You can use Intune to enroll and manage both user-owned (BYOD) and company-owned Apple Mac devices. Once the device is enrolled in Intune, users can securely access work-related apps and emails.
In this blog post, we are going to cover the Enrollment steps of user-owned (BYOD) type macOS devices into Intune. Let’s check the steps.
Table of Contents
Prerequisites
You have the option to register personally owned macOS devices in Intune. To do this, the Intune administrator needs to grant permission for macOS devices in the Enrollment restrictions section of the Intune admin center.
Steps to Enroll Personally Owned (BYOD) macOS device
The enrollment process involves two key steps: first, configuring the Apple MDM push certificate on the Intune admin center, and second, Installing the Company Portal App on your macOS device.
- Apple MDM Push Certificate
- Install Company Portal Application
1. Configure Apple MDM Push Certificate
To configure the Apple MDM Push certificate on the Intune admin center, you can follow a step-by-step guide titled: Configure Apple MDM Push certificate on Intune
2. Install the Company Portal App
- Login on the Mac device.
- Open the link: Install Company Portal Application. [This link will straight away download CompanyPortal-Installer.pkg file on the device].
- You may get a prompt before the download starts. Click Allow.
- Launch the CompanyPortal-Installer.pkg file
- Click on Continue.
- Click on Continue.
- Click on Agree.
- Click on Install.
- Provide the administrator password and then click on the Install Software button.
- The installation of the Company Portal app has been successfully completed.
- As we no longer need to keep the Setup Installer file, click on the Move to Bin button to remove it.
- Microsoft AutoUpdate may launch automatically to check if all Microsoft apps are updated.
- To update your Microsoft apps, click on the “Update” button. After all the apps have been updated, you can then close the window.
- Just type “Company Portal” in the Spotlight Search bar, and when it appears in the search results, click on it to launch the app.
- Once the Company Portal App is launched, click on the “Sign In” button to proceed.
- Please enter the user account details provided by your company or organization, and then click on “Sign In” to continue.
- Click on Begin.
- Click Continue.
- Registering your Mac…. device with Microsoft Entra ID (Microsoft Azure Active Directory).
- To download the management profile on your device, click on the “Download Profile” button.
- After downloading the management profile, a pop-up notification will appear in the top right-hand corner to confirm that the profile has been downloaded. Additionally, it should automatically take you to the Management Profile screen, where you can proceed to Install it.
- If the Management Profile window does not open automatically, you can manually access it by going to System Settings > General > Profiles. Look for the Management Profile with a warning sign and double-click on it. Then, click on the “Install” button to proceed with the installation.
- That’s It, The MacOS device is now Enrolled with Intune.
More Information
If you want to know more information about Management Profile, you can navigate back to System Settings > General > Profiles. From there, double-click on the Installed/Active Management Profile to access more information and details about it.
This Management Profile provides below useful Information:
- Installed date
- Rights / Control it provides to MDM service providers.
- Certificate Details etc.
As you can see from the below screenshot. Intune has the rights/control to:
- Erase all data on this computer
- Add or remove configuration profiles
- Add or remove provisioning profiles
- Lock Screen
- Change Settings
- Application and media management
- Query security information
- Query restrictions
- Query computer information
- Query network configuration
- Query Installed applications
- Query Installed configuration profiles
- Query Installed provisioning processes
Confirm macOS Registration in Entra Admin Center
Now that the device registration has been completed successfully, we can check its status from the Microsoft Entra admin center. let’s check the steps:
- Login on Microsoft Entra admin center
- Click on Devices > All devices under Identity
- You’ll notice that our MacBook Pro is registered in Entra ID/Azure Active Directory. Take note of the MDM column, which indicates that it’s managed by the Microsoft Intune MDM solution.
Confirm macOS Registration from the Intune admin center
You can also verify the status of your macOS device in the Intune admin center to ensure it’s listed under “All devices.” Follow these steps to check and confirm the registration of your macOS device:
- Login on Microsoft Intune admin center
- Go to Devices > All devices
- You should be able to locate the newly registered Mac within Intune. Please make sure to take note of the Compliance Status and the Primary User UPN, which, in my case, is MeganB@cloudinfra.net.
If you haven’t already set up Device compliance policies for Mac, it’s important to create one that specifically covers the macOS device platform. Now that this Mac device is enrolled in Intune, you have the ability to manage it, deploy configuration policies, run scripts and applications, and monitor its status from the Microsoft Intune admin center.
FAQS
1. How to fix the Profile Installation Failed Error?
You might encounter an error message that reads, “Profile Installation Failed: Could not obtain the final profile using the Encrypted Profile Service. The credentials within your profile may have expired. Try downloading a new profile.” This error occurs when attempting to install the management profile.
You can refer to the blog post to help you fix the “macOS Profile Installation Failed” error during Intune enrollment.
2. What are the different ways for Enrolling Company-Owned macOS Devices?
Enrolling a company-owned macOS device into Intune offers greater management capabilities to an Intune administrator compared to a device enrolled through user-owned BYOD methods. There are three methods available for enrolling a company-owned macOS device.
- Apple Automated Device Enrollment.
- Device enrollment manager (DEM).
- Direct enrollment.
Conclusion
In this blog post, we’ve covered the process of enrolling a macOS device in Intune. This step-by-step guide includes screenshots for each enrollment step. We’ve also addressed the “Profile Installation Failed” error message and provided solutions for resolving it. This error typically occurs during the installation of the management profile on a macOS device.
