Apple Business Manager

👋 Introduction

Apple Business Manager (ABM) is a web portal that helps organizations easily deploy and manage Apple devices, apps and accounts. It unifies device enrollment, app purchasing and managed account provisioning into a single, streamlined portal. You can also connect Apple Business Manager to your existing MDM to centralize management across your organization.

Key features

Automated Device Enrollment directly from the carrier or reseller
Central app and book purchasing
Federated managed Apple Accounts
Integration with MDM solutions

👨‍💼 Create Apple Business Account

Admins can sign up for Apple Business Manager and start using basic features in minutes without cost. You need to verify your organization to use the full feature set, like Automated Device Enrollment, App Store volume purchasing and managed Apple IDs.

TIP

Use a dedicated service account for the Apple Business Manager instead of a user email account. This email address becomes your administrator managed Apple Account. This ensures that your future access remains independent of specific employees.

Create the Account

Go to https://business.apple.com/ and select Sign up now, then Get Started.

Enter your information and select Continue.

Next, create and confirm a password for your new account, then enter your phone number.

IMPORTANT

A one-time verification code is sent to your email address first, then a different code is sent to your phone number.

Lastly follow the prompts to finish setting up your Apple Business Manager account.

Verify your company

After you created your Apple Business Account you should verify your company, so you can take full advantage of all the features of Apple Business Manager.

Without verifying your organization, you can’t access certain features of Apple Business Manager and Apple Business Essentials (An additional subscription service that provides a few additional features, but nothing important for device management. Learn more here):

Feature	without verification	with verification
Managed Apple Accounts	✅	✅
AppleCare support	✅	✅
Domain verification	✅	✅
Domain Capture	❌	✅
Connecting to an identity provider (IdP)	❌	✅
Federated authentication	❌	✅
Directory sync	✅	✅
Essentials app (This feature is available only with Apple Business Essentials)	✅	✅
User Enrolment	✅	✅
Device Enrollment	❌	✅
Automated Device Enrollment	❌	✅
Edit device management service assignments	❌	✅
Add device management service	❌	✅
Access beta features	❌	✅
iCloud sharing outside the organization	❌	✅
iMessage and FaceTime	❌	✅
Apps and Books Store	❌	✅
AppleCare repairs (This feature is available only with Apple Business Essentials)	❌	✅
2 TB iCloud storage (This feature is available only with Apple Business Essentials)	❌	✅
Device plans availability (This feature is available only with Apple Business Essentials)	❌	✅

INFO

Verification can take a few business days, depending on how busy Apple is and whether they can reach the contact you provided. If your organization isn’t approved in time, Apple will delete the organization and its data.

Go to https://business.apple.com/, sign in and open the settings page.
Go to the Organization Settings and select Verify, then enter your organization’s D-U-N-S (Data Universal Numbering System) Number (To learn more about locating or requesting a D-U-N-S Number click here).
Enter the contact information for someone Apple can call to verify your organization. This needs to be a person with authority to speak on behalf of your organization, such as your CEO, CTO or CFO.
Now wait and look for an email from Apple Business Manager with the subject “Your enrollment is in review”. During the review, Apple will contact your verification contact to confirm your information. Make sure emails from any apple.com address aren’t blocked, and call back quickly if you miss a call so the process can continue.

TIP

After your organisation is approved, create one additional user with the Administrator role as a backup, so you can recover access if your standard admin account gets lost. You can create users in the Users blade of the Apple Business Manager portal and assign roles via the Access Mangement blade, in the main menu.

🔗 Connect Apple Business Manager with Intune

Connecting an MDM to Apple Business Manager makes it easy to set up and manage Apple devices. New devices can configure themselves automatically with the right apps and settings, reducing the need for manual work. It also improves security and ensures your organization keeps control of its devices throughout their lifecycle.

Connect Apple Business Manager with Intune

Open the Microsoft Intune admin center, go to Devices -> Enrollment and open the Apple tab.
Now select Apple MDM Push Certificate and start the configuration.

First you need to give Microsoft permission to exchange data with Apple.
Next, click on Download your CSR to download the Intune certificate signing request (.csr) file.
Now go to the Apple Push Certificates Portal and sign in with the same Apple ID you used for the ABM.
Select Create a Certificate and accept the terms and conditions.

Upload the Intune certificate signing request (.csr) file you downloaded earlier and select Upload.

