Hey @miliie,
Authenticated Enrollment is used only to authenticate the user while registering the device into Hexnode MDM.
When this mode is enabled, the user completes enrollment using the enrollment credentials provided for that process. This does not act as global SSO for macOS, and it does not automatically sign the user into Microsoft applications such as Outlook, Teams, or OneDrive after the device is configured.
It also does not sync or reset the local Mac account password when the Microsoft Entra ID password changes. App-level sign-ins and OS-level authentication remain separate unless you configure additional identity or SSO workflows outside of this enrollment authentication step.
For the FileVault part, keeping Escrow Personal Recovery Key enabled is recommended because it stores the FileVault personal recovery key securely in Hexnode. This helps administrators recover access if the user forgets the password or cannot unlock the encrypted disk. The Prevent FileVault from being disabled option should also be enabled if your organization requires devices to remain encrypted. When enabled, end users cannot turn off FileVault after the Mac is provisioned. This helps maintain encryption compliance and prevents users from removing disk encryption later.
If you do not need user authentication as part of enrollment, No Authentication is usually the simpler approach. Both modes are mainly related to the device enrollment flow and do not manage sign-in behavior for Microsoft apps after enrollment.
Best Regards,
Isabel Lora
Hexnode UEM