Hello Folks! in this blog I will walk you through the steps to set up an Apple automated enrollment token (ADE) in Intune
Using Automated Device Enrollment, you can automate Mobile Device Management (MDM) enrollment and simplify initial device setup. Activating devices without touching them allows you to monitor and lock MDM enrollment for ongoing management. Automated Device Enrollment allows administrators more control over devices than other enrollment methods. This is done by enabling Supervised Mode which enables advanced device management capabilities, such as silent app installation, restricted access to apps, lockable MDM enrollment, kiosk mode, activation lock bypass, etc. for example, preventing the MDM profile from being removed, enabling lost mode, etc.
Devices enrolled through automated device enrollment running iOS/iPadOS 11+ should be in supervised mode, which can be enabled in the enrollment profile. When enrolling devices running iOS/iPadOS 13.0 and later, Microsoft Intune ignores the is_supervised flag, since these devices are automatically put in supervised mode.
Automated Device Enrollment works on any of these devices
Apple's automated device enrollment supports iOS devices with iOS 7 or later, iPadOS, Mac computers with OS X Mavericks 10.9 or later and Apple TV devices (4th generation or later) with tvOS 10.2 or later.
How to add Devices (iOS/iPadOS & MacOS)
Devices must be purchased directly from Apple, Participating Apple Authorized Resellers, or from network/cellular carriers.
What about existing devices that have already been purchased?
Using Apple Configurator 2, you can add existing devices to Apple Business Manager regardless of where they were purchased.
Your reseller (Participating Apple Authorized Resellers) may be able to assign existing devices to your ABM account if the devices are purchased from them.
Prerequisites
Note: These prerequisites are only setting up apple automated device enrollment (ADE) token in Intune
Access to Microsoft Endpoint Manager (Intune)
Access to Apple Business Manager (ABM is free for organizations)
Enable Apple Push Notification Service (APNS) Certificate, I had written a blog on how to add APNS in Intune please find the Link
You can enroll your organization to ABM by following the below steps
Go to Apple Business Manager
Click "Enroll now."
Enter the information for your organization, you need to know your D-U-N-S Number
To verify your enrollment information, Apple will contact your verification contact - typically a legal representative of your organization.
When your enrollment is complete, you'll receive an email after your information is verified and your enrollment is approved.
ADE token limitations
The maximum number of profiles that can be created under one token is 1000
The maximum number of Automated Device Enrollment devices per profile is 200,000
The maximum number of Automated Device Enrollment tokens per Intune account is 2,000
The maximum number of Automated Device Enrollment devices per token is 200,000
Microsoft recommends that you don't exceed 200,000 devices per token. Otherwise, you might have sync problems. If you have more than 200,000 devices, split the devices into multiple ADE tokens.
Apple Business Manager syncs about 3,000 devices to Intune per minute. It is recommended that you hold off manually syncing from the admin console until all the devices have finished syncing (total number of devices/3,000 devices per minute).
Get an Apple automated device enrollment token
Now let's go through the configuration of Apple's automated enrollment token in Intune.
Step 1: Log in to the Endpoint Management Admin center Link, select Devices, and Select iOS/iPadOS from By Platform
Step 2: Select iOS/iPadOS enrollment and tap on Enrollment program tokens which will take you to the page where you will add the ADE token
Step 3: Tap on +Add to start adding an ADE token
Step 4: From the add enrollment program token page tick on I agree and tap on Download your public key this will download a public key which needs to be provided back in ABM to generate an apple token
Intune token is downloaded with the .pem extension
Step 5: Sign in to the Apple business manager Link with your AMB credentials
This will take you through 2-step verification please provide the details and tap on the appropriate options
Step 6: Tap on your account and select Preferences, you can see the MDM servers tap on Add to add a new MDM server.
Step 7: Provide an MDM server name, upload the public key download in step 4, and tap on Save
Tap on Download Token, this token is required to establish the connection and top on Download Server Token
Step 8: Provide the Apple ID used to establish the connection this is required for future reference, upload the Apple token downloaded on Step 7 and tap on Next
Step 9: Review the details and tap on Create, this will complete the Automated device enrollment and you can see the status as Active, Expiration date, days until expiration, and the last sync status.
You can see the token as active on the enrollment program token page
Conclusion
The purpose of this blog is to guide you through the process of adding an Apple automated enrollment token to Intune.