The Top 10 reasons to integrate Microsoft Intune with Apple Business Manager (ABM) for Company-owned Apple Devices.



Apple and Microsoft are better together. It is very true when it comes to managing the Apple iOS or macOS devices using Microsoft Intune.

What is Microsoft Intune?

Microsoft Intune can help to secure iOS, Android, Windows, and macOS devices. The Solution can deploy devices with company-defined security standards; it can help to secure corporate data on devices and improve user experience by automating apps, configuration, updates installation, Wi-Fi, VPN, Security Policies and enforcing configuration policies which can take hours to configure manually.  It can help to maintain end to end device lifecycle. Intune is the only solution which can protect data Office365 data on devices using Application Protection Policies with or without device enrollment.

What is Apple Business Manager?

Apple Business Manager (ABM) is a new portal integrating Device Enrolment Program (DEP) and Volume Purchase Programs (VPP).  ABM can be beneficial to manage company-owned device procurement, deployment, Apps & Books distribution and roles management. ABM makes it easy to enrol devices, deploy content, and delegate administrative privileges.
MS Intune and ABM can help organisations to faster enrolment, more device controls and provide seamless device enrolment experience. Here I have listed the top 10 reasons to integrate MS Intune with ABM.  

1.    Enforce Intune Enrollment

To enrol device in Intune (or any other MDM), the user must download Comp Portal App (MDM App) from App store, sign in using company credentials and enroll device.  Intune and ABM integration can help to enforce company portal app installation & device enrolment automatically. User can be compelled to sign-in with Company Credentials to activate the device instead of Apple ID. Admin can add existing devices to ABM too using Apple Configurator!

2.    Customise out of the box user Experience

The new device must go through initial device setup and activation before it can be used, users are prompted to enter a passcode, Touch ID, Zoom, location services, Apple ID, Zoom, Siri, Restore from iCloud or iTunes backup etc. Also, Users are promoted to Apple ID to install apps from AppStore. These steps can be controlled using Intune; many levels can be disabled to minimise user interaction which results in fast enrolment experience.  

3.    Bypass Apple ID requirements

Apple ID is mandatory to install Apps from AppStore. Apple ID can be bypassed entirely with the help to ABM and MS Intune integration. User can install Company-owned apps procured using ABM from Company Portal Apps instead of AppStore.

4.    Locked Enrolment

Users can easily bypass configured security by deleting MDM profile. As a result, device is no longer under Intune management and policies are not enforced. Intune & ABM integration allows configuring devices with locked enrollment. This can be only set on devices managed using ABM or Apple Configurator.

5.    Authenticate user with Company Portal

Apple iOS Device is required to go through setup assistance, part of initial setup users is promoted to create or sign in with exiting Apple ID to install apps from App Store, iMessage, iCloud backup etc. At times, it can be cumbersome when the employee does not have Apple ID, can’t recall password or have multi-factor authentication setup. ABM and Intune integration can bypass Apple ID, and the user can sign in with company credentials to start using the device. As a result, devices are deployed faster!

6.    Supervised Mode

Supervised mode allows Intune administrator to have more control on a device than typically permitted. It can enforce to run iPhone or iPad in single app mode, configure always-on VPN, set wallpaper, message on lock screen, automatic app installation, device name changes, block Airdrop etc.  Visit Apple support to learn about all supervised restrictions. ABM and Intune integration allows configuring supervised mode on devices.

7.    Enforce Device Naming Standards

ABM and Intune integration allows to apple device naming templates. Devices are created with a unique name contain serial number, device type to make it easier for IT Admins and users to manage devices.

8.    Seamless App Installation without Pop-Ups

Devices managed using ABM are supervised which allows seamless apps installation without any pop-ups. This can save time to install apps from AppStore or Intune company Portal manually. Users can be more productive and utilise time for more valuable tasks.

9.    Procurement and Asset Management

It is quite challenging to manage device lifecycle including procurement, allocation, management, tracking ownership and decommissioning. ABM Administrator can add preferred supplied to ABM, as a result, all newly procured devices automatically added in Intune via ABM by a supplier. Intune shows the device state for lifecycle management. Devices are always enforced to sign in with company credentials so lost or stolen device cannot be sold in black market or eBay!   

