Affinity Macos

For Platform, choose macOS. Select Next to go to the Management Settings page. For User Affinity, choose whether or not devices with this profile must enroll with or without an assigned user.
Affinity Photo - redefines the boundaries for professional photo editing software for the Mac. With a meticulous focus on workflow it offers sophisticated tools for enhancing, editing and retouching your images in an incredibly intuitive interface with all the power and performance you need. What's new in Affinity Photo Version 1.9.3.
Affinity Photo (macOS) Updates Download the latest and previous versions Latest version Download version 1.9.2 732.23MB, DMG.

Affinity Macos X
Macos Affinity Designer
Macos Affinity Photo
Cpu Affinity Macos

-->

Personal and organization-owned devices can be enrolled in Intune. On macOS devices, the Company Portal app or the Apple Setup Assistant authenticates users, and starts the enrollment. Once they're enrolled, they receive the policies and profiles you create.

Affinity Macos X

You have the following options when enrolling macOS devices:

Note

For both iOS/iPadOS and macOS, user device affinity is established with the additional Azure AD login to the Company Portal app as mentioned above. That is also when device compliance is assessed, and the device shows up as compliant in the Microsoft Endpoint Manager admin center.

Enrollment through Apple Configurator is available for iOS/iPadOS devices. It's not available for macOS devices. When you create a macOS enrollment profile, it appears that Apple Configurator is an option. This behavior is a known issue, and will be fixed in a future release (no ETA). Do not create a macOS enrollment profile with Apple Configurator. It doesn't work.

This article:

Describes your Company Portal app options for each enrollment method.
Provides recommendations on the macOS enrollment method to use.
Includes an overview of the administrator and user tasks for each enrollment type.

For more specific information, see Enroll macOS devices.

Tip

This guide is a living thing. So, be sure to add or update existing tips and guidance you've found helpful.

Before you begin

For an overview, including any Intune-specific prerequisites, see Deployment guidance: Enroll devices in Microsoft Intune.

BYOD: Device enrollment

Use for personal or bring your own devices (BYOD). Not a traditional 'enrollment' method, as it uses an app configuration profile. This option manages apps on the device. Devices aren't enrolled.

Feature	Use this enrollment option when
Devices are personal or BYOD.	✔️
Need to enroll a few devices, or a large number of devices (bulk enrollment).	✔️
You have new or existing devices.	✔️
Devices are associated with a single user.	✔️
You use the device enrollment manager (DEM) account.	✔️ Be aware of impact and any limitations using DEM account.
Devices are managed by another MDM provider.	❌ When a device enrolls, MDM providers install certificates and other files. These files must be removed. The quickest way may be to unenroll, or factory reset the devices. If you don't want to factory reset, then contact the MDM provider.
Devices are owned by the organization or school.	❌ Not recommended for organization-owned devices. Organization-owned devices should be enrolled using Automated Device Enrollment (in this article) or Apple Configurator. You can add the MacBook serial numbers to the corporate device identifiers to mark the devices as corporate. But, by default, devices are marked personal.
Devices are user-less, such as kiosk, dedicated, or shared.	❌ These devices are organization-owned. User-less devices should be enrolled using Automated Device Enrollment (in this article) or Apple Configurator.

Device enrollment administrator tasks

This task list provides an overview.

Be sure your devices are supported.
Be sure the Apple MDM push certificate is added to Endpoint Manager, and is active. This certificate is required to enroll macOS devices. For more information, see Get an Apple MDM push certificate.
There isn't a Company Portal app for macOS devices in the Apple App Store, or through VPP. Users must manually download and run the Company Portal app installer package. They sign in with their organization account (user@contoso.com), and then step through the enrollment. Once they enroll, they must approve the enrollment profile.
When they approve, the device is added to your organization Azure AD. Then, it's available to Intune to receive your policies and profiles.
Be sure to communicate this information with your users.

Device enrollment end user tasks

Your users must do the following steps. For more specific information on the end user steps, see Enroll your macOS device using the Company Portal app.

Download and run the Company Portal app installer package.
Open the Company Portal app, and sign in with their organization account (user@contoso.com). Once they sign in, they must approve the enrollment profile (System preferences). When users approve, the device is enrolled, and considered managed. If they don't approve, then they're not enrolled, and won't receive your policy and profiles.

For more specific information on the end user steps, see Enroll your macOS device using the Company Portal app.

Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Task 5: Create a rollout plan.

Automated Device Enrollment (ADE) (supervised)

Previously called Apple Device Enrollment Program (DEP). Use on devices owned by your organization. This option configures settings using Apple Business Manager (ABM) or Apple School Manager (ASM). It enrolls a large number of devices, without you ever touching the devices. These devices are purchased from Apple, have your preconfigured settings, and can be shipped directly to users or schools. You create an enrollment profile in the Endpoint Manager admin center, and push this profile to the devices.

