Merge pull request #6993 from lenewsad/Bootstrap9539461

lenewsad · web-flow · commit ddd652b7c207 · 2022-03-10T10:48:04.000-05:00
Draft for 2203 bootstrap token feature
diff --git a/memdocs/intune/enrollment/macos-enroll.md b/memdocs/intune/enrollment/macos-enroll.md
@@ -8,7 +8,7 @@ keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 06/12/2020
+ms.date: 03/23/2022
 ms.topic: overview
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -46,32 +46,56 @@ Complete the following prerequisites before setting up macOS device enrollment:
 - [Make sure your device is eligible for Apple device enrollment](https://support.apple.com/en-us/HT204142#eligibility).
 - [Configure domains](../fundamentals/custom-domain-name-configure.md)
 - [Set the MDM Authority](../fundamentals/mdm-authority-set.md)
-- [Create groups](../fundamentals/groups-add.md)
-- [Configure the Company Portal](../apps/company-portal-app.md)
+- [Get an Apple MDM push certificate](../enrollment/apple-mdm-push-certificate-get.md)  
 - Assign user licenses in the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?LinkId=698854)
-- [Get an Apple MDM push certificate](../enrollment/apple-mdm-push-certificate-get.md)
+- [Create groups](../fundamentals/groups-add.md)
+- [Configure the Company Portal app](../apps/company-portal-app.md)
 
-## User-owned macOS devices (BYOD)
 
-You can let users enroll their own personal devices into Intune management. This is known as "bring your own device" or BYOD. After you've completed the prerequisites and assigned user licenses, your users can enroll their devices by:
-- Going to the [Company Portal website](https://portal.manage.microsoft.com) or
-- Downloading the Mac Company Portal app at [aka.ms/EnrollMyMac](https://aka.ms/EnrollMyMac).
+## User-owned macOS devices (BYOD)
 
-You can also send your users a link to online enrollment steps: [Enroll your macOS device in Intune](../user-help/enroll-your-device-in-intune-macos-cp.md).
+Intune supports *bring-your-own-device*, or *BYOD*, which lets people enroll their personal devices themselves. To set up enrollment for BYOD scenarios, complete the prerequisites in this article. Then tell your device users to use one of these options to enroll devices:  
 
-For information about other end-user tasks, see these articles:
+- Sign in to [Company Portal website](https://portal.manage.microsoft.com) and follow on-screen instructions to add device. 
+- Install Company Portal app for Mac at [aka.ms/EnrollMyMac](https://aka.ms/EnrollMyMac) and follow-on screen instructions to add device.    
 
-- [Resources about the end-user experience with Microsoft Intune](../fundamentals/end-user-educate.md)
-- [Using your macOS device with Intune](../user-help/enroll-your-device-in-intune-macos-cp.md)
 
 ## Company-owned macOS devices
-For organizations that purchase devices for their users, Intune supports the following macOS company-owned device enrollment methods:
-- [Apple's Automated Device Enrollment (ADE)](device-enrollment-program-enroll-macos.md): Organizations can purchase macOS devices through ADE. ADE lets you deploy an enrollment profile "over the air" to bring devices into management.
-- [Device enrollment manager (DEM)](device-enrollment-manager-enroll.md): You can use a DEM account to enroll up to 1,000 devices.
-- [Direct enrollment](device-enrollment-direct-enroll-macos.md): Direct enrollment does not wipe the device.
+Intune supports the following enrollment methods for company-owned macOS devices:  
+
+- [Apple Automated Device Enrollment](device-enrollment-program-enroll-macos.md): Use this method to automate the enrollment experience on devices purchased through Apple Business Manager or Apple School Manager. Automated device enrollment deploys the enrollment profile over-the-air,so you don't need to have physical access to devices.  
+- [Device enrollment manager (DEM)](device-enrollment-manager-enroll.md): Use this method for large-scale deployments and when there are multiple people in your organization who can help with enrollment setup. Someone with device enrollment manager (DEM) permissions can enroll up to 1,000 devices with a single Azure Active Directory account. This method uses the Company Portal app or Microsoft Intune app to enroll devices. You can't use a DEM account to enroll devices via Automated Device Enrollment.   
+- [Direct enrollment](device-enrollment-direct-enroll-macos.md): Direct enrollment enrolls devices with no user affinity, so this method is best for devices that aren't associated with a single user. This method requires you to have physical access to the Macs you're enrolling.  
+
+## Bootstrap tokens (preview)    
+
+> [!IMPORTANT]
+> This feature is in [public preview](../fundamentals/public-preview.md). It is not available in GCC High and government cloud tenants.  
+
+Intune supports the use of bootstrap tokens on enrolled Macs running macOS 10.15 or later. Bootstrap tokens grant volume ownership status to local user accounts, so that non-admin users can approve important operations that an admin would otherwise need to do.  Operations such as: 
+
+* User-initiated software updates  
+* Silent FileVault encryption  
+* Kernel extension installation on Apple silicon  
 
