Apple Business Manager (ABM) is a program that combines Automated Device Enrollment (ADE, formerly called DEP) and the Volume Purchase Program (VPP). It is a web-based service that helps organizations onboard and manage devices seamlessly, starting from the initial device setup.
We recently implemented Apple Business Manager internally to manage corporate-procured devices (before this implementation, these devices used to enroll as BYOD). In this blog, I will share our observations and lessons learned.
Since most of us are curious about the benefits and challenges of adding this service, here are some of the immediate benefits we observed during the implementation.
The Apple Business Manager service can be used for any Apple device procured by the organization, such as Macs, iPhones and iPads.
It simplifies the device lifecycle, for both IT and end users, from initial deployment to end of life.
Devices can be managed and configured with corporate policies from the initial device setup.
Automated enrollment increases the security of the device and reduces the time until devices are ready for productive use.
Users no longer have to configure their device manually; a few simple steps on the user's side make the device ready to use.
IT professionals can control the behavior of the device setup and the user experience based on the organization's requirements.
You can have multiple enrollment profiles based on group/division requirements to control the user experience.
Alongside the benefits, we observed some challenges during the implementation of the ABM service.
If the Company Portal app is installed manually before Intune deploys it (with the required install intent), device registration will not work, and the user sees the error “Couldn’t add your device”.
If your organization enforces Conditional Access (CA), CA requires the device to be registered in Azure AD. When a device is enrolled in Intune using the ABM approach, it is not registered by default. To get the device registered without problems, the Company Portal app must be deployed from Intune and the user must sign in to it (currently the user experience differs between iOS and Mac devices).
If the required Company Portal app (deployed from Intune) is not the latest version or is no longer supported, users get a notification saying “Version is not supported” during device registration. This can confuse users or delay device registration until the app updates, so keeping the required app at the latest version is a challenge for IT professionals.
It is possible to have multiple ABM instances tied to a single MDM instance, but there are some limitations:
Verifying the device assignments for all devices in one place is harder; you need to toggle between the instances.
Apps and Books tokens (VPP) can’t be shared between two instances.
There is a potential issue if users try to migrate data from an old device to a new device during device setup. You can avoid this by hiding the “Restore” setting in the enrollment profile.
If your organization allows users to migrate, let them unenroll the device by setting the enrollment profile's “Locked enrollment” setting to “No”, and ensure that users do not perform a backup while the device is enrolled.
Now you might be wondering about the requirements for implementing Apple Business Manager.
A new Apple Business Manager account must be set up, together with a process for adding each Apple device the organization procures to the service.
Managed Apple IDs are required to control permissions and provide access to operate the service; these can be created in the ABM portal. (These accounts are not end-user accounts; they are specific to ABM.)
An Apple MDM push certificate (APNs) is required to manage Apple devices, and the certificate is valid for one year. Failing to renew it before expiry interrupts device management and requires re-enrolling all Apple devices.
An Apple Device Enrollment Program token is required to establish communication between Intune and the Apple Business Manager service. With this token, new device details and enrollment profile settings sync between the two services (once a device is added to ABM, it shows up in Intune automatically within 12 hours, but you can trigger a manual sync once every 15 minutes). This token is also valid for one year and must be renewed before expiry to avoid synchronization issues between Intune and ABM.
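Because both the APNs certificate and the enrollment token silently lapse after one year, the practical safeguard is a scheduled check that reports the days remaining on each and flags anything inside a renewal window. The script below is an added example, not code from the original post or from Microsoft or Apple. It runs offline on constructed sample data; the field names (expirationDateTime, tokenName, tokenExpirationDateTime) are assumed to mirror the Microsoft Graph resources for the push certificate and DEP onboarding settings, and the 30-day warning window is an assumed operational choice, so verify both against your own tenant before wiring it to a real API call.

```python
"""Expiry check for the Apple MDM push certificate (APNs) and the ADE/DEP
token that Intune uses to talk to ABM. Added example, not from the original
post; it runs offline on constructed sample data shaped like Graph output."""
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Warn this many days before expiry (assumption: a common operational choice).
WARN_DAYS = 30

# Constructed sample data. The field names are assumed to mirror the Graph
# resources deviceManagement/applePushNotificationCertificate
# (expirationDateTime) and deviceManagement/depOnboardingSettings
# (tokenName, tokenExpirationDateTime); verify the shape against your tenant.
SAMPLE_APNS = json.dumps({
    "appleIdentifier": "mdm-admin@example.com",
    "expirationDateTime": "2024-07-01T00:00:00Z",
})
SAMPLE_DEP = json.dumps({"value": [
    {"tokenName": "ABM-Corporate", "tokenExpirationDateTime": "2024-02-20T00:00:00.0000000Z"},
    {"tokenName": "ABM-Subsidiary", "tokenExpirationDateTime": "2024-01-10T00:00:00Z"},
]})


def parse_graph_datetime(value: str) -> datetime:
    """Parse a Graph-style UTC timestamp such as '2024-07-01T00:00:00Z'.

    Fractional seconds (Graph sometimes emits seven digits) are dropped so the
    fixed-format strptime works on every Python version."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC timestamp ending in 'Z': {value!r}")
    base = value[:-1].split(".", 1)[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def classify(days_remaining: int, warn_days: int = WARN_DAYS) -> str:
    """EXPIRED once past the date, RENEW_SOON inside the warning window, else OK."""
    if days_remaining < 0:
        return "EXPIRED"
    if days_remaining <= warn_days:
        return "RENEW_SOON"
    return "OK"


def check_credentials(apns_json: str, dep_json: str, now_iso: Optional[str] = None,
                      warn_days: int = WARN_DAYS) -> List[Dict]:
    """Return one record per credential with its days remaining and status.

    now_iso pins 'today' for reproducible runs; None means the current time."""
    now = parse_graph_datetime(now_iso) if now_iso else datetime.now(timezone.utc)
    records = []

    # The tenant has a single APNs certificate; it is the one that, if it
    # lapses, forces every Apple device to be re-enrolled.
    apns = json.loads(apns_json)
    apns_exp = parse_graph_datetime(apns["expirationDateTime"])
    days = (apns_exp - now).days
    records.append({"name": apns.get("appleIdentifier", "APNs"), "kind": "apns_certificate",
                    "expires": apns_exp.date().isoformat(),
                    "days_remaining": days, "status": classify(days, warn_days)})

    # One DEP/ADE token per ABM instance tied to this Intune tenant.
    for token in json.loads(dep_json).get("value", []):
        exp = parse_graph_datetime(token["tokenExpirationDateTime"])
        days = (exp - now).days
        records.append({"name": token.get("tokenName", "DEP token"), "kind": "dep_token",
                        "expires": exp.date().isoformat(),
                        "days_remaining": days, "status": classify(days, warn_days)})
    return records


def needs_action(records: List[Dict]) -> List[str]:
    """Names of credentials that are expired or inside the warning window."""
    return [r["name"] for r in records if r["status"] != "OK"]


if __name__ == "__main__":
    # Pin the clock so the sample output is stable; drop now_iso for a live check.
    for r in check_credentials(SAMPLE_APNS, SAMPLE_DEP, now_iso="2024-02-01T00:00:00Z"):
        print(f'{r["status"]:<10} {r["kind"]:<16} {r["name"]:<24} '
              f'expires {r["expires"]} ({r["days_remaining"]:+d} days)')
```

With the clock pinned to 1 February 2024 the sample reports the APNs certificate as OK (151 days left), the first token as RENEW_SOON (19 days) and the second as already EXPIRED. Feeding it the live responses instead of the embedded samples turns it into a daily job that alerts well before the one-year validity of either credential runs out.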
Once the enrollment token is configured, it is time to create enrollment profiles to apply the defined settings and control behavior on the device. Based on your organization's requirements you can configure multiple profiles (the limit is 1000 enrollment profiles per token).
I hope this blog has helped you understand how to implement the Apple Business Manager service and integrate it with Intune.