Enrolling an Apple Mac into Intune via Apple Business Manager

In the run-up to Christmas, when everything starts to wind down for the change freeze, I’ve decided to revisit the fruit bowl and demonstrate how to register a Mac in Apple Business Manager and enrol it into Intune.

If you’re not excited by that, the TL;DR is that it’s very similar (identical?) to how you’d register an iOS device in ABM (using the Configurator app, or having it pre-assigned via an authorised reseller) and enrol it into MDM.

Prerequisites

  • A macOS device running a fairly new OS
  • An Apple Business Manager account
    • Or, an Authorised Reseller from which you purchase devices
  • An iOS device, or similar, capable of running the Configurator App
  • An MDM platform (Intune, in this example)

Method

Ensure Apple Business Manager is configured to publish macOS devices into your MDM platform.

If you mirror this configuration and set your MDM platform as the “default assignment”, it makes no difference whether a device becomes ABM-registered through your Authorised Reseller or via the Apple Configurator application.

In this guide, I’ve used Apple Configurator to push my device into ABM – which involves using the Configurator app on an iOS device to scan the Spherical QR code offered by the Mac during the Setup Wizard. Though it’s largely irrelevant how the device gets into ABM at this point, for a device to be corporately configured using Automated Device Enrollment, it has to come via ABM.

With the device registered in ABM and assigned to the relevant MDM platform, log in to Intune. I am assuming that Intune is already configured with Apple Push Notification certificates and VPP, which you will have done if you’re enrolling and managing iOS devices.

With the above in place, we also need to ensure that we have:

  • A Compliance Policy for macOS devices
  • An Enrollment Profile for macOS devices
  • and for good measure, we’ll publish Company Portal

Within Intune, click Devices, go to Device Onboarding and Enrollment, and click Apple in the top tabs.

Click on Enrollment Program Tokens and select your Enrollment Program Token.

Under Manage, click on Profiles and Create Profile. Select macOS.

Configure the profile as you desire.

Within the Account Settings section, it’s worth highlighting that unless you have external ways of adding or managing users, failing to configure this section could leave you unable to log in to your device, as no user will be configured on it!

After creating the profile, go back to your Enrollment Program Token and click on Set Default Profile.

Back at the root of your Enrollment Program Token, click on Devices, and then force a Sync. A sync between ABM and Intune can only occur once in a 15-minute window, so ensure your device is visible in ABM before hitting Sync.

After a few seconds, if you refresh, your newly registered ABM devices should appear in Intune.

Clicking on the device that appears should reveal a blade which contains the device information, and more importantly, the Assigned Profile.

Once the Assigned Profile is defined, you can theoretically begin to provision the device. But before we do that, let’s ensure we have a Compliance Policy in place and a configuration to assign.

Within Intune, go back to Devices on the left menu, and under Manage Devices select Compliance.

Click on Create Policy and then macOS.

Define your compliance settings. Assign this to all devices, or a collection that contains your macOS devices.

Because we’ve stipulated the use of Company Portal during Setup, we’ll now deploy that as a required application. More so for demonstration purposes, but still.

Company Portal for macOS can be downloaded and installed using the macOS LOB apps feature. The version downloaded and deployed is a “point in time” installer, meaning that the version you publish is the version that will always be installed. The package WILL need to be updated periodically to ensure users get the best experience during initial enrollment.

With the package downloaded, go to Apps > macOS within Intune and click Create. Select Other Line-of-business app.

Select the downloaded Company Portal package, and the configuration will be prepopulated for you. Tweak the name and description, populate the Publisher field and click Next.

Assign to all devices (or your device collection), click Next. Finally, click Create.

Microsoft also offers a scripted solution for deploying the latest package at the time of deployment, but this prevents you from reporting against installations, hence the use of LOB in this example. See the note below; it applies to ALL installation methods.

Note: Once installed, the Company Portal for macOS app will automatically update using Microsoft AutoUpdate.

With Intune configured, you can now move over to the device(s) in question and set about enrolling them for use. Proceed with the Setup Wizard.

Once you’ve connected to the WiFi, the device will phone home, acknowledge it’s a managed device and request Enrollment.

Click Enrol and provide your Microsoft credentials (the account you use must be licensed for Intune).

Continue with the Setup Wizard and create an account (if not pre-configured). Follow the wizard through to the end, and you’ll end up at your desktop. Shortly afterwards, Intune will update to reflect the enrollment.
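Once the device reaches the desktop, it is worth confirming from the Mac itself that the enrollment really came through Automated Device Enrollment (the route this guide relies on) and that the MDM profile is user-approved, rather than a manual enrollment a local user could remove. The script below is an added example and not part of the original post; it uses the real macOS command profiles status -type enrollment, whose two output lines it parses. The state names it returns are labels I have chosen, and the sample output embedded in it is constructed so the script also runs on a machine without the profiles command.

```shell
#!/bin/sh
# Added example (not from the original post): classify a Mac's MDM enrollment
# state from the output of the macOS command `profiles status -type enrollment`,
# which prints two lines of the form
#   Enrolled via DEP: Yes
#   MDM enrollment: Yes (User Approved)
# (ADE is still reported under its old name, DEP.)

# classify_enrollment <profiles-output>
# Prints one of our own labels: ade-user-approved, ade-not-user-approved,
# manual-mdm, unenrolled, unknown.
classify_enrollment() {
  out="$1"
  dep=$(printf '%s\n' "$out" | sed -n 's/^Enrolled via DEP: *//p')
  mdm=$(printf '%s\n' "$out" | sed -n 's/^MDM enrollment: *//p')
  case "$dep|$mdm" in
    "Yes|Yes"*"(User Approved)"*) echo "ade-user-approved" ;;     # what this guide intends
    "Yes|Yes"*)                   echo "ade-not-user-approved" ;; # ADE, but profile not yet approved
    "No|Yes"*)                    echo "manual-mdm" ;;            # enrolled, but not via ABM/ADE
    *"|No"*)                      echo "unenrolled" ;;            # no MDM profile installed
    *)                            echo "unknown" ;;               # unexpected or empty output
  esac
}

# Constructed sample output, matching what an ADE-enrolled Mac reports; used
# when the script runs somewhere the `profiles` command does not exist.
SAMPLE_ADE_OUTPUT='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

# check_this_mac: use the live command on macOS, the constructed sample elsewhere.
check_this_mac() {
  if command -v profiles >/dev/null 2>&1; then
    live=$(profiles status -type enrollment 2>/dev/null)
    classify_enrollment "$live"
  else
    classify_enrollment "$SAMPLE_ADE_OUTPUT"
  fi
}

state=$(check_this_mac)
echo "enrollment state: $state"
# Anything other than ade-user-approved means the device did not arrive via
# ABM/ADE as intended, or a user still needs to approve the MDM profile.
```

Run it as a normal user on the enrolled Mac; only ade-user-approved confirms the device came in through ABM with a supervised, non-removable enrollment. A manual-mdm result is the case to watch for, since that profile can be removed from System Settings by a local administrator.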

Now that you’ve got your macOS device enrolled in Intune, you’re free to create any and all of the Configuration Profiles you require.

Enjoy!
