Apple Business Manager is a web portal created by Apple that can be used to deploy iPhone, iPad, iPod touch, Mac computers and Apple TV. When you combine Apple Business Manager with Intune you can centrally manage device settings and distribute software to all your users. You can also enroll devices in Intune automatically, without touching them (OOBE), by authorizing your vendor to submit purchased devices to your Apple Business Manager. This way a configuration profile is assigned to new devices automatically and the device can be sent directly to the end user.
To enable all these features you will need to set up Apple Business Manager with Intune. Depending on the features you need, you will have to configure:
- Enrollment Restrictions – Check your enrollment restrictions to make sure Apple devices are allowed to enroll.
- Apple MDM Push Certificate (APNS) – This is required to enable device management for iOS, iPadOS and macOS devices.
- Volume-Purchased Program Token (VPP) – This is used to synchronise volume-purchase information with Intune and is needed to deploy software bought in Apple Business Manager.
- Automated Device Enrollment Token (DEP) – This is needed to allow automated device enrollment.
Before you start
Before you configure the push certificate and tokens, it’s recommended to create a non-personal account for management tasks. The certificate and tokens are associated with the Apple ID that created them and must be renewed with that same Apple ID. I will refer to this account as the Apple Management ID. Always read the prerequisites, especially if you are already using Apple Business Manager with a different MDM solution.
Configure Apple MDM Push Certificate
The Apple MDM Push Certificate is used by Intune to manage Apple devices.
1. Log in to the MEM admin center and go to “Devices” -> “iOS/iPadOS” -> “iOS/iPadOS enrollment” or click here. Select “Apple MDM Push certificate”.
2. Agree to allow Microsoft permission to send user and device information to Apple and press “Download your CSR”.
3. Press “Create your MDM push Certificate”.
4. You will be redirected to “Apple Push Certificates Portal“. Sign in with an Apple ID.
5. Select “Create a Certificate”
6. Read the contract and check the box if you agree and press “Accept”.
7. Select the downloaded CSR (step 2) and press “Upload”.
8. Download the new push certificate (MDM_ Microsoft Corporation_Certificate.pem), write down the Apple ID you used and sign out of the portal.
9. Enter the Apple ID you used (step 8) to create the MDM push certificate, select the new push certificate (*.pem) and press “Upload”.
10. The status will change to “Active”. The Push Certificate is now configured.
Configure Volume-Purchased Program Token
With Apple Business Manager you can purchase multiple licenses for an app. Using Intune you can manage and keep track of the licenses and distribute these volume-purchased apps within your organization. To enable this feature in Intune you will need to configure a VPP token. The VPP token needs to be renewed every year. Please take a look at the prerequisites if you are already using Apple Business Manager with a different MDM solution.
11. Log in to the Apple Business Manager portal and go to “Settings” -> “Apps and Books”. Press “Download” to download the VPP token.
12. Switch back to the MEM Admin center and go to “Tenant administration” -> “Connectors and tokens” -> “Apple VPP Tokens” or click here. Press “Create” to create a new Apple VPP token in Intune.
13. Enter a name for the token, the used Apple ID and select the downloaded “VPP token”. Press “Next” to continue.
14. Configure the following settings and click “Next”.
Setting | Description
--- | ---
Country | Select your country/region
Type of VPP account | Select the type of account
Automatic app updates | When enabled, Intune detects VPP app updates in the App Store and automatically pushes them to the device when the device checks in.
I grant Microsoft permission to send both user and device information to Apple. | Allow Microsoft to send information. To see what data is sent to Apple you can click here.
15. (Optional) If you are using scope tags within Intune, select the scope tags you want to use. Press “Next” to continue.
16. Press “Create” to finish the setup.
17. Now that the setup is finished you will be able to use VPP content in Intune and assign it to users. But before you can use the apps and books purchased in Apple Business Manager, you first need to sync Apple Business Manager with Intune. By default the sync is performed automatically twice a day, but you can also initiate a manual sync. To initiate a manual sync go to “Tenant Administration” -> “Connectors and tokens” -> “Apple VPP Tokens” or click here. Select “Sync” by pressing the three dots at the end of the VPP token.
18. After some time the applications will appear in Intune. Applications synced from Apple Business Manager have the type “iOS volume purchase program app”.
Configure Automated Device Enrollment Token (DEP)
19. In the MEM admin center go to “Devices” -> “iOS/iPadOS” -> “iOS/iPadOS enrollment” and select “Enrollment program tokens”
20. Press “Add” to create a new Enrollment program token.
21. If you allow Microsoft to share user and device data with Apple select “I agree” and press “Download your public key” to download the public key.
22. In Apple Business Manager go to “Settings” -> “Device Management Settings” and press “Add MDM server”.
23. Enter a name for your “MDM Server” and choose the downloaded public key from Intune (step 21). Press “Save” to continue.
24. Press “Download Token” to download the server token.
25. Press “Download Server Token”. This downloads a P7M certificate which you need to add to Intune. If you have already installed a token, this will replace the existing one.
26. Enter the Apple ID used for the token creation and upload the server token. Press “Next” to continue.
27. Press “Create” to finish the setup.
Summary
You will now be able to use Intune with Apple devices and use the following features:
- Manage iOS/iPadOS and macOS devices with Intune
- Distribution of VPP Apps and Books
- Enroll devices manually
- Use Apple Automated Device Enrollment (ADE).
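All three connectors configured above expire and, as noted under “Before you start”, must be renewed with the Apple ID that created them. The following PowerShell script is an added example (not from the original post) that reports the expiry date and the associated Apple ID of the APNs certificate, the VPP tokens and the ADE/DEP tokens through Microsoft Graph, so a renewal can be planned before devices lose management. It assumes the Microsoft.Graph PowerShell module is installed and the signed-in account has read access to Intune service configuration and app management; the 30-day warning threshold is a constructed value.

```powershell
# Added example, not part of the original post. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All','DeviceManagementApps.Read.All' -NoWelcome

$warnDays = 30          # constructed threshold: flag anything expiring within 30 days
$now = Get-Date

function Get-ExpiryRow {
    param([string]$Kind, [string]$Name, [string]$AppleId, $Expires)
    if (-not $Expires) {
        return [pscustomobject]@{ Kind = $Kind; Name = $Name; AppleId = $AppleId; ExpiresInDays = $null; Status = 'NOT CONFIGURED' }
    }
    $days = [int]([datetime]$Expires - $now).TotalDays
    $status = if ($days -lt 0) { 'EXPIRED' } elseif ($days -le $warnDays) { 'RENEW SOON' } else { 'OK' }
    [pscustomobject]@{ Kind = $Kind; Name = $Name; AppleId = $AppleId; ExpiresInDays = $days; Status = $status }
}

$rows = @()

# Apple MDM Push Certificate (APNs): one per tenant. Replacing it with a different
# certificate forces re-enrollment, so renew it with the same Apple ID.
$apns = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate'
$rows += Get-ExpiryRow -Kind 'APNs push certificate' -Name $apns.certificateSerialNumber -AppleId $apns.appleIdentifier -Expires $apns.expirationDateTime

# VPP (Apps and Books) tokens: renewed every year in Apple Business Manager.
$vpp = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/vppTokens'
foreach ($t in $vpp.value) {
    $rows += Get-ExpiryRow -Kind 'VPP token' -Name $t.organizationName -AppleId $t.appleId -Expires $t.expirationDateTime
}

# Automated Device Enrollment (DEP) tokens: only exposed on the beta endpoint.
$dep = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings'
foreach ($t in $dep.value) {
    $rows += Get-ExpiryRow -Kind 'ADE/DEP token' -Name $t.tokenName -AppleId $t.appleIdentifier -Expires $t.tokenExpirationDateTime
}

# Soonest expiry first; the AppleId column tells you which account must do the renewal.
$rows | Sort-Object ExpiresInDays | Format-Table -AutoSize
```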
I have a client that I am setting up ABM for use with Intune and they have an Apple MDM token that has the (no longer available) VPP licenses with several active machines attached to it. I was wondering if you are aware of anything breaking for enrolled devices if I remove that token and replace it with the new ABM that uses a Management ID.
Hi Erik,
To which Apple MDM token do you refer? There are 3 tokens/certificates:
– Apple MDM Push Certificate (APNS)
– Volume-Purchased Program Token (VPP)
– Automated Device Enrollment Token (DEP)
If you delete the Apple MDM Push Certificate (APNS) in Intune and replace it with a new Certificate you will need to re-enroll devices in Intune. This certificate is used to manage all iOS, iPadOS and macOS devices in Intune.
best regards, Aad
I have a somewhat similar question to Erik’s.
What if someone creates a new Intune-ABM mdm key and token instead of renewing the existing one? The old token hasn’t been deleted from Intune yet but ABM is pretty clear if you upload a key it will invalidate the existing one so I assume there is no way to roll back.
Which brings me to similarities with Erik’s question – existing devices haven’t unenrolled and are still showing compliance, but they no longer have Comp Portal app store access and all devices no longer have any assigned enrollment profile. The latter is fixable thru the grunt work of re-creating and re-assigning enrollment profiles under the new MDM token, but the loss of the CP app store is surprising – can this be fixed without signing out of Comp Portal and re-enrolling the device?
Thanks for your help!
Hi, can I use this configuration in my location (Puerto Rico)?
I have my iOS devices managed by Merika MDM with a VPP and DEP configuration. My company plans to move to Intune MDM with a new setup that generates a new token for VPP, and DEP would disrupt the current devices managed in Merika MDM. Can you advise a solution without disrupting the current enrollment of the Merika MDM enrolled devices?
Aad: Great job with this. I was looking for a good document outlining the different types of tokens and certificates and how they all come together. No amount of Microsoft, Apple or other documentation did as good a job as what you have here. Thanks very much for putting this together.
Thanks for the compliment. Happy to help!
regards, Aad
Great post..
Most of the blogs I have been thru never mentioned how to kick-start the setup.
Will a normal Apple ID work or not? Thanks for this post.
Do we also have a post regarding device restrictions based on personal/corporate device, custom enrollment restrictions and corporate device identifiers?
Cheers
Hi,
Depending on the situation you can use a normal Apple ID (personal Apple ID). For some profile types, like User Enrollment and Shared iPad for Business, a Managed Apple ID is required (see this post).
regards, Aad
I appreciate your overall work. You have put forth, in sequence, everything that is required to set up Intune with ABM and DEP. Great work.
Do we have any idea around why devices wouldn’t be showing up after completing these steps?
Hi Daniel,
Did you assign the devices to the Intune MDM profile? You also need to sync ABM with Intune to see the latest information.
regards, Aad
I want to know what the user experience will be after configuring this. After enabling Intune as the MDM in ABM, what happens from a user point of view? Any pop-ups, messages, tasks etc? Any disruption at all?