2 Replies

  • We only just got ABM set up and our first Mac enrolled, and in my experience so far the iPhone app and that process work great, but when the user goes through the initial enrollment they sign in with their company email to "enroll" but then they are still given the steps to create a local account.  This first account, like normal Apple behavior, is a local admin.  Additionally, you have to deploy the Company Portal app as a "required" assignment and the user has to sign in to it to complete the Intune enrollment.

    We only have one Mac set up and so far it wasn't too bad, but it would be nice if their Azure AD account was the local account and that we had control over whether or not that was an admin account as well.  There are a number of other options related to macOS that I have yet to explore, so I'll be curious to hear what others respond to you regarding your questions, as I have the same ones.

  • We've sorted out how we're going to do it: we enroll the devices in ABM, assign them to Intune and all the policies/apps push - we've got the managed Apple ID for the primary user - nothing unusual here.  We also create an alternate local account, Mac1Admin.  On the Mac1Admin account we sign into a personal Apple ID using Mac1@domain.onmicrosoft.com (we've claimed domain.com for the managed IDs) so IT has control to manage it.  On the personal Apple ID we just enable Find My Mac, so we've still got the iCloud-based access to Find My Mac, which we've found is more usable than the Intune-based remote lock etc.  It's not a purely automated system yet, but we've only got a couple to configure at a time that we need to roll out, and everyone is local, so it's not a big deal to get our hands on it before handing it to the primary user.

    If we dealt with purely remote users etc., we'd need to find a better way of doing it, but this suits our needs.

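Both replies above end up with local admin accounts on the Mac that Intune does not directly govern (the setup-assistant user in the first, the extra Mac1Admin account in the second). The script below is an added example, not code from either poster or from Intune, showing how an IT team could audit the Mac's local `admin` group against an allow-list from a shell script pushed by Intune. It assumes the allow-list `root Mac1Admin` and, when `dscl` is not available (i.e. off a Mac), falls back to a constructed sample membership line so the logic can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): audit the local "admin" group on a Mac
# against an allow-list of expected admin accounts, suitable for running as an
# Intune shell script. On a real Mac the group membership comes from:
#   dscl . -read /Groups/admin GroupMembership
# Off a Mac, a constructed sample line stands in so the logic still runs.

# Accounts that are expected to be admins (assumption: the built-in root plus
# the thread's Mac1Admin account).
EXPECTED_ADMINS="root Mac1Admin"

# Constructed sample of dscl output: the setup-assistant user "jsmith" is an
# admin in addition to the expected accounts.
SAMPLE_DSCL_OUTPUT="GroupMembership: root Mac1Admin jsmith"

# Print the members of the admin group, one per line, from a dscl output line.
parse_admin_members() {
    # Strip the "GroupMembership:" label, split the remaining names on spaces.
    printf '%s\n' "$1" | sed 's/^GroupMembership:[[:space:]]*//' \
        | tr ' ' '\n' | sed '/^$/d'
}

# Return 0 if $1 appears in the whitespace-separated list $2, else 1.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# Print admins that are NOT in EXPECTED_ADMINS; return 1 if any were found.
unexpected_admins() {
    found=0
    for member in $(parse_admin_members "$1"); do
        if ! in_list "$member" "$EXPECTED_ADMINS"; then
            printf '%s\n' "$member"
            found=1
        fi
    done
    return $found
}

# Read live group membership on macOS; fall back to the constructed sample.
get_admin_group_line() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read /Groups/admin GroupMembership
    else
        printf '%s\n' "$SAMPLE_DSCL_OUTPUT"
    fi
}

main() {
    line=$(get_admin_group_line)
    if extra=$(unexpected_admins "$line"); then
        echo "OK: only expected admin accounts present"
    else
        echo "WARNING: unexpected local admins: $(echo "$extra" | tr '\n' ' ')"
        return 1
    fi
}

# A non-zero exit status is what Intune reports as a script failure, so it
# doubles as the "non-compliant" signal for this device.
main "$@" || echo "non-compliant (exit status $?)"
```

Against the constructed sample this prints the warning and flags `jsmith`; on a real Mac the allow-list is the only thing to adjust. Extending it to demote an unexpected account is possible with `dseditgroup`, but reporting first and deciding per device is the safer starting point given how the posters describe their rollouts.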
