
How do I add Macs purchased by employees to ABM

I want to deploy MDM (InTune) to our Macs. We have a couple dozen that were just purchased by employees and they were reimbursed. We consider these company property and will retain them in the case that employees leave.


In order to manage and enforce our security policies with InTune, my understanding was that all these devices need to be listed in our company ABM. Because they were purchased directly from Apple by employees, they are not tied to our recently created OrganizationID.


  1. In order for InTune/MDM to enforce security policies, do we need to add these legacy Macs to our ABM?
  2. Is there a way to convert a Mac to use the company ID rather than the personal ID that may be used? This may not be as important if the answer to #1 is "yes you can enforce policies on these devices".


I'd like to determine the right path to take to accomplish this in the next two weeks. We have a small number of Macs, but I need them to enforce our security policy for our compliance certification. Thanks!

Posted on Apr 4, 2023 10:17 AM

Question marked as Best reply

Posted on Apr 4, 2023 6:28 PM

You have two methods of doing this.


If you want them in your ABM, you can manually inject the retail-purchased Mac by using Apple Configurator on your iPhone. Apple Configurator User Guide - Apple Support. Please note, this is a manual process and one that you do not want to repeat for all future devices. Make sure you are buying direct from Apple or from a DEP-aware reseller so purchases are available in ABM before you receive the devices.


However, in order to do this, you must do it from Setup Assistant. If these units have already been set up and are in use, you will need to erase all contents and settings in order to trigger Setup Assistant again. Using Apple Configurator will inject these devices into ABM, thus making them eligible for automated enrollment. However, they will initially appear as assigned to Apple Configurator. You will need to reassign them to your InTune MDM in ABM and then you can erase and then run through the DEP enrollment.


The second option is that you can manually enroll the devices by using the Microsoft Company Portal app. https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-your-device-in-intune-macos-cp. This is obviously not as automated as DEP workflows. You will need to manually set up the device, then install Company Portal, and then go through a user-initiated enrollment process.


The ideal way of doing this is through an automated enrollment process. The units should not be purchased through retail. But since you have them, and assuming they are barely in production, you could reset them and inject using Apple Configurator. If these units are too deep into production, then use the Company Portal.


Hope this helps.


Reid
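To confirm which of the two routes described in the answer above a given Mac actually ended up on, the output of macOS's `profiles status -type enrollment` can be classified as below. This is an added example, not part of the original posts; the label names (`automated`, `user-initiated`, `not-enrolled`), the function name and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a Mac's MDM enrollment state from the text printed by
#   profiles status -type enrollment
# The three labels are this example's own naming, not Apple's or Microsoft's.

# Reads the command output on stdin and prints exactly one label.
classify_enrollment() {
    dep=""
    mdm=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "Enrolled via DEP:"*) dep=${line#*: } ;;
            "MDM enrollment:"*)   mdm=${line#*: } ;;
        esac
    done
    case "$mdm" in
        Yes*) ;;                                  # some MDM profile is installed
        *) echo "not-enrolled"; return 0 ;;
    esac
    case "$dep" in
        Yes*) echo "automated" ;;       # device was assigned in ABM (DEP workflow)
        *)    echo "user-initiated" ;;  # e.g. enrolled through Company Portal
    esac
}

# Constructed sample outputs (placeholder server URL).
SAMPLE_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/enroll'

SAMPLE_PORTAL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/enroll'

SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# On a Mac, classify the local machine; skipped where `profiles` is absent.
if command -v profiles >/dev/null 2>&1; then
    out=$(profiles status -type enrollment 2>/dev/null || true)
    printf 'this Mac: %s\n' "$(printf '%s\n' "$out" | classify_enrollment)"
fi
```

A device reporting `user-initiated` is managed but was not enrolled through the ABM assignment, which is the state the Company Portal route produces.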




Apr 5, 2023 6:31 AM in response to Strontium90

Thanks. Very helpful. I am sure understanding ABM and the Apple purchasing program will be beneficial as I add more clients and need to manage their Macs and Apple devices.


I am working on an eCommerce plan with Apple, so anything that we purchase new will be in ABM.


I have a compliance agent on each endpoint that checks for key security policies (AV, FileVault, FW, Password Policy, Screen Lock < 15 min) and reports anything out of compliance. Our employees are following my instructions to manually set the policies and install a security profile. This seems the easiest way to monitor what we need for an upcoming audit. I will return to the MDM project in the near future.
