Apple Business Manager + JAMF

Sky-Knight

Well-Known Member
Does anyone have any good resources on how to get this going?

It's well outside of my usual areas of focus, but I've got a client that needs help here. The Apple Business Manager seems simple enough, federating it to Azure AD / Google Workspace has a little complexity from the documentation, but doesn't seem insurmountable.

And I haven't even gotten to hooking it to JAMF so we can do the MDM thing yet. But solutions like this are often riddled with hidden pitfalls that I'd rather avoid if possible.
 
How did you go with Apple Business? I'm looking at it for some clients, however I'm not sure I can federate it as they are a franchise and use the main franchisor's Azure.

Did you have to set up a new Apple ID, or were you able to pull an existing one in as the admin and then the individuals?
 
ABM has its own setup, which has an application process approved by Apple. That's annoying because it's a legal process, but not overly difficult.

Then the MDMs all have instructions for hooking the ABM to them, and their own processes for doing policies and profiles to configure said devices.

You can also hook ABM to Azure or Google to SSO things, so people can use their Microsoft / Google accounts to log in instead of Apple accounts.

NOW, here's the dark spot I found...

With Apple, the difference between Apple PERSONAL and Apple BUSINESS is the ABM. ALL MOBILE APPLE DEVICES ARE PERSONAL DEVICES!

That is, until you enroll them in the ABM. Which requires an admin iPhone that can scan those animated QR code things Apple does. When the device is enrolled, IT IS FACTORY RESET and becomes a "business" Apple device. Which is an entirely new set of rules to live by, and those rules are determined by the Apple Business Manager cloud console.

ABM starts with a brand new Apple ID, linked to a defined master phone, which serves as the first ABM joined device and the source of truth for the entire organization. You can enroll more devices to perform this function... and you should...

So the way I see it you're looking at owning 3 iPhones just to manage the ABM: one for use, two break the glass. That's three Apple Accounts for that purpose.

And all of this just to get your company Crapple devices under control. Hexnode is the cheapest MDM for SMBs. JAMF is the "best" for Apple, but 200 device minimum means not cheap. Intune can do the lifting on the MDM side but you need M365 Premium or another $6 / user / month. Apple has their own MDM now too.
 


P.S. I forgot to mention that joining a personal Apple device to the ABM performs a factory reset. You can't just "upgrade" to Business Apple, it's a nuke and pave. So you cannot be doing this to personal devices.

If you screw up a configuration profile on the MDM side... another factory reset to fix. Get some test phones.
 
Thanks

I have some reading to do.

If I understand you right, anything currently in any of the Apple IDs won't come across.

As for ABM Apple IDs, it's for the device, not the individuals; however, an individual needs to log in with an ID. Hope that makes sense.

Yes, I will be testing with some of my old Apple devices to see what goes on. I only have a couple, so it might be interesting.
 
The device is assigned to the ABM without an Apple ID, but then one is required for the user to sign in. You can SSO that process to Azure AD or Google though, so that's not too bad.
 