MacOS DEP enrolment with Intune – Part 2 (the Out of Box Experience)

To follow on from the last post (available here), I'm going to focus on the end user experience when the user receives their new Mac, in this case a 13 inch MacBook Air procured from the Apple ecommerce.apple.com site. That site is different from Business.apple.com and deploy.apple.com, which will be something I blog about in the future.

So why is the Out of Box Experience something that is important to talk about? The simple answer is that it is a different type of enrolment from what we have with MacOS devices that only have the Company Portal installed.

When enrolling a MacOS device into Intune using DEP, the device is added to Azure AD as an "Azure AD Registered" device. This allows the device to be tagged as compliant or not for things like Conditional Access and the like.

The next thing to be aware of is that currently the MacOS DEP screen does not support an AAD account which has MFA set up; it will just return an unknown user account or unknown password error. You might think that with Azure AD MFA there is the ability to use App Passwords for just this case, but that doesn't work either. So if you want to use MacOS DEP you will need to have Azure AD MFA not enabled on the account.

For those of you who don't have a DEP enrolled MacOS device, I've used the VM created in the last blog post to capture a video of the process. On the Intune side all that is being applied is a simple "User Affinity" policy, with all of the default pages still shown (you can pick and choose which screens you see); in addition to this I have locked the policy from being removed, for what it is worth.

Note: there is no audio on the video.

In the video you will note I have connected it to my Apple ID, but you can skip that step if you don't want to install applications from the Apple Store. It can also be suppressed by the admin in Intune, which is a simple way to block staff from having their Apple ID assigned to the Mac.

Good Luck

Steve.

MacOS DEP enrollment with Intune – Part 1 (The Setup)

With all of the Modern Desktop projects we have been working on recently, we have been getting requests around supporting that executive/senior manager in the corner office with an Apple device.

These conversations have traditionally gone one of two ways: the all-care-no-responsibility approach, where we will set up Office and give them email with limited support, or just a flat no, we will not support them.

Around 6 months ago I realized that I should spend some time to understand the platform so I could provide a rounded recommendation for my clients. Starting with the cheapest MacBook Air I could find, I pushed myself to first understand how the operating system worked, then what we can use Intune to manage. For those of you who have seen me running around with it, you have seen the great stickers I found for it; for those who haven't seen it, well:

AppleLid.jpg

So enough of the waffle around why an ardent Microsoft guy is blogging about Apple on an Intune blog. This is the first blog of a few which will detail my experiences enrolling Macs into Intune and then managing them.

With Microsoft we have Windows AutoPilot; this requires device registration either by the vendor at the factory into your Intune tenant, or by harvesting the hardware hash for existing devices.

In the Apple world the equivalent system is called the Device Enrollment Program (DEP), the same one you use for your iPhones and iPads, albeit with a very minor difference. Existing iPhones and iPads can be manually imported into the DEP system from a MacOS device using the Apple Configurator 2 application, which is a great way to start companies on the journey to MDM; on the other hand, Mac devices cannot be manually loaded into the DEP system.

It is even worse than this: the advice I have been able to get from multiple Apple stores is that Macs can only be registered into the DEP system at the factory. Thankfully Vigilant.IT has a company account with Apple through which I was able to procure a Mac to validate this solution. The process was reasonably painless, and once the order was accepted the new Mac's serial number appeared in the DEP console.

What I found surprising was that I could create a VM with VMware Fusion, assign the serial number, and it would appear to be DEP registered, which allows for high fidelity screen captures. As an aside, I attempted the same process with Parallels and the host's serial number was passed through instead, which is less than ideal.

To set the serial number in VMware I followed this process: https://kb.vmware.com/s/article/1014782 to edit the VMX file and add the following lines:

SMBIOS.use12CharSerialNumber = "TRUE"
serialNumber = "myserialnumb"
hw.model = "MacBookAir8,1"

This will set the serial number to what you want it to be, in this case the serial number from the DEP system. You might ask what happens when the real device comes online. The Apple DEP system doesn't worry about what hardware is being used; it just sees a MacOS requesting its DEP policy, while in Intune it is the last device registered into the system which will be fully managed.
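As an added example (not from this post or from VMware), here is a small POSIX shell helper that makes the VMX edit above repeatable: it replaces any existing copy of the three keys rather than appending duplicates, and refuses a serial that is not exactly 12 alphanumeric characters, which is what SMBIOS.use12CharSerialNumber = "TRUE" expects. The key names are the three from the post; the function names and the sample VMX file are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: idempotently write the three VMX
# keys the post describes so a powered-off VMware Fusion VM presents a chosen
# serial. Assumes a plain text VMX file made of key = "value" lines.
set -eu

# set_vmx_key FILE KEY VALUE: drop any existing line for KEY (VMX keys are
# compared case-insensitively) and append a freshly quoted one.
set_vmx_key() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp"
    awk -v k="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
        { n = split($0, p, "="); name = p[1]; gsub(/^[ \t]+|[ \t]+$/, "", name)
          if (n > 1 && tolower(name) == k) next }
        { print }' "$file" > "$tmp"
    printf '%s = "%s"\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_vmx_key FILE KEY: print the unquoted value of the last matching line.
get_vmx_key() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { n = split($0, p, "="); name = p[1]; gsub(/^[ \t]+|[ \t]+$/, "", name)
          if (n > 1 && tolower(name) == k) {
              v = substr($0, index($0, "=") + 1)
              gsub(/^[ \t"]+|[ \t"]+$/, "", v); print v } }' "$1" | tail -n 1
}

# apply_dep_serial FILE SERIAL [MODEL]: refuse anything that is not exactly 12
# alphanumeric characters (what SMBIOS.use12CharSerialNumber = "TRUE" expects),
# then write the three keys from the post. Returns 1 and leaves FILE untouched
# on a bad serial.
apply_dep_serial() {
    file=$1; serial=$2; model=${3:-MacBookAir8,1}
    case "$serial" in
        ""|*[!A-Za-z0-9]*) return 1 ;;
    esac
    [ "${#serial}" -eq 12 ] || return 1
    set_vmx_key "$file" "SMBIOS.use12CharSerialNumber" "TRUE"
    set_vmx_key "$file" "serialNumber" "$serial"
    set_vmx_key "$file" "hw.model" "$model"
}
```

Run it as apply_dep_serial /path/to/vm.vmx myserialnumb with the VM shut down; Fusion rereads the VMX only at power-on.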

Now we have the setup to test and validate the MacOS DEP solution; keep a look out for the next blogs in the series.

Cheers

Steve