Intune Enrollment using Automated Device Enrollment

Tags Mac

Zehadi Alam

Introduction
Universities that manage Apple devices can enroll them into Intune using Automated Device Enrollment. To do this, access to Apple School Manager is needed, as it provides the enrollment token required for integration with Intune. The following section demonstrates the process of how to set up an MDM server within Apple School Manager, connect it to Intune, and enable synchronization between the two platforms to ultimately enroll Apple devices with Intune.

Procedure
1. Sign in to Apple School Manager (https://school.apple.com/). If you do not have access, you can reach out to me and I will create you an account.

2. Click on your name at the bottom left of the screen and select Preferences.

3. Click on Add next to Your MDM Servers.

4. Name your MDM server and leave the "Allow this MDM Server to release devices" option unchecked.

5. In Intune, navigate to Enrollment Program Tokens (https://intune.microsoft.com/#view/Microsoft_Intune_Enrollment/DepTokensPaging.ReactView) and click Create. The Intune public key certificate must be retrieved for the MDM server.

6. Select I agree and download your public key.

7. In Apple School Manager, upload the public key and then download the MDM server token. This server token must be uploaded to Intune.

8. Once the MDM server has been created, you can assign devices to it. Navigate to devices https://school.apple.com/#/main/devices and search by the serial number of the device. You can also use filters and search by the Apple Sales Order Number.

9. Once your device has been found in the results, you can assign it to your MDM server.

10. In Intune, click on your enrollment program token and run a sync. This will allow the devices added to your MDM server in Apple School Manager to appear in Intune. Intune automatically syncs once every 12 hours. If you manually sync, you can only do so once every 15 minutes.

11. Create an enrollment profile to allow your Apple devices to enroll with Intune. You can create a profile for macOS and iOS/iPadOS.

12. When creating a macOS enrollment profile, you have the option of enrolling the device with or without user affinity. User affinity associates a primary user with the device. The end user's name will be shown under the primary user section of the device when it is queried in Intune. Enrollment without user affinity is suitable for scenarios where it does not make sense to associate a primary user with the device (e.g. shared devices). If you choose to enroll with User Affinity, the following settings are recommended.

13. The next section allows you to control the Setup Assistant experience by hiding or showing the various displays that are presented to the end user when they set up their Mac. This configuration is left to the IT unit to decide. At CAES, we hide everything except for Touch ID and Face ID, FileVault, and Wallpaper.

14. For the Account Settings section, it is recommended to configure the creation of a local account as follows. This will ensure that the user's username is their UGA MyID.

15. Review and create the enrollment profile.

16. Once the enrollment profile is created, click into it to assign the devices that were synced from your MDM server in Apple School Manager.

17. Click on Assign Devices and then Add Devices.

18. Select the devices you would like to assign to your enrollment profile and click Add.

19. Save the assignment.

20. Macs with the serial numbers assigned to the enrollment profile will begin the Intune enrollment process during Setup Assistant. To trigger Intune enrollment on a Mac that is already deployed and in use, run the following command in Terminal; if the enrollment profile is configured for User Affinity, let the end user authenticate when prompted.

sudo profiles renew -type enrollment
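The script below is an added example, not part of the original article. It wraps the two Mac-side pieces of this procedure: reading the serial number you search for in Apple School Manager (step 8) and triggering the enrollment renew on an already-deployed Mac (step 20), but only when the Mac is not already MDM-enrolled, so users are not prompted needlessly. It assumes that `profiles status -type enrollment` reports lines of the form "Enrolled via DEP: Yes|No" and "MDM enrollment: Yes (User Approved)|Yes|No", and that `system_profiler SPHardwareDataType` reports a "Serial Number (system):" line; the sample outputs embedded in it are constructed, not captured from a real Mac.

```shell
#!/bin/sh
# Added example (not from the original article). Parses macOS enrollment
# status and only runs `profiles renew -type enrollment` when needed.
# Assumed output formats are documented in the comments of each parser.

# Extract the serial number from `system_profiler SPHardwareDataType` output
# (assumed line format: "      Serial Number (system): XXXXXXXXXXXX").
serial_from_hardware_report() {
    printf '%s\n' "$1" | sed -n 's/^ *Serial Number (system): *//p' | head -n 1
}

# Classify `profiles status -type enrollment` output by its
# "MDM enrollment:" line. Prints: enrolled | not-enrolled | unknown
classify_enrollment() {
    mdm=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment: *//p' | head -n 1)
    case "$mdm" in
        Yes*) echo enrolled ;;
        No*)  echo not-enrolled ;;
        *)    echo unknown ;;
    esac
}

# Map a classification to an action (kept as a pure function so it can be
# checked without a Mac). Prints: skip | renew | investigate
enrollment_action() {
    case "$1" in
        enrolled)     echo skip ;;
        not-enrolled) echo renew ;;
        *)            echo investigate ;;
    esac
}

# Constructed sample outputs for offline use (not captured from a real Mac).
SAMPLE_HW='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Serial Number (system): C02CONSTRUCTED
      Hardware UUID: 00000000-0000-0000-0000-000000000000'
SAMPLE_ENROLLED='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/'
SAMPLE_PENDING='Enrolled via DEP: No
MDM enrollment: No'

# Live path: only on macOS, as root, with the profiles tool present.
# Elsewhere the functions above remain usable for testing.
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ] \
   && command -v profiles >/dev/null 2>&1; then
    serial=$(serial_from_hardware_report "$(system_profiler SPHardwareDataType)")
    echo "Serial to look up in Apple School Manager: $serial"
    state=$(classify_enrollment "$(profiles status -type enrollment)")
    case "$(enrollment_action "$state")" in
        renew)
            echo "Not MDM-enrolled; triggering ADE enrollment (the user may be prompted)."
            profiles renew -type enrollment ;;
        skip)
            echo "Already MDM-enrolled; nothing to do." ;;
        *)
            echo "Unrecognised status output; run 'profiles status -type enrollment' by hand." ;;
    esac
fi
```

The renew only has an effect if the Mac's serial number has been assigned to the MDM server in Apple School Manager and the device has synced into Intune and been assigned an enrollment profile (steps 8 to 19); on a Mac that is already enrolled the script reports that and does nothing, which is the case you want a helpdesk script to handle cleanly.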