Merge pull request #6974 from MicrosoftDocs/lenewsad-patch-4

v-dihans · web-flow · commit 62b3aa662337 · 2022-04-01T11:20:32.000-06:00
Update macos-enroll.md
diff --git a/memdocs/intune/enrollment/macos-enroll.md b/memdocs/intune/enrollment/macos-enroll.md
@@ -8,7 +8,7 @@ keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 03/23/2022
+ms.date: 03/29/2022
 ms.topic: overview
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -35,35 +35,34 @@ ms.collection:
 
 [!INCLUDE [azure_portal](../includes/azure_portal.md)]
 
-Intune lets you manage macOS devices to give users access to company email and apps.
-
-As an Intune admin, you can set up enrollment for company-owned macOS devices and personally owned macOS devices ("bring your own device" or BYOD). 
-
-## Prerequisites
+ Microsoft Intune supports enrollment on personal and company-owned devices. This article describes the methods and features you can use to enroll personal, company-owned, and VM devices in Intune. 
+ 
+## Enable enrollment in Microsoft Intune  
 
-Complete the following prerequisites before setting up macOS device enrollment:
+Complete these steps first to enable enrollment in your Microsoft Intune tenant. 
 
-- [Make sure your device is eligible for Apple device enrollment](https://support.apple.com/en-us/HT204142#eligibility).
-- [Configure domains](../fundamentals/custom-domain-name-configure.md)
-- [Set the MDM Authority](../fundamentals/mdm-authority-set.md)
-- [Get an Apple MDM push certificate](../enrollment/apple-mdm-push-certificate-get.md)  
-- Assign user licenses in the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?LinkId=698854)
-- [Create groups](../fundamentals/groups-add.md)
-- [Configure the Company Portal app](../apps/company-portal-app.md)
+1. [Verify that devices are eligible for Apple device enrollment](https://support.apple.com/en-us/HT204142#eligibility)
+2. [Configure domains](../fundamentals/custom-domain-name-configure.md)
+3. [Set the MDM Authority](../fundamentals/mdm-authority-set.md)
+4. [Get an Apple MDM push certificate](../enrollment/apple-mdm-push-certificate-get.md)  
+5. Assign user licenses in the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?LinkId=698854)
+6. [Create groups](../fundamentals/groups-add.md)
+7. [Configure the Company Portal app](../apps/company-portal-app.md)
 
+## Enroll devices
+After you enable enrollment, use one of the supported methods described in this section to enroll user-owned and company-owned devices.   
 
-## User-owned macOS devices (BYOD)
+### User-owned macOS devices (BYOD)
 
-Intune supports *bring-your-own-device*, or *BYOD*, which lets people enroll their personal devices themselves. To set up enrollment for BYOD scenarios, complete the prerequisites in this article. Then tell your device users to use one of these options to enroll devices:  
+Intune supports *bring-your-own-device*, or *BYOD*, which lets people enroll their personal devices themselves. To finish setting up enrollment for BYOD scenarios, tell your licensed users to use one of these options to enroll devices:  
 
 - Sign in to [Company Portal website](https://portal.manage.microsoft.com) and follow on-screen instructions to add device. 
 - Install Company Portal app for Mac at [aka.ms/EnrollMyMac](https://aka.ms/EnrollMyMac) and follow-on screen instructions to add device.    
 
+### Company-owned macOS devices
+Intune supports the following enrollment methods for company-owned macOS devices. Select a hyperlinked method to open its setup steps. 
 
