Integrating and Configuring Workspace ONE UEM With Apple Business Manager (ABM/DEP) and Volume Purchase Program (VPP)

-

Integration with Apple Business Manager / Apple School Manager is a key step when using Workspace ONE to manage Corporate owned Apple devices. This extra step allows you to ensure that your devices are enrolled, and remain to be enrolled, in Workspace ONE. It also simplifies the enrollment process in that the the device is automatically enrolled into Workspace ONE UEM as part of the device setup process.


Part 1: Integrating UEM and DEP


Requirements: Apple Business Manager (ABM) or Apple School Manager (ASM) tenant.


  1. In the Workspace ONE UEM console, go to Settings > All Settings > Device and Users > Apple > Device Enrollment Program
  2. Click Configure
  3. Download the public key



In ABM, Click the Organization and then Preferences and the + to add an MDM Server


Graphical user interface, text, application, chat or text message Description automatically generatedGraphical user interface, application Description automatically generated


Give the MDM Server a Name and Upload the public key downloaded from the UEM console

Graphical user interface, text, application, email Description automatically generated


Download the Token (sToken)


Graphical user interface, text, application Description automatically generated


Graphical user interface, text, application, chat or text message Description automatically generated



Configure Default Device Assignment


Graphical user interface, application Description automatically generated


Upload the token into the UEM console


Graphical user interface, text, application Description automatically generated


Configure authentication settings for the DEP profile.


Note: Custom enrollment settings create a popup window on the device that can used to customize the enrollment as opposed to the standard Username and Password prompt that would be typically seen. This is shown in the enrollment screens towards the end of this document.


Device organization group can be overruled based on OG logic. Refer to https://kb.vmware.com/s/article/83132 for more details.


Graphical user interface, text, application Description automatically generated



Configure MDM settings for DEP profile


Graphical user interface, text, application, chat or text message Description automatically generated



Configure setup assistant screens


These are the screens that are shown during the device setup wizard. Note only Location Services is enabled here.


Graphical user interface Description automatically generated


Configure Sync and Assignment settings for DEP profile


Graphical user interface, application Description automatically generated


DEP Profile is complete


Graphical user interface, text, application, email Description automatically generated






Part 2: Integrate UEM and VPP


In Apple Business Manager, go to Preferences and Payments and Billing. Download the Server Token (sToken)


Graphical user interface, text, application Description automatically generated



In UEM, go to Settings > All Settings > Devices and Users > Apple > VPP Managed Distribution.


Provide a friendly name for the description and upload the sToken.


Graphical user interface, text, application, email Description automatically generated



Part 3: Adding a device to Apple Business Manger


Requirement: Apple Configurator 2 & macOS device


Connect your iOS device to the mac and launch Apple Configurator.


Select the device to make it active and click Prepare


Graphical user interface, application, PowerPoint Description automatically generated



Uncheck Activate and complete enrollment. Click Next.


Graphical user interface, text, application, email Description automatically generated


Select New Server and Click Next.


Graphical user interface, text, application, email Description automatically generated



Enter the name Apple Business Manager. Leave the URL as is and click Next


Graphical user interface, text, application, email Description automatically generated


Click Next on the warning


Graphical user interface, text, application, email Description automatically generated



Click next without entering any certificates

Graphical user interface, text, application Description automatically generated


Select New Organization and click Next


Graphical user interface, text, application, email Description automatically generated



Sign into Apple Business Manager. There will be a browser popup windows that you will need to sign into.


Graphical user interface, text, application Description automatically generated


Select Generate a new supervision identity and click Next


Graphical user interface, text, application, email Description automatically generated



Select Show all steps and click Next (They will be controlled in UEM)


Graphical user interface, application Description automatically generated


Click Prepare on the Network Profile screen


Graphical user interface, text, application Description automatically generated

Authenticate on the mac


Graphical user interface, text, application Description automatically generated


Apple Configurator will prepare the device and register it Apple Business Manager. You may need to factory reset your device after this process is complete.


