
ADE Gone Wrong: Protecting Macs That Protect Your Network


Automated Device Enrollment (ADE) through Apple Business Manager and Intune is often treated as a default requirement for any Apple device owned by an organisation. In many environments, that assumption goes unchallenged. Over time, I’ve learned that this approach can create unnecessary risk, particularly when devices are not traditional user endpoints.

Not every Mac is a laptop sitting on someone’s desk. Some Macs exist purely to provide a service. A common example is a Mac mini deployed to deliver network-wide content caching services. 

In this role, the device may cache updates, optimise traffic, and dramatically reduce external bandwidth usage. Its availability directly protects the organisation’s internet connection by preventing saturation and delivering measurable bandwidth savings across the entire network.

These systems are infrastructure components, not user devices. Treating them like managed endpoints introduces a class of risk that often goes unnoticed until it causes disruption.

Why Infrastructure Macs Should Be Treated Differently

A Mac mini providing shared content services does not benefit from the same policy controls applied to laptops and mobile devices. It does not need compliance checks designed for users, nor does it need configuration profiles that assume interaction, mobility, or frequent operating system changes.

The risk comes from incidental management. A configuration profile intended for general macOS hardening, a misapplied restriction, or an enforced update policy can interfere with the service the device exists to provide. In the worst case, a routine policy change can degrade or interrupt network-wide performance.

This is where ADE can work against its original purpose. Automated enrollment is designed to enforce consistency at scale. For devices whose value lies in stability and predictability, that same automation becomes a liability.

Understanding Where Authority Actually Lives

One of the most important things to understand about ADE is where control truly resides. Apple Business Manager is the authoritative system. Intune does not decide which ADE devices it manages. Instead, it synchronises against Apple Business Manager using the enrollment program token for that MDM server and imports whatever devices Apple still lists as assigned to it.

This distinction matters. If a device remains assigned to Intune in Apple Business Manager, Intune will continue to treat it as in-scope. Deleting the device inside Intune does not override Apple’s records. On the next token synchronisation, the device will simply reappear.

This behaviour is expected and by design. Intune is reconciling its inventory against Apple’s source of truth.

Why Removing a Device Only in Intune Fails

It is common to see devices deleted in Intune with the expectation that this removes them from management permanently. In reality, this is only a temporary cleanup if Apple Business Manager still lists the device as assigned to Intune.

As long as the serial number remains associated with the Intune MDM server in Apple Business Manager, the next full sync will restore the device record. This leads to confusion, repeated cleanup efforts, and the false impression that Intune is behaving unpredictably.

The underlying issue is not Intune at all. The relationship was never broken at the Apple level.

The Two Removal Options in Apple Business Manager

Apple Business Manager provides two ways to remove a device from MDM control: unassign and release. Although they sound similar, they serve very different purposes.

Unassigning a device removes it from a specific MDM server. The device remains fully present in Apple Business Manager and continues to belong to the organisation. Any administrator with sufficient permissions can reassign it to another MDM server at any time.

This is appropriate for devices that may move between management platforms or be reassigned later. It is not sufficient for devices that should never be reintroduced to automated enrollment.

Releasing a device removes it entirely from Apple Business Manager. Once released, it no longer exists in the organisation’s inventory, cannot be assigned to any MDM server, and cannot silently return to ADE. Getting it back means adding it again through Apple Configurator (for a Mac, Apple Configurator for iPhone) or having the reseller resubmit it, both of which require deliberate action.

Why Release Is the Correct Choice for Network-Critical Macs

In the case of a Mac mini delivering content services and protecting network bandwidth, unassigning is not enough. Leaving the device in Apple Business Manager means the risk still exists. Another administrator, acting with good intentions but incomplete context, could reassign it to Intune or another MDM server.

At that point, the device becomes eligible for ADE again. A future wipe, redeployment, or automated action could place it back under full management without warning.

For infrastructure systems, this is an unacceptable risk. Their protection should not depend on institutional memory or process discipline alone.

Releasing the device removes ambiguity. It ensures the Mac can never be accidentally pulled back into automated enrollment and subjected to policies it was never meant to receive.

How to Remove These Devices Correctly

When you decide a device should not be managed through ADE, start in Apple Business Manager, not Intune.

Locate the device by serial number and release it from the organisation. This permanently removes it from ABM and guarantees it cannot be reassigned to any MDM server.

Only after that relationship is broken should you delete the device from Intune. At that point the deletion is final: the device will not reappear on the next token sync because Apple no longer reports it as assigned to your MDM server. If the serial also shows in the device list under the enrollment program token in Intune, delete it there as well; Intune only honours that deletion once Apple has stopped assigning the device.

This order matters. Releasing first, then deleting, ensures the outcome matches the intent.

Implementing the Removal

This removes the device from your company’s enrollment protection: once released, a wipe no longer forces the Mac back into MDM, and your MDM can no longer supply an Activation Lock bypass code for it. Before you release, make sure Activation Lock is off (or you hold the bypass code), record the serial in your asset register, and obtain approval from the relevant owners before following this guide.

Step 1: Identify the Device in Apple Business Manager (ABM)

  1. Log in to Apple Business Manager with an account that has Administrator or Device Enrollment Manager permissions.
  2. Navigate to Devices from the sidebar.
  3. Use the search bar to locate the Mac by serial number or device name.
  4. Confirm the device is currently assigned to your Intune MDM server.

Tip: For infrastructure Macs like network-service Mac minis, double-check that the serial number matches the physical device to avoid accidental release of user devices.

Step 2: Release the Device from ABM

  1. Select the device in the list by clicking the checkbox next to it.
  2. Click the More (•••) menu at the top of the screen.
  3. Choose Release Device.

    A warning will appear: releasing is permanent. Once released, the device cannot be automatically re-enrolled in ADE.
  4. Confirm that you want to release the device.
  5. The device will be removed entirely from ABM. It will no longer appear in your ABM inventory and cannot be reassigned to any MDM server without Apple Configurator or reseller intervention.

Step 3: Confirm the Device is Removed from ABM

  1. Search again in the Devices tab in ABM.
  2. The device should no longer appear in your list.

    If it still appears, wait a few minutes and refresh — ABM sometimes takes a short time to process releases.
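A check from the Mac itself, as an added example (not code from the original post): the macOS `profiles` tool reports whether the device is currently ADE- or MDM-enrolled, and `profiles show -type enrollment` (as root) fetches the current ADE assignment from Apple, which is exactly what a release should have removed. The parser is exercised on constructed output so the logic can be read without a Mac; what `profiles show` prints for an assigned device (a configuration containing ConfigurationURL, exit status 0) versus a released one (an error, non-zero exit) is stated from memory and marked as an assumption in the code.

```python
"""Device-side check that Apple no longer assigns this Mac to an MDM server.

Added example; not part of the original post. It wraps the macOS `profiles`
tool, which must be run as root for `show -type enrollment`. The parser is
exercised with constructed output so the logic can be tested without a Mac.
Assumption: `profiles show -type enrollment` prints a configuration containing
ConfigurationURL for an assigned Mac and errors out for a released one."""
import re
import subprocess

# Constructed sample output (not captured from a real Mac):
# `profiles status -type enrollment` on a Mac that is neither ADE-assigned
# nor MDM-enrolled ...
SAMPLE_STATUS_RELEASED = "Enrolled via DEP: No\nMDM enrollment: No\n"
# ... and on a Mac that ADE put under MDM with user approval.
SAMPLE_STATUS_ENROLLED = "Enrolled via DEP: Yes\nMDM enrollment: Yes (User Approved)\n"


def parse_enrollment_status(text):
    """Turn `profiles status -type enrollment` output into {'dep': bool, 'mdm': bool}."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Enrolled via DEP|MDM enrollment)\s*:\s*(\w+)", line)
        if m:
            found[m.group(1)] = m.group(2).lower() == "yes"
    return {"dep": found.get("Enrolled via DEP", False),
            "mdm": found.get("MDM enrollment", False)}


def interpret_show_enrollment(returncode, output):
    """Interpret `profiles show -type enrollment`, which asks Apple for the
    current ADE assignment rather than reporting cached state.
    Assumption: assigned -> exit 0 and a configuration with ConfigurationURL;
    released -> an error message and a non-zero exit status."""
    if returncode == 0 and "ConfigurationURL" in output:
        return "assigned"
    return "not-assigned"


def run_profiles(*args):
    """Run /usr/bin/profiles and return (exit status, combined stdout+stderr)."""
    proc = subprocess.run(["/usr/bin/profiles", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def check_mac():
    """Run both checks on this Mac (requires root). Returns (status dict, assignment)."""
    rc, out = run_profiles("status", "-type", "enrollment")
    status = parse_enrollment_status(out)
    rc, out = run_profiles("show", "-type", "enrollment")
    assignment = interpret_show_enrollment(rc, out)
    return status, assignment


if __name__ == "__main__":
    status, assignment = check_mac()
    print(f"DEP-enrolled: {status['dep']}  MDM-enrolled: {status['mdm']}  "
          f"ADE assignment at Apple: {assignment}")
```

Run it with `sudo python3` on the Mac after the release. If it still reports "assigned", the serial is attached to some MDM server in ABM (or the release has not propagated yet) and the Mac is not yet safe from re-enrollment; if it reports "not-assigned" but MDM-enrolled is still true, the existing management profile is still in place and needs removing in Intune (step 4).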

Step 4: Delete the Device in Intune

Even though the device is now released from ABM, a record may still exist in Intune if it previously enrolled. To remove it completely:

Log in to the Microsoft Intune admin center (formerly the Microsoft Endpoint Manager admin center).

  1. Navigate to Devices > macOS (or Devices > All devices, filtered to macOS) and search by device name or serial number.
  2. Select the released Mac mini.
  3. Click Delete (or Retire, depending on whether the Mac is still enrolled).

    Delete removes the record from Intune straight away; if the Mac is still enrolled and checks in, it is then told to retire.
    Retire sends the Mac a command to remove the management profile and the policies it carried, and the record is removed once that completes, so an offline or already-unenrolled Mac keeps a stale record until you Delete it.
  4. Confirm the action completed, and check on the Mac itself (System Settings > General > Device Management) that no management profile remains.

Step 5: Verify Removal

  1. In Intune, check that the device is no longer listed.
  2. In ABM, confirm it is not in your inventory.
  3. If the serial number is still present in Intune, run a manual sync of the enrollment program token: navigate to Devices > Enroll devices > Apple enrollment > Enrollment program tokens.
  4. Select your token and click Sync. Intune rate-limits this action, so the button may be unavailable for a short time after the previous sync.
  5. Confirm the released device does not reappear.
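The same check the steps above do by hand, as an added example (not code from the original post): a Python script that asks Intune, through Microsoft Graph, what it currently imports under its enrollment program token(s) and whether a managed-device record still exists for the serial, and then states what a deletion in Intune would achieve. This is the reconciliation described under "Why Removing a Device Only in Intune Fails". It assumes a bearer token in the GRAPH_TOKEN environment variable for an identity with the Intune permissions named in the docstring; the depOnboardingSettings, importedAppleDeviceIdentities and syncWithAppleDeviceEnrollmentProgram endpoints are on the Graph beta surface and are given from memory, so confirm them against current documentation before relying on the script. The classify() function is the decision logic and runs without any network access.

```python
"""Graph-side check of what Apple still reports for a serial number.

Added example; not part of the original post. Assumes a bearer token in the
GRAPH_TOKEN environment variable for an identity with Intune permissions
(DeviceManagementServiceConfig.ReadWrite.All to list and sync enrollment
program tokens, DeviceManagementManagedDevices.Read.All to read managed
devices). The ADE token endpoints are on the Graph beta surface and their
names are given from memory: verify them against current documentation.
classify() is the decision logic and needs no network."""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"


def graph_call(url, token, method="GET"):
    """One authenticated Graph request; returns the parsed JSON body (or {})."""
    headers = {"Authorization": f"Bearer {token}"}
    if method == "POST":
        headers["Content-Length"] = "0"
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def graph_list(url, token):
    """Collection GET that follows @odata.nextLink, so a large ADE inventory is walked fully."""
    items = []
    while url:
        page = graph_call(url, token)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def classify(serial, ade_serials, managed_serials):
    """What deleting this serial in Intune would achieve.

    ade_serials      serials Intune lists under its enrollment program token(s),
                     i.e. what Apple still reports as assigned to that MDM server
    managed_serials  serials that have a managed-device record in Intune
    """
    wanted = serial.strip().upper()
    in_ade = wanted in {s.strip().upper() for s in ade_serials}
    in_managed = wanted in {s.strip().upper() for s in managed_serials}
    if in_ade:
        return "still-assigned-in-abm"   # a delete in Intune is temporary: it returns on sync
    if in_managed:
        return "stale-intune-record"     # Apple no longer assigns it: deleting is final
    return "clear"


def main(serial):
    token = os.environ["GRAPH_TOKEN"]
    # One depOnboardingSettings record per enrollment program token in the tenant.
    tokens = graph_list(f"{GRAPH}/beta/deviceManagement/depOnboardingSettings", token)
    ade_serials = []
    for t in tokens:
        base = f"{GRAPH}/beta/deviceManagement/depOnboardingSettings/{t['id']}"
        # Ask Intune to sync with Apple first so the list reflects Apple's current
        # assignments. Intune rate-limits this action; if it is refused, fall back to
        # whatever the last sync imported. The sync itself is asynchronous, so re-run
        # a minute later if the verdict looks stale.
        try:
            graph_call(f"{base}/syncWithAppleDeviceEnrollmentProgram", token, method="POST")
        except urllib.error.HTTPError as err:
            print(f"sync of token {t['id']} refused (HTTP {err.code}); using last sync",
                  file=sys.stderr)
        identities = graph_list(f"{base}/importedAppleDeviceIdentities", token)
        ade_serials.extend(d.get("serialNumber", "") for d in identities)
    query = urllib.parse.quote(f"serialNumber eq '{serial}'")
    managed = graph_list(
        f"{GRAPH}/v1.0/deviceManagement/managedDevices?$filter={query}", token)
    verdict = classify(serial, ade_serials, [d.get("serialNumber", "") for d in managed])
    print(f"{serial}: {verdict}")
    return verdict


if __name__ == "__main__":
    main(sys.argv[1])
```

Run as `GRAPH_TOKEN=... python3 ade_check.py <serial>`. A verdict of "still-assigned-in-abm" means the release has not happened (or has not propagated) and any deletion in Intune will be undone by the next sync; "stale-intune-record" is the state after a correct release, where deleting the managed-device record is final; "clear" means both systems have already forgotten the device.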

Conclusion

Automated Device Enrollment is a powerful tool when used for the right devices. It enforces consistency, reduces deployment effort, and strengthens security for user endpoints. But not every Mac should be treated as an endpoint.

Infrastructure Macs exist to provide stability, availability, and protection for the wider environment. Subjecting them to automated policy enforcement introduces unnecessary operational risk. Understanding the difference between unassigning and releasing devices in Apple Business Manager is critical to preventing accidental re-management and ensuring these systems remain fit for purpose.

In short, if a device should never be managed through ADE again, it should not merely be unassigned. It should be released.