-## Company-owned macOS devices
-Intune supports the following enrollment methods for company-owned macOS devices:  
-
-- [Apple Automated Device Enrollment](device-enrollment-program-enroll-macos.md): Use this method to automate the enrollment experience on devices purchased through Apple Business Manager or Apple School Manager. Automated device enrollment deploys the enrollment profile over-the-air, so you don't need to have physical access to devices.  
+- [Apple Automated Device Enrollment](device-enrollment-program-enroll-macos.md): Use this method to automate the enrollment experience on devices purchased through Apple Business Manager or Apple School Manager. Automated device enrollment deploys the enrollment profile over-the-air, so you don't need to have physical access to devices.   
 - [Device enrollment manager (DEM)](device-enrollment-manager-enroll.md): Use this method for large-scale deployments and when there are multiple people in your organization who can help with enrollment setup. Someone with device enrollment manager (DEM) permissions can enroll up to 1,000 devices with a single Azure Active Directory account. This method uses the Company Portal app or Microsoft Intune app to enroll devices. You can't use a DEM account to enroll devices via Automated Device Enrollment.   
 - [Direct enrollment](device-enrollment-direct-enroll-macos.md): Direct enrollment enrolls devices with no user affinity, so this method is best for devices that aren't associated with a single user. This method requires you to have physical access to the Macs you're enrolling.  
 
@@ -85,17 +84,19 @@ Intune supports the use of bootstrap tokens on enrolled Macs running macOS 10.15
  
 The bootstrap token is automatically generated when:  
 
-* A newly-enrolled Mac checks in with Intune and 
+* A newly enrolled Mac checks in with Intune and 
 * A secure token-enabled user (typically an Intune administrator) signs in to the Mac with their cleartext password
 
 The token is then automatically escrowed to Microsoft Intune. You can use a command line tool to manually view, generate, and escrow a bootstrap token on supported macOS devices, if needed. For more information, see [Use secure token, bootstrap token, and volume ownership in deployments](https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/1/web/1.0) on Apple Support.  
 
 ### Manage kernel extensions and software updates  
 A bootstrap token can be used to approve the installation of both kernel extensions and software updates on a Mac with Apple silicon. 
 
-To utilize the bootstrap token to perform user-initiated software updates, the mac must be enrolled with automated device enrollment up until macOS 11.1 or you must restart the Mac in recovery mode and downgrade its security settings. With macOS 11.2+, a mac only needs to be supervised in order for the bootstrap token to perform user-initiated software updates. For more information, see [Change security settings on the startup disk of a Mac with Apple silicon](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) on Apple Support.
+User-initiated software updates can be carried out with a bootstrap token on Macs that are running macOS, version 11.1, and enrolled via automated device enrollment. To authorize user-initiated software updates on a device that isn't enrolled via automated device enrollment, you must restart the Mac in recovery mode and downgrade its security settings. You can also utilize the bootstrap token for software updates on Macs running macOS 11.2 and later, with the only requirement being that the device needs to be supervised. 
 
-Kernel extension management is automatically available on Macs running macOS 11 or later and enrolled via automated device enrollment. To authorize the remote management of kernel extensions on a device that isn't enrolled via automated device enrollment, you must restart the Mac in recovery mode and downgrade its security settings. For more information, see [Change security settings on the startup disk of a Mac with Apple silicon](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) on Apple Support.      
+Kernel extension management is automatically available on Macs running macOS 11 or later and enrolled via automated device enrollment. To authorize the remote management of kernel extensions on a device that isn't enrolled via automated device enrollment, you must restart the Mac in recovery mode and downgrade its security settings.
+
+For more information about changing security settings, see [Change security settings on the startup disk of a Mac with Apple silicon](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) on Apple Support.      
 
 ## Block macOS enrollment  
 By default, Intune lets macOS devices enroll. To block macOS devices from enrollment, see [Set device type restrictions](enrollment-restrictions-set.md).  
@@ -121,40 +122,43 @@ For more information, see the following topics in the Parallels knowledge base:
 * [How to enroll a macOS VM in Parallels Desktop using Intune](https://kb.parallels.com/en/124564)  
 * [How to find and change the serial number](https://kb.parallels.com/123455)  
 
