A few weeks ago I’ve discussed the integration of Apple Business Manager (ABM) with Azure AD, to provision the Managed Apple IDs and to provide a federation. That provides a very nice user experience, when used in combination with Microsoft Intune. This week I want to extend on ABM by further integrating it with Microsoft Intune. As a bare minimum for managing Apple devices it’s always required to use the Apple MDM Push certificate. I hope that every IT administrator can dream the required steps for such a certificate by now. On top of that, ABM can be used to facilitate company-owned devices and to facilitate volume purchased apps. That provides an even better experience on company-owned Apple devices. A great out-of-the-box experience together with the require licensed apps. Those apps can even be used in combination with User Enrollment. This post will start with a short introduction about Apple Automated Device Enrollment (ADE) and Apple Volume Purchase Program (VPP), followed with the steps to integrate those programs with Microsoft Intune.
Further introduction to the functionalities provided by Apple Business Manager
When looking at the functionalities of ABM, it basically provides additional functionalities for managing Apple devices and apps. It provides an identity by using Managed Apple IDs, it provides an out-of-the-box enrollment experience by using ADE and it provides company-licensed apps by using the VPP. All of these functionalities can be used in combination with Microsoft Intune, to provide the best experience on company-owned devices. For little bit more information about the different programs, see below.
- Automated Device Enrollment: This program can be used to provide organization with the ability to easily enroll large numbers of Apple devices (iPhones, iPads, MacBooks, etc.) without the IT administrator ever touching those devices. When the organization orders the Apple devices with an participating reseller (or Apple itself, or a cellular carrier), the devices can immediately be added to ABM by the reseller. When a connection is created between Microsoft Intune and ABM, the IT administrator can synchronize those devices automatically and can assign an enrollment profile to those devices. That will enable the organization to order those Apple devices and simply directly ship them to the users. When those devices arrive with the users, they can simply turn on their device and the out-of-the-box experience will guide them through the enrollment process.
- Supervision: This mode gives IT administrators more control over Apple devices and is often used in combination with ADE. An iOS, or iPadOS device can become supervised by using Apple Configurator, or by using Microsoft Intune and configuring it during the enrollment. A macOS device will become automatically supervised by using ABM (for macOS 10.14.4 or later) or by enrolling the device in Microsoft Intune. Starting with iOS 13 and later, iPadOS 13.1 and later, and macOS 14.4.4 and later, all devices will automatically be configured as supervised once they are added to ABM.
- Volume Purchase Program: This program can be used to provide an organization with the ability to purchase multiple licenses for an app that should be used on Apple devices (iPhones, iPads, MacBooks, etc.). The information about the app purchases can be synchronized to Microsoft Intune and that will help with tracking the usage. That helps with efficiently managing apps within the organization and controlling the spending on apps. The actual installation of the app is handled by Apple, as Microsoft Intune will simply connects with this program to tell Apple which app license should be assigned to which devices.
Add Apple Business Manager enrollment program token
The first integration to configure is the integration of Microsoft Intune with ABM for the use of ADE. That integration requires adding an enrollment token in to Microsoft Intune. Below are the steps for adding an enrollment program token to Microsoft Intune, followed with some information regarding assigning devices and working with one or more enrollment profiles.
- Open the Microsoft Endpoint Manager admin center portal navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens to open the Enrollment profile tokens blade
- On the Enrollment profile tokens blade, click Add to open the Add enrollment program token wizard
- On the Basics page, work through the following 5 steps (as shown in Figure 1 and described below) and click Next
Important: Keep this page open while performing all the required steps – even after downloading the certificate – or the downloaded certificate will be invalidated.
- Select I agree with I grant Microsoft permission to send both user and device information to Apple.
