How to add devices to Apple Business Manager (ABM)?

Mobile Device Manager Plus MSP enables IT admins to integrate and add devices to Apple Business Manager (ABM) to simplify the bulk onboarding of devices in the organization. This document provides the steps to manage devices using Apple Business Manager.

What is Apple Business Manager?

Apple Business Manager (ABM) is a free Apple portal that enables enterprises to simplify and automate the bulk management and deployment of corporate-owned Apple devices, including iOS, iPadOS, macOS, and tvOS devices. Alongside Apple Business Manager (ABM), Apple also offers Apple School Manager (ASM), a dedicated service for schools that simplifies the management of Apple devices used for education, while Apple Business Manager is generally used by enterprises and business organizations.

Apple Business Manager (ABM) was previously known as the Apple Device Enrollment Program (Apple DEP), and users could automatically or manually add devices to Apple DEP for over-the-air management.

Prerequisites

Ensure the following prerequisites are met to enroll Apple devices using Apple Business Manager (ABM) enrollment:

  • Apple Business Manager must be available in your country. Find the list of countries where ABM is supported here.
  • The devices must be purchased from Apple or its authorized resellers. You can view the list of Apple’s preferred resellers here.

For devices purchased neither directly from Apple nor from its authorized resellers, you can still add them to Apple Business Manager (provided they are running, or are capable of running, iOS 11.0 or later) as explained here.

NOTE: The steps mentioned in this document are also applicable to the Apple School Manager portal.

How does Apple Business Manager (ABM) work?

The process of managing devices with Apple Business Manager starts when your organization purchases Apple devices from Apple or from Apple authorized resellers. You have to log into your Apple Business Manager account. If you already have an account with the Device Enrollment Program, you can migrate to Apple Business Manager by following the prompts available on your DEP portal. You then have to register MDM with the Apple Business Manager portal. Once you have registered the MDM server, secure communication is enabled between the MDM server and the Apple portal. This is used to synchronize the details of the devices purchased by your organization. When you find the devices synced from the Apple portal, you can assign them to users. Whenever the devices are activated, all restrictions and configurations imposed using MDM are automatically installed on all your devices over-the-air (OTA). By configuring ABM, you can ensure all the organization's devices are managed by MDM by default as soon as they are activated.

Apple Business Manager integration

If you do not have an ABM account, you can create one here. To know your DUNS number (which is one of the prerequisites), refer to this. You can also refer to this document to fully understand Apple Business Manager.

Benefits of Apple Business Manager (ABM) Enrollment

  • The device is Supervised, which means you have additional control over the device. For detailed information on Supervised Devices, refer to this.
  • The devices can never go unmanaged from MDM at any point, even if the device is factory reset.
  • Users can skip initial setup steps for a faster device activation.
  • Out-of-the-box enrollment ensures devices are ready for use immediately upon activation.

Check out this video for a detailed walkthrough of Apple Business Manager.

Integrating Apple Business Manager with MDM

After creating your organization's Apple ID and deployment account by following the steps mentioned in the ABM Program Guide, you need to carry out the steps outlined below to seamlessly enroll and manage your organization's corporate Apple devices in MDM using Apple Business Manager enrollment.

First, you need to link the MDM server to your organization's ABM account. For this:

  1. On the MDM server, navigate to Enrollment -> Apple -> Apple Enrollment (ABM/ASM).
  2. Download the MDM Public Key, which has to be uploaded to the Apple Business Manager portal.
  3. Sign in to the Apple Business Manager portal using your organization's managed Apple ID.
  4. Click on Settings -> Device Management Settings and navigate to Add MDM Server to create a virtual server on the portal.
  5. Enter a name for the server based on your organization's locations or departments.
  6. Upload the MDM Public Key downloaded earlier from MDM and click on Save.
  7. Click on Download Token to download the server token from ABM. Click on Download Server Token when prompted.
  8. Navigate back to your MDM console and add the Server Token under Upload Server Token.
  9. Specify the e-mail address to receive notifications regarding Server Token expiry.
  10. Click on Upload to complete the upload of the Server Token. You can configure the device activation settings as explained here.

Setting a default server

Using Apple Business Manager, you can automatically assign purchased devices to particular servers once they have been added to the portal. Additionally, you can select different servers based on the type of device being enrolled. It is recommended to assign different types of devices to different servers. All of these servers can be integrated and managed using MDM. To select a default server for a particular type of device:

  1. Select the required server from the list and click on Edit.
  2. Under Default Device Assignment, select the device type.
  3. Click on Apply to ensure all the devices added to the portal are assigned to this server.

How to add devices to Apple Business Manager portal?

One of the advantages of adding devices like iPhones, MacBooks and iPads to Apple Business Manager is that these devices can be enrolled without any user interaction. Learn how to add devices to ABM from the steps below.

There are two methods available to add devices into Apple Business Manager. IT admins can use any of the following methods to add devices to Apple Business Manager:

  • Adding reseller details to the ABM portal
  • Manually adding devices (iPhone/iPad) in the Apple Business Manager portal to MDM

Read on to find out how to add devices to Apple Business Manager using reseller details or manually.

Adding Reseller details into the ABM portal

To add devices to Apple Business Manager, the reseller details must be added to the ABM portal. Every time devices are then purchased from the same reseller, they are added to the ABM portal and, in turn, to the MDM server, because the ABM portal is integrated with the MDM server.

Note: On ABM, only the Administrator or Device Manager roles can add the reseller details.

  1. Log into ABM using your organization’s credentials. The option to add resellers is only available on the Device Manager’s console, apart from the Administrator’s console.
  2. Click on Settings -> Device Management Settings. Navigate to Customer Numbers to add your Apple Customer Numbers and ABM/DEP Reseller IDs.
  3. Click on Apply, to save the details.

How to manually add devices in Apple Business Manager to MDM?

After linking your MDM Server to the Apple Business Manager (ABM) portal, if you have devices purchased before integrating the portals, you can add devices to Apple Business Manager by following the steps mentioned below:

  1. On your Apple Business Manager portal, navigate to Devices.
  2. From the list of available devices, select the devices to be added and click on Edit Device Management.
  3. In the Assign to server field, select the MDM server configured earlier and click Continue.
  4. The Apple devices are now added to the MDM server automatically.

Device Activation Settings

On adding devices to MDM using Apple Business Manager enrollment, all the devices are enrolled successfully. Before the enrollment is complete, you have to configure the settings to be applied to the devices on device activation. You can create and apply these settings to all your devices at one go by following the steps mentioned below:

  1. On the MDM console, navigate to Enrollment -> Apple -> Apple Enrollment (ABM/ASM).
  2. Complete the required fields displayed under Device Activation Settings.

Device Activation Settings

  • Authenticate and auto-assign users on device activation (Applicable only for On-premises): If you want to automate the user assignment process, enable this option and select the group to which the device is to be added upon enrollment. This allows the users to assign devices to themselves, on device activation, using their Active Directory credentials.
  • Skip these configurations during device setup: During device activation, you are required to follow some initial setup steps. With MDM, you can optionally skip selective steps or completely skip the setup. Assuming your organization wants to prevent users from setting up Siri during the setup assistant process, you can do so by selecting Siri from the list of configuration settings provided. The list of configuration settings is given below.

The configurations are grouped into All devices, iOS, macOS, and tvOS.

All devices

  • Sign in with Apple ID and iCloud: Select to skip Apple ID and iCloud sign-in by the user during setup. This does not restrict the user from signing in once the device setup is completed.
  • Touch ID Setup: Select to skip Touch ID configuration during setup. The user can configure Touch ID later, after completing the device setup.
  • Diagnostics: Select to omit the user prompt to send diagnostic data to Apple during device setup.
  • Display Tone: Select to skip the Display Tone setup assistant screen during device setup.
  • Location Services: Select to disable Location Services during setup. If disabled, Location Services are turned off. The user can modify the location settings after completing the device setup.
  • Passcode: Select to prevent users from setting up a passcode during the setup assistant process. This can be skipped if a passcode profile is distributed through MDM.
  • Payment: Select to prevent users from setting up an Apple Pay account in the setup assistant. This does not restrict the user from configuring it once the device setup is completed.
  • Privacy: Select to omit the Privacy screen during the setup assistant process.
  • Restore backup from old device: Select to restrict the user from restoring an iCloud or iTunes backup to the device.
  • Terms and Conditions: Select to disable the Terms and Conditions step during device setup. If disabled, the Terms and Conditions are accepted by default.
  • Siri: Select to restrict the user from configuring Siri during device setup. If restricted, Siri is turned off. This does not restrict the user from configuring it once the device setup is completed.
  • Zoom: Select to omit the Zoom functionality step during device setup.

iOS

  • Restore from Android device: Select to prevent users from restoring a backup from an Android device.
  • Keyboard Selection: Select to prevent users from choosing a keyboard type during device setup.
  • Home Button Sensitivity: Select to allow users to enroll devices without configuring the Home button sensitivity during setup.
  • iMessage and FaceTime: Select to skip the iMessage and FaceTime prompt during the setup assistant process. This does not restrict the user from configuring them once the device setup is completed.
  • New feature highlights: Select to skip the onboarding informational screens for user education during the setup assistant process ("Cover Sheet, Multitasking & Control Center", for example).
  • Screen Time: Select to skip informing users about Screen Time during device setup.
  • Mandatory software updates: Select to skip the mandatory software update screen during the setup assistant process.
  • Watch Migration: Select to prevent users from viewing the Watch Migration options during device setup.
  • Appearance: Select to skip the Choose Your Look screen during Mac setup.

macOS

  • FileVault: Select to prevent users from configuring FileVault during device setup. It is recommended to configure and distribute a FileVault encryption profile through MDM.
  • iCloud diagnostics: Select to omit the user prompt to send diagnostics to iCloud during device setup.
  • iCloud storage: Select to skip the iCloud Documents and Desktop screen during device setup.
  • Apple Registration: Select to restrict the user from registering the device with Apple during setup.

tvOS

  • Screensaver: Select to allow users to enroll a tvOS device without configuring a screensaver. This does not restrict the user from configuring it once the device setup is completed.
  • Tap to Setup: Select to skip the option of setting up the Apple TV using an associated iOS device (the user needs to enter the account information and settings choices separately).
  • Home screen layout sync: Select to prevent users from toggling the TV home screen layout sync during device setup.
  • TV Provider Sign-In: Select to prevent users from signing in to a TV provider during setup.
  • Where is this Apple TV? screen: Select to omit the Where is this Apple TV step on tvOS devices during setup.

Mac Account Settings

As imaging for deploying Mac devices has been stopped by Apple, MDM provides a quicker and more efficient means of deployment by automating the creation of a local admin account on device activation. The local admin account created on the device has the following benefits:

  • Device maintenance is simplified as security checks and device audits can be carried out without user intervention and during non-work hours, thereby preventing loss of productivity.
  • The admin can install, update and also remove system configurations.
  • Troubleshooting system issues and user account problems, becomes easy and quick. In case of forgotten password, the admin can assist the users by resetting the password.
  • User accounts can be added and removed as and when required. For instance, the user account of the employee who leaves the organization can be removed from the corporate device and a new account created, before handing over the device to the next employee.

To configure a local admin account, enable Mac Account Settings and fill in the required fields, which are described below.

  • Display Name: Specify a name for the local admin account to be created on the Mac device.
  • Username: Specify a username to identify the account.
  • Password: Set a password for the admin account; it can be changed later when needed.
  • Hide admin account: You can optionally hide the local admin account on the Mac device if you do not want users to see the account while you assist them. Enabling this hides the admin account on the login screen and elsewhere on the device. Hiding the account keeps it away from prying eyes.
  • Allow users to create additional accounts on activation: You can configure the type of user account created on Mac machines. The privileges of the Standard account type include installing apps at the user level and modifying the user's own settings. Standard account users cannot add other users or modify other users' accounts. If Administrator is chosen, the user can add and manage other users, install apps at both the system and user level, and modify settings.

Click Create.
Now, the configurations and settings get applied to the devices.

Syncing Devices

After creating the ABM profile and applying it to devices, you can choose to Sync Devices by navigating to Enrollment -> Apple -> Apple Enrollment (ABM/ASM). On syncing, all devices are automatically listed on the MDM console.

Only when the devices are activated by the users is the enrollment process complete; the devices are then listed under Enrollment -> Devices.

If the devices are not new, they must be factory reset in order to be configured using ABM.

Assign Users to Devices

You can assign all the devices to individual users manually by navigating to Enrollment -> Apple -> Apple Enrollment (ABM/ASM) -> Devices. The alternate and easier option is to add users through a CSV file. You can also automate user assignment if you are using the on-premises MDM version. Automated user assignment ensures the users are authenticated and self-assigned when the device is enrolled. This option must be enabled when ABM is configured; if ABM is already configured, you can enable the option from the ABM settings. The only prerequisite is that Active Directory must be configured in MDM. When enrolling the device using ABM auto-assignment, the user name provided on the device must be in the format: domain name\user name.

While assigning the users to devices, these devices can also be added to groups to automate the distribution of apps, profiles, and documents to devices.
The devices can also be simultaneously added to multiple groups while assigning users.

Sample CSV Format

USER_NAME,EMAIL_ADDRESS,GROUP_NAME

ANDREW,[email protected],zylker_drivers

NOTE

  1. The fields User Name and Email Address are mandatory. Group Name is an optional field. Ensure the specified group name is already created in the MDM server. If values are not provided, default values are taken.
  2. If multiple groups are specified, the group names must be separated with a slash (/).
  3. The first line of the CSV is the column header and the columns can be in any order.
  4. Blank column values should be comma-separated.
  5. If the column value contains a comma, it should be specified within quotes.
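The CSV rules above are easy to get wrong by hand (a group that does not exist yet, a user name containing a comma that was not quoted, a blank mandatory column). The following validator is an added example, not part of Mobile Device Manager Plus: it applies the rules exactly as the note states them, so a bulk file can be checked before it is uploaded. The sample rows and the set of "existing" groups are constructed for the example.

```python
"""Validator for the user-assignment CSV described under "Sample CSV Format".

Added example, not part of Mobile Device Manager Plus. It implements the rules the
page states: USER_NAME and EMAIL_ADDRESS are mandatory, GROUP_NAME is optional and
must name a group that already exists on the MDM server, the header row may list the
columns in any order, multiple groups are separated with a slash, blank values are
still comma-separated, and a value containing a comma must be quoted. The sample
rows and the set of existing groups below are constructed for the example.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import List, Set

REQUIRED_COLUMNS = ("USER_NAME", "EMAIL_ADDRESS")
OPTIONAL_COLUMNS = ("GROUP_NAME",)
GROUP_SEPARATOR = "/"


@dataclass
class Assignment:
    user_name: str
    email: str
    groups: List[str] = field(default_factory=list)


@dataclass
class ValidationReport:
    assignments: List[Assignment] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def parse_assignments(text: str, existing_groups: Set[str]) -> ValidationReport:
    """Parse and validate the CSV; rows that break a rule are reported, not imported."""
    report = ValidationReport()
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        report.errors.append("empty file: the first line must be the column header")
        return report

    # The header may list columns in any order; match names case-insensitively.
    header = [h.strip().upper() for h in rows[0]]
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        report.errors.append(f"header is missing mandatory column(s): {', '.join(missing)}")
        return report
    unknown = [h for h in header if h not in REQUIRED_COLUMNS + OPTIONAL_COLUMNS]
    if unknown:
        report.errors.append(f"header has unknown column(s): {', '.join(unknown)}")
        return report
    col = {name: header.index(name) for name in header}

    for lineno, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            continue  # ignore completely blank lines
        if len(row) != len(header):
            # Blank optional values must still be present as empty comma-separated fields.
            report.errors.append(
                f"line {lineno}: expected {len(header)} comma-separated values, got {len(row)}"
            )
            continue
        user = row[col["USER_NAME"]].strip()
        email = row[col["EMAIL_ADDRESS"]].strip()
        if not user or not email:
            report.errors.append(f"line {lineno}: USER_NAME and EMAIL_ADDRESS are mandatory")
            continue
        groups: List[str] = []
        if "GROUP_NAME" in col:
            raw = row[col["GROUP_NAME"]].strip()
            groups = [g.strip() for g in raw.split(GROUP_SEPARATOR) if g.strip()]
            absent = [g for g in groups if g not in existing_groups]
            if absent:
                report.errors.append(
                    f"line {lineno}: group(s) not created on the MDM server: {', '.join(absent)}"
                )
                continue
        report.assignments.append(Assignment(user, email, groups))
    return report


# Constructed sample input: columns deliberately in a different order than the page's
# sample, one quoted value containing a comma, one blank optional value, and two bad rows.
SAMPLE_CSV = """EMAIL_ADDRESS,USER_NAME,GROUP_NAME
andrew@example.com,ANDREW,zylker_drivers
bella@example.com,BELLA,zylker_drivers/zylker_sales
carl@example.com,"Carl, Jr.",
dave@example.com,DAVE,no_such_group
,ERIN,zylker_sales
"""

# Constructed: groups assumed to already exist on the MDM server.
EXISTING_GROUPS = {"zylker_drivers", "zylker_sales"}

if __name__ == "__main__":
    result = parse_assignments(SAMPLE_CSV, EXISTING_GROUPS)
    for a in result.assignments:
        print(f"OK   {a.user_name:<10} {a.email:<20} groups={a.groups}")
    for e in result.errors:
        print(f"FAIL {e}")
```

Rows that fail a rule are reported with their line number and excluded, while valid rows are returned as structured assignments; this mirrors the behaviour an admin wants from a pre-upload check, where one bad row should not silently drop a whole batch.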

Supervision Identity Certificate

The Supervision Identity contains the identity of the organization that manages the device and is therefore unique to every organization. This identity is associated with supervised devices during enrollment via ABM/ASM. A host Mac that has the matching supervision identity certificate installed is considered a supervising Mac, and USB access to supervised devices is restricted to supervising Macs only. Installing the supervision identity certificate on a Mac therefore lets you authenticate and trust that machine, allowing you to securely pair iOS/iPadOS devices enrolled using ABM with it even when USB pairing is restricted on the devices.

Steps to download Supervision Identity Certificate

  1. On the MDM Console, navigate to Enrollment -> Apple Enrollment (ABM/ASM).
  2. In the Settings tab, click on Download under Supervision Identity Certificate.
  3. Once downloaded, you can import the certificate to Keychain Access.

Steps to import Supervision Identity Certificate

  1. Open the Keychain Access app on a host Mac machine to which you want to pair the devices and click on File -> Import Items.
  2. Select the certificate and click Open.
  3. Enter the password displayed on the console while downloading the certificate.

You have now successfully imported the certificate to your Mac machine and the imported certificate will be listed under My Certificates in Keychain Access app.

Regenerating Supervision Identity Certificate

Once the supervision identity is associated with a device, it cannot be changed later. Hence, the devices will need to be erased and re-enrolled if you regenerate the certificate. Before regenerating, download and keep a backup of the existing certificate so that you can still pair your currently managed devices with Mac machines. Only the devices enrolled after regenerating the certificate can be paired using the new certificate.

Steps to regenerate Supervision Identity Certificate

  1. On the MDM Console, navigate to Enrollment -> Apple Enrollment (ABM/ASM).
  2. In the Settings tab, click on Regenerate under Supervision Identity Certificate.
  3. Once regenerated, you can import the certificate to Keychain Access as explained above.

Remove Devices from the ABM portal

To unmanage a device, the admin must remove the device from the MDM server. Once the device is removed from the MDM server, it is automatically removed from the ABM portal.

Devices that are enrolled with one ABM account cannot be enrolled in another. Therefore, these devices must be removed from the first ABM account before enrolling them into another. Follow the steps given below to remove the devices from the ABM portal.

  1. Log into the ABM portal and click on Devices.
  2. From the list of available devices, select the device to be unassigned and click on Edit Device Management -> Unassign. If you are removing multiple devices, you can upload a CSV file with the device details. This unbinds the device from this ABM account.

Apple Business Manager Unassign vs Release

To remove devices, always select Unassign device and not Release device. Release device should be used only if the device is lost or permanently damaged and will never be part of any workforce. Releasing a device is a non-reversible action: once disowned, the device can never again be part of an organization.

Troubleshooting Tips

  1. After logging in to the Apple Business Manager (ABM) portal, you are unable to view the Add MDM Server button.

    The option to add MDM servers is available only when you have the Device Manager role assigned to you. Make sure the administrator has assigned
    the Device Manager role to you. Also, check if the admin has agreed to Apple’s terms and conditions. To learn more about role management and the difference between roles in ABM and other Apple Deployment Programs, refer to Roles in ABM user guide.

  2. MDM server is not able to contact ABM to sync devices.

    Check if mdmenrollment.itunes.apple.com is allowed along with other domains and ports listed here. Also, verify the availability of the required Apple services.

  3. Even after a successful sync, the device is not listed in the MDM server under Enrollment -> Apple -> Apple Enrollment (ABM/ASM) -> Devices.

    Check if the device has been enrolled in the MDM server using an enrollment method other than ABM. Remove the device from management, reset the device and sync again with the server. The device is then listed under Enrollment -> Apple -> Apple Enrollment (ABM/ASM) -> Devices.

  4. During device activation, you encounter the error message “The configuration can’t be downloaded. The configuration is not available”.

    Check your network connectivity. Also, check if the MDM server is reachable using the browser of another device in the same network.

  5. During device activation, you encounter the error message “Cancelled”.

    Check your network connectivity. You can also try restoring the device which re-downloads the configurations. Once the device is restored, try enrolling it again.

  6. During device activation, you encounter the error message “NSURLErrorDomain error -1012”.

    Check your network connectivity. Also, check if the server certificate was copied correctly to the forwarding server while configuring it.

  7. During device activation, you encounter the error message “A server with the specified hostname could not be found.”.

    Check your network connectivity. Also, check if the MDM server is reachable using the browser of another device in the same network. If not, make the required changes to the server’s NAT settings.

  8. While adding devices to the Apple Business Manager portal you encounter the error “NOT_ACCESSIBLE”.

    This error is shown if the device is either not eligible for ABM enrollment or is either already enrolled or owned by another organization. Add the device to the correct ABM portal based on the device owner.

  9. While adding devices to the Apple Business Manager portal via Apple Configurator you encounter the error ‘Provisional enrollment failed’.

    This error is shown if the device is unable to contact the ABM server. Factory reset the device and proceed until the Wi-Fi configuration step. Prepare the device using Apple Configurator and follow the steps for adding it to ABM.

  10. Why are my devices not listed under the Apple Business Manager (ABM) tab when I add them to ABM using Apple Configurator?

    When devices are enrolled in ABM using Apple Configurator, they are initially listed under the Apple Configurator tab even though they have been added to the ABM portal. When the user assignment is complete, these devices are moved to the Managed devices tab.

  11. You encounter the error “Technician removed from ABM server”.

    If the technician who created the ABM server is removed from the MDM console, a new technician must be assigned to the ABM server in order to continue enrolling devices via ABM.

    • To assign a new technician, in the Apple Enrollment tab, click on Servers and click on Modify Settings under Action for the respective server.
    • In the pop-up window, click on Modify without modifying any settings. This will assign the currently logged in user as the owner for the server.
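Tip 2 above comes down to whether the MDM server host can actually reach Apple's enrollment endpoint through the organization's egress firewall and proxy. The probe below is an added example, not a ManageEngine tool: it resolves and opens a TCP connection to the host the page names, mdmenrollment.itunes.apple.com, and classifies the outcome so the admin can tell a DNS problem from a firewall drop or a proxy refusal. Port 443, the classification hints, and the pluggable resolver/connector are assumptions made for the example; the endpoint list should be extended with the other domains and ports your vendor documents.

```python
"""TCP reachability probe for the Apple endpoint an MDM server must reach for ABM sync.

Added example, not part of Mobile Device Manager Plus. The page names
mdmenrollment.itunes.apple.com; port 443, the failure classification and the
injectable resolver/connector (which let the logic be exercised offline) are
assumptions. Run it on the MDM server host (or the forwarding server) so the
result reflects that host's firewall, proxy and DNS rules.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Endpoints to probe. Only the first host is named on the page; add the other
# domains and ports from your MDM vendor's allowlist as needed.
ABM_ENDPOINTS: Dict[str, int] = {"mdmenrollment.itunes.apple.com": 443}

Resolver = Callable[[str], List[str]]
Connector = Callable[[Tuple[str, int], float], object]

HINTS = {
    "ok": "reachable; if sync still fails, check the server token and Apple service status",
    "dns_failure": "name does not resolve: check DNS and proxy settings on the MDM host",
    "refused": "connection refused: a proxy or host firewall is rejecting this port",
    "timeout": "no answer: an egress firewall is likely dropping traffic to this host/port",
    "error": "unexpected socket error; see detail",
}


@dataclass
class ProbeResult:
    host: str
    port: int
    status: str  # one of the HINTS keys
    detail: str = ""

    @property
    def hint(self) -> str:
        return HINTS[self.status]


def default_resolver(host: str) -> List[str]:
    """Resolve a host name to its unique addresses using the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def default_connector(addr: Tuple[str, int], timeout: float):
    """Open a TCP connection; raises on refusal, timeout or other socket errors."""
    return socket.create_connection(addr, timeout=timeout)


def probe(host: str, port: int, timeout: float = 5.0,
          resolver: Resolver = default_resolver,
          connector: Connector = default_connector) -> ProbeResult:
    """Resolve then connect, mapping each failure mode to a status and remediation hint."""
    try:
        addrs = resolver(host)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return ProbeResult(host, port, "dns_failure", str(exc))
    try:
        sock = connector((host, port), timeout)
    except ConnectionRefusedError as exc:
        return ProbeResult(host, port, "refused", str(exc))
    except (socket.timeout, TimeoutError) as exc:
        return ProbeResult(host, port, "timeout", str(exc))
    except OSError as exc:
        return ProbeResult(host, port, "error", str(exc))
    close = getattr(sock, "close", None)
    if callable(close):
        close()
    return ProbeResult(host, port, "ok", f"resolved to {', '.join(addrs)}")


def probe_all(endpoints: Dict[str, int] = ABM_ENDPOINTS, **kwargs) -> List[ProbeResult]:
    """Probe every configured endpoint and return one result per host."""
    return [probe(host, port, **kwargs) for host, port in endpoints.items()]


if __name__ == "__main__":
    for r in probe_all():
        print(f"{r.host}:{r.port} -> {r.status}: {r.hint} {r.detail}")
```

A TCP connect that succeeds does not prove the TLS handshake or the server token are valid, which is why the "ok" hint points back to the token and Apple's service status; a timeout, by contrast, almost always means the traffic is being dropped before it leaves the network.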

Copyright © 2021, ZOHO Corp. All Rights Reserved.

ManageEngine