COPE – Existing Device Enrollment
This page provides instructions on how to enroll your existing device into Intune.
1. Device Enrollment
Please review and complete all pre-requisites before beginning: Prerequisites
Download and install the Company Portal app from either of the links below.
Enroll your Mac with Intune Company Portal | Microsoft Learn
Once installed, launch the Company Portal app and click Sign in. If you are prompted with a Microsoft login page, use your University of Waterloo credentials. It may sign you in directly if you’re already using Office 365 products on the device.
In the Set up University of Waterloo access window, click Begin.
You can review the privacy information and what access will be provided with the device being managed. Click Continue.
Click Download profile.
The Profiles window should pop up; if not, navigate to System Settings > General > Device Management > Profiles (older macOS devices may have this under Privacy & Security). Then double-click the Management Profile and click Install.
You’ll then be prompted for your macOS login password. Type it in and click Enroll.
When the device is successfully enrolled, the banner will state the Mac is supervised and managed by: University of Waterloo.
Return to the Company Portal app while it finishes checking device settings.
Note: If you receive a message stating “Compliance policies haven’t been assigned to this device”, wait a minute or two, then click the Retry button.
Once complete, click Done and move on to step 2.
2. Contact your IST Representative
Devices enrolled in Intune using COPE are considered “Personal”. You’ll need to contact your IST Representative using one of the links below, so that they can properly associate the device for management within the tenant.
After receiving clearance from IST, move on to step 3.
3. Finalize Enrollment
Open the Company Portal app, click on the ellipsis, then select Check status. This will sync the Mac with Intune, prompting the device to check its compliance status, download any missing profiles, and apply policies and/or required applications.
After the enrollment is finalized, the initial Intune Management Profile will be installed under System Settings > General > Device Management > Profiles (older macOS devices may have this under Privacy & Security). The subsequent profiles applicable to your device will install as the device checks in with Intune.
These profiles include enforced settings that help secure the device, such as enabling FileVault, password requirements, OS update enforcement, and disabling guest accounts. Options in System Settings that are greyed out are now enforced by Intune and cannot be changed. It can take up to 1 hour to finalize installing all settings and required applications. It is recommended to leave the device on and connected to the internet.
After several additional profiles have installed, specifically the FileVault Escrow Profile, proceed with step 2.
4. Password Requirements
If your password does not meet the requirements enforced by Intune, you will be prompted to reset it at next login. Passwords can be changed under System Settings > Login Password > Change.
Max Grace Period before requiring Password: 1 Minute
Password History: 6
Minimum Length: 8
Once you have ensured the login account has a secure password, proceed to step 5.
5. FileVault
Requirement: FileVault Escrow Profile – as noted in steps above.
FileVault is an additional layer of security for macOS that performs disk encryption on the device. Our Intune policies will force your Mac to enable FileVault and encrypt the disk. The next time you log out or restart the device, you will be prompted for your macOS password to enable the encryption.
Note: You may receive an “Incorrect Password” prompt in the FileVault window. This is likely due to a requirement to update your macOS password to meet security standards. The next time you log in to the device, you should be prompted to update your password, then the FileVault window should reappear.
If you are not prompted to enable FileVault, your device may already be encrypted. This can be validated by going to System Settings > Privacy & Security > FileVault.
If it is set to Off, either the policy (FileVault Escrow Profile) has not synced yet and needs a bit more time, or you have not logged out or restarted the device since the policy was applied. You may either log out/restart or set FileVault to On.
If it is set to On, your FileVault key will need to be rotated so that Intune can manage it. Instructions continued below.
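The same check can be made from Terminal. The script below is an added example, not part of the original article: it maps the output of fdesetup status and profiles status -type enrollment to the next step described on this page. The function name next_step, its keywords, and the sample outputs are constructed for illustration, and it assumes the wording of the command output shown in the samples.

```shell
#!/bin/sh
# Added example: decide the next FileVault step from command output.

# Constructed sample outputs (not captured from a real device).
ENROLLED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
NOT_ENROLLED='Enrolled via DEP: No
MDM enrollment: No'
FV_ON='FileVault is On.'
FV_OFF='FileVault is Off.'
FV_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."

# next_step FDESETUP_STATUS_TEXT ENROLLMENT_TEXT
# Prints one keyword (hypothetical names) for what to do next.
next_step() {
    case $2 in
        *"MDM enrollment: Yes"*) ;;                    # managed, keep going
        *) echo "enroll-first"; return 0 ;;            # section 1 not finished
    esac
    case $1 in
        # Policy has applied; encryption starts at next logout/restart.
        *"Deferred enablement"*) echo "logout-or-restart" ;;
        # Already encrypted: the key must be rotated so Intune can manage it.
        *"FileVault is On."*)    echo "rotate-key" ;;
        # Off and nothing pending: the escrow policy may not have synced yet.
        *"FileVault is Off."*)   echo "sync-and-wait" ;;
        *)                       echo "unknown" ;;     # unexpected output
    esac
}

# On a Mac, feed the live command output into the same function.
if command -v fdesetup >/dev/null 2>&1 && command -v profiles >/dev/null 2>&1; then
    step=$(next_step "$(fdesetup status 2>&1)" \
                     "$(profiles status -type enrollment 2>&1)")
    echo "Next step: $step"
    if [ "$step" = "rotate-key" ]; then
        echo "Run: sudo fdesetup changerecovery -personal"
    fi
fi
```

The script only reports the state; it never changes the recovery key itself.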
FileVault Key Rotation – Only required if the device is already FileVault encrypted
Requirement: FileVault Escrow Profile – as noted in steps above.
Open the Terminal app and type in the commands below. You will be prompted to enter your macOS password, then your macOS user name and password again.
cd /Applications/Utilities
sudo fdesetup changerecovery -personal
If you are unsure of what your user name is set to, it should be what is listed to the left of the @ symbol (in green in the above image). You can also press CTRL+Z to escape the command and type whoami into Terminal. You’ll then need to retype the sudo command above.
Once completed, a new personal recovery key will be issued. There is no need to write this down as there is a self-service option to get the key. Additionally, if you submit a UWaterloo Help Portal - Jira Service Management ticket, IT can retrieve your FileVault Recovery Key from the tenant.
Company Portal
Launch the Company Portal app and perform a Check Status to sync the device to Intune. It is recommended to perform this action regularly to ensure your device is kept up to date. See: Company Portal (Available Apps and Self-Service Options) - IST Knowledge Base - Confluence (atlassian.net)
Need help?
Contact the IST Service Desk online or 519-888-4567 ext. 44357.