Add devices in Apple Business Manager with Intune

      5 Comments on Add devices in Apple Business Manager with Intune

To add devices in Apple Business Manager there are a two options. You can either purchase a device directly from Apple or from a participating Apple Authorised Reseller and they will add the device to your Apple Business Manager. The other way is by using Apple Configurator 2 with a MDM solution. BIn this blog I will show how you can configure Apple Configurator with Intune to enroll devices in Apple Business Manager.

 

Prerequisites

Before you can add devices you first need Setup Apple Business Manager with Intune. To perform the enrollment you will need a MacOS computer with Apple Configurator 2 installed and a cable to connect a device (e.g. iPhone, iPad, etc) to your Mac. In this post I will use a Mac Mini and a Lightning cable to connect a first gen Apple SE to enroll in Intune.

 

Setup

The Setup consists out of a few steps:

  1. Create an Apple Configurator Enrollment Profile
  2. Setup Apple Configurator 2
  3. Prepare and add the iPhone

 

Apple Configurator Enrollment Profile

Before you start with these steps you first need to setup Apple Business Manager with Intune. During this step we’re going to configure the Apple Configurator profile. This profile will be used by the Apple Configurator to enroll devices in Apple Business Manager.

 

1. Go to “Devices” -> “iOS/iPadOS” -> “iOS/iPadOS enrollment”  or press here. Select “Apple Configurator” to setup a new profile.

 

2. In the navigation pane select “Profiles” and press “+Create” to add a new enrollment profile.

 

3. Enter a Name and description and press “Next” to continue.

 

4. Select the settings you want to use for the enrollment and press “Next”

User affinity Here you can choose to use if you want to affiliate the device with an user to allow access to company data and email or not.
Select where users must authenticate Only if you choose user affiliation you need to select where the users need to authenticate (Company Portal or Apple Setup Assistant).

 

5. Review the settings and press “Create” to create the enrollment profile.

 

6. After the enrollment profile has been created you will see an overview with all Apple Configurator profiles. Select the created profile.

 

7. Press “Export Profile” and copy the Profile URL. This you will need to setup the Apple Configurator app.

 

Setup Apple Configurator 2

During this step we’re going to configure Apple Configurator. During this setup we will add the following settings to Apple Configurator: a supervision identity, MDM server and a Wi-Fi profile for devices without a SIM card. These steps will all be performed on the MacOS computer.

 

1. Install Apple Configurator 2 on your MacOS device this is a free application which can be installed using the App Store on your Mac. Look for “Apple configurator 2”

2. Start Apple Configurator 2 and select “preferences”

 

3. Select “Organizations” in the top and press “+” to add a supervision identity.

 

4. Press “Next” to continue.

 

5. Enter your credentials for Apple Business Manager and press “Next

 

6. Select “Generate a new supervision identity” and press “Done”. This will create a self-signed root certificate.

 

7. A popup will appear to enter your credential to allow the creation of the certificate on your computer. Enter your computer credentials and press “Update Settings”

 

8. The supervision Identity has now been created. Select the “Servers” button to the MDM server.

 

9. Press the “+” sign to add a new MDM server.

 

10. Press “Next” to continue.

 

11. Enter the name of the user profile you’ve created in Intune in the “Name” field and past the Profile URL in the “Host name or URL:” field. Press “Next” to finish.

 

12. The MDM server has now been added to Apple Configurator. Close the preferences window. Next step is to add a Wi-Fi profile.

 

13. Select “File” -> “New Profile”

 

14. Select in the Navigation menu “Wi-Fi” and press “Configure”.

 

15. Enter the configuration data for the Wi-Fi Connection and close the screen.

 

16. Save the Wi-Fi profile. The configuration of Apple Configurator is now finished.

 

Prepare and add the iPhone

Before we can prepare the device with Apple Configurator we need to import the serial of the device and Assign a policy to the device in Intune.

 

1. Create a comma separated CSV containing two rows. The first row contains the serials of the device you want to import and the second row contains the description.

 

2. Go to “Devices” -> “iOS/iPadOS” -> “iOS/iPadOS enrollment” -> “Apple Configurator”  or press here. Select “Devices” and press “+Add” to add devices.

