Niklas Blog

Exploring Device Management.

Microsoft Intune and Apple Business Manager for iOS management

31 December 2023

Microsoft Intune and Apple Business Manager for iOS management

Microsoft Intune is Microsoft’s client and mobile device management system from the cloud. Together with the Apple Business Manager, this system offers a very convenient and modern solution for managing company-owned Apple devices.

So today I would like to explain what steps are necessary to link the two systems together

Registration process

At the beginning you have to register with Apple, for this you can go to https://business.apple.com/ and select „Register now“:

Some data is now requested here, including a DUNS number (more on this at https://developer.apple.com/support/D-U-N-S/), your own personal data and the personal data of a person with power of attorney to confirm registration on behalf of the company. Registration is free of charge, but must be confirmed by a person with power of attorney. The registration process may take a few days, after this is complete the person who registered will be given access to Apple Business Manager.

Setup and connection to Microsoft Intune

To link Apple Business Manager to Microsoft Intune. To do this, we create a new „MDM Server“ in the Apple Business Manager, which in this context is a link to Microsoft Intune (or another MDM system).

You can link an MDM system via „Add MDM Server“:

For this we need a public key from the MDM. With Microsoft Intune, this can be created under Devices -> iOS/iPadOS -> iOS/iPadOS enrollment -> Enrollment program tokens.

Here we then create the Apple Business Manager via „Add“ and create the token.

To create the ABM token, we now need to grant permissions to Microsoft and then download the public key from Intune.

After clicking on „Download your public key“ we switch back to the Apple Business Manager to be able to upload the key for the new MDM server.

Then we click on the „Save“ button to confirm the server link.

The server will now appear in Apple Business Manager.

Now we define the standard assignment of devices to this MDM server. To do this, we click on „Change…“ under „Default Device Assignment“:

In this step we now select the device types that we want to assign to Microsoft Intune by default. In order to link the Apple Business Manager in Microsoft Intune, we still have to download a token from the Apple Business Manager and upload it to Intune. We can find the token in Apple Business Manager, on the MDM server:

After the token has been downloaded, we need to upload it to Intune with the Apple Business Manager ID used:

After saving, the link is established. Now we still have to create a profile for the enrollment of iOS devices in Intune, which we use to control the iOS enrollment process.

INFO: The enrollment token expires every 365 days and must be renewed before it expires. If the token expires and was not renewed early, then the iOS devices must be rolled out again, since the old token can no longer be used and Intune no longer has any authority on the devices

Here we select „iOS/iPadOS“ under „Create profile“ to create a profile:

In this configuration we now need to create a few configurations.

Context and Authentication

In the first step, we choose the rollout to run in the user context. The user must register for this. As an alternative for kiosk devices, you can also choose an enrollment without registration, but the device is then not intended for individual users. For authentication to Microsoft Intune, we select the Company Portal as the authentication method. It is recommended to install this via a VPP so that it runs independently of the user Apple ID.

Management Options

The security can be defined under the management options. Here you should definitely set the iOS devices to „Supervised“ mode (specified when enrolling via the Company Portal). This brings advanced management capabilities to the iOS devices, which can be controlled via Microsoft Intune. The „Locked Enrollment“ switch can be used to prevent users from removing the management profile from a managed device. This should be done. In addition, you can prevent synchronization with other computers to prevent devices from being synchronized on computers or data from being copied unintentionally.

Device Nameing

Finally, you can define a template for naming the iOS devices, using variables for the serial number and the device type.

Setting up and using the Volume Purchase Program (VPP) for app deployment

The Volume Purchase Program (VPP) is used to buy apps in volume and to distribute them as managed apps from Microsoft Intune via the Apple Business Manager. The advantage of this is that the apps are purchased and updated via the Apple Business Manager ID without the need for the user’s Apple ID. In order to be able to use this function, you have to agree to the VPP conditions in the Apple Business Manager under „Apps and Books“ and then you can buy all apps from the Apple AppStore here. This also includes free apps. After signing up for the VPP in Apple Business Manager, you need to create a link in Microsoft Intune. This is done under Tenant administration -> Connectors and tokens -> Apple VPP Tokens. We give the token a name, add the ABM Apple ID used and upload the VPP token, which we can download from the Apple Business Manager, to Intune.

Then the token is automatically synchronized and VPP apps appear in Intune. We can now assign and use these apps.

VPP apps can be recognized by the type „iOS volume purchase program app“.

INFO: The VPP token expires after 365 days, you should renew the token before it expires so that apps can continue to be rolled out and updated. The renewal of the token can be done via Intune in the „Connectors and tokens“ area.

User Management

The Apple Business Manager comes with an administrator for setup. However, companies can create additional users with individual authorizations.

Below you will find the roles:

  • Administrator
  • People Manager
  • Device Enrollment Manager
  • Content Manager
  • Staff

These roles serve different purposes, the administrator can manage all aspects, while the other roles are used for individual tasks such as managing users, devices or apps. The Staff role is used to create employees in the Apple Business Manager, so you can create „Managed Apple IDs“. With this feature, companies have control over Apple IDs and can, for example, synchronize them with the Azure AD account and there is the option of managing the Apple IDs of the users.

Reseller Connection

In order to be able to use the potential after setting up the Apple Business Manager, you should authorize your reseller. For example, you can buy devices from Deutsche Telekom and integrate them as a reseller in your own Apple Business Manager. This gives Deutsche Telekom the opportunity to register purchased devices for its own company in the Apple Business Manager. These purchased devices are then sent to the MDM server via the Apple Business Manager during the initial setup and register in the company’s device management. Thereby you force a management and have an anti-theft device. If one of your own devices is stolen, it cannot be used because it would keep registering via the MDM and can no longer be used without authentication.

To register as a reseller, you must receive the „Reseller Number“ from your reseller and integrate it into your ABM:

As verification you need to give your „Organization ID“ to your reseller. You can find this in your ABM in the settings under „Enrollment Information“