Enroll macOS devices

  • 5 minutes

You can let users enroll their personal Mac devices for Intune management (BYOD) or enroll the devices as corporate-owned devices.

Once you've completed the prerequisites and assigned users licenses, they can download the Intune Company Portal app for macOS, and follow the enrollment instructions in the app.

Company-owned macOS devices

For organizations that buy devices for their users, Intune supports the following macOS company-owned device enrollment methods:

  • Apple Business Manager (ABM)
  • Apple’s Automated Device Enrollment (ADE)
  • Apple School Manager
  • Apple Configurator
  • Intune Device Enrollment Manager (DEM) account
  • Automated Device Enrollment (formerly DEP). Organizations can purchase Mac devices through Apple's Automated Device Enrollment program. This lets you deploy an enrollment profile “over the air” to bring devices into management.

Apple Automated Device Enrollment (ADE) is an online service that automates the enrollment and configuration of Apple macOS devices to MDM. Apple ADE is only available for devices that an organization purchases through either Apple or authorized resellers to provide to employees.

To enable ADE enrollment, you use both the Intune and Apple Business/School Manager portals. A list of serial numbers or a purchase order number is required so you can assign devices to Intune for management. In the Apple portal, an administrator can preconfigure device settings, including what applications and company services each device can access, and set devices to automatically enroll to MDM. macOS devices enrolled in ADE don't require manual configuration, and users never have to click on MDM links or manually install the Company Portal app to initially enroll the device.

If an organization allows its users to bring their own devices, the users should perform the regular macOS BYOD enrollment. But if the company provides employees with Macs that are part of Automated Device Enrollment, users can enroll those devices to MDM by performing the following steps:

  1. Turn on your Mac.

  2. After you select your Language and region, connect your device to Wi-Fi.

  3. On the Migration Assistant screen, choose whether you want to:

    • Transfer from a Mac, Time Machine backup, or startup disk
    • Transfer from a Windows PC
    • Not now (Set up as new device)

  4. Once you’ve connected to Wi-Fi, the Remote Management screen will appear.

    • This will say:
      • [Your Company] can automatically configure your computer.
      • Remote Management allows your administrator to set up email and network accounts, install and configure apps, and manage settings. An administrator may disable features, install and remove apps, monitor and restrict your Internet traffic and remotely erase this computer.

  5. Log in with your credentials (Work account or Apple ID, depending on your company's setup). Logging in installs the management profile that will let your company give you access to its resources, such as email and apps.

  6. Agree to the Terms and Conditions and decide whether you want to send diagnostic information to Apple.

  7. Once you complete your enrollment, your device may prompt you to take more actions to finish the macOS Setup Assistant, such as enabling FileVault, setting up Touch ID, or creating a local computer account.

Tip

When you use macOS ADE enrollment profiles, configure macOS account configuration with LAPS. LAPS creates a local admin account with an encrypted, Intune-managed password, reducing risk from shared credentials. Pair it with a standard user account to enforce least-privilege access for end users.

You can enable ADE enrollment for large numbers of devices without ever touching them. You can ship devices like MacBooks and iMacs directly to users. When the user turns on the device, the Setup Assistant runs with preconfigured settings and the device enrolls into management.

For more information, refer to Automatically enroll macOS devices with Apple's Automated Device Enrollment.

Supervised mode (User Approved MDM)

A macOS device enrolled via Automated Device Enrollment is considered "Supervised" and can be managed with more controls. As such, it’s especially useful for corporate-owned devices. Intune supports configuring devices for supervised mode as part of ADE. We recommend that you use supervised mode even though it requires initial portal configurations. It gives you access to many policy settings in Intune that are otherwise unavailable, such as kernel extension management, software update delays, and strict payload restrictions.

Note that with macOS 11 (Big Sur) and later, Apple requires User Approved MDM (UAMDM) or Automated Device Enrollment to manage these advanced payloads. ADE automatically grants this required supervised/user-approved status without manual intervention.

Enroll your macOS device using Company Portal

  1. Download the Intune Company Portal for macOS installer (.pkg file) from the Microsoft website.

  2. Run the installer and open the Company Portal app.

  3. On the Company Portal Welcome screen, click Sign in, and then sign in with your work or school account.

  4. Follow the instructions given in the Company Portal to download the management profile. You will be prompted to open System Settings (or System Preferences) to manually install and approve the downloaded management profile. The end-user experience can vary based on the policies assigned to the user and/or device.