Apple Automated Device Enrollment with Microsoft Intune MDM Set Up (for MacOS & iOS Devices)
Вставка
- Опубліковано 12 лип 2024
- In this video I show you how to configure Apple Business Manager and Microsoft Intune for automated device enrollment for macOS and iOS devices. This powerful technology allows you to ship devices directly to end-users and have them preconfigured with all of your policies, settings, and applications. The user can boot the device and go from box to production.
Set up MDM Push Certificate: • Set up MDM Push Certif...
Azure AD Federation with Apple Business Manager: • Microsoft Azure AD Fed...
____________________
Give this video a thumbs up if you enjoyed watching 👍
#microsoft #automation #business
Thanks for watching the video Apple Automated Device Enrollment with Microsoft Intune MDM Set Up (for MacOS & iOS Devices) - Навчання та стиль
This helped me so much. I really appreciate the time and effort you put into this!
Glad it helped!
You did an excellent job explaining this! Keep up the great work!
Glad it was helpful!
Now that's how you explain DEP...great job man...thank you so much.
Thanks!
You uploaded this 3 years ago and it is still useful today. You have saved us so much pain over MDM with apple. What's worse for my scenario is we are using third party iphones and those devices have to be used in the manual apple configurator process. It's great when it works and a nightmare when it throws errors.
exactly 👍👍👍👍👍👍👍👍
Nick you just solved an issue i've had getting this to work for ages. I didn't realise VPP required another token to get the apps from ABM to intune. Thank you so much.
Nice! Happy to help Jade.
Many thanks for your effort, this is great.
Thank you Sir for sharing, awesome vid.
This is one of the most complete and professional videos I've seen in UA-cam
glad it was helpful!
Awesome ..that's the clarification of concept.
Glad it was helpful!
Awesome clip, this has helped me greatly!
Glad it helped!
Great video i think you deserve a lot of likes
Thank you for this video
Thanks Rocky!
Amazing work !!! loaded with informations.
Glad it was helpful!
Excellent, thanks for sharing.
My pleasure!
great one, thank u man
Thank you!
Thanks this help me much...
Happy to help
Very helpfull
This is fantastic. Thank you. What do you like to use for multifactor?
Great video, have a question, does the Federated account need to be Local Admin for Mac to get configured?
Thank you this helped my figure out where I was going wrong with my setup. I did notice however that at the end you don't need to add intune into the app deployment as it automatically pulls it from ABM as you have one 2 below- Intune (iOS Volume Purchase programme app). You would just need to assign that one instead to all devices.
Good tip!
Azure IDS synced to APple Bus Manager wont work in IOS APP store since it is managed which is why you have to deploy apps from VPP
Thank you, but what to do if my devices are already with users ??
Hi, Greetings from Germany. Great video and really admire your efforts. Have you worked with SIMPLE MDM and Munki? I am eager to learn Simple MDM.
Nick, your videos have been really helpful. At 13:22 in this video, when you’re enabling the user to enter an Apple ID, my experience is that even thought the device is managed / in ABM, and we have federated Apple ID’s, the user can enter any Apple ID on first boot - or subsequently. Is there any way to control this, and enforce federated Apple ID’s on ADE devices? And what are the implications of a personal Apple ID on an ADE device - I assume it can’t be activation locked… Thanks
Hey Mark, there is no way that i know of to force the users federated apple ID upon boot much like you would see using windows autopilot. That would be a great feature though. If the user uses a personal AppleID that can still be ok if they subsequently still enrolled the device into intune with the company portal app. The device restrictions policy for iOS can still enable activation lock docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-ios
Nick - great video. I think I have everything setup and I'm ready to test on a new iPad that we have. I'm a little confused on how the compliance and configuration polices get pushed as part of the automatic device enrollment. I'm able to see the devices I've synced from ABM but I don't see a way to assign the policies to the devices directly. The only way I see to push these policies is to a group that has users assigned.
Hope this makes sense - thanks for the help!
Hey Chelsea, if you want to scope to individual devices vs users what i recommend is going in the Azure AD admin center>Groups and create a group with devices that are in AD that you want this policy to be applied to. Let me know if that makes sense.
@@t-minus365 I wanted to automate the whole process too. Policies be applied to the devices, like other MDM supports (jamf). Is applying the policies on the user groups a better way? I see I have to do the manual work of adding the users to the group.
