Hello Everyone. Welcome to part 3 of the series. This would be the last part of Simple Way to Add iOS to Apple Business Manager and Manage in Intune – Part 3. I hope you find the first two parts helpful in adding the iOS/iPadOS devices which your organization procures to the ABM portal.
We have divided the series into three parts, and the first part discusses how iOS/iPadOS devices are added to the Apple Business Manager portal. In the second part, we have explored how to integrate ABM and Intune, create the MDM Servers and Sync the added devices to Intune.
Now let’s learn how to create a profile that would be assigned the ABM devices and minimize the number of steps shown while setting up the devices. These profiles also enrol the ABM devices while setting up the device to Intune. Also, we can discuss the user experience while setting up the device.
In the profile, we can define how devices can be enrolled to Intune, either with User Affinity or without User Affinity, what kind of Authentication method should be used, whether apps to be downloaded from the Volume Purchase Program or directly from the App Store and many more. Let’s see how we can create and assign
- Simple Way to Add iOS to Apple Business Manager and Manage in Intune – Part 1
- Simple Way to Add iOS to Apple Business Manager and Manage in Intune – Part 2
Add iOS to Apple Business Manager Create and Assign the Device profiles
Enrolment Token profiles define the number of steps that should be shown to the end users while setting up the device and how the device will be enrolled to Intune. Follow the below steps to create the profile.
- Sign in to the Microsoft Endpoint Manager admin centre https://intune.microsoft.com.
- Click on Devices > iOS/iPadOS > iOS/iPadOS enrolment
- Select Enrollment Program Tokens
- Click on Profiles > Create profiles > iOS/iPadOS
Now provide the Name and Description to the profile on the Basics page and click on Next to Management settings page.
Under the Management Settings page, configure the “User Affinity & Authentication Method” to define how the user should authenticate the enrolment and the enrolment method.
User Affinity: These settings define how the device should be enrolled, whether with Enroll with User Affinity or Enrol without User Affinity. Enrol with User affinity is used for devices that users will use. Enrol without User Affinity will be used for shared devices or Kiosk Devices.
Authentication Method: Now, we need to choose which authentication method to be used for enrolling the device. Available options are as below.
- Company portal authentication will happen through the Company portal app. The company portal app will be installed as soon as the device is set up is finished.
- Setup Assistant(legacy): This method is used when you don’t want to use Modern Authentication features like MFA.
- Setup Assistant With Modern Authentication: Use this method to authenticate the users while setting up the device and installing the company portal app.
Install Company Portal with VPP
We need to decide how the Company Portal app will be installed on the user’s device. Intune provides two options through the Volume Purchase Program and Directly from App Store. You can select the token if you have already set up Volume Purchase. If you don’t have VPP enabled, select Don’t use VPP.
Run Company Portal in Single App Mode
When set to Yes, the device will be run on Sigle App mode until the user completes the enrollment. Users cannot quit the Company portal app and use other apps until the enrollment is completed. For our testing, I selected it as No.
Now let’s see the Management options Intune provides Admins to manage the corporate Owned iOS devices. All devices assigned to this profile will be Supervised by default, providing more control/management over the device.
Locked enrollment: Locked Enrollment blocks users from removing the Management profiles from the device’s settings. Select Yes to enable this feature, else make it No.
NOTE! Users cannot delete the MDM profile if a reseller or Apple adds the device to the ABM portal. If the device is added manually by Apple Configurator 2 or other means, users can delete the MDM profile in the first 30 days. After that, they cannot delete the MDM profile.
Sync with computers: When selected Allow All, the devices are synced with all the devices they connect. To block from Syncing, we can select Deny All. If you want to allow Apple Configurator, select Apple Configurator with a certificate. Once you select it, you need to upload the certificate.
Now we can customize how the device name should be shown in Intune Admin Centre. We can define the template under the Device Name Section, which works only for Supervised devices. To configure this, we need to enable the below settings.
Apply device name template (supervised only): Select Yes, if you want to define the template else, leave it as No.
Device Name Template: Here, we can define the template for the Device name. Intune provides two variables for this {{SERIAL}}, {{DEVICETYPE}}. Based on the template device name will be displayed in Admin Centre. I chose {{SERIAL}}-{{DEVICETYPE}} to show the serial number followed by the Device name.
