

How to enroll and manage Mac devices with Intune MDM

Organizations may turn to basic MDM platforms to help manage Mac devices in a Windows-focused environment. Often, these platforms provide just enough management.

Organizations might deploy macOS devices in a primarily Windows-oriented workplace, which can create desktop management challenges for IT.

Whether the macOS devices are a part of an organization's fleet of managed devices for a design department, C-level management or even BYOD users, IT administrators need to find a way to secure and manage these desktops. Some mobile device management (MDM) platforms, despite their name, offer basic desktop management controls that can help out in these situations.

Why organizations use MDM to manage macOS desktops

To facilitate users working from their preferred devices, IT must ensure those devices are secure and compliant with the organization's policies for accessing corporate data and resources. Apple devices come with strong built-in MDM capabilities, which IT can use to manage Macs and to configure the key settings that keep data and resources secure.

An MDM profile can impose device restrictions and require built-in macOS protections, such as FileVault, the application firewall and Gatekeeper, to be turned on. Many MDM platforms provide configuration options for exactly those capabilities.

IT can configure these capabilities using an MDM platform on its own or paired with Apple Business Manager (ABM). The MDM-ABM pairing takes Apple device management to the next level by creating supervised devices. Supervision lets organizations configure additional restrictions and device features, including settings that govern app installation and software updates.

Macs become supervised automatically when IT uses Automated Device Enrollment (ADE), the ABM functionality for enrolling devices into MDM.

On top of the MDM capabilities, many MDM platforms deliver an additional configuration layer for advanced management. For example, Microsoft Intune, which includes MDM capabilities as part of the Microsoft Endpoint Manager platform, adds the Microsoft Intune management agent for macOS. The agent installs automatically the first time IT assigns a shell script to an enrolled Mac, and from then on it runs the scripts assigned to that device, by default as root. That scripting layer lets IT configure almost any device control the MDM profile payloads don't cover. The trade-off is that anyone who can author scripts in Intune effectively has root on every managed Mac, so that permission deserves the same scrutiny as local administrator rights.
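As an added example (not code from the article, from Microsoft or from Intune itself), the following script shows the kind of custom shell script the Intune agent can run: it audits the three built-in protections named above (FileVault, Gatekeeper and the application firewall) and reports a failure to Intune through a non-zero exit code. The output line formats quoted in the comments, and the assumption that the script runs as root, are mine; the parsing is kept separate from the commands so the logic can be exercised with constructed sample output on a non-Mac host.

```shell
#!/bin/sh
# Added example (not the article's or Microsoft's code): an Intune-style custom
# shell script that audits FileVault, Gatekeeper and the application firewall on
# a managed Mac and exits non-zero if any of them is off. Intune records the exit
# code and stdout of a custom script, so a non-zero exit shows up as a failed run.
# The output shapes quoted below are assumptions based on macOS 12/13.

# Each parser reads one tool's output on stdin and prints "on" or "off".

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
parse_filevault() {
    if grep -q 'FileVault is On'; then echo on; else echo off; fi
}

# `spctl --status` prints "assessments enabled" or "assessments disabled"
parse_gatekeeper() {
    if grep -q 'assessments enabled'; then echo on; else echo off; fi
}

# `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate` prints
# "Firewall is enabled. (State = 1)" or "Firewall is disabled. (State = 0)"
parse_firewall() {
    if grep -q 'Firewall is enabled'; then echo on; else echo off; fi
}

# evaluate_baseline FILEVAULT_OUTPUT GATEKEEPER_OUTPUT FIREWALL_OUTPUT
# Prints the names of the controls that are off (space separated, empty when
# everything is on) and returns 0 only when all three are on.
evaluate_baseline() {
    failed=""
    [ "$(printf '%s\n' "$1" | parse_filevault)" = on ]  || failed="$failed FileVault"
    [ "$(printf '%s\n' "$2" | parse_gatekeeper)" = on ] || failed="$failed Gatekeeper"
    [ "$(printf '%s\n' "$3" | parse_firewall)" = on ]   || failed="$failed Firewall"
    failed="${failed# }"
    printf '%s\n' "$failed"
    [ -z "$failed" ]
}

# Runs the real commands. Intune executes custom scripts as root unless
# "Run script as signed-in user" is enabled; socketfilterfw needs root for
# reliable output, which is assumed here.
run_audit() {
    if failed=$(evaluate_baseline "$(fdesetup status)" \
                                  "$(spctl --status 2>&1)" \
                                  "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)"); then
        echo "macOS security baseline: OK"
    else
        echo "macOS security baseline: FAILED ($failed off)"
        return 1
    fi
}

if [ "$(uname -s)" = Darwin ]; then
    run_audit
    exit $?
else
    # Not macOS: exercise the logic with constructed sample output instead.
    evaluate_baseline 'FileVault is Off.' 'assessments enabled' \
        'Firewall is enabled. (State = 1)' || echo "(sample run: the control above is off)"
fi
```

Assign the script to the Macs in Intune as a shell script and read the per-device script status: a device that reports failure has at least one of the three controls disabled, and the stdout captured by Intune names which one. Because the script only reports, the remediation (re-enabling FileVault, for instance) should still come from the MDM profile payloads, which enforce the setting rather than check it after the fact.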

What enrollment options are available for macOS devices?

IT administrators need to enroll macOS devices in an MDM platform to manage them properly. There are numerous methods IT could use to enroll macOS devices, often related to device ownership.

The following are the most common options for MDM enrollment:

  • MDM-specific app. MDM vendors provide a dedicated app for enrolling and setting up devices so that they comply with company policies. In Microsoft Intune, that app is the Company Portal app: the user downloads it and follows the on-screen steps to enroll the Mac. After enrollment, Intune marks the device as personal. In this scenario, IT administrators don't have all the remote management capabilities that come with other enrollment options, and some personal information is hidden from the Intune administrator to preserve the user's privacy.
  • Automated Device Enrollment (ADE). The most common method for enrolling corporate-owned devices is ADE, which applies to devices registered in ABM. Intune integrates with ABM through an enrollment program token, so a registered device assigned to that token enrolls without any manual download: once the device boots up, the user follows the Setup Assistant out-of-box experience to configure and enroll the Mac. After enrollment, these devices are registered as corporate devices. They are automatically supervised, and IT administrators have all the macOS management capabilities available via the MDM platform.
  • MDM-specific options. Different MDM platforms provide specific enrollment options for bulk enrollment or kiosk devices. Sticking with the Microsoft Intune example, there is a direct enrollment option via Apple Configurator for Macs that don't need a specific user affinity, and a Device Enrollment Manager (DEM) account can enroll up to 1,000 devices with a single account. Other MDM vendors offer similar enrollment options exclusive to their platforms, in some cases with multiple variations of those custom options.

Note: IT admins can register Mac devices in ABM via the reseller of the device. Alternatively, starting with iOS 15, it's possible to use Apple Configurator for iPhone to add Macs to ABM; the Mac must be running macOS 12 or later.

How to enroll Mac devices in MDM

While it isn't the best option in every case, the enrollment method IT is most likely to need for Macs outside ABM is enrollment via the MDM vendor's companion app. That method is tailored to BYOD, but Mac administrators can also use it for corporate-owned devices when ABM isn't available. In either case, Intune registers the device as personal by default; desktop admins can change the ownership type manually if needed. IT can enroll a Mac through the Company Portal app with the following steps:

1. Open a browser, navigate to Microsoft's site and download the Company Portal installer (a .pkg file) from the Install Company Portal app section.

2. After it's downloaded, open the installer and follow the prompts to ensure proper installation.

3. Once the installation is successful, open the Company Portal app and sign in with a work or school account.

4. Once signed in with the Company Portal app open, click Begin to start the enrollment process.

5. On the Review privacy information page, verify the information that the organization can see and click Continue (Figure 1).

Figure 1. The privacy information that the IT department can and can't see on the managed Mac, displayed in the Company Portal app.

6. On the Install management profile page, perform the following actions:

  • Click on Download profile to download the management profile (Figure 2).
  • On the Manage Profile settings page, click Install to install the management profile.
  • On the verification dialog box, click Install to install the management profile.
  • On the credentials dialog box, provide the Mac's local administrator credentials to install the profile and start the enrollment.
Figure 2. The management profile within the Company Portal app that IT can download for Mac management.

7. On the Check device settings page, verify the enrollment and compliance status of the device and click Done.

Once enrollment of the Mac is complete, IT can open System Preferences > Profiles > Management Profile (System Settings > Privacy & Security > Profiles on macOS Ventura and later) to verify the level of control that IT administrators have over the device.
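The same verification can be scripted, which is useful when checking a batch of Macs rather than one. As an added example that is not part of the article, the following script reads the enrollment state from `profiles status -type enrollment` and classifies it, distinguishing an ADE enrollment (supervised) from a user-approved profile enrollment such as the Company Portal flow above and from an unapproved one. The two output lines it expects are an assumption about the tool's format on macOS 10.13.4 and later, and running it with `sudo` is assumed so that the ADE line is reported.

```shell
#!/bin/sh
# Added example (not the article's code): classify a Mac's MDM enrollment state
# from `profiles status -type enrollment`, which is assumed to print two lines:
#   Enrolled via DEP: Yes|No
#   MDM enrollment: Yes (User Approved) | Yes | No
# Run as root (sudo) so that the DEP line is reported; that is an assumption.

# Reads the command output on stdin and prints one of:
#   ade            enrolled through Automated Device Enrollment (supervised)
#   user-approved  profile enrollment the user approved, as in the Company Portal flow
#   unapproved     MDM profile present but not user-approved (limited management)
#   none           not enrolled in any MDM
classify_enrollment() {
    out=$(cat)
    case "$out" in
        *"Enrolled via DEP: Yes"*)               echo ade ;;
        *"MDM enrollment: Yes (User Approved)"*) echo user-approved ;;
        *"MDM enrollment: Yes"*)                 echo unapproved ;;
        *)                                       echo none ;;
    esac
}

# Returns 0 when the state gives the MDM its full set of controls (ADE or
# user-approved), 1 for an unapproved or missing enrollment. An unapproved
# enrollment still shows a management profile but macOS withholds the
# user-approval-gated payloads from it, so it should be treated as a finding.
enrollment_is_full() {
    case "$1" in
        ade|user-approved) return 0 ;;
        *)                 return 1 ;;
    esac
}

if [ "$(uname -s)" = Darwin ]; then
    state=$(profiles status -type enrollment 2>/dev/null | classify_enrollment)
    echo "Enrollment state: $state"
    if enrollment_is_full "$state"; then exit 0; else exit 1; fi
else
    # Not macOS: classify a constructed sample instead of live output.
    printf 'Enrolled via DEP: No\nMDM enrollment: Yes (User Approved)\n' | classify_enrollment
fi
```

A Mac enrolled through the Company Portal steps above should report user-approved; a Mac that came in through ADE reports ade. A result of unapproved usually means the management profile was installed without the user clicking through the approval prompt, and the fix is to have the user approve it in the Profiles pane rather than to re-enroll.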
