From Enrollment to Compliance: Managing macOS Devices with Microsoft Intune - Part 1


Introduction
As macOS devices increasingly become part of the modern enterprise environment, IT professionals face the challenge of managing these devices seamlessly and securely. Microsoft Intune offers a powerful solution, enabling unified endpoint management (UEM) for macOS alongside Windows, iOS, and Android platforms. In this blog, I’ll walk through the entire lifecycle of managing macOS devices with Intune—from initial enrollment to ensuring full compliance with your organization’s policies.
Understanding Microsoft Intune for macOS Management
Microsoft Intune empowers IT teams to manage various operating systems through a single console, simplifying operations while enhancing security and compliance.
Key Benefits Include:
Centralized device management
Policy-driven configuration and compliance
Integration with Azure Active Directory and Microsoft Endpoint Manager
Managing macOS devices with Intune ensures your Apple fleet is just as secure, compliant, and manageable as your Windows devices.
Preparing for macOS Device Enrollment (Checklist)
Before you enroll any devices, preparation is crucial. Make sure the following items are in place.
Checklist for Readiness:
Apple Business Manager (ABM): Required for Automated Device Enrollment (ADE).
Apple MDM Push Certificate: Allows secure communication between Apple devices and your organization's MDM system.
Intune Licensing: Confirm that users are assigned proper Intune licenses.
Check out this awesome overview made by Aaron Dinnage: https://m365maps.com/
Network Configuration: Ensure that your endpoints can reach the Microsoft network endpoints used by the Intune services. The following PowerShell commands return a list of all endpoints (IPs and DNS names):
# Query the Microsoft 365 endpoint web service once for the MEM (Intune) service area
$uri = "https://endpoints.office.com/endpoints/WorldWide?ServiceAreas=MEM&clientrequestid=" + [guid]::NewGuid().Guid
$endpoints = Invoke-RestMethod -Uri $uri
# Get a list of all IP addresses of the Microsoft Intune network endpoints
$endpoints | Where-Object { $_.serviceArea -eq "MEM" -and $_.ips } | Select-Object -Unique -ExpandProperty ips
# Get a list of all DNS names of the Microsoft Intune network endpoints
$endpoints | Where-Object { $_.serviceArea -eq "MEM" -and $_.urls } | Select-Object -Unique -ExpandProperty urls
For more details about the network endpoints, see: https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/intune-endpoints
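As an added example (not code from the original post), the following PowerShell 7 script pulls the same endpoint list and tests TCP reachability of every required, non-wildcard DNS name from the machine it runs on. It assumes pwsh is installed on the Mac or test host and that only outbound TCP connectivity matters; `Test-TcpEndpoint` is a helper defined here, not an Intune cmdlet.

```powershell
# Added example: check that this machine can reach the required Intune (MEM) endpoints.
# Assumption: PowerShell 7 (pwsh); only outbound TCP connects are tested, not proxy policy or TLS inspection.
$uri = "https://endpoints.office.com/endpoints/WorldWide?ServiceAreas=MEM&clientrequestid=" + [guid]::NewGuid().Guid
$entries = Invoke-RestMethod -Uri $uri | Where-Object { $_.serviceArea -eq "MEM" -and $_.required -and $_.urls }

function Test-TcpEndpoint {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $task = $client.ConnectAsync($HostName, $Port)
        # Bound the wait: a silently dropped SYN (firewall) must not stall the whole run
        if (-not $task.Wait($TimeoutMs)) { return $false }
        return $client.Connected
    } catch {
        # DNS failure or connection refused both count as unreachable
        return $false
    } finally {
        $client.Dispose()
    }
}

$results = foreach ($e in $entries) {
    # tcpPorts is a comma-separated string such as "80,443"; assume 443 when it is absent
    $ports = if ($e.tcpPorts) { $e.tcpPorts -split ',' } else { @('443') }
    foreach ($url in $e.urls) {
        # Wildcard names (*.manage.microsoft.com) cannot be connected to directly; list them for manual review
        if ($url.StartsWith('*')) {
            [pscustomobject]@{ Id = $e.id; Host = $url; Port = '-'; Reachable = 'wildcard (verify proxy/firewall rule)' }
            continue
        }
        foreach ($p in $ports) {
            [pscustomobject]@{ Id = $e.id; Host = $url; Port = [int]$p; Reachable = (Test-TcpEndpoint -HostName $url -Port ([int]$p)) }
        }
    }
}

$results | Sort-Object Reachable, Host | Format-Table -AutoSize
# Every row reported as False is a host this machine cannot reach: fix the proxy or firewall rule before enrolling
```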
Setup
Apple Business Manager (ABM)
Apple Business Manager (ABM) is a free, web-based portal designed by Apple to help organizations easily deploy and manage Apple devices like iPhones, iPads, Macs, and Apple TVs. It acts as a bridge between your organization, Apple, and your Mobile Device Management (MDM) solution—such as Microsoft Intune.
The following company and personal details are required without exception for creating a new Apple Business Manager account:
Company Information:
Company Name
D-U-N-S Number (A unique identifier for businesses from https://www.dnb.com/en-us/smb/duns.html)
Main Company Phone Number
Official Company Website
Requester (Applicant) Information:
First Name
Last Name
Business Email Address
Job Role or Function
Verifier (Person in Higher Management):
The verifier must be someone in a senior management position authorized to approve the request.
First Name
Last Name
Business Email Address
Job Role or Function
Once the prerequisites are met, the setup process can begin.
First, we need to create an Apple Business Manager account.
To do this, head over to https://business.apple.com and click on "Sign up now."
Next, enter your personal details and your company information.
Ensure that this matches the information provided for the requester (Applicant).
Important:
Use a personal email address rather than a generic one (e.g., it@company.xy), as Apple verifies that the address belongs to a real person — if it doesn’t, your verification might fail!
Now, enter the required information for the Verifier — someone from higher management.
Apple will contact this person by email or phone to complete the verification process.
After submitting all the details, you should be able to log in to the Apple Business Manager.
To continue with the setup, you’ll need to wait until the verification process is complete.
Note: This process may take a few days to complete.
Administrator Account
Once the verification is completed, I recommend creating a generic admin account in Apple Business Manager.
I use this account for the further setup steps.
You’ll need an Administrator account later to generate certificates and tokens.
It also makes it easier to renew them in the future, especially if more than one person manages Apple devices in your organization.
Apple MDM Push Certificate
The first thing we need to create after successfully setting up the Apple Business Manager account is an Apple Push Certificate.
An Apple MDM Push Certificate is required to manage iOS, iPadOS, and macOS devices in Microsoft Intune.
It also allows devices to enroll using:
The Intune Company Portal app
Apple bulk enrollment methods, like the Device Enrollment Program, Apple School Manager, and Apple Configurator
Create a Push Certificate
Go to Intune > Devices > macOS > Enrollment and click on Apple MDM Push Certificate.
This will open a new blade.
In Step 1, make sure to check "I agree."
Then, in Step 2, click "Download your CSR" to download the Certificate Request file.
You will download a file named IntuneCSR.csr.
In Step 3, select "Create your MDM Push Certificate."
You’ll be redirected to the Apple Business Manager.
Now log in with your Apple Business Manager Administrator account (use the generic admin account you created!).
Then click on "Create a Certificate."
(I already have two existing certificates)
Next, review and accept the license terms to continue.
In the final step, upload the IntuneCSR.csr file to generate the certificate.
🎉 You’ve successfully created the push certificate!
Download the certificate to your device — we’ll need to upload it to Intune in the next step!
Switch back to Intune and enter the Apple ID you used to create the Push Certificate in Step 4.
In Step 5, upload the Push Certificate you downloaded from Apple Business Manager and hit Upload!
🎉 Done! We've successfully created the Apple Push Certificate in Intune.
You should now see the following details:
Now we’re ready to enroll and configure macOS (and iOS/iPadOS) devices.
All the necessary configuration options are now available.
Don't Forget: Renew Your Apple Push Certificate Annually
The Apple Push Certificate is valid for one year from the date of creation.
It’s essential to renew it before it expires to keep managing your Apple devices without disruption.
Important:
If you miss the renewal date, you still have a 30-day grace period to renew the certificate.
If you don't renew it within those 30 days, you’ll be forced to create a new certificate and manually re-enroll all managed devices — a process that can be time-consuming and disruptive.
Tip:
Set yourself a calendar reminder well in advance of the expiration date to ensure a smooth renewal and avoid unnecessary rework.
How to Renew the Apple Push Certificate
Renewing the Apple Push Certificate is very similar to creating it the first time.
Just follow these steps:
In Intune, go to Devices > macOS > Enrollment > Apple MDM Push Certificate.
Download a new Certificate Request file (IntuneCSR.csr).
Go to the Apple Business Manager (link in Step 3 of the Intune portal).
Locate your existing certificate (linked to your Apple ID).
Click on Renew.
Upload the new CSR file.
Download the renewed certificate.
Once done, upload the new certificate back into Intune — just like you did when first creating it.
Note: Make sure to use the same Apple ID you used for the original certificate. Otherwise, Intune won’t recognize the renewal.
Enrollment Program Token
What Is an Enrollment Program Token?
The Enrollment Program Token (also known as DEP Token) connects Apple Business Manager with Microsoft Intune.
It allows you to:
Automatically assign Apple devices (Mac, iPhone, iPad) to Intune as soon as they’re purchased or added to Apple Business Manager.
Enable zero-touch enrollment — users just turn on the device, and it’s automatically configured with your company’s settings and policies.
This token ensures your devices are securely enrolled and managed from the moment they leave the box — saving time and reducing manual setup.
How to Generate and Upload the DEP Token in Intune
To connect Apple Business Manager with Intune, you need to create and upload a DEP Token. Here’s how:
1. Go to Intune
In the Microsoft Intune portal, go to Devices > Enrollment > Apple > Enrollment Program Tokens.
Click Create.
Check "I agree".
Click "Download your public key".
This will download a certificate file named IntuneKey[Date, Time].pem.
You’ll need to upload this file in the next step within Apple Business Manager.
2. Go to Apple Business Manager
Sign in to business.apple.com using your Administrator Apple ID
(1) - In the bottom left corner, click on your name and select Preferences
(2) - Under Your MDM Servers, click the plus icon (+) to add a new server
(3) - Give your MDM server a name — for example: Cloud Alp or Intune Cloud Alp
(4) - Check "Allow this MDM Server to release devices" (see more details below)
(5) - Upload the certificate file IntuneKey[Date, Time].pem from Step 1
(6) - Click Save
What Does “Allow this MDM Server to Release Devices” Mean in Apple Business Manager?
This setting determines whether your MDM server (in this example, Intune) is allowed to permanently remove devices from your Apple Business Manager organization.
Releasing a device means:
It is permanently removed from your Apple Business Manager account.
After a reset, the device will no longer be automatically enrolled in MDM.
It can be used like a normal, unmanaged Apple device.
This action is permanent and cannot be undone.
To re-enroll the device, you’ll need to manually add it to Apple Business Manager again.
When Should You Enable This?
Enable this setting if:
You want Intune to automatically release devices you’re retiring, selling, or handing over.
You trust your MDM and want to streamline the offboarding process.
When Should You Leave It Disabled?
Leave it off if:
You want to manually control which devices are released.
You want to prevent accidental removal of devices from Apple Business Manager.
3. Download MDM Server Token
In Apple Business Manager, you should now see your MDM server listed.
Click on "Download MDM Server Token" to get the token required for Intune.
This will download a file with the extension .p7m.
4. Upload MDM Server Token to Intune and create the DEP Token
Once you've downloaded the file, switch back to Intune and upload the MDM Server Token.
Make sure to enter the Apple ID you used to create the token in Apple Business Manager.
After clicking Create, you’ll see that the token is valid for one year.
Remember: it must be renewed before it expires to keep automatic enrollment working smoothly.
What Happens When the DEP Token Expires?
If the DEP Token expires, the connection between Apple Business Manager and Microsoft Intune is broken.
Here’s what that means:
Automatic enrollment stops working — newly assigned devices won’t appear in Intune.
You can't manage existing assignments or push changes from Apple Business Manager to Intune.
Devices already enrolled remain managed, but no new devices can be added through Apple Business Manager.
Good to know:
You won’t need to re-enroll existing devices, but you must renew the token as soon as possible to restore full functionality.
Tip: Set a reminder to renew the token before the 12-month period ends!
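The calendar reminders recommended above for the push certificate and the DEP token can be backed by a scheduled check. As an added example (not code from the original post), this PowerShell script reads the expiry dates of the Apple Push Certificate, the enrollment program (DEP) tokens and the VPP tokens from Microsoft Graph and flags anything expiring within a configurable number of days; it assumes the Microsoft.Graph PowerShell module is installed, that the signed-in account may read Intune service configuration and app settings, and that it is saved as a .ps1 file. `Get-ExpiryStatus` is a helper defined here, not a Graph cmdlet.

```powershell
# Added example: report the remaining validity of the Intune/Apple connectors via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; run as a .ps1 (the param block needs a script file).
param([int]$WarnDays = 30)

Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All", "DeviceManagementApps.Read.All"

function Get-ExpiryStatus {
    param([string]$Kind, [string]$Name, [datetime]$ExpiresOn, [int]$WarnDays)
    $daysLeft = [math]::Floor(($ExpiresOn.ToUniversalTime() - [datetime]::UtcNow).TotalDays)
    # State is derived only from days remaining; the post-expiry grace period of the push certificate is not modelled
    $state = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' } else { 'OK' }
    [pscustomobject]@{ Kind = $Kind; Name = $Name; ExpiresOn = $ExpiresOn.ToString('u'); DaysLeft = $daysLeft; State = $state }
}

$rows = @()

# Apple MDM Push Certificate (one per tenant)
$apns = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate"
$rows += Get-ExpiryStatus -Kind 'Apple Push Certificate' -Name $apns.appleIdentifier -ExpiresOn $apns.expirationDateTime -WarnDays $WarnDays

# DEP / enrollment program tokens (beta endpoint; one entry per MDM server added in Apple Business Manager)
$dep = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings"
foreach ($t in $dep.value) {
    $rows += Get-ExpiryStatus -Kind 'DEP Token' -Name $t.tokenName -ExpiresOn $t.tokenExpirationDateTime -WarnDays $WarnDays
}

# VPP tokens also carry an expirationDateTime in Graph, so they are included in the same report
$vpp = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/vppTokens"
foreach ($t in $vpp.value) {
    $rows += Get-ExpiryStatus -Kind 'VPP Token' -Name $t.appleId -ExpiresOn $t.expirationDateTime -WarnDays $WarnDays
}

$rows | Sort-Object DaysLeft | Format-Table -AutoSize
# Exit non-zero when anything needs attention so a scheduled run (Azure Automation, cron, Task Scheduler) can alert
if ($rows | Where-Object State -ne 'OK') { exit 1 }
```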
Apple Volume Purchase Token (VPP)
The final chapter in this blog post covers the Apple Volume Purchase Token (VPP Token).
What Is an Apple Volume Purchase Token (VPP) and What Is It Used For?
The Apple Volume Purchase Token (VPP Token) connects Apple Business Manager with Microsoft Intune to manage and distribute apps.
With a VPP Token, you can:
Purchase and assign apps (free or paid) in bulk for iOS, iPadOS, and macOS devices.
Silently install apps on managed devices without requiring an Apple ID.
Reassign app licenses between users or devices — no need to repurchase.
This makes app deployment easier, especially in larger environments where many users need the same apps.
How to Create an Apple Volume Purchase Token (VPP Token)
To distribute apps through Intune without requiring an Apple ID on each device, you need to create and upload a Volume Purchase Token (VPP Token). Here’s how to do it:
1. Sign in to Apple Business Manager
Go to business.apple.com and log in with your Administrator Apple ID.
In the bottom-left corner, click on your name and select Preferences.
Under Preferences, click on Payments and Billing.
In the Content Tokens section, find your location or organization name.
Click Download next to your MDM server.
This will download a file with the extension .vpptoken.
2. Upload the Token in Intune
Switch to Microsoft Intune.
Go to Tenant Administration > Connectors and Tokens > Apple VPP Tokens.
Click Create.
Specify a Token Name, for example Cloud Alp VPP.
Enter the Apple ID you used to download the VPP Token file.
Upload the .vpptoken file.
Next, configure the following settings:
With these settings, you’re ready to create your VPP token.
The option "Take control of token from another MDM" in Intune is used when you are migrating the VPP (Volume Purchase Program) token from another MDM solution to Intune.
If you previously used an Apple VPP token with another MDM solution (e.g. Jamf, MobileIron, etc.), enabling this option allows Intune to take over control of that token. This ensures that app licenses and assignments can continue to be managed through Intune without having to revoke or reassign everything manually.
Under Country/Region, select your country — in my case, I’m using Switzerland.
This setting is important because some apps are only available in certain countries.
Make sure you select the correct country to avoid issues with app availability.
The “Automatic app updates” option in the VPP token settings in Intune controls whether apps purchased through Apple Business Manager (VPP) are automatically updated on managed devices.
When to enable it (Yes):
You want to minimize manual effort and ensure users always have the latest app version.
Your environment benefits from automatic feature and security updates.
When to disable it (No):
You prefer to control when updates are applied (e.g., in case of compatibility issues).
You have apps that need to be tested before rollout.
What We’ve Set Up – And Why It Matters
In this guide, we’ve set up three essential components for managing Apple devices with Microsoft Intune:
Apple Push Certificate
This certificate allows Intune to communicate securely with Apple devices (macOS, iOS, iPadOS).
It’s required for:
Managing Apple devices through Intune
Pushing policies, apps, and configurations
Ensuring secure communication between Intune and Apple devices
DEP Token
This token connects Apple Business Manager to Intune.
It enables:
Automatic (zero-touch) enrollment of Apple devices
Assigning newly purchased or added devices directly to Intune
Streamlined and secure onboarding for users and IT admins
Volume Purchase Token (VPP Token)
The VPP token allows Intune to manage and distribute apps purchased via Apple Business Manager.
It enables:
Bulk app purchases and deployments
Installing apps on managed devices without requiring an Apple ID
Reassigning app licenses between users or devices as needed
Also Required for iOS and iPadOS Management
The three components we’ve set up — the Apple Push Certificate, the DEP Token, and the VPP Token — are not only essential for managing macOS devices, but also for iOS and iPadOS.
To manage iPhones and iPads with Microsoft Intune, you need:
The Apple Push Certificate for secure communication
The DEP Token for zero-touch enrollment via Apple Business Manager
The VPP Token to silently distribute and manage apps without Apple IDs
Together, these three components form the foundation of a secure, efficient, and scalable Apple device management solution with Microsoft Intune.
They allow your organization to simplify onboarding, streamline app deployment, and maintain full control over your Apple fleet.
What’s Next?
This post is the first part of a complete guide to managing macOS devices with Microsoft Intune.
In this chapter, we’ve focused on getting everything ready — from setting up Apple Business Manager to connecting it with Intune via certificates and tokens.
In the next parts, we’ll go one step further:
✅ Configure device policies
✅ Manage Applications
✅ Enforce compliance rules
✅ Deploy security baselines and custom settings
✅ Deploy Defender for Endpoint
✅ Set up conditional access for macOS
With these configurations in place, your Mac fleet will be fully integrated, secured, and compliant — just like your Windows devices.
💡 More chapters may follow, depending on feedback and demand — so stay tuned!
Read articles from Remo Ernst directly inside your inbox. Subscribe to the newsletter, and don't miss out.
