๐ŸŽ Microsoft Intune

Apple Device Management

Complete guide to managing iOS, iPadOS, and macOS devices with Intune — from Apple Business Manager setup and ADE enrollment to VPP app deployment and compliance policies.

📅 Updated: May 2026 · ⏱️ Implementation: 4–8 hours · 🎯 Audience: Intune Admins, Apple Admins · 📋 License: Intune P1

📋 Overview & Licensing

Intune manages Apple devices via three channels: APNS (push commands to enrolled devices), Apple Business Manager (ABM) for zero-touch enrollment, and Volume Purchase Program (VPP) for app licensing.

iOS (iPhone & iPod)

  • ADE supervised enrollment
  • BYOD User Enrollment
  • MAM without enrollment
  • Per-app VPN support

iPadOS (iPad)

  • Shared device mode (multi-user)
  • Student device scenarios
  • Managed Home Screen
  • Kiosk / Single App Mode

macOS (Mac)

  • Platform SSO (Entra ID auth)
  • ADE with Setup Assistant
  • Shell scripts deployment
  • Rosetta 2 / custom PKGS

Feature | License Required | Platforms
--- | --- | ---
MDM Enrollment (ADE, BYOD) | Intune P1 | iOS, iPadOS, macOS
MAM (app protection, no enrollment) | Intune P1 | iOS, Android
VPP App Licensing | Intune P1 + ABM | iOS, iPadOS, macOS
Platform SSO (macOS) | Entra ID P1 | macOS 13+
Conditional Access | Entra ID P1 | All platforms

๐Ÿข Apple Business Manager

Apple Business Manager (ABM) is required for zero-touch ADE enrollment and VPP app purchasing. Set up ABM at business.apple.com before connecting to Intune.

🔗 Linking ABM to Intune

1. Generate MDM Server Token: In ABM → Settings → MDM Servers → Add MDM Server → Download token (.p7m file).

2. Upload to Intune: Intune admin center → Devices → iOS/iPadOS → Enrollment → Apple MDM Push Certificate → upload token.

3. Set Default MDM Server: In ABM, set Intune as the default MDM server for newly purchased or assigned devices.

4. Assign Devices: In ABM, assign purchased devices (or devices added via Apple Configurator) to the Intune MDM server.

🛒 Device Acquisition Methods

  • New purchase from Apple: Auto-assigned via reseller order
  • Apple Configurator 2: Add existing devices via USB pairing
  • Reseller: Reseller adds via Apple DEP portal
  • Carrier: Carrier adds cellular devices

Devices added to ABM can be re-assigned to a different MDM server within ABM — Intune doesn't need to be involved until the device actually enrolls.

📡 APNS Configuration

APNS certificate renewal must happen annually using the same Apple ID used to create it. If you renew with a different Apple ID, all enrolled Apple devices will lose management and must re-enroll!

📜 APNS Setup Steps

1. Download CSR from Intune: Intune → Devices → iOS/iPadOS → Enrollment → Apple MDM Push Certificate → Download CSR.

2. Sign with Apple: Go to identity.apple.com/pushcert → Upload CSR → Download .pem certificate.

3. Upload to Intune: Upload the .pem file back to Intune. Certificate is valid for 1 year.

โฐ Renewal Best Practices

  • Set calendar reminder 30 days before expiry
  • Document the Apple ID used (store in password manager)
  • Renew โ€” do NOT create a new certificate
  • Intune will alert when expiry is approaching
  • Expiry does NOT immediately unenroll devices โ€” but commands stop working
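To turn the renewal advice above into a routine check, here is an added Python example (not code from the original guide) that reads the JSON returned by Graph's GET /deviceManagement/applePushNotificationCertificate and reports days to expiry plus whether the Apple ID on the certificate still matches the one you documented. The sample response, the documented Apple ID and the 30-day warning window are constructed/assumed values; only the Graph property names are real.

```python
"""Check the Intune APNS (MDM push) certificate for upcoming expiry and Apple ID drift.

Added example, not from the original guide. It parses the JSON that
GET https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate
returns. The sample response below is constructed; the Apple ID and warning
window are assumptions to replace with your own values.
"""
import json
from datetime import datetime, timezone

# Constructed sample response (Graph property names; values are made up).
SAMPLE_APNS_RESPONSE = json.dumps({
    "appleIdentifier": "intune-apns@contoso.example",
    "topicIdentifier": "com.apple.mgmt.External.PLACEHOLDER-TOPIC-ID",
    "expirationDateTime": "2026-06-15T10:30:00.1234567Z",
    "certificateUploadStatus": "success",
})

# Apple ID recorded in the password manager when the certificate was created
# (assumption: replace with the value you documented).
DOCUMENTED_APPLE_ID = "intune-apns@contoso.example"
WARN_DAYS = 30  # matches the "30 days before expiry" reminder in the guide


def parse_graph_datetime(value: str) -> datetime:
    """Parse a Graph UTC timestamp. Graph may emit 7 fractional digits, which
    datetime.fromisoformat rejects, so the fraction is truncated to microseconds."""
    text = value.rstrip("Z")
    if "." in text:
        whole, frac = text.split(".", 1)
        text = f"{whole}.{frac[:6]}"
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def as_of(iso_date: str) -> datetime:
    """Interpret a YYYY-MM-DD string as UTC midnight (handy for tests and cron logs)."""
    return datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)


def assess_apns(response_json: str, documented_apple_id: str, now: datetime,
                warn_days: int = WARN_DAYS) -> dict:
    """Return expiry and Apple ID findings for the push certificate."""
    cert = json.loads(response_json)
    expires = parse_graph_datetime(cert["expirationDateTime"])
    days_remaining = (expires - now).days
    apple_id = cert.get("appleIdentifier", "")
    id_matches = apple_id.lower() == documented_apple_id.lower()
    findings = []
    if days_remaining < 0:
        findings.append("APNS certificate has EXPIRED: push commands stop until renewed")
    elif days_remaining <= warn_days:
        findings.append(f"APNS certificate expires in {days_remaining} days: renew (do not create new)")
    if not id_matches:
        # Renewing with a different Apple ID would force every device to re-enroll.
        findings.append(f"Apple ID on certificate ({apple_id}) differs from documented ID ({documented_apple_id})")
    return {
        "apple_id": apple_id,
        "expires": expires.isoformat(),
        "days_remaining": days_remaining,
        "expired": days_remaining < 0,
        "renew_soon": 0 <= days_remaining <= warn_days,
        "apple_id_matches": id_matches,
        "findings": findings,
    }


if __name__ == "__main__":
    report = assess_apns(SAMPLE_APNS_RESPONSE, DOCUMENTED_APPLE_ID, datetime.now(timezone.utc))
    for line in report["findings"] or ["APNS certificate OK"]:
        print(line)
```

In production, replace SAMPLE_APNS_RESPONSE with the body of an authenticated Graph call (DeviceManagementServiceConfig.Read.All is sufficient) and run the script from a scheduler so that the Apple ID mismatch is caught before the renewal date, not during it.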

⚡ ADE – Automated Device Enrollment

ADE (formerly DEP) provides zero-touch supervised enrollment. The device is associated with your organization the moment it's powered on — Setup Assistant guides the user through enrollment automatically.

📱 iOS ADE Features

  • Supervised mode: Enabled by default via ADE
  • Blocks user from removing MDM profile
  • Supports Activation Lock bypass
  • Allows screen time restrictions
  • App installation without user approval
  • Per-app VPN enforcement

⚙️ Setup Assistant Customization

  • Skip or show specific Setup Assistant panes
  • Skip: Location Services, Siri, iCloud, etc.
  • Lock language and locale
  • Require user authentication at enrollment
  • Await final configuration (block until policies apply)

💻 macOS ADE Features

  • Bootstrap token support (FileVault escrow)
  • Platform SSO with Entra ID
  • Silent app install via PKG
  • Shell script deployment at enrollment
  • System Preference lock capabilities
  • Automatic MDM enrollment on first boot

🔐 Platform SSO (macOS 13+)

  • Create local account at first login with Entra credentials
  • Entra ID becomes the authentication source
  • Password changes sync between local and Entra
  • Touch ID works with SSO extension
  • Requires: Entra ID P1, Company Portal app

# Create ADE Enrollment Profile via Graph API (beta; {id} is the DEP onboarding setting's id)
POST https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings/{id}/enrollmentProfiles

{
  "@odata.type": "#microsoft.graph.depIOSEnrollmentProfile",
  "displayName": "ADE Corporate iOS - Supervised",
  "description": "Zero-touch supervised enrollment for corporate iPhones",
  "isDefault": true,
  "requiresUserAuthentication": true,
  "configurationEndpointUrl": "https://contoso.manage.microsoft.com",
  "enableAuthenticationViaCompanyPortal": true,
  "requireCompanyPortalOnSetupAssistantEnrolledDevices": true,
  "supervisedModeEnabled": true,
  "locationDisabled": true,
  "siriDisabled": true,
  "restoreBlocked": true,
  "diagnosticsDisabled": true
}

The property names follow the Graph beta depIOSEnrollmentProfile resource: the request body must carry the @odata.type, supervision is set with supervisedModeEnabled, and Setup Assistant panes are skipped with individual *Disabled booleans (locationDisabled, siriDisabled, diagnosticsDisabled; restoreBlocked hides the restore-from-backup pane) rather than an items array.

👤 User Enrollment

🔒 User Enrollment Characteristics

  • Designed for BYOD – personal device privacy
  • Creates a separate managed APFS volume
  • Organization data isolated from personal data
  • IT cannot see personal apps, photos, or device info
  • Device serial number is NOT visible to IT
  • User can unenroll at any time (removes managed volume only)

🚫 Limitations vs. ADE

  • Device is NOT supervised
  • Cannot enforce VPN for all traffic
  • Cannot manage system-level settings
  • Cannot see device hardware details
  • Cannot perform remote wipe (only selective wipe)
  • Cannot install certificates into system store

User Enrollment uses a Managed Apple ID linked to Entra ID via federation — or an Apple ID created in ABM for the employee. This is the recommended approach for BYOD iOS devices in organizations that use ABM.

📱 BYOD via Company Portal

📲 Company Portal Enrollment

1. User installs Company Portal: Download from App Store. User signs in with corporate Entra ID credentials.

2. Choose enrollment type: User selects "I own this device" (User Enrollment) or "My company owns this device" (full MDM).

3. Install management profile: User is guided to Settings → General → VPN & Device Management → Install Profile.

4. Policies applied: Compliance, configuration, and app policies apply automatically after enrollment completes.

📵 MAM Without Enrollment

  • App Protection Policies (APP) without MDM
  • Protects corporate data in Outlook, Teams, Edge
  • PIN required to open managed apps
  • Block copy/paste to personal apps
  • Remote wipe of app data only
  • No device-level visibility for IT

MAM-only is ideal for personal devices where full MDM enrollment is undesirable or restricted by policy.

⚙️ Configuration Profiles

📧 Email & Exchange

  • Native iOS Mail app configuration
  • Exchange ActiveSync or Modern Auth
  • S/MIME signing and encryption
  • Certificate-based authentication

🌐 Wi-Fi & VPN

  • WPA2/3 Enterprise (EAP-TLS)
  • Per-app VPN (always-on per app)
  • Always-On VPN (supervised only)
  • DNS settings and split tunneling

🔒 Restrictions

  • Disable App Store, Siri, AirDrop
  • Block screen capture
  • Require passcode complexity
  • Disable USB accessories

💻 macOS-Specific Profiles

  • FileVault: Enable disk encryption, escrow recovery key to Intune
  • Gatekeeper: Enforce app notarization
  • Privacy Preferences (PPPC): Allow/deny app access to camera, mic, etc.
  • System Extensions: Approve kernel and system extensions
  • Login Window: Custom message, disable guest account

📜 Custom Configuration Profiles

  • Deploy any Apple MDM payload as custom XML
  • Use Apple Configurator 2 to build profile XML
  • Upload .mobileconfig file to Intune
  • Useful for settings not yet in Intune UI
  • Works on iOS, iPadOS, and macOS
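As an added example (not code from the guide, from Apple Configurator or from Intune), the following Python builds the Restrictions payload described in the Restrictions list above (block screen capture, AirDrop, App Store and Siri) as a .mobileconfig plist and checks the envelope for the mistakes that make an upload fail. The reverse-DNS prefix and organization name are assumptions; the Payload* keys and the com.apple.applicationaccess setting names are Apple's documented ones.

```python
"""Build and sanity-check a custom .mobileconfig before uploading it to Intune.

Added example, not from the original guide. It produces the same kind of XML
plist that Apple Configurator exports, using the com.apple.applicationaccess
(Restrictions) payload. ORG_PREFIX and ORGANIZATION are assumptions.
"""
import plistlib
import uuid

ORG_PREFIX = "com.contoso.mdm"   # assumption: your reverse-DNS prefix
ORGANIZATION = "Contoso"         # assumption

REQUIRED_KEYS = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")


def restrictions_payload(block_screen_capture: bool = True, block_airdrop: bool = True,
                         block_app_store: bool = True, block_siri: bool = True) -> dict:
    """Restrictions payload. allowAirDrop and allowAppInstallation only take effect on
    supervised devices, so target this profile at ADE-enrolled devices."""
    return {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions",
        "allowScreenShot": not block_screen_capture,
        "allowAirDrop": not block_airdrop,
        "allowAppInstallation": not block_app_store,
        "allowAssistant": not block_siri,   # allowAssistant is the Siri switch
    }


def build_profile(payloads: list[dict], display_name: str, identifier: str) -> bytes:
    """Wrap payloads in the top-level Configuration envelope and serialize as XML plist."""
    envelope = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": ORGANIZATION,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(envelope, fmt=plistlib.FMT_XML)


def payload_types(data: bytes) -> list[str]:
    """PayloadType of every inner payload, in order."""
    return [p["PayloadType"] for p in plistlib.loads(data)["PayloadContent"]]


def validate_profile(data: bytes) -> list[str]:
    """Return a list of problems (empty means OK): not a plist, wrong envelope type,
    missing Payload* keys, duplicate UUIDs or identifiers, no payloads."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # malformed XML or not a plist at all
        return [f"not a valid plist: {exc}"]
    problems: list[str] = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    seen_uuids: set = set()
    seen_ids: set = set()
    for entry in [profile, *profile.get("PayloadContent", [])]:
        label = entry.get("PayloadDisplayName", "?")
        for key in REQUIRED_KEYS:
            if key not in entry:
                problems.append(f"{label}: missing {key}")
        uid, ident = entry.get("PayloadUUID"), entry.get("PayloadIdentifier")
        if uid in seen_uuids:
            problems.append(f"duplicate PayloadUUID {uid}")
        if ident in seen_ids:
            problems.append(f"duplicate PayloadIdentifier {ident}")
        seen_uuids.add(uid)
        seen_ids.add(ident)
    if not profile.get("PayloadContent"):
        problems.append("profile has no payloads")
    return problems


if __name__ == "__main__":
    profile = build_profile([restrictions_payload()], "Corporate iOS Restrictions",
                            f"{ORG_PREFIX}.ios-restrictions")
    with open("ios-restrictions.mobileconfig", "wb") as fh:
        fh.write(profile)
    print(validate_profile(profile) or "profile OK")
```

Every payload gets a fresh UUID on each build; reusing a payload dict twice in one profile (or copying a profile without regenerating UUIDs) is exactly the duplicate that validate_profile reports, and it is the usual reason a device reports the profile as already installed.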

📦 App Management (VPP)

Volume Purchase Program (VPP) licenses are purchased in ABM and synced to Intune. Apps are deployed silently without App Store credentials — users don't need a personal Apple ID for managed apps.

๐Ÿ›๏ธ VPP Setup

1

Purchase in ABM

Buy app licenses in Apple Business Manager for your org's content token location.

2

Download VPP Token

ABM โ†’ Settings โ†’ Apps and Books โ†’ Download VPP Token (.vpptoken).

3

Upload to Intune

Intune โ†’ Tenant Admin โ†’ Connectors โ†’ Apple VPP tokens โ†’ Upload token.

4

Deploy Apps

Intune โ†’ Apps โ†’ iOS Store App โ†’ Select VPP app โ†’ Assign to groups with "Required" or "Available".

📱 App Types Supported

App Type | Method
--- | ---
App Store apps | VPP license assignment
Custom in-house apps | LOB (IPA upload)
macOS PKG apps | Direct PKG upload
Web Clips / Shortcuts | Web app (URL)
Microsoft apps (Teams, Outlook) | VPP or direct store

✅ Compliance Policies

📋 iOS Compliance Settings

  • Minimum OS version (e.g., iOS 17.0)
  • Passcode required, minimum length
  • Jailbroken device = Non-Compliant
  • Threat level (via MDE or MTD partner)
  • Encryption required (always on iOS)

💻 macOS Compliance Settings

  • Minimum OS version (e.g., macOS 14.0)
  • FileVault disk encryption required
  • System Integrity Protection (SIP) enabled
  • Gatekeeper enforcement
  • Firewall enabled
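To make the iOS and macOS rule sets above concrete, here is an added Python example (not from the guide, and not Intune's own evaluation engine) that scores constructed inventory records against them and yields the same three states the reports section uses: Compliant, Non-Compliant and Not Evaluated. The attribute names in the records and the minimum-version thresholds are assumptions taken from the example values in the lists; it also shows why OS versions must be compared numerically rather than as strings.

```python
"""Evaluate inventory records against the iOS/macOS compliance rules in the guide.

Added example, not from the original guide. Attribute names and the sample
INVENTORY are constructed; thresholds mirror the guide's example settings.
"""
from dataclasses import dataclass, field

# Minimum OS per platform (assumption: adjust to your baseline).
MIN_OS = {"iOS": "17.0", "macOS": "14.0"}

# Boolean attributes that must be True (attribute -> setting description).
REQUIRED_TRUE = {
    "iOS": {"passcodeSet": "Passcode required"},
    "macOS": {
        "fileVaultEnabled": "FileVault disk encryption",
        "sipEnabled": "System Integrity Protection",
        "gatekeeperEnabled": "Gatekeeper enforcement",
        "firewallEnabled": "Firewall enabled",
    },
}
# Boolean attributes that must be False. iOS encryption is not listed because,
# as the guide notes, it is always on once a passcode is set.
REQUIRED_FALSE = {"iOS": {"jailbroken": "Jailbroken device"}, "macOS": {}}


@dataclass
class ComplianceResult:
    device: str
    state: str                      # "Compliant" | "NonCompliant" | "NotEvaluated"
    failures: list[str] = field(default_factory=list)


def version_tuple(version: str) -> tuple[int, ...]:
    """'16.7.8' -> (16, 7, 8); padded to three parts so '17' == '17.0.0'.
    String comparison would wrongly rank '9.3' above '17.0'."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def evaluate(record: dict) -> ComplianceResult:
    """Apply the platform's rules to one inventory record."""
    name = record.get("deviceName", "?")
    platform = record.get("platform")
    if platform not in MIN_OS:
        return ComplianceResult(name, "NotEvaluated", [f"unsupported platform {platform!r}"])
    needed = {"osVersion", *REQUIRED_TRUE[platform], *REQUIRED_FALSE[platform]}
    missing = sorted(k for k in needed if k not in record)
    if missing:  # device has not reported everything yet: do not guess
        return ComplianceResult(name, "NotEvaluated", [f"missing attributes: {', '.join(missing)}"])
    failures: list[str] = []
    try:
        if version_tuple(record["osVersion"]) < version_tuple(MIN_OS[platform]):
            failures.append(f"Minimum OS version ({record['osVersion']} < {MIN_OS[platform]})")
    except ValueError:
        return ComplianceResult(name, "NotEvaluated", [f"unparseable osVersion {record['osVersion']!r}"])
    for attr, desc in REQUIRED_TRUE[platform].items():
        if record[attr] is not True:
            failures.append(desc)
    for attr, desc in REQUIRED_FALSE[platform].items():
        if record[attr] is not False:
            failures.append(desc)
    return ComplianceResult(name, "NonCompliant" if failures else "Compliant", failures)


def summarize(records: list[dict]) -> dict[str, int]:
    """Count devices per compliance state, as a Compliance Status report would."""
    counts = {"Compliant": 0, "NonCompliant": 0, "NotEvaluated": 0}
    for rec in records:
        counts[evaluate(rec).state] += 1
    return counts


# Constructed sample inventory.
INVENTORY = [
    {"deviceName": "iPhone-Sales-01", "platform": "iOS", "osVersion": "17.2.1",
     "passcodeSet": True, "jailbroken": False},
    {"deviceName": "iPhone-Legacy-07", "platform": "iOS", "osVersion": "16.7.8",
     "passcodeSet": False, "jailbroken": True},
    {"deviceName": "MBP-Finance-03", "platform": "macOS", "osVersion": "14.4",
     "fileVaultEnabled": True, "sipEnabled": True, "gatekeeperEnabled": True, "firewallEnabled": False},
    {"deviceName": "MBP-New-11", "platform": "macOS", "osVersion": "15.0",
     "sipEnabled": True, "gatekeeperEnabled": True, "firewallEnabled": True},  # FileVault not reported yet
]

if __name__ == "__main__":
    for rec in INVENTORY:
        result = evaluate(rec)
        print(f"{result.device:18} {result.state:13} {'; '.join(result.failures)}")
    print(summarize(INVENTORY))
```

The Not Evaluated branch is deliberate: a freshly enrolled Mac that has not yet reported FileVault status should be treated as unknown, not as compliant, which is also how a Conditional Access policy requiring a compliant device will treat it.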

📊 Reports & Monitoring

📈 Device Inventory

  • OS version distribution
  • Enrollment type breakdown
  • Supervised vs. unsupervised
  • APNS token expiry status

📱 App Reports

  • VPP license usage and available count
  • App install status per device
  • App version compliance
  • Failed installations

🔒 Compliance Status

  • Compliant / Non-Compliant / Not Evaluated
  • Jailbroken device detection
  • Per-setting compliance detail
  • Noncompliant device report

🔧 Troubleshooting

โŒ Common Issues & Solutions

Issue | Cause | Fix
--- | --- | ---
Device not appearing after ADE setup | Not assigned to Intune MDM server in ABM | Assign device in ABM → sync in Intune
APNS commands not delivered | APNS certificate expired or wrong Apple ID used to renew | Renew APNS with SAME Apple ID; devices may need to re-enroll
VPP apps not installing | VPP token expired or wrong content token location | Re-download and re-upload VPP token from ABM
Profile installation fails | Supervision required but device is unsupervised | Restrict profile to ADE-enrolled (supervised) devices only
Platform SSO not working | Company Portal not installed or old version | Ensure Company Portal 5.2303+ is installed and signed in
FileVault key not escrowed | Bootstrap token not established | Ensure ADE enrollment with SecureToken; run sudo profiles renew

✅ Implementation Checklist

๐Ÿข ABM & APNS

  • Apple Business Manager account created and verified
  • APNS certificate configured (document Apple ID!)
  • ABM linked to Intune MDM server token
  • APNS renewal reminder set (annual)
  • Reseller or Apple Configurator device assignment configured

⚡ ADE Enrollment

  • ADE enrollment profile created for iOS
  • ADE enrollment profile created for macOS
  • Setup Assistant customized (skip unwanted panes)
  • Authentication method selected (Entra ID)
  • Devices synced from ABM and enrollment tested

📦 Apps & Configuration

  • VPP token uploaded to Intune
  • Microsoft apps deployed via VPP (Outlook, Teams, Edge)
  • App Protection Policies configured for BYOD
  • Wi-Fi and VPN profiles deployed
  • macOS FileVault policy enforced with key escrow

✅ Compliance & Access

  • iOS compliance policy (min OS, no jailbreak)
  • macOS compliance policy (FileVault, SIP, Gatekeeper)
  • Conditional Access policy requiring compliant device
  • Pilot group enrollment tested end-to-end
  • Helpdesk documentation created