Automatically enroll iOS/iPadOS devices by using Apple's Automated Device Enrollment

Important

Apple recently changed from using the Apple Device Enrollment Program (DEP) to using Apple Automated Device Enrollment (ADE). The Microsoft Intune user interface doesn't currently reflect that change. Currently, you'll still see Device Enrollment Program in the Intune portal. Wherever you see references to DEP, Intune now uses Automated Device Enrollment.

You can set up Intune to enroll iOS/iPadOS devices purchased through Apple's Automated Device Enrollment (ADE). Automated Device Enrollment lets you enroll large numbers of devices without ever touching them. Devices like iPhones, iPads, and MacBooks can be shipped directly to users. When a user turns on the device, Setup Assistant, which includes the typical out-of-box-experience for Apple products, runs with preconfigured settings and the device enrolls into management.

To enable ADE, you use the Intune portal and either the Apple Business Manager (ABM) portal or the Apple School Manager (ASM) portal. In either Apple portal, you need a list of serial numbers or a purchase order so you can assign devices to Intune for management. You create ADE enrollment profiles in Intune. These profiles contain settings that are applied to devices during enrollment. ADE can't be used with a Device Enrollment Manager account.

Note

ADE sets device configurations that can't necessarily be removed by end users. Therefore, before ADE is used, the device must be wiped to return it to an out-of-box (new) state. For more information, see Deployment guide: Enroll iOS and iPadOS devices.

If you experience sync problems during the enrollment process, you can look for solutions at Troubleshoot iOS/iPadOS device enrollment problems.

Automated Device Enrollment and Company Portal

ADE enrollments aren't compatible with the App Store version of the Company Portal app. You can give users access to the Company Portal app on an ADE device. You might want to provide this access for one of the following reasons:

  • To let users choose which corporate apps they want to use on their devices
  • To use modern authentication to complete the enrollment process
  • To provide a staged enrollment in which the device is enrolled and receives device policies before users authenticate in Company Portal

To enable modern authentication during enrollment, push the app to the device by using Install Company Portal with VPP (Volume Purchase Program) in the ADE profile. For more information, see Automatically enroll iOS/iPadOS devices with Apple's ADE.

To enable the Company Portal to update automatically and to provide the Company Portal app on devices already enrolled with ADE, deploy the Company Portal app through Intune as a required VPP app with an application configuration policy applied. Deploying the Company Portal app this way also enables Device Staging, which applies only to devices enrolled without user affinity. With Device Staging, a device is fully enrolled and receives device policies before a user affinity is added. Device Staging can also be used to transition a device without user affinity to a device with user affinity.

What is supervised mode?

Apple introduced supervised mode in iOS/iPadOS 5. An iOS/iPadOS device in supervised mode provides more management control, like blocking of screen captures and blocking of the installation of apps from App Store. So it's especially useful for corporate-owned devices. Intune supports configuring devices for supervised mode as part of ADE.

Support for unsupervised ADE devices was deprecated in iOS/iPadOS 11. In iOS/iPadOS 11 and later, ADE-configured devices should always be supervised. The ADE is_supervised flag will be ignored in iOS/iPadOS 13.0 and later. All iOS/iPadOS devices with version 13.0 and later are automatically supervised when enrolled with Automated Device Enrollment.

Prerequisites

Supported volume

  • Maximum enrollment profiles per token: 1,000.
  • Maximum Automated Device Enrollment devices per profile: Same as the maximum number of devices per token (200,000 devices per token).
  • Maximum Automated Device Enrollment tokens per Intune account: 2,000.
  • Maximum Automated Device Enrollment devices per token: We recommend that you don't exceed 200,000 devices per token. Otherwise you might have sync problems. If you have more than 200,000 devices, split the devices into multiple ADE tokens.
    • About 3,000 devices per minute sync from ABM/ASM over to Intune. We recommend that you wait to manually sync again from the admin console until enough time has passed for all of the devices to sync over (total number of devices/3,000 devices per minute).

Get an Apple Automated Device Enrollment token

Before you can enroll iOS/iPadOS devices with ADE, you need an ADE token (.p7m) file from Apple. This token lets Intune sync information about ADE devices that your corporation owns. It also allows Intune to upload enrollment profiles to Apple and to assign devices to those profiles.

You use the Apple Business Manager (ABM) or Apple School Manager (ASM) portal to create a token. You also use the ABM or ASM portal to assign devices to Intune for management.

Note

You can use either the ABM portal or the ASM portal to enable ADE. The rest of this article refers to the ABM portal, but the steps are the same for both portals.

Step 1: Download the Intune public key certificate

  1. In Microsoft Endpoint Manager admin center, select Devices > iOS/iPadOS > iOS/iPadOS enrollment:

    Screenshot that shows Microsoft Endpoint Manager admin center.

  2. Select Enrollment Program Tokens > Add.

  3. On the Basics tab:

    1. Select I agree to give permission to Microsoft to send user and device information to Apple:

      Screenshot that shows the Add enrollment program token screen.

    2. Select Download the Intune public key certificate required to create the token. This step downloads and saves the encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple Business Manager portal.

      You'll upload this .pem file in Apple Business Manager in Step 2: Go to the Apple Business Manager portal (in this article).

    3. Keep this web browser tab and page open. If you close the tab:

      • The certificate you downloaded is invalidated.
      • You have to repeat steps.
      • On the Review + create tab, the Create button isn't available, and you can't complete this procedure.

Step 2: Go to the Apple Business Manager portal

Use the Apple Business Manager portal to create and renew your ADE token (MDM server). This token is added to Intune and communicates between Intune and Apple.

Note

The following steps describe what you need to do in Apple Business Manager. For the specific steps, refer to Apple's documentation. Apple Business Manager User Guide (on Apple's website) might be helpful.

Download the Apple token

  1. In Apple Business Manager, sign in with your company's Apple ID.

  2. In this portal, complete the following steps.

    • In settings, all tokens are shown. Add an MDM server, and upload the public key certificate (.pem file) that you downloaded from Intune in Step 1: Download the Intune public key certificate (in this article).

      Use the server name to identify the mobile device management (MDM) server. It isn't the name or URL of the Microsoft Intune service.

    • After you save the MDM server, select it, and then download the token (.p7m file). You'll upload this .p7m token in Intune in Step 4: Upload your token and finish (in this article).

Assign devices to the Apple token (MDM server)

  1. In Apple Business Manager > Devices, select the devices you want to assign to this token. You can sort by various device properties, like serial number. You can also select multiple devices simultaneously.
  2. Edit device management, and select the MDM server you just added. This step assigns devices to the token.

Step 3: Save the Apple ID

  1. In your web browser, go back to the Add enrollment program token page in Intune. You should have kept this page open, as noted in Step 1: Download the Intune public key certificate (in this article).

  2. In Apple ID, enter your ID. This step saves the ID. The ID can be used in the future.

    Screenshot that shows the Apple ID box on the Basics tab.

Step 4: Upload your token and finish

  1. In Apple token, browse to the .p7m certificate file, and then select Open.

    You downloaded this .p7m token in Step 2: Go to the Apple Business Manager portal.

  2. Select Next.

  3. (Optional.) If you want to apply scope tags to this ADE token, click Select scope tags, and then select existing scope tags. Scope tags applied to a token are inherited by the profiles and by the ADE-enrolled devices added to the token. The devices referred to here are those that have synced over from ABM/ASM, are enrolled through Automated Device Enrollment, and appear under that specific token.

    For more information on scope tags, see Use role-based access control (RBAC) and scope tags for distributed IT.

    Select Next.

  4. On the Review + create tab, select Create.

With the push certificate, Intune can enroll and manage iOS/iPadOS devices by pushing policies to enrolled mobile devices. Intune automatically synchronizes with Apple to access your enrollment program account.

Create an Apple enrollment profile

Now that you've installed your token, you can create an enrollment profile for ADE devices. A device enrollment profile defines the settings applied to a group of devices during enrollment. There's a limit of 1,000 enrollment profiles per ADE token.

Note

Devices will be blocked if there aren't enough Company Portal licenses for a VPP token or if the token is expired. Intune will display an alert when a token is about to expire or licenses are running low.

  1. In Microsoft Endpoint Manager admin center, select Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens.

  2. Select a token, and then select Profiles > Create profile > iOS/iPadOS:

    Screenshot that shows how to create an iOS and iPadOS enrollment profile in Microsoft Endpoint Manager admin center.

  3. On the Basics tab, enter a Name and Description for the profile for administrative purposes. Users don't see these details.

    Screenshot that shows the Name and Description boxes in Microsoft Endpoint Manager admin center.

  4. Select Next.

Important

Any configuration changes to existing enrollment profile settings won't take effect on assigned devices until the devices are factory reset and activated again (that's when the Remote Management Payload is received on ADE devices). This behaviour is by design on Apple's side, not Microsoft's. The only configuration change that doesn't require a factory reset is Device Name Template.

  1. In the User Affinity list, select an option that determines whether devices with this profile must enroll with or without an assigned user.

    • Enroll with User Affinity. Select this option for devices that belong to users who want to use Company Portal for services like installing apps.

    • Enroll without User Affinity. Select this option for devices that aren't affiliated with a single user. Use this option for devices that don't access local user data. This option is typically used for kiosk, point of sale (POS), or shared-utility devices.

      In some situations, you might want to associate a primary user on devices enrolled without user affinity. To do this task, you can send the key to the Company Portal app in an app configuration policy for managed devices. The first user that signs in to the Company Portal app is established as the primary user. If the first user signs out and a second user signs in, the first user remains the primary user of the device. For more information, see Configure the Company Portal app to support iOS and iPadOS ADE devices.

  2. If you selected Enroll with User Affinity for the User Affinity field, you now have the option to choose the authentication method to use when authenticating users. For Authentication method, select one of the following options:

    Screenshot of authentication method options.

    • Company Portal: Authenticate with the Company Portal app if you want to:

      • Use multifactor authentication.
      • Prompt users to change their passwords when they first sign in.
      • Prompt users to reset their expired passwords during enrollment.

      These features aren't supported when you authenticate by using Apple Setup Assistant.

    • Setup Assistant (legacy): Use the legacy Setup Assistant if you want users to experience the typical, out-of-box-experience for Apple products. This installs standard preconfigured settings when the device enrolls with Intune management. If you're using Active Directory Federation Services and you're using Setup Assistant to authenticate, a WS-Trust 1.3 Username/Mixed endpoint is required. Learn more.

    • Setup Assistant with modern authentication: Devices running iOS/iPadOS 13.0 and later can use this method (older iOS/iPadOS devices in this profile will fall back to using the Setup Assistant (legacy) process).

      Note

      Right now, MFA won't work for Setup Assistant with modern authentication if you're using a third-party MFA provider to present the MFA screen during enrollment. Only the Azure AD MFA screen works during this enrollment.

      This method provides the same security as Company Portal authentication but avoids the issue of leaving end users with a device they can't use until the Company Portal installs.

      The Company Portal will be installed without user interaction (the user won't see the Install Company Portal option) in both of the following situations:

      • If you use the Install Company Portal with VPP option below (recommended).
      • If the end user sets up their Apple ID account during Setup Assistant.

      In both of these situations, the Company Portal will be a required app on the device. Also, when the end user gets to the home screen, the correct app configuration policy will automatically be applied to the device.

      Don't send a separate app configuration policy to the Company Portal for iOS/iPadOS devices after enrolling with Setup Assistant with modern authentication. Doing so will result in an error.

      If you don't use the VPP option, the user must supply an Apple ID to install the Company Portal (either during Setup Assistant or when Intune tries to install the Company Portal).

      If a conditional access policy that requires multi-factor authentication (MFA) applies at enrollment or during Company Portal sign in, then MFA is required. However, MFA is optional based on the AAD settings in the targeted Conditional Access policy.

      After completing all the Setup Assistant screens, the end user lands on the home page (at which point their user affinity is established). However, until the user signs in to the Company Portal using their Azure AD credentials and taps "Begin" at the "Setup Company access" screen, the device:

      • Won’t be fully registered with Azure AD.
      • Won’t show up in the user’s device list in the Azure AD portal.
      • Won’t have access to resources protected by conditional access.
      • Won’t be evaluated for device compliance.
      • Will be redirected to the Company Portal from other apps if the user tries to open any managed applications that are protected by conditional access.
  3. If you selected Company Portal for your authentication method, you can use a VPP token to automatically install Company Portal on the device. In this case, the user doesn't have to provide an Apple ID. To install Company Portal by using a VPP token, select a token in Install Company Portal with VPP. You need to have already added Company Portal to the VPP token. To ensure that Company Portal continues to be updated after enrollment, make sure that you've configured an app deployment in Intune (in Endpoint Manager, select Apps > All apps > Add).

    To ensure that user interaction isn't required, you'll probably want to make Company Portal an iOS/iPadOS VPP app, make it a required app, and use device licensing for the assignment. Make sure that the token doesn't expire and that you have enough device licenses for Company Portal. If the token expires or runs out of licenses, Intune installs the App Store Company Portal instead and prompts for an Apple ID.

    Note

    If you set the authentication method to Company Portal, make sure that the device enrollment process is completed within the first 24 hours of the Company Portal download to the ADE device. Otherwise enrollment might fail, and a factory reset will be needed to enroll the device.

    Screenshot that shows the options for installing the Company Portal app with VPP.

    For more information about connecting Intune to Apple Volume Purchase Program (VPP), see Manage Apple volume-purchased apps. After you've connected to VPP, you can add the Company Portal app to your Apple Business Manager/Apple School Manager inventory so it can be assigned through Intune.

  4. If you selected Setup Assistant (legacy) for the authentication method but you also want to use Conditional Access or deploy company apps on the devices, you need to install Company Portal on the devices and sign in to complete the Azure AD registration. To do so, select Yes for Install Company Portal. If you want users to receive Company Portal without having to authenticate in to the App Store, in Install Company Portal with VPP, select a VPP token. Make sure the token doesn't expire and that you have enough device licenses for the Company Portal app to deploy correctly.

  5. If you select a token for Install Company Portal with VPP, you can lock the device in Single App Mode (specifically, the Company Portal app) right after the Setup Assistant completes. Select Yes for Run Company Portal in Single App Mode until authentication to set this option. To use the device, the user must first authenticate by signing in with Company Portal.

    Note

    Multifactor authentication isn't supported on a single device locked in Single App Mode. This limitation exists because the device can't switch to a different app to complete the second factor of authentication. If you want multifactor authentication on a Single App Mode device, the second factor must be on a different device.

    This feature is supported only for iOS/iPadOS 11.3.1 and later.

    Screenshot that shows the Run Company Portal in Single App Mode option.

  6. If you want devices using this profile to be supervised, select Yes in the Supervised list:

    Screenshot that shows the Supervised option.

    Supervised devices give you more management options and disable Activation Lock by default. Microsoft recommends that you use ADE as the mechanism for enabling supervised mode, especially if you're deploying large numbers of iOS/iPadOS devices. Apple Shared iPad for Business devices must be supervised.

    Users are notified that their devices are supervised in two ways:

    • The lock screen says: This iPhone is managed by company name.
    • The Settings > General > About screen says: This iPhone is supervised. Company name can monitor your Internet traffic and locate this device.

    Note

    If a device is enrolled without supervision, you need to use Apple Configurator if you want to set it to supervised. To reset the device in this way, you need to connect it to a Mac with a USB cable. For more information, see Apple Configurator Help.

  7. In the Locked enrollment list, select Yes or No. Locked enrollment disables iOS/iPadOS settings that allow the management profile to be removed from the Settings menu. After device enrollment, you can't change this setting without wiping the device. To use this option, the device must have the Supervised management option set to Yes.

    Note

    If a device is enrolled with locked enrollment, the user won't be able to use Remove Device or Factory Reset in the Company Portal app. The options will be unavailable to the user. Also, the user won't be able to remove the device on the Company Portal website.

    If a BYOD device is converted to an Apple ADE device and enrolled with a profile that has locked enrollment enabled, the user will be allowed to use Remove Device and Factory Reset for 30 days. After 30 days, the options will be disabled or unavailable. For more information, see Prepare devices manually.

  8. If you selected Enroll without User Affinity and Supervised in the previous steps, you need to decide whether to configure the devices to be Apple Shared iPad for Business devices. If you select Yes for Shared iPad, multiple users will be able to sign in to a single device. Users will authenticate by using their Managed Apple IDs and federated authentication accounts or by using a temporary session (like the Guest account). This option requires iOS/iPadOS 13.4 or later. With Shared iPad, all Setup Assistant panes after activation are automatically skipped.

    Note

    A device wipe will be required if an iOS/iPadOS enrollment profile with Shared iPad enabled is sent to an unsupported device. Unsupported devices include any iPhone models, and iPads running iPadOS/iOS 13.3 and earlier. Supported devices include iPads running iPadOS 13.3 and later.

    If you configured your devices as Apple Shared iPad for Business devices, you need to set Maximum cached users. Set this value to the number of users that you expect to use the shared iPad. You can cache up to 24 users on a 32-GB or 64-GB device. If you choose a low number, it might take a while for your users' data to appear on their devices after they sign in. If you choose a high number, your users might not have enough disk space.

    Note

    If you want to set up Apple Shared iPad for Business, configure these settings:

    • In the User Affinity list, select Enroll without User Affinity.
    • In the Supervised list, select Yes.
    • In the Shared iPad list, select Yes.

    Temporary sessions are enabled by default and allow your users to sign in to a shared iPad without a Managed Apple ID account. You can disable temporary sessions on shared iPads by configuring iOS/iPadOS Shared iPad device restriction settings.

  9. In the Sync with computers list, select an option for the devices that use this profile. If you select Allow Apple Configurator by certificate, you need to choose a certificate under Apple Configurator Certificates.

    Note

    If you set Sync with computers to Deny all, the port on iOS and iPadOS devices is limited to charging only. It's blocked from use with iTunes or Apple Configurator 2.

    If you set Sync with computers to Allow Apple Configurator by certificate, make sure you have a local copy of the certificate that you can use later. You won't be able to make changes to the uploaded copy, so it's important to retain a copy of this certificate. If you want to connect to the iOS/iPadOS device from a macOS device or PC, the same certificate must be installed on the device making the connection to the iOS/iPadOS device.

  10. If you selected Allow Apple Configurator by certificate in the previous step, choose an Apple Configurator certificate to import.

  11. You can specify a naming format for devices that's automatically applied when they're enrolled and upon each successive check-in. To create a naming template, select Yes under Apply device name template. Then, in the Device Name Template box, enter the template to use for the names that use this profile. You can specify a template format that includes the device type and serial number. This feature supports iPhone, iPad, and iPod Touch.

  12. Select Next: Setup Assistant Customization.

  13. On the Setup Assistant Customization tab, configure the following profile settings:

    Department settings
    • Department: Appears when users tap About Configuration during activation.
    • Department Phone: Appears when users tap the Need Help button during activation.

    You can choose to hide Setup Assistant screens on the device during user setup.

    • If you select Hide, the screen won't be displayed during setup. After setting up the device, the user can still go to the Settings menu to set up the feature.
    • If you select Show, the screen will be displayed during setup, but only if there are steps to complete after the restore or after the software update. Users can sometimes skip the screen without taking action. They can then later go to the device's Settings menu to set up the feature.
    • With Shared iPad, all Setup Assistant panes after activation are automatically skipped regardless of the configuration.

    Setup Assistant Screens settings (if you select Show, during setup the device will do the following):
    • Passcode: Prompt the user for a passcode. Always require a passcode for unsecured devices unless access is controlled in some other way (for example, a kiosk mode configuration that restricts the device to one app). For iOS/iPadOS 7.0 and later.
    • Location Services: Prompt the user for their location. For macOS 10.11 and later, and iOS/iPadOS 7.0 and later.
    • Restore: Display the Apps & Data screen. This screen gives users the option to restore or transfer data from iCloud Backup when they set up the device. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later.
    • iCloud and Apple ID: Give the user the options to sign in with their Apple ID and use iCloud. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later.
    • Terms and conditions: Require the user to accept Apple's terms and conditions. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later.
    • Touch ID: Give the user the option to set up fingerprint identification for the device. This also includes Face ID. For macOS 10.12.4 and later, and iOS/iPadOS 8.1 and later. On iOS/iPadOS 14.5 and later, the Passcode and Touch ID Setup Assistant screens don't work during device setup. If you use version 14.5+, don't configure the Passcode or Touch ID Setup Assistant screens. If you require a passcode on devices, use a device configuration policy or a compliance policy instead. After the user enrolls and receives the policy, they're prompted for a passcode.
    • Apple Pay: Give the user the option to set up Apple Pay on the device. For macOS 10.12.4 and later, and iOS/iPadOS 7.0 and later.
    • Zoom: Give the user the option to zoom the display when they set up the device. For iOS/iPadOS 8.3 and later.
    • Siri: Give the user the option to set up Siri. For macOS 10.12 and later, and iOS/iPadOS 7.0 and later.
    • Diagnostics Data: Display the Diagnostics screen. This screen gives the user the option to send diagnostic data to Apple. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later.
    • Restore Completed: Display the Restore Completed screen after a backup and restore is performed on the device. If this screen isn't shown, the user can't see whether a restore from backup was completed during Setup Assistant.
    • Software Update Completed: Display the Software Update Completed screen if a software update is performed during Setup Assistant. If this screen isn't shown, the user can't see whether a software update was performed during Setup Assistant.
    • Display Tone: Give the user the option to turn on Display Tone. For macOS 10.13.6 and later, and iOS/iPadOS 9.3.2 and later.
    • Privacy: Display the Privacy screen. For macOS 10.13.4 and later, and iOS/iPadOS 11.3 and later.
    • Android Migration: Give the user the option to migrate data from an Android device. For iOS/iPadOS 9.0 and later.
    • iMessage & FaceTime: Give the user the option to set up iMessage and FaceTime. For iOS/iPadOS 9.0 and later.
    • Onboarding: Display onboarding informational screens for user education, like Cover Sheet and Multitasking and Control Center. For iOS/iPadOS 11.0 and later.
    • Watch Migration: Give the user the option to migrate data from a watch device. For iOS/iPadOS 11.0 and later.
    • Screen Time: Display the Screen Time screen. For macOS 10.15 and later, and iOS/iPadOS 12.0 and later.
    • Software Update: Display the mandatory software update screen. For iOS/iPadOS 12.0 and later.
    • SIM Setup: Give the user the option to add a cellular plan. For iOS/iPadOS 12.0 and later.
    • Appearance: Display the Appearance screen. For macOS 10.14 and later, and iOS/iPadOS 13.0 and later.
    • Device to Device Migration: Give the user the option to migrate data from an old device to this device. For iOS/iPadOS 13.0 and later.
    • Registration: Display the registration screen. For macOS 10.9 and later.
    • FileVault: Display the FileVault 2 encryption screen. For macOS 10.10 and later.
    • iCloud diagnostics: Display the iCloud Analytics screen. For macOS 10.12.4 and later.
    • iCloud Storage: Display the iCloud Documents and Desktop screen. For macOS 10.13.4 and later.

  14. Select Next to go to the Review + create tab.

  15. To save the profile, select Create.

Note

If you need to re-enroll your Automated Device Enrollment device, you need to first wipe the device from the Intune admin console. To re-enroll:

  1. Wipe the device from the Intune console.
    • Alternatively, retire the device from the Intune console and factory reset the device using the Settings app, Apple Configurator 2, or iTunes.
  2. Activate the device again and run through Setup Assistant to receive the Remote Management Profile.

Dynamic groups in Azure Active Directory

You can use the enrollment Name field to create a dynamic group in Azure Active Directory (Azure AD). For more information, see Azure Active Directory dynamic groups.

You can use the profile name to define the enrollmentProfileName parameter to assign devices with this enrollment profile.

For the fastest policy delivery on ADE devices that have user affinity, make sure the enrolling user is a member of an Azure AD user group before device setup.

If you assign dynamic groups to enrollment profiles, there might be a delay in delivering applications and policies to devices after the enrollment.
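The enrollmentProfileName rule described above, as an added example that isn't from the Microsoft docs: a small Python helper that builds the Azure AD dynamic membership rule for one or more ADE enrollment profile names and the Microsoft Graph request body that creates the group. The group and profile names are constructed sample values; the Graph call assumes a bearer token carrying Group.ReadWrite.All and isn't exercised offline.

```python
"""Build an Azure AD dynamic device group keyed on the ADE enrollment profile
name, expressed as the Microsoft Graph 'create group' request body.

Added example, not Microsoft's code. Assumptions: the Graph v1.0 /groups
endpoint and the dynamic-membership properties used below; the group and
profile names in the usage section are constructed sample values.
"""
import json
import re
import urllib.request

GRAPH_GROUPS_URL = "https://graph.microsoft.com/v1.0/groups"


def membership_rule(*profile_names: str) -> str:
    """Return a dynamic membership rule matching devices enrolled with any of
    the given ADE enrollment profiles, e.g.
    (device.enrollmentProfileName -eq "Kiosk") -or (device.enrollmentProfileName -eq "POS")

    A double quote inside a profile name would terminate the string literal in
    the rule, so such names are rejected instead of being silently mangled.
    """
    if not profile_names:
        raise ValueError("at least one enrollment profile name is required")
    clauses = []
    for name in profile_names:
        if '"' in name or not name.strip():
            raise ValueError(f"unsupported enrollment profile name: {name!r}")
        clauses.append(f'(device.enrollmentProfileName -eq "{name}")')
    return " -or ".join(clauses)


def mail_nickname(display_name: str) -> str:
    """Graph requires mailNickname even for mail-disabled security groups;
    derive one from the display name (alphanumerics only, at most 64 chars)."""
    nick = re.sub(r"[^A-Za-z0-9]", "", display_name)[:64]
    return nick or "adedevices"


def dynamic_group_body(display_name: str, *profile_names: str) -> dict:
    """Request body for POST /groups creating a mail-disabled security group
    whose members Azure AD computes from the rule. Processing state 'On' makes
    the directory evaluate the rule; 'Paused' stores it without evaluating."""
    return {
        "displayName": display_name,
        "description": "Devices enrolled through ADE profile(s): " + ", ".join(profile_names),
        "mailEnabled": False,
        "mailNickname": mail_nickname(display_name),
        "securityEnabled": True,
        "groupTypes": ["DynamicMembership"],
        "membershipRule": membership_rule(*profile_names),
        "membershipRuleProcessingState": "On",
    }


def create_group(access_token: str, display_name: str, *profile_names: str) -> dict:
    """Create the group through Graph. Requires a token carrying the
    Group.ReadWrite.All permission (assumed; not exercised offline)."""
    body = json.dumps(dynamic_group_body(display_name, *profile_names)).encode("utf-8")
    req = urllib.request.Request(
        GRAPH_GROUPS_URL,
        data=body,
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values: one group covering two ADE profiles.
    print(json.dumps(dynamic_group_body("ADE iOS corporate devices",
                                        "iOS Shared iPad", "iOS POS kiosk"), indent=2))
```

Devices land in the group only after enrollment completes and Azure AD has processed the rule, which is the delay the note above refers to.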

Sync managed devices

Now that Intune has permission to manage your devices, you can synchronize Intune with Apple to see your managed devices in Intune in the Azure portal.

  1. In Microsoft Endpoint Manager admin center, select Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens.

  2. Select a token in the list, and then select Devices > Sync:

    Screenshot that shows how to sync iOS and iPadOS devices to an enrollment program token.

    To follow Apple's terms for acceptable enrollment program traffic, Intune imposes the following restrictions:

    • A full sync can run no more than once every seven days. During a full sync, Intune fetches the complete updated list of serial numbers assigned to the Apple MDM server connected to Intune. If an ADE device is deleted from the Intune portal, it should be unassigned from the Apple MDM server in the ADE portal. If it's not unassigned, it won't be reimported to Intune until the full sync is run.
    • If a device is released from ABM/ASM, it can take up to 45 days for it to be automatically deleted from the devices page in Intune. You can manually delete released devices from Intune one by one if needed. Released devices will be accurately reported as being Removed from ABM/ASM in Intune until they are automatically deleted within 30-45 days.
    • A delta sync is run automatically every 12 hours. You can also trigger a delta sync by selecting the Sync button (no more than once every 15 minutes). All sync requests are given 15 minutes to finish. The Sync button is disabled until a sync is completed. This sync will refresh existing device status and import new devices assigned to the Apple MDM server. If a delta sync fails for any reason, the next sync will be a full sync to hopefully resolve any issues.

Assign an enrollment profile to devices

Before devices can be enrolled, you need to assign an enrollment program profile to them.

Note

You can also assign serial numbers to profiles in the Apple Serial Numbers pane.

  1. In Microsoft Endpoint Manager admin center, select Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens. Select a token in the list.
  2. Select Devices. Select devices in the list, and then select Assign profile.
  3. Under Assign profile, choose a profile for the devices, and then select Assign.

Assign a default profile

You can pick a default profile to be applied to all devices that enroll with a specific token.

  1. In Microsoft Endpoint Manager admin center, select Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens. Select a token in the list.
  2. Select Set Default Profile, select a profile in the list, and then select Save. The profile will be applied to all devices that enroll with the token.

Note

Ensure that Device Type Restrictions under Enrollment Restrictions does not have the default All Users policy set to block the iOS/iPadOS platform. This setting will cause automated enrollment to fail and your device will show as Invalid Profile, regardless of user attestation. To permit enrollment only by company-managed devices, block only personally owned devices, which will permit corporate devices to enroll. Microsoft defines a corporate device as a device that's enrolled via a Device Enrollment Program or a device that's manually entered under Corporate device identifiers.

Distribute devices

You enabled management and syncing between Apple and Intune and assigned a profile so your ADE devices can be enrolled. You're now ready to distribute devices to users. Some things to know:

  • Devices enrolled with user affinity require that each user be assigned an Intune license.

  • Devices enrolled without user affinity typically don't have any associated users. These devices need to have an Intune device license. If devices enrolled without user affinity will be used by an Intune-licensed user, a device license isn't needed.

    To summarize, if a device has a user, the user needs to have an assigned Intune license. If the device doesn't have an Intune-licensed user, the device needs to have an Intune device license.

    For more information on Intune licensing, see Microsoft Intune licensing and the Intune planning guide.

  • A device that's been activated needs to be wiped before it can enroll properly using ADE in Intune. After it's been wiped but before activating it again, you can apply the enrollment profile. See Set up an existing iPhone, iPad, or iPod touch

  • If you're enrolling with ADE and user affinity, an error can occur during setup while the management profile is being downloaded.

    You can resolve this error by trying to download the management profile again within 15 minutes. If it's been more than 15 minutes, you'll need to factory reset the device to resolve the error. This error occurs because of a 15-minute time limit on SCEP certificates, which is enforced for security.

For information on the end-user experience, see Enroll your iOS/iPadOS device in Intune by using ADE.

Renew an Automated Device Enrollment token

You'll sometimes need to renew your tokens:

  • Renew your ADE token yearly. The Endpoint Manager admin center shows the expiration date.
  • If the Apple ID password changes for the user who set up the token in Apple Business Manager, renew your enrollment program token in Intune and Apple Business Manager.
  • If the user who set up the token in Apple Business Manager leaves the organization, renew your enrollment program token in Intune and Apple Business Manager.
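As an added example that is not part of the Microsoft article, the following Python check applies the two timing rules from this page, a manual sync no more than once every 15 minutes (see Sync managed devices above) and a token that expires yearly and must be renewed before that date, to the token state the admin center displays. It reads that state from the beta Microsoft Graph resource deviceManagement/depOnboardingSettings; the Graph field names, the 30-day renewal warning threshold and the sample response are this example's assumptions, and the JSON below is constructed, not captured from a tenant.

```python
"""Check Intune ADE ("enrollment program") token state from Microsoft Graph.

Added example, not from the Microsoft article. Assumptions, also stated in
the lead-in:
  * GET https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings
    is the beta Graph resource behind the admin center's Enrollment program
    tokens blade; the field names below follow that beta schema.
  * The 15-minute spacing between manual syncs and the yearly token expiry
    come from the page; the 30-day renewal warning is this example's choice.
  * SAMPLE_RESPONSE is constructed test data, not a captured tenant response.
"""
import json
from datetime import datetime, timedelta, timezone

MANUAL_SYNC_SPACING = timedelta(minutes=15)   # from the page: one manual sync per 15 minutes
RENEWAL_WARNING = timedelta(days=30)          # assumption: warn a month before expiry

# Constructed sample of the Graph response shape (one token in the tenant).
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {
            "id": "11111111-2222-3333-4444-555555555555",
            "tokenName": "Corp iPads",
            "appleIdentifier": "mdm-admin@contoso.example",
            "tokenExpirationDateTime": "2023-02-10T09:00:00Z",
            "lastSyncTriggeredDateTime": "2023-01-20T08:50:00Z",
            "lastSuccessfulSyncDateTime": "2023-01-20T08:52:00Z",
            "syncedDeviceCount": 412,
        }
    ]
})


def parse_graph_time(value):
    """Graph returns ISO 8601 UTC timestamps with a trailing Z; return a tz-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def next_manual_sync_at(token):
    """Earliest time the Sync button may be used again (None if never synced)."""
    last = token.get("lastSyncTriggeredDateTime")
    if last is None:
        return None
    return parse_graph_time(last) + MANUAL_SYNC_SPACING


def manual_sync_allowed(token, now):
    """True when 15 minutes have passed since the last triggered sync."""
    earliest = next_manual_sync_at(token)
    return earliest is None or now >= earliest


def token_status(token, now):
    """'expired', 'renew-soon' (inside the warning window) or 'ok'."""
    remaining = parse_graph_time(token["tokenExpirationDateTime"]) - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= RENEWAL_WARNING:
        return "renew-soon"
    return "ok"


def assess_tokens(response_text, now):
    """Return one dict per token with the decisions an admin needs."""
    report = []
    for token in json.loads(response_text)["value"]:
        expires = parse_graph_time(token["tokenExpirationDateTime"])
        report.append({
            "tokenName": token["tokenName"],
            "appleIdentifier": token["appleIdentifier"],
            "syncedDeviceCount": token.get("syncedDeviceCount", 0),
            "manualSyncAllowed": manual_sync_allowed(token, now),
            "nextManualSyncAt": next_manual_sync_at(token),
            "tokenStatus": token_status(token, now),
            "daysUntilExpiry": (expires - now).days,
        })
    return report


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives reproducible output.
    now = datetime(2023, 1, 20, 9, 0, tzinfo=timezone.utc)
    for row in assess_tokens(SAMPLE_RESPONSE, now):
        print(row)
```

To run this against a tenant, replace SAMPLE_RESPONSE with the body of an authenticated GET to https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings (the DeviceManagementServiceConfig.Read.All permission) and use datetime.now(timezone.utc) as now. The same beta resource exposes the syncWithAppleDeviceEnrollmentProgram action behind the Sync button; only call it when manualSyncAllowed is true, since earlier requests are refused under the 15-minute rule.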

Renew your tokens

  1. Go to business.apple.com and sign in with an account that has an Administrator or Device Enrollment Manager role.

  2. Select Settings. Under MDM Servers, select the MDM server associated with the token file that you want to renew. Select Download Token:

    Screenshot that shows how to renew and download an Apple token in Apple Business Manager.

  3. Select Download Server Token.

    Note

    As it says in the prompt, don't select Download Server Token if you don't intend to renew the token. Doing so will invalidate the token being used by Intune (or any other MDM solution). If you already downloaded the token, be sure to continue with the next steps until the token is renewed.

  4. After you download the token, go to Microsoft Endpoint Manager admin center. Select Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens. Select the token.

  5. Select Renew token. Enter the Apple ID used to create the original token (if it's not automatically populated):

    Screenshot that shows the Renew token page.

  6. Upload the newly downloaded token.

  7. Select Next to go to the Scope tags page. Assign scope tags if you want to.

  8. Select Renew token. You'll see a confirmation that the token is renewed:

    Screenshot that shows the confirmation message.

Delete an Automated Device Enrollment token from Intune

You can delete an enrollment profile token from Intune as long as:

  • No devices are assigned to the token.
  • No devices are assigned to the default profile.
  • There are no enrollment profiles under that token.

To delete an enrollment profile token:

  1. In Microsoft Endpoint Manager admin center, select Devices > iOS/macOS > iOS/macOS enrollment > Enrollment Program Tokens. Select the token, and then select Devices.
  2. Delete all the devices assigned to the token.
  3. Go to Devices > iOS/macOS > iOS/macOS enrollment > Enrollment Program Tokens. Select the token, and then select Profiles.
  4. If there's a default profile or any other enrollment profile, they must all be deleted.
  5. Go to Devices > iOS/macOS > iOS/macOS enrollment > Enrollment Program Tokens. Select the token, and then select Delete.

Next steps

Backup and restore scenarios for iOS/iPadOS

iOS/iPadOS enrollment overview

Sours: https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-program-enroll-ios

Enrolling iOS devices using Apple Configurator

What is Apple Configurator ?

Apple Configurator is a free utility tool that enables configuring, enrolling and deploying corporate-owned iOS, iPadOS and tvOS devices in the enterprise through a USB connection. Apple Configurator aids in the automated bulk enrollment of Apple devices using MDM and pre-loading the devices with the associated profiles and distributed apps before handing them out to users.

Apple Configurator 2 is the latest version of this tool available that makes the deployment process of corporate iOS devices easier and more efficient. You can also assign users to devices and supervise them, exercising additional control. Administrators can enforce mobile security on managed devices by importing existing profiles or creating new configuration profiles using Apple Configurator 2. You can use Apple Configurator 2 to enroll devices not purchased directly from Apple or its reseller with ABM as explained here.

Similarly, Mobile Device Manager Plus also supports enrollment of Apple TV using Apple Configurator 2. Follow the steps given here to learn how to use Apple Configurator 2 to enroll Apple TV.

Benefits of integrating MDM with Apple Configurator 2

The benefits of using Apple Configurator 2 are listed below:

  1. Push predefined configurations to corporate iOS devices.
  2. Automatic enrollment with Mobile Device Manager Plus.
  3. Enroll devices in bulk.
  4. Advanced control over supervised devices. For more details on supervised devices and their benefits, refer to this.


How to enroll iOS devices using Apple Configurator?

Prerequisites for enrollment:

  1. To use Apple Configurator 2, ensure your Mac is running macOS 10.7 or later.
  2. It is recommended to update iTunes before installing the Apple Configurator utility.
  3. Apple Configurator with MDM can be used only for devices running iOS 6 or later. If a device with a lower version is used, its operating system is automatically upgraded to the latest version.

You can use Apple Configurator to enroll multiple devices at the same time. Follow the steps mentioned below to enroll multiple devices using Apple Configurator.

  1. Prepare Apple Configurator 2.0
  2. Enroll Devices
  3. Assign Users

Prepare Apple Configurator 2.0

After installing Apple Configurator 2, follow the steps below to prepare it:

  1. On Apple Configurator 2, click File, select New Profile and then select Wi-Fi. Do not modify any other profiles as this might affect the profiles distributed using MDM.

    Creating New Profile on Apple Configurator

  2. Create a Wi-Fi profile and save it.

    Configuring Wi-Fi Profile on Apple Configurator

  3. Click File and choose New Blueprint and name it.

    Creating a Blueprint on Apple Configurator

  4. Open the newly created Blueprint, click Profiles, and add the Wi-Fi profile created in step 2.

    Add Wi-Fi profile to the Blueprint created on Apple Configurator

  5. Right-click and choose Prepare as shown in the below image.

    Preparing the Blueprint on Apple Configurator

  6. Specify the Configuration Type as Manual. If you want to add the mobile devices to your Apple Business Manager (ABM) portal from Apple Configurator 2, select the Enable the Device Enrollment Program option. Learn how from this document.

    Specify the Configuration Type on Apple Configurator

  7. Add the new server details by specifying the Server Name and the Enrollment URL that is configured in the MDM server.

    Creating New MDM Server on Apple Configurator

    Adding MDM Server Details on Apple Configurator

  8. Trust anchor certificates are automatically added. If Apple Configurator takes too long to fetch anchor certificates, skip and proceed directly to the Assign to organization step by clicking on Next.

    Fetching Anchor Certificates on Apple Configurator

  9. Specify the name and details of the organization by creating a new organization on Apple Configurator 2.

    Creating New Organization on Apple Configurator

    Adding Organization on Apple Configurator

  10. Choose Generate a new supervision identity to create a new Supervision identity on Apple Configurator 2.

    Creating a New Supervision Identity on Apple Configurator

  11. If you enabled the option to add devices to DEP using Apple Configurator, enter your ABM account credentials.

    Specifying ABM Account Credentials on Apple Configurator

  12. Configure iOS setup assistant by clicking Prepare.

    Configuring iOS Setup Assistant on Apple Configurator

  13. Once the configuration in Apple Configurator 2 is done, connect the devices to the Mac through USB. In Apple Configurator, select the device, choose the created Blueprint and apply it to the device to be enrolled. The device restarts, and the process is completed by accepting the created profile on the device. After completion, the device is added to the MDM server, from where it can be assigned to a user.

Enroll Devices to the MDM server from Apple Configurator

In order to enroll devices, you have to specify the ManageEngine MDM server URL in Apple Configurator 2. You can find the URL in the following location:

  1. On the MDM Product server console, choose Enrollment
  2. Under iOS choose Apple Configurator
  3. Select Configuration Steps, navigate to the fifth slide and copy the URL. 
  4. On Apple Configurator 2, provide the URL which you have copied from the MDM server.

Assign Users

All the devices are listed in the MDM server under Apple Configurator. You can assign the devices to the appropriate users. Once the users are assigned, the devices are listed under the Managed devices view on the MDM server.

Troubleshooting Tips

  1. During device activation, you encounter the error A cloud configuration is already present on this device [mctunnelerrordomain – 0x36b2 (14002)].

    Connect the device back to Apple Configurator. Right-click the device and select Restore. This re-downloads configurations into the device and fixes the problem.

  2. While configuring the Blueprint on Apple Configurator, you are prompted to enter the Apple ID and password and you are unable to skip this step.

    This is a default screen which appears while configuring a Blueprint. You cannot skip this step if you have enabled the option to Add device to DEP portal in the first step. If you do not want to add the devices to ABM, uncheck the option and skip the step requesting for Apple credentials. Else, enter the ABM portal details and click on Next.

  3. When you choose Apply Configuration on Apple Configurator, you encounter a Session Time Out error.

    In this case, verify the Internet connectivity and retry applying configuration on Apple Configurator.

  4. While configuring the Blueprint, the screen gets stuck on Fetching Anchor Certificates or if the Certificates are not fetched

    You can safely click on Next as this step does not affect the blueprint creation.

  5. You are trying to enroll a device and get an unexpected error with Failed to retrieve IMEI.

    This error occurs when the device is already enrolled with Apple Configurator, or when you enroll different types of devices, such as iPhones and iPads, consecutively using Apple Configurator. Since an iPhone has an IMEI number (which is required for enrollment in some cases), it is automatically detected and the enrollment is completed. Since an iPad does not have an IMEI number, this error is shown. Restore the device and try enrolling it again.
    NOTE: Certain iPads do have an IMEI number; for those devices this error does not occur.

  6. You are trying to enroll a device and encounter the error The device does not recognize the host.

    This error occurs when the restriction Allow iTunes pairing and other USB connections has been applied to the device. This restriction prevents connections with all other computers except the one used for supervising the device. Remove the restriction from the device, or enroll using the machine previously used for supervising the device.

  7. If you are trying to enroll devices not purchased from Apple or authorized resellers.

    Apple now allows iOS 11 devices not purchased directly from Apple or authorized resellers to be added to ABM. Follow the steps given here to use Apple Configurator to add devices to ABM.

  8. While enrolling a device you encounter the error "An unexpected error has occurred. Invalid Profile [MCProfileErrorDomain - 0x3E8 (1000)]".

    This error occurs if the device is currently enrolled in a different MDM solution. Remove the device from that MDM solution, factory reset it, and try enrolling the device again.

  9. If you're trying to add a device to DEP/ABM/ASM via Apple Configurator and receive the error An unexpected error has occurred: The device returned an unexpected status. (CommandFormatError) [com.apple.configurator.MobileDeviceKit.error – 0xfffffffff8028014...]

    This error occurs only if the device cannot be upgraded to iOS 11 (refer to the list of iOS devices supporting iOS 11), or if the device needs to be upgraded to iOS 11 manually before it can be added to DEP/ABM/ASM via Apple Configurator.

  10. Unable to verify the server’s enrollment URL. A server with the specified hostname could not be found.

    This message is shown in Apple Configurator when the MDM server is not reachable or the correct host URL is not entered. Verify that the MDM server, the Mac running Apple Configurator, and the devices to be enrolled are on the same network. Also ensure that the host URL, which is available on the MDM server, is entered correctly.

  11. While performing provisional enrollment of devices not purchased from authorised resellers, you receive the error Provisional enrollment failed: device is already in Device Enrollment Program.

    This error occurs when the device you are trying to enroll is already present in the ABM portal. Check whether the device is listed under the server titled Devices Added by Apple Configurator 2 or is assigned to a different server in the ABM portal.

  12. While performing provisional enrollment of devices not purchased from authorised resellers, you receive the error Provisional enrollment failed: Network error.

    This error occurs when the device you are trying to enroll is already present in the ABM portal. Check whether the device is listed under the server titled Devices Added by Apple Configurator 2 or is assigned to a different server in the ABM portal. If you are unable to find the device, try connecting to a different network to enroll the device.

  13. While adding devices to the ABM portal via Apple Configurator you encounter the error Provisional enrollment failed... The Cloud configuration server is unavailable or busy [MCCloudConfigurationErrorDomain - 0x80EF (33007)].

    This error is shown if the device is unable to contact the ABM server. Factory reset the device and proceed until the Wi-Fi configuration step. Then prepare the device using Apple Configurator and follow the steps for adding it to ABM.

  14. Why are my devices not listed under the ABM tab when I add the devices to ABM using Apple Configurator?

    When devices are added to ABM using Apple Configurator, they are initially listed under the Apple Configurator tab even though they have been added to the ABM portal. When the user assignment is complete, these devices are moved to the Managed devices tab.

  15. While enrolling devices to the Device Enrollment Program or Apple Business Manager, you encounter the error Apple Configurator 2 cannot access the Device Enrollment Program.

    You may encounter this error if there are network issues due to which https://mdmenrollment.apple.com is not reachable, or when the Apple servers are down. Verify your network connectivity and try again after some time.

Sours: https://www.manageengine.com/mobile-device-management/help/enrollment/enroll_ios_devices_using_apple_configurator.html

How to manually add devices in Apple Business Manager (ABM) or Apple School Manager (ASM)

This article is contributed. See the original author and article here.

By Marc Nahum Sr Program Manager | Microsoft Endpoint Manager – Intune

Any enterprise or education institution that owns iOS/iPadOS devices can take advantage of automatic enrollment to Intune, as well as the extra features and controls that Apple’s Automated Device Enrollment (ADE), previously known as Device Enrollment Program (DEP), provides.

When ADE was first introduced, only Apple resellers or telecom carriers were able to add devices to Apple Business Manager or Apple School Manager. However, since the release of iOS 11, Apple supports the ability to manually add iOS and iPadOS devices yourself with the Apple Configurator 2.5 (AC2) tool. This means that, regardless of where the device was purchased, you can benefit from using ABM or ASM.

This article will help IT pros and mobile device administrators understand the steps required to manually add iOS and iPadOS devices to Apple Business Manager or Apple School Manager, as well as enrolling them into the Intune service.

Note: Manually adding devices (new or old) is not supported for macOS. For these devices, the reseller must carry this out for you, no matter when they were purchased.

Warning: The devices will be fully wiped during the process. This happens because Apple treats a device being in ABM as proof of ownership.

Before proceeding, there are some configurations, constraints, and restrictions to understand, after which the process is straightforward.

Prerequisites:

  • A Mac device (desktop or laptop), running at least macOS Catalina (macOS 10.15.6 or later). This is mandatory as AC2 only runs on macOS.

  • AC2 installed on the Mac from the App Store (Apple ID required). A version can also be downloaded from the Apple developer site, but that requires an Apple developer membership account. This can be useful if you want to distribute the pkg with Intune to the Mac that will be used to run it.

  • Physical access to the iOS/iPadOS device, which must be connected to the Mac device running AC2. It must not have Apple’s “Find My” turned on (Activation Lock off).

  • An ABM or ASM account with the role of “Device Enrollment Manager” assigned.

  • A network profile in AC2 (steps detailed below) to allow the iOS or iPadOS device to connect to the Internet during the process.

  • ABM or ASM configured with Microsoft Endpoint Manager as an MDM Server (Settings > Device Management Settings > Add MDM Server).

Preparing Apple Configurator:

There are a lot of options in AC2, so we will cover only the steps necessary to import the devices to ABM or ASM and assign them to the Microsoft Endpoint Manager MDM server. You can find full documentation from Apple here.

1. Creating a Wi-Fi profile

During the onboarding process, the device will need to connect to the internet. Therefore, it’s mandatory to have a Wi-Fi profile that will allow it to connect automatically. The profile can be as complex as is required, but it must not prompt the user for any action or require a certificate to authenticate.

  1. In Apple Configurator go to the File menu and choose New Profile.

  2. Complete the Name of the profile in the mandatory General section.

  3. Complete the Wi-Fi section with your parameters.

  4. Once created, save it by clicking on the name at the top of the window. You can then close it; it will be used later.

Screenshot of a Wi-Fi profile and configured settings in Apple Configurator 2

2. Generate MDM Server URL for Microsoft Endpoint Manager

Note: This step is not mandatory, but it will create a trusted configuration and avoid any doubt that the URL is the proper one.

  1. Open Microsoft Endpoint Manager admin center.

  2. Select Devices, then navigate to Enroll devices > Apple enrollment > Apple Configurator.

  3. Select Profiles > Create.

  4. Complete all required fields with your desired configuration, then click Create.

  5. Select the profile you just created, then click Overview > Export Profile.

  6. Copy the Profile URL from the Setup Assistant Enrollment section on the right-hand side. This will be used later.

Screenshot of the Apple Configurator – Default Enrollment Profile in the Microsoft Endpoint Manager admin center

Connect the device to Apple Configurator

Important: The device will be fully wiped during this process.

If this is the first time you are connecting the device to the Mac, a pop-up will appear asking for the Mac to be trusted; select Trust. Now the device is ready to be prepared.

  1. In Apple Configurator, select Prepare from the toolbar or by doing a secondary click on the picture of the device.

    Screenshot of Apple Configurator 2 with an arrow pointing to the “Prepare” option

  2. The below settings must be selected:

    • Manual Configuration.

    • Add to Apple School Manager or Apple Business Manager.

    • Allow devices to pair with other computers.

    Do not select:

    • Activate and complete enrollment.

    • Enable Shared iPad.

    Apple Configurator 2 – Prepare Devices menu

  3. If this is the first time the operation is run on this Mac, you will have to create a “New Server” with the following details:

    Name: “Microsoft Endpoint Management”

    URL: The one created in the step “Generate MDM Server URL for Microsoft Endpoint Manager”

    Example URL: https://appleconfigurator2.manage.microsoft.com/MDMServiceConfig?id=<Intune_tenant_ID>&AADTenantId=<AAD_tenant_ID>

    Apple Configurator 2 – “Define an MDM Server” menu

    Note: If you decided to skip the step of creating the dedicated URL from the Intune portal, you can simply use “https://endpoint.microsoft.com” and acknowledge the warning “Unable to verify the enrollment URL” as shown below:

    Apple Configurator 2 – “Define an MDM Server” menu with the warning text: “Unable to verify the enrollment URL”

  4. Add trust anchor certificate for MDM server.

    • Select the one with the Microsoft or Azure name in the list (this should be appleconfigurator2.manage.microsoft.com, portal.azure.com or endpoint.microsoft.com).

  5. Attach the device to your organization.

    • Next, authenticate to ABM/ASM with an account that has the “Device Enrollment Manager” role assigned.

      Apple Configurator 2 – Sign in to Apple School Manager or Apple Business Manager menu

    • If you did not set up the organization name, you will need to do that next. That organization name will be displayed on the device.

    • The iOS setup assistant steps selected on the next screen are not important, as they will be defined in Intune later.

    • Next, select the Network Profile previously created and, when prompted, enter your local password to initiate the process.

    • At this point, the device will be erased. When the device has restarted, steps in AC2 are complete.
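Before pasting the URL into the “Define an MDM Server” dialog in step 3, it is worth checking it mechanically: a mistyped host or tenant ID only surfaces later as the “Unable to verify the enrollment URL” warning. The following Python snippet is an added example, not code from this post or from Microsoft. It accepts the profile URL shape shown above (host appleconfigurator2.manage.microsoft.com, path /MDMServiceConfig, query parameters id and AADTenantId) and the https://endpoint.microsoft.com fallback, and reports anything else. The requirement that both IDs parse as GUIDs and the sample URLs are this example's assumptions.

```python
"""Sanity-check an Intune MDM server URL before pasting it into Apple Configurator 2.

Added example, not from the post or from Microsoft. The accepted shapes come
from the post: the exported profile URL on appleconfigurator2.manage.microsoft.com
with id and AADTenantId query parameters, and the https://endpoint.microsoft.com
fallback. The GUID check on both IDs and the sample URLs are this example's
assumptions.
"""
import uuid
from urllib.parse import parse_qs, urlsplit

PROFILE_HOST = "appleconfigurator2.manage.microsoft.com"
PROFILE_PATH = "/MDMServiceConfig"
REQUIRED_PARAMS = ("id", "AADTenantId")      # Intune tenant ID and Azure AD tenant ID
FALLBACK_HOSTS = {"endpoint.microsoft.com"}  # works, but AC2 shows "Unable to verify"


def is_guid(value):
    """True if value parses as a GUID (assumption: both tenant IDs are GUIDs)."""
    try:
        uuid.UUID(str(value))
    except ValueError:
        return False
    return True


def check_enrollment_url(url):
    """Classify the URL and list problems.

    Returns (kind, problems) where kind is 'profile' for the exported Intune
    profile URL, 'fallback' for the admin-center URL, or 'unknown'.
    """
    parts = urlsplit(url.strip())
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    host = parts.hostname or ""
    if host == PROFILE_HOST:
        if parts.path != PROFILE_PATH:
            problems.append(f"path should be {PROFILE_PATH}")
        query = parse_qs(parts.query)  # keys are case-sensitive, as in the exported URL
        for key in REQUIRED_PARAMS:
            values = query.get(key, [])
            if len(values) != 1:
                problems.append(f"query parameter {key} missing or repeated")
            elif not is_guid(values[0]):
                problems.append(f"{key} is not a GUID")
        return "profile", problems
    if host in FALLBACK_HOSTS:
        return "fallback", problems
    problems.append(f"unexpected host {host!r}")
    return "unknown", problems


if __name__ == "__main__":
    # Constructed sample URLs; the GUIDs are placeholders, not real tenants.
    samples = [
        "https://appleconfigurator2.manage.microsoft.com/MDMServiceConfig"
        "?id=12345678-1234-1234-1234-123456789abc&AADTenantId=87654321-4321-4321-4321-cba987654321",
        "https://endpoint.microsoft.com",
        "http://appleconfigurator2.manage.microsoft.com/MDMServiceConfig?id=oops",
    ]
    for sample in samples:
        print(check_enrollment_url(sample))
```

A “fallback” result with no problems is the case the note above describes: AC2 will still warn that it cannot verify the URL, and that warning can be acknowledged. A “profile” result with problems means the exported URL was truncated or edited and should be re-copied from the admin center rather than accepted.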

Log on your Apple management console

You now need to assign the device to Intune in the ABM/ASM console. By default, it’s assigned to an MDM server configuration named “Apple Configurator 2”:

Screenshot of an Apple iPhone 6 device in the ABM/ASM console

Screenshot of the ABM/ASM console with associated Apple devices

You can reassign one device by selecting that device and choosing Edit Device Management > Assign to server, then selecting the proper Intune server.

To reassign multiple devices, filter the device list on the “Apple Configurator 2” server, select the devices, and use Edit Device Management > Assign to server in the same way.

Microsoft Endpoint Manager admin center

Once the device is assigned it will need to be synchronized. This occurs automatically every 12 hours, or you can manually trigger the synchronization in Microsoft Endpoint Manager admin center:

  1. Navigate to Devices > Enroll devices > Apple Enrollment > Enrollment program tokens and select your token name.

  2. Navigate to Devices and click Sync.

Note: You can manually synchronize the devices from ABM/ASM to Intune at a maximum frequency of once every 15 minutes.

At this point you should have successfully added your ADE device to Intune.

Let us know if you have any questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.

Sours: https://www.drware.com/how-to-manually-add-devices-in-apple-business-manager-abm-or-apple-school-manager-asm/
How to enroll Apple IPAD or IPHONE device in Microsoft Intune or Microsoft Endpoint Manager

To add devices in Apple Business Manager there are two options. You can either purchase a device directly from Apple or from a participating Apple Authorised Reseller, and they will add the device to your Apple Business Manager. The other way is by using Apple Configurator 2 with an MDM solution. In this blog I will show how you can configure Apple Configurator with Intune to enroll devices in Apple Business Manager.

Prerequisites

Before you can add devices you first need to set up Apple Business Manager with Intune. To perform the enrollment you will need a macOS computer with Apple Configurator 2 installed and a cable to connect a device (e.g. iPhone, iPad, etc.) to your Mac. In this post I will use a Mac mini and a Lightning cable to connect a first-generation iPhone SE to enroll in Intune.

Setup

The setup consists of a few steps:

  1. Create an Apple Configurator Enrollment Profile
  2. Set up Apple Configurator 2
  3. Prepare and add the iPhone

Apple Configurator Enrollment Profile

Before you start with these steps you first need to set up Apple Business Manager with Intune. During this step we’re going to configure the Apple Configurator profile. This profile will be used by Apple Configurator to enroll devices in Apple Business Manager.

1. Go to “Devices” -> “iOS/iPadOS” -> “iOS/iPadOS enrollment”. Select “Apple Configurator” to set up a new profile.

2. In the navigation pane select “Profiles” and press “+Create” to add a new enrollment profile.

3. Enter a Name and description and press “Next” to continue.

4. Select the settings you want to use for the enrollment and press “Next”:

   User affinity: choose whether to affiliate the device with a user, which allows access to company data and email, or to enroll it without a user.

   Select where users must authenticate: only shown if you chose user affinity. Select where users authenticate (Company Portal or Apple Setup Assistant).

5. Review the settings and press “Create” to create the enrollment profile.

6. After the enrollment profile has been created you will see an overview with all Apple Configurator profiles. Select the created profile.

7. Press “Export Profile” and copy the Profile URL. You will need this to set up the Apple Configurator app.

Setup Apple Configurator 2

During this step we’re going to configure Apple Configurator. During this setup we will add the following settings to Apple Configurator: a supervision identity, MDM server and a Wi-Fi profile for devices without a SIM card. These steps will all be performed on the MacOS computer.

 

1. Install Apple Configurator 2 on your MacOS device this is a free application which can be installed using the App Store on your Mac. Look for “Apple configurator 2”

2. Start Apple Configurator 2 and select “preferences”

 

3. Select “Organizations” at the top and press “+” to add a supervision identity.

4. Press “Next” to continue.

5. Enter your credentials for Apple Business Manager and press “Next”.

6. Select “Generate a new supervision identity” and press “Done”. This creates a self-signed root certificate in your keychain. The supervision identity is what allows a Mac to manage the supervised devices, so treat its private key as sensitive and keep a backup (it can be exported from the “Organizations” tab); replacing it later requires erasing and preparing the devices again.

7. A popup appears asking for your credentials to allow the certificate to be created on your computer. Enter your computer credentials and press “Update Settings”.

8. The supervision identity has now been created. Select the “Servers” tab to add the MDM server.

 

9. Press the “+” sign to add a new MDM server.

10. Press “Next” to continue.

11. Enter the name of the enrollment profile you’ve created in Intune in the “Name” field and paste the Profile URL in the “Host name or URL:” field. Press “Next” to finish.

12. The MDM server has now been added to Apple Configurator. Close the preferences window. The next step is to add a Wi-Fi profile.

 

13. Select “File” -> “New Profile”.

14. In the navigation menu select “Wi-Fi” and press “Configure”.

15. Enter the configuration data for the Wi-Fi connection (SSID, security type and password) and close the screen.

16. Save the Wi-Fi profile (a .mobileconfig file). The configuration of Apple Configurator is now finished. Note that the Wi-Fi password is stored in cleartext in this file, so keep it in a protected location.
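Steps 13 to 16 produce a .mobileconfig with a single Wi-Fi payload; the same kind of file is the “mobile configuration” listed as a prerequisite in the quick tip further down. The following Python script is an added example, not code from the original post or from Apple Configurator: it builds an equivalent WPA2-PSK Wi-Fi profile with the standard library’s plistlib and then summarizes any .mobileconfig (its payload types, whether it is CMS-signed, and which payload keys carry cleartext secrets). The organization name, profile identifier, SSID and password are placeholders.

```python
"""Build a Wi-Fi .mobileconfig for Apple Configurator and summarize what a profile contains."""
import plistlib
import uuid

# Placeholder values for this example; replace with your own.
ORG = "Example Corp"
PROFILE_ID = "com.example.wifi.corp"

# Payload keys whose values sit in cleartext in an unsigned (or signed) profile.
SECRET_KEYS = ("Password", "UserPassword")


def wifi_payload(ssid, psk, hidden=False):
    """One Wi-Fi payload (Apple's com.apple.wifi.managed type) for a WPA2-PSK network."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PROFILE_ID}.{ssid}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi: {ssid}",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": hidden,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "Password": psk,  # the PSK is written verbatim into the plist
    }


def build_wifi_profile(ssid, psk, hidden=False):
    """Top-level configuration profile wrapping the Wi-Fi payload; returns XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{ORG} Wi-Fi",
        "PayloadOrganization": ORG,
        "PayloadContent": [wifi_payload(ssid, psk, hidden)],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def summarize_profile(data):
    """Describe a .mobileconfig: CMS-signed or not, payload types, and cleartext secret keys."""
    # A signed profile is DER-encoded CMS; its first byte is the SEQUENCE tag 0x30,
    # and plistlib cannot read it without first stripping the CMS wrapper.
    if data[:1] == b"\x30":
        return {"signed": True, "identifier": None, "payload_types": [], "cleartext_secrets": []}
    profile = plistlib.loads(data)
    types, secrets = [], []
    for payload in profile.get("PayloadContent", []):
        types.append(payload.get("PayloadType"))
        secrets.extend(k for k in SECRET_KEYS if k in payload)
    return {
        "signed": False,
        "identifier": profile.get("PayloadIdentifier"),
        "payload_types": types,
        "cleartext_secrets": secrets,
    }


if __name__ == "__main__":
    # Constructed sample network; the PSK below is not a real credential.
    data = build_wifi_profile("Corp-Enroll", "correct horse battery staple", hidden=True)
    with open("Corp-Enroll.mobileconfig", "wb") as f:
        f.write(data)
    print(summarize_profile(data))
```

Open the generated file in Apple Configurator (File > Open) or pick it on the Choose Network Profile page when preparing a device. The cleartext-secret check is the point of the summarizer: the PSK is readable by anyone who can read the file, and signing the profile only proves its origin, it does not hide the password, so store the file like a credential and rotate the PSK if it leaks.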

 

Prepare and add the iPhone

Before we can prepare the device with Apple Configurator we need to import the serial number of the device and assign an enrollment profile to it in Intune.

1. Create a comma-separated CSV file without a header row, with one line per device and two columns: the serial number of the device in the first column and a description in the second column.

2. Go to “Devices” -> “iOS/iPadOS” -> “iOS/iPadOS enrollment” -> “Apple Configurator”. Select “Devices” and press “+Add” to add devices.

3. Select the created enrollment profile and select the CSV file containing the devices. Press “Add” to upload the devices.

4. When the upload is finished the device is displayed in the “Devices” overview. The device is now ready to be enrolled with Apple Configurator.

 

5. Connect the device to the Mac and start Apple Configurator 2. Select the connected device and press “Prepare”.

6. Use the default settings and press “Next”.

7. Select the configured MDM server and press “Next”.

8. Select the organization you want to use to supervise the added device and press “Next” to continue.

9. Select the Setup Assistant steps you want to show to the user and press “Next” to continue.

10. Select the Wi-Fi profile you’ve previously configured. This will be used to communicate with Apple Business Manager and Intune. Press “Prepare” to start the process.

11. The preparation process will now start. This erases the device and takes some minutes to complete.

 

Results

The device is now visible in Apple Business Manager. One of the changes is the addition of a new MDM server called “Apple Configurator 2”. It has 1 device connected: the device we just enrolled.

When we take a look at the devices, we see the newly enrolled device “iPhone SE”. The source of the device is “Apple Configurator”. The device management of the device can be changed by pressing “Edit Device Management”.

This way you can change the device from manual Apple Configurator enrollment to Automated Device Enrollment by assigning it to the MDM server that is linked to Intune through the enrollment program token.

 

 

End user experience

After the device is turned on, the end user needs to complete a few steps before the device can be used: language, region and network. Once the home screen is displayed the user signs in to the App Store with an Apple ID to install the Company Portal and other apps. After the Company Portal has been installed the user signs in to the Company Portal to enroll the device and set the primary user.

Once the user has enrolled the device, the “Primary user” and “Enrolled by” fields change to the enrolled user.

 


About Aad Lutgert

Almost 20 years of IT experience. Currently working as Senior IT Consultant for Detron in the Netherlands. Main focus on the Microsoft 365 suite.

Source: https://vmlabblog.com/2020/09/add-devices-in-apple-business-manager-with-intune/

Quick tip: Manually adding devices to Apple Business Manager

This week a quick extra post. I noticed that there was not a lot of information available about manually adding devices to Apple Business Manager (ABM) for use with Automated Device Enrollment (ADE). That makes sense, because the idea is that devices are added to ABM automatically after purchase. However, sometimes it’s useful to be able to add devices manually. The easiest way to do that is to follow the two steps described below. Before starting with those steps make sure that:

  • an enrollment program token is available and the synchronization between ABM and Microsoft Intune is active,
  • Find My is disabled on the device (otherwise Activation Lock blocks the erase and re-activation that preparation performs), and that
  • a mobile configuration (.mobileconfig) containing the Wi-Fi configuration is available to simplify the enrollment

Step 1: Create an Apple Configurator enrollment profile

The first step is to create an Apple Configurator enrollment profile. That profile will not actually be used, but that’s a relatively easy action to retrieve the URL that is required in the second step. To retrieve that URL, simply follow the next seven steps.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple Configurator to open the Apple Configurator | Profiles blade
  2. On the Apple Configurator | Profiles blade, click Create to open the Create Enrollment Profile wizard
  3. On the Basics page, provide a valid Name and (optional) a Description and click Next
  4. On the Settings page, select Enroll without user affinity and click Next

Note: The actual configuration doesn’t really matter – this configuration simply requires the least steps – as we only need the enrollment URL

  5. On the Review + create page, click Create to finish the wizard
  6. Back on the Apple Configurator | Profiles blade, open the just created profile and click Export Profile to open the Setup Assistant Enrollment blade
  7. On the Setup Assistant Enrollment blade, copy the Profile URL

Step 2: Prepare the Apple device

The second step is to prepare the Apple device. That preparation will make sure that the Apple device will be registered in ABM and that the device will be prepared for the out-of-the-box experience. To prepare the device, simply follow the next ten steps on a MacBook.

  1. Open Apple Configurator 2 on a MacBook, connect the Apple device that should be prepared, select the device and click Prepare
  2. On the Prepare Devices page, provide the following information and click Next
  • Prepare with: Select Manual Configuration as value
  • Select Add to Apple School Manager or Apple Business Manager
  • Optionally select Allow devices to pair with other computers. Leave it unselected if users must not be able to connect the device to other Macs or PCs over USB; this setting can only be changed later by erasing and preparing the device again
  3. On the Enroll in MDM Server page, verify that New Server is selected and click Next
  4. On the Define an MDM Server page, specify the following information and click Next
  • Name: Provide a valid name for the enrollment server
  • Host name or URL: Specify the URL that was copied from the Apple Configurator profile in step 1
  5. On the Define an MDM Server page, select DigiCert Global Root G2 as the anchor certificate and click Next
  6. On the Sign in to Apple School Manager or Apple Business Manager page, sign in with a Managed Apple ID and click Next
  7. On the Create an Organization page, select Generate a new supervision identity and click Next
  8. On the Configure iOS Setup Assistant page, click Next

Note: The actual configuration doesn’t really matter – this configuration simply requires the least steps – as the configuration will be controlled by Microsoft Intune

  9. On the Choose Network Profile page, select the mobile config and click Next
  10. On the Automated Enrollment Credentials page, click Prepare to bring the device to Apple Business Manager and to prepare the device for Apple ADE

Source: https://www.petervanderwoude.nl/post/quick-tip-manually-adding-devices-to-apple-business-manager/
Managing Apple devices with Microsoft Endpoint Manager

Set up iOS/iPadOS device enrollment with Apple Configurator

Intune supports the enrollment of iOS/iPadOS devices using Apple Configurator running on a Mac computer. Enrolling with Apple Configurator requires that you USB-connect each iOS/iPadOS device to a Mac computer to set up corporate enrollment. You can enroll devices into Intune with Apple Configurator in two ways:

  • Setup Assistant enrollment - Wipes the device and prepares it to enroll during Setup Assistant.
  • Direct enrollment - Does not wipe the device and enrolls the device through iOS/iPadOS settings. This method only supports devices with no user affinity.

Apple Configurator enrollment methods can't be used with the device enrollment manager.

Note: Enrolling devices with Apple Configurator is only applicable to iOS/iPadOS devices. This method does not work for enrolling macOS devices.

Prerequisites

Create an Apple Configurator profile for devices

A device enrollment profile defines the settings applied during enrollment. These settings are applied only once. Follow these steps to create an enrollment profile to enroll iOS/iPadOS devices with Apple Configurator.

  1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple Configurator.


  2. Choose Profiles > Create.

  3. Under Create Enrollment Profile, on the Basics tab, type a Name and Description for the profile for administrative purposes. Users do not see these details. You can use this Name field to create a dynamic group in Azure Active Directory: a membership rule such as (device.enrollmentProfileName -eq "<profile name>") matches the devices enrolled with this profile. Learn more about Azure Active Directory dynamic groups.


  4. Click Next to display the Settings page.

  5. For User Affinity, choose whether devices with this profile must enroll with or without an assigned user.

    • Enroll with user affinity - Choose this option for devices that belong to users and that want to use the company portal for services like installing apps. The device must be affiliated with a user with Setup Assistant and can then access company data and email. Only supported for Setup Assistant enrollment. User affinity requires WS-Trust 1.3 Username/Mixed endpoint. Learn more.

    • Enroll without User Affinity - Choose this option for devices unaffiliated with a single user. Use this for devices that perform tasks without accessing local user data. Apps requiring user affiliation (including the Company Portal app used for installing line-of-business apps) won't work. Required for direct enrollment.

    Note

    When Enroll with user affinity is selected, make sure that the device is affiliated with a user with Setup Assistant within the first 24 hours of the device being enrolled. Otherwise enrollment might fail, and a factory reset will be needed to enroll the device.

  6. If you chose Enroll with User Affinity, you have the option to let users authenticate with Company Portal instead of the Apple Setup Assistant.

    Note

    If you want to do any of the following, set Authenticate with Company Portal instead of Apple Setup Assistant to Yes.

    • use multifactor authentication
    • prompt users who need to change their password when they first sign in
    • prompt users to reset their expired passwords during enrollment

    These are not supported when authenticating with Apple Setup Assistant.

  7. Choose Create to save the profile.

Setup Assistant enrollment

Add Apple Configurator serial numbers

  1. Create a two-column, comma-separated value (.csv) list without a header. Add the serial number in the left column, and the details in the right column. The current maximum for the list is 5,000 rows. In a text editor, the .csv list looks like this:

    F7TLWCLBX196,device details
    DLXQPCWVGHMJ,device details

    To find an iOS/iPadOS device serial number, look under Settings > General > About on the device; Apple Configurator also shows it for a connected device.

  2. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple Configurator > Devices > Add.

  3. Select an Enrollment profile to apply to the serial numbers you're importing. If you want the new serial number details to overwrite any existing details, choose Overwrite details for existing identifiers.

  4. Under Import Devices, browse to the csv file of serial numbers, and select Add.
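The import file described in step 1 above (and in step 1 of “Prepare and add the iPhone” earlier on this page) is easy to get subtly wrong: a header row, a third column, a duplicate serial number or more than 5,000 rows. The following Python script is an added example, not part of the Microsoft documentation: it writes the two-column, header-less CSV from a list of (serial, description) pairs and validates any such CSV before upload. The serial-number pattern (10 to 12 uppercase alphanumerics) and the choice to strip commas from descriptions instead of relying on the importer’s quoting support are assumptions; the serial numbers in the sample are the two from the example above.

```python
"""Build and validate the two-column, header-less CSV that Intune's Apple Configurator
device import expects (serial number, description)."""
import csv
import io
import re

MAX_ROWS = 5000  # current import limit stated in the Intune documentation
# Assumption: Apple serial numbers are 10 to 12 uppercase alphanumerics.
SERIAL_RE = re.compile(r"^[A-Z0-9]{10,12}$")


def validate_import_csv(text):
    """Return a list of problems found in a CSV intended for the Intune device import."""
    problems = []
    rows = list(csv.reader(io.StringIO(text)))
    rows = [r for r in rows if any(cell.strip() for cell in r)]  # ignore blank lines
    if rows and "serial" in rows[0][0].lower():
        problems.append("row 1 looks like a header; the import expects no header row")
    if len(rows) > MAX_ROWS:
        problems.append(f"{len(rows)} rows exceeds the {MAX_ROWS}-row import limit")
    seen = set()
    for n, row in enumerate(rows, 1):
        if len(row) != 2:
            problems.append(f"row {n}: expected 2 columns (serial,description), found {len(row)}")
            continue
        serial = row[0].strip()
        if not SERIAL_RE.match(serial):
            problems.append(f"row {n}: {serial!r} is not a plausible Apple serial number")
        elif serial in seen:
            problems.append(f"row {n}: duplicate serial {serial}")
        seen.add(serial)
    return problems


def build_import_csv(devices):
    """Write (serial, description) pairs as header-less CSV text and validate the result.

    Serials are upper-cased and trimmed; commas and runs of whitespace in the description
    are collapsed to single spaces so no field ever needs quoting (assumption, see lead-in).
    """
    rows = []
    for serial, description in devices:
        clean_desc = " ".join(description.replace(",", " ").split())
        rows.append((serial.strip().upper(), clean_desc))
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    text = buf.getvalue()
    return text, validate_import_csv(text)


if __name__ == "__main__":
    # Constructed sample inventory; the serials are the ones from the documentation example.
    sample = [
        ("f7tlwclbx196", "Sales iPhone"),
        ("DLXQPCWVGHMJ", "Warehouse iPad, dock 3"),
        ("F7TLWCLBX196", "duplicate entry"),
    ]
    text, problems = build_import_csv(sample)
    print(text, end="")
    for p in problems:
        print("PROBLEM:", p)
```

Run the validator over a hand-made file as well (open it, read it, pass the text to validate_import_csv) before clicking Add; an upload that half-succeeds leaves serials assigned to the wrong profile, which the Overwrite details for existing identifiers option then has to clean up.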

Reassign a profile to device serial numbers

You can assign an enrollment profile when you import iOS/iPadOS serial numbers for Apple Configurator enrollment. You can also assign profiles from two places in the Microsoft Endpoint Manager admin center:

  • Apple Configurator devices
  • Apple Configurator profiles

Assign from Apple Configurator devices

  1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple Configurator > Devices > choose the serial numbers > Assign profile.
  2. Under Assign Profile, choose the New profile you want to assign, and then choose Assign.

Assign from profiles

  1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple Configurator > Profiles > choose a profile.
  2. In the profile, choose Devices assigned, and then choose Assign.
  3. Filter to find device serial numbers you want to assign to the profile, select the devices, and then choose Assign.

Export the profile

After you create the profile and assign serial numbers, you must export the profile from Intune as a URL. You then import it into Apple Configurator on a Mac for deployment to devices.

  1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple Configurator > Profiles > choose the profile to export.

  2. On the profile, select Export Profile.

  3. Copy the Profile URL. You can then add it in Apple Configurator to define the Intune profile used by iOS/iPadOS devices.

    Next you import this profile to Apple Configurator in the following procedure to define the Intune profile used by iOS/iPadOS devices.

Enroll devices with Setup Assistant

  1. On a Mac computer, open Apple Configurator 2. In the menu bar, choose Apple Configurator 2, and then choose Preferences.

    Warning

    Devices are reset to factory configurations during the enrollment process. As a best practice, reset the device and turn it on. Devices should be at the Hello screen when you connect the device. If the device was already registered with the Apple ID account, the device must be deleted from the Apple iCloud before starting the enrollment process. The prompt error appears as "Unable to activate [Device name]".

  2. In the preferences pane, select Servers and choose the plus symbol (+) to launch the MDM Server wizard. Choose Next.

  3. Enter a Name for the MDM server and, in Host name or URL, paste the enrollment profile URL exported from Intune. Choose Next.
    You can safely disregard the warning stating "server URL is not verified": Apple Configurator tries to discover an enrollment URL from a bare host name, which doesn't apply to the full Intune profile URL. To continue, choose Next until the wizard is finished.

  4. Connect the iOS/iPadOS mobile devices to the Mac computer with a USB adapter.

  5. Select the iOS/iPadOS devices you want to manage, and then choose Prepare. On the Prepare iOS/iPadOS Device pane, select Manual, and then choose Next.

  6. On the Enroll in MDM Server pane, select the server name you created, and then choose Next.

  7. On the Supervise Devices pane, select the level of supervision, and then choose Next.

  8. On the Create an Organization pane, choose the Organization or create a new organization, and then choose Next.

  9. On the Configure iOS/iPadOS Setup Assistant pane, choose the steps to be presented to the user, and then choose Prepare. If prompted, authenticate to update trust settings.

  10. When the iOS/iPadOS device finishes preparing, disconnect the USB cable.

Distribute devices

The devices are now ready for corporate enrollment. Turn off the devices and distribute them to users. When users turn on their devices, Setup Assistant starts.

After users receive their devices, they must complete Setup Assistant. Devices configured with user affinity can install and run the Company Portal app to download apps and manage devices.

Direct enrollment

When you directly enroll iOS/iPadOS devices with Apple Configurator, you can enroll a device without acquiring the device's serial number. You can also name the device for identification purposes before Intune captures the device name during enrollment. The Company Portal app is not supported for directly enrolled devices. This method does not wipe the device.

Apps requiring user affiliation, including the Company Portal app used for installing line-of-business apps, cannot be installed.

Export the profile as .mobileconfig to iOS/iPadOS devices

  1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple Configurator > Profiles > choose the profile to export > Export Profile.

  2. Under Direct enrollment, choose Download profile, and save the file. An enrollment profile file is only valid for two weeks, after which you must re-create it.

  3. Transfer the file to a Mac computer running Apple Configurator to push directly as a management profile to iOS/iPadOS devices.

  4. Prepare the device with Apple Configurator by using the following steps:

    1. On a Mac computer, open Apple Configurator 2.

    2. Connect the iOS/iPadOS device to the Mac computer with a USB cord. Close Photos, iTunes, and other apps that open for the device when the device is detected.

    3. In Apple Configurator, choose the connected iOS/iPadOS device, and then choose the Add button. Options that can be added to the device appear in the drop-down list. Choose Profiles.


    4. Use the file picker to select the .mobileconfig file that you exported from Intune, and then choose Add. The profile is added to the device. If the device is Unsupervised, the installation requires acceptance on the device.

  5. Use the following steps to install the profile on the iOS/iPadOS device. The device must have already completed the Setup Assistant and be ready to use. If enrollment entails app deployments, the device should have an Apple ID set up because the app deployment requires that you have an Apple ID signed in for the App Store.

    1. Unlock the iOS/iPadOS device.
    2. In the Install profile dialog box for Management profile, choose Install.
    3. Provide the Device Passcode or Apple ID, if necessary.
    4. Accept the Warning, and choose Install.
    5. Accept the Remote Warning, and choose Trust.
    6. When the Profile Installed box confirms the profile as Installed, choose Done.
  6. On the iOS/iPadOS device, open Settings and go to General > Device Management > Management Profile. Confirm that the profile installation is listed, and check the iOS/iPadOS policy restrictions and installed apps. Policy restrictions and apps might take up to 10 minutes to appear on the device.

  7. Distribute devices. The iOS/iPadOS device is now enrolled in Intune and managed.

Source: https://docs.microsoft.com/en-us/mem/intune/enrollment/apple-configurator-enroll-ios

Prepare an iPhone, iPad, or Apple TV manually in Apple Configurator 2

  1. In Apple Configurator 2, select one or more devices you want to prepare or Blueprints, then do one of the following:

    • Click Prepare in the toolbar.

    • Choose Actions > Prepare.

    • Control-click the selected devices or Blueprints, and choose Prepare.

    The Prepare Assistant appears.

  2. Select Manual Configuration, then choose any of the following options:

    • Add the devices to Apple School Manager or Apple Business Manager, and choose whether to activate the device and complete the enrollment.

    • Designate an iPhone, iPad, or Apple TV device as a supervised device.

      When a device is supervised, you’re granted ongoing control over its configuration, and you can reapply that configuration at any time just by reconnecting the device to the Mac with Apple Configurator 2 installed.

      Some payloads and restrictions are available only for supervised devices. For information about supervised-only restrictions, see Supervised-only restrictions in Mobile Device Management Settings for IT Administrators.

    • Allow devices to pair with other computers: Select this option if you want users to use a USB cable to sync with a Mac or PC. Leave it unselected if users must not be able to connect the device to other hosts over USB.

      Note: Changing this restriction later requires you to erase, prepare, and supervise the devices again.

    • Enable Shared iPad: Select this option if you want users to use Shared iPad.

      See Intro to Shared iPad in Mobile Device Management Settings for IT Administrators.

  3. When you have made your selections, click Next. Follow the Help buttons if you need further clarification.

  4. If you don’t want to enroll with an MDM solution, select Do not enroll in MDM, then click Next and skip to step 7.

  5. Select an existing MDM solution that was set up in Apple Configurator 2 preferences, or select New Server, then click Next, and create a new connection with the following:

    • Name: A description for the server, which may be based on location, grade level, or something easy for you to remember.

    • Enrollment URL: The fully qualified domain name (FQDN) or IP address of your MDM solution. Apple Configurator 2 then attempts to ask the MDM solution for the full enrollment URL.

      If the default FQDN or IP address doesn’t return the correct information, consult your MDM vendor.

    See MDM solution preferences.

  6. When you’re done, click Next.

  7. If necessary, enter a Managed Apple ID and password from Apple School Manager or Apple Business Manager and click Next to authenticate, or click Skip.

  8. Choose your organization information.

    If you selected Supervision, you must select an existing organization or enter new information about your organization (only the name field is required).

    Important: After you prepare supervised devices with a supervision identity, changing that identity later requires that you erase, prepare, and supervise the devices again. The actual name of the supervision identity often isn’t critical, but you need to standardize on the use of that identity for all instances of mobile device management (MDM) and Apple Configurator 2.

  9. When you’re done, click Next.

  10. Select which panes of Setup Assistant to skip. For information on each Setup Assistant pane, see Setup Assistant panes in Mobile Device Management Settings for IT Administrators.

  11. Click Prepare.

    Choose Window > View Activity to follow the progress as Apple Configurator 2 prepares the devices.

Source: https://support.apple.com/sv-se/guide/apple-configurator-2/cad99bc2a859/mac