Enroll a corporate macOS device in Intune through Apple Business Manager

To manage a macOS device to its full potential, you want to enroll it as a corporate device.

It is easier to enroll a macOS device using the Company Portal (MS article here), but from an Intune perspective you then get a personal device, not a corporate one.

In this post, I enroll a macOS device as a corporate device, even though I bought it on my own and not through an Apple reseller. I use the Apple Configurator mobile app to import the device.

You can compare this method with a manual Autopilot import followed by an Intune enrollment.

Context

I enroll a 2020 MacBook Air running macOS Ventura 13.2.1.
I also use an iOS device running Apple Configurator. It is necessary to import the device into the Apple Business Manager portal.

Direct enrollment is also an option, sure. But in my opinion (and Microsoft's), it is more appropriate for kiosk or shared devices.

You can find more information about the three enrollment scenarios here.

ABM and Intune association

First things first, make sure the Intune tenant is associated with the Apple Business Manager portal.

You build a trust relationship certificate (a certificate signing request, aka CSR) from Intune and use it in the Apple Push Certificates Portal. Be careful with the account you use to build this relationship: you want an account known by several people in your organization, since the push certificate must be renewed yearly with that same Apple ID. You upload the CSR file and get back a .pem file, which you then upload in Intune.

I suggest following this MS post to do it properly.

Done? Make sure you created an enrollment program following the MS article here. Basically, you download a server token from the Apple Business Manager (ABM, business.apple.com) portal and import it into Intune, in the enrollment program.

Steps to follow:
– Download the public key from the enrollment program in Intune (.pem file)
– Go to the ABM portal business.apple.com > Preferences > Add MDM server > Import the public key you downloaded
– Still from the ABM portal, download the MDM server token (.p7m file)
– Go back to Intune, finish the creation of your enrollment program token and import the server token

The association is done. My MDM server is set as the default. As soon as a device is imported, it will be linked to my MDM server and to the enrollment program « Intune Synapsys ».

Import the device into the ABM portal and Intune

I open the Apple Configurator application on my iPhone. I log in to the application with my admin account, which is an administrator in the Apple Business Manager portal.

I tap Share Wi-Fi so the iPhone shares its Wi-Fi settings with the device once it is in the enrollment state.

The application now asks to scan a QR code.

Let's turn on the MacBook Air. I reset the device. Compared with a Windows device, this is the OOBE screen where you select the language.

Click Continue and the long-awaited QR code is displayed. Scan it with the app and the device is imported into the ABM portal. If you went past the language screen, reboot the device: the organization screen is the third screen you will see.

You will notice the « connecting to network » step, thanks to the Wi-Fi settings shared by the Apple Configurator application. I shut down the MacBook Air and go to the ABM console: business.apple.com

My imported device

Here it is, my device is in ABM.

My device has the MDM server set to « Intune Synapsys ». Nice. You can also do it manually by clicking « Edit the MDM server » once you have selected the device. There is also an option for bulk assignment, but because I set it as the default, I have nothing to do.

Let's have a look at the Intune portal and the enrollment program « Intune Synapsys »:

Here is my device. If the list is empty, you might want to click the Sync button. It syncs the devices provisioned from ABM to Intune.

The device is now registered in Azure AD and imported into Intune through the ABM portal.

Just like you do with Autopilot and Windows devices, you create a dynamic group to gather the macOS devices.

Create the dynamic group in Azure AD

Using the proper dynamic membership rule, you can gather every macOS device with a rule like this one:

Great, you have a dynamic group with your devices in it. This group will be used to deploy applications, configurations and more. You can also use your user groups, thanks to User Affinity (details below).

Create the enrollment profile

If you compare this step with a Windows device scenario, this is the moment when you configure the OOBE experience by creating the Autopilot profile. In macOS scenarios, let's call that an « Enrollment profile ».

Note that an enrollment profile is mandatory for the device to enroll properly in Intune.

User affinity or not, that is the question.

User affinity configures a relationship between the user and the device. If you want your users to be able to use the Company Portal to download applications, for example, I suggest configuring the device with User Affinity. If the device will be used by multiple users, I suggest configuring the enrollment profile without User Affinity.

As for the authentication method, the modern one is the best choice, in my opinion. The OS prerequisite is version 10.15, aka Catalina.

Locked enrollment is necessary so the end user cannot remove the management profile locally.

Finally, you configure the end user's OOBE experience by disabling or enabling screens. Notice there is no way to set the end user's account as a standard account. Keep that in mind for later.

There is no assignment step when you create an enrollment profile. Coming from the Autopilot world, I know it might seem weird.

So that the enrollment profile is assigned as soon as the device reaches the tenant, I suggest setting your enrollment profile as the default here:

Turn on the macOS device

One of the first screens is the Remote Management notice: this MacBook has been provisioned by an organization, and the OS tells you so.

Then comes the modern authentication we configured earlier. The end user's credentials must be entered here, and a notification is sent to the end user.

Now the end user configures a local session. I know, it might seem weird for Windows folks like me, but the end user will not log in with their AAD account. The macOS device is registered with Azure AD, not joined.

The end user benefits from SSO in managed apps (proper configuration required) with their corporate account, but the session used is a local one. User affinity takes care of the relationship between the local session and the corporate end-user account.

This is the screen where the local session is configured, and it is an admin account:

Remember the setting in an Autopilot profile where you set the end user's account as standard? Well, this feature does not exist in a macOS enrollment profile.

I suggest dealing with it afterwards using a bash script that adds your own corporate admin account and sets the others as standard (there is a great blog post about it; love this guy). You can also leverage Jamf Pro, but we will keep that for another story.
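The kind of post-enrollment script meant above, as an added example that is not the post's own script nor the one it links to: it creates a corporate admin account if it is missing and demotes every other admin to a standard account. The account name `corpadmin`, the `MANAGED_ADMIN_PASSWORD` variable and the `--apply` switch are assumptions; the macOS tools `sysadminctl`, `dscl` and `dseditgroup` are the real ones.

```shell
#!/bin/bash
# Added example, not the post's script. Run as root after enrollment, for
# instance as an Intune shell script. Creates the corporate admin if missing,
# then demotes every other admin to standard. Account name and password
# variable are assumptions; sysadminctl, dscl and dseditgroup are macOS tools.
set -eu

MANAGED_ADMIN="${MANAGED_ADMIN:-corpadmin}"

# Pure helper (no macOS calls, so it can be tested anywhere): given the admin
# group membership and the accounts to keep, both space-separated, print one
# account per line to demote. root and _service accounts are never touched.
accounts_to_demote() {
    local members="$1" keep="$2" m k skip
    for m in $members; do
        case "$m" in root|_*) continue ;; esac
        skip=0
        for k in $keep; do
            [ "$m" = "$k" ] && skip=1
        done
        [ "$skip" -eq 0 ] && printf '%s\n' "$m"
    done
    return 0
}

ensure_managed_admin() {
    # The password must be injected as a secret at deploy time; a literal here
    # would be readable by anyone who can fetch the script from the MDM.
    : "${MANAGED_ADMIN_PASSWORD:?MANAGED_ADMIN_PASSWORD is not set}"
    if ! dscl . -read "/Users/$MANAGED_ADMIN" >/dev/null 2>&1; then
        sysadminctl -addUser "$MANAGED_ADMIN" -fullName "Corporate Admin" \
            -password "$MANAGED_ADMIN_PASSWORD" -admin
    fi
}

demote_other_admins() {
    local members user
    # dscl prints "GroupMembership: root corpadmin jdoe"; keep the names only
    members="$(dscl . -read /Groups/admin GroupMembership | cut -d: -f2)"
    for user in $(accounts_to_demote "$members" "$MANAGED_ADMIN"); do
        dseditgroup -o edit -d "$user" -t user admin
        echo "demoted $user to standard"
    done
}
# Only touch the system when explicitly asked, so sourcing the file is safe.
if [ "${1:-}" = "--apply" ]; then
    ensure_managed_admin
    demote_other_admins
fi
```

Deploy it with the password supplied through the MDM's secret mechanism rather than the script body, and check the admin group afterwards with `dscl . -read /Groups/admin GroupMembership`.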

The session has been created. The end user goes through the screens chosen in the enrollment profile and finally arrives at the Desktop.

Device in Intune and Azure AD

The device is enrolled in Intune and has received the configuration profiles, encryption policies and applications targeted at the dynamic device group or the user groups:

A look at Azure AD confirms the device's registered state:

And there you go!