After the upload is complete, you get a confirmation that the certificate was created successfully. Then download the Apple MDM push certificate (.pem) file.

Now back in the Intune portal, enter the Apple ID you used to create the Apple MDM push certificate, upload the .pem file you just downloaded from Apple and click Upload.
After that the status of the Apple MDM Push Certificate should show as Active.

Configure automatic enrollment token

To now set up automatic enrollment for Apple devices, you need to create an enrollment profile in Intune and assign it to the devices in Apple Business Manager.

Open the Microsoft Intune admin center, go to Devices -> Enrollment and open the Apple tab.
Now select Enrollment program tokens under the Bulk Enrollment Methods and click Create.

As before you neew to give Microsoft permission to exchange data with Apple and then Download your public key (.pem) file.
Then open the ABM portal and go to the Settings page.
Under Device Management Services, select Add.

Give your new MDM a name, create it, open it and then click Download Token.

In the window that appears, you should check the box for the MDM to be able to release devices, then upload the public key (.pem) file you downloaded from Intune and click Save.

The token you just created should now download and you can upload it back in Intune and enter your AppleID again.
Click Next, add Scope Tags if needed and Review + create.
Lastly you should go back to the ABM Portal and configure your default MDM per device type. You can do that by opening the settings page and selecting your MDM for the different device types under Management Assignment.

Configure automatic enrollment profile

Now that you have created the enrollment token, and the Status in the Intune Portal is Active, you can create an enrollment profile by clicking on the token in the list.

Click on Profiles, then click Create profile and select if you want to create an iOS/iPadOS or macOS profile.

Now give your profile a name and description, then click Next.
In the Management Settings section, you can configure how your devices should enroll.

iOS/iPadOS Profile	macOS Profile

User affinity: You can enroll with user affinity or without user affinity. iOS/iPadOS devices can additionally enroll in shared Entra mode.
Authentication Method: You can choose between Setup Assistant (legacy) or Setup Assistant with modern authentication. iOS/iPadOS devices can additionally use the Company Portal.
Locked enrollment: Prevents the user from removing the management profile through system preferences or terminal.
Await final configuration: Pauses and locks Setup Assistant before the home screen so Intune can finish applying critical settings.

In the Setup Assistant section, you can enter the Department and Phone Number you want to show up for the end user. You can also choose which Setup Assistant screens to show or hide during device enrollment.

Example:

In the macOS profile you can also configure additional Account Settings, for a potential local admin and user account on the device.

Then click Next and Review + create.
In the Profile you can now, next to the automatically assigned devices, also manually assign devices that are already in Intune.

If you now go back to the Profiles list directly under the Enrollment token, you can also set default profiles for iOS/iPadOS and macOS.

Configure enrollment Type & Notifications & Restrictions

If you additionally want configure a default enrollment method for non automated enrollments you can create an enrollment type profile.

Open the Microsoft Intune admin center, go to Devices -> Enrollment and open the Enrollment type profile.
Here you can create a profile with the default enrollment method.

Or you can set restrictions to which devices can enroll in the first place.

Open the Microsoft Intune admin center, go to Devices -> Enrollment and open the Enrollment restrictions or Enrollment Type Restriction.
Here you can set per platform if it is allowed at all, if personally owned devices are allowed and which version they need to have.

If you want to set additional notification about enrollments you can also do that.

Open the Microsoft Intune admin center, go to Devices -> Enrollment and open the Enrollment notifications in the Apple tab.
Here you can configure push and email notifications.

📱 Adding managed Apple devices

Adding your devices to the Apple Business Manager makes sure the devices are bound to your company while also allowing you to automatically enroll them in your MDM solution during the setup process. For this Apple provides the Automated Device Enrollment (ADE), formerly known as Device Enrollment Program (DEP). Here your reseller or carrier can directly add the devices to your ABM account during the purchase process, so your devices are automatically enrolled in Intune when they are unboxed and powered on for the first time. Like this you can send the devices directly from the reseller to end users without having to manually do anymore configuration.

To start adding devices to your Apple Business Manager account, go to the ABM portal and open the Devices page.
Here you first need to add your Apple Customer Number to be able to add devices that you purchased or the Reseller Number so your reseller adds new devices on your behalf automatically.