 

3. Select the created “enrollment profile” and select the csv file containing the devices. Press “Add” to upload the devices.

 

4. When the upload is finished the device will be displayed in the “Devices” overview. The device is now ready to be enrolled with Apple Configurator.

 

5. Connect the device to the Mac and start Apple Configurator 2. Select the connected device and press “Prepare”.

 

6. Use the default settings and press “Next”.

 

7. Select the configured profile and press “Next”.

 

8. Select the organization you want to use to supervise the added device and press “Next” to continue.

 

9. Select the steps you want to show to the user to configure and press “Next” to continue.

 

10. Select the Wi-Fi profile you’ve previously configured. This will be used to communicate with Apple Business Manager and Intune. Press “Prepare” to start the process.

 

11. The preparation process will now start. This will take some minutes to complete.

 

Results

The device will be visible in Apple Business Manager. One of the changes is the addition of a new MDM server called “Apple Configurator 2”. As you can see it has 1 device connected. This is the device we just enrolled.

 

When we take a look at devices, we see the new enrolled device “iPhone SE”. The source of the device is “Apple Configurator”. The device management of the device can also be changed by pressing “Edit Device Management”.

 

This way you can the enrollment from manual to Automated Device Enrollment.

 

 

End user Experience

After you turn the device on a few steps need to be performed by the end user before the device can be used. You will need to setup language, region and network. Once the homescreen is displayed the user needs to sign-in to Itunes to install the Company Portal and other apps. After the Company Portal has been installed the user needs to sign-in to the company portal to enroll the device and set the primary user.

 

Once the user has enrolled the device, the “Primary user” en “Enrolled by” will change to the enrolled user.

 

5 thoughts on “Add devices in Apple Business Manager with Intune

  1. Peder

    Hi,
    Thank you for a great tutorial. I see the device in Apple business manager and also in intune. In intune I set a profile for the device (same place where all my other DEP devices are). I wipe the ipad, but when the step with remote management is comming it just write “invalid profile” – and it is the default profile I use for all other devices that works normally in DEP

    One things that confuses me, the profile that is created in apple configurator in intune is one profile. But when the the device is added to apple business manager and is cyned again to intune I can see the profile again. Do they have to match or which one is the one that rules ?

    Any Idea ?

    Reply
    1. Aad Lutgert Post author

      Hi Peder,

      I’ve seen some issues on forums with this error, but I haven’t seen it myself. Except for the time when I forgot to upload the csv to Intune and didn’t apply a profile in Apple Configurator (see “Prepare and add the iPhone”).

      Could you try the following?

      1. Release the device in ABM so it will be removed from ABM
      2. Reset the device and add the device using the tutorial, but do not configure the device.
      3. Select the added device in ABM and edit device management to the Intune MDM server.
      4. Go to iOS/iPadOS enrollment -> Enrollment program tokens and select the correct token
      5. Select “Devices” and sync.
      6. Your device should appear, select and assign a profile
      7. Wait some time and reset your device
      8. It should now work

      best regards, Aad

      Reply
      1. Sebastian

        Thanks so much for this guide. I really went threw hell with ABM and AC2 and still can’t set it up.
        Let me understand these steps.. we create a AC2 Profile (Enroll Type1) in Intune, to get the device into ABM. Once this happened, we will assign the device to Intune via ABM, to use the Auto Enroll Token in Intune (Enroll Type 2). If I try to do these steps with “Setup Assistant” as authentication option, it will work until I install Intune Company Portal. Here it sais, that my iPad is not enrolled and it won’t sync.
        When I try all the steps with “Company Portal” as authentication option, it will get stuck in the setup screen at “Awaiting final configuration”.
        How long should I wait after step 7 in your comment above? Do I have to wipe the device there? Does ABM provide the profile then? Sorry, but even the MS support told me, that there is no possible way to enroll with ABM, when we do not have any reseller with us, which seems absolutely wrong. Thanks in advance!

        Reply
  2. Mary

    Hi Aad,
    Thanks for that manual, really helpful.
    I wanted to clarify about user experience when enrolling the iOS device.
    Which Apple ID should be used- personal or managed Apple ID when trying to get Company portal app?
    The main goal is to enroll the device as corporate-owned and get this supervised, this would enable some useful features for corporate iPhones such as Find my.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *