Intune Existing Device Enrollment

This page provides instructions on how to enroll your existing device into Intune.

Prerequisites

  • Devices able to run the currently supported macOS are recommended

      o   Devices using third-party tools to bypass Apple’s macOS compatibility standards may not be supported and/or may incur issues during regular macOS update releases

  • The current account must be an administrator

  • Device is unbound from Active Directory

  • Enrollment is completed by the Primary User of the device

      o   For shared devices, select 1 person to complete the enrollment

1. Device Enrollment

Note: Enrollment can take up to 1 hour to finish syncing and installing all settings and required applications. Please ensure you allocate enough time for the process to finish.

Open the Terminal app and type the command below. You will be prompted to enter your macOS password.

    sudo profiles renew -type enrollment

You will then be prompted by the Remote Management for University of Waterloo, which will cover the screen. Please read through the rest of the section then return.

Click the Enroll button to continue. If you get any error message, please submit an Information Systems and Technology - Jira Service Management (atlassian.net) ticket.

If you select Not now, there will be a notification in the System Settings to enroll.

You may be prompted to enter your Mac password to proceed with the enrollment.

Next, you’ll be asked to enter your University of Waterloo email address and password, along with applicable DUO authentication requests.

Once authenticated, the enrollment will install. Click Quit when the enrollment is complete.

After the enrollment is finalized, the initial Intune Management Profile will be installed under System Settings > Privacy & Security > Profiles. The subsequent profiles applicable to your device will install as the device checks in with Intune.

These profiles include enforced settings that help secure the device, such as enabling FileVault, password requirements, OS update enforcement, and disabling guest accounts. Options in System Settings that are greyed out are now enforced by Intune and cannot be changed. It can take up to 1 hour to finish installing all settings and required applications. It is recommended to leave the device on and connected to the internet.

After additional profiles have installed, outside of the initial “Management Profile”, proceed with step 2.

2. Password Requirements

If your password does not meet the requirements enforced by Intune, you will be prompted to reset it at next login. Passwords can be changed under System Settings > Login Password > Change.

    Max Password Age: 730 days
    Max Grace Period before requiring Password: 1 minute
    Minimum Complex Characters: 1
    Password History: 6
    Require Alphanumeric Password: True
    Minimum Length: 8

Once you have ensured the login account has a secure password, proceed to step 3.

3. FileVault

FileVault is an additional layer of security for macOS that encrypts the device's disk. Our Intune policies will force your Mac to enable FileVault and encrypt the disk. The next time you log out or restart the device, you will be prompted for your macOS password to enable the encryption. This can be bypassed up to 3 times before it will be forced to Enable Now.

Note: You may receive an “Incorrect Password” prompt in the FileVault window. This is likely because your macOS password must first be updated to meet the security standards. The next time you log in to the device, you should be prompted to update your password, after which the FileVault window should reappear.

If you are not prompted to enable FileVault, your device may already be encrypted. This can be validated by going to System Settings > Privacy & Security > FileVault.

If it is set to Off, either the policy has not synced yet and needs a bit more time, or you have not logged out or restarted the device since the policy was applied. You may either log out/restart or set FileVault to On.

If it is set to On, your FileVault key will need to be rotated so that Intune can manage it. Instructions continued below.

FileVault Key Rotation – Only required if the device is already FileVault encrypted

Open the Terminal app and type the commands below. You will be prompted to enter your macOS password (for sudo), and then your macOS user name and password again.

    cd /Applications/Utilities

    sudo fdesetup changerecovery -personal

If you are unsure of what your user name is set to, it should be what is listed to the left of the @ symbol (in green in the above image). You can also press CTRL+Z to escape the command and type whoami into Terminal. You’ll then need to retype the sudo command above.

Once completed, a new personal recovery key will be issued. There is no need to write this down: there is a self-service option to retrieve the key, and Intune Support Admins can also retrieve it from the portal.
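The following POSIX shell script is an added example, not part of this page or of Intune's tooling: it checks the outcomes of steps 1 to 3 (a user-approved MDM enrollment, a password that satisfies the rules listed in step 2, and the FileVault state). It assumes the output formats of "profiles status -type enrollment" and "fdesetup status" shown in the comments; the sample outputs embedded in it are constructed, not captured from a real device.

```sh
#!/bin/sh
# Added example (not from the page): checks the outcomes of steps 1-3.
# The helpers take command output as text so they run without a Mac;
# the live checks at the bottom run only on macOS. Samples are constructed.

# Step 1: "profiles status -type enrollment" prints lines such as
#   MDM enrollment: Yes (User Approved)
# Exit 0 only for a user-approved MDM enrollment (what clicking Enroll yields).
mdm_user_approved() {
    printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes (User Approved)'
}

# Step 2: the Intune password rules listed above that a string alone can
# satisfy: length >= 8, letters and digits (alphanumeric), and at least one
# non-alphanumeric "complex" character. Age and history are not checkable here.
password_meets_policy() {
    pw=$1
    [ "${#pw}" -ge 8 ] || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[A-Za-z]' || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]' || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[^A-Za-z0-9]' || return 1
}

# Step 3: "fdesetup status" prints "FileVault is On." or "FileVault is Off.";
# while the Enable Now prompt is still pending it adds a "Deferred enablement"
# line, which is the state this page says you can bypass up to 3 times.
filevault_state() {
    case "$1" in
        *"FileVault is On."*)    echo on ;;
        *"Deferred enablement"*) echo deferred ;;
        *"FileVault is Off."*)   echo off ;;
        *)                       echo unknown ;;
    esac
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_ENROLLMENT='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_FDE="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."

# Live checks, run only on the Mac itself.
if [ "$(uname -s)" = Darwin ] && command -v fdesetup >/dev/null 2>&1; then
    status=$(profiles status -type enrollment 2>/dev/null || true)
    if mdm_user_approved "$status"; then echo "MDM enrollment: user approved"
    else echo "MDM enrollment: not user approved, repeat step 1"; fi
    echo "FileVault: $(filevault_state "$(fdesetup status 2>/dev/null || true)")"
fi
```

Run it on the Mac after the profiles beyond the initial Management Profile have arrived; a "deferred" FileVault state means the Enable Now prompt from step 3 is still pending.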

Company Portal and Self-Service options

The Intune Company Portal app allows device users to perform various self-service functions, such as syncing the device and checking its compliance via Check status, and installing available applications. The Company Portal app will automatically install upon enrollment.

Upon launching the Company Portal app, you will be prompted to Sign In with your University of Waterloo credentials, along with applicable DUO authentication requests.

You will then see a list of devices that are associated with your UofW ID in Intune.

Note: Not all UofW managed devices are currently enrolled in Intune. In addition, you may see more devices than your primary assigned device. Please submit an Information Systems and Technology - Jira Service Management (atlassian.net) ticket to have devices unassigned.

Check Status

In the Company Portal app, clicking on the ellipsis and then selecting Check status will sync the Mac with Intune, prompting the device to check its compliance status, download any missing profiles, apply policies, and/or install required applications.

If the device’s status is listed as Not in compliance, there are pending requirements that still need to be met on the device. These can include enabling FileVault and/or updating your Mac password.

If your Mac continues to be Not in compliance, please submit an Information Systems and Technology - Jira Service Management (atlassian.net) ticket.

Available Applications

The Company Portal app allows users to download and install a curated list of applications.

In the Company Portal app, click on the Apps tab, then select your desired application, and click Install.

Application install timing may vary based on application size, Intune server load, bandwidth, routing, and/or device specs.

FileVault Recovery Key

The FileVault recovery key is required to decrypt your data in the event that you are locked out of your device. You can retrieve it from the Microsoft Intune Web Company Portal by selecting the device and clicking on Get recovery key. If you are unable to access the site, an Intune admin can retrieve the key from the portal. Please submit an Information Systems and Technology - Jira Service Management (atlassian.net) ticket for assistance.

Devices that have not allowed Intune to manage the key cannot have their FileVault key retrieved in this fashion.

In the event that neither the FileVault key nor the account password is usable, the device may need to be completely wiped and re-imaged.

Use Disk Utility to erase a Mac with Apple silicon - Apple Support

Use Disk Utility to erase an Intel-based Mac - Apple Support

Questions/Feedback

Mac Enrollment Feedback form

Email - Feedback, Questions or Help

Need help?

Contact the IST Service Desk online or 519-888-4567 ext. 44357.
