This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.
By Marc Nahum Sr Program Manager | Microsoft Endpoint Manager - Intune
Any enterprise or education institution that owns iOS/iPadOS devices can take advantage of automatic enrollment to Intune, as well as the extra features and controls that Apple’s Automated Device Enrollment (ADE) - previously known as Device Enrollment Program (DEP) – provides.
When ADE was first introduced, only Apple resellers or telecom carriers were able to add devices to Apple Business Manager or Apple School Manager. However, since the release of iOS 11, Apple supports the ability to manually add iOS and iPadOS devices yourself with the Apple Configurator 2.5 (AC2) tool. This means that, regardless of where the device was purchased, you can benefit from using ABM or ASM.
This article will help IT pros and mobile device administrators understand the steps required to manually add iOS and iPadOS devices to Apple Business Manager or Apple School Manager, as well as enrolling them into the Intune service.
Note: Manually adding devices (new or old) is not supported for macOS. For these devices, the reseller must carry this out for you, no matter when they have been purchased.
Warning: The devices will be fully wiped during the process. This happens because Apple treats a device being in ABM as proof of ownership.
Before proceeding, there are some configurations, constraints, and restrictions to understand, after which the process is straightforward.
Prerequisites:
- A Mac device (desktop or laptop), running at least macOS Catalina (macOS 10.15.6 or later). This is mandatory as AC2 only runs on macOS.
- AC2 installed on the Mac from the App Store (Apple ID required). A version can be downloaded from the Apple developer site, but it requires an Apple developer membership account. This can be useful if you want to distribute the pkg with Intune on the Mac who will have to use it.
- Physical access to the iOS/iPadOS device, which must be connected to the Mac device running AC2. It must not have Apple’s “Find My” turned on (Activation Lock off).
- An ABM or ASM account with the role of “Device Enrollment Manager” assigned.
- A network profile in AC2 (steps detailed below) to allow the iOS or iPadOS device to connect to the Internet during the process.
- ABM or ASM configured with Microsoft Endpoint Manager as an MDM Server (Settings > Device Management Settings > Add MDM Server).
Preparing Apple Configurator:
There are a lot of options in AC2, so we will cover only the steps necessary to import the devices to ABM or ASM and assign them to the Microsoft Endpoint Manager MDM server. You can find full documentation from Apple here.
1. Creating a Wi-Fi profile
During the onboarding process, the device will need to connect to the internet. Therefore, it’s mandatory to have a Wi-Fi profile, which will allow it to automatically connect. The profile can be as complex as is required, but must not prompt the user for any action, or require a certificate to authenticate.
- In Apple Configurator go to the File menu and choose New Profile.
- Complete the Name of the profile in the mandatory General section.
- Complete the Wi-Fi section with your parameters.
- Once created, save it by clicking on the name on the top of the window. You can then close it and it will be used later.
2. Generate MDM Server URL for Microsoft Endpoint Manager
Note: This step is not mandatory, but it will create a trusted configuration and avoid any doubts that the URL is the proper one.
- Open Microsoft Endpoint Manager admin center.
- Select Devices, then navigate to Enroll devices > Apple enrollment > Apple Configurator.
- Select Profiles > Create.
- Complete all required fields with your desired configuration, then click Create.
- Select the profile you just created, then click Overview > Export Profile.
- Copy the Profile URL from the Setup Assistant Enrollment section on the right-hand side. This will be used later.
Connect the device to Apple Configurator
Important: The device will be fully wiped during this process.
If this is the first time you are connecting the device to the Mac, a pop up will appear asking for the Mac to be trusted, select Trust. Now the device is ready to be prepared.
- In Apple Configurator, select Prepare from the toolbar or by doing a secondary click on the picture of the device.
Screenshot of Apple Configurator 2 with an arrow pointing to the "Prepare" option
- The below settings must be selected:
- Manual Configuration.
- Add to Apple School Manager or Apple Business Manager.
- Allow devices to pair with other computers.
Do not select:
- Activate and complete enrollment.
- Enable Shared iPad.
Apple Configurator 2 - Prepare Devices" menu
- If this is the first time the operation is run on this Mac, you will have to create a “New Server” with the following details:
Name: “Microsoft Endpoint Management”
URL: The one created in the step “Generate MDM Server URL for MEM
Example URL: https://appleconfigurator2.manage.microsoft.com/MDMServiceConfig?id=<Intune_tenant_ID>&AADTenantId=<AAD_tenant_ID>
Apple Configurator 2 - "Define an MDM Server" menu
Note: If you decided to skip the step of creating the dedicated URL from the Intune portal, you can simply use “https://endpoint.microsoft.com” and acknowledge the warning “Unable to verify the enrollment URL” as per below:Apple Configurator 2 - "Define an MDM Server" menu with the warning text: “Unable to verify the enrollment URL”
- Add trust anchor certificate for MDM server.
- Select the one with the Microsoft or Azure name on the list (this should be appleconfigurator2.manage.microsoft.com or portal.azure.com or endpoint.microsoft.com)
- Select the one with the Microsoft or Azure name on the list (this should be appleconfigurator2.manage.microsoft.com or portal.azure.com or endpoint.microsoft.com)
- Attach the device to your organization.
- Next, authenticate to ABM/ASM with an account with the “Device Enrollment Manager” role assigned.
Apple Configurator 2 - Sign in to Apple School Manager or Apple Business Manager menu
-
If you did not set up the organization name, you will need to do that next. That Organization name will be displayed on the device.
-
The iOS setup assistant steps selected on the next screen are not important as they will be defined in Intune later.
-
Next, select the Network Profile previously created and, when prompted, enter your local password to initiate the process.
-
At this point, the device will be erased. When the device has restarted, steps in AC2 are complete.
- Next, authenticate to ABM/ASM with an account with the “Device Enrollment Manager” role assigned.
Log on your Apple management console
You now need to assign it to Intune in the ABM/ASM console. By default, it’s assigned to an MDM server configuration named “Apple Configurator 2”:
 Screenshot of an Apple iPhone 6 device in the ABM/ASM console |
 Screenshot of the ABM/ASM console with associated Apple devices |
| You can reassign 1 device by selecting that device and choosing: Edit Device Management > Assign to server and select the proper Intune one. |
You can reassign multiple devices by doing the same with filters and choose “Edit Device Management” > “Apple Configurator 2” |
Microsoft Endpoint Manager admin center
Once the device is assigned it will need to be synchronized. This occurs automatically every 12 hours or you can manually trigger the synchronization in Microsoft Endpoint Manager admin center:
- Navigate to Devices > Enroll devices > Apple Enrollment> Enrollment program tokens and select your token name.
- Navigate to Devices and click Sync.
Note: You can manually synchronize the devices from ABM/ASM to Intune at a maximum frequency of every 15 minutes.
At this point you should have successfully added your ADE device to Intune.
Let us know if you have any questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.