10.           Minimise Support Cost with Zero Touch

We all know the feeling of unwrapping brand-new gadget or device. Many companies have a process where IT support will open device and walk through enrolment process with users. This can be a productivity killer and create unnecessary IT overhead. Devices are automatically enforced to sign in with company credentials as result it is protected out of the box. All Apps can be automatically installed using Company Portal without Apple ID requirement.
ABM and Intune integration enabled IT to ship devices direct to the user. User can follow necessary steps to enroll devices and sign using company credentials to access company email, apps, Wi-Fi, VPN etc. This can help to minimise IT support calls, helpdesk time and improve user experience. User can complete setup within 5 mins.

To learn more about Apple Business Manager visit this link

Intune is most leading cloud solution, to get start visit this link.

Author: Pratik Dave www.daveinfotech.com.au  | https://twitter.com/prtkdv | https://au.linkedin.com/in/pratikrdave

About Author : Pratik Dave has more than 15 years of IT experience, delivering Modern Management and Security solutions to enterprises using cloud and on-premises solutions.

If you need help to manage, configure to evaluate Intune, please email pratik@daveinfotech.com.au.



Comments

  1. Exim DataApril 8, 2022 at 5:41 PM

    Thank you for the information, Your information is very helpful for us
    USA Buyers Details

    ReplyDelete

Post a Comment

Popular posts from this blog

Unable to add ipads to Apple DEP/Business Manager

Image
Issue :  Unable to add device to Apple DEP Program Manually using Apple Configurator 2 Error :  Apple Configurator 2 was showing following error message: Provisional Enrollment failed. Network Communication error MCCloudConfigErrorDomain – 0x80EF (33007), The Error screenshot is shown below.  Fix: Connect ipad to wifi or mobile network and restart the enrollment process.
Read more

How to deploy Application (offline installer DMG) on Apple MacOS Devices using Microsoft Intune

Image
Microsoft Intune does not support deployment of DMG file. As per the  Microsoft documentation   : " Only  .pkg files may be used to upload macOS LOB apps to Microsoft Intune. Conversion of other formats, such as .dmg to .pkg is not supported." Microsoft Intune have provided support to deploy shell script to macOS. In the example below, I will deploy Adobe Acrobat Reader DC 2020.009.20063 DMG file on MacOS Device. Save following script as .sh package i.e.  InstallAdobeReader.sh #! /bin/sh url=https://ardownload2.adobe.com/pub/adobe/reader/mac/AcrobatDC/2000920063/AcroRdrDC_2000920063_MUI.dmg   set -x tempd=$(mktemp -d) curl $url > $tempd/AdobeReaderDC.dmg listing=$(sudo hdiutil attach $tempd/AdobeReaderDC.dmg | grep Volumes) volume=$(echo "$listing" | cut -f 3) package=$(ls -1 "$volume" | grep .pkg | head -1) sudo installer -pkg "$volume"/"$package" -target / sudo hdiutil detach "$(echo "$volume" | cut -f 1)" rm -r
Read more

How to enable iOS unmanaged apps to read managed contacts & write unmanaged contacts without compromising security using Microsoft Intune

Image
The contacts saved in Exchange is considered managed contacts. with iOS 12 onwards managed contacts are not visible from unmanaged Apps. As stated in Apple Article (https://support.apple.com/en-au/HT208749)  iOS 12, you can use MDM to make the following exceptions to this policy: Allow unmanaged apps to access managed contacts Allow managed apps to save contacts to the local Contacts app Microsoft Intune have introduced new feature, but it has pre-requisite to "Viewing corporate documents in unmanaged apps" to write contact to unmanaged app and "Viewing non-corporate documents in corporate apps" to read managed contacts in unmanaged app.  This can be security issue for many organisations. However, you can enable this without changing the parent policy by following trick! Go to iOS restriction settings in Intune, go to 'App Store, Doc Viewing, Gaming controls'. As highlighted above 'Allow managed apps to write contacts
Read more