You can enroll and manage user-owned (BYOD) or company-owned Apple Mac devices using Intune. After you enroll a device in Intune, users can securely access work-related apps and email. IT administrators can assign organization policies and create device compliance policies that managed devices must meet in order to access work resources. Applications can be deployed to Mac devices from the Microsoft Intune admin center.
There are different ways to enroll a macOS device into Intune, and a few prerequisites must be configured in the Intune admin center before starting the enrollment process. In this blog post, we discuss the different ways of enrolling macOS devices and walk through the steps to enroll one.
Personally Owned (BYOD) macOS device Enrollment
You can enroll user-owned BYOD (bring your own device) devices into Intune. To enroll personally owned macOS devices, an Intune administrator must allow macOS devices under Enrollment restrictions in the Intune admin center. To enroll this type of device, you either install the Company Portal app or go to the Company Portal website and add your device.
Company Owned macOS device Enrollment
There are three ways to enroll a company-owned macOS device into Intune. Company-owned enrollment gives an Intune administrator more management capability than a device enrolled through user-owned (BYOD) enrollment. You can use any of the methods below to enroll a company-owned macOS device.
- Apple Automated Device Enrollment.
- Device enrollment manager (DEM).
- Direct enrollment.
Steps to Enroll Personally Owned (BYOD) macOS device
In this blog post, we will enroll a personally owned (BYOD) device into Intune. Two steps are required for enrollment: first, configure the Apple MDM push certificate in the Intune admin center, and second, install the Company Portal app on the macOS device.
If you have not yet configured the Apple MDM push certificate in the Intune admin center, follow the link “Configure Apple MDM Push certificate using Intune” to configure it first. Then you can install the Company Portal app on the device.
- Apple MDM Push Certificate.
- Install Company Portal Application on macOS device
Install Company Portal App on macOS
Click on the link Install Company Portal Application, which will first ask you to confirm that downloads are allowed. Click on Allow to allow the download of the Company Portal installer. Once it has downloaded, a pop-up in the top right-hand corner should confirm the download. Click on it to launch the installer.
Click on Continue on the Introduction window to start the installation process.
Click on Continue on the Software License Agreement screen to proceed.
Click on the Agree button to accept the Software License Agreement.
Click on the Install button to proceed with the installation. As shown in the window, this will take 145.7 MB of space on your computer. Make sure the disk is not full and that you have enough space on the hard drive before proceeding.
Provide the administrator password and then click on the Install Software button.
The installation can take from a few seconds to a few minutes to complete. Once it is complete, you will see the message “The Installation was successful.”
As we no longer need to keep the Setup Installer file, click on Move to Bin button to remove it.
Microsoft AutoUpdate will launch automatically to check if all Microsoft apps are updated.
You can click on the Update button to update Microsoft apps. Once all the apps are up to date, you can close the window.
Now, using Spotlight Search on macOS, search for the Company Portal app and click on it to launch it.
When the Company Portal app has launched, click on the Sign in button.
Provide the user account details issued by your company / organization and click on Sign in to proceed.
Click on Begin to proceed.
Review the privacy information and check what your organization can see / access in terms of device management. If you are fine with this information, press Continue to proceed.
Registering your Mac device to Microsoft Entra ID (Microsoft Azure Active Directory).
Click on the Download profile button to download the Management Profile to your device.
After you download the Management Profile, a pop-up will appear in the top right-hand corner to confirm that the profile has been downloaded. It should also take you automatically to the Management Profile screen, from where you can install it.
If this window does not open automatically, you can go to System Settings > General > Profiles, where you will find the Management Profile marked with a warning sign. Double-click on it and then click on the Install button.
Fix for Profile Installation Failed Error |
---|
You may get the error message “Profile Installation Failed. Could not obtain the final profile using the Encrypted Profile Service. The credentials within your profile may have expired. Try downloading a new profile.” when trying to install the Management Profile. I have written a blog post on how to fix this error message. You can find the link here: macOS Profile installation failed while Intune enrollment |
After the Management Profile is installed successfully, you can go back to System Settings > General > Profiles and double-click on the installed / active Management Profile to find more information about it.
The Management Profile provides the following useful information:
- Installed date
- Rights / Control it provides to MDM service provider.
- Certificate Details etc.
As you can see from the screenshot below, Intune has the rights / control to:
- Erase all data on this computer
- Add or remove configuration profiles
- Add or remove provisioning profiles
- Lock Screen
- Change Settings
- Application and media management
- Query security information
- Query restrictions
- Query computer information
- Query network configuration
- Query Installed applications
- Query Installed configuration profiles
- Query Installed provisioning profiles
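The enrollment can also be confirmed from Terminal on the Mac with the built-in `profiles status -type enrollment` command. The script below is an added example, not part of the original post: it classifies that command's output, and its sample text, placeholder MDM server URL, function names and state labels are constructed for illustration.

```shell
#!/bin/bash
# Added example: classify the output of `profiles status -type enrollment`.

# Constructed sample of the command's output for a user-initiated enrollment.
# The MDM server URL is a placeholder, not a real Intune endpoint.
SAMPLE_STATUS='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/checkin'

# field NAME TEXT -> prints the value after "NAME: " (empty if the line is absent)
field() {
  printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1
}

# enrollment_state TEXT -> prints one of:
#   not-enrolled | automated-enrollment |
#   user-initiated-approved | user-initiated-unapproved
enrollment_state() {
  dep=$(field 'Enrolled via DEP' "$1")
  mdm=$(field 'MDM enrollment' "$1")
  case "$mdm" in
    Yes*) ;;                                   # an MDM profile is installed
    *) echo not-enrolled; return 0 ;;
  esac
  case "$dep" in
    Yes*) echo automated-enrollment; return 0 ;;  # Apple Automated Device Enrollment
  esac
  case "$mdm" in
    *"User Approved"*) echo user-initiated-approved ;;
    *) echo user-initiated-unapproved ;;
  esac
}

# On a Mac, use the live output; elsewhere fall back to the constructed sample.
if command -v profiles >/dev/null 2>&1; then
  status=$(profiles status -type enrollment 2>/dev/null)
else
  status=$SAMPLE_STATUS
fi
echo "state:  $(enrollment_state "$status")"
echo "server: $(field 'MDM server' "$status")"
```

For a Company Portal enrollment like the one in this post, the expected state is `user-initiated-approved`, and the server line shows which MDM service the Management Profile reports to.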
Verify macOS registration on Entra ID admin center
Now that the device registration has completed successfully, we can check its status in Microsoft Entra ID. Let’s go through the steps:
- Log in to the Microsoft Entra admin center.
- Click on Devices > All devices under Identity.
- You can see that the MacBook Pro has been registered in Entra ID / Azure Active Directory. Notice that the MDM column says Microsoft Intune, because the device is managed by the Microsoft Intune MDM solution.
Verify macOS registration on Intune admin center
We can also verify the macOS device status in the Intune admin center to confirm that it is listed under All devices. Follow the steps below to check and confirm the macOS device registration.
- Log in to the Microsoft Intune admin center.
- Go to Devices > All devices.
- You should be able to find the new Mac registered with Intune. Also note the Compliance Status and the Primary user UPN, which in my case is MeganB@cloudinfra.net.
If you have not yet created device compliance policies for Mac, you should create one to cover the macOS device platform. As this Mac is now enrolled in Intune, you can manage it, deploy configuration policies, scripts and applications to it, and monitor it from the Microsoft Intune admin center.
Conclusion
In this blog post, we have seen how to enroll a macOS device into Intune. It is a step-by-step guide, with screenshots, to enrolling a Mac device. We also discussed the error message “Profile Installation failed”, which occurs during installation of the Management Profile on a macOS device, and how to fix it.