As soon as you have added devices to your ABM Account, you can assign them to an MDM solution (if you didn't set a default one already), release them from your org for reselling or turn off an activation lock.

After assigning devices to Intune, they should show up in the Intune portal under Devices -> iOS/iPadOS or macOS.
If you added an enrollment profile in the previous step, they will also automatically get that profile assigned.

🍎 Managed Apple accounts

Using an Apple device you need an Apple ID. For personal devices, users usually create their own Apple ID, but for corporate devices this is not a good idea. If you allow this, you not only lose control over this part of your identitiy management and the security that this provides, but also create an unnecessary barrier for your users when they enroll their devices. You risk, your data getting out or saved to personal storage or mail accounts, creating potential data privacy compliance issues or simply who pays for needed apps and how this gets handelt by accounting. All unnecessary if you use Managed Apple IDs. This can easily be done by federating your Entra ID with Apple Business Manager. With this your users just use there already existing credentials for there Apple devices.

Open the ABM portal,go to the Settings page and select Managed Apple Accounts.
Here you find your automatically generated apple domain and you can start the federation process by clicking Get Started.

Next you select your Identity Provider of choice, in our case Microsoft Entra ID and select Sign in with Microsoft.

After signing in you need to consent to a view permission for the Apple Business Manager and then your Entra ID will be connected.

Now you see your newly federated domains in the list at the bottom of the page. Next to these you can click on Manage to turn on federation for the specific domains.

You click next to Sign in witch Microsoft Entra ID on Set up, the status will then change to Turning on Federation and shortly after it will be toggled on.

Now that your domains are federated, you need to add your user accounts to the ABM directory and for that you can enable the automatic account syncing, which will create your existing Entra users automatically in ABM as Managed Apple IDs. For this you click under Directory Sync on the 3 dots to the right and select Connect.

After the sync is done you can find the processed accounts info in your Activity blade.

And you find your users in the Users blade. Your users can start using their Entra accounts now as Apple IDs.

🛒 App Store volume purchasing

With the ABM you can also buy apps and books centrally in volume without the hassle of individual purchases or distributing credit card infos to your users. It’s called the Volume Purchase Program (VPP). It lets your organization retain ownership of purchased apps instead of tying them to individual accounts, making it easy to reassign licenses to other users.

To use the VPP with your MDM you must first connect it. For that you open the ABM portal, go to the settings page -> Payments and Billing. Here you can activate the Content Token and download the token file (.vpptoken). On this page you would also enter payment information for purchasing payed apps.

TIP

You don`t need to enter any payment information for free apps.

Now open the Microsoft Intune admin center, go to Tenant administration -> Connectors and tokens -> Apple VPP Tokens and click Create.
Enter a name for the token, the Apple ID you used to create the token and upload the .vpptoken file you downloaded from ABM and click Next.

On the next page you choose your Contry/Region and your Type of VPP account (Depending if you use the Apple Business Manager (Business) or Apple School Manager(Education)). In addition to that you can toggle if this token was used before by another MDM solution and Intune should take control (so you can continue using all the licenses seemlessly) and if you like, Automatic app updates. Then you also need to grant Microsoft the permission to exchange data with Apple, so it can send and receive data from ABM.

When you proceed to the next pages you can add scope tags and hit Review + create.

When you now go back to the ABM and select Locations you need to add a Location first, to assign apps.
If you select Apps and Book in the main menu then, you can find all your purchases there. To find and buy new apps you just enter the name in the search bar, select the location, the quantity and click Get.

After every buy the admin gets a mail with your purchase confirmation.

If you then go back to the Intune admin center the apps will automatically get synced to the Apps page with the Type iOS volume purchase program app (the platform at the start, changes with the type of app you purchased) and you can assign them to your devices or users.

⚙️ Device Management through Intune

Now that you got an Apple Account, connected it to Intune, got your managed apple id's, got your devices in and connected VPP, you can start the managing. Here now is no difference anymore between these devices and other corporate managed apple devices you might have added before via Company Portal or Apple Configurator.

➡️ Migrate Apple devices from other MDM's to Intune

When Apple released iOS/iPadOS/macOS 26 in August, they also added an MDM migration functionality as a new feature to ABM. That solved one of the main headaches people had with switching MDM solutions in the past. Usually, you had to do a factory reset on the devices before they could be manually re-enrolled. This new migration feature, which is directly built in to the ABM, lets IT admins move devices from one MDM to another without big end-user downtime.

