You can use Intune to enroll and manage both user-owned (BYOD) and company-owned Apple Mac devices. Once the device is enrolled in Intune, users can securely access work-related apps and emails.
This blog post will cover the enrollment steps for user-owned (BYOD) type macOS devices into Intune. Let’s check the steps.
Table of Contents
Prerequisites
You have the option to register personally owned macOS devices in Intune. To do this, the Intune administrator needs to grant permission for macOS devices in the Enrollment restrictions section of the Intune admin center.
Steps to Enroll Personally Owned (BYOD) macOS device
The enrollment process involves two key steps: first, configuring the Apple MDM push certificate on the Intune admin center, and second, Installing the Company Portal App on your macOS device.
- Apple MDM Push Certificate
- Install Company Portal Application
1. Configure Apple MDM Push Certificate
To configure the Apple MDM Push certificate on the Intune admin center, follow a step-by-step guide titled Configure Apple MDM Push certificate on Intune.
2. Install the Company Portal App
- Login on the Mac device.
- Open the link: Install Company Portal Application. [This link will immediately download the CompanyPortal-Installer.pkg file on the device.]
- You may get a prompt before the download starts. Click Allow.
- Launch the CompanyPortal-Installer.pkg file.
- Click on Continue.
- Click on Continue.
- Click on Agree.
- Click on Install.
- Provide the administrator password and then click on the Install Software button.
- The installation of the Company Portal app has been completed.
- As we no longer need to keep the Setup Installer file, click the Move to Bin button to remove it.
- Microsoft AutoUpdate may launch automatically to check if all Microsoft apps are updated.
- To update your Microsoft apps, click on the Update button. After all the apps have been updated, you can close the window.
- You can launch the app by typing Company Portal in the Spotlight Search bar and clicking on it when it appears in the search results.
- Once the Company Portal App is launched, click the Sign In button to proceed.
- Please enter the user account details provided by your company or organization, and then click Sign In to continue.
- Click on Begin.
- Click Continue.
- Registering your Mac…. device with Microsoft Entra ID (Microsoft Azure Active Directory).
- To download your device’s management profile, click the Download Profile button.
- After downloading the management profile, a pop-up notification will appear in the top right-hand corner to confirm that the profile has been downloaded. Additionally, it should automatically take you to the Management Profile screen, where you can Install it.
- If the Management Profile window does not open automatically, you can manually access it by going to System Settings > General > Profiles. Look for the Management Profile with a warning sign and double-click on it. Then, click the Install button to proceed with the installation.
- That’s It; The MacOS device is now Enrolled with Intune.
More Information
If you want more information about the Management Profile, you can navigate back to System Settings > General > Profiles. From there, double-click the Installed/Active Management Profile to access more information and details.
This Management Profile provides below Information:
- Installed date
- Rights / Control it provides to MDM service providers.
- Certificate Details etc.
As you can see from the screenshot, Intune has the rights/control to:
- Erase all data on this computer
- Add or remove configuration profiles
- Add or remove provisioning profiles
- Lock Screen
- Change Settings
- Application and media management
- Query security information
- Query restrictions
- Query computer information
- Query network configuration
- Query Installed applications
- Query Installed configuration profiles
- Query Installed provisioning processes
Confirm macOS Registration in Entra Admin Center
Now that the device registration has been completed successfully, we can check its status from the Microsoft Entra admin center. let’s check the steps:
- Sign in to the Entra admin center.
- Click on Devices > All devices under Identity.
- You’ll notice that our MacBook Pro is registered in Entra ID/Azure Active Directory. The MDM column indicates that the Microsoft Intune MDM solution manages it.
Confirm macOS Registration from the Intune admin center
You can also verify the status of your macOS device in the Intune admin center to ensure it’s listed under All devices. Follow these steps to check and confirm the registration of your macOS device:
- Sign in to the Intune admin center.
- Go to Devices > All devices.
- You should be able to locate the newly registered Mac within Intune. Please make sure to take note of the Compliance Status and the Primary User UPN, which, in my case, is MeganB@cloudinfra.net.
If you haven’t already set up Device compliance policies for Mac, creating one that specifically covers the macOS device platform is important. Now that this Mac device is enrolled in Intune, you can manage it, deploy configuration policies, run scripts and applications, and monitor its status from the Microsoft Intune admin center.
FAQS
1. Fix the Profile Installation Failed Error
You might encounter an error message that reads, “Profile Installation Failed: Could not obtain the final profile using the Encrypted Profile Service. The credentials within your profile may have expired. Try downloading a new profile.” This error occurs when attempting to install the management profile.
The blog post provides information on how to fix the macOS Profile Installation Failed error during Intune enrollment.
2. Enroll Company-Owned macOS devices
Enrolling a company-owned macOS device into Intune offers greater management capabilities to an Intune administrator than enrolling a device through user-owned BYOD methods. Three methods are available for enrolling a company-owned macOS device.
- Apple Automated Device Enrollment.
- Device enrollment manager (DEM).
- Direct enrollment.
Conclusion
In this blog post, we’ve covered enrolling a BYOD macOS device in Intune. This step-by-step guide includes screenshots for each enrollment step. We’ve also addressed the Profile Installation Failed error message and provided solutions to resolve it. This error typically occurs during the installation of the management profile on a macOS device.
