macOS ADE Enrollment

Mian Mudasir Bari
2026-03-18T13:56:07.2133333+00:00

I understand that Windows and macOS behave differently in Intune, but I would like confirmation from Microsoft Support based on our specific scenario. We are enrolling macOS devices through Automated Device Enrollment (ADE) via ABM, where users authenticate during Setup Assistant. Additionally, we are using Platform SSO (PSSO) integrated with Microsoft Entra ID.

What I would like to confirm is the following:

If we change the Primary User of a macOS device in Intune after it has already been enrolled through ADE with ABM and PSSO, will the device continue to sync properly and receive apps and policies assigned to the new user? Or will macOS continue to rely on the original user who completed the enrollment during Setup Assistant, regardless of any changes made to the Primary User field in the Intune admin center?

My current understanding is that macOS enrollment is tied to the identity of the user who completes Setup Assistant, rather than the Primary User field in Intune. However, I would like to validate whether this behavior is correct.

Microsoft Security | Intune | Configuration

1 answer

  1. Q&A Assist
    2026-03-18T13:56:30.9533333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    For macOS devices enrolled through Automated Device Enrollment (ADE) with user affinity, Intune ties the device’s user association to the identity that completes Setup Assistant at enrollment time, not to later changes of the Primary User field.

    From the documented behavior:

    • For iOS/iPadOS and macOS with Apple Automated Device Enrollment (DEP/ADE with User Affinity), the enrolling user is automatically assigned as the primary user during enrollment:
      • “iOS/iPadOS, macOS | Apple Automated Device Enrollment (DEP with User Affinity) | Enrolling user | During enrollment.”
    • For ADE without user affinity, there is no primary user and user-based targeting does not apply.

    This means:

    • The user who authenticates in Setup Assistant (with modern auth or legacy) becomes the Intune primary user at enrollment time.
    • Changing the Primary User later in the Intune admin center does not change the original enrollment identity on the macOS device itself; it only changes Intune’s logical primary user association.
    • App and policy targeting behavior depends on how assignments are scoped:
      • Device-based assignments (to the device, device groups, or all devices) continue to apply regardless of primary user changes.
      • User-based assignments are evaluated against the currently signed-in user’s Microsoft Entra ID and group membership. Changing the Intune primary user does not re-enroll the device or change which Entra ID account the Platform SSO session and Setup Assistant enrollment were originally bound to.

    Therefore, the understanding is correct: macOS ADE enrollment is fundamentally tied to the user who completes Setup Assistant with their Microsoft Entra credentials. Updating the Primary User field in Intune after enrollment does not change that underlying enrollment identity and does not by itself “rebind” the device to a different user for PSSO or enrollment. The device will still receive:

    • All device-targeted apps and policies as normal.
    • User-targeted apps and policies based on the Entra ID account actually used on the Mac (and its group membership), not solely on the Primary User value stored in Intune.
