Finished drafting 2203 feature

lenewsad · lenewsad · commit 712819b3c812 · 2022-03-09T20:56:57.000-05:00
diff --git a/memdocs/intune/enrollment/macos-enroll.md b/memdocs/intune/enrollment/macos-enroll.md
@@ -8,7 +8,7 @@ keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 06/12/2020
+ms.date: 03/23/2022
 ms.topic: overview
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -46,31 +46,83 @@ Complete the following prerequisites before setting up macOS device enrollment:
 - [Make sure your device is eligible for Apple device enrollment](https://support.apple.com/en-us/HT204142#eligibility).
 - [Configure domains](../fundamentals/custom-domain-name-configure.md)
 - [Set the MDM Authority](../fundamentals/mdm-authority-set.md)
-- [Create groups](../fundamentals/groups-add.md)
-- [Configure the Company Portal](../apps/company-portal-app.md)
+- [Get an Apple MDM push certificate](../enrollment/apple-mdm-push-certificate-get.md)  
 - Assign user licenses in the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?LinkId=698854)
-- [Get an Apple MDM push certificate](../enrollment/apple-mdm-push-certificate-get.md)
+- [Create groups](../fundamentals/groups-add.md)
+- [Configure the Company Portal app](../apps/company-portal-app.md)
 
-## User-owned macOS devices (BYOD)
 
-You can let users enroll their own personal devices into Intune management. This is known as "bring your own device" or BYOD. After you've completed the prerequisites and assigned user licenses, your users can enroll their devices by:
-- Going to the [Company Portal website](https://portal.manage.microsoft.com) or
-- Downloading the Mac Company Portal app at [aka.ms/EnrollMyMac](https://aka.ms/EnrollMyMac).
+## User-owned macOS devices (BYOD)
 
-You can also send your users a link to online enrollment steps: [Enroll your macOS device in Intune](../user-help/enroll-your-device-in-intune-macos-cp.md).
+People can BYOD, or *bring-your-own-device*, and enroll personal devices in Intune themselves. To set up enrollment for BYOD scenarios, complete the prerequisites in this article. Then tell your device users to use one of these options to enroll devices:  
 
-For information about other end-user tasks, see these articles:
+- Sign in to [Company Portal website](https://portal.manage.microsoft.com) and follow on-screen instructions to add device. 
+- Install Company Portal app for Mac at [aka.ms/EnrollMyMac](https://aka.ms/EnrollMyMac) and follow-on screen instructions to add device.    
 
-- [Resources about the end-user experience with Microsoft Intune](../fundamentals/end-user-educate.md)
-- [Using your macOS device with Intune](../user-help/enroll-your-device-in-intune-macos-cp.md)
 
 ## Company-owned macOS devices
-For organizations that purchase devices for their users, Intune supports the following macOS company-owned device enrollment methods:
-- [Apple's Automated Device Enrollment (ADE)](device-enrollment-program-enroll-macos.md): Organizations can purchase macOS devices through ADE. ADE lets you deploy an enrollment profile "over the air" to bring devices into management.
-- [Device enrollment manager (DEM)](device-enrollment-manager-enroll.md): You can use a DEM account to enroll up to 1,000 devices.
-- [Direct enrollment](device-enrollment-direct-enroll-macos.md): Direct enrollment does not wipe the device.
+Intune supports the following enrollment methods for company-owned macOS devices:  
+
+- [Apple Automated Device Enrollment](device-enrollment-program-enroll-macos.md): Use this method to automate the enrollment experience on devices purchased through Apple Business Manager or Apple School Manager. Automated device enrollment deploys the enrollment profile over-the-air,so you don't need to have physical access to devices.  
+- [Device enrollment manager (DEM)](device-enrollment-manager-enroll.md): Use this method for large-scale deployments and when there are multiple people in your organization who can help with enrollment setup. Someone with device enrollment manager (DEM) permissions can enroll up to 1,000 devices with a single Azure Active Directory account. This method uses the Company Portal app or Microsoft Intune app to enroll devices. You can't use a DEM account to enroll devices via Automated Device Enrollment.   
+- [Direct enrollment](device-enrollment-direct-enroll-macos.md): Direct enrollment enrolls devices with no user affinity, so this method is best for devices that aren't associated with a single user. Because there is no user associated, you can't use the Company Portal or Microsoft Intune apps to enroll devices. Instead, you download the profile and transfer it to the macOS device. This method requires you to have physical access to the Macs you're enrolling. 
+
+## Bootstrap tokens    
+
+> [!NOTE]
+> This feature is in public preview. It isn't available in GCC High and government cloud tenants.  
+
+Intune supports the use of bootstrap tokens on enrolled Macs running macOS 10.15 or later. Bootstrap tokens grant volume ownership status to local user accounts, so that non-admin users can approve important operations that an admin would otherwise need to do.  Operations such as: 
+
+* User-initiated software updates  
+* Silent FileVault encryption  
+* Kernel extension installation on Apple silicon  
+
+ You can utilize bootstrap tokens on supervised Macs, and Macs enrolled via automated device enrollment.   
+
+### Get bootstrap token  
+ 
+The bootstrap token is automatically generated when:  
+
+* A newly-enrolled Mac checks in with Intune and 
+* A secure token-enabled user (typically an Intune administrator) signs in to the Mac with their clear text password
+
+The token is then automatically escrowed to Microsoft Intune. You can use a command line tool to manually view, generate, and escrow a bootstrap token, if needed. For more information, see [Use secure token, bootstrap token, and volume ownership in deployments](https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/1/web/1.0) on Apple Support.  
 
