Microsoft Endpoint Manager (Intune) - A set up guide (Part 3 - iOS/iPadOS Enrollment Setup)
Ed Collins
ICT, Systems and Network Engineering Veteran | Enterprise Endpoint Management Expert | Microsoft Azure Nerd | Change Manager | Project Manager
(This article is dated, and correct as of September 14th, 2020)
Overview
In the next few articles, I aim to lead you through setting up Apple enrollment from start to end.
This will cover:
- Initial setup prerequisites.
- Linking your Endpoint Manager (Intune) to Apple via an Apple MDM Push Certificate.
- Configuring Apple Business Manager.
- Configuring Managed Apple IDs by federating Apple Business Manager with Azure AD.
- Setting up the Apple Volume Purchase Program (VPP) - just the setup. I will talk about actual app creation and assignment (Mobile Application Management, MAM) in a later article.
- Apple's Automated Device Enrollment (formerly Apple's Device Enrollment Program, or DEP).
- Manual bulk enrollment using Apple Configurator 2 software.
Let's get into it!
Initial Setup Prerequisites
Before we get into the details, you will need a few things here.
Apple ID considerations
First of all, you will need to create an identity in Azure AD to be used as your Apple ID. If you will EVER consider federating Apple Business Manager with your Azure AD tenant, it is important to create this as its own identity and NOT as a secondary SMTP alias on a pre-existing identity. If you do not want to use this identity as your Apple Configurator 2 identity, you can create it as a Shared Mailbox.
I recommend keeping the naming convention simple: [email protected] or [email protected] are straightforward. This account does not need any access within your domain, but it must have a mailbox (Apple's verification and certificate emails land there), so either assign an inexpensive Exchange Online Kiosk license or create the identity as a Shared Mailbox. If you also plan to use Apple Configurator 2 to manually bulk-enroll devices, assign it an Intune license as well. Treat it as a privileged account: it will own your MDM push certificate and your Apple Business Manager enrollment, so protect it with MFA on the Azure AD side, keep two-factor authentication enabled on the Apple ID, and make sure someone actually monitors the mailbox.
Once you've created the identity in your Azure AD tenant, you must create an Apple ID for it.
Open an Internet browser and go to https://appleid.apple.com/
Click Create your Apple ID and fill in the details.
For now, this is all, but you may later want to consider creating separate Apple IDs for things like Line of Business App development certificates, Volume Purchase Plan setup, and others as required.
Email Considerations
During the setup, and afterwards, you will receive emails from apple.com, so make sure email from apple.com is not blocked or quarantined by your email protection system (spam / malware filter).
Create and Configure your Apple MDM Push Certificate
Open up Endpoint Manager (Intune) and browse to Devices > Enroll Devices > Apple enrollment.
Click on Apple MDM Push certificate.
Tick "I agree" under "I grant Microsoft permission to send both user and device information to Apple".
Click on the Download your CSR link (CSR is a Certificate Signing Request)
Once that is downloaded, click on the Create your MDM push Certificate link.
This opens a new browser tab at https://identity.apple.com/pushcert/ where you will be prompted to sign in with your Apple ID (the one you created in the Initial Setup Prerequisites section, above).
Click on the Create a Certificate button
Read the Terms of Use and then tick "I have read and agree to these terms and conditions" once you are satisfied.
Click Accept.
Enter some descriptive Notes and then click Choose File to browse to and select your downloaded CSR from Endpoint Manager (Intune).
Click Upload
You will then see a Confirmation page stating that:
You have successfully created a new push certificate with the following information:
- Service: Mobile Device Management.
- Vendor: Microsoft.
- Expiration Date: 1 year from today.
Click Download to download your lovely new Certificate.
You can close the Apple Push Certificates Portal browser window now if you want.
Go back to your Endpoint Manager (Intune) Portal
Enter your Apple ID (e.g. [email protected])
Under "Browse to your Apple MDM push certificate to upload", click on the folder icon to browse to and select your recently downloaded Apple MDM Push certificate.
Click Upload.
Give yourself a high five and get a beer (or a coffee if you are in the office), you just linked Apple to your Endpoint Manager (Intune).
Renewing your Apple MDM Push Certificate
I should point out here that this certificate only lasts for 1 year. If it lapses, every enrolled Apple device loses contact with Intune and has to be re-enrolled, so put the expiry date in your calendar. Just as important: renew it with the SAME Apple ID you used to create it. Creating a brand new certificate under a different Apple ID instead of renewing has the same effect as letting it expire, because the devices are bound to the original certificate's topic.
Renewing is straightforward.
Open Endpoint Manager (Intune) and browse to Devices > Enroll Devices > Apple enrollment > Apple MDM Push certificate.
Download your CSR again, and then click on Create your MDM push Certificate.
On the Apple Push Certificates Portal, find your certificate in the list and click Renew.
Browse to your newly downloaded CSR and Upload it.
Then Download the certificate.
Close the Apple Push Certificates Portal.
Back in Endpoint Manager (Intune), enter your Apple ID and browse to and Upload your newly downloaded certificate.
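Because an expired push certificate silently breaks MDM communication with every enrolled Apple device, it is worth checking the expiry of the downloaded .pem yourself from a scheduled job rather than relying on remembering the anniversary. The following Python script is an added example and is not part of the original article or of Microsoft's or Apple's tooling: it walks the certificate's DER structure with the standard library only (no third-party `cryptography` package), reports days until `notAfter`, and flags it once a renewal window (assumed here to be 30 days) is reached. The `sample_cert_pem()` helper builds a constructed, unsigned certificate skeleton so the script runs offline; point `cert_not_after()` at the real file Apple gave you instead.

```python
import base64
import re
from datetime import datetime, timezone

RENEW_WARNING_DAYS = 30  # assumption: start nagging a month before the 1-year certificate lapses


def utc_date(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    """Encode one DER TLV element."""
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Decode the DER element at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                        # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """UTCTime (tag 0x17, YYMMDDHHMMSSZ) or GeneralizedTime (tag 0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:
        text = ("20" if int(text[:2]) < 50 else "19") + text   # RFC 5280 century rule
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_not_after(pem):
    """Return the notAfter timestamp of a PEM certificate by walking its DER structure."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    _, cert, _ = _read_tlv(der, 0)             # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)             # tbsCertificate SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        _, _, pos = _read_tlv(tbs, pos)        # serialNumber
    _, _, pos = _read_tlv(tbs, pos)            # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)            # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)       # validity ::= SEQUENCE {notBefore, notAfter}
    _, _, after_pos = _read_tlv(validity, 0)   # notBefore (skipped)
    tag, not_after, _ = _read_tlv(validity, after_pos)
    return _parse_time(tag, not_after)


def days_until_expiry(pem, now=None):
    now = now or datetime.now(timezone.utc)
    return (cert_not_after(pem) - now).days


def renewal_status(pem, now=None):
    """OK / RENEW_NOW / EXPIRED: the value a scheduled job would alert on."""
    days = days_until_expiry(pem, now)
    if days < 0:
        return "EXPIRED"
    if days <= RENEW_WARNING_DAYS:
        return "RENEW_NOW"
    return "OK"


def sample_cert_pem(not_before="200914000000Z", not_after="210914000000Z"):
    """Constructed, unsigned certificate skeleton carrying only the fields the parser needs.
    Sample data for offline use; a real Apple push certificate has full issuer/subject/key fields."""
    def utc(s):
        return _der(0x17, s.encode("ascii"))
    placeholder = _der(0x30, b"")              # empty SEQUENCE stands in for real sub-structures
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),       # version v3
        _der(0x02, b"\x01"),                   # serialNumber
        placeholder,                           # signature algorithm
        placeholder,                           # issuer
        _der(0x30, utc(not_before) + utc(not_after)),
        placeholder,                           # subject
        placeholder,                           # subjectPublicKeyInfo
    ]))
    cert = _der(0x30, tbs + placeholder + _der(0x03, b"\x00"))   # + sigAlg + empty BIT STRING
    b64 = base64.b64encode(cert).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_cert_pem()
    print(cert_not_after(pem).date(), days_until_expiry(pem), renewal_status(pem))
```

Run it as `python check_push_cert.py "path/to/your downloaded certificate.pem"`; with no argument it evaluates the constructed sample. Wire the returned status into whatever alerting you already have so the renewal is a ticket, not a surprise.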
Configuring Apple Business Manager
Apple Business Manager (ABM) is a vital tool if you want to buy content (apps and books), configure Automated Device Enrollment and create management (admin) accounts. It is also a prerequisite for Managed Apple IDs (we will cover that later).
In order to enroll for Apple Business Manager, open an Internet browser and go to: https://business.apple.com/#enrollment
You have to fill out your details, including:
- Organization Name, Phone Number, Website and Time Zone
- D-U-N-S Number (A unique 9-digit number provided by Dun & Bradstreet which is used to identify your business - For more info, go to https://www.dnb.com/duns-number.html)
- Your details (enter the details of your AppleID here)
- Verification Contact details (This is a person who can bind your organization to the Apple Business Manager terms and conditions, e.g. your CIO or CTO, or a Director of Finance / Purchasing. Apple WILL contact this person to confirm enrollment, so give them a heads up that you are doing this)
Click Continue.
Review the information that you put in very carefully and, when you are happy, click Submit.
You should receive an email stating "Your enrollment is in review"
During this review, the Verification Contact is called and asked to confirm information about you and your organization before your enrollment is approved.
Once phone verification is complete, your Verification Contact will receive an email stating "Thank you for verifying your organization".
Ask them to open the email and click on the “Confirm” button to let your [email protected] user be an administrator of Apple Business Manager. They must also check the box indicating that they approve your [email protected] user to accept responsibility for signing the Apple Business Manager terms and conditions on behalf of the organization.
Your [email protected] account will then receive an email stating "Enrollment Complete".
Open that email and click on the "Get Started" button.
Log in to Apple Business Manager with your [email protected] account and accept the Terms and Conditions.
BOOM! You're in! That wasn't so hard, was it?
You can now add more Administrator accounts should you need to. Roles that you can add people to are:
- Administrator - Responsible for ABM and for accepting ABM Terms and Conditions (not to be granted lightly)
- People Manager - Responsible for specific locations and manage individuals and content for that location.
- Device Enrollment Manager - Manage devices and MDM Servers.
- Content Manager - Responsible for volume purchasing at their assigned locations, they manage licenses for apps and books.
- Staff - Non-managerial personnel with a Managed Apple ID (we will talk more about this in the next section). Can use devices and consume apps and books licenses. Cannot log in to ABM
Configuring Managed Apple IDs
If you know for a fact that none of your end users are using their company email addresses for Apple IDs, then I strongly recommend that you do this now.
If some of your end users ARE using their company email addresses for Apple IDs already, then this set up will require some planning and a LOT of communication to your users to explain what is happening.
What this basically involves is Federating your Apple Business Manager with your Azure Active Directory tenant.
What does that mean?
(from: https://support.apple.com/en-ca/guide/apple-business-manager/apdb19317543/web)
“You use federated authentication to link Apple Business Manager to your instance of Microsoft Azure Active Directory (AD). As a result, your users can leverage their MS Azure AD user names and passwords as Managed Apple IDs. They can then use their MS Azure AD credentials to sign in to their assigned iPad or Mac and even iCloud on the web. Users can also use it to sign in on Shared iPad.”
It's important to note off the bat that if a user signs in to a corporate device with a Managed Apple ID, the user cannot purchase apps through the App Store on that device; apps must be assigned using Endpoint Manager (Intune). They will also not be able to use Apple Pay on that device to enter personal credit card information.
What is a Managed Apple ID?
Traditionally, individual users create Apple IDs designed for personal use.
They are used for activities such as app licensing, managing iCloud accounts, accessing iCloud services, etc.
Once created, the original user is the only user able to access the ID.
This presents a number of difficulties when used at scale in a business environment (see below).
Managed Apple IDs are Apple's solution to overcoming these difficulties while still providing similar functionality. The benefits include:
- Eliminates the requirement for using personal Apple IDs, or creating new @mycompany.com Apple IDs for your corporate devices – Apple Business Manager controls the Managed Apple IDs
- Eliminates redundancy and creates IDs en masse
- Provides another (yes, ANOTHER) method of enrolling into Endpoint Manager (Intune) for personal (Bring Your Own Device, or BYOD) devices, called User Enrollment. I'm not going to discuss this method, but you can read about it here: https://simplemdm.com/apple-user-enrollment/
How to go about getting this done (a.k.a. Let me do the planning for you)
Communication
This is going to be, by far, the most important piece of this.
I suggest that you create 3 succinct communications:
- Communication 1 - should go out at least 1 week before you start federation to tell users what is happening, when and why and what to expect.
- Communication 2 - should go out the day you flip the switch (to remind them)
- Communication 3 - can be a reminder sent throughout the switch over
Apple automatically sends out emails and device notifications for Resolving User Conflicts once you flip the switch.
In order to prepare for these communications, you will need to ensure all users can receive emails from Apple by adding a whitelist entry for: [email protected] to your Email protection system.
Domain Verification
- Login to Business.Apple.com with an Administrator account
- Click Settings
- Select Accounts
- In the Domains section, click Edit
- Click Verify next to MyCompany.com
- Copy the TXT value
- Login to your DNS management tool
- Edit the TXT record set for @ (or add a new TXT record at @ if your DNS provider keeps one record per entry)
- Paste the copied value in as its own, separate value and save it. Do NOT append it to the existing v=spf1 string: that corrupts your SPF record and breaks outbound mail authentication.
- Wait for a period of time (it can take up to 2 hours for DNS changes to propagate)
- Back in Apple Business Manager, click Check Now next to the verification to ensure this was successful.
Note: Once this is complete, the domain is locked and users will not be able to create new @mycompany.com Apple IDs
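The "Check Now" button only tells you whether Apple found its value; it does not tell you whether you damaged anything else on the way. The following Python script is an added example, not from the article: it takes the apex TXT record set (pasted from `dig +short TXT mycompany.com`, or from `Resolve-DnsName -Type TXT` output reformatted the same way; here a constructed sample) and confirms the Apple value is present as its own record, that exactly one SPF record exists, and that the Apple value was not pasted inside it. The `apple-domain-verification=` prefix is the form of value I have seen ABM hand out; treat it as an assumption and compare against whatever the portal shows you.

```python
import re

APPLE_TXT_PREFIX = "apple-domain-verification="   # assumed form of the value ABM shows you

# Constructed sample: what `dig +short TXT mycompany.com` might return after a correct edit.
SAMPLE_DIG_OUTPUT = '''"v=spf1 include:spf.protection.outlook.com -all"
"apple-domain-verification=AbCdEf0123456789"
"MS=ms12345678"
'''

# Constructed sample of the classic mistake: the Apple value pasted INTO the SPF string.
SAMPLE_BROKEN_OUTPUT = '''"v=spf1 include:spf.protection.outlook.com -all apple-domain-verification=AbCdEf0123456789"
'''


def parse_txt_records(dig_output):
    """Turn `dig +short TXT` output into plain strings, re-joining multi-string records."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line:
            continue
        # each record is one or more quoted strings; concatenate them as resolvers do
        parts = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        records.append("".join(parts))
    return records


def check_apex_txt(records, expected_value):
    """Report whether the Apple value is present on its own and SPF is still intact."""
    result = {"apple_present": False, "spf_count": 0, "spf_polluted": False}
    for rec in records:
        if rec.strip() == expected_value:
            result["apple_present"] = True
        if rec.lower().startswith("v=spf1"):
            result["spf_count"] += 1          # RFC 7208: more than one SPF record is a permerror
            if APPLE_TXT_PREFIX in rec:
                result["spf_polluted"] = True
    result["ok"] = (result["apple_present"]
                    and result["spf_count"] == 1
                    and not result["spf_polluted"])
    return result


if __name__ == "__main__":
    expected = "apple-domain-verification=AbCdEf0123456789"   # paste the value from ABM here
    for label, output in (("good", SAMPLE_DIG_OUTPUT), ("broken", SAMPLE_BROKEN_OUTPUT)):
        print(label, check_apex_txt(parse_txt_records(output), expected))
```

Run the check after the DNS change has propagated and before you click Check Now; a `spf_count` other than 1 or `spf_polluted` being true means fix DNS first, because the mail outage will bite long before the federation does.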
Federation
1. Login to Business.Apple.com with an Administrator account
2. Click Settings
3. Select Accounts
4. In the Federated Authentication section, click Edit
5. Click Connect
6. Sign in to Azure AD with a Global Administrator account (this consents to Apple's enterprise application in your tenant; you can review it afterwards under Azure AD > Enterprise applications)
7. Click Accept on the Permissions request (see screenshot below)
8. Click Done
9. In the Domains section, click Edit
10. Click Federate next to MyCompany.com
11. Sign in to Azure AD with a Global Administrator account
12. Click Done
13. Wait until the check for existing Apple IDs using @mycompany.com completes
14. Once complete, Apple Business Manager shows how many Apple IDs are already using @mycompany.com
15. Click Send Notifications (see Resolving User Conflicts, below)
16. Click the slider to Enable Federation
17. After 60 days, federation is complete
Resolving User Conflicts
When you click on Send Notifications in point 15 (above), users will receive the following email:
For the first 30 days, users will receive this email, prompting them to sign in to AppleID.Apple.com from a macOS or iOS device on which they are using their Apple ID.
When they sign in, they will see the following message asking them to enter a new email address to use as their Apple ID.
They will also receive device notification (if their device is on iOS 11.3 or later).
On day 30, if the Apple ID is logged into any iCloud services, it will be logged out.
When the user logs back in using this Apple ID, they will get this same message (above) to enter a new email address to use as their Apple ID
On day 61, your company will assume ownership of the Apple ID.
At this stage, the @MyCompany.com Apple ID is essentially wiped and becomes a brand new Apple ID with no content.
Users who have not migrated their Apple ID to a non @MyCompany.com email address will be emailed with a temporary Apple ID with the same password as their original Apple ID. All of their content will be in the temporary Apple ID and they will be forced to change it to a non @MyCompany.com email address.
For more information on this and some useful wording for your communications to your end users, take a look at this Apple article: https://support.apple.com/en-ca/HT209349
Check back for the next article (next week, hopefully), which will cover:
- Setting up the Apple Volume Purchase Program
- Apple's Automated Device Enrollment
- Apple Configurator 2
Resources
I would recommend going through the Microsoft Endpoint Manager (Intune) Deployment Guide to give you more information about this planning.
I would also recommend creating a Reddit account and joining r/Intune. It is an extremely helpful and knowledgeable community of Intune users and admins.
For video tutorials and up to date training, another great resource is this Intune Training YouTube Channel
Introduction to me, Ed Collins.
I've worked in the IT industry now for over 20 years, in 3 different countries, becoming a "jack-of-all-trades" SME in a number of different technologies.
I started after University (where I graduated with a BSc (hons) degree in Computing Science back in 1999) in England as a Technical Author, writing manuals and HTML help systems for Accounting Software (combining 2 of the most notoriously nerdy industries, IT and Accounting!!).
In 2001, I moved into the Systems Admin space, where I stayed (albeit in 3 different countries, England, New Zealand and Canada) until today, traversing various roles from Systems Admin / Engineer or Senior Systems Admin, to Systems Manager, having a couple of forays into Project Management and ITIL & Change Management before landing in my current role as a "Microsoft Technical Analyst".
By far my favourite technology space I have worked in to date has been Enterprise Mobility.
In this article, and a few to follow, I want to walk through my method of configuring Microsoft Endpoint Manager (Intune).
To some, this may not be relevant or may be boring.
To others, like me, this may be a fascinating topic to start a conversation and/or a useful article to help you.
Please feel free to contact me about this article to discuss the topics, correct me or add to the information provided.
Comment from Navigating from Prem to Cloud (4 years ago): Nice work Ed!!!