Hello,
It's a very good and clear explanation of all round usage of DEP.
I have a query here related to enrollment profile ..
If we select enroll with user affinity and put don't use VPP .how will it look from end users perspective..
In video at the last you deployed the Intune company portal as a required app.
So once user gets the DEP device soon after the initial setup will be be getting the prompt to install company portal??
Hey this is a great question. If you dont use VPP then you cannot run single apple mode. The closest you could get is pushing the company portal app as a required app on the intune side but you would still have to instruct the user to go there and sign in with their ad creds. Is there a reason you dont want to use VPP?
Thank you for the detailed video. Is there a demo video of iOS automated enrollment?
This is the closest i have: ua-cam.com/video/JhDbxfFTOVg/v-deo.html
Hello, Great Video I do have a question regarding the setup with compnay portal. How are you able to setup someone with a new device if MFA is not setup on the mobile phone already. My company only allows for notifications or codes to be entered for MFA setup.
need a video with test on iphone ipad and mac for seeing that is working
thanks
Thanks for the informative video. Just one question, towards the end of the video you were assigning company portal app to the devices. But it previously, your had purchased it from VPP & it was a part of the enrollment profile. So why twice?
Thanks! I just wanted to show case both methods since you can do it both ways. You dont need both to be in place
Loved your video! How about enrolling existing iOS devices to Intune? We never had MDM or ABM solution in place and currently we have 100 iOS users who need to be registered with Intune.
Hey @T-Minus do you have some sources/references for the technical behaviour behind this whole thing? (need it for some scholastic things real quick) Your picture and explanation how ABM syncs with Intune etc. is nice, but I can't find a proof about that. I am searching for days now.
THANK YOU so much for this CLEAR and precise DEP explanation. You made me understand better the Intune Company Portal with the VPP token thing... I was trying to setup the deployment profile and was so confused with this Authentication method. The MS documentation isn't that clear....
Glad it was helpful!
Hi - Great video.
Quick question, if we take control on the VPP token, do you think this will affect the other MDM solution that is already setup (we're preparing a migration to Intune.)
What is the other MDM solution? I personally think it will have no effect at all
Thank you for this amazingly informative video, it made my life so much easier getting things all setup here. I have found at the 16:30 mark (adding devices) that I do not have an option for Device Assignments and have not yet found a way to add any as of yet. Under Devices I am only seeing "Devices" and "Assignment History", did I miss a step to add that maybe?
No, they removed this in one of their releases last year unfortunately
wait I am in the same place now. did you got to add the devices?
@@t-minus365 This kills me... trying for a week to get this up and running with federated ids (working), vpp (working), pretty much everything is working but no way for me to get that test-iPhone device into ABM and then into Intune to apply enrollment profiles. As of today it seems this is only possible with DEP enabled so either Apple or your dealer of choice pushes the serials into ABM for you or you use the "Apple Configurator 2" on a MacOS Device (there's no Windows alternative!) to manually add every iOS Device. I freaked out after seeing this option to add serial numbers in ABM in this video, didn't see it is 2yrs old by now. Now I'm here with 99% working and setup but no way to push the intune app on to the device because managed IDs can't use the app store and the device enrollment profiles ain't working because there is no device object. ARGH!
Real nice presentation. Is the power point available for download? The firs bit with the Vendor, ABM, serial and so on.
Thank you.
/Kristian
tminus365com.sharepoint.com/:p:/s/M365/Eb7gRRd45jJNjigv91e-G5YBv69kanuDF4fsYeDOOi_irw?e=Gt5CfF
thank you for share I would like to know this method not need microsoft intune company portal
Well Explained Nick !!! So when the device Turned ON (Brand new) it will be automatically enroll into Intune if the device has internet available ? Will it ask for official credentials (email id /Password) ?
Can you have more than one MDM in apple business manager? I would like to migrate from one MDM to another and role out new devices purchased under out VPP on Intune but leave devices that aren't available for a device upgrade on our current MDM. This will also give me ample time to test,
Has ABM removed the option to manually add devices? I am not seeing the same option as you show in your video. On the left column I don't have Device Assignments like you show, all I have is Devices and Assignment History (noting there). When I click on Devices it only presents the 2 options of entering Apple Customer Number and Reseller Number.
It does look like they did in August based on their release notes: support.apple.com/en-us/HT208802
@@t-minus365 Thanks for the reply. Great videos, keep up the good work.
