The Devicie Enrollment Utility is designed to simplify the process for Devicie customers enrolling their Macs into Microsoft Intune, without needing to perform a full device wipe. It ensures a clean and streamlined enrollment experience while maintaining proper device management standards.
While wiping a Mac before enrollment is often recommended, we understand that this is not always feasible in every environment. Enrolling without proper preparation can leave devices in an incomplete or poorly managed state, leading to significant issues such as:
- Activation Lock (Find My Mac): If enabled before enrollment, the Activation Lock Bypass will not be available to the MDM solution.
- FileVault Encryption: If FileVault is already enabled, the recovery key will not be accessible to the MDM solution.
The Devicie Enrollment Utility helps mitigate these challenges, ensuring smooth and compliant enrollment without unnecessary disruptions.
Key Features & How It Works
- Compatibility Checks
  Verifies that the Mac meets the minimum and maximum macOS version requirements to ensure smooth enrollment.
- Find My Mac Verification
  Detects whether Find My Mac is enabled and alerts the end user, guiding them to disable it before proceeding.
- MDM and Company Portal Cleanup
  For organizations migrating from Jamf Pro, the utility triggers the unenrollment workflow and performs a thorough clean-up.
  If Company Portal was in use for device compliance with one of Microsoft's device compliance partners, the utility also uninstalls Company Portal and removes any associated configuration and identity items.
  Note: Preparatory work is required in Jamf Pro in order to allow the Devicie Enrollment Utility to trigger unenrollment.
  Migrating from an MDM other than Jamf or Intune? We can help!
- FileVault Recovery Key Handling
  If the Mac is already FileVault encrypted at the time of enrollment, the utility automatically configures an authorization plugin that forces a FileVault key renewal at the next login, ensuring that the Mac's recovery key is escrowed to Intune during the first reboot after enrollment.
- User Privilege Elevation
  Whether enrolling via Company Portal or ABM, end users must be local administrators to authorize enrollment. The utility temporarily elevates non-admin users to complete enrollment and reverts them as soon as this task is finished.
- Trigger Automated Device Enrollment (ABM) or User-Initiated Enrollment
  Attempts to trigger ABM enrollment if the Mac is found eligible. If the device is not ABM-eligible or the ABM attempt is unsuccessful, the user is prompted to enroll via Company Portal. This prompt is persistent, to encourage users to complete enrollment.
- Post-enrollment Reboot
  Once the utility has confirmed that the FileVault key escrow profile is in place and that the Intune MDM daemon is running, a final reboot is requested, ensuring that FileVault is enabled on those devices that require it and that the FileVault key is escrowed to Intune.
  Upon logging back in, the user is notified that the enrollment process is complete.
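A constructed preflight script, added here as an example and not part of the Devicie Enrollment Utility, that performs the checks listed above: macOS version bounds, the current MDM enrollment state, FileVault state, and a Find My Mac indicator. The version bounds and the NVRAM token used as the Find My Mac signal are assumptions; the parsing helpers take command output as an argument so they can be exercised with constructed samples on any system.

```shell
#!/bin/sh
# Constructed preflight helper for the checks described above. Example code,
# not the Devicie Enrollment Utility itself; the version bounds are assumptions.
MIN_MACOS="13.0"   # assumed lower bound
MAX_MACOS="15.99"  # assumed upper bound

# Compare two dotted versions: prints 0 if a == b, 1 if a > b, 2 if a < b.
# A trailing dot is appended so cut always sees a delimiter (bare "13" works).
vercmp() {
  i=1
  while :; do
    a=$(printf '%s.' "$1" | cut -d. -f"$i"); b=$(printf '%s.' "$2" | cut -d. -f"$i")
    [ -z "$a" ] && [ -z "$b" ] && { echo 0; return; }
    a=${a:-0}; b=${b:-0}
    [ "$a" -gt "$b" ] && { echo 1; return; }
    [ "$a" -lt "$b" ] && { echo 2; return; }
    i=$((i + 1))
  done
}

# Succeeds when $1 lies within [MIN_MACOS, MAX_MACOS].
version_supported() {
  [ "$(vercmp "$1" "$MIN_MACOS")" != 2 ] && [ "$(vercmp "$1" "$MAX_MACOS")" != 1 ]
}

# Classify `profiles status -type enrollment` output (passed as $1): dep, user or none.
enrollment_state() {
  case "$1" in
    *"Enrolled via DEP: Yes"*) echo dep ;;
    *"MDM enrollment: Yes"*)   echo user ;;
    *)                         echo none ;;
  esac
}

# Succeeds when `fdesetup status` output (passed as $1) reports FileVault on.
filevault_on() { case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac; }

# Live preflight, run only where the macOS tools exist.
preflight() {
  os=$(sw_vers -productVersion)
  version_supported "$os" || { echo "macOS $os is outside the supported range"; return 1; }
  echo "macOS $os ok; current MDM state: $(enrollment_state "$(profiles status -type enrollment 2>/dev/null)")"
  filevault_on "$(fdesetup status)" && echo "FileVault already on: recovery key must be re-escrowed after enrollment"
  # Assumed indicator: the fmm-mobileme-token-FMM NVRAM variable is present while Find My Mac is on.
  nvram -p 2>/dev/null | grep -q fmm-mobileme-token-FMM && echo "Find My Mac appears enabled: disable it before enrolling"
  return 0
}
if command -v sw_vers >/dev/null 2>&1; then preflight; fi
```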
MDM Migration Considerations
- When a Mac unenrolls from its existing MDM solution while it waits to enroll into Intune, it loses all MDM-enforced configuration profiles. If network connectivity is configured via a profile, i.e. a Wi-Fi password or 802.1X authentication, that connection is lost as soon as the Mac is unenrolled. If MDM profiles are the only way the Mac connects to the internet, you will need to prepare an alternate method so the Mac can reconnect and complete the enrollment.
- During the period in which the Mac is not enrolled with any MDM provider, any third-party applications that rely on MDM-enforced profiles to function will be affected. This includes security agents that rely on MDM-authorized system extensions and permissions.
- If updating the MDM server assigned to your Macs in Apple Business Manager, allow at least 12-24 hours for this change to take effect.
- If your Macs are assigned to a Device Compliance partner, remember to remove the management requirement before attempting to enroll them into Intune.
  This removal is done in Intune: go to Tenant Administration > Connectors and Tokens > Partner Compliance management.