)
• connect to the Wi-Fi network (Select Your Wi-Fi Network)
• the Remote Management screen follows, with information that our company can automatically configure the device
• when continuing, a window for signing in with an Azure AD account is displayed, after successful completion we will already see the device (with the default name) in Intune

• additional steps may be Data & Privacy, Migration Assistant, Sign In with Your Apple ID, Terms and Conditions, Create a Computer Account, Enable Location Services, Select Your Time Zone, Analytics, Screen Time, Siri, Touch ID, Choose Your Look
• the operating system will start, we can rename the computer
• now we need to launch the Company Portal (if we don't automatically install it from Intune, first install it) and sign in with the Azure AD account
• we'll get the information that the device is not registered (maybe under certain conditions it will happen automatically), click Register and the device registration in Azure AD will take place

Triggering registration on an in-use device

Existing computers that are already set up and in use can also be registered in Intune using ADE. They must be imported into the Apple Business Manager and we manually trigger the registration under the administrator account:

sudo profiles renew -type enrollment

We must enter the system administrator password. A Device Enrollment notification will appear, stating that the specified company can automatically configure your Mac. Through the notification, we get to the Privacy & Security - Profiles settings, where we allow the company to manage the device. We must enter the system administrator password again. Then the Azure AD account sign-in page opens. After successful sign-in, the enrollment profile is installed and the device is registered in Intune. To register in Azure AD, we need to run the Company Portal and trigger the registration (Register).

Problem with sign-in on the Remote Management screen

In the enrollment profile, we set whether to use modern authentication (Modern Authentication) or legacy (Legacy). Accordingly, in the Setup Assistant at the Remote Management step, either a window with the modern Microsoft sign-in or just a form for the name and password will be displayed. For example, if we require the use of MFA, we must use modern authentication.

During tests, I accidentally switched the authentication to Legacy. The account didn't have MFA set at all, but after entering the password, the sign-in dialog was repeatedly displayed. No error was written. In Intune under Monitor - Enrollment failures, only Unknown Error and the Apple Bulk User enrollment method were logged. After switching to modern authentication, everything started working.

I also tried another problem where the test user had the Intune license removed from their license plan. After signing in with the Azure AD account, a general Something went wrong error was displayed. The enrollment errors only had Unknown Error again. But when this account was used in the Company Portal, the error was better, it said UserLicenseTypeInvalid.

Adding an Apple silicon computer to Apple Business Manager

• Apple Configurator User Guide

We can add some devices to the Apple Business Manager ourselves, even if they weren't purchased directly from Apple or an Apple Authorized Reseller (or the reseller didn't add them for us), and use Automated Device Enrollment. These include Macs with Apple processors (M1, M2). The procedure is described in detail in the documentation, here is just a mention.

We need an iPhone with at least iOS 15 and the Apple Configurator app installed.

• we must start the computer to boot the Setup Assistant (either a new one or perform a reset/wipe)
• we select the language and stop at the step where country or region is chosen
• we bring the iPhone with the active (and set up) Apple Configurator close to the computer
• the Add this Mac to Your Organization screen appears, where we scan the pattern
• the device is added to our account in the Apple Business Manager
• we sign in to the Apple Business Manager and assign the device to our Intune MDM Server

Viewing applied profiles - verifying that the device is connected to Intune

In the macOS system settings (System Settings), we can see if the device is managed by the organization. We see the applied management and configuration profiles (Management Profiles, Configuration Profiles). When connected to Intune, the required Management Profile will be displayed here, which we can open and see permissions, certificates, etc.

• System Settings - Privacy & Security - Profiles

Unenrollment (removal) from Intune - Unenroll macOS device

• Remove device from Company Portal for macOS app

The administrator can use the Retire action in the Microsoft Endpoint Manager admin center to unenroll the device.

The owner of the device can remove it from Intune using the Company Portal app, if removal is allowed (otherwise the option is grayed out).

• Devices - select the device
• click the menu (three dots) next to it and Remove
• confirm the removal

The computer account will still remain in Intune, and we must manually delete it (Delete) here.