-## Block macOS enrollment
-By default, Intune lets macOS devices enroll. To block macOS devices from enrollment, see [Set device type restrictions](enrollment-restrictions-set.md).
+ You can utilize bootstrap tokens on supervised Macs, and Macs enrolled via automated device enrollment.   
+
+### Get bootstrap token  
+ 
+The bootstrap token is automatically generated when:  
+
+* A newly-enrolled Mac checks in with Intune and 
+* A secure token-enabled user (typically an Intune administrator) signs in to the Mac with their clear text password
+
+The token is then automatically escrowed to Microsoft Intune. You can use a command line tool to manually view, generate, and escrow a bootstrap token, if needed. For more information, see [Use secure token, bootstrap token, and volume ownership in deployments](https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/1/web/1.0) on Apple Support.  
+
+### Manage kernel extensions  
+A bootstrap token can be used to approve the installation of both kernel extensions and software updates on a Mac with Apple silicon. Kernel extension management is automatically available on Macs running macOS 11 or later and enrolled via automated device enrollment. 
+
+To authorize the remote management of kernel extensions on a device that isn't enrolled via automated device enrollment, you must restart the Mac in recovery mode and downgrade its security settings. For more information, see [Change security settings on the startup disk of a Mac with Apple silicon](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) on Apple Support.      
+
+## Block macOS enrollment  
+By default, Intune lets macOS devices enroll. To block macOS devices from enrollment, see [Set device type restrictions](enrollment-restrictions-set.md).  
 
 ## Enroll virtual macOS machines for testing
 
@@ -84,7 +108,7 @@ For Parallels Desktop, you need to set the hardware type and the serial number f
 
 For VMware Fusion, you need to [edit the .vmx file](https://kb.vmware.com/s/article/1014782) to set the virtual machine's hardware model and serial number. We recommend that you match the hardware type of the device running the virtual machines to the hardware type of the virtual machines that you're creating. You can find this hardware type in **Apple menu** > **About this Mac** > **System Report** > **Model Identifier**. 
 
-## User Approved enrollment
+## User approved enrollment
 
 User Approved MDM enrollment is a type of macOS enrollment that you can use to manage certain security-sensitive settings. For more information, see [Apple's support documentation](https://support.apple.com/HT208019).  
  
@@ -100,4 +124,8 @@ BYOD macOS MDM enrollments prior to June 2020 may not be user approved if the en
 
 ## Next steps
 
-After macOS devices are enrolled, you can [create custom settings for macOS devices](../configuration/custom-settings-macos.md).
+* For user-help documentation, which provides step-by-step enrollment instructions for device users, see [Enroll your macOS device in Intune](../user-help/enroll-your-device-in-intune-macos-cp.md). You can also create your own instructions if you prefer to capture your organization's branded or customized enrollment experience.  
+
+* After macOS devices are enrolled, you can [create custom settings for macOS devices](../configuration/custom-settings-macos.md).
+
+* 
