26/10/2023

Prepare Your Apple Business Manager Integration With Intune For Endpoint Management

Let's talk about planning the integration of ABM with Intune based on what Apple and Microsoft give us, shape it so that it fits our needs, and leave room for extending it in the near future.

Apple Business Manager (ABM) is a free, web-based portal that enables organizations to enroll, provision, deploy and manage their corporate Apple devices. ABM also lets organizations purchase and manage their app licenses, which is more convenient and reduces the workload of IT Admins. However, ABM relies on an Endpoint Management solution to streamline security and compliance and to provide a customized setup process in line with the organization's standards. This is where Intune comes in as a strong choice for an advanced Endpoint Manager, especially if the organization already uses Microsoft's enterprise solutions as the backbone of its modern workplace.

Technically speaking, integrating ABM with Intune is straightforward. But do not let that perspective trap you; otherwise your organization will face a lot of issues managing its corporate devices properly. None of us wants to be a firefighter within our own house. Therefore, let's talk about planning the integration of ABM with Intune based on what Apple and Microsoft give us, shape it so that it fits our needs today, and leave room for extending it in the near future.

I. How do you want to manage the ABM enrolled devices within your organization?

The question tells you exactly what needs to be addressed. Since the devices you are going to manage are all corporate-owned, the best choice here is to keep them fully under the control of your IT Admins. That means you will need them to be supervised. Apple and Intune provide enough options for you to provision not only newly acquired Apple devices, but also the ones already in use. We will not cover personally owned devices here, since Intune already provides a way to manage them without the need for ABM.

Once you choose to supervise the ABM enrolled devices, you can think about adding more security layers during the provisioning process as well as in the end user's daily use, for example Intune Application Management to protect the organization's data within corporate apps, or Microsoft Entra ID Conditional Access to ensure all user access is controlled and secured.

II. How do you want end users to use the ABM enrolled devices?

In many current scenarios for using a corporate device, sometimes due to business needs, the device is not used by a single user but shared among several users. Define the right usage scenarios and create a different enrollment profile for each scenario, so that nothing gets confused during the production roll-out phase.

Apple and Microsoft provide enrollment processes with user affinity and without user affinity for the scenarios mentioned above. However, the configurations are different. That is why, during the planning process, organizations should define the usage scope clearly before moving on to technical design and implementation.

III. Choosing the best authentication experience for end users during device setup and activation.

To use any Apple device, the end user must go through a process called Setup Assistant. This process starts when the device is turned on and guides the user through different configurations before the device is ready to use.

For corporate devices that are going to be managed by both ABM and Intune, IT Admins need to choose the right way of asking users to authenticate themselves in order to ensure a smooth experience. This authentication is not only for Microsoft Intune; it may also involve an Apple ID if the IT Admins choose so, depending on the authentication methods selected in the enrollment profiles.

Every IT Admin is likely to be confused when choosing the suitable authentication methods to show to users. Let us explain and assist, following your requirements.

  1. How do you want to push the Company Portal application to the device?
    Most of the time we want the Company Portal application to be installed automatically so that users do not need to do it themselves. Intune gives you two choices: deploy the app using the Apple Volume Purchase Program (VPP), or deploy it as an application added through Intune. Both are automatic installations, but deploying through VPP does not require the user to authenticate with their Apple ID, while deploying through Intune apps requires the user to enter their Apple ID so the device can access the App Store before the app can be installed.
    Microsoft also recommends deploying the Company Portal application through VPP, since organizations can then enforce app updates through ABM. The VPP version is also the latest and most stable version, which is suitable for enterprise use.
    Configuring VPP in ABM and mapping it to Intune requires only a few simple steps, so make sure you prepare this first.
  2. Do you want to restrict users from using the device until they finish Intune enrollment?
    This question goes right to the point of ensuring endpoint security. We recommend locking the device until users finish the whole enrollment process. This approach relies on the following configurations within the Enrollment Profile:
    - Choose the Intune Company Portal app as the authentication method. Intune also offers authentication through Setup Assistant (with Modern Authentication, of course; we do not recommend the Legacy one); however, Setup Assistant lets users access parts of the device even if the Company Portal app has not been installed.
    - Installing the Company Portal app with VPP is recommended, as explained earlier in this topic.
    - Enable Run Company Portal in Single App Mode until authentication. This option is available only if you chose to install Company Portal with VPP; it locks the device until users authenticate themselves with their Entra ID account in Company Portal and finish the Intune enrollment process.
    - Make sure to enable Supervised.
    - Enable Locked enrollment. This prevents the Intune management profile from being removed, which would otherwise leave the device with no restrictions applied.
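The five settings above are easy to drift from when several enrollment profiles exist for different usage scenarios. The script below is an added example written for this post, not code from the authors or from Microsoft: it audits an exported enrollment profile against that checklist. The JSON property names are assumed to match the Microsoft Graph beta `depIOSEnrollmentProfile` resource (`enableAuthenticationViaCompanyPortal`, `companyPortalVppTokenId`, `enableSingleAppEnrollmentMode`, `supervisedModeEnabled`, `profileRemovalDisabled`) and should be verified against your tenant's export; the two sample profiles are constructed for illustration and the VPP token id is a placeholder.

```python
"""Audit Intune Automated Device Enrollment profiles against the lockdown checklist.

Added example, not code from the blog post or from Microsoft. Property names are
ASSUMED to follow the Microsoft Graph beta `depIOSEnrollmentProfile` resource;
check them against a real export before relying on the result.
"""
import json

# Constructed sample: a profile that follows every recommendation in the post.
GOOD_PROFILE = json.dumps({
    "@odata.type": "#microsoft.graph.depIOSEnrollmentProfile",
    "displayName": "Corp iOS - single user",
    "requiresUserAuthentication": True,
    "enableAuthenticationViaCompanyPortal": True,       # Company Portal, not Setup Assistant
    "companyPortalVppTokenId": "00000000-0000-0000-0000-000000000000",  # placeholder token id
    "enableSingleAppEnrollmentMode": True,               # device locked until enrolled
    "supervisedModeEnabled": True,
    "profileRemovalDisabled": True,                      # "Locked enrollment"
})

# Constructed sample: a profile with the weak choices the post warns about.
WEAK_PROFILE = json.dumps({
    "@odata.type": "#microsoft.graph.depIOSEnrollmentProfile",
    "displayName": "Corp iOS - legacy",
    "requiresUserAuthentication": True,
    "enableAuthenticationViaCompanyPortal": False,       # Setup Assistant authentication
    "companyPortalVppTokenId": None,                     # Company Portal pulled from the App Store
    "enableSingleAppEnrollmentMode": False,
    "supervisedModeEnabled": True,
    "profileRemovalDisabled": False,                     # management profile can be removed
})

# (finding id, requirement as stated in the post, predicate over the profile dict)
CHECKS = [
    ("auth-via-company-portal",
     "Authentication method must be the Intune Company Portal app",
     lambda p: p.get("requiresUserAuthentication") is True
     and p.get("enableAuthenticationViaCompanyPortal") is True),
    ("company-portal-vpp",
     "Company Portal must be installed through a VPP token",
     lambda p: bool(p.get("companyPortalVppTokenId"))),
    ("single-app-mode",
     "Run Company Portal in Single App Mode until authentication",
     lambda p: p.get("enableSingleAppEnrollmentMode") is True),
    ("supervised",
     "Supervised must be enabled",
     lambda p: p.get("supervisedModeEnabled") is True),
    ("locked-enrollment",
     "Locked enrollment: management profile removal must be disabled",
     lambda p: p.get("profileRemovalDisabled") is True),
]


def audit_profile(profile_json: str) -> list[str]:
    """Return the ids of the checks a single profile document fails (empty = compliant)."""
    profile = json.loads(profile_json)
    return [check_id for check_id, _, predicate in CHECKS if not predicate(profile)]


def audit_export(export_json: str) -> dict[str, list[str]]:
    """Audit a Graph collection response ({"value": [profile, ...]}) or a single profile.

    Returns a mapping of displayName -> failed check ids, so drift across the
    per-scenario profiles the post recommends can be spotted in one pass.
    """
    document = json.loads(export_json)
    profiles = document["value"] if isinstance(document, dict) and "value" in document else [document]
    return {p.get("displayName", "<unnamed>"): audit_profile(json.dumps(p)) for p in profiles}


def describe(failures: list[str]) -> list[str]:
    """Translate failed check ids into the requirement text for a report."""
    requirement = {check_id: text for check_id, text, _ in CHECKS}
    return [requirement[f] for f in failures]


if __name__ == "__main__":
    export = json.dumps({"value": [json.loads(GOOD_PROFILE), json.loads(WEAK_PROFILE)]})
    for name, failures in audit_export(export).items():
        status = "OK" if not failures else "REVIEW"
        print(f"{status:6} {name}")
        for line in describe(failures):
            print(f"        missing: {line}")
```

Run it against a Graph export of your enrollment profiles (or paste one profile's JSON) and review every profile reported as REVIEW. Note that a missing VPP token will usually show up together with a Single App Mode finding, because the Single App Mode option only exists when Company Portal is deployed through VPP, exactly as described above.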

And that's it for today. We will come back with more blog posts so stay tuned!


Anh Luu and Nhan Pham