- Click Download your public key to download the public key certificate that is required to create the token
- Open Apple Business Manager and perform the following actions to download a token
- Navigate to Settings > Device Management Settings and click Add MDM Server to start the configuration to add Microsoft Intune as a MDM server in ABM
- On the Untitled MDM Server page, provide the following information and click Save
- MDM Server Name: Provide a name for the MDM server that represents Microsoft Intune
- Select Allow this MDM Server to release devices to enable Microsoft Intune someday in the future to release the devices from ABM
- Upload Public Key: Upload the public key certificate that was downloaded in the previous step
- Generate New Server Token: Download the generated server token after saving the configuration
- Apple ID: Save the Apple ID that was used in ABM to create the token
- Apple token: Provide the downloaded server token to enable Microsoft Intune to sync devices from the ABM account that is assigned to the MDM server that is associated with the token
- On the Scope tags page, configure the required scope tags click Next
- On the Review + create page, verify the configuration and click Create
Once the status is active, as shown in Figure 2, ABM can be used to assign devices to the MDM server that is associated with the Microsoft Intune tenant. That can be achieved by assigning a device, or multiple devices, to a MDM server (by using Devices > Edit Device Management). Besides that, it’s also possible to define a MDM server as the default for device assignment (by using Settings > Device Management Settings > Default Device Assignment). The chosen path will often be determined by the number of MDM server that are configured.
There can be multiple reasons to use multiple MDM servers within an ABM. A reason could be to differentiate between different environments for test and production, but another reason could be to differentiate between the profile that is automatically to the synchronized devices. The latter option can be used when ABM is used to assign a device to MDM server and automatically assign it to the correct enrollment profile in Microsoft Intune. That can be achieved when a default enrollment profile is configured for the enrollment program token in Microsoft Intune. A different default enrollment profile per enrollment program token. The chosen path will often be determined by who’s responsible for connecting the dots.
Create Apple Volume Purchase Program token
The second integration to configure is the integration of Microsoft Intune with ABM for the use of VPP. That integration requires uploading a location token in to Microsoft Intune. These location tokens were commonly known as VPP tokens. Below are the steps adding location token to Microsoft Intune, followed with some information regarding synchronizing of purchased apps.
- Open the Microsoft Endpoint Manager admin center portal navigate to Tenant administration > Connectors and tokens > Apple > Apple VPP Tokens to open the Connectors and tokens | Apple VPP Tokens blade
- On the Connectors and tokens | Apple VPP Tokens blade, click Create to open the Create VPP token wizard
- On the Basics page, work through the following 3 steps (as shown in Figure 3 and described below) and click Next
- Token Name: Provide an administrative name that represents this token in Microsoft Intune
- Apple ID: Save the Apple ID that was used in ABM to create the location token
- VPP token file: Open Apple Business Manager, perform the following actions to download a location token and add that token
- Navigate to Locations and click Add a new location to add a location that should be used
- On the Add New Location page, add the information about the location and click Save
- Navigate to Settings > Apps and Books and scroll down to My Server Tokens
- In the My Server Tokens section, click Download for the server token of the created location
- On the Settings page, work through the following 5 steps (as shown in Figure 4 and described below) and click Next
- Take control of token from another MDM: Select Yes when it’s required to reassign the token from a different MDM to this Microsoft Intune tenant.
- Country/Region: Select the country/region of the VPP store
Note: Microsoft Intune synchronizes apps from all locals from the specified country/region store.
- Type of VPP account: Select Business to specify that this is a business configuration
- Automatic app updates: Select Yes to have Microsoft Intune automatically detect app updates and automatically push the update to a device on check-in
Note: Microsoft Intune will automatically update apps with required and available install intents. For deployed apps – deployed as available install – the IT administrator will receive a notification.
- Select I grant Microsoft permission to send both user and device information to Apple to enable Microsoft to send the required information to Apple
- On the Scope tags page, configure the required scope tags click Next
- On the Review + create page, verify the configuration and click Create
Once the status is active, as shown in Figure 5, apps can be purchased -and properly licensed – in bulk via ABM. When purchasing apps, those apps can be assigned to the created location. That will enable Microsoft Intune to synchronize those apps and to assign to apps – and licenses – to users.
For more information about the Microsoft Intune and ADE or VPP, refer to the following docs.
