
macOS ADE Enrollment

Mian Mudasir Bari 0 Reputation points
2026-03-18T13:56:07.2133333+00:00

I understand that Windows and macOS behave differently in Intune, but I would like confirmation from Microsoft Support based on our specific scenario. We are enrolling macOS devices through Automated Device Enrollment (ADE) via ABM, where users authenticate during Setup Assistant. Additionally, we are using Platform SSO (PSSO) integrated with Microsoft Entra ID.

What I would like to confirm is the following:

If we change the Primary User of a macOS device in Intune after it has already been enrolled through ADE with ABM and PSSO, will the device continue to sync properly and receive apps and policies assigned to the new user? Or will macOS continue to rely on the original user who completed the enrollment during Setup Assistant, regardless of any changes made to the Primary User field in the Intune admin center?

My current understanding is that macOS enrollment is tied to the identity of the user who completes Setup Assistant, rather than the Primary User field in Intune. However, I would like to validate whether this behavior is correct.

Microsoft Security | Intune | Configuration

2 answers

Sort by: Most helpful
  1. Pauline Mbabu 1,835 Reputation points Microsoft Employee
    2026-04-17T10:59:14.0966667+00:00

    Hello Mian,

    Based on current Microsoft and Apple documentation, your understanding is correct for this scenario: when a macOS device is enrolled through Automated Device Enrollment with Apple Business Manager and the user authenticates during Setup Assistant, the enrollment and user context are bound to the identity that completes Setup Assistant, and this remains the effective user identity for user-based management moving forward.

    Changing the Primary User field in the Intune admin center after enrollment does not rebind macOS to a different user in the same way it does for Windows; instead, macOS continues to rely on the original enrollment user for user-targeted app and policy evaluation, while device-targeted assignments continue to apply normally.

    Platform SSO with Microsoft Entra ID further reinforces this behavior because it provisions identity artifacts such as the workplace join certificate and local account mapping during enrollment and user sign-in, and these are not reissued simply by changing the Primary User attribute post-enrollment.

    As a result, if you need a different user to fully take ownership of the device for user-based assignments, Microsoft guidance and real-world behavior indicate that a wipe and re-enrollment through ADE with the new user signing in during Setup Assistant is required for a clean and supported outcome.

    Relevant documentation for reference includes the Intune macOS enrollment overview at https://dori-uw-1.kuma-moon.com/en-us/intune/device-enrollment/apple/guide-macos, Platform SSO for macOS with Intune at https://dori-uw-1.kuma-moon.com/en-us/intune/intune-service/configuration/platform-sso-macos, and Apple’s description of Platform SSO during enrollment at https://developer.apple.com/documentation/devicemanagement/implementing-platform-sso-during-device-enrollment.


  2. Q&A Assist
    2026-03-18T13:56:30.9533333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    For macOS devices enrolled through Automated Device Enrollment (ADE) with user affinity, Intune ties the device’s user association to the identity that completes Setup Assistant at enrollment time, not to later changes of the Primary User field.

    From the documented behavior:

    • For iOS/iPadOS and macOS with Apple Automated Device Enrollment (DEP/ADE with User Affinity), the enrolling user is automatically assigned as the primary user during enrollment:
      • “iOS/iPadOS, macOS | Apple Automated Device Enrollment (DEP with User Affinity) | Enrolling user | During enrollment.”
    • For ADE without user affinity, there is no primary user and user-based targeting does not apply.

    This means:

    • The user who authenticates in Setup Assistant (with modern auth or legacy) becomes the Intune primary user at enrollment time.
    • Changing the Primary User later in the Intune admin center does not change the original enrollment identity on the macOS device itself; it only changes Intune’s logical primary user association.
    • App and policy targeting behavior depends on how assignments are scoped:
      • Device-based assignments (to the device, device groups, or all devices) continue to apply regardless of primary user changes.
      • User-based assignments are evaluated against the currently signed-in user’s Microsoft Entra ID and group membership. Changing the Intune primary user does not re-enroll the device or change which Entra ID account the Platform SSO session and Setup Assistant enrollment were originally bound to.

    Therefore, the understanding is correct: macOS ADE enrollment is fundamentally tied to the user who completes Setup Assistant with their Microsoft Entra credentials. Updating the Primary User field in Intune after enrollment does not change that underlying enrollment identity and does not by itself “rebind” the device to a different user for PSSO or enrollment. The device will still receive:

    • All device-targeted apps and policies as normal.
    • User-targeted apps and policies based on the Entra ID account actually used on the Mac (and its group membership), not solely on the Primary User value stored in Intune.

    References:
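To find the Macs in a tenant where this distinction actually matters, here is an added example (not code from the question, either answer, or Microsoft documentation) that audits ADE-with-user-affinity devices over Microsoft Graph and flags those whose Intune Primary User no longer matches the enrolling account; it assumes the Microsoft.Graph.Beta.DeviceManagement module and that the beta managedDevice property enrolledByUserPrincipalName is populated.

```powershell
# Added example, not code from the question, the answers, or Microsoft.
# Lists macOS devices enrolled via ADE with user affinity whose Intune Primary User
# no longer matches the account that completed Setup Assistant. Per the answers above,
# user-targeted assignments on such Macs still follow the enrollment identity, so a
# mismatch marks a device to wipe and re-enroll rather than one to "fix" in the portal.
# Assumes the Microsoft.Graph.Beta.DeviceManagement module and that the beta
# managedDevice property enrolledByUserPrincipalName is populated for these devices.

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

# Server-side filter on OS only; enrollment type is checked client-side so the
# script does not depend on filter support for that property.
$macs = Get-MgBetaDeviceManagementManagedDevice -All `
    -Filter "operatingSystem eq 'macOS'" `
    -Property id,deviceName,serialNumber,deviceEnrollmentType,userPrincipalName,enrolledByUserPrincipalName,enrolledDateTime

# appleBulkWithUser is the deviceEnrollmentType value for ADE with user affinity
$adeWithUser = $macs | Where-Object { $_.DeviceEnrollmentType -eq 'appleBulkWithUser' }

$report = foreach ($d in $adeWithUser) {
    $enroller = $d.EnrolledByUserPrincipalName
    $primary  = $d.UserPrincipalName
    [pscustomobject]@{
        DeviceName    = $d.DeviceName
        Serial        = $d.SerialNumber
        EnrolledBy    = $enroller
        PrimaryUser   = $primary
        EnrolledAt    = $d.EnrolledDateTime
        # True when the Primary User was changed after enrollment: the Mac and its
        # Platform SSO registration are still bound to $enroller.
        NeedsReenroll = [bool]($enroller -and $primary -and ($enroller -ne $primary))
    }
}

$report | Where-Object NeedsReenroll | Sort-Object DeviceName | Format-Table -AutoSize
```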
