Fix Intune Profile Installation Failed during macOS Enrollment

While enrolling a macOS device in Intune, you may encounter the warning “Profile Installation Failed. Could not obtain the final profile using the Encrypted Profile Service.” In this article, I will show you how to resolve this error and provide you with some troubleshooting steps.

When you register macOS devices into Intune, you might end up with several enrollment errors. Thankfully, the Intune portal now shows the device enrollment failures right on the dashboard. This makes it easy to troubleshoot the device enrollment errors.

I recently published a guide on enrolling macOS into Intune, where I covered the steps to enroll macOS devices into Intune using the Company Portal app. Microsoft Intune supports enrollment on personal and company-owned devices. You can manage your macOS devices with Intune only after you enroll them.

Intune Profile Installation Failed during macOS Enrollment

During the macOS enrollment in Intune, while installing the management profile, I encountered the following error: “Profile Installation Failed. Could not obtain the final profile using the Encrypted Profile Service. The credentials within your profile may have expired. Try downloading a new profile.”

The Profile Installation Failed error appears when macOS enrollment restrictions are in place or there are existing profiles on the Mac, preventing the installation of a management profile.

Profile Installation Failed. Could not obtain the final profile using the Encrypted Profile Service

Let’s go through the solutions to resolve the profile installation failed errors for macOS enrollment.

Solution 1: Review macOS Enrollment Restrictions in Intune

macOS enrollment restrictions are one of the most common reasons why the management profile installation fails during macOS enrollment. Intune automatically classifies macOS devices as personally owned and allows them to enroll. Device enrollment restrictions let you block devices from enrolling in Intune based on certain device attributes. If a restriction that blocks macOS is in place, you cannot enroll Mac devices.

To review the macOS enrollment restrictions in Intune, use the following steps:

  • Sign in to the Intune admin center.
  • Go to Devices > Device Enrollment > Enroll Devices.
  • Select Enrollment device platform restrictions and switch to the macOS restrictions tab.

Your administrator may have created a device restriction to block enrollment of macOS. If multiple restrictions have been created, review each one and make sure the macOS platform is allowed for enrollment. By default, the restrictions are configured to allow macOS to be enrolled in Intune, and this is applied to All Users.

When you edit a restriction and go to its properties, you can see whether macOS devices are allowed to enroll or are blocked.

Review macOS Enrollment Restrictions in Intune

Solution 2: Verify if the Apple MDM Push Certificate is valid

When you enroll iPadOS/iOS devices into Intune, one of the prerequisites is an Apple MDM push certificate. This certificate is also required to manage macOS devices in Microsoft Intune. If the Apple MDM push certificate isn’t configured or has expired, you’ll face enrollment issues.

To verify if the MDM push certificate is active and valid, use these steps:

  1. Sign in to Microsoft Intune Admin Center.
  2. Go to Devices > macOS > macOS enrollment.
  3. Select Apple Push MDM Certificate to check the status of the certificate. If the status of the certificate shows as Active, it’s all good. If the certificate shows as expired, you may have to renew it and import it into the Intune portal.
Verify if the Apple MDM Push Certificate is valid

Solution 3: Check if the User is assigned an Intune License

If the user who is attempting to enroll the Mac into Intune isn’t assigned an Intune license, the enrollment will fail, and you may not be able to download and install the management profile on macOS devices. You can review the licenses assigned to a user by going to Microsoft 365 admin center > Users, selecting the user, and reviewing Licenses and Apps.

It is also critical that the user attempting to enroll macOS into Intune has the necessary permissions. The user will be unable to enroll Macs in Intune without the enrollment permissions.

Solution 4: Delete the existing Profiles on your Mac

When you install a management profile while enrolling Macs in Intune, you gain access to your company apps. As a result, the success of this profile installation is critical. In some cases, existing profiles may cause issues during macOS enrollment and result in the profile installation failed error.

You must delete the conflicting management profiles from macOS to resolve the profile installation failed issue. If an existing management profile is impeding enrollment, delete it and re-enroll the Mac. If that doesn’t work, uninstall the Company Portal on your MacBook, download a fresh installer, and start the enrollment process again.
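To tell whether an existing management profile is what blocks enrollment, the Mac's current MDM state can be read with the built-in `profiles` tool before anything is deleted. The script below is an added example, not part of the original article; the function names are hypothetical and the two-line status format it parses is an assumption based on a constructed sample.

```shell
#!/bin/sh
# Added example: classify the Mac's current MDM enrollment state before retrying.
# Assumed input format (constructed sample of `profiles status -type enrollment`):
#   Enrolled via DEP: No
#   MDM enrollment: Yes (User Approved)

# Reads the status text on stdin; prints not-enrolled, mdm-enrolled,
# ade-enrolled or unknown.
classify_enrollment() {
    awk -F': *' '
        /^Enrolled via DEP:/ { dep = $2 }
        /^MDM enrollment:/   { mdm = $2 }
        END {
            if (mdm == "")          { print "unknown" }
            else if (mdm !~ /^Yes/) { print "not-enrolled" }
            else if (dep ~ /^Yes/)  { print "ade-enrolled" }
            else                    { print "mdm-enrolled" }
        }'
}

# Maps a state to the next troubleshooting step from this article.
advise() {
    case "$1" in
        not-enrolled) echo "No MDM enrollment present: an old profile is not the blocker; review Solutions 1-3." ;;
        mdm-enrolled) echo "Existing MDM enrollment present: remove that management profile, then re-enroll." ;;
        ade-enrolled) echo "Enrolled through Automated Device Enrollment: the profile comes from ADE; involve the Intune administrator." ;;
        *)            echo "Enrollment status could not be read." ;;
    esac
}

# Run against the live system only where the macOS profiles tool exists.
if command -v profiles >/dev/null 2>&1; then
    state=$(profiles status -type enrollment 2>/dev/null | classify_enrollment)
    echo "Enrollment state: $state"
    advise "$state"
fi
```

A Mac holds only one MDM enrollment at a time, so an `mdm-enrolled` result from a previous tenant or MDM product has to be cleared before the Intune management profile can install.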

Conclusion

I hope the solutions covered in this article will help you resolve the profile installation failed warning during macOS enrollment in Intune. If something else worked for you, please let me know in the comments section.

4 Comments

  1. Steven Latuso says:

    In case anyone else runs into the “Profile installation failed” error on a Mac with Apple Automated Device Enrollment (ADE), the problem may be a conflict between ADE, the Company Portal, and a Device Enrollment Manager (DEM) account. I was able to complete the Company Portal setup as soon as I removed the account’s DEM role.

  2. Steven Latuso says:

    I receive the “Profile installation failed” error when setting up the Intune Company Portal on macOS devices that have been enrolled in Intune with Apple Automated Device Enrollment (ADE). The Company Portal is intended for app deployment only, not enrollment, since the devices are already corporate owned and ADE enrolled in Intune. There are no enrollment restrictions in place. All terms and conditions have been accepted in Apple School Manager. If I remove the device from ADE to test in a BYOD scenario, then the Company Portal enrolls the device in Intune and available apps are listed. Return the device to ADE and it fails. Any advice?

  3. how to login admin centre

  4. Hi Prajwal, I am getting the same error, and tried all the steps you mentioned; still it is unable to enroll.
