Connecting Core to Apple Business Manager

This section covers enabling User Enrollment for Apple Business Manager:

Once you have completed the above steps, then you can proceed to:

For instructions on using Federated authentication, see the Apple Business Manager User Guide on the Apple website. A login is required.

Before you begin 

  • You must have an Apple Business Manager account. See business.apple.com.
  • Read User Enrollment with Apple Business Manager

Manage MDM Settings

You will need to make some settings on the MDM page.

Procedure 

  1. In the Admin portal, click Settings > iOS > MDM.

  2. Select the Enable User Enrollment check box and then click Save.

  3. Check that your certificate is valid. If not valid, on the MDM page, click the Install MDM Certificate button.

    The MDM Certificate Generation dialog box opens.

  4. Click Download Certificate Signing Request.

  5. Click Upload MDM Certificate.

    The Upload MDM Certificate dialog box opens.

  6. Browse to the certificate, select it and then click Upload Certificate.

Add the Server Token

Download the server token from Apple Business Manager.

Procedure 

  1. Log in to Apple Business Manager.
  2. Click Settings > Apps and Books.

  3. Download the server token for your location.

Create users to enable User Enrollment for local users and LDAP users

This section covers creating local and LDAP users and setting the User Enrollment for unsupervised Apple devices. User Enrollment will not work on supervised devices or devices enrolled in Apple’s Device Enrollment Program.

Procedure 

  1. In the Admin portal, go to Devices & Users > Users.

  2. Click Add > Local New User.

    Enter the new user information. For more information on how to create a user, see “Add New User window” in the Getting Started with MobileIron Core.

  3. Select a user and click Actions > Assign Roles.  

    The Assign Roles dialog box opens.

  4. Select Use Apple User Enrollment (For Apple unsupervised device only).

    A text field displays.

  5. Enter the Managed Apple ID for the user.

  6. Click Save.

Configure LDAP group members to inherit Apple User Enrollment Roles

You can configure LDAP group members to inherit Apple User Enrollment roles. This gives all the users in that group the Apple User Enrollment setting.

Before you begin 

Create your LDAP groups. For instructions, see “Configuring the set of LDAP groups” in Getting Started with MobileIron Core.

Procedure 

  1. In the Devices & Users > Users page, set the search criteria in the To field to: LDAP Entries and the Category field to: Authorized LDAP Groups. You can also choose different categories in your search.

    The search results display in the Users page.

  2. Select a group and click Actions > Assign Role(s).

    The Assign Roles dialog box opens.

  3. Select Use Apple User Enrollment (For Apple unsupervised device only) and add the email address for User Enrollment and Managed Apple ID. You can also use standard substitution variables, for example: [email protected]

    NOTE:

    Substitution variables are allowed for use with LDAP Groups only and not for LDAP Users.

Table 1. Supported substitution variables for User Enrollment

Substitution variable | More information | Sample of substituted value
--- | --- | ---
$USERID$ | Login ID (email address format) | [email protected]
$EMAIL$ | Email address | [email protected]
$EMAIL_DOMAIN$ | The domain part of the email address (part after the ‘@’) | myCompany.com
$EMAIL_LOCAL$ | The local part of the email address (part before the ‘@’) | jdoe
$FIRST_NAME$ | First name | Jane
$LAST_NAME$ | Last name | Doe
$DISPLAY_NAME$ | Display name | Jane Doe, CEO
$USER_DN$ | Distinguished Name | CN=Jane Doe,OU=NA,OU=Users,OU=XY,DC=myCompany,DC=com
$USER_UPN$ | The Microsoft userPrincipalName attribute | [email protected]
$USER_LOCALE$ | Locale | en_US
$USER_CUSTOM1$ | Custom field defined for LDAP | The value of the variable as defined in LDAP settings.
$USER_CUSTOM2$ | Custom field defined for LDAP | The value of the variable as defined in LDAP settings.
$USER_CUSTOM3$ | Custom field defined for LDAP | The value of the variable as defined in LDAP settings.
$USER_CUSTOM4$ | Custom field defined for LDAP | The value of the variable as defined in LDAP settings.
$CN$ | Common Name (CN) attribute extracted from the distinguished name | Jane Doe
$OU$ | Organizational Unit (OU) attribute extracted from the distinguished name | XY
$SAM_ACCOUNT_NAME$ | The Microsoft sAMAccountName attribute | jdoe
$REALM$ | The domain component of an LDAP entry | mycompany.com

  4. Click Save.

Managing users that belong to multiple groups

If a device user belongs to multiple groups (or nested groups) and a Managed Apple ID substitution variable is assigned to more than one of those groups, more than one option is available for that user and Core cannot determine which one to use. Core then creates an audit log entry (Logs > Audit Logs > filter by Managed Apple ID) with the error message: “More than one LDAP Group managed Apple ID option.”

To resolve this, assign the concrete Managed Apple ID for the specific LDAP user by using the following instructions.

Procedure 

  1. Go to the Devices & Users > Users page and set the following parameters:

    • To: LDAP Entities
    • Category: LDAP users
    • Search for: your LDAP user

  2. Select a user, click Actions > Assign Role(s).

    The Assign Roles dialog box opens.

  3. Select Use Apple User Enrollment (For Apple unsupervised device only) and add a unique email address for User Enrollment and Managed Apple ID.  

    NOTE:

    Apple ID substitution variables are not valid for individual users or local users. Use a valid, managed Apple ID, for example, [email protected]

  4. Click Save.
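The following is an added example, not MobileIron Core's code: it resolves the substitution variables from Table 1 against an LDAP entry and reproduces the multiple-group ambiguity described above. The LDAP entry, group names and Managed Apple ID templates are constructed; the attribute names used for the entry (mail, givenName, sn, memberOf and so on) are assumptions about how the directory exposes those values.

```python
import re

def dn_parts(dn):
    """Split a DN such as 'CN=Jane Doe,OU=NA,DC=myCompany,DC=com' into (attr, value) pairs
    (plain comma split; escaped commas inside values are not handled)."""
    return [tuple(p.split("=", 1)) for p in dn.split(",")]

def variables(entry):
    """Build the variable map from Table 1 for one LDAP entry (a dict of attributes)."""
    email = entry["mail"]
    local, domain = email.split("@", 1)
    parts = dn_parts(entry["dn"])
    ous = [v for a, v in parts if a.upper() == "OU"]
    return {
        "$USERID$": entry["userid"], "$EMAIL$": email,
        "$EMAIL_DOMAIN$": domain, "$EMAIL_LOCAL$": local,
        "$FIRST_NAME$": entry["givenName"], "$LAST_NAME$": entry["sn"],
        "$DISPLAY_NAME$": entry["displayName"], "$USER_DN$": entry["dn"],
        "$USER_UPN$": entry["userPrincipalName"], "$USER_LOCALE$": entry["locale"],
        "$CN$": next(v for a, v in parts if a.upper() == "CN"),
        "$OU$": ous[-1],  # the table's sample yields the last OU of the DN (XY)
        "$SAM_ACCOUNT_NAME$": entry["sAMAccountName"],
        "$REALM$": ".".join(v for a, v in parts if a.upper() == "DC").lower(),
    }

def substitute(template, vars_):
    """Replace every $NAME$ token; unknown tokens are left intact so they show up in output."""
    return re.sub(r"\$[A-Z0-9_]+\$", lambda m: vars_.get(m.group(0), m.group(0)), template)

def managed_apple_id(entry, group_templates):
    """Resolve a user's Managed Apple ID from the templates of the LDAP groups they belong to.
    Returns (apple_id, None), or (None, audit_message) when more than one group supplies
    a template, mirroring the audit log entry described above."""
    options = [t for g, t in group_templates.items() if g in entry["memberOf"]]
    if len(options) > 1:
        return None, "More than one LDAP Group managed Apple ID option"
    if not options:
        return None, "No LDAP group with the Apple User Enrollment role"
    return substitute(options[0], variables(entry)), None

JANE = {  # constructed LDAP entry modelled on the table's sample values
    "dn": "CN=Jane Doe,OU=NA,OU=Users,OU=XY,DC=myCompany,DC=com",
    "userid": "jdoe@myCompany.com", "mail": "jdoe@myCompany.com",
    "givenName": "Jane", "sn": "Doe", "displayName": "Jane Doe, CEO",
    "userPrincipalName": "jdoe@myCompany.com", "locale": "en_US",
    "sAMAccountName": "jdoe", "memberOf": ["Sales", "AllStaff"],
}
```

Assigning a template to only one of Jane's groups resolves cleanly; assigning templates to both Sales and AllStaff reproduces the audit log condition, which is resolved by giving that user a concrete Managed Apple ID as in the procedure above.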

Match the Location and the Account

In order for User Enrollment to work in Core, the Apple App License Account needs to be part of the same Apple Business Manager account. Within Apple Business Manager, if you have an account listed in Locations, you need Apps and Books matched to the same location. You may need to add a new location (for example, West Coast).

NOTE:

Apple may change their Apple Business Manager software without notice.

Procedure 

If you have an Apple license account (VPP from Apple Business Manager) that is in the same Apple Business Manager account as the Managed Apple IDs that you will be using, you can skip steps 2 and 3.

  1. Go to Apple Business Manager and log in.

  2. In Apple Business Manager, go to Settings > Apps and Books.

  3. Add a New Location, enter in the information and then click Save.

    NOTE:

    It may take several minutes for the new location to display.

  4. Go to Accounts and search for the user name.

  5. Select the user and click Edit.

  6. Give the user Content Manager permissions for the (new) location, for example, West Coast.

  7. Sign out of Apple Business Manager to allow the permissions to take effect. It is recommended you wait several minutes before going to the next step.
  8. Log into Apple Business Manager.
  9. Go to Locations and confirm the new location is displaying.

Distribute apps to Apple Business Manager devices

You can search for iOS apps on the Apple App Store and add them to the App Catalog for distribution to Apple Business Manager devices. You can also add your own in-house apps for iOS and macOS.

For more information, see “Importing licensed apps from Apple Licenses account” in the MobileIron [email protected] Guide.

NOTE:

Apple User Enrolled devices will not report unmanaged apps and are unable to convert an unmanaged app to a managed app. Please adjust compliance actions accordingly.

Before you begin 

Purchase your apps in Apple Business Manager.

Procedure 

Now you need to import the apps you just purchased into Core.

  1. In the Admin portal, go to Apps > Apple Licenses.

  2. Select the account name and then click Actions > Update licenses.

    The Update licenses dialog box opens.

  3. Select the applications you wish to import into Core and then click Import. It may take a few minutes to import into Core.

  4. Go to Apps > App Catalog and import the apps.

  5. Select a newly-imported app, for example, MobileIron [email protected], and then click Actions > Manage Licenses.

    The License Summary page displays.

  6. Click on the link of the license.

    The detailed license page displays.

  7. In the License Label management section, click Apply To labels.

    The Apply to Labels dialog box opens.

  8. Select the desired label and click Apply.

    NOTE:

    For License Type, it does not matter which option you select (user-based or device-based), it will always be a user-based license when the device was registered with Apple User Enrollment. If this app is shared with other types of enrollment, device-based would be the suggested setting so that your device user will not need to enter their iTunes/Apple credentials before installing the app.

From here, you can take optional actions:

  • Install apps – see “Using the wizard to import iOS apps from the Apple App Store” in the MobileIron [email protected] Guide.
  • Apply labels – see “Managing Labels” in Getting Started with MobileIron Core.

Configuration settings for Apple Business Manager User Enrollment

This section covers additional configuration settings required for Apple Business Manager User Enrollment: VPN and Wi-Fi.

VPN for User-enrolled devices

User Enrolled devices can only have Per-App VPNs; VPNs configured for the whole device are no longer supported on them. It is recommended that you create one or more VPN configurations specifically for User Enrollment. Whenever the app is installed, the appropriate VPN configuration is then installed automatically along with it.

It is recommended that when assigning labels to VPN configurations, the labels should not include devices that are User Enrolled. Using a filter label, you can filter out user enrolled devices by setting in the filter:

“ios.apple_user_enrolled_device”= false

Procedure 

The below steps ensure when the app is installed on the user device, the appropriate VPN configuration will also be automatically installed.

  1. Follow the instructions in Managing VPN Settings to set up a new VPN. Be sure to select Per App VPN as part of your configuration.

  2. Go to Apps > App Catalog.

  3. Click the link of an app and then click Edit.

  4. In the Per-App VPN Settings section, select the newly-created VPN and move it to the panel on the right.
  5. Click Save.

From here, you can optionally apply a label to your Apple license. See “Applying an Apple license label to an app” in the MobileIron [email protected] Guide.

NOTE:

MobileIron recommends that administrators modify labels for VPN configurations to exclude User Enrolled Devices if the VPN is not supported on User Enrollment. This can be done using the device detail “ios.apple_user_enrolled_device” and including it in the label definition, e.g.: AND “ios.apple_user_enrolled_device” = true
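The following is an added example, not MobileIron Core's code: it models label criteria being ANDed over device records, using the “ios.apple_user_enrolled_device” device detail from the filter above, and lints VPN assignments so that a device-wide VPN configuration never lands on a User Enrolled device. All device, label and VPN records are constructed, and “common.platform” is an assumed field name used only for illustration.

```python
UE_ATTR = "ios.apple_user_enrolled_device"  # device detail field named in the text above

def label_matches(criteria, device):
    """A label's criteria are ANDed: every (field, value) pair must equal the device's field."""
    return all(device.get(field) == value for field, value in criteria.items())

def devices_in_label(criteria, devices):
    """Names of the devices a label with these criteria would include."""
    return [d["name"] for d in devices if label_matches(criteria, d)]

def vpn_misassignments(vpn_configs, labels, devices):
    """Return (vpn name, device name) pairs where a device-wide VPN configuration would be
    pushed to a User Enrolled device, which can only take Per-App VPN; per-app configs pass."""
    hits = []
    for vpn in vpn_configs:
        if vpn["per_app"]:
            continue
        for dev in devices:
            if label_matches(labels[vpn["label"]], dev) and dev.get(UE_ATTR) is True:
                hits.append((vpn["name"], dev["name"]))
    return hits

# Constructed records; "common.platform" is an assumed field name for illustration.
DEVICES = [
    {"name": "iPhone-UE", "common.platform": "iOS", UE_ATTR: True},
    {"name": "iPhone-MDM", "common.platform": "iOS", UE_ATTR: False},
]
LABELS = {
    "All iOS": {"common.platform": "iOS"},
    "iOS not User Enrolled": {"common.platform": "iOS", UE_ATTR: False},  # the filter above
    "iOS User Enrolled": {"common.platform": "iOS", UE_ATTR: True},
}
VPNS = [
    {"name": "Corp VPN (device-wide)", "per_app": False, "label": "All iOS"},
    {"name": "Corp VPN (device-wide, restricted)", "per_app": False, "label": "iOS not User Enrolled"},
    {"name": "Salesforce Per-App VPN", "per_app": True, "label": "iOS User Enrolled"},
]
```

Only the device-wide configuration attached to the unrestricted “All iOS” label is reported; adding the “ios.apple_user_enrolled_device” = false criterion to the label removes the finding.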

Wi-Fi Policy for user-enrolled devices

You need a Wi-Fi policy specifically for user-enrolled devices.

  1. In the Admin portal, go to Policies & Configs > Policies.

  2. Click Add New > Wi-Fi.

    The New Wi-Fi Setting dialog box opens.

  3. Enter the information. In the Proxy Type field, select Auto. This is the only proxy type that can be used for user-enrolled devices.

    For more information about Wi-Fi, see Wi-Fi settings.

Device user instructions for registering using User Enrollment

This section addresses the actions the device user needs to take for registering Apple User Enrollment. The below steps will work with any app your company purchased – the example app used is the MobileIron client app, [email protected]

Procedure 

  1. On the iOS device, open Safari (never Chrome) and type in the URL for [email protected]: registrations.company.com/go.
  2. The [email protected] login displays. The device user is to log in using their MobileIron local user or LDAP credentials.

    The registration page displays with a message saying the profile was downloaded.

    NOTE:

    You must complete registration within 10 minutes or you will have to start registration process over.

  3. Tap Settings. The Settings page displays.

  4. Tap Enroll in [Your Company Name].

  5. The User Enrollment page displays.

  6. Tap Enroll My iPhone.

    If you tap Cancel and Delete Profile, you will have to start the registration process all over again.

  7. You will be presented with a login for either Apple or your Federated account. Enter the password for your Managed Apple ID. (The Managed Apple ID will be listed at the top of your login page.) 
  8. You may be presented with the option to stay signed in, make a selection.

  9. A page displays stating the “Enrollment is Successful.”

Using Logs for Troubleshooting

To troubleshoot errors or issues for a User Enrolled device, start by reviewing the device MDM logs.

Procedure 

  1. In the Admin portal, go to Devices & Users > Devices.

  2. Click on the device to open up the Device Details page.

  3. Select the Logs tab.

    A list of available logs display.

  4. Select the MDM Activity link to display the list of MDM actions performed on the device.

  5. From the MDM Activity page, you can filter the actions based on a date range, the state of the action (for example, Error) or the action itself (for example, Install Managed Application.)

    If the action is in the Error state, a View Error link displays. Click this link to see more details about the error.

View reports on devices

You can see a report on devices by selecting the device, clicking the Log tab and then clicking the MDM Activity link.

Activation Error

Errors occur when the device is supervised. Users cannot use a supervised device for User Enrollment. There is no remedy for this as supervised devices cannot be used with User Enrollment.

App fails to install (AppAlreadyInstalled)

The most common Install Managed Application error is AppAlreadyInstalled. This error occurs when the device has the app installed in the private space. Since the MDM service is unable to see private apps and is unable to convert the app to managed, an Install Managed Application command sent for an already-installed app will get this error message.

Procedure 

  1. Instruct the device user to remove the app from the device.
  2. Instruct the device user to tap “Install” for the app within [email protected]

Procedure (Alternate)

Alternatively, you can send a new installation request to the device for that application.

  1. Navigate to Apps > App Catalog.

  2. Select the check box next to the app.
  3. Click Actions and select Send Installation Request.

  4. Select the option to Send request for new installations.
  5. Under Actions, choose Select devices to send message and then click Apply.

  6. Search for the device, select the check box and then click Send.