@@t-minus365 how would you go about adding the devices if this was removed ?
Just FYI you cannot add serials anymore in Apple Business Manager, it's done within Apple Configurator on MAC so devices are auto populated through reseller ID
Not seeing some of these settings in my portal such as the iOS store app. Have those gone away with the recent updates?
Do you know if Apple has removed the add device by serial number option? It's not visible in my portal see minute 16:21 in video. I'd also like to add, great video, more complete than the hours of Microsoft Documentation I tried to initially follow.
Very good video, but I thought you said out-of-the-box user experience. I have intune configured in line with your example, however, the payload doesn't appear to download, and I have no/can find any visual device example of what or what not to expect.
Excellent video Nick. I have done everything as you have shown in the video, my MacBook is showing in Enrollment program tokens and also in Apple business manager. When I boot the device it tries to connect to our MDM server in Azure but I get an error "Unable to connect to MDM server" any ideas why this might be?
have you configured a conditional access policy? if you have not you will get errors as your users can't authenticate with azure ad.. i have set this up in my tenancy but kept the config profile as BYOD as that way the users can just use there own personal iOS/mac os devices and access company managed apps such as outlook and edge/teams etc, but if you decide you want to manage and protect company data you will need to also need to set up an app protection policy.. this is what i did, so no need for business manager etc as devices are byod so i just wanted a profile so if my users wanted to add company email to personal phone, they could but the app data would remain secure. Most people just blindly select agree when downloading new apps and so allot of apps read other app data etc which i needed to block as need company data kept secure.
Thank you very much about the content.
Let me ask you something, is it possible to auto enrroll without VPP?
Do you have a video showing the process?
I haven't found a single video or article that explains how to auto enroll without user affinity and without VPP. To me it seems that would be too difficult to do. We have been trying to get the configuration profiles and policies to push to an iPad for days, and it just wont push the settings... We found that we had no Intune Device Licenses and just added some to see if one of the iPads would finally get a push...
Have you been able to figure it out Delon? We've done everything we could think of. We meet all prerequisites at the device, OS version and subscription end. We just don't know what's wrong. Maybe we need to reset the iPads again?
@@ketofitforlife2917 we cant go on because we dont have vpp enable from our customer. I dont have expertise to say what is the root cause of it. Are you having issues even with vpp?
I got stuck today thanks.
Hey, thanks for the info however looks like the option to manually add non-DEP devices is not longer available, someone knows if there is a way to add these kind of devices these days?
As far as I know (trying this for the last couple of days 1st time myself) the only way is with thw app "Apple Configurator 2" installed on a MacOS Device.. then you are able to push your device IDs into ABM and from there sync into Intune. Because we don't have a Mac and don't wanna... we're going to register with our dealer for the DEP. So annoying.
If you enter the serial number from your device in Apple manager it will automatically regonized bij intune for enrolment ?
Quick question, how would we manage the look of the iOS device? I want to block certain apps or customize the dock.
It would be a device feature profile in intune: ua-cam.com/video/X1QBQxB-U-s/v-deo.html
Hi Nick, We have an ABM/DEP setup with Intune. Is it possible to setup a additional ABM/DEP to our one Intune console? I want to setup different countries with their own ABM/DEP into our Intune console.
Hey! So you can add multiple enrollment program tokens. Each token name would be the name of the country and represent another ABM portal.
Hi, thank you for your video. I had configured the Apple MDM Push certificate a few months ago, and now I want to migrate it to Automated Device Enrollment. Is there a way to migrate the currently enrolled devices? How does it work?
Also, in my Business Manager, the option to manually add devices via serial number doesn't appear. It only shows options to add Customer or Reseller numbers. Should I contact Apple for assistance? Thank you very much
I just noticed that the Apple MDM Push certificate is assigned to a different Apple ID. Should I delete the Apple MDM Push certificate and regenerate it with the new administrator Apple ID from Apple Business Manager?
When adding an application (as demonstrated by the Intune Company Portal in your video) that doesn't incorporate the VPP token? Shouldn't it be purchased in the apps/books section of ABM and synced to utilize VPP?
I would say its a necessity to do it through VPP if you are federating to Azure AD as the managed profiles need to access the apps that way. If you are not federating, i dont think it matters whether you push the app via intune or VPP unless i am missing something.
Thank you, but what to do if my devices are already with users ??