-## Block macOS enrollment
+### Manage kernel extensions  
+A bootstrap token can be used to approve the installation of both kernel extensions and software updates on a Mac with Apple silicon. Kernel extenstion management is automatically available on Macs running macOS 11 or later and enrolled via automated device enrollment. 
+
+To enable it on a device that wasn't enrolled via automated device enrollment, you must restart the device in recoveryOS and downgrade its security settings. Shut down the device and then complete these steps as the device reboots:     
+
+1. Press and hold the power button until you see **Loading startup options**.  
+
+2. Select **Options** > **Continue**.
+
+3. If requested, enter the administrator account's password.  
+
+4. The Mac enters recovery mode and opens macOS Recovery. Select **Utilities** > **Startup Security Utility**.  
+
+5. Select the startup disk you want to use for the security policy. If the disk is encrypted with FileVault:
+    a. Select Unlock.   
+    b. Enter the password. 
+    c. Select Unlock.  
+
+6. Select **Security Policy**.
+
+7. From the security options, select **Reduced Security**.
+8. Enter the administrator's username and password. 
+9. Select from the available settings. Your options: 
+    - **Allow user management of kernel extensions from identified developers**: Select the checkbox to allow local users to approve the installation of software that uses legacy kernel extensions.  
+    - **Allow remote management of kernel extensions and automatic software updates**: Select the checkbox to authorize remote management of legacy kernel extensions and software updates in Intune.
+
+9. Select **OK**.
+
+10. Restart your Mac for the changes to take effect.  
+
+> [!TIP]
+> If you have problems starting up your Mac with Apple silicon, and think the problem is caused by third-party software installed on the device, try starting your Mac in safe mode.    
+
+## Block macOS enrollment  
 By default, Intune lets macOS devices enroll. To block macOS devices from enrollment, see [Set device type restrictions](enrollment-restrictions-set.md).
 
 ## Enroll virtual macOS machines for testing
@@ -84,7 +136,7 @@ For Parallels Desktop, you need to set the hardware type and the serial number f
 
 For VMware Fusion, you need to [edit the .vmx file](https://kb.vmware.com/s/article/1014782) to set the virtual machine's hardware model and serial number. We recommend that you match the hardware type of the device running the virtual machines to the hardware type of the virtual machines that you're creating. You can find this hardware type in **Apple menu** > **About this Mac** > **System Report** > **Model Identifier**. 
 
-## User Approved enrollment
+## User approved enrollment
 
 User Approved MDM enrollment is a type of macOS enrollment that you can use to manage certain security-sensitive settings. For more information, see [Apple's support documentation](https://support.apple.com/HT208019).  
  
@@ -100,4 +152,8 @@ BYOD macOS MDM enrollments prior to June 2020 may not be user approved if the en
 
 ## Next steps
 
-After macOS devices are enrolled, you can [create custom settings for macOS devices](../configuration/custom-settings-macos.md).
+* For user-help documentation, which provides step-by-step enrollment instructions for device users, see [Enroll your macOS device in Intune](../user-help/enroll-your-device-in-intune-macos-cp.md). You can also create your own instructions if you prefer to capture your organization's branded or customized enrollment experience.  
+
+* After macOS devices are enrolled, you can [create custom settings for macOS devices](../configuration/custom-settings-macos.md).
+
+* 