23 thoughts on “Further integrating Apple Business Manager with Microsoft Intune”
Peter, do you know anyone who has actually successfully enrolled MacOS devices with ABM and Intune? I’ve spend 2 days now getting the enrollment to work with no luck. Setting it up is easy, my MacBook also picks up de enrollment profile and my policies (filevault on for example) are enrolled succesfully (says Intune :-). The first screenof the enrollment proces that comes after the System Management screen is setting up a local account, that’s where i’m stuck. No matter what accountname or password you type the first 3 or 4 times it says (after minutes of waiting) “cannot create account”. After a 4th attempt the enrollment finally continous but by then you already have 4 local accounts (of which 3 are not working) and a not so out of the box experience.
I haven’t heard of any recent major issues. Do keep in mind that the Setup Assistant currently doesn’t support MFA in combination with User Affinity. That will cause issues at this moment.
Hi Peter, do you know a way how to rename the Enrollment Token Program in Intune? We created one but want to rename it so it better suits the environment. Or can we safely delete it and recreate it?
And perhaps also how to rename the DEP profile in Intune , seems i cannot rename this. Thanks in advance!
You can select the enrollment profile, select Properties and click Edit with the Basics.
From what I’ve seen that would require you to recreate it and sync the devices again.
Thanks for your answer. I was afraid of that.
I wonder if I am missing something… I want to be able to enroll existing devices into Intune and use ABM with Federation (to our AzureAD tenant) to create managed appleids and VPP tokens to assign company apps. However most of the documentation keeps focusing on using ADE which I am not in a position to do, not wanting to wipe all the existing devices currently being used with Application Protection Policies.
I know I can enroll a device with the Company Portal app and most everything works except the VPP apps (I do have a valid VPP token uploaded from ABM to Intune) which do show up in Intune but don’t come down to the devices.
Is it the ADE token from Intune to ABM that I’m missing? As I said I don’t want to use ADE currently but is that token also a requirement for plain old device enrollment from Company Portal too?
Any insights would be appreciated.
ADE is not required for device enrollment via the Company Portal app.
I have ABM and Endpoint Manager all setup and enrolling apps with ‘volume purchase program app’. There’s still one thing I cannot wrap my head around is the fact that how can I enable users to download free apps in the AppStore on their device?
Any help on how to fix this much appreciated.
When you’re not allowing personal Apple IDs, the apps should be made available via Apple VPP.
Dear Peter, thank you very much for sharing these helpful articles.
In my company, we’ve set up the Apple MDM Push Certificate and followed the instructions from this article to set up the ABM enrolment program token with a default profile (user affinity / Setup assistant with modern auth.), and VPP token, so that the Apps we’ve purchased show up in Intune. We were able to enrol a device using Intune and Company Portal app is auto-installed, however the following prompt keeps showing up every few seconds: App installation: sign in to iTunes to allow ‘CompanyName’ to manage and install apps. I read on some forums that this is because of the following VPP token setting: Automatic app updates => set to ‘Yes’. Once I changed that option to ‘No’, the prompt no longer showed up.
When setting up Android devices using Android Enterprise, there is no need to set up a Google account in order for apps to be deployed to the Android device. Is it mandatory to sign in to iTunes for company owned devices when using VPP? If yes, is that done via Managed Apple IDs? Any advice / links to relevant articles would be greatly appreciated. Thank you!
That can depend on multiple things, like how the apps are licensed, if the app is already installed, etc.
i have my apple resellers id now but I occasionally purchase macbooks from various suppliers who arent resellers but distribution, will these devices become an issue enrolling to ABM?
At this moment you won’t be able to add those devices. From what I’ve read only, iOS 15 will provide the ability to perform that task.
Do you have any suggestions to solve “No apps available” when we open the Intune Company Portal? We have apps and if we click “Company Portal website”, we see them and can install, but I have seen them show up as tiles in a typical App Store manner before.
You don’t have the categories that link to the website, as shown here?
Hello Peter, nice tutorials, could you also make blog how the end user enroll his macOS out of the box?
I’ll put it on my list, but no guarantees 🙂