
Intune Apple Business Manager Setup: Complete Guide

Learn how to set up Apple Business Manager (ABM) integration with Intune for automated device enrollment of iOS and iPadOS devices, including token configuration and enrollment profiles.

By Ali Alame
Tags: intune, apple-business-manager, abm, ade, ios, ipados, automated-enrollment, dep

Apple Business Manager (ABM) integration with Microsoft Intune enables automated device enrollment for iOS and iPadOS devices purchased through Apple. This integration provides zero-touch enrollment, supervised mode, and streamlined device management for corporate-owned devices.

Understanding Apple Business Manager Integration

Automated Device Enrollment (ADE) with Apple Business Manager allows you to enroll corporate-owned iOS/iPadOS devices automatically. Devices purchased through Apple Business Manager can be configured to enroll in Intune automatically when users turn them on, without requiring manual enrollment steps.

Key Benefits

  • Zero-Touch Enrollment: Automatic enrollment during device setup
  • Supervised Mode: Enhanced management capabilities
  • Bulk Enrollment: Enroll large numbers of devices easily
  • Consistent Configuration: Standardized enrollment experience
  • Device Assignment: Assign devices to users automatically

For an overview, see Set up automated device enrollment (ADE) for iOS/iPadOS.

Prerequisites

Before setting up Apple Business Manager integration:

  1. Apple Business Manager Account: Active ABM or Apple School Manager account
  2. Apple MDM Push Certificate: Required for iOS/iPadOS enrollment
  3. Intune MDM Authority: Set Intune as MDM authority
  4. Device Purchase: Devices must be purchased through ABM
  5. Permissions: Intune Administrator role

Setting Up Apple Business Manager

Step 1: Download Intune Public Key

  1. Sign in to the Microsoft Intune admin center
  2. Navigate to Devices > By platform > iOS/iPadOS > Enrollment > Enrollment program tokens
  3. Select Create
  4. Select I agree to grant permissions
  5. Select Download your public key to download the .pem file
  6. Save the public key certificate

Step 2: Add MDM Server in Apple Business Manager

  1. Sign in to Apple Business Manager
  2. Navigate to Settings > MDM Servers
  3. Select Add MDM Server
  4. Enter server name (e.g., "Intune MDM Server")
  5. Upload the public key certificate (.pem file) downloaded from Intune
  6. Save the MDM server
  7. Download the server token (.p7m file)
  8. Save the token file

For detailed steps, see Get an Apple automated device enrollment token.

Step 3: Assign Devices to MDM Server

  1. In Apple Business Manager, navigate to Devices
  2. Select devices to assign
  3. Edit device management
  4. Select the MDM server you created
  5. Save changes

Note: Devices must be assigned to the MDM server in ABM before they can enroll in Intune.

Step 4: Upload Token to Intune

  1. Return to Intune admin center
  2. In the enrollment program token creation page:
    • Enter Apple ID used in ABM
    • Upload Apple token (.p7m file)
  3. Select Next
  4. Optionally apply scope tags
  5. Select Next
  6. Review and select Create

For step-by-step guidance, see Tutorial: Set up Microsoft Intune enrollment for iOS/iPadOS devices in Apple Business Manager.

Creating Enrollment Profiles

Step 1: Access Enrollment Profiles

  1. Navigate to Enrollment program tokens
  2. Select your token
  3. Go to Profiles tab
  4. Select Create profile

Step 2: Configure Profile Settings

Basics:

  • Name: Profile name
  • Description: Optional description

Device Management Settings:

  • Supervised: Enable supervised mode (recommended)
  • Locked enrollment: Prevent removal of management
  • Sync with Computers: Control computer sync

Device Naming:

  • Apply device name template: Yes/No
  • Name template: Use {{SERIAL}}, {{DEVICETYPE}}, etc.

Setup Assistant:

  • Department Name: Shown during activation
  • Department Phone: Support phone number
  • Setup screens: Show or Hide various screens

For detailed settings, see Step 4: Create an Apple enrollment profile.

Step 3: Choose Authentication Method

Options:

  1. Setup Assistant with modern authentication (recommended)
  2. Company Portal app
  3. Setup Assistant (legacy) (not recommended)

Company Portal Benefits:

  • Device wipe capability
  • Multifactor authentication
  • Password expiration handling
  • Microsoft Entra ID registration

Step 4: Assign Profile to Devices

  1. Navigate to Devices in enrollment token
  2. Select devices to assign
  3. Select Assign profile
  4. Choose enrollment profile
  5. Select Assign

Important: Ensure enrollment restrictions don't block iOS/iPadOS platform.

For details, see Step 5: Assign an enrollment profile to iOS/iPadOS devices.

Token Synchronization

Intune automatically syncs with Apple Business Manager:

  • Automatic sync: Every 12 hours
  • Manual sync: Available in token properties
  • Device sync: Devices appear in Intune after sync

Note: Devices can take up to 12 hours to appear after assignment in ABM.

Best Practices

1. Use Supervised Mode

  • Enable supervised mode for enhanced management
  • Provides additional management capabilities
  • Required for some advanced features
  • Recommended for corporate devices

2. Lock Enrollment

  • Enable locked enrollment
  • Prevents users from removing management
  • Maintains device compliance
  • Protects organizational data

3. Configure Setup Assistant

  • Hide unnecessary screens for smoother experience
  • Show only required screens
  • Provide department information
  • Guide users through setup

4. Use Modern Authentication

  • Prefer Setup Assistant with modern authentication
  • Use Company Portal when MFA is needed
  • Avoid legacy authentication
  • Enable Microsoft Entra ID registration

5. Test Before Production

  • Test with pilot devices
  • Verify enrollment flow
  • Test authentication
  • Validate profile assignment
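
The best practices above can be checked mechanically before devices ship. The following is an added example, not code from Intune or from this guide's author: it audits enrollment profile records for supervised mode, locked enrollment, authentication method and device assignment. The record keys and sample profiles are constructed for illustration and are not an Intune export format.

```python
# Constructed sample records; the keys are hypothetical, not an Intune schema.
PROFILES = [
    {"name": "Corp-iPhone", "supervised": True, "locked_enrollment": True,
     "auth_method": "setup_assistant_modern", "assigned_devices": 120},
    {"name": "Legacy-iPad", "supervised": True, "locked_enrollment": False,
     "auth_method": "setup_assistant_legacy", "assigned_devices": 14},
    {"name": "Kiosk-Pilot", "supervised": False, "locked_enrollment": False,
     "auth_method": "company_portal", "assigned_devices": 0},
]

# Methods the guide recommends; Setup Assistant (legacy) is deliberately absent.
ALLOWED_AUTH = {"setup_assistant_modern", "company_portal"}


def audit_profile(profile):
    """Return the list of best-practice deviations for one profile."""
    findings = []
    # A missing key is treated as the unsafe value, so gaps are reported.
    if not profile.get("supervised", False):
        findings.append("supervised mode is off")
    if not profile.get("locked_enrollment", False):
        findings.append("locked enrollment is off")
    if profile.get("auth_method") not in ALLOWED_AUTH:
        findings.append("legacy or unknown authentication method")
    if profile.get("assigned_devices", 0) == 0:
        findings.append("no devices assigned")
    return findings


def audit_all(profiles):
    """Map profile name -> findings, listing only profiles with deviations."""
    report = {}
    for profile in profiles:
        findings = audit_profile(profile)
        if findings:
            report[profile["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_all(PROFILES).items():
        print(f"{name}: " + "; ".join(findings))
```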

Troubleshooting

Common Issues

  1. Devices Not Appearing

    • Verify token is active
    • Check device assignment in ABM
    • Manually sync token
    • Wait for automatic sync
  2. Enrollment Fails

    • Check enrollment restrictions
    • Verify profile assignment
    • Review authentication method
    • Check device compatibility
  3. Token Issues

    • Verify token is not expired
    • Check token in ABM
    • Renew token if needed
    • Verify public key matches
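
The "Devices Not Appearing" and "Token Issues" checks can be turned into a triage routine built on the 12-hour sync interval described under Token Synchronization. This is an added example, not part of the original guide or of Intune: the token record, serial numbers and the 30-day renewal warning window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

SYNC_INTERVAL = timedelta(hours=12)  # automatic sync cadence stated in the guide
RENEW_WARNING = timedelta(days=30)   # assumption: how early to warn before expiry


def token_findings(token, now):
    """Check a token record (hypothetical keys: expires, last_sync)."""
    findings = []
    if token["expires"] <= now:
        findings.append("token expired: renew token")
    elif token["expires"] - now <= RENEW_WARNING:
        findings.append("token expires soon: schedule renewal")
    if now - token["last_sync"] > SYNC_INTERVAL:
        findings.append("last sync older than 12 hours: run a manual sync")
    return findings


def triage_missing(abm_assigned, intune_serials, now):
    """Split devices assigned in ABM but absent from Intune.

    abm_assigned maps serial -> time it was assigned to the MDM server.
    Devices assigned within one sync interval may simply not have synced yet.
    """
    result = {"wait": [], "investigate": []}
    for serial, assigned_at in sorted(abm_assigned.items()):
        if serial in intune_serials:
            continue
        recent = now - assigned_at <= SYNC_INTERVAL
        result["wait" if recent else "investigate"].append(serial)
    return result


# Constructed sample data for the demonstration.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
TOKEN = {"expires": NOW + timedelta(days=9),
         "last_sync": NOW - timedelta(hours=20)}
ABM = {"SERIAL-A": NOW - timedelta(days=2),
       "SERIAL-B": NOW - timedelta(hours=3),
       "SERIAL-C": NOW - timedelta(days=5)}
INTUNE = {"SERIAL-A"}

if __name__ == "__main__":
    print(token_findings(TOKEN, NOW))
    print(triage_missing(ABM, INTUNE, NOW))
```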


Conclusion

Apple Business Manager integration provides powerful automated enrollment capabilities for iOS/iPadOS devices. Follow these best practices:

✅ Use supervised mode for enhanced management
✅ Lock enrollment to prevent removal
✅ Configure Setup Assistant for smooth experience
✅ Use modern authentication methods
✅ Test thoroughly before production

Doing so lets you streamline device enrollment, reduce IT overhead, and provide a consistent enrollment experience for corporate iOS/iPadOS devices.

Remember: Devices must be purchased through Apple Business Manager and assigned to your MDM server in ABM before they can enroll in Intune. Always verify token status and device assignment before distributing devices to users.