Use direct enrollment for macOS devices

Manually enroll new or existing corporate-owned Macs via direct enrollment with Apple Configurator. Direct enrollment is ideal for bulk enrollments and when you don't have access to Apple School Manager, Apple Business Manager, or when you require a wired network connection. You must have physical access to the Macs to configure and deploy the enrollment profile.

Direct enrollment lets you enroll the device prior to distribution, and doesn't wipe the device upon enrollment. Devices enrolled this way aren't associated with a user so we recommend this option for shared or kiosk-style devices. These types of devices are purpose driven and commonly used in businesses by frontline workers to scan items, print tickets, get digital signatures, or manage inventory.

We recommend direct enrollment if you:

  • Are in a region/country that doesn't support Apple Business Manager or Apple School Manager.
  • Don't want to use Apple Business Manager or Apple School Manager because you want to limit admin control over devices, or because you don't want to set up all of the requirements.
  • Need a wired internet connection to enroll devices, or have an unreliable internet connection.

You can use this method to enroll one or more Macs. If you have many devices, it will take some time to enroll them because you must transfer and open the enrollment profile on each Mac you're enrolling.

Devices are deployed without user affinity. If you need devices to have user affinity, enroll Macs in Intune via Apple automated device enrollment.

See the following visual guide for a summary of all enrollment options and features available for macOS:

A visual representation of Intune enrollment options by platform

Apps

Apps requiring user affinity, such as the Intune Company Portal app, aren't supported on Macs enrolled via direct enrollment. The Company Portal app isn't used, needed, or supported for enrollments without user affinity. Be sure device users don't install the Company Portal app from the Apple App Store on enrolled devices.

Certificates

This enrollment type supports the Automated Certificate Management Environment (ACME) protocol. When new devices enroll, the management profile from Intune receives an ACME certificate. The ACME protocol provides better protection than the SCEP protocol against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management.

Devices that are already enrolled in Intune do not get an ACME certificate unless they re-enroll into Microsoft Intune. ACME is supported on devices running macOS 13.1 or later.

Prerequisites

If the Mac you're setting up is enrolled in another MDM provider, you must unenroll it before you can enroll it in Intune. Also, make sure that you don't have a device platform restriction targeted at iOS/iPadOS devices, because it will cause the enrollment profile to fail on enrolling Macs.

Step 1: Create enrollment profile

A device enrollment profile defines the settings applied during direct enrollment. These settings are applied only once. Follow these steps to create an Apple Configurator enrollment profile for the Macs you're enrolling.

  1. Sign in to the Microsoft Intune admin center.
  2. Go to Devices > Enrollment.
  3. Select the Apple tab.
  4. Under Bulk Enrollment Methods, select Apple Configurator.
  5. Go to Profiles > Create.
  6. The Create Enrollment Profile page opens. For Basics, type a Name and Description for the profile. These details can help you quickly find your profile in the admin center. Device users don't see these details.

Tip

You can use the name field to create a dynamic membership rule for Microsoft Entra groups. The enrollmentProfileName parameter lets you quickly assign devices with this enrollment profile to the appropriate groups. For more information, see Dynamic group rule syntax.

  7. For User Affinity, choose Enroll without user affinity. This configuration confirms that you're setting up devices without user association. Direct enrollment with user affinity, although available, isn't supported on Macs.

  8. Select Create to save the profile.

Step 2: Export enrollment profile

In this step, you export the enrollment profile.

  1. After you create the profile in the admin center, go to Profiles.

  2. Choose the profile you want to export. Then select Export profile.

  3. A new pane opens. Under Direct enrollment, choose Download profile.

  4. Save the .mobileconfig file. An enrollment profile file is only valid for two weeks. After that time, you must recreate it.

    Note

    You can download as many enrollment profiles as you need. Downloading a new profile doesn't invalidate the previous one; however, it also doesn't extend the expiration date of the previously downloaded file.
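Before transferring the downloaded .mobileconfig to a Mac, an admin can confirm what it will do. The following added example (not Microsoft's code, and not an Intune export) parses the profile with Python's plistlib, reports the MDM payload's check-in endpoints, flags any non-HTTPS endpoint, and applies the two-week validity window described above. The key names are Apple's standard profile and MDM payload keys; the embedded sample profile and its hostnames are constructed.

```python
"""Inspect a direct-enrollment .mobileconfig before installing it (added example)."""
import plistlib
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample: a minimal unsigned profile shaped like an MDM enrollment profile.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.mdm.enrollment</string>
  <key>PayloadDisplayName</key><string>Management Profile</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mdm</string>
    <key>PayloadIdentifier</key><string>example.mdm.enrollment.mdm</string>
    <key>ServerURL</key><string>https://mdm.example.invalid/devicemanagement</string>
    <key>CheckInURL</key><string>https://mdm.example.invalid/checkin</string>
    <key>Topic</key><string>com.apple.mgmt.External.00000000-example</string>
  </dict></array>
</dict></plist>"""

PROFILE_VALIDITY = timedelta(days=14)  # enrollment profile files are valid for two weeks


def inspect_profile(data: bytes) -> dict:
    """Return the MDM payload's endpoints plus simple sanity findings."""
    if not data.lstrip().startswith((b"<?xml", b"bplist")):
        # A CMS-signed profile is DER, not plist; decode it first with
        # `security cms -D -i profile.mobileconfig` on a Mac, then re-run.
        raise ValueError("profile appears to be CMS-signed; decode it before inspecting")
    profile = plistlib.loads(data)
    mdm = [p for p in profile.get("PayloadContent", [])
           if p.get("PayloadType") == "com.apple.mdm"]
    if len(mdm) != 1:
        raise ValueError("expected exactly one com.apple.mdm payload, found %d" % len(mdm))
    endpoints = {k: mdm[0].get(k) for k in ("ServerURL", "CheckInURL")}
    findings = []
    for name, url in endpoints.items():
        if not url:
            findings.append(f"{name} missing")
        elif urlparse(url).scheme != "https":
            findings.append(f"{name} is not https")
    return {"identifier": profile.get("PayloadIdentifier"), "topic": mdm[0].get("Topic"),
            "endpoints": endpoints, "findings": findings}


def profile_still_valid(downloaded: datetime, now: datetime) -> bool:
    """True if the file is within the two-week window after it was downloaded."""
    return downloaded <= now < downloaded + PROFILE_VALIDITY
```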

Step 3: Install enrollment profile

In this step, you install the enrollment profile on the enrolling Mac.

  1. Transfer the .mobileconfig file from your device to the Mac you want to enroll.
  2. Double-click the file to open it.
  3. When you're prompted to install the management profile, select Install.
  4. Select Install again to confirm you want to install the management profile.
  5. Sign in with an administrator account on the Mac, and then select OK.

The Mac is now enrolled in Microsoft Intune and ready to manage. Other profiles assigned to the device begin installing immediately.

Next steps

Start managing enrolled devices in the Microsoft Intune admin center.