This page provides instructions on how to enrolling your new or reimaged device into Intune.

Table of Contents:

Prerequisites

• MacOS device with minimum OS level of 12.0 (Monterey)

• For reimaged devices, ensure the hard drive is properly erased. Use Disk Utility to erase a Mac with Apple silicon - Apple Support Use Disk Utility to erase an Intel-based Mac - Apple Support

• Device is unbound from Active Directory

• Enrollment completed by the Primary User of the device

1. Device Enrollment

Note: Enrollment can take up to 1 hour to finalizing syncing and installing all settings and required applications. Please ensure you allocate enough time for the process to finish.

After turning on the Mac, you will be presented with the Apple Setup Assistant. Navigate through the wizard and connect to the internet. Once connected, you may be prompted at an activation screen to restart your Mac. Continue through the wizard to receive the Remote Management window which denotes that the University of Waterloo can configure your computer. Click Continue.

Open

Next, you’ll be asked to enter your University of Waterloo email address and password, along with applicable DUO authentication requests.

Open

It will then install the enrollment profile. Click Continue and follow through the Setup Assistant wizard.

When creating the Computer Account, it is recommended that your Account name match your WatIAM username and password. While you can set any password here, passwords that don’t meet the Password requirements will be forced to changed after enrollment.

After the enrollment is finalized, the initial Intune Management Profile will be installed under System Settings > Privacy & Security > Profiles. The subsequent profiles applicable to your device will install as the device connects in with Intune.

These profiles include enforced settings that help secure the device, such as enabling FileVault, password requirements, OS update enforcement, and disabling guest accounts. Options in the System Settings that are greyed out, are now enforced by Intune and cannot be changed. It can take up to 1 hour to finalize installing all settings and required applications. It is recommended to leave the device on and connected to the internet.

After additional profiles have installed, outside of the initial “Management Profile”, proceed with step 2.

2. Password Requirements

Passwords that do not meet the requirements as enforced by Intune, will be prompted to reset at next login. Passwords can be changed under System Settings > Login Password > Change.

Max Password Age: 730 Days
Max Grace Period before requiring Password: 1 Minute
Minimum Complex Characters: 1
Password History: 6
Require Alphanumeric Password: True
Minimum Length: 8

Once you have ensured the login account has a secure password, proceed to step 3.

3. FileVault

FileVault is an additional layer of security for MacOS, performing disk encryption on the device. Our Intune policies will force your MacOS to enable FileVault and perform a disk encryption. The next time you logout or restart the device, you will be prompted for your MacOS password to enable the encryption. This can be bypassed up to 3 times before it will be forced to Enable Now.

Note: You may receive an “Incorrect Password” prompt in the FileVault window. This is likely due to a requirement to update your MacOS password to meet security standards. The next time you login to the device, you should be prompted to update your password, then the FileVault window should reappear.

Company Portal and Self-Service options

The Intune Company Portal app allows device users to perform various self-service functions such as, device syncing and compliance through check status, and installing available applications. The Company Portal app will automatically install upon enrollment.

Upon launching the Company Portal app, you will be prompted to Sign In with your University of Waterloo credentials, along with applicable DUO authentication requests.

You will then see a list of devices that are associated with your UofW ID in Intune.

Note: Not all UofW managed devices are currently enrolled in Intune. In addition, you may see more devices than your primary assigned device. Please submit an Information Systems and Technology - Jira Service Management (atlassian.net) ticket to have devices unassigned.

Check Status

In the Company Portal app, clicking on the ellipsis then selecting Check status will sync the Mac with Intune, prompting the device to check its compliance status, download any missing profiles, apply policies, and/or required applications.

If the device’s status is listed as Not in compliance, there are pending requirements that still need to be met on the device. These can include enabling FileVault and/or updating your Mac password.

If your Mac continues to be Not in compliance, please submit an Information Systems and Technology - Jira Service Management (atlassian.net) ticket

Available Applications

The Company Portal app allows users to download and install a curated list of applications.

In the Company Portal app, click on the Apps tab, then select your desired application and click Install.

Application install timing may vary based on application size, Intune server load, bandwidth, routing, and/or device specs.

FileVault Recovery Key

The FileVault recovery key is required to decrypt your data in the event that you are locked out of your device. You can a retrieve this from the Microsoft Intune Web Company Portal by selecting the device and clicking on Get recovery key. If you are unable to access the site, an Intune admin can receive the key from the portal. Please submit an Information Systems and Technology - Jira Service Management (atlassian.net) ticket for assistance.

In the event that neither the FileVault key or account password are usable, the device may be required to be completely wiped and re-imaged. Use Disk Utility to erase a Mac with Apple silicon - Apple Support Use Disk Utility to erase an Intel-based Mac - Apple Support

Questions/Feedback

Mac Enrollment Feedback form

Email - Feedback, Questions or Help

Related articles