macOS Device setup with Endpoint Manager


I have recently taken over management of my company's Intune/Endpoint Manager environment for management of iOS and macOS devices. The current setup has multiple configuration profiles that are assigned to a machine group that dynamically contains all macOS devices. We have Endpoint Manager connected to Apple Business Manager, so the devices automatically enroll in Endpoint Manager at first boot. When the desktop support tech goes to set up a new macOS device for a user, they create local user accounts for the user and for tech use. At that time, the configuration profiles (and some apps assigned as "required") install as expected in the background. Note: the tech does NOT log in to Company Portal, as this effectively assigns their user account to that machine in Endpoint Manager. Once they have completed the initial setup, they have the user log in to the device and then log in to Company Portal. However, to do so, the tech has to first remove the configuration profiles, then log in to Company Portal, and then the configuration profiles download and install again. I found that in Tenant admin > Customization > Configuration, device enrollment is set to "Available, with prompts".


My question is: if we are auto-enrolling devices, would setting the "Device Enrollment" option in the Customization section of Tenant Admin to "Available, no prompts" or "Unavailable" get rid of this round-about issue we're seeing with the Company Portal app setup?

5 Replies
Hi, why do you want to have the tech guys configuring apps on the Macs? If these are corp devices then you can push all the required configurations through Intune or using custom payloads. Even if there is such a requirement, then let the end user complete the enrollment first so that the device is registered in his/her name.

Removing the config profile is not a good approach as it defies the purpose of ADE.

Best Regards,

Hi @klenTAHN,

I guess you’re using the User Affinity enrolment method in your macOS enrolment profile. Apple Setup Assistant prompts during the enrolment process to log in to Azure, which supports modern authentication now.


Do you know what user the techs are using during the process (this step is before creating the local admin)? As a workaround to the issue you’re seeing, I would ask the techs to use the employee creds during the enrollment process; this will eliminate that issue with the Intune Portal and re-enrollment. Because user affinity enrolment is a one-to-one relationship, you can’t use a DEP account. Otherwise you have to use the device type, but that’s not your requirement.

I have included three articles; note the 2nd one shows the enrolment when modern authentication is not supported.

Hope this helps!



From MSFT docs:

"Use this method to automate the enrollment experience on devices purchased through Apple Business Manager or Apple School Manager. Automated device enrollment deploys the enrollment profile over-the-air, so you don't need to have physical access to devices."


We are currently enrolling without user affinity because the macOS devices are not domain machines, so we cannot change the assigned user afterwards. The tech sets up a local account for the user at time of setup, and the user logs in to the Company Portal with their domain credentials when they receive the machine. Since the machines are already enrolled prior to their receipt, would it be feasible to just turn off the enrollment option in the customization area for the Company Portal so that it's not trying to re-enroll when the end user signs in to the CP for the first time?

Hi @klenTAHN,


It’s not possible. Company Portal checks to see if the logged-on user has UDA (User Device Affinity) with the device. If they don’t, it’ll try to enroll again, which is what you’re seeing.
The best way is to use User Affinity and sign in with user creds; it’s very similar to the Windows Autopilot experience.


Hope this helps!

So what you're saying is that there is no way to configure a macOS device prior to a user having it in their possession? Our techs don't have access to user credentials to log in with until they are with the user performing the device handoff.