March 31, 2023

Onboarding to ABM

Onboarding to ABM

Welcome to part four of the All-In-One guide to managing Apple devices with Microsoft Intune. Till now, we have discussed how the devices are enrolled in any MDM solution, different types of enrollment, and how to decide between Apple Business Manager or Apple Business Essentials, or Apple School Manager. Here's the link to the first three parts:

  1. The need to manage devices and data
  2. Getting Started - Apple Device Enrollment types & MDM
  3. Device Deployment: ABM or ASM, or ABE? (intuneirl.com)

Overview

Apple Business Manager is a web-based portal that helps IT administrators manage iPhone, iPad, and Mac devices. This portal works with a third-party MDM solution, allowing you to purchase content easily in volume.

Pre-requisites

To automatically add devices to Apple Business Manager, the following conditions must be met:

  1. If the device was purchased directly from Apple, the purchaser must have used an enrolled and verified Apple Customer Number.
  2. If the device was purchased directly from a participating Apple Authorized Reseller or a cellular carrier, the device must be linked to that reseller's Reseller Number.
  3. The device must have been ordered after March 1, 2011, whether purchased directly from Apple or a participating Apple Authorized Reseller or cellular carrier.

Enrollment in ABM is simple and takes only a few minutes. Any business can sign-up for ABM subject to the service terms and conditions. The first thing to get started is registering in D-U-N-S.

What is the "D-U-N-S" number?

The Data Universal Numbering System, commonly abbreviated as DUNS or D-U-N-S, is a proprietary system developed and managed by Dun & Bradstreet (D&B) that assigns a unique numeric identifier to a “DUNS number” to a single business entity.

D-U-N-S
D-U-N-S

It was introduced in the 1960s for credit reporting and is now standard followed worldwide.

A nine-digit number is assigned to each business entity with a unique, separate, and distinct operation to identify them. The DUNS number is random, and the digits have no apparent significance.

Why "D-U-N-S" number is required for Apple Services?

When an organization decides to buy Apple devices, they must buy Apple Enterprise services to buy & manage these devices. ABM, Apple Developer Portal, etc., requires the organization to have a DUNS number. If an organization wants to distribute apps to different geographical locations, it needs to have ABM subscriptions, and then for enrolling in ABM, you will need a DUNS number.

D-U-N-S Number will be used to check your organization’s identity and legal entity status as part of our enrollment verification process for joining the Apple Developer Program or the Apple Developer Enterprise Program. The company/business must be recognized as a legal entity (such as a corporation, limited partnership, or limited liability company) to enter into the legal terms and obligations of the Apple Developer Program agreements. It does not allow DBAs, fictitious businesses, trade names, and branches to register for it. Companies and educational institutions must provide a D-U-N-S Number registered to their legal entity.

Steps for requesting a "D-U-N-S" number

It could be possible that D&B may have already assigned your organization a free D-U-N-S Number. Before enrolling, look up your organization to see if you have a D-U-N-S Number. If your company is not listed, you can submit your information to Dun & Bradstreet for a free D-U-N-S Number.

You’ll be asked for the following information when looking up your organization:

  • Legal entity name
  • Headquarters address
  • Mailing address
  • Your work contact information

A D&B representative will contact you directly for more information (such as your business type or the number of employees) as part of their verification process.

  1. Click or copy the following link to your browser  Get a D-U-N-S Number – Establish Your Business – D&B (dnb.com)
  2. Select your Primary Reason for D-U-N-S Number Registration from the drop-down menu.
  3. Complete the company information sections. You must provide information about your organization, like legal name, address, contact name & title.
  4. Review Details
  5. Click the “Submit” button to complete your request.
  6. Once you have completed the entire process, you will receive a confirmation email.  It will take 24 to 48 hours to receive your D‐U‐N‐S Number, which you will receive via email for your records.

The next step is to get onboarded with Apple Business Manager. So, we continue with logging into ABM. The enrollment process is as below:

Sign-up for ABM

  1. Sign in to Apple Business Manager or Apple School Manager.
  2. Click "Enroll Now."
  3. Enter the information for your organization, like Organization Name, D-U-N-S number, Phone Number, etc.

The user signing up for the ABM for the first time by default becomes the first administrator on ABM as they enrol in ABM on behalf of the organization. This administrator should agree to the program and software license agreements of ABM. The initial account administrator can create/give four other users as "administrators" in the ABM. Also, these accounts can't be associated with any existing Apple ID or other Apple services.

Apple will review all the information provided and will contact this representative, and they may be asked for additional information by phone or email before the enrollment is approved.

Your the location where your organization is registered
Choose the location where your organization is registered.
Enrollment Review
Enrollment Review

Once your call has been received and Apple confirms your eligibility for Apple Business Manager (ABM), you'll get an email asking you to agree to the Terms and Conditions. Be aware that the link in the email is time-sensitive and will expire after a week. If you don't complete this step within the 7-day timeframe, you'll have to reach out to Apple once more to proceed.

