In this post I will walk through how to enroll macOS in Intune. Apple devices can be enrolled in Intune and managed through it, whether the ownership is Personal or Corporate. A few prerequisites must be met before enrollment, the main one being the Apple MDM Push Certificate.
Mac devices need to be enrolled before they can be managed. Once a macOS device is enrolled through the Intune Company Portal, it can securely access work or school email, files and apps, and the mobile device management (MDM) provider, in this case Intune, can apply company policies to it.
Set up Apple ID
The first thing to do is create an Apple ID. Sign in to the Apple website and create one. Use an Apple ID that belongs to the organization rather than to an individual: the push certificate has to be renewed every year with the same Apple ID, so it should not be tied to someone who may leave. Don't log out; navigate to the MEM portal for the next configuration steps.
Setting up Apple Push Certificate
We need to set up the Apple Push Certificate in Intune. Sign in to the MEM portal and navigate to Home > Devices > macOS > macOS enrollment.
Intune requires an Apple MDM push certificate to manage Apple devices; it is a prerequisite for enrolling macOS devices. Click Apple MDM Push certificate.
This opens the Configure MDM Push Certificate blade; we will go through each step to complete the configuration.
1. Click "I Agree" to grant Microsoft permission to send user and device information to Apple.
2. Click Download your CSR. This is the Intune certificate signing request, which is needed in the next step. It downloads with a .csr extension; the file name I got was IntuneCSR.csr.
3. Click Create your MDM push Certificate to open the Apple Push Certificates Portal in another tab.
We are going to create a push certificate that will be integrated with Intune. Click Create a Certificate.
Provide an easy-to-remember note such as "Certificate for Apple macOS" and upload the certificate signing request. The portal asks for a Vendor-Signed Certificate Signing Request; that is the file we downloaded in step 2 (IntuneCSR.csr, already signed by Microsoft as the MDM vendor). Select it and click Upload.
A confirmation page appears with the following certificate details:
Service: Mobile Device Management
Vendor: Microsoft Corporation
Click Download to grab the certificate in .pem format; the file I got was MDM_ Microsoft Corporation_Certificate.pem.
Let's go back to the MEM portal, to the Configure MDM Push Certificate blade we left.
4. Enter the Apple ID you used to create the Apple MDM push certificate. This is the Apple ID you will need again when renewing the certificate.
5. Browse to the Apple MDM push certificate (.pem) we just downloaded and click Upload.
After a short wait you will get the notification Your MDM push certificate was successfully created.
Back on the macOS enrollment page, the MDM Push Certificate now shows as created, with its expiration date, Apple ID, Subject ID and so on. Note the expiration date: Apple push certificates are valid for one year.
Install Intune Company Portal / Enroll Device
Before installing the Company Portal and enrolling the device, make sure the user has an appropriate Intune license assigned. Licenses that include Intune are, for example:
Microsoft Enterprise Mobility + Security (EMS)
Enterprise Mobility + Security E3
Enterprise Mobility + Security E5
Microsoft 365 E3
Microsoft 365 E5
Sign in to the Mac, download the Company Portal, and run the CompanyPortal-Installer.pkg file.
(Note: you can't install Company Portal from the App Store; the App Store version is available only for iPhone and iPad.)
This launches the Install Intune Company Portal installer; click Continue.
On the License page, click Continue.
On the Installation Type page, click Install.
The Installation page shows the installation running.
Wait for the installation to complete.
Once Company Portal is installed, click Sign in and log in with a user account that has an appropriate Intune license assigned.
Once logged in, the Set up Portal access screen asks for more information to register the device; this is required to set up your device to access email, devices, Wi-Fi and apps for work. Click Begin.
The Review privacy information page lists what your organization can and can't see or do on the device. Click Begin.
On the Install management profile page, click Download profile.
This opens the Management Profile page; click Install.
A confirmation dialog opens; click Install again to install the Management Profile.
Once the Management Profile is installed, its status shows as Verified and it lists the rights the MDM authority has over the device. At the bottom it displays "This Mac is supervised and managed by MDM authority". Because you installed the profile interactively on the Mac, this is a user-approved MDM enrollment, which is what Intune needs to deliver every kind of payload to the device.
On the Checking device settings page you get a success message; click Done to exit.
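A quick device-side check of the result, as an added example that is not part of the original post: on macOS 10.13.4 and later, `profiles status -type enrollment` reports whether the Mac is MDM-enrolled and whether the enrollment was user approved. The script below classifies that output; the sample outputs used to exercise it are constructed, and the `check_this_mac` wrapper assumes it is run on the enrolled Mac where `profiles` exists.

```shell
#!/bin/sh
# Added example (not from the original post): classify the MDM enrollment state
# a Mac reports via `profiles status -type enrollment` (macOS 10.13.4 and later).
set -eu

# Read `profiles status -type enrollment` output on stdin and print one of:
#   dep                    enrolled through Automated Device Enrollment (DEP/ADE)
#   user-approved          enrolled and approved by the user in System Preferences
#   enrolled-not-approved  enrolled, but the profile was never user approved
#   not-enrolled           no MDM enrollment at all
classify_enrollment() {
    dep=no
    mdm=no
    approved=no
    while IFS= read -r line; do
        case "$line" in
            "Enrolled via DEP: Yes"*) dep=yes ;;
            "MDM enrollment: Yes"*)
                mdm=yes
                case "$line" in
                    *"User Approved"*) approved=yes ;;
                esac
                ;;
        esac
    done
    if [ "$mdm" = no ]; then
        echo not-enrolled
    elif [ "$dep" = yes ]; then
        echo dep
    elif [ "$approved" = yes ]; then
        echo user-approved
    else
        echo enrolled-not-approved
    fi
}

# Return 0 only for states in which the MDM can push every payload type
# (user-approved or ADE). A non-approved enrollment cannot manage kernel
# extension, PPPC and similar payloads, so the device can look enrolled in the
# portal while those policies never take effect on the Mac.
enrollment_is_usable() {
    case "$1" in
        dep|user-approved) return 0 ;;
        *) return 1 ;;
    esac
}

# Wrapper to run on the enrolled Mac itself (assumption: `profiles` is present,
# i.e. this is macOS).
check_this_mac() {
    state=$(profiles status -type enrollment | classify_enrollment)
    echo "enrollment: $state"
    if enrollment_is_usable "$state"; then
        echo "all MDM payload types can be enforced"
    else
        echo "open System Preferences > Profiles and approve the management profile"
    fi
}
```

Run `check_this_mac` from a Terminal on the Mac after the Management Profile step; a Company Portal enrollment where the user clicked Install in the profile dialog should come back as user-approved.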
Company Portal is now set up; launch it and you will see the MDM authority details at the top along with the Devices, Apps and Support tabs. The device details are visible:
Device Name: Manish’s MacBook Pro
Status: In compliance
Model: MacBook Pro
Operating system: macOS
Ownership type: Personal
Verify Enrollment status of macOS on Intune
Let's verify the enrollment status of the MacBook Pro. Sign in to the MEM portal and navigate to Home > Devices > macOS > macOS devices; the device appears as enrolled and managed by Intune.
The ownership of the device shows as Personal; this can be changed. Click the device name.
Click Properties; the Device ownership drop-down offers two options, Personal and Corporate.
The macOS device is now enrolled in Microsoft Intune and can be managed. The key part of the initial configuration is the Apple MDM Push Certificate. Remember to renew it before it expires: a push certificate is valid for one year, and if you let it lapse, or create a new certificate under a different Apple ID instead of renewing the existing one, every enrolled device must be re-enrolled against the new push certificate. The list of certificates is displayed in the Apple Push Certificates Portal under Certificates for Third-Party Servers.
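Since the whole enrollment hangs on that one certificate, here is an added example (not from the original post) of a check you can run against the downloaded .pem, by hand or from a scheduled job, to catch an approaching expiry. It uses the `openssl` command (LibreSSL on macOS); the certificate file name and the 30-day warning window are assumptions, and the sample certificate the script can generate is a constructed self-signed stand-in for the Apple-issued one, used only so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): warn before the Apple MDM push
# certificate (.pem) expires. Apple push certificates are valid for one year;
# letting one lapse forces every Mac to be re-enrolled.
set -eu

# Print the fields the MEM portal shows for the certificate: subject and expiry.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -enddate
}

# Return 0 if the certificate in $1 expires within the next $2 days (or has
# already expired), 1 if it is still valid beyond that window, 2 if the file
# cannot be read. `openssl x509 -checkend N` exits 0 when the certificate is
# still valid N seconds from now and 1 when it will have expired by then, so
# its result is inverted here.
expires_within_days() {
    cert="$1"
    days="$2"
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Constructed stand-in for the Apple-issued push certificate: a self-signed
# certificate with a chosen lifetime in days. The subject is made up.
make_sample_cert() {
    out="$1"
    days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=APSP:sample-push-topic/O=Microsoft Corporation" \
        -keyout "${out%.pem}.key" -out "$out" >/dev/null 2>&1
}

# Usage: ./push-cert-check.sh MDM_Certificate.pem [warn-days]
if [ $# -ge 1 ]; then
    warn="${2:-30}"
    cert_summary "$1"
    if expires_within_days "$1" "$warn"; then
        echo "RENEW NOW: push certificate expires within $warn days" >&2
        exit 2
    fi
    echo "push certificate OK (valid for more than $warn days)"
fi
```

Point it at the .pem you uploaded to Intune (or at a fresh export from the Apple Push Certificates Portal) and give the warning window a comfortable margin; the renewal itself must be done in the Apple portal with the same Apple ID and then re-uploaded in the MEM portal's Configure MDM Push Certificate blade.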