
 

 

MacOS Post Enrollment Setup
 
 
 
 

 IMPORTANT!!

 
Tips Before Starting:
For ease of setup, use the same password as the DEM account for setting up the local MacOS account. 


 
DEM Account Info
[email protected]

D3m4ccount!
 
 
Apple Migration Assistant does not work with enrolled devices.
You will need to reinstall all the apps associated with the user's Apple ID. Follow the instructions in the KB article linked below for more info.

User access to Personal iCloud and Apple Store | Knowledge Base | Nelson Brothers IS Helpdesk
 
After setting up the Mac, you can sync the user's Desktop and Documents folders with OneDrive. Follow the KB article linked below for more info.
 
Sync the Desktop and Documents Folder with One Drive | Knowledge Base | Nelson Brothers IS Helpdesk


 
Continue with the setup as normal for the macOS device and use your Microsoft credentials (DEM account) when prompted.
Note: If you do not see the Microsoft login screen and are following the manual process starting in document P1, you will need to remove the device from Intune management and then from ABM, and redo the setup process from step 1 in part 1.
Note: If you do not see the Microsoft login screen and are enrolling the device after purchasing it with the Nelson Brothers Apple purchasing account, auto-enrollment has failed, and you will need to enroll the device manually. Please reach out to John, or if John is not in the office, Justin or Frank, to enroll the device manually. To enroll the device manually, follow the article below and come back to this article once you complete the steps in P1:
P1 Manual MacOS Enrollment to ABM and MDM | Knowledge Base | Nelson Brothers IT Helpdesk


 
After signing in with the DEM account, you should see that the device is being enrolled with Nelson Brothers and is pulling down configuration profiles.

After the profiles are pushed, you will be prompted to create a local account. For ease of setup, use the same password as the DEM account for setting up the local macOS account. This password will be temporary and will be overwritten with the DEM account's Microsoft password after we sync our local and Microsoft credentials through the Company Portal.

Once you are signed into the device, wait 30 minutes - 1 hour for all the profiles to fully download.
Then, accept all pop-ups requesting permissions.
 
After granting permissions, navigate to the Settings app and search for “Profiles” in the search bar. Ensure that both the Intune MDM Agent SCEP and Intune MDM Agent PPPC profiles are on the device.



 

 

Important, Follow Closely:

Look for a pop-up on the top right for the Company Portal stating that “Registration is required”.
Click on that and you will be taken to a pop-up labeled “Platform single sign-on registration”.

Click Continue, and you will be prompted to enter your local user credentials. After that, you will be prompted to sign in with your Microsoft credentials. After some loading time, you will be prompted to log in to the Company Portal with your Microsoft credentials.

Registration is now complete; this will sync your local and Microsoft credentials. Your local credentials will no longer be available for use from this point forward. 


Open the Settings app and navigate to Users & Groups.

Create a local account named TempAccount and set the password. (This will allow the user to have the ability to connect to a Wi-Fi network if they are not at a company site and allow the user to log into their Microsoft account after they log into the "TempAccount") 
 
The account will initially be created as a standard user.

IMPORTANT: Make sure to create the account with the account name and full name exactly as TempAccount with the exact punctuation. “T” and “A” need to be capitalized; otherwise, the removal script will not work.

 
Give the TempAccount the Administrator role.





 Log out of your admin account on the device and restart the device.

Log in with the TempAccount and then log out of the TempAccount. 
 
 Ensure that you are being prompted to log into the TempAccount when reaching the login screen.
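
An optional Terminal check for the TempAccount steps above, added here as an example (it is not the helpdesk's removal script): it reads the stored account name and full name back with dscl, compares them case-sensitively against TempAccount, and confirms admin group membership. The function names are hypothetical; run the script with --live on the Mac itself.

```shell
#!/bin/sh
# Added example, not the helpdesk's removal script. Function names are hypothetical.
EXPECTED="TempAccount"   # exact name required by the procedure above

# Reduce `dscl -read` output for one attribute to its bare value.
# dscl prints the value either on the same line ("RecordName: x")
# or indented on the next line ("RealName:" / " x"); handle both.
dscl_value() {
    sed -e '1s/^[A-Za-z]*:[[:space:]]*//' | tr -d '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Compare stored values against the expected name, case-sensitively.
# Args: short name, full name, admin flag ("yes"/"no"). Returns 0 when all pass.
check_temp_account() {
    rc=0
    if [ "$1" != "$EXPECTED" ]; then
        echo "FAIL: account name is '$1', expected '$EXPECTED'"; rc=1
    fi
    if [ "$2" != "$EXPECTED" ]; then
        echo "FAIL: full name is '$2', expected '$EXPECTED'"; rc=1
    fi
    if [ "$3" != "yes" ]; then
        echo "FAIL: $EXPECTED does not have the Administrator role"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $EXPECTED is named correctly and is an administrator"
    return "$rc"
}

# Read the values back from the local directory (macOS only).
verify_live() {
    rec=$(dscl . -read "/Users/$EXPECTED" RecordName 2>/dev/null | dscl_value)
    full=$(dscl . -read "/Users/$EXPECTED" RealName 2>/dev/null | dscl_value)
    if dseditgroup -o checkmember -m "$EXPECTED" admin >/dev/null 2>&1; then
        adm=yes
    else
        adm=no
    fi
    check_temp_account "$rec" "$full" "$adm"
}

if [ "${1:-}" = "--live" ]; then verify_live; fi
```
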

 



Change the primary user of the device from your admin account to the user's Entra ID account: in the Intune portal, go to Devices > MacOS > Select Device > Properties > Change primary user > Search and select user account > Click Save at the top of the screen.



 

 

Congratulations!! You’re Finished!!!