Enrolling Apple Devices in Microsoft 365
In this course, we review the enrollment options available and processes to follow for enrolling Apple devices such as iPhones, iPads, and Macs in Microsoft 365. We look at some prerequisites and the options available for enrolling each type of device. We also work through a few hands-on demonstrations.
Understand the enrollment options and procedures for enrolling different Apple devices in Microsoft 365.
- Anyone who wants to earn a Microsoft 365 certification
- Anyone who needs to enroll devices in Intune, the mobile device management (MDM) service within Microsoft 365
You will require a basic understanding of Mobile Device Management in Microsoft 365.
Welcome to macOS Enrollment Options. Over the next few minutes, we're going to take a look at the different enrollment options that are available for macOS devices. We'll look at BYOD Device Enrollment for macOS devices, and at Automated Device Enrollment.
BYOD Device Enrollment is used for personal macOS devices. It's not recommended for corporate-owned devices. If you need to enroll corporate-owned devices, you should use Automated Device Enrollment, which we'll talk about in a minute.
Now, I do want to say up front that macOS BYOD Device Enrollment is a full MDM enrollment: the Mac ends up with a management profile installed, and Intune can push device configuration and compliance policies to it. Don't confuse it with app-protection-only management, where apps are managed through app configuration and app protection policies without the device itself being enrolled; Intune's app protection policies target iOS/iPadOS and Android, not macOS. That's something to keep in mind.
You can use BYOD Device Enrollment to enroll a small number of devices, and you can also use it to enroll a large number of devices via bulk enrollment. The BYOD Device Enrollment method works with new and existing devices that are associated with a single user.
Before attempting to use BYOD Device Enrollment, you need to ensure that your macOS devices are supported, and you need to ensure that you've acquired an Apple MDM push certificate, added it to Endpoint Manager, and confirmed that it is active. This all needs to be done because the MDM push certificate is required to enroll macOS devices. One caveat worth knowing: the push certificate is valid for one year and must be renewed with the same Apple ID that created it; renewing with a different Apple ID breaks the connection to every device that is already enrolled.
Since the Company Portal app for macOS is not available in the Mac App Store, users of these devices have to download and run the Company Portal installer package from Microsoft in order to enroll their devices. The process is simple. After installing the Company Portal app, macOS users sign in with their organization accounts and then step through the enrollment process. As part of that process, they have to approve the management profile that macOS prompts them to install. Once the user approves the profile, the macOS device is registered in the organization's Azure AD, which in turn makes it available to Intune to receive your organization's policies and profiles.
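As an added example, not part of the course or of Microsoft's tooling, the following Python script checks on the Mac itself what the Company Portal flow above should leave behind. macOS reports its enrollment state through `profiles status -type enrollment` (some versions need root for full detail); the script parses that output and says whether the Mac is MDM-enrolled, whether the user approved the management profile, and whether the enrollment came through Automated Device Enrollment (reported by macOS as "Enrolled via DEP"), which the page covers next. The sample command output embedded below is constructed, and the MDM server URL in it is illustrative.

```python
"""Parse `profiles status -type enrollment` and judge a Mac's enrollment state.
Added example; not Microsoft's or Apple's code. The sample outputs below are
constructed to look like the real command's output."""
import subprocess

# Constructed sample: an ADE-enrolled Mac whose user approved the profile.
SAMPLE_ENROLLED = """\
Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.contoso.example/DeviceGatewayProxy/cloudDevicesInTune
"""

# Constructed sample: a Mac that has never been enrolled.
SAMPLE_NOT_ENROLLED = """\
Enrolled via DEP: No
MDM enrollment: No
"""


def parse_enrollment_status(text: str) -> dict:
    """Turn the 'Key: value' lines of the command output into a small dict.
    partition() splits on the first colon only, so URLs keep their scheme."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    mdm = fields.get("MDM enrollment", "No")
    return {
        "enrolled": mdm.startswith("Yes"),
        # "(User Approved)" is what macOS appends once the user has approved the
        # management profile; without it, several payload types are refused.
        "user_approved": "User Approved" in mdm,
        "ade": fields.get("Enrolled via DEP", "No").startswith("Yes"),
        "mdm_server": fields.get("MDM server"),  # None on older macOS / not enrolled
    }


def read_live_status() -> dict:
    """Run the real command on this Mac (not exercised offline)."""
    out = subprocess.run(
        ["profiles", "status", "-type", "enrollment"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_enrollment_status(out)


def verdict(status: dict) -> str:
    """Map the parsed state to the action an admin would take next."""
    if not status["enrolled"]:
        return "not enrolled: install Company Portal and enroll, or check the ADE assignment"
    if not status["user_approved"]:
        return "enrolled but not user-approved: have the user approve the management profile"
    return "enrolled via ADE" if status["ade"] else "enrolled (BYOD / Company Portal)"


if __name__ == "__main__":
    try:
        print(verdict(read_live_status()))
    except (FileNotFoundError, subprocess.CalledProcessError):
        # Not on a Mac (or `profiles` failed): show the parser on the samples instead.
        for sample in (SAMPLE_ENROLLED, SAMPLE_NOT_ENROLLED):
            print(verdict(parse_enrollment_status(sample)))
```

The user-approved distinction matters in practice: an enrollment the user has not approved in System Preferences/System Settings is still an enrollment, but macOS refuses to honour certain payloads (for example kernel extension and privacy-preferences policy controls) delivered over it, so "enrolled" alone is not the state you want to see.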
Automated Device Enrollment, or ADE, is the other enrollment option available for macOS devices. This method was previously known as the Apple Device Enrollment Program, or DEP. You can use ADE to set up automated Intune enrollment for macOS devices that have been purchased through Apple Business Manager or through Apple School Manager, because ADE is driven through those services.
After you purchase the macOS devices from Apple or an authorized reseller, they can be shipped directly to your users or to your organization, and the enrollment settings you pre-configured are applied when the device is first set up. You then create an enrollment profile in the Endpoint Manager admin center and push that profile to the devices.
Before attempting to use ADE to enroll macOS devices, you need to ensure that your devices are supported and that you have access to either the Apple Business Manager portal or the Apple School Manager portal, depending on your environment. You also need to ensure that you have an Apple ADE token and that it is active.
You should also make sure that you've added your Apple MDM push certificate to Endpoint Manager, and that it's active. As was the case with BYOD Device Enrollment, the MDM push certificate is required for enrolling macOS devices using ADE as well. Before creating your enrollment profile, you'll need to decide how you want your users to authenticate on their devices. You can use Setup Assistant (legacy), or you can use Setup Assistant with modern authentication.
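The two prerequisites that both enrollment methods share, an active Apple MDM push certificate and (for ADE) an active ADE token, are the things that silently expire and take enrollment down with them. As an added example, not part of the course or of Microsoft's tooling, the following Python script reads both from Microsoft Graph and flags anything expired or expiring soon. The two Graph resources it reads (`deviceManagement/applePushNotificationCertificate` under v1.0 and `deviceManagement/depOnboardingSettings` under beta) are real; the sample JSON, the tenant and token names, and the 30-day warning window are constructed assumptions.

```python
"""Check that the Apple MDM push certificate and ADE (DEP) tokens in Intune are
present and not expired. Added example; the sample Graph responses below are
constructed, not captured from a tenant."""
import json
import os
import sys
import urllib.request
from datetime import datetime, timedelta, timezone

# Graph resources holding the two prerequisites. Reading them needs an access
# token with DeviceManagementServiceConfig.Read.All.
PUSH_CERT_URL = "https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate"
DEP_TOKENS_URL = "https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings"

WARN_WINDOW = timedelta(days=30)  # assumption: warn this far ahead of expiry

# Constructed sample responses (field names follow the Graph schema).
SAMPLE_PUSH_CERT = {
    "appleIdentifier": "mdm-admin@contoso.example",
    "expirationDateTime": "2025-03-01T00:00:00Z",
}
SAMPLE_DEP_TOKENS = {"value": [
    {"tokenName": "Contoso ABM", "tokenExpirationDateTime": "2024-07-15T12:00:00Z"},
    {"tokenName": "Contoso ASM", "tokenExpirationDateTime": "2024-06-01T00:00:00Z"},
]}
SAMPLE_NOW = datetime(2024, 6, 20, tzinfo=timezone.utc)


def fetch_graph(url: str, access_token: str) -> dict:
    """GET a Graph resource as a dict (not exercised offline)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _parse_time(value: str) -> datetime:
    # Graph timestamps are UTC; drop fractional seconds and the trailing 'Z'.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def assess(push_cert, dep_tokens, now=None):
    """Return (ok, findings): ok is False if anything is missing or expired."""
    now = now or datetime.now(timezone.utc)
    findings, ok = [], True

    def judge(label: str, expires_at: datetime) -> None:
        nonlocal ok
        remaining = expires_at - now
        if remaining <= timedelta(0):
            ok = False
            findings.append(f"{label}: EXPIRED {expires_at:%Y-%m-%d}")
        elif remaining <= WARN_WINDOW:
            findings.append(f"{label}: expires in {remaining.days} days, renew now")
        else:
            findings.append(f"{label}: valid, {remaining.days} days left")

    if not push_cert or not push_cert.get("expirationDateTime"):
        ok = False
        findings.append("MDM push certificate: not configured")
    else:
        judge(f"MDM push certificate ({push_cert.get('appleIdentifier')})",
              _parse_time(push_cert["expirationDateTime"]))

    tokens = dep_tokens.get("value", []) if dep_tokens else []
    if not tokens:
        ok = False
        findings.append("ADE token: none uploaded")
    for tok in tokens:
        judge(f"ADE token '{tok.get('tokenName')}'", _parse_time(tok["tokenExpirationDateTime"]))
    return ok, findings


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # assumption: a pre-acquired bearer token
    if token:
        ok, findings = assess(fetch_graph(PUSH_CERT_URL, token), fetch_graph(DEP_TOKENS_URL, token))
    else:
        ok, findings = assess(SAMPLE_PUSH_CERT, SAMPLE_DEP_TOKENS, SAMPLE_NOW)
    print("\n".join(findings))
    sys.exit(0 if ok else 1)
```

Run it on a schedule with a real token and alert on a non-zero exit; an expired push certificate stops every Mac (and iPhone) from checking in, and an expired ADE token stops new corporate devices from enrolling at all.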
When using Setup Assistant with modern authentication, you get the benefits that you see on your screen:
- You can wipe the device.
- You can use multi-factor authentication.
- Users can be prompted to update expired passwords when they first sign in.
- Users can be prompted to reset expired passwords during enrollment.
- Devices can be registered in Azure AD.
I should point out that Microsoft recommends using Setup Assistant with modern authentication.
The macOS deployment guide provides step-by-step enrollment procedures and also provides additional details about both BYOD Device Enrollment and Automated Device Enrollment. To read the deployment guide, visit the URL that you see on your screen:
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.