Setup Apple Business Manager in Intune

In this blog we will look at how to configure Apple Business Manager in Intune to manage your corporate owned devices and allow for bulk enrollment.

Note. Apple Business Manager is only available in selected countries, please verify that your country is available for enrollment into this program.
Availability of Apple programs and payment methods for education and business – Apple Support

Prerequisites

• Devices purchased from a supported channel
• Mobile device management (MDM) authority
• An Apple MDM push certificate

Supported volume

• Maximum enrollment profiles per token: 1,000.
• Maximum Automated Device Enrollment devices per profile: Same as the maximum number of devices per token (200,000 devices per token).
• Maximum Automated Device Enrollment tokens per Intune account: 2,000.
• Maximum Automated Device Enrollment devices per token: We recommend that you don’t exceed 200,000 devices per token. Otherwise, you might have sync problems. If you have more than 200,000 devices, split the devices into multiple ADE tokens.
  • About 3,000 devices per minute sync from ABM/ASM over to Intune. We recommend that you wait to manually sync again from the admin console until enough time has passed for all of the devices to sync over (total number of devices/3,000 devices per minute).

Enroll Your Organization

To buy content, configure automatic device enrollment in Intune and create accounts for your managers you need to enroll your organization.

1. In a browser navigate to Enroll in Apple Business Manager
2. Enter the required information
   
3. Once you have submitted the enrollment, an AppleCare agent will research your organization.
   
4. An Apple Deployment Programs Support Agent will contact the verification contact supplied to verify a few details and complete the enrollment process.
5. You will receive an email to confirm the contact that should accept the Terms and Conditions
   
6. You will then receive another email to get started with the creation of an Apple ID and setting up Apple Business Manager
   

Setup Apple VPP Token

1. In Apple Business Manager, in the left bottom click on your Account > Preferences > Payments and Billing
2. Click on you Organization Name and save the .vpptoken.
   
3. In the Microsoft Endpoint Manager admin center, Tenant Administration > Connectors and Tokens > Apple VPP Tokens
   
4. Click +Create
   
5. Enter the Token name, Apple ID and upload the Token downloaded in Step 2 and click Next
   
6. Select the Country/Region, Type of VPP account and select Yes to automatically update app associated with the VPP Token. Click Next and Create.
   

Get an Apple Device Enrollment token

Now that we have enrolled our organization, we can continue to setup the enrollment program token.

1. In the Microsoft Endpoint Manager admin center, click Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens
   
2. Click on Add
   
3. Grant permission to Microsoft to send both user and device information to Apple by ticking I agree.
4. Click Download your public key to download and save the encryption key file locally. The file is used to request a trust-relationship certificate from the Apple portal.
5. Click Create a token for Apple’s Device Enrollment Program to open Apple’s Deployment Program portal, and sign in with your company Apple ID. You can use this Apple ID to renew your token.
   
6. In Apple’s Deployment Programs portal, in the left bottom click on your Account > Preferences > MDM Server Assignment > Add MDM Server
   
7. For MDM Server Name, enter a preferred name such as “Intune”.
8. Click Choose File… to upload the .pem file downloaded in Step 4, and then click Save.
   
9. In the left bottom click on your Account > Preferences > “Your MDM Server Name” click Download Token.
   
10. In the Microsoft Endpoint Manager admin center, enter the Apple ID used and upload the Token downloaded in Step 9 and click Next.
11. Click Create.
    

Create an Apple enrollment profile

Now that we’ve installed our token, we can create an enrollment profile for Apple Device Enrollment devices. A device enrollment profile defines the settings applied to a group of devices during enrollment.

 Note.

Devices will be blocked if there aren’t enough Company Portal licenses for a VPP token or if the token is expired. Intune will display an alert when a token is about to expire, or licenses are running low.

1. In Microsoft Endpoint Manager admin center, select Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens.
2. Select a Enrollment program token that was created previously and then select Profiles > Create profile > iOS/iPadOS:

1. On the Basics tab, enter a Name and Description for the profile and click Next

1. In the User Affinity list, select Enroll with User Affinity.
2. In the Authentication Method list, select Company Portal.

1. In the Install Company Portal with VPP, select the VPP token for your organization.

To ensure that user interaction isn’t required, you’ll probably want to make Company Portal an iOS/iPadOS VPP app, make it a required app, and use device licensing for the assignment. Make sure that the token doesn’t expire and that you have enough device licenses for Company Portal. If the token expires or runs out of licenses, Intune installs the App Store Company Portal instead and prompts for an Apple ID. If you set the authentication method to Company Portal, make sure that the device enrollment process is completed within the first 24 hours of the Company Portal download to the ADE device. Otherwise enrollment might fail, and a factory reset will be needed to enroll the device.

1. Select Yes for Run Company Portal in Single App Mode until authentication.

Note. Multifactor authentication isn’t supported on a single device locked in Single App Mode. This limitation exists because the device can’t switch to a different app to complete the second factor of authentication. If you want multifactor authentication on a Single App Mode device, the second factor must be on a different device.

This feature is supported only for iOS/iPadOS 11.3.1 and later.

1. If you want devices using this profile to be supervised, select Yes in the Supervised list:

1. In the Locked enrollment list, select Yes.
   

Locked enrollment disables iOS/iPadOS settings that allow the management profile to be removed from the Settings menu. After device enrollment, you can’t change this setting without wiping the device. To use this option, the device must have the Supervised management option set to Yes.

If a device is enrolled with locked enrollment, the user won’t be able to use Remove Device or Factory Reset in the Company Portal app. The options will be unavailable to the user. Also, the user won’t be able to remove the device on the Company Portal website. If a BYOD device is converted to an Apple ADE device and enrolled with a profile that has locked enrollment enabled, the user will be allowed to use Remove Device and Factory Reset for 30 days. After 30 days, the options will be disabled or unavailable. For more information, see Prepare devices manually.

1. In the Sync with computers list, select Allow all.
   
2. You can specify a naming format for devices that’s automatically applied when they’re enrolled and upon each successive check-in. To create a naming template, select Yes under Apply device name template. Then, in the Device Name Template box, enter the template to use for the names that use this profile. You can specify a template format that includes the device type and serial number.
   
3. Click Next
4. On the Setup Assistant, enter the Department and phone number.
   
5. Select the Setup Assistant screens that you would like to show or hide during the process.
6. Click Next.
7. Click Create.

Assign an enrollment profile to devices.

Before devices can be enrolled, you need to assign an enrollment program profile to them.

• 1. In Microsoft Endpoint Manager admin center, select Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens. Select the token in the list.
  2. Select Devices. Select devices in the list, and then select Assign profile.
  3. Under Assign profile, choose a profile for the devices, and then select Assign.
     

Assign a default profile.

You can choose a default profile to be applied to all devices that enroll with a specific token.

1. In Microsoft Endpoint Manager admin center, select Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens. Select the token in the list.
2. Select Set Default Profile, select a profile in the list, and then select Save. The profile will be applied to all devices that enroll with the token.

Sync managed devices.

Now that we have setup our enrollment token we can sync the devices that we have purchased through a supported channel.

1. In Microsoft Endpoint Manager admin center, select Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens.
2. Click the token we created earlier, and then select Devices > Sync:

Distribute devices to users

You’ve set up management and syncing between Apple and Intune and assigned a profile to let your ADE devices enroll. You can now distribute devices to users. Devices with user affinity require each user be assigned an Intune license.