Prerequisites

Administrator or Device Enrolment Manager permissions in Apple Business Manager
Intune Administrator or Global Administrator permissions in Microsoft Intune
Devices with iOS, iPadOS or macOS 26 or later
Devices need to be enrolled with Apple Business Manager

IMPORTANT

To keep things working smoothly and make it easy for users, it's important that admins make sure Intune uses the same settings as the old MDM and use the Await final configuration setting. This way users don`t need to worry about new settings or a different experience and it makes the migration much smoother. Amending the settings to your liking should then be done gradually in a scond step, to not give the end user too many chances to compain about this whole IT "noncense" 😉 and there constant changes. drawing

MDM migration - Admin experience

Document the settings in your old MDM solution.
Add Intune as a MDM solution to ABM as explained above (Connect Apple Business Manager with Intune, Configure automatic enrollment token).

INFO

You can also configure your MDM per device type if you need to use more then one MDM solution in your environment.

Open the Intune admin center and set up the documented settings from your old solution in Intune and any additional configurations you need (enrollment profiles, compliance policies, configuration profiles, apps, etc.)

WARNING

Please test the migration process before rolling out to your production devices, to make sure your settings in Intune are actually the same as before and the user experience is not negatively impacted.

Then you can go back to ABM and switch the Device Management for your devices to Intune. For that open the Device you want to migrate, select the three dots on the top right and click Assign Device Management.

Now select the new MDM, click Continue, set a migration deadline for the user, click Continue again and then Confirm the change.

VPP

If volume purchased apps were part of the old MDM deployment, you should not set a migration deadline greater than 30 days so to not run into problems with automatic license queries from app developers.

Notifications

After you set the migration deadline, users receive ongoing re‑enrolment alerts:

daily until 24 hours before the deadline
hourly, until the final hour
during the final hour in 60, 30, 10 and 1 minute intervals.

MDM migration - User experience

TIP

I higly recommend informing your users beforehand about the upcoming notification and clicks they have to do. Even so it is a pretty straight forward process for the user, taking the time beforehand to inform and, depending on your endusers IT affinity, maybe issuing a short one page guide, will save you a lot of helpdesk calls in the end.

First the enduser gets a push notification on his device that he needs to re-enroll the device.
When the user clicks the notification and then Start Enrollment on mac or Start Enrollmentdirectly on iOS the rest of the process is completly automatic.

macOS	iOS/iPadOS

At the end the user will get a notification that the enrollment is complete and thats it for him.

The admin can now go back to the Intune portal and the device shows under devices, with no difference to any other device that Intune manages.

MDM migration - Volume purchased apps

You first need to open your old MDM and remove the VPP token there. If you get the option to remove the apps from the devices you should decline that.
Next you can download the same token from ABM again and add it to Intune, as shown above in the App Store volume purchasing section.

IMPORTANT

To make the old token work, you need to toggle the option "Take control of token from another MDM" while adding the token to Intune.

💡 Conclusion

Apple Business Manager (ABM) combined with Intune gives you a powerful, modern foundation for managing Apple devices at scale. ABM centralizes device enrollment, app purchases, and managed Apple IDs, while Intune brings policy, app distribution, and lifecycle management together in a single pane. Together they reduce manual steps, improve security, and make device provisioning far more predictable for admins and users alike.

Why use the ABM?

Automated Device Enrollment: Devices from resellers or carriers are assigned and enrolled automatically, cutting setup time for IT and end users.
Managed Apple IDs: Federating with Entra ID lets users sign in with familiar credentials and keeps organizations control intact.
Centralized App Licensing: VPP simplifies app distribution and license reassignment.

Why Intune?

Microsoft works directly with Apple to support the latest features mostly on the same day they release.
Microsoft also works constatly to bring more and more new features to Apple devices (LAPS for example).
Without knowing every single Apple MDM out there, Intune should be on-par or better then most of them by now.
If you are using M365 already, you got the nessecary linceses without extra costs and save on the overhead of managing multiple MDM solutions.
If you are using Intune or Defender already, you get a single pane of glass for all your devices and security.

So taking a look does not hurt, even if you are happy with your current MDM solution or not using Intune yet. Keeping your eyes open can sometimes reveal new synergies and save money in the future.

2024

2025

2025

Apple Business Manager

👋 Introduction