Hola everyone. I hope we are helping you to learn new things every day. I’m back with Simple Way to Add iOS to Apple Business Manager and Manage in Intune – Part 2, another interesting topic in managing iOS devices in Intune. In this part, let’s discuss integrating ABM, Assigning MDM servers to devices, and Syncing the device to Intune.
In part-1 of this series, we discussed how the devices are added to the Apple Business Manager account for devices procured directly from Apple or authorized Resellers and how to add devices that are purchased from other sources. This article will discuss the next steps before shipping the device to your organization’s end users.
Devices added to the ABM portal cannot be enrolled to any MDM solution while setting up the device without assigning an MDM server to each device. We need to create an MDM server in the Apple Business Manager portal, and this will be an integration between the MDM solution and your ABM portal.
This entire process is widely known as Device Enrolment Program, which was recently renamed Apple Device Enrollment Program. This DEP uses a server token to allow a Mobile Device Management (MDM) server to securely communicate with a DEP web service.
- Simple Way to Add iOS to Apple Business Manager and Manage in Intune – Part 1
- Enrol macOS in Intune with Step by Step Guide.
Create MDM Server in Apple Business Manager
To enrol the devices to the MDM solution right out of the box, we must integrate or add an MDM server in Apple Business Manager. We must generate a signing certificate from Intue and upload it In ABM. Let’s see how we can add an MDM server to the Apple Business Manager portal.
- Sign in to the Microsoft Endpoint Manager admin centre https://intune.microsoft.com.
- Click on Devices > iOS/iPadOS > iOS/iPadOS enrolment
- Select Enrollment Program Tokens
Now we need to create a new Enrolment program token which will be used for creating an MDM server in the Apple Business Manager portal. Click on Add.
On the Basics tab, click on I agree to grant Microsoft permission to send both user and device information to Apple. This will enable you to download a public key, download the Publick Key(.pem file). This file is required to request a trust relationship certificate from the ABM portal.
Now login to Apple Business Manager, click on your name at the bottom, and click Preferences.
Click on MDM Server Assignment. Now click on Add Server.
Note! If you have created an MDM server already, all the MDM Servers will be shown below.
Now on MDM Server Information, provide the name to the MDM Server and upload the Public Key we just downloaded from Intune. After uploading the file, click on Save.
Once the MDM server is saved, we need to download the Server Token, which is required to upload in Endpoint Manager, Select the MDM server created and Click on Download Server Token.
Now you will be prompted with a message “Downloading a new server token will reset your existing one.” When downloading the server token for the first time, we can ignore the warning and click on Download Server Token.
Now go to Endpoint Manager, upload the downloaded server token, enter the apple id used to create the MDM Server Token, and click Next.
On the Scope Tags page, add Scope tags if you have any, else, click Next. Now on the review and create page, click on Create. This will create the MDM server.
As soon as the MDM server is created, the admin will be presented with a Token Overview page. Here we can view all the details of the MDM Token and devices added to this MDM Token. We don’t have any devices added to this MDM Token, so devices are shown as 0.
Assign MDM Servers to Devices in the ABM Portal
We have successfully integrated/created an MDM server Token in Intune. Now we need to assign the MDM Server to the devices in the Apple Business Manager Portal. Let’s see how we can add an MDM server to the devices.
- Log in to Apple Business Manager Portal
- Click on Devices > Search for the device with the serial number or model name.
Now select the device you need to assign the MDM Server Token. When you select the device, you will show all the details and the source from which it has been added to the ABM portal as well. Now click on Edit MDM Server.
Select “Assign to the following MDM,” select the MDM Server we created just now, and click Continue to assign the Server.
Now admins will be shown a warning message “Are you sure you want to change the MDM server this device is assigned to?” read the message and ensure you are not changing the MDM server of an existing device. Click Confirm. This will assign the MDM Server to devices.
Sync the Devices in Intune
We have added the MDM server and assigned the MDM server for one of the devices for our testing. Now let’s see how devices are synced to Intune. In Intune, the devices will be shown under respective Enrolment program tokens. As we assigned devices to HTMD Server, the devices will be shown under this Enrollment program token.
We need to sync the Intune with the ABM portal manually. The devices will be shown only after the sync. The below steps can trigger the manual sync.
- Sign in to the Microsoft Endpoint Manager admin centre https://intune.microsoft.com.
- Click on Devices > iOS/iPadOS > iOS/iPadOS enrolment
- Select Enrollment Program Tokens
- Select the enrolment program Token just created and click on Sync
The manual sync would take a maximum of 15 minutes. We cannot initiate another sync till 15 minutes. The devices will sync even before the 15 minutes of sync. Once the sync is done, we can view devices under the enrolment program token.
We need to assign the enrolment profile to the devices to enrol the devices while setting up the devices. The device will be set up and enrolled in Intune based on these profiles. Using these profiles, we can restrict the number of screens users can see while setting up the device.
NOTE: Intune will initiate full device sync every 7 days. Intune fetches the full device report and MDM server assignment report during the full device sync. Delta Sync happens every 12 hours. We can also initiate Delta Sync manually and it will take 15 minutes to complete
Release Device from Apple Business Manager
We can release the devices from ABM and use them for regular use. To release the devices added to the ABM, follow the below steps
- Login into the ABM portal with an account having the necessary admin access
- Search for the device you want to release from the ABM
Now select the device and click on Release from ABM. Admin will be prompted with a warning message “Are you sure you want to release this device?” Read the message, and if you are sure, select the “I understand that this cannot be undone” check box and click on Release. This will release the device from the ABM portal.
If you want to add the device back to the ABM portal, you need to format the device and add the device with the help of Apple Configurator 2, as discussed above. The status of the device will be shown as Removed From ABM/ASM will be shown as Yes in Intune portal as well.
Conclusion
In this article, we have learned how we can create an MDM server using an enrolment program token and Assign the MDM server to ABM devices. Let’s learn how to create profiles to Enrolment Tokens and enrol the test device, which is added to the ABM portal using Apple Configurator 2 to Intune in part 3 of the series. Till then, Happy Learning. Adios Amigos.
Author
About Author – Narendra Kumar Malepati (Naren) has 11+ years of experience in IT, working on different MDM tools. Over the last seven years, Naren has been working on various features of Intune, including migration from different MDMs to Intune. Naren mainly focuses on Android, iOS, and MacOS.