-
 ### VMware Fusion
 Add the following lines to your .vmx file to set the VM's hardware model and serial number. The values shown in this sample are examples.  
 
 ```md
 serialNumber = "ABC123456789"  
 hw.model = "MacBookAir10,1"  
-```
-
+```  
 Enter any string of alphanumeric characters for the serial number. For hardware model, we recommend using the model of the device that's running the VM. To find your Mac's hardware model, select the Apple menu and go to **About This Mac** > **System Report** > **Model Identifier**.   
 
 See the VMware customer connect website for more information about [editing the .vmx file for your VMware Fusion VM](https://kb.vmware.com/s/article/1014782).  
 
 ### Apple Silicon 
-No changes are required for virtual machines running on Apple Silicon hardware. Parallels Desktop and VMware Fusion are supported on Macs with Apple Silicon, so if you set up a VM this way, you don't need to modify the hardware model ID or serial number. 
+No changes are required for virtual machines running on Apple Silicon hardware. Parallels Desktop and VMware Fusion are supported on Macs with Apple Silicon, so if you set up a VM this way, you don't need to modify the hardware model ID or serial number.  
 
-## User approved enrollment
+## User-approved enrollment
+
+All Mac enrollments in Intune are considered user-approved. User-approved enrollment lets you manage macOS devices that aren't part of Apple School Manager or Apple Business Manager. It provides the same level of control as supervised macOS devices enrolled using Automated Device Enrollment or Apple Configurator. 
+
+Intune automatically turns on supervision for user-approved devices running macOS 11 and later. It also does this for enrolled devices that later update to macOS 11 or later.  
 
-User Approved MDM enrollment is a type of macOS enrollment that you can use to manage certain security-sensitive settings. For more information, see [Apple's support documentation](https://support.apple.com/HT208019).  
- 
-As of June 2020, all new macOS MDM enrollments in Intune, including those not done through Automated Device Enrollment (ADE), are considered user approved. The end-user must manually install the management profile in **System Preferences** > **Profiles**, and thus provide approval of the management profile. System Preferences is launched automatically from the Company Portal app for BYOD macOS users. [Instructions to install the management profile](../user-help/enroll-your-device-in-intune-macos-cp.md) are provided in the Company Portal app.     
 
-BYOD macOS MDM enrollments prior to June 2020 may not be user approved if the end-user did not manually provide approval of the management profile in **System Preferences** > **Profiles**. For BYOD enrollments after June 2020, the Company Portal app launches **System Preferences** for the user and the user will need to select Install. If the user didn't approve the management profile during enrollment, the user can go to **System Preferences** > **Profiles**, choose the management profile, and select **Approve** to approve the profile at a later point in time.
+> [!NOTE]
+> Intune announced support for user approved enrollment in June 2020. BYOD enrollments that occured before that time may not be user-approved. For more information about Apple devices becoming user approved, see [User approved MDM enrollment](https://support.apple.com/HT208019) on the Apple Support website. 
+
+### User experience     
+The device user signs in to the Company Portal app to initiate enrollment. Company Portal then opens the device's system preferences and prompts the user to install the management profile. Company Portal provides in-app instructions to help users find the profile. Users go to **System Preferences** > **Profiles** to  approve the management profile installation. Device users that don't provide approval during enrollment can return to system preferences later to give approval.  
 
-### Find out if a device is User Approved
+### Find out if device is user approved  
 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Choose **Devices** > **All devices**> choose the device > **Hardware**.
-3. Check the **User approved enrollment** field.
+2. Choose **Devices** > **All devices**.
+3. Choose a macOS device.
+4. From the side menu, select **Hardware**.  
+5. Check the value next to **User approved enrollment**.  
 
 
 ## Next steps
 
 * For user-help documentation, which provides step-by-step enrollment instructions for device users, see [Enroll your macOS device in Intune](../user-help/enroll-your-device-in-intune-macos-cp.md). You can also create your own instructions if you prefer to capture your organization's branded or customized enrollment experience.  
 
-* After macOS devices are enrolled, you can [create custom settings for macOS devices](../configuration/custom-settings-macos.md).
-
-* 
+* After macOS devices are enrolled, you can [create custom settings for macOS devices](../configuration/custom-settings-macos.md).  
