It’s a best practice to enroll corporate-owned iOS/iPadOS devices via the Apple Automated Device Enrollment (ADE) program (previously known as the Device Enrollment Program – DEP). It offers “out of the box” security because enrollment with the MDM solution starts automatically and the user can’t work around it. In addition to automatic device enrollment, it makes it possible to set devices in supervised mode, which offers more policy settings to apply. In combination with the Apple Volume Purchase Program (VPP), no Apple ID is required during enrollment and for installing company-published applications.
The good news is that this Apple service is free. The company needs to enroll in the ADE and VPP programs via the Apple Business Manager (ABM). For more information see https://business.apple.com/#enrollment. Once the company is enrolled, devices purchased from that moment on can be automatically added by your authorized Apple reseller to your Apple Business Manager. However, adding devices that have already been purchased takes a little more effort.
In this blog
In this blog I will show you step-by-step how to add already purchased iOS/iPadOS devices to the Apple Business Manager. I will do that in the following steps.
- Create an Apple Configurator Enrollment Profile in Microsoft Intune
- Install the Apple Configurator 2 on a macOS device
- Create a Wi-Fi Profile
- Create a Blueprint
- Add an iOS/iPadOS device to the Apple Business Manager
Before you start, keep in mind the following requirements and conditions.
- Microsoft Intune environment up-and-running
- Access to the Apple Business Manager with an Administrator account
- A device running macOS 10.15.6 or later
- Physical access to the iOS/iPadOS device
- Devices need to be connected to the macOS device via USB and will get a factory reset
Step 1 : Create an Apple Configurator Enrollment Profile in Microsoft Intune
The first step is to create an Enrollment Profile for the Apple Configurator (which will be installed later on). To do so, open a browser and go to the Microsoft Endpoint Manager admin center.
Navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment and click Apple Configurator
Open the Profiles page and click + Create
Fill in a Name for the profile, and optionally a Description. Click Next.
Select Enroll with user affinity (or without user affinity if you want to use the devices as a kiosk device or something). Set Select where users must authenticate to Company Portal. Click Next.
After creation, open the Profile and click Export Profile. Copy the Profile URL and save it in a Notepad or something. We need this URL later when configuring the Apple Configurator 2 application.
Step 2 : Install the Apple Configurator 2 on a macOS device
In this step we are going to install the Apple Configurator 2 application from the Apple Store on a device running macOS. Open the Store and search for “Apple Configurator 2”.
After the installation click Open
Click Get Started
The Apple Configurator 2 is now installed on the macOS device.
Step 3 : Create a Wi-Fi Profile
An internet connection is required on the devices when you add them to the Apple Business Manager via the Apple Configurator 2 application. Therefore, it is recommended to create a Wi-Fi profile so devices will connect automatically during the onboarding process.
If you are not configuring a Wi-Fi profile you can still add devices, but you have to connect the device manually to a Wi-Fi network during the onboarding.
To create a Wi-Fi Profile, click File > New Profile
Open the Wi-Fi tab and click on Configure
Fill in the information of the Wi-Fi network, make sure Auto Join is selected and save the profile.
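The saved Wi-Fi profile is a property-list (.mobileconfig) file, so it can be checked before it is attached to a Blueprint. The script below is an added example, not part of the original blog or of Apple's or Microsoft's tooling; it assumes an unsigned profile export, and the sample profile, SSID, key value and the function name audit_wifi_profile are constructed for illustration.

```python
import plistlib

WIFI_PAYLOAD = "com.apple.wifi.managed"   # Apple's Wi-Fi payload type
WEAK_ENCRYPTION = {"None", "WEP"}         # open or broken link-layer protection

# Constructed sample standing in for the profile saved in this step.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.onboarding.wifi",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadDisplayName": "Onboarding Wi-Fi (constructed sample)",
    "PayloadContent": [{
        "PayloadType": WIFI_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.onboarding.wifi.payload",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "SSID_STR": "Onboarding-Example",
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "Password": "constructed-sample-psk",
    }],
})


def audit_wifi_profile(data):
    """Return a list of findings for every Wi-Fi payload in a profile."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == WIFI_PAYLOAD]
    if not payloads:
        return ["no Wi-Fi payload found in profile"]
    findings = []
    for p in payloads:
        ssid = p.get("SSID_STR", "<unnamed>")
        # Without Auto Join the device waits for manual Wi-Fi setup.
        if not p.get("AutoJoin", True):
            findings.append(f"{ssid}: AutoJoin is off, onboarding needs manual Wi-Fi")
        enc = p.get("EncryptionType", "Any")
        if enc in WEAK_ENCRYPTION:
            findings.append(f"{ssid}: weak EncryptionType '{enc}'")
        # An unsigned, unencrypted profile stores the key readable on disk.
        if "Password" in p:
            findings.append(f"{ssid}: pre-shared key stored in cleartext in the profile file")
    return findings


if __name__ == "__main__":
    for finding in audit_wifi_profile(SAMPLE_PROFILE):
        print(finding)
```

A cleartext key finding is expected for any pre-shared-key network; treat the saved profile file as a secret and consider a dedicated onboarding network with limited reach.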
Step 4 : Create a Blueprint
A Blueprint is a template of settings within the Apple Configurator 2 application. Once you have created a Blueprint you can easily apply it to new connected devices. In this step I will show you how to create a blueprint.
Within the Apple Configurator 2 application go to File > New Blueprint
Give the Blueprint a name and open it.
Click the Prepare button
Select Prepare with : Manual Configuration. Make sure only Add to Apple School Manager or Apple Business Manager and Allow devices to pair with other computers are selected as shown in the screenshot above.
Select New Server and click Next
Fill in a name, for example Microsoft Endpoint Manager. In the Host name or URL field, paste the Profile URL copied in step 1 of this blog. Click Next
Select appleconfigurator2.manage.microsoft.com and click Next
Login with your Apple Business Manager admin account.
Select Generate a new supervision identity and click Next
Select Don’t show any of these steps and click Next
Click Choose to select the Wi-Fi profile created in step 3.
Click Done. The Blueprint is now ready to use.
Step 5 : Add an iOS/iPadOS device to the Apple Business Manager
In this step I will add my old iPhone 8 device to the Apple Business Manager. Connect the iOS/iPadOS device via USB cable to the macOS device.
If the device is correctly connected, it will be shown in the Apple Configurator 2 application.
Now click on the Blueprints button and select the just created Blueprint (in this case “Futureworkplace”).
Click Apply (be aware that the device will get a factory reset!)
The device will now be added to the Apple Business Manager.
Within the Apple Business Manager, the new devices will automatically be assigned to “Apple Configurator 2”. This can be changed to the MDM server of Microsoft Intune.
Make sure you sync your Apple Business Manager with Microsoft Intune before enrolling the device.