In previous articles, we discussed what Microsoft Intune is, why it is worth implementing in a modern company that wants a simple and secure way to enroll and control devices and company data, and how Apple devices can be managed with it.
Today, we focus on the enhanced mode of managing Apple devices through the Apple Business Manager (ABM) service. ABM additionally enables automated device enrollment and integrates easily with Microsoft’s MDM solution.
What is ABM?
Apple Business Manager is a web portal that helps IT administrators manage iPhone, iPad, and Mac devices. This portal works with third-party MDM solutions, enabling easy and bulk purchase of content and licenses.
To automatically add devices to the Apple Business Manager service, the following conditions must be met:
- If the device was purchased directly from Apple, the buyer must use a registered and verified Apple customer ID.
- If the device was purchased directly from a participating Apple-authorized reseller or mobile operator, the device must be linked to that reseller’s ID.
- The device must have been ordered after March 1, 2011, regardless of whether it was purchased directly from Apple, an authorized Apple reseller, or a mobile operator.
Registering for ABM is simple and takes only a few minutes. Every company can register under the service terms. The first step is to register with D-U-N-S.
What is a “D-U-N-S” number?
The Data Universal Numbering System (commonly referred to as DUNS or D-U-N-S) is a proprietary system developed and managed by Dun & Bradstreet (D&B), which assigns a unique numeric identifier, known as a DUNS number, to a single business entity.
It was introduced in the 1960s for credit reporting purposes and is now a worldwide standard.
Each business entity is assigned a nine-digit number for identification purposes. The DUNS number is random, and the digits do not carry a specific meaning.
Why is a “D-U-N-S” number required to use Apple services?
When an organization decides to purchase Apple devices, it must subscribe to Apple Enterprise services to buy and manage them. ABM, Apple Developer Portal, etc., require the organization to have a DUNS number.
Similarly, if the organization wants to distribute apps in different geographical locations, it must have ABM subscriptions, and a DUNS number will be needed to register for ABM.
The D-U-N-S number will be used to verify the organization’s identity and legal status during the verification process when joining the Apple Developer Program or Apple Developer Enterprise Program. The company/entity must be recognized as a legal entity (such as a corporation, partnership, or limited liability company) to accept the legal terms and obligations of the Apple Developer Program agreements.
The Apple Developer Program (ADP) does not allow DBAs (“doing business as” names), fictitious businesses, trade names, or branches to register. Companies and educational institutions must provide a D-U-N-S number registered to their legal entity.
Steps for applying for a “D-U-N-S” number
D&B may have already assigned your organization a free D-U-N-S number. Before registering, check if your organization already has a DUNS number. You can submit your details to Dun & Bradstreet for a free DUNS number if your company is not listed.
When searching for your organization, you will be prompted to provide the following information:
- Legal entity name.
- Headquarters address.
- Mailing address.
- Your business contact information.
As part of the verification process, a D&B representative will contact you directly to gather more information (such as the type of business or the number of employees).
- Click or copy the following link into your browser: Obtain a D-U-N-S Number – Get Your Business Listed – D&B (dnb.com).
- Select the primary reason for registering a D-U-N-S number from the dropdown menu.
- Complete the sections with company information. You will need to provide details about your organization, such as your name, address, contact person’s name, and position.
- Review the details.
- Click “Submit” to complete the request.
- You will receive a confirmation email after completing the process. The D-U-N-S number itself is assigned within 24 to 48 hours and is sent to you by email; keep that email for your records.
The next step is to join Apple Business Manager. Let’s continue by logging into ABM. The registration process is as follows.
Registration for ABM
- Log in to Apple Business Manager or Apple School Manager.
- Click “Enroll Now.”
- Enter information about your organization, such as the organization’s name, DUNS number, phone number, etc.
The user who registers for ABM first becomes, by default, the main ABM administrator, since they register on behalf of the organization. This administrator must accept the program and software license agreements required by ABM. The main account administrator can create up to four other users as “administrators” in ABM. These accounts cannot be associated with any existing Apple ID or other Apple services.
Apple will review all the provided information and contact the listed representative, who may be asked for additional details via phone or email before the registration is approved.
- Select the location where your organization is registered.
When the submission is received and Apple confirms that you are eligible for Apple Business Manager (ABM), you will receive an email asking you to accept the Terms and Conditions. Note that the link in the email is only active for a limited period and expires after a week. If you don’t complete this step within 7 days, you must contact Apple again to proceed.
After verification, the administrator will receive an email with instructions on how to set up ABM for the company. A verification code will be sent to your email and phone number provided when creating the managed ID. Enter the code for verification.
You will then be prompted to create a managed Apple ID. Accept the Apple Business Manager terms, and you’re done!
Managing Users, Permissions, and Roles in ABM
In Apple Business Manager, each user is assigned one or more roles that define their permissions in the system. Some roles also have permission to supervise other roles. For example, a user designated as an administrator can manage people in the manager or staff roles.
It’s worth noting that users in the Administrator or Manager role cannot sign in with federated authentication; these are local accounts. They can only supervise the federated authentication process.
Each role is defined by permissions that apply to all assigned users. Staff roles have minimal permissions, manager roles offer more, and administrator roles have the broadest range of permissions.
Each user in ABM must have at least one role, and each role has specific permissions. The following table helps you understand the roles available in ABM:
The privileges (permissions) associated with roles in ABM include:
- People permissions.
- Device permissions.
- Content permissions.
- Staff permissions.
- Basic permissions.
Adding a new user in ABM
- Log in to Apple Business Manager using a user with an administrator role (the user who first registers for ABM by default becomes the main ABM administrator).
- Click Users on the left sidebar, click Add, enter the required information, and click Save.
Creating login details for a new user
- Log in to Apple Business Manager, click Users, and then search for the newly created user.
- Select the user from the list and click Create Login to generate new login information for the user.
- Choose how to send the information to the user. The information can be downloaded as a PDF or CSV file or emailed.
Integrating ABM with Intune
An Apple MDM push certificate is required to manage iOS/iPadOS and macOS devices in Microsoft Intune. This certificate allows devices to enroll through the Intune Company Portal or through ADE (Automated Device Enrollment), ASM (Apple School Manager), or AC2 (Apple Configurator 2). Follow the steps below to create an Apple MDM push certificate and upload it to the Intune portal.
Step 1. Grant Microsoft permission to send user and device information to Apple
- Log in to the Intune admin center and navigate to Device Enrollment > Apple Enrollment > Apple MDM Push Certificate.
- Select “I agree” to allow Microsoft to send data to Apple.
- Select “Download CSR request” to download the certificate signing request and save the file locally. Intune uses this file to request the certificate that establishes the trust relationship with the Apple Push Certificates portal.
Step 2. Create the Apple MDM push notification certificate
- Select Create MDM Push Certificate to open the Apple Push Certificates portal and sign in with your organization’s Apple ID. Remember to use your corporate Apple ID; avoid using a personal Apple ID.
- Select Create a Certificate.
- Read and accept the terms. Then, select Accept.
- Select Choose File and choose the CSR file downloaded from Intune.
- Select Submit.
- On the confirmation page, select Download. The certificate file (.pem) will be downloaded to your device. Save this file, and we will upload it to Intune.
- Return to the admin center and enter your Apple ID as a reminder for when the certificate needs to be renewed.
- Under Apple MDM Push Certificate, browse to the downloaded .pem certificate file and select Upload to complete the configuration of the Apple MDM push certificate.
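The CSR round-trip in Steps 1 and 2 is an ordinary certificate enrollment: Intune keeps the private key, the CSR carries only the public half, and Apple returns a certificate bound to that key. The practical caveat is that Apple MDM push certificates are valid for one year, which is why the portal asks you to record the Apple ID used: renewal has to be done from the same account before expiry, or enrolled devices lose their management channel. The script below is an added example using openssl, not code from the article or from Microsoft or Apple; it stands in a constructed CA for Apple’s portal (all file names and subjects are assumptions) and then runs the two checks an administrator wants against the resulting certificate: that it still pairs with the tenant’s key, and how long it has left before it must be renewed.

```shell
#!/bin/sh
# Added example, not code from the original article: models the CSR round-trip
# of Steps 1-2 with openssl and then checks the resulting certificate's expiry.
# All file names and subjects are assumptions made for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step 1 (Intune's part): generate the MDM key pair and the CSR that the
# portal offers for download. The private key never leaves the tenant.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=example-tenant-mdm-push" \
    -keyout "$WORK/mdm_push.key" -out "$WORK/mdm_push.csr" 2>/dev/null
}

# Step 2 (Apple's part, simulated): a constructed CA signs the CSR for $1 days.
# Real push certificates are issued by Apple's portal, not by this CA.
sign_csr() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Constructed Push CA (demo)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/mdm_push.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days "$1" -out "$WORK/mdm_push.pem" 2>/dev/null
}

# Operational check: returns 0 if the push certificate is still valid for at
# least $1 more days, 1 if it expires sooner (renew it in Intune before then).
push_cert_valid_for_days() {
  openssl x509 -in "$WORK/mdm_push.pem" -noout \
    -checkend "$(( $1 * 86400 ))" >/dev/null
}

# Sanity check: the issued certificate must carry the public key that belongs
# to the private key Intune generated with the CSR.
cert_matches_key() {
  [ "$(openssl x509 -in "$WORK/mdm_push.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/mdm_push.key" -pubout)" ]
}

# Stand-alone run: issue a one-year certificate and print its expiry date.
make_csr
sign_csr 365
openssl x509 -in "$WORK/mdm_push.pem" -noout -subject -enddate
```

Run the same `-checkend` test against the real certificate downloaded from the Apple Push Certificates portal (or the copy shown in the Intune admin center) from a scheduled job, and alert well before the one-year mark; the exit status is what a monitoring script should key on, not the printed text.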
Step 3. Create and upload the Apple automated device enrollment token
Before enrolling iOS/iPadOS devices through ADE, an additional Apple server token file (.p7m) is required. This token synchronizes information between Intune and the ADE devices owned by your company. It also lets Intune publish enrollment profiles to Apple and assign devices to those profiles.
Follow these steps to create and upload the ADE token:
- In the Intune portal, select Devices > iOS/iPadOS > iOS/iPadOS Enrollment > Enrollment Program Tokens > Add.
- Select Download the Intune public key certificate required to create a token. This step downloads and saves a public key file (.pem) locally. Apple Business Manager uses this public key to issue the token for your MDM server, establishing the trust relationship in the other direction.
- Click Create a Token through Apple Business Manager to open the Apple Business Manager portal and create an ADE (MDM server) token.
- Log in with your corporate Apple ID in the Apple Business Manager.
- Click your name at the bottom of the sidebar > Preferences, then click “Add” to add an MDM server.
- Upload the public key downloaded from Intune in step 2. You can enter a server name to quickly identify the MDM tenant.
- After saving the MDM server, select it and download the token (p7m file).
- Now return to the Intune portal. Under Step 4 of the Add token wizard, upload the token, click Next, and then save.
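The public key downloaded in list item 2 and the .p7m token downloaded in list item 6 are the two halves of one key exchange: ABM encrypts the server token to the public key Intune supplied, so only the tenant holding the matching private key can read it. The script below reproduces that exchange with openssl as an added example; it is not code from the article, Microsoft or Apple, and the token body, names and file paths are constructed for the demo (the real .p7m is produced by Apple Business Manager). It also shows the negative case: a key from another tenant cannot open the token.

```shell
#!/bin/sh
# Added example, not code from the original article: reproduces the key
# exchange behind Step 3 with openssl. The token body, names and paths are
# constructed for this demo; the real .p7m is produced by Apple Business Manager.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# List item 2 (Intune's part): the "public key certificate" is the public half
# of a key pair whose private half stays inside the MDM tenant.
make_mdm_keypair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=example-intune-tenant" \
    -keyout "$WORK/mdm_private.key" -out "$WORK/mdm_public.pem" 2>/dev/null
}

# List items 5-6 (ABM's part, simulated): the server token is delivered as
# CMS/S-MIME enveloped data encrypted to that certificate, i.e. the .p7m file.
# The JSON body is a constructed placeholder, not a real Apple token.
issue_server_token() {
  printf '%s' '{"server_name":"example-intune-tenant","consumer_key":"CK_constructed"}' \
    > "$WORK/token.json"
  openssl cms -encrypt -aes256 -in "$WORK/token.json" \
    -out "$WORK/server_token.p7m" "$WORK/mdm_public.pem"
}

# List item 7 (Intune's part): the matching private key opens the envelope.
# Prints the recovered token body.
open_server_token() {
  openssl cms -decrypt -in "$WORK/server_token.p7m" \
    -inkey "$WORK/mdm_private.key" -recip "$WORK/mdm_public.pem"
}

# Negative check: a key pair from a different tenant does not match any
# recipient in the envelope, so decryption fails. Returns 0 when it fails.
other_key_cannot_open_token() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=some-other-tenant" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
  ! openssl cms -decrypt -in "$WORK/server_token.p7m" \
      -inkey "$WORK/other.key" -recip "$WORK/other.pem" -out /dev/null 2>/dev/null
}

# Stand-alone run: issue the token, open it, and show the negative case.
make_mdm_keypair
issue_server_token
open_server_token
echo
other_key_cannot_open_token && echo "other tenant key rejected"
```

The consequence for operations is that the .pem and .p7m belong together: if the Intune-side key is replaced, the token issued against the old public key is useless, and a fresh token has to be generated in ABM against the new key.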
Step 4. Assign devices to the Apple token (server)
- In Apple Business Manager > Devices, select the devices you want to assign to this token. You can also select multiple devices at once or specify that all devices are automatically assigned to this token by default.
- Edit device management and choose the newly added MDM server.
Summary
Once your Apple Business Manager (ABM) instance is configured according to the steps above, you can start adding the devices you want to manage. You can add devices manually or ask the reseller to do it for you.