Apple Business Manager (ABM) is a free portal offered by Apple that enables businesses to simplify and automate the bulk deployment and management of corporate Apple devices, including iOS, iPadOS, macOS, and tvOS devices. Similar to Apple Business Manager (ABM), Apple also offers Apple School Manager (ASM), a dedicated service for schools to simplify the management of Apple devices.
Apple Business Manager (ABM) was previously known as Apple Device Enrollment Program (Apple DEP) and users can automatically or manually add devices to Apple DEP for over-the-air management.
Ensure the following pre-requisites are met to enroll Apple devices using Apple Business Manager (ABM) enrollment:
In case of devices purchased neither from Apple directly nor from its authorized resellers, you can still add devices to Apple Business Manager (provided they're running or capable of running iOS 11.0 or later versions) as explained here.
NOTE: The steps mentioned in this document are also applicable to the Apple School Manager portal.
The process starts when your organization purchases Apple devices from Apple or from Apple authorized resellers. You have to log into your Apple Business Manager account. If you already have an account with Device Enrollment Program, you can migrate to Apple Business Manager by following the prompts available on your DEP portal. You have to register MDM with the Apple Business Manager portal. Once you have registered the DC server, secure communication is enabled between the DC server and the Apple portal. This is used to synchronize the details of the devices purchased by your organization. When you find the devices synced from the Apple portal, you can assign them to users. Whenever the devices are activated, all restrictions and configurations imposed using MDM are automatically installed on all your devices over-the-air (OTA). By configuring ABM, you can ensure all the organization's devices are managed by MDM by default as soon as they are activated.
If you do not have an ABM account, you can create one here. To know your DUNS number (which is one of the prerequisites), refer to this. You can also refer to this document to fully understand Apple Business Manager.
After creating your organization's Apple ID and deployment account by following the steps mentioned in the ABM Program Guide, you need to carry out the steps outlined below, to seamlessly enroll and manage your organization's corporate Apple devices into MDM using Apple Business Manager enrollment.
First, you need to link the DC server to your organization's ABM account. For this:
Click on Download Token to download the server token from ABM. Click on Download Server Token when prompted.
Using Apple Business Manager, you can automatically assign the purchased devices to particular servers once they have been added to the portal. Additionally, you can select different servers based on the type of device being enrolled. It is recommended to assign different types of devices to different servers. All of these servers can be integrated and managed using DC. To select a default server for a particular type of device:
One of the advantages of using Apple Business Manager to enroll your Apple devices is that the devices can be enrolled without any interaction with the devices. There are two methods available to add devices into Apple Business Manager. IT admins can use any of the following methods to add devices to Apple Business Manager:
To add devices to Apple Business Manager, the reseller details must be added to the ABM portal. Every time devices are purchased from the same reseller, the devices are added to the ABM portal and, in turn, to the DC server due to the integration of the ABM portal with the DC server.
Note: On ABM, only the Administrator or Device Manager roles can add the reseller details.
After linking your DC Server to the Apple Business Manager (ABM) portal, if you have devices purchased before integrating the portals, you can add devices to Apple Business Manager using one of the three methods:
To add devices directly to DC, follow the steps mentioned below:
The Apple devices are now added to the DC server, automatically.
On adding devices to MDM using Apple Business Manager enrollment, all the devices are enrolled successfully. Before the enrollment is complete, you have to configure the settings to be applied to the devices on device activation. You can create and apply these settings to all your devices in one go by following the steps mentioned below:
| Setting | Description |
|---|---|
| Sign in with Apple ID and iCloud | Select to skip Apple ID and iCloud sign in by the user during setup. This does not restrict the user from signing in once the device setup is completed. |
| Touch ID Setup | Select to skip Touch ID configuration during setup. The user can, later on, configure the Touch ID after completing the device setup. |
| Diagnostics | Select to omit a user prompt to send diagnostic data to Apple during device setup. |
| Display Tone | Select to skip the Display Tone setup assistant screen during device setup. |
| Location Services | Select to disable Location Services during setup. If disabled, Location Services are turned off. The user can modify the location settings after completing the device setup. |
| Passcode | Select to prevent users from setting up a Passcode during the setup assistant process. This can be skipped if a passcode profile is distributed through MDM. |
| Payment | Select to prevent users from setting up an Apple Pay account in the setup assistant. This does not restrict the user from configuring it once the device setup is completed. |
| Privacy | Select to omit the Privacy screen during the setup assistant process. |
| Restore backup from old device | Select to restrict the user from restoring an iCloud or iTunes backup to the device. |
| Terms and Conditions | Select to disable the Terms and Conditions step during device setup. If disabled, the Terms and Conditions are accepted by default. |
| Siri | Select to restrict the user from configuring Siri during device setup. If restricted, Siri is turned off. This does not restrict the user from configuring it once the device setup is completed. |
| Zoom | Select to omit the Zoom functionality step during device setup. |
| Restore from Android device | Select to prevent users from restoring a backup from an Android device. |
| Keyboard Selection | Select to prevent users from choosing a keyboard type during device setup. |
| Home Button Sensitivity | Select to allow users to enroll devices without configuring the Home button sensitivity during setup. |
| iMessage and FaceTime | Select to skip the iMessage and FaceTime prompt during the setup assistant process. This does not restrict the user from configuring the same once the device setup is completed. |
| New feature highlights | Select to skip on-boarding informational screens for user education during the setup assistant process (“Cover Sheet, Multitasking & Control Center”, for example). |
| Screen Time | Select to prevent informing users about Screen Time during device setup. |
| Mandatory software updates | Select to skip the Mandatory software update screen during the setup assistant process. |
| Watch Migration | Select to prevent users from viewing options for Watch Migration during the device setup. |
| Appearance | Select to skip the Choose your Look screen during Mac setup. |
| FileVault | Select to prevent users from configuring a FileVault account during device setup. It is recommended to configure and distribute a FileVault Encryption profile through DC. |
| iCloud diagnostics | Select to omit a user prompt to send diagnostics to iCloud during device setup. |
| iCloud storage | Select to skip the iCloud Documents and Desktop screen during device setup. |
| Apple Registration | Select to restrict the user from registering the device with Apple during setup. |
| Screensaver | Select to allow users to enroll a tvOS device without configuring a screensaver. This does not restrict the user from configuring the same once the device setup is completed. |
| Tap to Setup | Select to skip the option of setting up Apple TV using an associated iOS device (user needs to enter the account information and setting choices separately). |
| Home screen layout sync | Select to prevent users from toggling the TV home screen layout during device setup. |
| TV Provider SignIn | Select to prevent users from signing in to a TV provider during setup. |
| Where is this Apple TV? Screen | Select to omit the Where is this Apple TV step on tvOS devices during setup. |
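The Passcode and FileVault rows above are safe to skip only when a matching profile is distributed through MDM. The following Python check is an added example, not code from the original page or from the product: it compares the panes a profile skips with the payload types assigned to the same devices. The skip key names and payload identifiers follow Apple's enrollment-profile and configuration-profile formats and are assumed to correspond to the console options; the sample data is constructed.

```python
import json

# Skipped pane -> configuration-profile payload type that compensates for it.
# Assumption: the console's Passcode and FileVault options map to these
# Apple skip keys and payload identifiers.
COMPENSATING_PAYLOAD = {
    "Passcode": "com.apple.mobiledevice.passwordpolicy",
    "FileVault": "com.apple.MCX.FileVault2",
}

# Panes the table describes as still configurable by the user after setup.
DEFERRED_ONLY = {"AppleID", "Biometric", "Location", "Payment", "Siri",
                 "iMessageAndFaceTime", "ScreenSaver"}


def audit_enrollment(profile_json, assigned_payload_types):
    """Return (gaps, deferred) for one enrollment profile.

    gaps     -> skipped security panes with no compensating payload assigned
    deferred -> skipped panes the user can still configure after setup
    """
    profile = json.loads(profile_json)
    skipped = set(profile.get("skip_setup_items", []))
    assigned = set(assigned_payload_types)
    gaps = sorted(
        pane for pane, payload in COMPENSATING_PAYLOAD.items()
        if pane in skipped and payload not in assigned
    )
    deferred = sorted(skipped & DEFERRED_ONLY)
    return gaps, deferred


# Constructed sample: a Mac profile that skips both security panes while the
# devices only receive a passcode policy and a Wi-Fi payload.
SAMPLE_PROFILE = json.dumps({
    "profile_name": "Constructed Mac profile",
    "skip_setup_items": ["AppleID", "Passcode", "FileVault", "Siri", "Location"],
})
SAMPLE_PAYLOADS = ["com.apple.mobiledevice.passwordpolicy", "com.apple.wifi.managed"]

if __name__ == "__main__":
    gaps, deferred = audit_enrollment(SAMPLE_PROFILE, SAMPLE_PAYLOADS)
    for pane in gaps:
        print(f"GAP: {pane} skipped, no {COMPENSATING_PAYLOAD[pane]} payload assigned")
    print("User can still configure after setup:", ", ".join(deferred))
```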
As imaging for deploying Mac devices has been stopped by Apple, DC provides a quicker and more efficient means of deployment by automating the creation of a local admin account on device activation. The local admin account created on the device has the following benefits:
To configure a local admin account, enable Mac Account Settings and fill in the required fields, which are described below.
| Field | Description |
|---|---|
| Display Name | Specify a name for the local admin account to be created on the Mac device. |
| Username | Specify a username to identify your account. |
| Password | A password can be set for the admin account which can be modified when needed. |
| Hide admin account | You can optionally hide the local admin account on the Mac device, if you do not want users to see the account while assisting them. Enabling this option hides the admin account on the login screen and hides it completely thereafter. Hiding the account keeps it safe from prying eyes. |
| Allow users to create additional accounts on activation | You can configure the type of user account on Mac machines. The privileges for Standard account type include installing apps at the user level and modifying their settings. Standard account users cannot add other users or modify other users' accounts. If Administrator is chosen, the user can add and manage other users, install apps at both system and user level, as well as modify settings. |
Click Create. Now, the configurations and settings get applied to the devices.
After creating the ABM profile and applying it to devices, you can choose to Sync Devices by navigating to Enrollment -> Apple -> Apple Enrollment (ABM/ASM). On syncing, all devices get automatically listed on the DC console.
The enrollment process is complete only when the users activate the devices, after which the devices are listed under Enrollment -> Devices.
In case the devices are not new, the devices should be factory reset, in order to be configured using ABM.
You can assign all the devices to individual users manually by navigating to agent and then on ABM/DEP to Devices. The alternate and easier option is to add users through a CSV file. You can also automate user assignment if you are using the on-premises DC version. Automated user assignment ensures the users are authenticated and self-assigned when the device is enrolled. This option must be enabled when ABM is configured or, if ABM is already configured, you can enable the option from ABM settings. The only prerequisite is that Active Directory must be configured in DC. When enrolling the device using ABM auto-assignment, the user name to be provided on the device must be in the format: domain name\user name.
While assigning the users to devices, these devices can also be added to groups to automate the distribution of apps, profiles, and documents to devices. The devices can also be simultaneously added to multiple groups while assigning users.
Sample CSV Format
To unmanage the device, the admin must remove the device from the DC server. Once the device is removed from the DC server, the device is automatically removed from the ABM portal.
The devices that are enrolled with one ABM account cannot be enrolled in another. Therefore, these devices must be removed from the first ABM account before enrolling into another. Follow the steps given below to remove the devices from the ABM portal.
To remove the devices, always select Unassign device and not Release device. Release device should be used only if the device is lost or permanently damaged and will never be part of any workforce. Releasing devices is a non-reversible action and once disowned the device can never be part of an organization.