MSDN Documentation

Intune macOS Enrollment

This document outlines the process and considerations for enrolling macOS devices into Microsoft Intune. Intune, part of Microsoft Endpoint Manager, provides cloud-based mobile device management (MDM) and mobile application management (MAM) for your organization's devices.

Prerequisites

  • An active Microsoft Intune subscription.
  • An Apple Business Manager (ABM) or Apple School Manager (ASM) account.
  • Devices must be running macOS 10.15.4 (Catalina) or later.
  • Internet connectivity for devices.

Enrollment Methods

There are several ways to enroll macOS devices into Intune. The recommended method for corporate-owned devices is Automated Device Enrollment (ADE) via Apple Business Manager or Apple School Manager.

1. Automated Device Enrollment (ADE)

ADE streamlines the enrollment process by allowing devices to be automatically enrolled into Intune upon initial setup. This method is ideal for devices purchased directly from Apple or authorized resellers.

  1. Configure ADE in Intune:
    • In the Microsoft Endpoint Manager admin center, navigate to Devices > macOS > macOS enrollment.
    • Select Enrollment program tokens, then click Add.
    • Follow the prompts to upload your ABM/ASM token.
  2. Assign Devices to Intune: In Apple Business Manager or Apple School Manager, assign devices to your Intune MDM server.
  3. User Experience: When a user powers on a new Mac and connects to the internet, they will be guided through the setup assistant and automatically enrolled into Intune.

2. Manual Enrollment (User Self-Enrollment)

Users can manually enroll their macOS devices by downloading and running the Intune Company Portal application.

  1. Download Company Portal: Users can download the Company Portal app from the Mac App Store.
  2. Sign In: Users launch the Company Portal app and sign in with their organizational credentials.
  3. Follow Prompts: The app will guide the user through the enrollment process, which typically involves downloading and installing a management profile.

3. Bulk Enrollment (for existing devices)

For devices already in use, you can use the Company Portal app or scripting to enroll them. This often requires user interaction.
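
To confirm which of the enrollment methods above a given Mac actually went through, the following check classifies its enrollment state. This is an added example, not part of the original documentation; it assumes the `Enrolled via DEP:` and `MDM enrollment:` lines printed by the macOS `profiles status -type enrollment` command, and the function names and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify MDM enrollment state from the text printed by
# `profiles status -type enrollment` on macOS (output format is an assumption).

# Constructed sample of that command's output on an ADE-enrolled Mac.
sample_ade_status() {
    printf '%s\n' \
        'Enrolled via DEP: Yes' \
        'MDM enrollment: Yes (User Approved)'
}

# Reads status text on stdin and prints one of:
#   ade-approved, ade-unapproved, manual-approved, manual-unapproved,
#   not-enrolled, unknown (expected lines missing, e.g. the format changed)
classify_enrollment() {
    text=$(cat)
    dep=$(printf '%s\n' "$text" | sed -n 's/^Enrolled via DEP:[[:space:]]*//p')
    mdm=$(printf '%s\n' "$text" | sed -n 's/^MDM enrollment:[[:space:]]*//p')

    # No MDM enrollment line, or an explicit "No", ends the classification.
    case "$mdm" in
        Yes*) ;;
        No*)  echo "not-enrolled"; return 0 ;;
        *)    echo "unknown"; return 0 ;;
    esac

    # "Enrolled via DEP: Yes" marks Automated Device Enrollment;
    # anything else is treated as manual (Company Portal) enrollment.
    case "$dep" in
        Yes*) path="ade" ;;
        *)    path="manual" ;;
    esac

    # Report whether the management profile is user approved.
    case "$mdm" in
        *"User Approved"*) echo "${path}-approved" ;;
        *)                 echo "${path}-unapproved" ;;
    esac
}

# On a Mac, classify the live device; elsewhere, run the constructed sample.
if [ "$(uname)" = "Darwin" ] && command -v profiles >/dev/null 2>&1; then
    profiles status -type enrollment | classify_enrollment
else
    sample_ade_status | classify_enrollment
fi
```

A `manual-*` result on a corporate-owned Mac usually means the device was not assigned to the Intune MDM server in ABM/ASM before it was set up.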

Configuration Profiles

Once enrolled, you can deploy configuration profiles to manage various aspects of macOS devices, including:

  • Wi-Fi and VPN settings
  • Email profiles
  • Security settings (passcode requirements, firewall)
  • Software updates
  • Restrictions

These profiles are created and managed within the Microsoft Endpoint Manager admin center under Devices > macOS > Configuration profiles.

App Deployment

Intune allows you to deploy applications to macOS devices in a managed way. You can deploy apps from the App Store, custom apps, or web apps.

Navigate to Apps > macOS to manage your app deployments.

Key Considerations

  • User Permissions: Ensure users have the necessary permissions to install management profiles and apps.
  • Network Requirements: Devices need access to Intune and other Microsoft cloud services.
  • macOS Version Compatibility: Always check the latest Intune documentation for supported macOS versions.
  • Token Expiration: ADE tokens have an expiration date and need to be renewed annually.

For detailed step-by-step instructions and advanced configurations, please refer to the official Microsoft Intune macOS enrollment documentation.