MacOS DEP enrollment with Intune – Part 1 (The Setup)

With all of the Modern Desktop projects we have been working on recently, we have been getting requests around supporting the Apple device that belongs to the executive or senior manager in the corner office.

These conversations have traditionally gone one of two ways: the all-care-no-responsibility approach, where we will set up Office and give them email with limited support, or a flat no, we will not support them.

Around 6 months ago I realized that I should spend some time understanding the platform to provide a rounded recommendation for my client. Starting with the cheapest MacBook Air I could find, I pushed myself to first understand how the operating system worked, then what we can use Intune to manage. For those of you who have seen me running around with it, you have seen the great stickers I found for it; for those who haven’t seen it, well.


So enough of the waffle around why an ardent Microsoft guy is blogging about Apple on an Intune blog. This is the first blog of a few which will detail my experiences enrolling Macs into Intune and then managing them.

With Microsoft we have Windows Autopilot, which requires device registration, either by the vendor at the factory and then into your Intune tenant, or by harvesting the hardware hash for existing devices.

In the Apple world the equivalent system is called the Device Enrollment Program (DEP), the same one you use for your iPhones and iPads, albeit with a very minor difference. Existing iPhones and iPads can be manually imported into the DEP system from a Mac using the Apple Configurator 2 application, which is a great way to start companies on the journey to MDM. Mac devices, on the other hand, cannot be manually loaded into the DEP system.

It is even worse than this: the advice I have been able to get from multiple Apple stores is that Macs can only be registered into the DEP system at the factory. Thankfully Vigilant.IT has a company account with Apple, through which I was able to procure a Mac to validate this solution. The process to do this was reasonably painless, and once the order was accepted the new Mac’s serial number appeared in the DEP console.

What I found surprising was that I could create a VM with VMware Fusion, assign the serial number, and it would appear to be DEP registered, which allows for high-fidelity screen captures. As an aside, I attempted the same process with Parallels and the host's serial number was passed through to the VM, which is less than ideal.

To set the serial number in VMware I followed this process to edit the VMX file and add the following lines:

SMBIOS.use12CharSerialNumber = "TRUE"
serialNumber = "myserialnumb"
hw.model = "MacBookAir8,1"

This will set the serial number to what you want it to be, in this case the serial number from the DEP system. You might ask what happens when the real device comes online. The Apple DEP system does not worry about what hardware is being used; it just has a MacOS device requesting its DEP policy. In Intune, it is the last device registered into the system that will be fully managed.

Now we have the setup to test and validate the MacOS DEP solution. Keep a lookout for the next blogs in the series.
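The VMX edit described above as a repeatable script, added here as an example and not taken from the original post. The function names, the 12-character alphanumeric check and the sample VMX content are assumptions made for illustration; existing lines for a key are replaced rather than duplicated, and a backup of the file is kept.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent VMX edit for the
# three keys above. Function names and sample values are illustrative.

# vmx_get FILE KEY: print the value of KEY (keys compared case-insensitively).
vmx_get() {
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        { n = split($0, p, "="); name = (n > 0) ? p[1] : ""; gsub(/[ \t]/, "", name)
          if (tolower(name) == k) {
              v = $0; sub(/^[^=]*=[ \t]*"?/, "", v); sub(/"?[ \t]*$/, "", v); print v } }' "$1"
}

# set_vmx_key FILE KEY VALUE: drop any existing line for KEY, then append
# KEY = "VALUE" using straight ASCII quotes.
set_vmx_key() {
    case $3 in *'"'*) echo "value must not contain quotes" >&2; return 1 ;; esac
    _tmp=$(mktemp) || return 1
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        { n = split($0, p, "="); name = (n > 0) ? p[1] : ""; gsub(/[ \t]/, "", name)
          if (tolower(name) != k) print }' "$1" > "$_tmp" || { rm -f "$_tmp"; return 1; }
    printf '%s = "%s"\n' "$2" "$3" >> "$_tmp"
    cat "$_tmp" > "$1"; _rc=$?
    rm -f "$_tmp"
    return "$_rc"
}

# set_vmx_serial FILE SERIAL MODEL: validate, back up, then write all three keys.
set_vmx_serial() {
    [ -f "$1" ] || { echo "no such VMX file: $1" >&2; return 1; }
    # Assumption: use12CharSerialNumber means exactly 12 alphanumeric characters.
    case $2 in *[!A-Za-z0-9]*) echo "serial must be alphanumeric" >&2; return 1 ;; esac
    [ "${#2}" -eq 12 ] || { echo "serial must be 12 characters" >&2; return 1; }
    cp -p "$1" "$1.bak" || return 1
    set_vmx_key "$1" "SMBIOS.use12CharSerialNumber" "TRUE" &&
        set_vmx_key "$1" "serialNumber" "$2" &&
        set_vmx_key "$1" "hw.model" "$3"
}

# Demo on a constructed VMX: a stale serialNumber line is replaced, not duplicated.
demo=$(mktemp)
printf '%s\n' 'displayName = "macOS test"' 'serialNumber = "OLDSERIAL000"' > "$demo"
set_vmx_serial "$demo" "myserialnumb" "MacBookAir8,1" && cat "$demo"
rm -f "$demo" "$demo.bak"
```

Run it with the VM shut down, so the running VM does not overwrite the edited file.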