Ensure each targeted user is assigned one of the following supported licenses before beginning:
Microsoft Intune Plan 1
Microsoft 365 E3 / E5
Microsoft Business Premium
Enterprise Mobility + Security (EMS) E3 / E5
Corporate-owned hardware must be registered within ABM to utilize automated, zero-touch deployment.
Core Requirements:
An active Apple Business Manager account.
Hardware purchased directly from Apple or a participating authorized reseller.
Devices must be actively assigned to your Intune MDM server within the ABM portal.
Migration Tip: When migrating a large fleet (e.g., batches of 500 to 1,000 devices) from a legacy MDM like AirWatch, double-check that the specific device batches are explicitly unassigned from the old legacy server and mapped to the new Intune server token in ABM to prevent deployment conflicts.
This certificate is mandatory; it establishes the secure communication tunnel between Apple devices and Microsoft Intune.
Navigate in Intune: Tenant administration β Connectors and tokens β Apple MDM Push certificate
Execution Flow:
Download the Certificate Signing Request (CSR) from the Intune portal.
Sign in to the Apple Push Certificates Portal using a corporate Apple ID.
Upload the downloaded CSR to Apple.
Download the generated APNs certificate from Apple.
Upload the APNs certificate back into the Intune portal.
β οΈ Critical Maintenance Note: This certificate must be renewed annually using the exact same Apple ID. Failure to renew with the same ID will instantly break management communication for all currently enrolled Apple devices.
Step 4: Connect ABM to Intune (Enrollment Program Token) This step establishes the trust relationship allowing Intune to sync your Apple hardware inventory.
Navigate in Intune: Tenant administration β Connectors and tokens β Apple enrollment β Enrollment program tokens
Execution Flow:
In Intune: Click Add and download the Intune public key.
In Apple Business Manager: * Navigate to Settings β Device Management Settings β MDM Servers β Add MDM Server.
Upload the Intune public key.
Download the newly generated server token (.p7m).
In Intune: Upload the .p7m token to complete the integration.
Navigate in Intune:
Devices β macOS β macOS enrollment β Enrollment Program Tokens
Execution Flow:
Select your configured server token.
Click Profiles β Create Profile.
Name your profile (e.g., Corporate-MacBook-Profile).
Apply the following recommended configuration options to dictate the device's management behavior during its initial setup:
Setting Recommended Value
User Affinity Yes (for user-dedicated devices)
Authentication Method Setup Assistant with modern authentication
Locked Enrollment Yes
Supervised Yes
Shared iPad No
Await Final Configuration Yes
Department Name IT Department
Support Phone Helpdesk Number
To provide a streamlined, zero-touch experience for the end-user, configure the profile to hide/skip the following native macOS Setup Assistant screens:
Apple ID
Siri
Screen Time
Analytics
Appearance
Touch ID (Optional)
Privacy
iCloud Diagnostics
Apple Pay
FileVault (Skip if managing encryption separately via Intune Endpoint Security)
Action:
Assign the newly created deployment profile to the hardware synced from Apple Business Manager. For a controlled migration rollout, apply this profile to your synchronized device batches (typically 500 to 1,000 devices at a time) rather than the entire fleet at once.
Verification:
Monitor the assignment within the Intune portal and ensure the Profile Status updates to Assigned for all targeted hardware.
Admin Action: Enable Enrollment
Navigate: Devices β macOS β macOS enrollment
Action: Ensure Personally owned devices are set to Allow in your enrollment restrictions.
End-User Action: Enrollment Steps
Install: Download and install the Company Portal app from the Mac App Store (or via an IT-provided installer).
Authenticate: Open the app and sign in using your corporate Microsoft Entra credentials.
Download: Follow the prompts to download the management profile.
Install & Approve:
Open native macOS System Setting β Privacy & Security β Profiles.
Double-click the downloaded management profile to install it.
Click Approve to grant device management permissions. (The Mac is now enrolled in Intune).
Navigate: Devices β macOS β Configuration profiles β Create profile
1. Recommended Device Restrictions
Deploy a restriction profile to secure the endpoint. Consider disabling or managing:
AirDrop & AirPrint
iCloud Backup
Screen Sharing
External Storage (USB drives)
Camera & Bluetooth (depending on privacy requirements)
Game Center
2. Corporate Password Policy
Apply a strict password configuration to enforce local security:
Setting Recommended Value
Minimum Length 8β12 characters
Complexity Required (Alphanumeric/Symbols)
Password Expiration 90 days
Maximum Inactivity Lock 15 minutes
Password History 5 (Cannot reuse last 5 passwords)
Navigate: Devices β Compliance Policies β Create Policy (Platform: macOS)
Recommended Health Checks:
Configure Intune to verify the following states before granting access to corporate data:
Minimum macOS version (e.g., macOS 13.0+)
System Firewall is Enabled
FileVault Encryption is Enabled
System Password is Required
Device is Not Jailbroken/Rooted
Microsoft Defender risk level is Clear/Low (if integrated)
Navigate: Apps β macOS β Add
Supported App Types:
Microsoft 365 Suite (Edge, Outlook, Teams, OneDrive, Office)
Microsoft Defender for Endpoint
Line-of-Business (LOB) .pkg installers
Shell Script deployments
Assignment Intents:
Assign applications to your macOS dynamic groups using one of three intents:
Required: Installs silently in the background.
