Zero-touch Apple deployment with Intune and Apple Automated Device Enrollment (DEP)
With Apple Automated Device Enrollment and Microsoft Intune, a Mac or iPhone gets itself ready out of the box. Here is how zero-touch onboarding works in a Microsoft environment.
A new employee, a sealed box with a MacBook, and the wish that the device sets itself up the moment it is turned on. That is zero-touch onboarding, and with Apple Automated Device Enrollment (ADE, formerly DEP) and Microsoft Intune it is well within reach. This post explains how the two work together.
TL;DR
- Apple Automated Device Enrollment (ADE) used to be called DEP and ties purchased Apple devices to your organization.
- Microsoft Intune is the MDM that configures the device the moment it enrolls.
- Together they give zero-touch: the device pulls its own settings, apps, and policies out of the box.
- The user logs in and gets to work, without IT ever touching the device.
- This is about device configuration; asset management is a separate layer on top.
What Apple Automated Device Enrollment (DEP) is
Apple Automated Device Enrollment is how Apple ties business-purchased devices to an organization. Buy Macs, iPhones, or iPads through Apple Business Manager or an authorized reseller, and they appear in your account automatically. You assign them to your MDM server, and from that point every device knows on first boot that it belongs to your organization.
DEP was the old name; Apple now calls it Automated Device Enrollment. The behavior is the same: the device is already tied to you on arrival, before anyone takes it out of the box.
What Microsoft Intune adds
Intune is the MDM layer in the Microsoft environment. As soon as an ADE device boots for the first time and connects, it enrolls into Intune. From there Intune takes over:
- It applies the right configuration profiles (Wi-Fi, security, restrictions).
- It installs the apps that belong to the user or the department.
- It applies compliance policies, so the device meets your security requirements.
- It ties the device to the identity in Entra ID.
How zero-touch runs in practice
| Step | Who does it | Manual work |
|---|---|---|
| Device bought via Apple Business Manager | Purchasing or reseller | No |
| Device appears in your MDM server | Automatic | No |
| Box ships straight to the employee | Logistics | No |
| Employee powers on, logs in | Employee | No |
| Intune applies config, apps, and policies | Automatic | No |
| Device ready for use | Automatic | No |
What zero-touch is not
Zero-touch onboarding handles the configuration of the device. It is not the same as asset management. The fact that Intune sees and configures a device does not yet mean you have a complete picture of your assets: purchase date, warranty, owner over time, depreciation, and what happens to the device after a departure.
Device management answers the question "is this device set up correctly and compliant". Asset management answers the question "what do I own, who has it, and what is its status across its whole lifespan". Those are two different layers.
How ServiceChanger fits in
ServiceChanger today focuses on automating access across Entra ID and on-prem AD based on rules (ABAC), plus tracking license usage based on Entra sign-in activity. Apple and Intune themselves handle the zero-touch device deployment; that is functionality of the Microsoft and Apple platforms.
Asset automation around Intune is on the ServiceChanger roadmap. The idea is to tie the device data from Intune to the identity and access that ServiceChanger already manages, so the asset layer connects to the access model. ServiceChanger stays Microsoft-focused; the actual device configuration remains the work of Intune and Apple.
FAQ
Do I need Apple Business Manager? For ADE, yes. Devices need to be tied to your organization through Apple Business Manager (or an authorized reseller that links them) to get zero-touch.
Does this work for existing devices? ADE works most cleanly for newly purchased devices. Existing devices can often still be enrolled, but it is less seamless than straight out of the box.
Is this the same as asset management? No. Zero-touch handles the configuration. Asset management is the layer that tracks ownership, status, and lifespan over time.
Does ServiceChanger do the Intune deployment? No. The device deployment is Intune and Apple. Asset automation around Intune is on our roadmap.
Further reading
- Is Microsoft Intune an ITAM tool? for the difference between device management and asset management.
- ITSM maturity assessment: where does your service desk stand? for where device and asset automation fit into your maturity.
Next step
Want to set up your Microsoft environment so access, and later assets, follow the identity? ServiceChanger automates access across Entra ID and on-prem AD, with asset automation around Intune on the roadmap. Book a demo or read the docs.