For more specific information on this enrollment type, see Automatically enroll macOS devices with the Apple Business Manager or Apple School Manager.

Feature	Use this enrollment option when
Devices are owned by the organization or school.	✔️
You have new devices.	✔️
You have existing devices.	✔️ To enroll existing devices, see Enroll your macOS device registered in ABM/ASM with Automated Device Enrollment after Setup Assistant (opens another Microsoft article).
Need to enroll a few devices, or a large number of devices (bulk enrollment).	✔️
Devices are associated with a single user.	✔️
Devices are user-less, such as kiosk or dedicated device.	✔️
Devices are personal or BYOD.	❌ Not recommended. BYOD or personal devices should be enrolled using Device enrollment (in this article).
Devices are managed by another MDM provider.	❌ To be fully managed by Intune, users must unenroll from the current MDM provider, and then enroll in Intune. Or, you can use Device enrollment to manage specifics apps on the device. Since these devices are organization-owned, it's recommended to enroll in Intune.
You use the device enrollment manager (DEM) account.	❌ The DEM account isn't supported.

ADE administrator tasks

This task list provides an overview. For more specific information, see Automatically enroll macOS devices with the Apple Business Manager or Apple School Manager.

Be sure your devices are supported.
Need access to the Apple Business Manager (ABM) portal, or the Apple School Manager (ASM) portal.
Be sure the Apple token (.p7m) is active. For more specific information, see Get an Apple ADE token.
Be sure the Apple MDM push certificate is added to Endpoint Manager, and is active. This certificate is required to enroll macOS devices. For more information, see Get an Apple MDM push certificate.
Decide how users will authenticate on their devices: Setup Assistant (legacy) or Setup Assistant with modern authentication (public preview). Make this decision before you create the enrollment profile. Using the Setup Assistant with modern authentication is considered modern authentication. Microsoft recommends using Setup Assistant with modern authentication.
For all organization-owned macOS devices, Setup Assistant (legacy) is always and automatically used, even if you don't see 'Setup Assistant' text in Endpoint Manager. Setup Assistant (legacy) authenticates the user, and enrolls the device.
- Select the Setup Assistant (legacy) when:
  - You want to wipe the device.
  - You don't want to use modern authentication features, such as MFA.
  - You don't want to register devices in Azure AD. Setup Assistant (legacy) authenticates the user with the Apple .p7m token. If it's acceptable to not register devices in Azure AD, then you don't need to install the Company Portal app. Keep using the Setup Assistant (legacy).
    If you want to use the Company Portal app for authentication instead of using Setup Assistant, or want the devices registered in Azure AD, then install the Company Portal app. After the device is enrolled, you can install the Company Portal app.
    To install the Company Portal app on devices, see add the Company Portal app. Set the Company Portal app as a required app.
    Once installed, users open the Company Portal app, and sign in with their organization Azure AD account (user@contoso.com). When they sign in, they're authenticated, and ready to receive your policies and profiles.
- Select the Setup Assistant with modern authentication when:
  - You want to wipe the device.
  - You want to use multi-factor authentication (MFA).
  - You want to prompt users to update their expired password when they first sign in.
  - You want to prompt users to reset their expired passwords during enrollment.
  - You want devices registered in Azure AD. When they're registered, you can use features available with Azure AD, such as conditional access.
  Note
  During the Setup Assistant, users must enter their organization Azure AD credentials (user@contoso.com). When they enter their credentials, the enrollment starts. If you want, users can also enter their Apple ID to access Apple specific features, such as Apple Pay.
  After the Setup Assistant completes, users can use the device. When the home screen shows, the enrollment is complete, and user affinity is established. The device isn't fully registered with Azure AD, and doesn't show in a user's device list in Azure AD.
  If users need access to resources protected by conditional access or should be fully registered with Azure AD, then install the Company Portal app. After it's installed, users open the Company Portal app, and sign in with their organization Azure AD account (user@contoso.com). During this second login, any conditional access policies are evaluated, and Azure AD registration is complete. Users can install and use organizational resources, including LOB apps.
In the Endpoint Manager admin center, create an enrollment profile. Choose to Enroll with user affinity (associate a user to the device), or Enroll without user affinity (user-less devices or shared devices).
- Enroll with user affinity: Setup Assistant authenticates the user, and enrolls the device in Intune. Also choose if users can delete the management profile, called Locked enrollment.
- Enroll without user affinity: Setup Assistant authenticates the user, and enrolls the user in Intune. Also choose if users can delete the management profile, called Locked enrollment. The Company Portal app isn't used, needed, or supported on enrollments without user affinity.

ADE end user tasks

These tasks depend on how administrators tell users to install the Company Portal app. Typically, the less end users must do to enroll, the higher chance they'll want to enroll.

Macos Affinity Designer