July 26, 2022

Company-Owned iOS Device - Automated Device Enrollment - Part I

Part 3 of the mega-series for managing iOS devices

Apple Business Manager provides a quick and smooth onboarding process for devices that organizations purchase directly from Apple, from Apple Authorized Resellers, or from wireless carriers. After signing up for Apple Business Manager, you need to complete four steps before you can start distributing and managing the devices. Automated Device Enrollment (previously known as the Device Enrollment Program, or DEP) lets organizations enroll large numbers of devices without users ever touching them.

When a user powers on the device, Setup Assistant (which you can configure to modify the out-of-box experience for Apple products) runs with the configured settings, and the device enrolls into Intune.

As discussed in the previous post, ADE enrollments aren’t compatible with the App Store version of the Company Portal app. To fix this, configure an app configuration policy for the Company Portal as described here.

Prerequisites before using ADE:

  1. Devices purchased through ADE.
  2. A valid MDM authority.
  3. An Apple MDM Push Certificate.

Max volume supported by Intune & ADE:

  1. Maximum enrollment profiles per token: 1,000 devices.
  2. Maximum Automated Device Enrollment devices per profile: 200,000 devices per token.
  3. Maximum Automated Device Enrollment tokens per Intune account: 2,000.

Create & Upload Apple MDM Push Certificate

You need an Apple MDM Push certificate to manage your iOS/iPadOS and macOS devices in Microsoft Intune. This certificate enables devices to enroll via the Intune Company Portal or via ADE/ASM/AC2 (Apple Business Manager, Apple School Manager, Apple Configurator 2). Follow the steps in this article to create the Apple MDM push certificate and upload it to the Intune portal.

Sign in to the MEM Portal, choose Devices > Enroll devices > Apple enrollment > Apple MDM Push Certificate, and follow these steps:

1.  Select I agree to give Microsoft permission to send data to Apple.

2.  Select Download your CSR to download and save the file locally. The file is used to request a trust relationship certificate from the Apple Push Certificates Portal. 

3.  Select Create your MDM push Certificate to go to the Apple Push Certificates Portal and sign in with your organization's Apple ID. (Preferably use a corporate Apple ID that is a service account; avoid using your personal Apple ID.)

4.  Select Create a Certificate.

5.  Read and agree to the terms and conditions. Then select Accept.

6.  Select Choose File and select the CSR file you downloaded from Intune in step 2.

7.  Select Upload.

8.  On the confirmation page, select Download. The certificate file (.pem) downloads to your device. Keep this file; it is uploaded to Intune in the next steps.

9.  Return to the admin center and enter your Apple ID as a reminder for when you need to renew the certificate.

10. Browse to your Apple MDM push certificate to upload. Select Upload to finish configuring the MDM push certificate.
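The .pem you download in step 8 is the Apple-signed push certificate, and step 9 exists because it has to be renewed (Apple issues MDM push certificates with a one-year validity, and when it lapses Intune can no longer push to enrolled devices). The script below is an added example, not code from this post or from Microsoft or Apple: it reads the .pem, walks the DER just far enough to reach the certificate's validity window, and reports how many days remain. It uses only the Python standard library, does no signature or chain verification, and the 30-day renewal threshold is an assumption. The sample certificate it builds for offline use is a constructed, unsigned, structurally minimal one, not a real Apple certificate; point it at your downloaded file instead.

```python
"""Report the validity window of an Apple MDM push certificate (.pem).

Added example, not code from the original post or from Microsoft/Apple.
Standard library only: decode the PEM body and walk the DER down to
tbsCertificate.validity. No signature or chain checks are performed.
"""
import base64
import re
import sys
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
RENEWAL_WINDOW_DAYS = 30  # assumption: flag certificates with 30 days or less left


def _read_tlv(data, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(data, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed type."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(data, pos)
        yield tag, vstart, vend
        pos = vend


def _parse_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:                      # UTCTime: YYMMDDHHMMSSZ
        dt = datetime.strptime(text, "%y%m%d%H%M%SZ")
    elif tag == 0x18:                    # GeneralizedTime: YYYYMMDDHHMMSSZ
        dt = datetime.strptime(text, "%Y%m%d%H%M%SZ")
    else:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return dt.replace(tzinfo=timezone.utc)


def certificate_validity(pem):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in input")
    der = base64.b64decode(b"".join(match.group(1).split()))
    tag, cert_start, _ = _read_tlv(der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("input is not a DER SEQUENCE")
    _, tbs_start, tbs_end = _read_tlv(der, cert_start)  # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber (0), signature (1), issuer (2), validity (3)
    _, v_start, v_end = fields[3]
    (nb_tag, nb_s, nb_e), (na_tag, na_s, na_e) = _children(der, v_start, v_end)
    return _parse_time(nb_tag, der[nb_s:nb_e]), _parse_time(na_tag, der[na_s:na_e])


def expiry_status(pem, now_iso=None):
    """Summarise expiry; now_iso is an ISO-8601 timestamp (defaults to current UTC)."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    not_before, not_after = certificate_validity(pem)
    days_left = (not_after - now).days
    return {
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "days_left": days_left,
        "needs_renewal": days_left <= RENEWAL_WINDOW_DAYS,
    }


# --- constructed sample so the script runs offline (NOT a real Apple certificate) ---
def _der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def build_sample_pem(not_before="220726000000Z", not_after="230726000000Z"):
    """Unsigned, structurally minimal certificate whose only realistic field is validity."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))   # [0] version: v3
               + _der(0x02, b"\x01")             # serialNumber
               + _der(0x30, b"")                 # signature AlgorithmIdentifier (empty)
               + _der(0x30, b"")                 # issuer Name (empty)
               + _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
               + _der(0x30, b"")                 # subject Name (empty)
               + _der(0x30, b""))                # subjectPublicKeyInfo (empty)
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Usage: python check_mdm_push_cert.py MDM_Apple_Certificate.pem
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pem()
    print(expiry_status(data))
```

Run it against the downloaded .pem on a schedule (a monthly job is enough) and alert on `needs_renewal`; renew with the same Apple ID you recorded in step 9, because a certificate created under a different Apple ID is a new certificate and enrolled devices will have to re-enroll.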

Create & Upload Apple Automated Device Enrollment token

With the prerequisite done, you still need an Apple Server Token (.p7m) file from Apple before you can enroll iOS/iPadOS devices. This token lets Intune sync information about the ADE devices your corporation owns, upload enrollment profiles to Apple, and assign devices to those profiles.

Follow the steps below to create & upload the ADE token:

1.  In the Intune portal, select Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens > Add.

2.  Select Download the Intune public key certificate required to create the token. This step downloads and saves the encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple Business Manager portal.

3.  Click Create a token via Apple Business Manager to open the Apple Business Manager portal for creating your ADE token (MDM server).

4.  Sign in to Apple Business Manager with your company’s Apple ID.

5.  Click your name at the bottom of the sidebar > Preferences, then click “Add” to add an MDM server.

6.  Upload the public key you downloaded from Intune in step 2. Type a server name that identifies your MDM tenant quickly.

7.  After you save the MDM server, select it and download the token (.p7m file).

8.  Now return to the Intune portal's Add token pane (Step 4 there), upload the token, click Next, and then save.

Assign devices to the Apple token (MDM server) 

  1. In Apple Business Manager > Devices, select the devices you want to assign to this token. You can select multiple devices at once, or set this token as the default assignment for all new devices.
  2. Edit device management and select the MDM server you just added.

In the next part of this blog, I will help you with creating an Enrollment Profile and will walk you through the entire enrollment process for a supervised device. Stay Tuned… 🙂