Thank you for video. What is not clear to me - are you actually able to manually add Devices into ABM 16:27 ? E.g. Old Mac Books that was ordered long time ago through some random store... for me, when I am going to Device Assignments , I am getting only option to add it through Reseller Number or Apple Customer Number, and as far as I read, it is not possible to add MAC devices manually into ABM. Is that correct , or I am just missing something ? :O
I would agree that manually adding is not possible. You could still add them to intune via installing the company portal app and enrolling on that device.
@@t-minus365 thank you. that is soilution that i ended up with.
Have they removed the ability to add devices manually using serial number (screen shown at 16:26).
Only way I can get devices to show up in ABM is to use apple configurator.
Hi and thanks for a great tutorial. I've done a similar setup in our organisation but there's one thing I just can't understand.
After macOS users have enrolled to Intune, they are not able to install the company portal, because the device is already enrolled into intune and it gives an error message.
However I would like our users to be able to use the company portal to install preferred apps etc. Am I missing something?
For iOS this seems to be automated, the company portal is installed etc, but for macOS...? Great thanks!
Hey there, happy to help here. How are the macOS users enrolled their devices into intune?
@@t-minus365 Thanks man! Actually I've done the setup pretty much exactly as you did here; ABM, MDM connected to Intune and from there the Enrollment program tokens profile configured with User affinity No, Locked Yes. I added a test macOS 15.5 device through Device Assignments in ABM by Serial and assigned my Intune profile. Works perfect, the device is added to Intune. But then I download the company portal but then in the installation process it gives me this error (I don't have the exact one but this may be it: "It looks like you're using a virtual machine. Make sure you've fully configured your virtual machine, including serial number and hardware model. If this isn't a virtual machine, please contact support."). Something about virtual machine, which is it not ofc. If I delete the machine from Intune, then I can proceed with the installation of company portal and the device is enrolled as well. Hope this makes sense. Thanks.
Hmm yes im tracking. You are saying it never even gives you the chance to sign in with the company portal app correct? Microsoft documents this error but doesnt seem to be very helpful docs.microsoft.com/en-us/mem/intune/user-help/unable-to-get-macos-device-managed
@@t-minus365 It login but then at step 2 when it's about to install the profiles it gives an error, my guess because there already is a profile ofc since the computer is already Intune-enrolled, but I can't understand the error related to "Virtual machine". Odd and yes the MS-help doc didn't say much. I guess I'll have to try again and ask MS about it...? Screenshot of error: ibb.co/16MF2VT
How to assign AD username to device ? Whether it must use Corp Portal app to login ?
Hey so this is controlled via the enrollment program profile you configure in Intune. You wouldnt be assigning a username to the device. The user would boot the device and signin, associating their ad account with that device. docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-program-enroll-ios
We have Company portal in Single apple mode until authentication enabled and it appears to be working with multi factor authentication. Without it enrollment wont be automatic as the user need to manually open Company Portal to sign in and complete the enrollment/setup process.
Im about to test this out for the first time, any other issues with Single App mode being checked for company portal?
@@joextremeno shouldn't be, i did the same and also created an app protection policy and conditional access policy, my users can just log in on there own iPhones and then download and log into company portal and it then pushes the apps which i selected and also prompts and guides them on how to download the profile and install. Its BYOD and much better this way as then the user is using there own phone and we don't manage it, we only manage the company apps and company data..
We have sister companies all in one 365 tenant. The company had their own Apple Business account before we purchased them. Is there a way to use inTune and have multiple DEP accounts to it?
That would not be possible
I followed these instructions but I am getting an "Invalid Profile" error when I boot the new device and selected Remote Enrollment. Any thoughts?
I have tested my setup based on your Video but I keep getting a pop up that says Guided Access app unavailable. Please contact your administrator. Right before Intune Company Portal Installs, the pop up just freezes the phone completely and nothing else happens. Any advice?
How can you assign the profile in bulk within Intune? Say you receive a large order and assign the profile withing ABM, sync from Intune, but now you have to manually assign each device. Is there a way to automate this? Thanks!
What i would do is create a dynamic group in 365 that looks for a certain attribute like the OS type to automatically pull in those devices to that group. From there you would just assign that group to the profile vs having to do each machine 1 by 1. Let me know if that answers your question.
if this isn't set can you not setup the update mac policies?
