Tutorial: Set Up Microsoft Intune Enrollment for iOS/iPadOS Devices in Apple Business Manager.
January 30, 2025
This tutorial walks you through the process of using Apple Business Manager (ABM) and Microsoft Intune to automate and streamline the enrollment of iOS/iPadOS devices purchased through Apple Business Manager. By setting up Automated Device Enrollment (ADE), you can ensure secure, over-the-air enrollment the first time a user turns on their device.
In this tutorial, you will learn how to:
- Obtain an Apple device enrollment token
- Sync managed devices to Intune
- Create an enrollment profile
- Assign the enrollment profile to devices
By the end of this tutorial, your devices will be ready for distribution and enrollment.
Prerequisites
Before beginning, ensure the following steps are completed:
- Set up mobile device management (MDM) authority.
- Obtain an Apple MDM Push certificate.
- Ensure you have new or wiped devices purchased through Apple Business Manager.
- Add purchase information under the device management settings in Apple Business Manager.
- If you don’t have an Intune subscription, sign up for a free trial account.
Step 1: Add MDM Server
In this step, you’ll create an MDM server profile for Microsoft Intune in Apple Business Manager. The token you download will enable the connection between Microsoft Intune and Apple Business Manager.
- Sign in to the Microsoft Intune admin center.
- Navigate to Devices > By platform > iOS/iPadOS > Device onboarding > Enrollment.
- Select Enrollment program tokens.
- Click Add and agree to grant Microsoft permission to send user and device information to Apple.
- Select Download your public key to download the server’s public key certificate (.pem file) to your local drive. Apple encrypts the server token to this key, so the token you create in the following steps only works with the key you downloaded here; if you download a new key later, you must create a new token.
- Choose Create a token via Apple Business Manager and sign in with your company Apple ID. Important: Do not close the Microsoft Intune browser tab during this process. You'll return to it later.
- In Apple Business Manager, add an MDM server (e.g., TestMDMServer) and download the server token for it. For detailed instructions, refer to Link to a third-party MDM server.
- Save the server token locally as a P7M file (.p7m), then continue to Step 2.
Step 2: Assign Devices
Next, assign devices to the MDM server (e.g., TestMDMServer) in Apple Business Manager. Follow the instructions in the Apple Business Manager User Guide to assign, reassign, or unassign devices.
Once devices are assigned, proceed to Step 3.
Step 3: Upload MDM Server Token
- Return to the Microsoft Intune admin center.
- Upload the server token you saved earlier:
- Enter the Apple ID used to create the token.
- Under Apple token, upload the server token (P7M file).
- Click Next.
- Optionally, apply scope tags to control admin access (see Use role-based access control (RBAC) and scope tags for distributed IT for details).
- On the Review + create page, click Create to finalize linking Microsoft Intune and Apple Business Manager.
Intune then syncs with Apple Business Manager, and the devices you assigned should appear in the admin center within 12 hours. To sync immediately, select your token and choose Devices > Sync. Note that the server token expires one year after it is created; renew it in Apple Business Manager and upload the new token before then, or syncing and new automated enrollments stop working.
Step 4: Create an Apple Enrollment Profile
Now, create an enrollment profile for your corporate-owned iOS/iPadOS devices. This profile defines the settings that will be applied to devices during enrollment.
- Select your token in the admin center.
- Navigate to Profiles > Create profile > iOS/iPadOS.
- On the Basics page, enter the following (these details are for internal reference and won’t be visible to users):
- Name: TestProfile
- Description: Testing ADE for iOS/iPadOS devices
- Click Next.
On the Management Settings page, decide whether to enroll with or without User Affinity:
- Enroll with User Affinity: If the device is tied to a specific user, enabling User Affinity allows users to interact with the Company Portal for app installations and more.
- Enroll without User Affinity: For shared or multi-user devices, select this option.
If enrolling with User Affinity, choose an authentication method for users:
- Authenticate with Company Portal: The recommended option. Users sign in through the Company Portal app, which supports Microsoft Entra multifactor authentication and password management.
- Authenticate with Apple Setup Assistant (legacy): Users enter their credentials in Setup Assistant using Apple’s basic HTTP authentication, so the multifactor authentication available with the Company Portal option does not apply.
Decide whether to install the Company Portal app with VPP (Volume Purchase Program, now Apps and Books), which requires a VPP token, and whether to run it in Single App Mode until authentication is complete, so the device is locked to the Company Portal until the user signs in.
Under Device Management Settings:
- Set Supervised to Yes (recommended for corporate devices; required for locked enrollment).
- Set Locked enrollment to Yes so users cannot remove the management profile from Settings.
- Optionally, set a Device Name Template to customize the naming convention of devices.
Click Next, and on the Setup Assistant page, enter:
- Department Name (e.g., Tutorial department).
- Department Phone for user support.
For a streamlined experience, set all Setup Assistant screens to Hide so they are skipped during device setup. Then, click Next and Create.
Step 5: Assign Enrollment Profile to iOS/iPadOS Devices
To ensure devices are enrolled correctly, assign the enrollment profile to your devices:
- In the admin center, select your token.
- Go to Devices and select the devices you want to assign.
- Click Assign profile, then choose the profile you created and click Assign.
Important: Verify that the Device Type Restrictions under Enrollment Restrictions are correctly configured. Avoid blocking the iOS/iPadOS platform unless necessary, as this will cause automated enrollment to fail.
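The sync, profile creation and assignment from Steps 3 to 5 driven from PowerShell through the Microsoft Graph beta API, as an added example that is not part of the original tutorial or of Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK is installed, that Steps 1 to 3 were completed in the admin center so an enrollment program token named TestMDMServer exists, and that the profile name, support phone number and serial numbers are placeholders for your own values. The endpoint and property names follow the beta depOnboardingSetting and depIOSEnrollmentProfile resources; check them against the Graph reference before relying on them. The script also surfaces something the portal flow does not show at a glance: how long the token has before it expires.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
<#
Added example (not part of the tutorial): runs the Step 3 sync, the Step 4
profile creation and the Step 5 assignment with the Microsoft Graph beta API.
Assumptions: the Graph PowerShell SDK is installed, Steps 1-3 were completed
in the admin center, and $TokenName, $ProfileName, the support phone number
and $Serials are placeholders. Property names follow the beta
depOnboardingSetting / depIOSEnrollmentProfile resources; verify them against
the Graph reference before production use.
#>
param(
    [string]   $TokenName   = 'TestMDMServer',
    [string]   $ProfileName = 'TestProfile',
    [string[]] $Serials     = @('DMPPLACEHOLD1', 'DMPPLACEHOLD2')   # placeholder serial numbers
)

$base = 'https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings'
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All' -NoWelcome

# Locate the enrollment program token created in Steps 1-3 and check its remaining lifetime.
$dep = (Invoke-MgGraphRequest -Method GET -Uri $base).value |
    Where-Object { $_.tokenName -eq $TokenName } | Select-Object -First 1
if (-not $dep) { throw "No enrollment program token named '$TokenName'; complete Steps 1-3 first." }
$daysLeft = ([datetime]$dep.tokenExpirationDateTime - (Get-Date).ToUniversalTime()).Days
if ($daysLeft -lt 30) {
    Write-Warning "Token '$TokenName' expires in $daysLeft days; renew it in Apple Business Manager and re-upload it."
}

# Step 3: trigger a sync so the devices assigned in Apple Business Manager (Step 2) show up.
Invoke-MgGraphRequest -Method POST -Uri "$base/$($dep.id)/syncWithAppleDeviceEnrollmentProgram" | Out-Null
$known = (Invoke-MgGraphRequest -Method GET -Uri "$base/$($dep.id)/importedAppleDeviceIdentities").value |
    Select-Object -ExpandProperty serialNumber
$missing = $Serials | Where-Object { $_ -notin $known }
if ($missing) {
    Write-Warning "Not yet synced from ABM (check the Step 2 assignment): $($missing -join ', ')"
}

# Step 4: the same profile the tutorial builds in the admin center.
$profileBody = @{
    '@odata.type'                        = '#microsoft.graph.depIOSEnrollmentProfile'
    displayName                          = $ProfileName
    description                          = 'Testing ADE for iOS/iPadOS devices'
    requiresUserAuthentication           = $true   # enroll with User Affinity
    enableAuthenticationViaCompanyPortal = $true   # authenticate with Company Portal (MFA-capable)
    enableSingleAppEnrollmentMode        = $true   # lock the device to Company Portal until sign-in
    supervisedModeEnabled                = $true   # Supervised: Yes
    isMandatory                          = $true   # Locked enrollment: Yes (requires supervised)
    supportDepartment                    = 'Tutorial department'
    supportPhoneNumber                   = '+1 555 0100'   # placeholder support number
    # Setup Assistant screens set to Hide (assumed flag names; extend to the full list for your tenant)
    passCodeDisabled                     = $true
    locationDisabled                     = $true
    privacyPaneDisabled                  = $true
    appleIdDisabled                      = $true
    termsAndConditionsDisabled           = $true
    touchIdDisabled                      = $true
    applePayDisabled                     = $true
    siriDisabled                         = $true
    diagnosticsDisabled                  = $true
    screenTimeScreenDisabled             = $true
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$base/$($dep.id)/enrollmentProfiles" -Body $profileBody

# Step 5: assign the profile to the serial numbers that have synced. deviceIds are serial numbers.
$toAssign = @($Serials | Where-Object { $_ -in $known })
if ($toAssign.Count -gt 0) {
    Invoke-MgGraphRequest -Method POST `
        -Uri "$base/$($dep.id)/enrollmentProfiles/$($created.id)/updateDeviceProfileAssignment" `
        -Body @{ deviceIds = $toAssign } | Out-Null
}
"Profile '$($created.displayName)' ($($created.id)) assigned to $($toAssign.Count) device(s)."
```

Run it after Step 2 with an account that holds the DeviceManagementServiceConfig.ReadWrite.All permission. The expiry warning is worth keeping in a scheduled job on its own: an expired server token is the most common reason automated enrollment silently stops working a year after it was set up.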
Step 6: Distribute Devices to Users
Your devices now have an enrollment profile assigned and are ready for distribution; they enroll automatically the first time a user turns them on and completes Setup Assistant. Devices enrolled with User Affinity require that each user be assigned an Intune license. Once devices are distributed, users can complete the enrollment process.