This week a quick extra post. I noticed that there is not a lot of information available about manually adding devices to Apple Business Manager (ABM) for use with Automated Device Enrollment (ADE). That makes sense, because the idea is that devices are automatically added to ABM after purchase. However, sometimes it’s useful to be able to add devices manually. The easiest way to do that is to follow the two steps described below. Before starting with those steps, make sure that:
- an enrollment program token is available and that the synchronization between ABM and Microsoft Intune is active,
- Find My {AppleDevice} is disabled, and that
- a mobile configuration is available that contains the WiFi configuration to simplify the enrollment
Step 1: Create an Apple Configurator enrollment profile
The first step is to create an Apple Configurator enrollment profile. That profile will not actually be used, but creating it is a relatively easy way to retrieve the URL that is required in the second step. To retrieve that URL, simply follow the next seven steps.
- Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple Configurator to open the Apple Configurator | Profiles blade
- On the Apple Configurator | Profiles blade, click Create to open the Create Enrollment Profile wizard
- On the Basics page, provide a valid Name and (optional) a Description and click Next
- On the Settings page, select Enroll without user affinity and click Next
Note: The actual configuration doesn’t really matter – this configuration simply requires the least steps – as we only need the enrollment URL
- On the Review + create page, click Create to finish the wizard
- Back on the Apple Configurator | Profiles blade, open the just created profile and click Export Profile to open the Setup Assistant Enrollment blade
- On the Setup Assistant Enrollment blade, copy the Profile URL
Step 2: Prepare the Apple device
The second step is to prepare the Apple device. That preparation will make sure that the Apple device will be registered in ABM and that the device will be prepared for the out-of-the-box experience. To prepare the device, simply follow the next ten steps on a MacBook.
- Open Apple Configurator 2 on a MacBook, connect the Apple device that should be prepared, select the device and click Prepare
- On the Prepare Devices page, provide the following information and click Next
  - Prepare with: Select Manual Configuration as value
  - Select Add to Apple School Manager or Apple Business Manager
  - Select Allow devices to pair with other computers
- On the Enroll in MDM Server page, verify that New Server is selected and click Next
- On the Define an MDM Server page, specify the following information and click Next
  - Name: Provide a valid name for the enrollment server
  - Host name or URL: Specify the URL that was copied from the Apple Configurator profile in step 1
- On the Define an MDM Server page, select DigiCert Global Root G2 and click Next
- On the Sign in to Apple School Manager or Apple Business Manager page, sign in with a Managed Apple ID and click Next
- On the Create an Organization page, select Generate a new supervision identity and click Next
- On the Configure iOS Setup Assistant page, click Next
Note: The actual configuration doesn’t really matter – this configuration simply requires the least steps – as the configuration will be controlled by Microsoft Intune
- On the Choose Network Profile page, select the mobile config and click Next
- On the Automated Enrollment Credentials page, click Prepare to bring the device to Apple Business Manager and to prepare the device for Apple ADE
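A preflight check for the mobile config that is selected on the Choose Network Profile page, as an added example that is not part of the original post: it parses the profile and reports whether a Wi-Fi payload is present and how the network and its key are configured. The sample profile, SSID and key are constructed; the payload type and keys are those of Apple's com.apple.wifi.managed payload, and the lookup of the XML plist inside a signed profile is a heuristic.

```python
import plistlib

WIFI_PAYLOAD = "com.apple.wifi.managed"  # payload type of a Wi-Fi payload


def load_profile(raw: bytes) -> dict:
    """Parse a .mobileconfig. A signed profile wraps the XML plist in a CMS
    envelope, so locate the XML span first (heuristic, no signature check)."""
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def check_wifi_profile(raw: bytes) -> list[str]:
    """Return findings for the network profile; an empty list means none."""
    payloads = load_profile(raw).get("PayloadContent", [])
    wifi = [p for p in payloads if p.get("PayloadType") == WIFI_PAYLOAD]
    if not wifi:
        return [f"no Wi-Fi payload ({WIFI_PAYLOAD}) in profile"]
    findings = []
    for p in wifi:
        ssid = p.get("SSID_STR", "<missing SSID>")
        enc = p.get("EncryptionType", "Any")  # "Any" is the default
        if enc in ("None", "WEP"):
            findings.append(f"{ssid}: weak or no encryption ({enc})")
        if "Password" in p:
            findings.append(f"{ssid}: pre-shared key is stored in cleartext in the profile file")
        if not p.get("AutoJoin", True):
            findings.append(f"{ssid}: AutoJoin is disabled")
    return findings


# Constructed sample profile (not a real network or key).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Staging Wi-Fi (constructed)",
    "PayloadContent": [{
        "PayloadType": WIFI_PAYLOAD,
        "SSID_STR": "Example-Staging",
        "EncryptionType": "WPA2",
        "Password": "constructed-psk",
        "AutoJoin": True,
    }],
})

if __name__ == "__main__":
    for finding in check_wifi_profile(SAMPLE):
        print(finding)
```

A profile that carries the key in cleartext is best kept on a dedicated staging network and removed from the MacBook after the devices are prepared.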
You can actually skip creating the Apple Configurator enrollment profile in Intune. Within the Apple Configurator just add http://localhost as MDM server.
When preparing the device just skip the MDM registration. The device will be added to Apple Business and from there you can sync it to Intune and assign the appropriate Enrolment profile.
Thank you for sharing your experience John!
Hi Peter
In step 1.4 you mention: On the Settings page, select Enroll without user affinity and click Next.
Do you know the resulting difference if user affinity is set?
Hi kimmedi,
That doesn’t matter. As mentioned in the post, the actual configuration will be configured in the enrollment profile in Intune.
Regards, Peter
Hi Peter and John
I have two issues with this type of enrollment compared to Supplier DEP/ADE added devices.
Do you know any ways of avoiding:
1. Intune enrollment options for which screens should be visible at first device startup are overruled by Apple Configurator settings for visible steps in the setup assistant configuration, and it seems mandatory in Apple Configurator
2. I’m pretty sure there’s no workaround for this choice from Apple.
When using Apple Configurator there will be a 30 day period after enrollment, where the user is able to unenroll corporate owned devices as if they were BYOD, when using AC. Even worse, it’s mentioned at the bottom of the login screen on the device for the period.
Hi kimmedi,
I at least know for sure that the second is behavior as expected. See also the docs here: https://support.apple.com/en-gb/guide/apple-configurator-2/cad99bc2a859/mac.
Regards, Peter
I had to change the role on the account, to Device Enrollment Manager. It was set to staff.
That is correct. Thank you for the additional detail.
Regards, Peter
Hi Peter!
I’ve followed your guide to the letter and also tried the ‘localhost’ server address as suggested in one of the comments, but I can’t get it to work. I keep seeing the error “Provisional Enrollment Failed. The cloud configuration server is unavailable”.
I have access to 2 iPhones and also 2 different ABM tenants and I get the same error for both devices and both ABM tenants. Googling the error doesn’t really help.
Any idea? Have you seen this before?
Thanks and keep going with your blogs, they really are very good 🙂
Hi Jamie,
There are only two things that come up at this moment, 1) does your account have enough permissions in ABM and 2) are the devices Internet connected?
Regards, Peter
Hi Peter,
A user has unenrolled a corporate iPad within 30 days. How can I add this device to ABM again? I get an error, ProvisionalEnrollmentRejected.
Greetings Tinus
You mean after you added it via Apple Configurator? If so, you have to re-add it again.
Regards, Peter
That’s the problem, then I get this error.
Greetings Tinus
Hi Tinus,
In that case I would suggest to open a case with Microsoft for assistance.
Regards, Peter