I don’t see a way to manually add devices by serial number in ABM like you do. Is there a trick to that?
No, that is gone now unfortunately :(
What is the max number of iPads you can enroll using automated device enrollment
I do not see anything under device enrollment. It tells me i have to supply either a customer ID or a reseller id
How exactly does Company Portal get installed to a new device? I can't quite figure this out. I added it to Apple Business Manager, set up VPP token in Intune Connectors. Is that all I need to do? It doesn't show up in All Apps. I don't actually have a macOS device I can test on :/
You would still need to click sync on the token in intune. From there the app should appear in the apps section and your final step would be to assign that app to a group.
I am not seeing the option to manually enter Serial Number for Device Assignments. It only lets me enter an Apple Customer Number or Reseller Number. Is this option no longer available?
correct Apple did remove that functionality since the time of this recording
Can theese Turn of FMI
What happens if i add already in use Mac`s to DEP and enroll to intune... ? how will it affect the end user ?
To clarify are you saying the Macs are already in DEP? Or are these just macs the company owns that arent enrolled into anything?
@@t-minus365 No, Macs are not enrolled in anywhere. Mac`s are corporate owned but not managed. Im just starting to setup ABM account and thinking using ADE/DEP to enroll devices to Intune.
Thanks. Unless you are planning on wiping the device right now, then it wouldnt be able to be fully added to ADE. New devices you procure can and existing devices you could enroll into Intune and assign them an enrollment program token profile. THat way when you do wipe them in the future they would be part of that and get the OOBE you define.
Hello, in my Apple Business Manager, I cannot view the VPP token. How do I add the VPP token in Intune? When I attempt to deploy Apps via Intune to enrolled devices, it shows an installation status of "Waiting for install status". Please help
will a user profile be created in MAC Pc for user ( I.e will user be able to log into MAC PC with Azure AD Credentials)
it would ask them to sign in with an apple ID but if you have set up federation with Microsoft in ABM then the appleID creds would be tied to their Azure AD creds
@@t-minus365 My macbooks are getting stuck at the device management setup screen, asks me to enter credentials to our company but doesnt take them. Do you know if MFA could be causing the issue here? we have MFA setup for our company but apple isnt sending an MFA request. is it possible that MFA isnt supported in the setup assistant on MacOS?
Great Video, we saved thousands of $ for consulting with it. There is just one thing I don't understand. We have setup everything correct like you done in the video. When I open the company portal app (came through Apple Business Manager VPP) I have to login with my intune liscensced user (We have setup apple business manager and can create new managed apple id's on our old domain but did not federate with azure because we have issues with GDPR). But the problem is that with an managed apple id you are not allowed to download the apps I pushed via intune policy because it is directing me to apple app store. The thing is that managed apple id's aren't allowed to download apps. We want our employes coorperate phones have the chance to use apple appstore with their private apple id and all apps within company portal with their business apple id. Is this possible? Hope anyone can help us. Thank you so much for your support and the great video.
Hey Ben! Are you making the app assignment to the user or the device? I have seen use cases where this does not work if you assign the app to users but works ok if you assign to the device
I have set it up this very way for my organisation, so its called BYOD bring your own device, it allows our users to bring their own iPhones and use there own apple id, but when they download cp and log into there work email my policy kicks in and then downloads outlook, teams and edge etc and the data in these apps is kept encrypted on there device and separate from all other apps and storage etc this allows the users to use and keep there personal phones private but to also have company email and teams etc but data in outlook and teams etc is kept secure, you don't even need to use apple business manager for this, is all done by intone and company portal.. i also used a policy to block logging into work emails etc using the generic mail apps on android and iOS, so users must log into company portal and use the managed 365 apps... also i did not assign it to devices, i instead assigned it to a group of users.. this way any iOS devices or android, the minute they try to log into company email it blocks it and prompts them to download company portal and enrol that way...
How can i add custom app ?
how come I dont see the Device Assignment (16:18) when i log in to my Apple Business Manager. I have the administrator role
Apple got rid of this from their portal unfortunately with an update a while back
I need your help
Hi
Take a look at 7:53. You forgot to blur your info here.
Thank you Allen!
I followed all the steps but with ABM left menu it just says "devices" it doesn't say device management. I still don't know how to add the company devices to the system! dam apple makes everything so hard
That function was removed in ABM. You now have to add them using Apple Configurator.
Bro