Existing Device Enrollment


This page provides instructions on how to enroll your existing device into Intune.

1. Device Enrollment

Please review and complete all pre-requisites before beginning: Prerequisites

Note: Enrollment can take up to 1 hour to finish syncing and installing all settings and required applications. Please ensure you allocate enough time for the process to finish.

Open the Terminal app and type in the below command. You will be prompted to enter in your macOS password.

               sudo profiles renew -type enrollment

Terminal app shows last login time on the first line. User can input the command and password here.

You will then see the Remote Management prompt for University of Waterloo, which will cover the screen. Please read through the rest of this section, then return to the prompt.

Click the Enroll button to continue. If you get any error message, please submit an Information Systems and Technology - Jira Service Management (atlassian.net) ticket.

Remote management menu states that 'This Mac is owned by University of Waterloo. Remote management is required and will allow this organization to set up email and network accounts, install and configure apps, and manage the settings of this Mac.' There is also a link below that message to learn more about remote management.

If you select Not now, there will be a notification in the System Settings to enroll.

System settings menu shows a notification titled 'Enroll in Remote Management,' underneath the user's profile.

You may be prompted to enter your Mac password to proceed with the enrollment.

Setup Assistant menu states 'Setup Assistant is trying to enroll you in a remote management (MDM) service. Enter your password to allow this.' You can then input your username and Mac password.

Next, you’ll be asked to enter your University of Waterloo email address and password, along with applicable DUO authentication requests.

New window states 'Allow 'University of Waterloo' to manage your computer.' You can input your UW email in the Microsoft sign-in window.

Once authenticated, the enrollment will install. Click Quit when the enrollment is complete.

Remote Management menu will show a message stating 'enrollment complete' with a green checkmark icon. Quit button is located in the bottom right corner.

After the enrollment is finalized, the initial Intune Management Profile will be installed under System Settings > General > Device Management > Profiles (older macOS devices may have this under Privacy & Security). The subsequent profiles applicable to your device will install as the device checks in with Intune.

Privacy and Security tab is located on the leftmost side toolbar of the System Settings window. The Profiles window has a list of the various profiles on your device.

These profiles include enforced settings that help secure the device, such as enabling FileVault, password requirements, OS update enforcement, and disabling guest accounts. Options in System Settings that are greyed out are now enforced by Intune and cannot be changed. It can take up to 1 hour to finalize installing all settings and required applications. It is recommended to leave the device on and connected to the internet.

After several additional profiles have installed, specifically the FileVault Escrow Profile, proceed with step 2.

2. Password Requirements

If your password does not meet the requirements enforced by Intune, you will be prompted to reset it at next login. Passwords can be changed under System Settings > Login Password > Change.

The notification will appear underneath the top toolbar, stating 'Password Policy Updated. Update your password to meet your organization's new password requirements.'


Max Grace Period before requiring Password: 1 Minute
Password History: 6
Minimum Length: 8

Password change menu states that 'resetting the account password doesn't reset the password for the user's 'login' keychain.' It also lists the password requirements, and allows you to input a password hint.

Once you have ensured the login account has a secure password, proceed to step 3.

3. FileVault

Requirement: FileVault Escrow Profile – as noted in steps above.

FileVault is an additional layer of security for macOS that performs disk encryption on the device. Our Intune policies will force your Mac to enable FileVault and encrypt the disk. The next time you log out or restart the device, you will be prompted for your macOS password to enable the encryption.

FileVault menu states that 'Your administrator requires that you enable FileVault. It secures the data on your disk by encrypting its contents automatically. You can log in 'x' (up to 3) more times before you must enable FileVault.' Enabling FileVault menu states that it 'encrypts your volume using your login process. The initial setup may take a minute.'

Note: You may receive an “Incorrect Password” prompt in the FileVault window. This is likely due to a requirement to update your macOS password to meet security standards. The next time you log in to the device, you should be prompted to update your password, then the FileVault window should reappear.

If you are not prompted to enable FileVault, your device may already be encrypted. This can be validated by going to System Settings > Privacy & Security > FileVault.

 FileVault can be found at the bottom of the Privacy and Security menu.

If it is set to Off, either the policy (FileVault Escrow Profile) has not synced yet and needs a bit more time, or you have not logged out or restarted the device since the policy was applied. You may either log out/restart or set FileVault to On.

If it is set to On, your FileVault key will need to be rotated so that Intune can manage it. Instructions continued below.

FileVault Key Rotation – Only required if the device is already FileVault encrypted

Requirement: FileVault Escrow Profile – as noted in steps above.

Open the Terminal app and type in the commands below. You will be prompted to enter your macOS password, then your macOS user name and password again.

cd /Applications/Utilities

sudo fdesetup changerecovery -personal

Terminal app menu where you can input the command, Mac password and Mac username and password again. Username is in the second line, right below last login.

If you are unsure of what your user name is set to, it should be what is listed to the left of the @ symbol (in green in the above image). You can also press CTRL+Z to escape the command and type whoami into Terminal. You’ll then need to retype the sudo command above.

Once completed, a new personal recovery key will be issued. There is no need to write this down as there is a self-service option to get the key. Additionally, if you submit a UWaterloo Help Portal - Jira Service Management ticket, IT can retrieve your FileVault Recovery Key from the tenant.
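A read-only way to confirm from Terminal which of the steps above still applies, as an added example that is not part of the original article: it classifies the output of `profiles status -type enrollment` and `fdesetup status`. The function names and sample output strings are constructed for illustration, and the exact wording of the command output can vary between macOS versions.

```shell
#!/bin/sh
# Added example: read-only status check; it changes nothing on the Mac.

# Constructed sample output, modelled on what the two commands print.
SAMPLE_ENROLLED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_FV_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."

# Classify the text printed by `profiles status -type enrollment`.
enrollment_state() {
    case "$1" in
        *"MDM enrollment: Yes"*) echo enrolled ;;
        *"MDM enrollment: No"*)  echo not_enrolled ;;
        *)                       echo unknown ;;
    esac
}

# Classify the text printed by `fdesetup status`.
filevault_state() {
    case "$1" in
        *"FileVault is On"*)     echo on ;;
        *"Deferred enablement"*) echo deferred ;;  # will prompt at next logout/restart
        *"FileVault is Off"*)    echo off ;;
        *)                       echo unknown ;;
    esac
}

# Map the two states to the step of this article that applies.
next_step() {
    case "$(enrollment_state "$1")" in
        not_enrolled) echo "Step 1: run 'sudo profiles renew -type enrollment'"; return ;;
        unknown)      echo "Enrollment state unclear: check Device Management in System Settings"; return ;;
    esac
    case "$(filevault_state "$2")" in
        on)       echo "FileVault is on: if it was enabled before enrollment, run 'sudo fdesetup changerecovery -personal'" ;;
        deferred) echo "Step 3: log out or restart to get the FileVault prompt" ;;
        off)      echo "Wait for the FileVault Escrow Profile to sync, then log out or restart" ;;
        *)        echo "FileVault state unclear: check System Settings > Privacy & Security > FileVault" ;;
    esac
}

# On a Mac use the live commands; elsewhere fall back to the constructed samples.
if command -v profiles >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
    next_step "$(profiles status -type enrollment 2>&1)" "$(fdesetup status 2>&1)"
else
    next_step "$SAMPLE_ENROLLED" "$SAMPLE_FV_DEFERRED"
fi
```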

Company Portal

Launch the Company Portal app and perform a Check Status to sync the device to Intune. It is recommended to perform this action regularly to ensure your device is kept up to date. See: Company Portal (Available Apps and Self-Service Options) - IST Knowledge Base - Confluence (atlassian.net).


Need help?

Contact the IST Service Desk online or 519-888-4567 ext. 44357.
