Set up enrollment for macOS devices in Intune
Intune lets you manage macOS devices to give users access to company email and apps.
As an Intune admin, you can set up enrollment for company-owned macOS devices and personally owned macOS devices ("bring your own device" or BYOD).
Complete the following prerequisites before setting up macOS device enrollment:
- Make sure your device is eligible for Apple device enrollment.
- Configure domains
- Set the MDM Authority
- Create groups
- Configure the Company Portal
- Assign user licenses in the Microsoft 365 admin center
- Get an Apple MDM push certificate
User-owned macOS devices (BYOD)
You can let users enroll their own personal devices into Intune management. This is known as “bring your own device” or BYOD. After you’ve completed the prerequisites and assigned user licenses, your users can enroll their devices by:
- going to the Company Portal website or
- downloading the Mac Company Portal app at aka.ms/EnrollMyMac.
You can also send your users a link to online enrollment steps: Enroll your macOS device in Intune.
For information about other end-user tasks, see these articles:
Company-owned macOS devices
For organizations that purchase devices for their users, Intune supports the following macOS company-owned device enrollment methods:
- Apple's Device Enrollment Program (DEP): Organizations can purchase macOS devices through Apple's Device Enrollment Program (DEP). DEP lets you deploy an enrollment profile “over the air” to bring devices into management.
- Device enrollment manager (DEM): You can use a DEM account to enroll up to 1,000 devices.
Block macOS enrollment
By default, Intune lets macOS devices enroll. To block macOS devices from enrollment, see Set device type restrictions.
Enroll virtual macOS machines for testing
macOS virtual machines are only supported for testing. You should not use macOS virtual machines as production devices for your end users.
You can enroll macOS virtual machines for testing using either Parallels Desktop or VMware Fusion.
For Parallels Desktop, you need to set the hardware type and the serial number for the virtual machines so that Intune can recognize them. Follow Parallels' instructions for setting hardware type and serial number to set up the necessary settings for testing. We recommend that you match the hardware type of the device running the virtual machines to the hardware type of the virtual machines that you're creating. You can find this hardware type in Apple menu > About this Mac > System Report > Model Identifier.
For VMware Fusion, you need to edit the .vmx file to set the virtual machine's hardware model and serial number. We recommend that you match the hardware type of the device running the virtual machines to the hardware type of the virtual machines that you're creating. You can find this hardware type in Apple menu > About this Mac > System Report > Model Identifier.
User Approved enrollment
User Approved MDM enrollment is a type of macOS enrollment that you can use to manage certain security-sensitive settings. For more information, see Apple's support documentation.
Starting in November 2019, all new user-owned macOS enrollments will be User Approved because the user must manually install the management profile in order to successfully enroll. During the enrollment process, the user will install the Apple management profile in System Preferences > Profiles. Instructions to install the management profile are available in the macOS Company Portal app.
Devices enrolled prior to November 2019 might not be User Approved if the user didn't manually approve the management profile. However, users can go back and approve the management profile by going to System Preferences > Profiles > choose the Management Profile > Approve.
Find out if a device is User Approved
- Sign in to the Microsoft Endpoint Manager Admin Center.
- Choose Devices > All devices> choose the device > Hardware.
- Check the User approved enrollment field.
After macOS devices are enrolled, you can create custom settings for macOS devices.