In Apple Business Manager, select Devices to verify that the device was added


Graphical user interface, application Description automatically generated



In UEM, click Fetch All Devices to sync with Apple Business Manager


Graphical user interface, text, application, email Description automatically generated



Go to Devices > Lifecycle and verify that the device is listed


Graphical user interface, application Description automatically generated


Part 4: Add Intelligent Hub as a purchased app


In Apple Business Manager, go to Apps and Books and search for Intelligent Hub


Graphical user interface, text, application Description automatically generated



Enter a license count and click Get


Graphical user interface, application Description automatically generated


In the UEM Console, Apps > Native > Purchased and click Sync Assets. Then select Intelligent Hub and click Enable Device Assignment (this will allow the app to be pushed without the user having to enter a Appstore Account ID).


Graphical user interface, application Description automatically generated


Using the regular assignment group method, assign Intelligent Hub to the iOS devices.


Part 5: Enrolling the DEP device


Reset factory device and work through the device setup process


Background pattern Description automatically generated with low confidence Graphical user interface, application Description automatically generated


Graphical user interface, text, application Description automatically generated Graphical user interface, text, application Description automatically generated


Graphical user interface, text, application Description automatically generated A screenshot of a phone Description automatically generated with low confidence


Text, letter Description automatically generated Text, letter Description automatically generated



In this example, Token based enrollment is in use. The Custom Enrollment setting popup is shown. If this setting was not used, the standard DEP Username/Password prompt would be displayed.


Text, letter Description automatically generated


A picture containing chart Description automatically generated



Note the only setup screen to be shown was Location Services, as per the settings in the DEP profile


Device enrollment is complete and Intelligent Hub downloads.


Text, letter Description automatically generated A screenshot of a cell phone Description automatically generated with low confidence


 

Comments

Post a Comment

Popular posts from this blog

Windows device lifecycle. Hands-off reprovisioning with Workspace ONE.

-
Image
There are multiple options available for onboarding a Windows desktop into Workspace ONE UEM. Different options are available depending on if the device is a Greenfield device (brand new out-of-the-box device) or a Brownfield device (currently used device, possible under a legacy device management system). But what about device recycling? How do you enroll a device that has been returned to IT? Typically, this is a hands-on approach and will involve multiple steps that will look something like: Re-imaging the device, via USB or Windows Deployment Services (WDS). Logging in as the staging account. Downloading Intelligent Hub. Enrolling as the staging user. Logging out. Handing the device off to the final end user, or placing it back into stock. Workspace ONE Tunnel (or other pre-auth VPN) if the device is to be domain joined. If testing using a VM, ensure that the VM has been assigned a serial number What if there was a better way? What if you could deploy a new image to a device and ha...
Read more

Deploying certificates to the Quest 2

-
Image
I spent some time working with the Workspace ONE XR Hub team (find out about HR Hub here ) and whilst it is very simple to install a certificate to a Quest enrolled in Workspace ONE, it's not that simple to install one on a non-enrolled device. Why would you want to install a certificate on an Oculus Quest you might ask? Well, I am a volunteer CS teacher for TEALS  and the school I was working with purchased some Quest 2 headsets for the students. Unfortunately, she was unable to connect them to the school network as the network was protected by securly an needed a certificate installed on the device before it was able to connect to the network. The schools IT team were unable to help and since I had experience with the Quest 2 while working with XR Hub team I was asked if I could help. The Quest 2 (like most VR/XR headsets) runs a version of Android AOSP  heavily customized by the OEM. If I could get to the underlying O/S, I would be ...
Read more

Adobe Acrobat Reader customizations for Windows

-
Image
Adobe Acrobat Reader is an essential tool when working with PDF documents but is not the easiest tool deploy to a fleet of Windows devices. Adobe has made available a customization wizard however that can be used to modify the package for easier deployment. Required items: Adobe Acrobat Reader MUI 64-bit Adobe Acrobat Customization Wizard 7-zip (or other zip archive utility) Note: The Customization Wizard only works in the multi-language, 64-bit version of Adobe Reader. Step 1: Download required software. Download both Adobe Reader and the Customization Wizard linked above. Step 2: Install the Customization wizard Step 3: Extract Acrobat Reader executable file into a folder Step 4: Launch the customization wizard and open AcroPro.msi Step 5: Modify the following items: Personalization options: Suppress display of End User License Agreement Installation Options: Make reader the default PDF viewer Run installation Silently (no interface) Suppress reboot Online services and features Disa...
Read more