PaD-7009 asked JarvisSun-MSFT commented

Intune MacOS auto enrollment using Apple Biz Manager (ABM)

In the current flow of enrolling a macOS device associated with ABM in Intune,

  1. Log in with Azure AD creds.

  2. Create a local macOS account.

  3. Log in to the macOS device using the local account created in step 2.

  4. Log in to Company Portal using Azure AD creds.

The concern the customer has is that the local account we create in step 2 gets admin rights. Their regulatory requirements require them not to provide admin rights to end users.

Does using a federated managed Apple ID eliminate step 2, creating the local account?

Use this blog as reference:
https://hmaslowski.com/home/f/corporate-macos-automated-device-enrollment-ade-to-memintune

Scroll down to the "User Experience" section: on the Remote Management page we are asked to enter "Azure AD creds", and on the next page we are asked to "Create Computer Account".

Tags: mem-intune-general, mem-intune-enrollment
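The account created in Setup Assistant (step 2 above) ends up in the local "admin" group. Whatever the enrollment flow allows, the customer will want to verify after enrollment which local accounts actually hold admin rights. The script below is an added example, not code from the thread or from the blog it links; it parses the output of `dscl . -read /Groups/admin GroupMembership`, assumed to be a single line of the form `GroupMembership: root user1 user2`, and falls back to a constructed sample so it also runs on a non-Mac host:

```shell
#!/bin/sh
# Added example, not from the original thread: audit which local macOS
# accounts are members of the local "admin" group, so the admin rights
# given to the Setup Assistant account can be checked after enrollment.
# Assumes dscl prints "GroupMembership: root user1 user2 ..." for the
# admin group; the sample below is constructed, not captured from a device.

# Constructed sample of the dscl output on a Mac where Setup Assistant
# created an account named "setupuser".
SAMPLE_ADMIN_GROUP="GroupMembership: root setupuser"

# Read dscl output on stdin; print the admin group members one per line.
admin_members() {
  sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# Read dscl output on stdin; print admins other than root (the accounts an
# auditor will ask about). Exits 1 when there are none, like grep.
nonroot_admins() {
  admin_members | grep -vx root
}

# is_admin USER DSCL_TEXT: exit 0 if USER is listed in the admin group.
is_admin() {
  printf '%s\n' "$2" | admin_members | grep -qx -- "$1"
}

# On a Mac, query Directory Services; elsewhere fall back to the sample.
current_admin_group() {
  if command -v dscl >/dev/null 2>&1; then
    dscl . -read /Groups/admin GroupMembership
  else
    printf '%s\n' "$SAMPLE_ADMIN_GROUP"
  fi
}

# Usage: sh audit_admins.sh   -> prints the non-root local admins, one per line.
current_admin_group | nonroot_admins || true
```

Run it on the enrolled Mac as part of a post-enrollment check; any name it prints other than the expected management account is an end user holding admin rights, which is exactly the condition the regulatory requirement in the question forbids.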

1 Answer

JarvisSun-MSFT answered JarvisSun-MSFT commented

@PaD-7009 Thanks for posting in our Q&A.
As far as I know, the way you have mentioned seems to be infeasible. The step of creating the local account is not controlled by the enrollment profile. macOS requires a local account by default; this behavior is Apple's design.
Thanks for understanding.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Apple's doc says that the user will be able to log in to their device using Azure AD creds.

reference:
https://support.apple.com/guide/apple-business-manager/intro-to-federated-authentication-apdb19317543/web
"They can then use their Azure AD credentials to sign in to their assigned iPad or Mac"



@PaD-7009 Thanks for the reply. The official article you provided covers step 4, using Azure AD credentials to sign in; of course this is no problem. We are concerned with how to skip step 2, creating the local account. As far as I know it is not controlled by Intune, so it can't be achieved so far.
Given this situation, it is better to create an online support ticket to double-confirm this issue more effectively. It is free. Here is the online support link; I hope it is helpful.
https://docs.microsoft.com/en-us/mem/intune/fundamentals/get-support
