automated device enrollment
3 Topics

Intune macOS ADE: support for minimum macOS version enforcement before Platform SSO registration
Hi everyone, I would like to ask whether Microsoft Intune has any supported method, roadmap, or recommended workaround for enforcing a minimum or target macOS version during Automated Device Enrollment before Setup Assistant continues.

The scenario is macOS zero-touch deployment with Intune, Automated Device Enrollment, Setup Assistant with modern authentication, Await final configuration, and Platform SSO registration during ADE. Platform SSO registration during Setup Assistant depends on newer macOS capabilities. In addition, some macOS deployment scenarios, such as Platform SSO password sync and macOS LAPS, may require or strongly benefit from a specific macOS version being installed before the user completes enrollment.

Today, Intune can manage macOS software updates after enrollment using Declarative Device Management software update policies. However, that does not fully solve the issue where the Mac starts ADE on an older macOS version. In that case, the device may begin Setup Assistant and Platform SSO registration before the required macOS version is installed.

What I am looking for is an Intune-native equivalent of enforcing a minimum or target macOS version during ADE, before Setup Assistant continues. Ideally, the macOS ADE enrollment profile in Intune would support options such as:
- Minimum required macOS version
- Target specific macOS version
- Target specific build, if supported
- Latest eligible macOS version for the device
- Apply the OS update before Platform SSO registration and final configuration
- Reporting in Intune showing whether the ADE OS update was required, started, completed, skipped, or failed

Without this capability, organizations using Intune-only macOS deployment may still need manual IT staging or macOS restore/update before handing devices to users. This weakens the zero-touch deployment model, especially when adopting Platform SSO registration during Automated Device Enrollment.

1. Is there currently any supported way in Intune to enforce a minimum or target macOS version during ADE before Setup Assistant continues?
2. Is this capability on the Intune roadmap?
3. Are there any recommended workarounds for organizations deploying Platform SSO registration during ADE where a specific macOS version is required?

Thanks in advance for any guidance from the Intune team or the community.

VPP Licensing Issues
Hi there, I'm currently getting frustrated with the following problem. First, the outline: We want users to choose: Do you want to use a personal device? If so, you can enroll in MDM with type "User Enrollment". If the user "qualifies" to receive a corporate iOS device, we're using Automated Device Enrollment via ABM.

Now on to the issue:

App assignment for the app MS Teams
Required: All devices, with an include filter (All ADE devices), device-based licensing. Idea: this should only happen when using corporate devices.
Available: All Users, with an exclude filter (All ADE devices), user-based licensing. Idea: all devices which are not corporate should apply this one.

App assignment for the app MS Whiteboard
No required assignment.
Available: All Users, with an exclude filter (All ADE devices), user-based licensing. Idea: all devices which are not corporate should apply this one.
Azure AD security group with all users using corporate iOS devices, device-based licensing. Idea: all devices which ARE corporate should apply this one.

What is the result? The Whiteboard app is working perfectly: when using an ADE device, the device-based license is used (therefore a silent installation happens after the user chooses "Install app" from Company Portal). When using a User Enrolled device, the user-based license is used. Great!

As soon as an app additionally has a required assignment, the whole thing breaks: when the user on the user-enrolled device tries to install the app from Company Portal, nothing happens. Intune shows the totally misleading error: "Device VPP licensing is only applicable for iOS 9.0+ devices. (0x87D13B69)" The device is way above 9.0 AND the device shouldn't use device licensing. (Of course User Enrollment doesn't support device licensing.)

I'm totally aware of the fact that we have to use "user based licensing" for User Enrolled devices AND we have to use device-based licensing when using ADE and want to install silently or the user doesn't have an Apple ID. How can we achieve this scenario? We totally don't want to have to choose between either ADE or User Enrollment. Any help, as always, is highly appreciated. 🙂 Cheers, Patrick!

Solved

Failed to create macOS Enrollment Profile
Hello, hoping someone out there might have encountered this or have some advice. I am trying out Intune in combination with Apple Business Manager (ABM). I followed the guides on setting up ABM with our Azure AD and Intune environments and created the required MDM push certificates, VPP tokens, etc. I was able to set up the Intune MDM successfully in Intune and ABM, and created an iOS device enrollment profile in Intune which worked well and was able to automatically enroll an iPhone and successfully deploy the Company Portal app and other apps to it.

The issue I'm having is when I go to create the macOS device enrollment profile in Intune. I select the existing MDM program token and go through the process, but it fails to create the macOS enrollment profile and instead I get an error "Failed to create <profile name here>". I've tried various settings with the enrollment profile; I even created a new Apple enrollment token and tried to set up the macOS profile with the new token, but I get the same error. I followed the article https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-program-enroll-macos and don't see any missing steps... I've got the Company Portal app configured with the PKG as a LOB app, but it won't even get that far since there isn't an enrollment profile to automatically enroll the macOS device into Intune. The device, however, is getting synced from ABM and is visible under the Apple enrollment token's device list. Granted, I could manually install the Company Portal to enroll the Mac with Intune, but I am trying to automate this process as best as I can and use the enrollment profile to do so.

Any advice or direction you might suggest? From what I can tell everything seems set up correctly... and iOS/Windows devices are working fine; it's just macOS I'm stuck on. Thank you in advance.

Solved