Preparing Intune for Apple Device Management

This article provides a checklist of tasks to enable Intune for Apple device management.

Introduction

To enable our team to manage your Apple devices via Microsoft Intune, we require that Intune be set up for Apple device management. This article lists each of the setup tasks, along with a link to the official instructions required to complete them.

Ensure that your Intune tenant has been enabled for Apple device management prior to your Kickoff meeting with our team.

1. Create an Apple MDM push certificate

The Apple MDM push certificate allows Microsoft Intune to manage Apple devices.
If your organisation has already created an Apple push certificate then ensure that it does not have an impending expiry. We recommend proactive renewal at least 30 days before the expiry date.

🔗 Create or renew an Apple Push Certificate (Microsoft)

2. Set up Automated Device Enrollment

Automated Device Enrollment (ADE) ensures a smooth, zero-touch setup experience for your users. To set up ADE you must register your organisation with the appropriate Apple enrollment program: Apple School Manager (ASM) or Apple Business Manager (ABM).

Once you have an ABM/ASM account the following subtasks are required to integrate the account into Intune.

➤ 2.1 Create an enrollment program token in Intune

This step connects ABM/ASM with Intune so new Apple devices can be automatically enrolled during setup.

If your organisation has already created an enrollment token then ensure that it does not have an impending expiry. We recommend proactive renewal at least 30 days before the expiry date.

🔗 Create an enrollment program token in Intune (Microsoft)

🔗 Renew your enrollment program token (Microsoft)

➤ 2.2 Block personally owned devices (Optional)

Devices enrolled using Automated Device Enrollment are classified as corporate-owned, whereas Apple user enrollments with Company Portal are classified as personally-owned. You can prevent users from enrolling their own devices by blocking personally-owned device enrollments altogether.

🔗 Blocking personally owned devices (Microsoft)

➤ 2.3 Set Up Apple VPP Token

The Volume Purchase Program (VPP) token allows Intune to sync with your ABM/ASM account so that you can deploy apps to users without requiring individual Apple IDs.
If your organisation has already created a VPP token then ensure that it does not have an impending expiry. We recommend proactive renewal at least 30 days before the expiry date.

🔗 Upload an Apple VPP token

🔗 Renewing VPP tokens (Microsoft)
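Sections 1, 2.1 and 2.3 each ask you to confirm that the push certificate, enrollment program token and VPP token are not within 30 days of expiry. The following script is an added example, not part of this article or of Microsoft's tooling: it applies that 30-day rule to the expiry timestamps returned by Microsoft Graph. The Graph resource paths and property names are assumptions to be checked against current Graph documentation, and the responses below are constructed sample data rather than output from a real tenant.

```python
from datetime import datetime, timezone

# Renewal threshold recommended in this article: renew at least 30 days before expiry.
RENEWAL_WINDOW_DAYS = 30

# Assumed Microsoft Graph resource and expiry property for each Apple token
# (verify against current Graph docs before relying on these names).
TOKEN_SOURCES = {
    "Apple MDM push certificate": ("deviceManagement/applePushNotificationCertificate", "expirationDateTime"),
    "ADE enrollment program token": ("deviceManagement/depOnboardingSettings", "tokenExpirationDateTime"),
    "Apple VPP token": ("deviceAppManagement/vppTokens", "expirationDateTime"),
}

def parse_graph_datetime(value: str) -> datetime:
    # Graph returns ISO 8601 UTC timestamps ending in 'Z'; normalise for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_tokens(graph_responses: dict, now: datetime, window_days: int = RENEWAL_WINDOW_DAYS) -> list:
    """One finding per token record: which token, days until expiry, and the action to take."""
    findings = []
    for name, (resource, field) in TOKEN_SOURCES.items():
        payload = graph_responses.get(resource)
        if payload is None:  # endpoint returned nothing: the token was never set up
            findings.append({"token": name, "days_left": None, "action": "MISSING: not configured"})
            continue
        records = payload["value"] if "value" in payload else [payload]  # collection vs single object
        for rec in records:
            days = (parse_graph_datetime(rec[field]) - now).days
            if days < 0:
                action = "EXPIRED: renew now"
            elif days <= window_days:
                action = f"RENEW: expires in {days} days"
            else:
                action = "OK"
            findings.append({"token": name, "days_left": days, "action": action})
    return findings

# Constructed sample responses (not from a real tenant); the evaluation date is fixed so results are stable.
SAMPLE_RESPONSES = {
    "deviceManagement/applePushNotificationCertificate": {"expirationDateTime": "2025-02-10T00:00:00Z"},
    "deviceManagement/depOnboardingSettings": {"value": [{"tokenExpirationDateTime": "2025-06-01T00:00:00Z"}]},
    "deviceAppManagement/vppTokens": {"value": [
        {"organizationName": "Contoso", "expirationDateTime": "2024-12-31T00:00:00Z"},
        {"organizationName": "Contoso School", "expirationDateTime": "2025-09-15T00:00:00Z"},
    ]},
}
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for f in audit_tokens(SAMPLE_RESPONSES, NOW):
        print(f"{f['token']:<30} {str(f['days_left']):>5}  {f['action']}")
```

With the sample data the push certificate is flagged for renewal (26 days left), the first VPP token is reported as expired, and the other records are within tolerance.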