How to manually add devices in Apple Business Manager (ABM) or Apple School Manager (ASM)

By Marc Nahum - Sr. Program Manager | Microsoft Intune

Updated 02/27/2023: This article has been updated to include the additional enrollment option using an iPhone for iOS/iPadOS and macOS.

Any enterprise or education institution that owns iOS/iPadOS devices can take advantage of automatic enrollment to Intune, as well as the extra features and controls that Apple’s Automated Device Enrollment (ADE) - previously known as Device Enrollment Program (DEP) – provides.

When ADE was first introduced, only Apple resellers and telecom carriers were able to add devices to Apple Business Manager or Apple School Manager. However, since the release of iOS 11, Apple supports the ability to manually add iOS and iPadOS devices yourself with the Apple Configurator 2.5 (AC2) tool. This means that, regardless of where the device was purchased, you can benefit from using ABM or ASM.

This article helps IT pros and mobile device administrators understand the steps required to manually add iOS and iPadOS devices to Apple Business Manager (ABM) or Apple School Manager (ASM), as well as enrolling them into the Intune service.

Warning: The devices are fully wiped during the enrollment process. Apple treats devices being added to ABM/ASM as proprietary to the account and requires all previous settings to be reset.

There are two options for adding an iOS/iPadOS or Mac device to ABM/ASM—either with an iPhone or with a Mac. Regardless of which method you use, once the new device is added, you must assign the devices to Intune.

Option 1: Add an iPhone, iPad or a Mac with an iPhone

The Apple Configurator for iOS is available with iOS/iPadOS 15 and macOS Monterey (macOS 12). This feature allows admin to enroll an iOS device running iOS 16 or later or a Mac with the T2 Security Chip or Apple silicon running macOS Monterey or later to an ABM/ASM with an iPhone, without needing to have a Mac onsite. This is especially helpful in eliminating the need to have resellers add devices to your ABM/ASM account as you are able to do so yourself from an iPhone.

Prerequisites:

• An iPhone running iOS 16 with Apple Configurator installed.
• An ABM or ASM account with the role of “Device Enrollment Manager” assigned.
• Physical access to the device being enrolled.
• An ABM or ASM configured with Intune as a mobile device management (MDM) Server. (Preferences > Your MDM Servers > Add). 

Preparing Apple Configurator:

Start the configurator application on the iPhone and log in with your ABM/ASM Apple ID.

By default, the device you import will automatically use the same network as the iPhone you’re using to set it up with is connected to. However, you can also use a configuration profile imported from the settings.

Note: Wireless networks using certificates are not supported. Be sure to use a password-protected network.

To import the new device into your ABM/ASM, you must have it within proximity of the iPhone being used to complete the setup. The iPhone will display setup prompts for the device being added.

Follow the steps outlined in the Apple Configurator User Guide to complete the setup process.

Once the device has been added to your ABM/ASM, assign the device to Intune. See the Assign the device in the Intune admin center section in this document.

Option 2: Add Apple devices with a Mac

Using a Mac to add Apple devices includes several steps.

Prerequisites:

• A Mac device (desktop or laptop), running at least macOS Monterey (macOS 12.4 or later). This is mandatory for installing and running AC2 on macOS.
• An iPhone running iOS 16 If you are running Apple Configurator.
• AC2 installed on the Mac from the App Store (Apple ID required). A version can be downloaded from the Apple developer site, but it requires an Apple developer membership account. This can be useful if you want to distribute the pkg with Intune on the Mac being setup.
• Physical access to the iOS/iPadOS device, which must be connected to the Mac device running AC2. The “Find My” feature must be turned off (Activation Lock off).
• An ABM or ASM account with the role of “Device Enrollment Manager” assigned.
• A network profile in AC2 (steps detailed below) to allow the iOS or iPadOS device to connect to the Internet during the setup process.
• ABM or ASM configured with Intune as an MDM Server (Preferences > Your MDM Servers > Add).

Preparing Apple Configurator

There are a lot of options in AC2, so we’ll cover only the steps necessary to import the devices to ABM or ASM and assign them to the Intune MDM server. See the Apple Configurator 2 User Guide for more information.

1. Creating a Wi-Fi profile

During the onboarding process, the device will need to connect to the internet. Therefore, it’s mandatory to have a Wi-Fi profile, which will allow it to automatically connect. The profile can be as complex as is required, but must not prompt the user for any action, or require a certificate to authenticate.