Available: Appears in the Company Portal for users to install voluntarily.
Uninstall: Silently removes the application from the endpoint.
FileVault (Disk Encryption)
Navigate: Endpoint Security β Disk Encryption β Create Policy
Enable FileVault for full disk encryption.
Store recovery key in Intune (Crucial for IT admin access if the user forgets their password).
Require FileVault after sign-in.
Microsoft Defender for Endpoint
Navigate: Endpoint Security β Antivirus
Deploy the Defender agent alongside Security Baselines.
Configure: Real-time protection, Cloud-delivered protection, and Automatic updates.
Wi-Fi Profiles
Navigate: Devices β Configuration Profiles β Wi-Fi
Configure the corporate SSID, set authentication to WPA2/WPA3 Enterprise, and attach your PKCS/SCEP certificate profiles for seamless authentication.
VPN Profiles
Navigate: Devices β Configuration Profiles β VPN
Define your server address and authentication methods for supported clients (Microsoft Tunnel, Cisco AnyConnect, GlobalProtect, IKEv2).
Enable Always-on VPN for strict traffic tunneling.
Force Device Sync
Admin: Navigate to Devices β macOS β Select Device β Click Sync.
End-User: Open the Company Portal app on the Mac and click Sync.
Verify Successful Enrollment
Navigate to the device overview in Intune and confirm:
Device appears in the inventory.
Ownership is accurately flagged (Corporate vs. Personal).
Compliance state = Compliant.
Configuration profiles = Succeeded.
Required Apps = Installed.
Symptom: Device Not Appearing in Intune
Check if the APNs certificate has expired.
Verify the Apple Business Manager token status is active.
Ensure the user has a valid Intune/M365 license assigned.
Check if Enrollment restrictions are blocking the device platform.
Symptom: Automated Device Enrollment (ADE) Not Starting
Verify the hardware is assigned to the correct MDM server inside the Apple Business Manager portal.
Ensure the Intune ADE sync has completed and the Enrollment Profile is assigned.
Crucial: If the Mac was previously set up, it must be erased/factory reset before ADE will trigger the zero-touch setup assistant.
Symptom: Company Portal (BYOD) Enrollment Fails
Verify the user's Intune license.
Ensure the Company Portal app is updated to the latest version.
Confirm the user actually clicked Approve in the native macOS Privacy & Security settings (the profile will fail if not approved within 8 minutes).
Symptom: Device Marked as "Non-Compliant"
Review the specific compliance report in Intune. Common culprits include:
FileVault encryption is still processing.
The OS needs a minor version update.
The user's local password does not meet the complexity requirements.
This framework outlines the recommended architectural and security standards for deploying and managing macOS devices within a Microsoft Intune enterprise environment.
π’ Corporate-Owned Hardware
Standard: Strictly utilize Apple Business Manager (ABM) integrated with Automated Device Enrollment (ADE).
Objective: Guarantees zero-touch provisioning, out-of-the-box management, and hardware-tied MDM authority.
π± Personally Owned Devices (BYOD)
Standard: Utilize Company Portal enrollment exclusively.
Objective: Maintains a clear boundary between personal privacy and corporate data security without requiring a full device takeover.
π« Locked Enrollment
Action: Enable Locked Enrollment on all corporate ADE deployment profiles.
Objective: Prevents end-users from maliciously or accidentally deleting the MDM management profile from System Settings.
π Modern Authentication
Action: Configure the macOS Setup Assistant to use Modern Authentication.
Objective: Delivers a streamlined, branded onboarding experience and ensures Microsoft Entra ID sign-in and MFA challenges occur natively during the initial setup phase.
π FileVault Encryption Protocol
Action: Ensure FileVault recovery keys are configured to escrow directly to Intune before enforcing encryption policies.
Objective: Prevents catastrophic data lockouts by guaranteeing IT has the recovery key securely stored in the cloud before the disk encrypts.
π Zero Trust Architecture
Action: Deploy Microsoft Defender for Endpoint, Intune Compliance Policies, and Entra Conditional Access as a unified stack.
Objective: Enforces the Zero Trust modelβensuring only healthy, compliant, and threat-free devices can access corporate SaaS applications and network resources.
π Phased Rollouts (Piloting)
Action: Always pilot new enrollment profiles, configuration payloads, and major macOS version updates.
Objective: Validate stability, app compatibility, and the end-user experience on a small, controlled group of IT or champion devices before executing a broad deployment to the production environment.