When verified the administrator will be emailed instructions for setting up ABM for the business. A verification code will be sent to your email id and phone number entered when creating the managed ID. Enter the code sent to verify.

You will be then asked to create a managed Apple ID. Accept the Terms & Conditions for using Apple Business Manager and you are in!

ABM provisioned
ABM provisioned

User, Permissions, and Role Management in ABM

In Apple Business Manager, each user is assigned one or multiple roles that outline their capabilities within the system. Some roles even have the authority to oversee other roles. For instance, a user designated as an Administrator has the ability to manage those in Manager or Staff roles.

It's worth noting that users holding the Administrator or People Manager roles cannot log in via federated authentication; they are only permitted to oversee the federated authentication process.

Furthermore, each role is defined by a collection of privileges that apply to all users holding that specific role. Staff roles come with minimal privileges, Manager roles offer more, and those in the Administrator role enjoy the most extensive range of privileges.

Every user in ABM must have at least one role, and each role has certain privileges. The below table will help you with a basic idea of the roles available in ABM:

The privileges (rights) with roles in ABM are:

  • People Privileges
  • Device Privileges
  • Content Privileges
  • Staff Privileges
  • Basic Privileges

Add a New User in ABM

(The user signing up for the ABM for the first time by default becomes the first administrator in ABM).

  • Click Users in the left sidebar, click the Add button, enter the required details, and click Save.

Create sign-in information for the new user:

Sign in to Apple Business Manager and click Users, then search for the newly created user.

  • Select the user from the list and click Create Sign-in to create new sign-in information for the new user.
  • Select how you want to send the information to the user. You can either download the information as a pdf or CSV, or you can e-mail the information to the user.

Integrate ABM with Intune

You need an Apple MDM Push certificate to manage your iOS/iPadOS and macOS devices in Microsoft Intune. This token enables devices to enroll via Intune Comp Portal or ADE/ASM/AC2. Follow the steps below to create the Apple MDM push certificate and upload it to the Intune Portal.

Step 1. Grant Microsoft permission to send user and device information to Apple

  • Sign in to the Intune Admin Center, navigate to Devices > Enrollment > Apple enrollment > Apple MDM Push Certificate
  • Select I agree. to give Microsoft permission to send data to Apple
  • Select Download your CSR to download and save the file locally. The file is used to request a trust relationship certificate from the Apple Push Certificates Portal.

Step 2: Create Apple Push Notification Certificate

  • AppleSelect Create your MDM push Certificate to the Apple Push Certificates Portal and sign in with your organization ID.
💡
Remember to use a corporate ID as your Apple ID, The recommendation is that it should be a service account. Avoid using your personal Apple ID.
  • Select Create a Certificate.
  • Read and agree to the terms and conditions. Then select Accept.
  • Select Choose File and select the CSR file you downloaded in Intune.
  • Select Upload.
  • On the confirmation page, select Download. The certificate file (.pem) downloads to your device. Save this file as we will upload it in Intune.
  • Return to the admin center and enter your Apple ID as a reminder for when you need to renew the certificate
  • Browse to your Apple MDM push certificate to upload. Select Upload to finish configuring the MDM push certificate.

Step 3. Create and Upload Apple Automated Device Enrollment Token

So the pre-requisite is done, but before you can enroll iOS/iPadOS devices, you would need an Apple Server Token (.p7m) file from Apple. This token syncs information from Intune to ADE devices that your corporation owns. It also allows Intune to assign enrollment profiles to Apple and to assign devices to those profiles.

Follow the steps below to create & upload the ADE token:

  • In Intune portal, select Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens > Add
  • Select Download the Intune public key certificate required to create the token. This step downloads and saves the encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple Business Manager portal.
  • Click on  Create a token via Apple Business Manager to open the Apple Business Manager portal for creating your ADE token (MDM server).
  • Sign in with your company’s Apple ID in Apple Business Manager.
  • Click your name at the bottom of the sidebar > Preferences, then click “Add” to add MDM Server.
  • Upload the public key you downloaded from Intune in step 2. You can type the server name to identify your MDM tenant quickly.
  • After you save the MDM server, select it and download the token (.p7m file).
  • Now, back to Intune portal – Step 4. Upload the token and click Next and then save.

Step 4: Assign Devices to the Apple Token (Server)

  • In Apple Business Manager > Devices, select the devices you want to assign to this token. You can also choose multiple devices simultaneously or define that all devices are by default assigned to this token.
  • Edit device management and select the MDM server you just added.

Summary:

With your Apple Business Manager (ABM) instance now set up, you're ready to begin adding devices. You can do this yourself or request your reseller to do it for you. Coming up next, we'll delve into Apple Configurator, focusing not on the standard setup but on automated configurations.