Maximising Apple Device Management with Apple Business Manager & Microsoft Intune Integration


As a Microsoft Intune expert, I can confidently say that Apple and Microsoft are better together when it comes to managing Apple iOS or macOS devices using Microsoft Intune.

What is Microsoft Intune?

Microsoft Intune is a powerful solution that can help secure iOS, Android, Windows, and macOS devices. With Intune, you can deploy devices with company-defined security standards, secure corporate data on devices, and improve the user experience by automating apps, configurations, and updates installations, Wi-Fi, VPN, security policies, and enforcing configuration policies. Intune can also help maintain the end-to-end device lifecycle. It is the only solution that can protect Office 365 data on devices using Application Protection Policies with or without device enrollment.

What is Apple Business Manager?

Apple Business Manager (ABM) is a new portal that integrates Device Enrollment Program (DEP) and Volume Purchase Programs (VPP). ABM can be beneficial in managing company-owned device procurement, deployment, Apps & Books distribution, and roles management. ABM makes it easy to enroll devices, deploy content, and delegate administrative privileges.Also, you can have managed apple IDs which can Single sign on using organisation credentials. 

Integrating MS Intune with ABM can help organisations achieve faster enrollment, ease to implement security controls, remain compliant and provide a seamless device enrollment experience. Here are the top 10 reasons to integrate MS Intune with ABM:

1.    Enforce Intune Enrollment

To enroll a device in Intune (or any other MDM), the user must download the Comp Portal App (MDM App) from the App Store, sign in using company credentials, and enroll the device. Intune and ABM integration can help enforce the installation of the Company Portal app and device enrollment automatically. Users can be compelled to sign in with Company Credentials to activate the device instead of an Apple ID. Admin can add existing devices to ABM too using Apple Configurator.

2.    Customise out of the box user Experience

New devices must go through initial device setup and activation before they can be used. Users are prompted to enter a passcode, set up Touch ID, enable location services, set up Apple ID, and other features. Also, users are prompted to sign in with their Apple ID to install apps from the App Store. These steps can be controlled using Intune, and many levels can be disabled to minimize user interaction, resulting in a fast enrollment experience.  

3.    Bypass Apple ID requirements

An Apple ID is mandatory to install apps from the App Store. However, with the help of ABM and MS Intune integration, the Apple ID requirement can be entirely bypassed. Users can install company-owned apps procured using ABM from the Company Portal Apps instead of the App Store.

4.    Locked Enrolment

Users can easily bypass configured security by deleting the MDM profile, resulting in the device no longer being under Intune management, and policies are not enforced. Intune & ABM integration allows configuring devices with locked enrollment. This can only be set on devices managed using ABM or Apple Configurator.

5.    Authenticate user with Company Portal

During setup assistance, users are prompted to create or sign in with their Apple ID to install apps from the App Store, iMessage, iCloud backup, etc. However, this can be cumbersome when the employee does not have an Apple ID, cannot recall their password, or has multi-factor authentication set up. ABM and Intune integration can bypass Apple ID, and the user can sign in with company credentials to start using the device, resulting in faster device deployment.

6.    Supervised Mode

Supervised mode is a powerful feature that gives Intune administrators more control over devices than what is typically allowed. With this mode, administrators can enforce running iPhones or iPads in single app mode, configure always-on VPN, set wallpapers and messages on the lock screen, automatically install apps, change device names, and block Airdrop, among other things. Visit Apple support to learn about all supervised restrictions. The ABM and Intune integration allows for easy configuration of supervised mode on devices.

7.    Enforce Device Naming Standards

Enforcing device naming standards is also made easy with the ABM and Intune integration. Administrators can create apple device naming templates that assign unique names to devices, containing their serial number and device type. This makes it easier for IT admins and users to manage devices.

8.    Seamless App Installation without Pop-Ups

Devices managed using ABM are supervised, which allows for seamless app installation without any pop-ups. This saves time and allows users to be more productive and focus on more valuable tasks.


9.    Procurement and Asset Management
Managing device lifecycle, including procurement, allocation, tracking ownership, and decommissioning, can be challenging. However, the ABM administrator can add preferred suppliers to ABM, and all newly procured devices will be automatically added to Intune via ABM by the supplier. Intune shows the device state for lifecycle management. Devices are always enforced to sign in with company credentials, so lost or stolen devices cannot be sold on the black market or eBay.