Intune also provides Admis to monitor Cellular data plans. If you plan to activate the Cellular data plan, choose Activate Cellular data as Yes, else leave it as No. Now we have completed the Management Settings for iOS/iPadOS devices. These settings help admins to control the device. Now let’s see how we can improve the User experience by minimizing the number of device setup screens.
After configuring the Management settings, click Next to move to the Setup Assistant screen. This is where we define which screens to be visible to the user while settings up the device.
We can create different profiles for different departments in Intune per your organization’s requirements. Provide the Department name under the Department field. Provide the Department Phone number under the Department Phone number field.
During the setup of a new device, the user has to go through multiple screens like accepting T&C, setting up the device Passcode, and enabling Siri etc.; as these devices are supervised, we can reduce the number of screens the user views while setting up the device. Discuss with your organization and define the screens that should be shown to the users.
A few initial screens can’t be hidden, like selecting the language, setting up the country and configuring the Wi-Fi. The rest of the screens can be hidden from setting up. I have chosen a few screens, as shown in the below screenshots.
We must select Show if a particular screen should be shown to the users. Select Hide if you wish not to show the screen to the users. I have hidden all the screens except the Passcode, Terms and Conditions, FaceID and TouchID, and Device To Device Migration screens for our testing.
After selecting the required screens, click Next to Review and Create page. Review the settings once again and click on Create. The profile will be created successfully.
Now we need to assign this profile to the devices so that the device will be ready to ship the devices to the end users. Now click on devices under the MDM token. Select the devices and click on Assign profile. Now select the profile to be assigned and click on Save.
User Experience
After assigning the profiles, the devices are ready to ship to the users. Once the device is received, users can open the box and start setting up the device. As I mentioned above few initial steps cannot be hidden. Let’s see the user experience of setting up the device.
Users have to set up the language and Country settings. These screens cannot be hidden. On the Quick Start screen, select Setup Manually to proceed to further steps.
Now we need to select the Written and Spoken Languages, and users can select their interested language else, click on Continue to Wi-Fi settings, select the Wi-Fi and enter the password for Wi-Fi. After successful authentication, users will be moved to the next screen, where the device will activate and looks for any MDM profile assigned.
If the device has an MDM profile, it will retrieve the configurations and set it up as per the settings configured in the profile. Users will be presented with a Screen about Remote Management that says the organization will enrol and manage the device. Click on Next. Now the device will look for the configurations and apply them to the device.
NOTE! If the device is added manually to the ABM portal, and the user clicks on Leave Remote Management, shown in the 2nd screenshot of the above screen, the device will be released from the organization and will no longer be available in the ABM portal. We must reset the device in recovery mode and add it manually to the ABM portal.
We have allowed FaceID, Passcode, and ScreensTime screen devices to be presented with those screens. Once I set up the screens, the device’s home screen was shown.
The device is already enrolled, and the Management profile has been installed. We can check the same by going to device Settings > General > VPN & Device Management > Select the Management Profile, and you check for the MDM profile installed. Users cannot remove the MDM profile from settings if they select locked enrolment in the profile.
Even though the device is enrolled but not registered until you sign in to Company Portal. Open Company Portal app and sign in using your organizational credentials and get the device register to Azure. It will check for the Management profile and compliance. As I chose the VPP token for installing apps, the Company Portal app was already assigned to the user, and the company portal was installed without asking for AppleID.
If we have chosen not to use VPP in the profile, the user will be prompted to enter the Apple ID for installing the Company Portal app from App Store. Users can enter their personal Apple ID or leverage Managed AppleIds created by the organization.
After checking the compliance status, the user will be presented to select categories if the admins have defined categories in Intune. After selecting the categories, the user will be presented with apps assigned to the user. This completes the device enrollment to Intune, which is ready for use.
Suppose the device is transferred from one user to another user. In that case, the device should be Wiped from Intune console, Retired from Intune and reset the device using the Settings app or Apple Configurator.
Conclusion
So we have finished the series of Adding iOS devices to the ABM portal and Managing them in Intune. I hope with this, you can implement the Zero-Touch Enrolment for your corporate-owned Apple devices within your organization. Have a happy learning. Alvida Dosthon.
Author
About Author – Narendra Kumar Malepati (Naren) has 11+ years of experience in IT, working on different MDM tools. Over the last seven years, Naren has been working on various features of Intune, including migration from different MDMs to Intune. Naren mainly focuses on Android, iOS, and MacOS.