October 19, 2022

macOS Management with Intune - The Prologue

macOS is the operating system that powers every Mac. As per Apple, it lets you do things you can't do with other computers. That is a never-ending argument, so let's not get into it and instead get those Macs managed with Intune.

Although most of the laptops and desktops we manage day to day are PCs, there will still be a few Macs in your inventory that you want to manage. Microsoft Intune lets you bring those macOS devices under the same management workflow.

Over the coming days, we will explore the options for enrolling personal and company-owned Macs and applying industry-standard policies and restrictions. Let's get started.

Things to Consider Before Enrolling macOS in Intune

A few prerequisites must be met before any Apple device can be enrolled in Intune. I have covered them in my previous posts, but let's revisit them.

  1. Devices added to Apple Business Manager or Apple School Manager (purchased through Apple or an authorized reseller, or added manually with Apple Configurator), so that they are eligible for Automated Device Enrollment.
  2. A list of serial numbers or a purchase order number, to find and assign those devices in Apple Business Manager.
  3. Intune configured as the MDM authority.
  4. An Apple MDM Push certificate.

Once the MDM push certificate is in place, user-owned Macs can also be enrolled in Intune as BYOD devices through the Company Portal app.

Company-owned macOS devices

Intune supports the following enrollment methods for company-owned macOS devices:

  1. Automated Device Enrollment (ADE)
  2. Device Enrollment Manager (DEM)
  3. Direct Enrollment

User-approved enrollment

All Mac enrollments in Intune are considered user-approved. User-approved enrollment lets you manage Macs that are not in Apple Business Manager, and on macOS 11 and later Apple treats a user-approved MDM enrollment as supervised, so Intune gets the same level of control over such a Mac as over one enrolled through ADE. The practical differences are that the user has to sign in to the Company Portal app to start the enrollment and approve the management profile, and that without ADE there is no locked enrollment, so the user can later remove that profile.
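A quick way to verify on an enrolled Mac what the paragraph above describes is to read the output of profiles status -type enrollment, which reports whether the Mac came in through Automated Device Enrollment, whether the MDM enrollment is user-approved, and which MDM server it talks to. The Python script below is an added example, not code from the original post or from Microsoft: it parses that output and flags anything that does not look like an ADE, user-approved enrollment into Intune. The sample outputs embedded in it are constructed, and the assumption that Intune's MDM endpoints are hosts under manage.microsoft.com is mine.

```python
#!/usr/bin/env python3
"""Check a Mac's MDM enrollment state as reported by `profiles status -type enrollment`.

Added example (not from the original post). Assumptions are marked in comments.
"""
import subprocess
import sys
from urllib.parse import urlsplit

# Assumption: Intune's MDM check-in endpoints are hosts under manage.microsoft.com.
INTUNE_HOST_SUFFIX = ".manage.microsoft.com"

# Constructed sample outputs (not captured from real devices), in the format
# `profiles status -type enrollment` uses on macOS 10.13.4 and later.
SAMPLE_ADE_USER_APPROVED = """\
Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://i.manage.microsoft.com/DeviceGatewayProxy/example
"""
SAMPLE_COMPANY_PORTAL_NOT_APPROVED = """\
Enrolled via DEP: No
MDM enrollment: Yes
MDM server: https://i.manage.microsoft.com/DeviceGatewayProxy/example
"""
SAMPLE_NOT_ENROLLED = """\
Enrolled via DEP: No
MDM enrollment: No
"""


def parse_enrollment_status(text):
    """Turn the `profiles status -type enrollment` text into booleans plus the server URL."""
    status = {"dep_enrolled": False, "mdm_enrolled": False,
              "user_approved": False, "mdm_server": None}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Enrolled via DEP":
            status["dep_enrolled"] = value.startswith("Yes")
        elif key == "MDM enrollment":
            status["mdm_enrolled"] = value.startswith("Yes")
            # macOS appends "(User Approved)" only when the user approved the profile.
            status["user_approved"] = "User Approved" in value
        elif key == "MDM server":
            status["mdm_server"] = value
    return status


def assess(status, host_suffix=INTUNE_HOST_SUFFIX):
    """Return a list of problems; an empty list means an ADE, user-approved enrollment into Intune."""
    problems = []
    if not status["mdm_enrolled"]:
        problems.append("not enrolled in any MDM")
    elif not status["user_approved"]:
        problems.append("MDM enrollment is not user-approved, so it is not treated as supervised")
    if not status["dep_enrolled"]:
        problems.append("not enrolled via Automated Device Enrollment (locked enrollment does not apply)")
    host = urlsplit(status["mdm_server"] or "").hostname or ""
    if not host.endswith(host_suffix):
        problems.append(f"MDM server {status['mdm_server']!r} is not an Intune endpoint")
    return problems


def main():
    if sys.platform != "darwin":
        print("This check runs on macOS; evaluating the constructed samples instead.")
        for name, text in [("ADE user-approved", SAMPLE_ADE_USER_APPROVED),
                           ("Company Portal, not approved", SAMPLE_COMPANY_PORTAL_NOT_APPROVED),
                           ("not enrolled", SAMPLE_NOT_ENROLLED)]:
            print(f"{name}: {assess(parse_enrollment_status(text)) or 'OK'}")
        return 0
    out = subprocess.run(["profiles", "status", "-type", "enrollment"],
                         capture_output=True, text=True, check=True).stdout
    problems = assess(parse_enrollment_status(out))
    print("OK: ADE, user-approved enrollment into Intune" if not problems else "\n".join(problems))
    return 0 if not problems else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it on the Mac itself after enrollment; the exit code makes it usable from a deployment script. On a Mac that has not enrolled yet, sudo profiles show -type enrollment displays the ADE profile Apple has assigned to it, which is the fastest way to confirm that the Apple Business Manager assignment reached the device.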

Apple MDM push certificate

You need an Apple MDM Push certificate (an Apple Push Notification service certificate) to manage iOS/iPadOS and macOS devices in Microsoft Intune. Intune uses it to send the push notifications that tell enrolled devices to check in, and without it no Apple enrollment works, whether through the Intune Company Portal, Automated Device Enrollment via Apple Business Manager / Apple School Manager, or Apple Configurator 2.

Sign in to the Intune admin center, choose Devices > Enroll devices > Apple enrollment > Apple MDM Push Certificate, and follow these steps:

  1. Select I agree to give Microsoft permission to send data to Apple.
  2. Select Download your CSR to download and save the certificate signing request locally. The file is used to request a trust relationship certificate from the Apple Push Certificates Portal.
  3. Select Create your MDM push Certificate to open the Apple Push Certificates Portal and sign in with your organization's Apple ID. Use a corporate Apple ID, preferably a dedicated service account, and avoid a personal Apple ID: the certificate has to be renewed every year with the same Apple ID, and if it expires or is replaced by a certificate created under a different Apple ID, every enrolled Apple device has to be re-enrolled.
  4. Select Create a Certificate.
  5. Read and agree to the terms and conditions. Then select Accept.
  6. Select Choose File and select the CSR file you downloaded from Intune.
  7. Select Upload.
  8. On the confirmation page, select Download. The certificate file (.pem) downloads to your device. Save this file, as we will upload it to Intune.
  9. Return to the admin center and enter your Apple ID as a reminder of which account you need when you renew the certificate.
  10. Browse to the Apple MDM push certificate (.pem) you downloaded and select Upload to finish configuring the MDM push certificate.

Create and Upload the Apple Automated Device Enrollment token

So the prerequisites are done, but before you can enrol Macs with ADE you also need an Apple server token (.p7m file) from Apple Business Manager. The token lets Intune talk to Apple: Intune uses it to pull the list of ADE devices your organization owns into the admin center, to push enrollment profiles to Apple, and to assign devices to those profiles. Like the push certificate, the token is valid for one year and must be renewed before it expires.

Follow the steps below to create and upload the ADE token:

  1. In the Intune admin center, select Devices > macOS > macOS enrollment > Enrollment Program Tokens > Add.
  2. Select Download the Intune public key certificate required to create the token. This downloads and saves the public key (.pem) file locally; Apple Business Manager uses it to encrypt the server token so that only your Intune tenant can read it.
  3. Click Create a token via Apple Business Manager to open the Apple Business Manager portal, where you create the ADE token (the MDM server).
  4. Sign in to Apple Business Manager with your company's Apple ID.
  5. In Apple Business Manager, click your account name at the bottom of the sidebar, then choose Preferences from the pop-up menu.
  6. Add an MDM server and upload the public key you downloaded from Intune in step 2. Give the server a name that identifies your Intune tenant at a glance.
  7. After you save the MDM server, select it and download the token (.p7m file).

You will be warned that downloading a new server token resets any existing token for that MDM server. That is fine here, since we are creating a new connection, so click Download Server Token.

  8. Back in the Intune admin center, upload the token, enter the Apple ID you used (you will need the same one to renew the token), click Next and then save.
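Both Apple credentials configured above, the MDM push certificate and the ADE token, expire after a year, and an expired one is the classic way a working Mac fleet quietly falls out of management. The script below is an added example, not code from the original post or from Microsoft: it reads the expiry dates from Microsoft Graph and flags anything expired or within 30 days of expiring. It assumes an access token carrying the DeviceManagementServiceConfig.Read.All permission is passed on the command line, and that the responses carry the expirationDateTime and tokenExpirationDateTime fields of the Graph resources applePushNotificationCertificate (v1.0) and depOnboardingSetting (beta); the sample responses embedded in it are constructed so the check can be exercised offline.

```python
#!/usr/bin/env python3
"""Warn about expiring Apple MDM push certificates and ADE tokens in an Intune tenant.

Added example (not from the original post). Reads expiry dates via Microsoft Graph;
the sample responses at the bottom are constructed, not taken from a real tenant.
"""
import json
import sys
import urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com"
# Assumed endpoints: applePushNotificationCertificate is in v1.0, depOnboardingSettings in beta.
PUSH_CERT_URL = f"{GRAPH}/v1.0/deviceManagement/applePushNotificationCertificate"
DEP_TOKENS_URL = f"{GRAPH}/beta/deviceManagement/depOnboardingSettings"
WARN_DAYS = 30


def parse_graph_time(value):
    """Parse Graph's ISO 8601 timestamps ('2023-09-01T00:00:00Z', possibly with 7 fractional digits)."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"  # datetime.fromisoformat accepts at most microseconds
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def days_until(expiry_iso, now):
    return (parse_graph_time(expiry_iso) - now).days


def check_apple_credentials(push_cert, dep_tokens, now, warn_days=WARN_DAYS):
    """Return one finding per credential: name, Apple ID, days left and a status of
    'ok', 'expiring', 'expired' or 'missing' (no expiry date in the response)."""
    items = [("MDM push certificate", push_cert.get("appleIdentifier"),
              push_cert.get("expirationDateTime"))]
    for tok in dep_tokens:
        items.append((f"ADE token '{tok.get('tokenName')}'", tok.get("appleIdentifier"),
                      tok.get("tokenExpirationDateTime")))
    findings = []
    for name, apple_id, expiry in items:
        if not expiry:
            findings.append({"name": name, "apple_id": apple_id, "days_left": None, "status": "missing"})
            continue
        left = days_until(expiry, now)
        status = "expired" if left < 0 else "expiring" if left <= warn_days else "ok"
        findings.append({"name": name, "apple_id": apple_id, "days_left": left, "status": status})
    return findings


def graph_get(url, access_token):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def report(findings):
    """Print the findings; return 1 if anything needs attention, else 0."""
    for f in findings:
        print(f"[{f['status'].upper():8}] {f['name']}: Apple ID {f['apple_id']}, {f['days_left']} days left")
    return 0 if all(f["status"] == "ok" for f in findings) else 1


# Constructed sample responses, shaped like the Graph resources named above.
SAMPLE_NOW = datetime(2022, 10, 19, tzinfo=timezone.utc)
SAMPLE_PUSH_CERT = {"appleIdentifier": "intune-mdm@example.com",
                    "expirationDateTime": "2023-09-01T00:00:00Z"}
SAMPLE_DEP_TOKENS = [
    {"tokenName": "Contoso Macs", "appleIdentifier": "abm-admin@example.com",
     "tokenExpirationDateTime": "2022-11-05T12:30:00.1234567Z"},
    {"tokenName": "Old lab token", "appleIdentifier": "abm-admin@example.com",
     "tokenExpirationDateTime": "2022-10-01T00:00:00Z"},
]


def run_sample():
    return check_apple_credentials(SAMPLE_PUSH_CERT, SAMPLE_DEP_TOKENS, SAMPLE_NOW)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python3 apple_expiry.py <graph-access-token>
        token = sys.argv[1]
        push = graph_get(PUSH_CERT_URL, token)
        dep = graph_get(DEP_TOKENS_URL, token).get("value", [])
        sys.exit(report(check_apple_credentials(push, dep, datetime.now(timezone.utc))))
    sys.exit(report(run_sample()))
```

Schedule it (or the equivalent query) to run daily; the Apple ID in each finding is the one you have to sign in with to renew, which is exactly why the steps above insist on a service account rather than someone's personal Apple ID.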

Assign devices to the Apple token (MDM server)

  1. In Apple Business Manager > Devices, select the devices you want to assign to this token. You can also choose multiple devices simultaneously or define that all devices are, by default, assigned to this token.
  2. Edit device management and select the MDM server you just added. 

Create an Apple Enrollment Profile

Once you’ve installed your token, the next step is creating an enrollment profile for devices. A device enrollment profile defines the settings that will be applied to the devices in this profile.

  1. In the Intune admin center, choose Devices > macOS > macOS Enrollment > Enrollment program tokens.
  2. Select a token, choose Profiles, and then choose Create profile > macOS.
  3. Provide a Name and Description for the profile (these details are not visible to users) and click Next.
  4. On the Management Settings page, set User Affinity to Enroll with User Affinity, since we will use this profile to enrol devices that belong to a user, and set the Authentication method to Setup Assistant with modern authentication.

The advantage of Setup Assistant with modern authentication is that, until the user signs in to the Company Portal app with their Azure AD credentials, the device:

  • Won't be fully registered with Azure AD.
  • Won't show up in the user's device list in the Azure AD portal.
  • Won't have access to resources protected by Conditional Access.
  • Won't be evaluated for device compliance.
  • Will be redirected to the Company Portal from other apps if the user tries to open a managed application that is protected by Conditional Access.

Set Locked enrollment to Yes to make the device harder to take out of management: it disables the macOS settings that allow the management profile to be removed from System Preferences or with the profiles command in Terminal. Once the device is enrolled, the user cannot change this without wiping the device.

  5. On the Setup Assistant page, fill in Department and Department Phone Number and choose which Setup Assistant screens to show or hide when the user sets up the device.
  6. Select Next to go to Review + create.
  7. To save the profile, select Create.

Sync managed devices

Now that Intune has permission to manage your devices, synchronize Intune with Apple so that the devices assigned to the MDM server in Apple Business Manager show up in the Intune admin center: go to Devices > macOS > macOS enrollment > Enrollment program tokens, select the token, choose Devices, and then Sync. Intune also syncs with Apple on its own schedule, but a manual sync right after assigning devices saves the wait.

We have everything in place. Should we now hand the devices to users? No, wait! This was just the initial part; before you roll any device out to end users, make sure compliance policies, restrictions and mandatory apps are configured in Intune. In the next part of the series we will configure compliance policies, enforce restrictions and push the mandatory apps to users and devices.

Stay In(tuned) 👩‍💻👩‍💻 and be #intuneinspired