10.           Minimise Support Cost with Zero Touch

Zero-touch enrollment can help minimize support costs. With ABM and Intune integration, IT can ship devices directly to users. Users can follow necessary steps to enroll devices and sign in using company credentials to access company email, apps, Wi-Fi, VPN, etc. This can help minimize IT support calls, helpdesk time, and improve user experience. Users can complete setup within five minutes. Devices are automatically enforced to sign in with company credentials, so they are protected out of the box. All apps can be automatically installed using the Company Portal without the need for an Apple ID.

To learn more about Apple Business Manager visit this link

Intune is most leading cloud solution, to get start visit this link.

Author: Pratik Dave www.daveinfotech.com.au  | https://twitter.com/prtkdv | https://au.linkedin.com/in/pratikrdave

About Author : Pratik Dave has more than 15 years of IT experience, delivering Modern Management and Security solutions to enterprises using cloud and on-premises solutions.

If you need help to manage, configure to evaluate Intune, please email pratik@daveinfotech.com.au.



Comments

  1. Exim DataApril 8, 2022 at 5:41 PM

    Thank you for the information, Your information is very helpful for us
    USA Buyers Details

    ReplyDelete

Post a Comment

Popular posts from this blog

How to enable iOS unmanaged apps to read managed contacts & write unmanaged contacts without compromising security using Microsoft Intune

Image
The contacts saved in Exchange is considered managed contacts. with iOS 12 onwards managed contacts are not visible from unmanaged Apps. As stated in Apple Article (https://support.apple.com/en-au/HT208749)  iOS 12, you can use MDM to make the following exceptions to this policy: Allow unmanaged apps to access managed contacts Allow managed apps to save contacts to the local Contacts app Microsoft Intune have introduced new feature, but it has pre-requisite to "Viewing corporate documents in unmanaged apps" to write contact to unmanaged app and "Viewing non-corporate documents in corporate apps" to read managed contacts in unmanaged app.  This can be security issue for many organisations. However, you can enable this without changing the parent policy by following trick! Go to iOS restriction settings in Intune, go to 'App Store, Doc Viewing, Gaming controls'. As highlighted above 'Allow managed apps to write contacts...
Read more

Network Driver for HP Elitebook 840 G1

Network Driver for HP Elitebook 840 G1 Issue :  HP elitebook 840 G1 does no PXE boot when network drivers are injected in boot image. environment SCCM 2012 SP1. Answer: To build HP elitebook 840 G1  inject the Windows 8 network driver.  Please see post below from Niall C. Brady on how to inject or test drive during task sequence. Thanks Niall C. Brady for this article:  http://myitforum.com/cs2/blogs/nbrady/archive/2011/08/31/missing-nic-driver-in-winpe-boot-image-no-problem.aspx . TO\o Download Driver click here   Unzip the file using 7 zip, go to \sp63299\Setup\Win8x64  folders and inject driver in boot image  from SCCM or using drvload command as explain in article.  Happy Days....
Read more

How to deploy Application (offline installer DMG) on Apple MacOS Devices using Microsoft Intune

Image
Microsoft Intune does not support deployment of DMG file. As per the  Microsoft documentation   : " Only  .pkg files may be used to upload macOS LOB apps to Microsoft Intune. Conversion of other formats, such as .dmg to .pkg is not supported." Microsoft Intune have provided support to deploy shell script to macOS. In the example below, I will deploy Adobe Acrobat Reader DC 2020.009.20063 DMG file on MacOS Device. Save following script as .sh package i.e.  InstallAdobeReader.sh #! /bin/sh url=https://ardownload2.adobe.com/pub/adobe/reader/mac/AcrobatDC/2000920063/AcroRdrDC_2000920063_MUI.dmg   set -x tempd=$(mktemp -d) curl $url > $tempd/AdobeReaderDC.dmg listing=$(sudo hdiutil attach $tempd/AdobeReaderDC.dmg | grep Volumes) volume=$(echo "$listing" | cut -f 3) package=$(ls -1 "$volume" | grep .pkg | head -1) sudo installer -pkg "$volume"/"$package" -target / sudo hdiutil detach "$(echo "$volume" | cut -f 1)" rm -r...
Read more