A common migration mobile device management project will be migrating from a third party MDM solution e.g. MobileIron to Microsoft Intune. Some businesses may use Apple Business Manager to take advantage of "supervised" settings.
During this migration, you'll require configuring Automated Device Enrolment in Microsoft Intune and configure policies and deploy Apple VPP apps without impacting the current solution. This blog post will walk you through configuring Intune as a MDM server in Apple Business Manager and adding a new location in Apple Business Manager to allow for Intune to sync apps from your Apple Volume Purchase Program.
Assumptions:
- You have upgraded from DEP to Apple Business Manager
- You have a Apple Business Manager administrator account
- You have a MDM server e.g. MobileIron already in place which is managing your mobile devices. Note: if you have a "green field" Apple Business Manager environment, most of this blog post is still relevant.
- You have configured an Apple MDM Push Certificate in Microsoft Intune
Configure Enrolment Token
Follow this Microsoft guide for connecting Intune to Apple Business Manager: https://docs.microsoft.com/en-us/mem/intune/enrollment/tutorial-use-device-enrollment-program-enroll-ios#get-an-apple-device-enrollment-token
Notes:
Use the Apple ID administrator account registered in your Apple Business Manager tenant to configure the enrolment program token.
Make sure you download the correct certificate for your new MDM server (Intune) in Apple Business Manager.
You should now see something like this once completed:
Now you have created your enrolment token and connected Intune to Apple Business Manager, you can create a Apple VPP Connector so Intune can deploy apps from ABM.
Configure Apple VPP Connector
In a scenario where there is already a MDM server being used in Apple Business Manager e.g. MobileIron you now face the issue of not disrupting apps being delivered to managed devices from the current MDM solution whilst connecting Intune.
Create a new location in Apple Business Manager that represents your site. This can be the same details used in the original location but using a different name.
2. Download the server token from Settings > Apps and Books > My server tokens (download ONLY the server token for the new location you've created).
3. Follow this Microsoft guide to create a Apple VPP Connector and upload your new server token: https://docs.microsoft.com/en-us/mem/intune/apps/vpp-apps-ios#upload-an-apple-vpp-or-location-token
4. You should have an active Apple VPP Connector.
You can now assign free new or existing apps to this location in Apple Business Manager.
If you have paid for licenses assigned to another location, a transfer will be required. Planning is strongly advised when doing this: https://support.apple.com/ru-ru/HT208257
Note: You can manually sync the Apple VPP Connector in Intune by right clicking the connector and pressing sync.
Note: The Available deployment intent is not supported for device groups, only user groups are supported.
Note: Intune (or any other MDM for that matter) does not actually install VPP apps. Instead, Intune connects to your VPP account and tells Apple which app licenses to assign to which devices. From there, all the actual installation is handled between Apple and the device.
Create Apple Enrolment Profile
Now you have configured two MDM servers in Apple Business Manager without impacting your end users. You are now ready to create an Apple Enrolment profile. Chose from the available options that suit your organisation.
Note: There are known issues when selecting Run Company Portal in Single App Mode even to this day. Microsoft generally recommend Setup Assistant with Modern Authentication as their preferred authentication during ADE: https://techcommunity.microsoft.com/t5/intune-customer-success/move-to-setup-assistant-with-modern-authentication-for-automated/ba-p/2556536
Once an enrolment profile has been created. Assign devices to the Intune MDM server in Apple Business Manager:
Once the device is assigned. Sync your enrolment token connector in Microsoft Intune to sync the device across to Intune:
Then assign your synced device to your enrolment profile.
4. Device wipe
Once this is done. You can wipe the device either from your MDM server e.g. MobileIron or manually on the device if you are able to do so.
Once wiped, the device will enrol into Intune once turned back on and connected to WIFI.