In the current flow of enrolling macOS devices associated with ABM in Intune:
1. Log in with Azure AD creds.
2. Create a local macOS account.
3. Log in to the macOS device using the local account created in step 2.
4. Log in to Company Portal using Azure AD creds.
The concern the customer has is that the local account we create in step 2 gets admin rights. Their regulatory requirements do not allow them to provide admin rights to end users.
Does using a federated managed Apple ID eliminate step 2 (creating the local account)?
Use this blog as reference:
https://hmaslowski.com/home/f/corporate-macos-automated-device-enrollment-ade-to-memintune
Scroll down to the "User Experience" section: on the Remote Management page we are asked to enter "Azure AD creds", and on the next page we are asked to "Create Computer Account".
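Whatever the enrollment flow ends up being, the compliance question is whether any end-user account is left in the local admin group after enrollment. As an added example (not from the post or the linked blog), the function below audits the output of `dscl . -read /Groups/admin GroupMembership` against an assumed allowlist of approved admin accounts; the sample line and account names are constructed.

```shell
# Added example, not from the original post: audit which local macOS accounts
# hold admin rights after enrollment. On a Mac, feed it the output of
# `dscl . -read /Groups/admin GroupMembership`; the sample line below is
# constructed so the check can be exercised anywhere.
SAMPLE_ADMIN_LINE="GroupMembership: root itadmin jsmith"

# Approved admin accounts (assumed names; adjust to your own standard).
APPROVED_ADMINS="root itadmin"

# Print the members of the admin group that are not on the approved list,
# one per line. Returns 0 when none are found, 1 otherwise.
unapproved_admins() {
    line="$1"
    # Strip the "GroupMembership: " prefix, leaving space-separated names.
    members="${line#GroupMembership: }"
    found=0
    for m in $members; do
        ok=0
        for a in $APPROVED_ADMINS; do
            [ "$m" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "$m"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Live use on a Mac (uncomment):
# unapproved_admins "$(dscl . -read /Groups/admin GroupMembership)"
```

Run it from an Intune shell script or a periodic job so a user account that kept admin rights after Setup Assistant is flagged rather than discovered at audit time.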