You can easily enroll personally owned or corporate-owned macOS devices into Intune. This allows IT administrators to manage the devices from a central cloud-based service called Microsoft Intune. Enrollment of BYOD macOS devices is a straightforward process using the Company Portal app.
During the enrollment of a macOS device via the Company Portal app, there is a step to download and install the Management Profile on the device. The download of the Management Profile completes successfully, but when you try to install it, it throws the error message “Profile Installation failed”. The exact error message is:
“Profile Installation Failed”. Could not obtain the final profile using the Encrypted Profile Service. The credentials within your profile may have expired. Try downloading a new profile.
The error message states that the credentials within your profile may have expired and suggests downloading a new profile. However, even if you try this multiple times by restarting the app or signing out and back in to the Company Portal app, you get the same error message.
There are different troubleshooting steps to fix this error message. The issue could be linked to a device enrollment configuration issue in the Microsoft Intune admin center or to a license issue. You may also have to perform troubleshooting steps locally on the macOS device.
It's very common to get this error message if you have installed macOS in VMware Workstation and are trying to enroll macOS running as a virtual machine. It could be any flavour of macOS, e.g. Sonoma, Ventura, Monterey etc.; you may get the same error message while trying to enroll it into Intune.
First, make sure the device is running macOS 11 or later for Intune enrollment to work. Also, make sure the user who signs in to the Company Portal app to enroll this device is assigned an Intune license. To check the license assignment for the user, log in to Microsoft 365 admin center > Users > Active Users > click on the user. A pane will open on the right-hand side; click on the Licenses and apps tab to check license assignment details for the user.
Apart from the above checks, you will need to verify the configuration below from the Intune admin center. Make sure it's configured correctly.
- Enrollment device platform restrictions
- Apple MDM push certificate verification
- Update .vmx Configuration file for macOS Virtual Machine
Enrollment device Platform restrictions settings for macOS
Enrollment restrictions in Intune refer to the various policies and settings that control which devices or users can enroll in Intune and access corporate resources. This setting can be configured for each platform e.g. Windows, Android, iOS and macOS.
The enrollment device platform restriction policy defines whether a personally owned device is allowed to be enrolled into Intune or not. You can check this configuration using the steps below:
- Log in to the Microsoft Intune admin center
- Devices > Enroll devices
- Click on Enrollment device platform restrictions
- Find a Device type restrictions policy which is applied to All Users in your organization. Click on the hyperlink All Users to check the policy settings.
- Click on Properties and then Click on Edit next to Platform settings to change the policy settings.
- Make sure that macOS under Personally owned column is set to Allow.
Apple MDM push Certificate verification
To enroll a macOS device, an Apple MDM push certificate needs to be configured. To check and confirm its status, follow the steps below:
- Log in to the Microsoft Intune admin center
- Devices > Enroll devices
- Click on Apple enrollment
- Click on Apple MDM Push certificate
Make sure the Status is Active and the certificate is not expired.
Update .vmx Configuration file for macOS Virtual Machine
You can create a macOS virtual machine using VMware Workstation and enroll it into Intune. However, as it's not a real physical device, macOS VM enrollment into Intune brings some challenges. You could get the “Profile Installation failed” error message during installation of the management profile.
I managed to tweak the .vmx file of the macOS virtual machine and successfully enrolled the device into Intune. Please follow the steps below to fix this issue:
- Shutdown your macOS Virtual Machine (if running).
- Find the virtual machine's installation folder from VMware Workstation. Right-click on the VM > Click on Settings > Options tab > Working Directory.
- Find .vmx file in the Installation directory.
Update the line below:
board-id.reflectHost = "FALSE"
Add the lines below at the end of the file:
board-id = "Mac-AB95B1DDAB278B95"
hw.model.reflectHost = "FALSE"
hw.model = "MacBookPro19,1"
serialNumber.reflectHost = "FALSE"
serialNumber = "C04939388580"
SMBIOS.use12CharSerialNumber = "TRUE"
Power up the virtual machine and use your credentials to sign in. Click on the Apple logo in the top left-hand corner > About This Mac. You will find that the model of this device has changed from Mac to MacBook Pro and its serial number has been updated as well.
Try to install the Management Profile again; this time it should install successfully. Once the Management Profile is installed, you can check it by going to System Settings > General > Profiles > double-click on the Management Profile and check its status. You can also see the rights/control it provides to the MDM solution, e.g. Intune.
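The .vmx edit from the steps above as a repeatable function, added here as an example and not part of the original post. `patch_vmx` and the sample fragment are constructed for illustration; the key values are the ones listed in the steps. It also normalises curly quotes pasted from a web page and drops duplicate keys, and a second run makes no further changes.

```python
import re

# Values copied from the steps above.
REQUIRED = {
    "board-id.reflectHost": "FALSE",
    "board-id": "Mac-AB95B1DDAB278B95",
    "hw.model.reflectHost": "FALSE",
    "hw.model": "MacBookPro19,1",
    "serialNumber.reflectHost": "FALSE",
    "serialNumber": "C04939388580",
    "SMBIOS.use12CharSerialNumber": "TRUE",
}
SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})
LINE_RE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')

SAMPLE = (  # constructed fragment, not a real VM's file
    '.encoding = "UTF-8"\n'
    'guestOS = "darwin21-64"\n'
    'board-id.reflectHost = "TRUE"\n'
    'SMBIOS.use12CharSerialNumber = \u201cTRUE\u201d\n'
)


def patch_vmx(text, required=REQUIRED):
    """Return (new_text, changes) for the contents of a .vmx file.

    Required keys are rewritten in place, missing ones are appended,
    and every line that ends up different from its input is reported.
    """
    seen, out, changes = set(), [], []
    for raw in text.splitlines():
        line = raw.translate(SMART_QUOTES)  # curly quotes -> straight quotes
        m = LINE_RE.match(line)
        key = m.group(1) if m else None
        if key in required:
            if key in seen:  # keep only the first copy of a key
                changes.append(f"removed duplicate {key}")
                continue
            seen.add(key)
            line = f'{key} = "{required[key]}"'
        if line != raw:
            changes.append(f"{raw.strip()} -> {line}")
        out.append(line)
    for key, value in required.items():
        if key not in seen:
            out.append(f'{key} = "{value}"')
            changes.append(f"added {key}")
    return "\n".join(out) + "\n", changes
```

Apply it to the file's text with the VM shut down, and keep a copy of the original .vmx before writing the result back.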
Other Solutions for Profile Installation failed error
If you have verified all macOS-related configuration in the Intune admin center and also configured the .vmx file correctly but are still getting this error, you can try to get hold of a physical macOS test device and check whether Management Profile installation works on it. If it works on the physical device, then it's confirmed that the enrollment configuration in the Intune admin center is correct.
Another option is to delete all management profiles from your device, restart the device and try to re-enroll it.
To check and confirm the Management profiles on a macOS device, go to System Settings > General > Profiles > select the Management Profile you want to delete and then press Delete on the keyboard. If multiple profiles exist, you can delete them too and try to re-enroll your device using the Company Portal app.
If this does not work either, you can try to reset / re-install the macOS from scratch and then try again.
Conclusion
In this blog post, we have seen different ways to fix the “Profile Installation failed” error message. This error is generated during the installation of the Management Profile on a macOS device. Do check the “Other Solutions for Profile Installation failed error” section for fixing this error, along with all the other troubleshooting steps provided.
If, even after following the troubleshooting steps given in this blog post, you are still facing this issue, you can raise a ticket with Microsoft Support to check for any specific issues / solutions.