1. In Apple Configurator go to the File menu and choose New Profile.
2. Complete the Name of the profile in the mandatory General section.
3. Complete the Wi-Fi section with your parameters.
4. Once created, save it by clicking on the name on the top of the window. You can then close it and it will be used later.

Screenshot of a Wi-Fi profile and configured settings in Apple Configurator 2.

2. Generate an MDM Server URL for Intune

Note: This step is not mandatory, but it will create a trusted configuration and avoid any doubts that the URL is the proper one.

1. Open Microsoft Intune admin center.
2. Select Devices, then navigate to Enroll devices > Apple enrollment > Apple Configurator.
3. Select Profiles > Create.
4. Complete all required fields with your desired configuration, then click Create.
5. Select the profile you just created, then click Overview > Export Profile.
6. Copy the Profile URL from the Setup Assistant Enrollment section. This will be used later.

Screenshot of the Apple Configurator - Default Enrollment Profile in the Microsoft Intune admin center.

Connect the device to Apple Configurator

Important: The device will be fully wiped during this process.

If this is the first time you’re connecting the device to the Mac, a pop up will appear asking for the Mac to be trusted. Select Trust.

1. In Apple Configurator, select Prepare from the toolbar or by doing a secondary click on the picture of the device.
   
   Screenshot of Apple Configurator 2 with an arrow pointing to the "Prepare" option.
   
   
2. The below settings must be selected:
   • Manual Configuration.
   • Add to Apple School Manager or Apple Business Manager.
   • Allow devices to pair with other computers.

    

   Do not select:

   • Activate and complete enrollment.
   • Enable Shared iPad.
     
     Apple Configurator 2 - Prepare Devices" menu.
     
     
3. If this is the first time the operation is run on this Mac, you must create a “New Server” with the following details:
   
   

   Name: “Microsoft Intune”

   URL: The one created in the step, “Generate MDM Server URL for Intune”
   
   

   Example URL: https://appleconfigurator2.manage.microsoft.com/MDMServiceConfig?id=<Intune_tenant_ID>&AADTenantId=<AAD_tenant_ID>

   
   Apple Configurator 2 - "Define an MDM Server" menu.
   
   Note: If you decided to skip the step of creating the dedicated URL from Intune, you can use “https://endpoint.microsoft.com” and acknowledge the warning “Unable to verify the enrollment URL” as follows:
   
   Apple Configurator 2 - "Define an MDM Server" menu with the warning text: “Unable to verify the enrollment URL”.
   
   
4. Add trust anchor certificate for MDM server.
   • Select the one with the Microsoft or Azure name on the list (this should be appleconfigurator2.manage.microsoft.com or portal.azure.com or endpoint.microsoft.com)
     
     
5. Attach the device to your organization.
   • Authenticate to ABM/ASM with an account with the “Device Enrollment Manager” role assigned.
     
     Apple Configurator 2 - Sign in to Apple School Manager or Apple Business Manager menu.
     
     

   • If you didn’t up the organization name, you’ll need to do that next. That Organization name will be displayed on the device.

   • The iOS setup assistant steps selected on the next screen are not important as they will be defined in Intune later.

6. Select the Network Profile previously created and, when prompted, enter your local password to initiate the process.

   • At this point, the device will be erased. When the device restarts, steps in AC2 are complete.

Log onto your Apple management console

You now need to assign it to Intune in the ABM/ASM console.

1. Go to “Devices” and select “filter”.
2. Select “Source” and “Manually Added” > “Apple Configurator”.
   
   Screenshot of the Filters settings under the ABM/ASM console.
   
   You can multi select your devices with the “shift” key and select “Edit MDM Server”
   
   Screenshot of the ABM/ASM console with the "Edit" button highlighted next to the "Exit MDM Server" option.
   
   
3. Choose “Assign to the following MDM:” and select your Intune entry.

You can multi select your devices with the “Shift” key and select “Edit MDM Server”.

Assign the device in the Intune admin center

Once the device is assigned it will need to be synchronized. This occurs automatically every 12 hours, or you can manually trigger the synchronization in the Microsoft Intune admin center:

1. Navigate to Devices > Enroll devices > Apple Enrollment> Enrollment program tokens and select your token name.
2. Navigate to Devices and click Sync.

Note: You can manually synchronize the devices from ABM/ASM to Intune at a maximum frequency of every 15 minutes.

At this point you should have successfully added your ADE device to Intune.

Let us know if you have any questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.

Post updates:

02/27/23: This article has been updated to include the additional enrollment option using an iPhone for iOS/iPadOS and macOS.

04/03/23: updated post with an updated post link.