New iPad - "Invalid profile" Apple Business manager using Enrollment program tokens

Copper Contributor



I have recently created an Apple Business Manager account, purchased iPads through the Apple Business Store which linked directly into Devices under devices. 


I have configured MDM server (Intune) successfully via the Apple Business Manager. Everything seems to be Synced. For example, if I go to Intune, Enroll devices, Enrollment program tokens, I can see the new iPads in "ready to enroll". I've created a Profile and assigned it to the iPads. The state is "Not Contacted" but I figure that's normal until the enrolment is done?


I tried enrolling just a single iPad to start with and I'm hitting Invalid Profile (see screenshot).


Not sure what I've done wrong.


Appreciate some help.



13 Replies

Could you confirm al the tokens are still valid?
How are the devices enrolled into the ABM, with the apple configurator or by the supplier?

@Rudy_Ooms_MVP thanks for your reply. They are enrolled into ABM by the supplier (purchased through Apple Business Store). The token is valid as far as I can see.


Additional screenshots provided.


I've since tried updating the iPad through iTunes and performed a factory reset. Still the same error.


To be sure could you check

-if there any enrollment restrictions that would block it

-If the devices were assigned to an MDM server with DEP profile configured before running setup assistant on the device



And maybe to test it... do you have a mac ? so you can try to configure the iPad with the apple configurator

@Rudy_Ooms_MVP Please find enrollment restrictions attached


I'm quite certain the devices were assigned to the MDM server beforehand. Just in case they weren't though, is there a way to "reset" and start from scratch? I did try restoring the iPad to factory using iTunes but still the same error.


I don't have a Mac unfortunately.







In Apple Business Manager , sign in with an account that has the role of Administrator or Device Enrolment Manager.
Click Devices in the sidebar, search for a device in the search field, then select the device from the list.
After you have searched for devices, select the total number of devices at the top of the list, then click .



Do one of the following:

Choose Assign to server, then choose the MDM server you want to assign or reassign the device to.

Choose Unassign to unassign the device from an MDM server.


Note: If you select a device that is unassigned, you will not see the unassigned option.

Click Continue.


A new activity generates a list of the devices that are assigned or reassigned to the selected MDM server, or unassigned from an MDM server. You can wait for the activity to complete or click Close to close the window.



So if you can't click un unassigned, the device has no mdm server assigned..


Hi Rudy,

I reassigned them but I believe they were already assigned. Please see screenshot.

Interesting, when I connect the iPad to iTunes, it comes up with this now (see screenshot). However, I'm still getting invalid profile error.

@glennsfield Check if your MDM Push Certificate has expired. 

Here is the KB: Get an Apple MDM Push certificate

Was this ever resolved? I'm getting this same error now.

I saw this error on a tenant where the mobile device management authority ( was not configured.

Hi @glennsfield ,


In the enrollment profile, you have not selected any VPP tokens for installing the Comp portal. It is required to push Company Portal app as a VPP app and the correct token selected in the enrollment profile. Without this, enrollment will fail.


Best Regards,


Me too... brand new setup, Configurator 2, ABM, and Intune.
iPads were purchased via a consumer retail Apple store, so no reseller or organization ID.

Devices->iOS/iPadOS->iOS/iPadOS enrollment->Device platform restrictions->Select the default ->Properties->Edit (platform settings)->Set iOS/iPadOS to Allow (default is block)