Maximising Apple Device Management with Apple Business Manager & Microsoft Intune Integration


As a Microsoft Intune expert, I can confidently say that Apple and Microsoft are better together when it comes to managing Apple iOS or macOS devices using Microsoft Intune.

What is Microsoft Intune?

Microsoft Intune is a powerful solution that can help secure iOS, Android, Windows, and macOS devices. With Intune, you can deploy devices with company-defined security standards, secure corporate data on devices, and improve the user experience by automating apps, configurations, and updates installations, Wi-Fi, VPN, security policies, and enforcing configuration policies. Intune can also help maintain the end-to-end device lifecycle. It is the only solution that can protect Office 365 data on devices using Application Protection Policies with or without device enrollment.

What is Apple Business Manager?

Apple Business Manager (ABM) is a new portal that integrates Device Enrollment Program (DEP) and Volume Purchase Programs (VPP). ABM can be beneficial in managing company-owned device procurement, deployment, Apps & Books distribution, and roles management. ABM makes it easy to enroll devices, deploy content, and delegate administrative privileges.Also, you can have managed apple IDs which can Single sign on using organisation credentials. 

Integrating MS Intune with ABM can help organisations achieve faster enrollment, ease to implement security controls, remain compliant and provide a seamless device enrollment experience. Here are the top 10 reasons to integrate MS Intune with ABM:

1.    Enforce Intune Enrollment

To enroll a device in Intune (or any other MDM), the user must download the Comp Portal App (MDM App) from the App Store, sign in using company credentials, and enroll the device. Intune and ABM integration can help enforce the installation of the Company Portal app and device enrollment automatically. Users can be compelled to sign in with Company Credentials to activate the device instead of an Apple ID. Admin can add existing devices to ABM too using Apple Configurator.

2.    Customise out of the box user Experience

New devices must go through initial device setup and activation before they can be used. Users are prompted to enter a passcode, set up Touch ID, enable location services, set up Apple ID, and other features. Also, users are prompted to sign in with their Apple ID to install apps from the App Store. These steps can be controlled using Intune, and many levels can be disabled to minimize user interaction, resulting in a fast enrollment experience.  

3.    Bypass Apple ID requirements

An Apple ID is mandatory to install apps from the App Store. However, with the help of ABM and MS Intune integration, the Apple ID requirement can be entirely bypassed. Users can install company-owned apps procured using ABM from the Company Portal Apps instead of the App Store.

4.    Locked Enrolment

Users can easily bypass configured security by deleting the MDM profile, resulting in the device no longer being under Intune management, and policies are not enforced. Intune & ABM integration allows configuring devices with locked enrollment. This can only be set on devices managed using ABM or Apple Configurator.

5.    Authenticate user with Company Portal

During setup assistance, users are prompted to create or sign in with their Apple ID to install apps from the App Store, iMessage, iCloud backup, etc. However, this can be cumbersome when the employee does not have an Apple ID, cannot recall their password, or has multi-factor authentication set up. ABM and Intune integration can bypass Apple ID, and the user can sign in with company credentials to start using the device, resulting in faster device deployment.

6.    Supervised Mode

Supervised mode is a powerful feature that gives Intune administrators more control over devices than what is typically allowed. With this mode, administrators can enforce running iPhones or iPads in single app mode, configure always-on VPN, set wallpapers and messages on the lock screen, automatically install apps, change device names, and block Airdrop, among other things. Visit Apple support to learn about all supervised restrictions. The ABM and Intune integration allows for easy configuration of supervised mode on devices.

7.    Enforce Device Naming Standards

Enforcing device naming standards is also made easy with the ABM and Intune integration. Administrators can create apple device naming templates that assign unique names to devices, containing their serial number and device type. This makes it easier for IT admins and users to manage devices.

8.    Seamless App Installation without Pop-Ups

Devices managed using ABM are supervised, which allows for seamless app installation without any pop-ups. This saves time and allows users to be more productive and focus on more valuable tasks.


9.    Procurement and Asset Management
Managing device lifecycle, including procurement, allocation, tracking ownership, and decommissioning, can be challenging. However, the ABM administrator can add preferred suppliers to ABM, and all newly procured devices will be automatically added to Intune via ABM by the supplier. Intune shows the device state for lifecycle management. Devices are always enforced to sign in with company credentials, so lost or stolen devices cannot be sold on the black market or eBay.

10.           Minimise Support Cost with Zero Touch

Zero-touch enrollment can help minimize support costs. With ABM and Intune integration, IT can ship devices directly to users. Users can follow necessary steps to enroll devices and sign in using company credentials to access company email, apps, Wi-Fi, VPN, etc. This can help minimize IT support calls, helpdesk time, and improve user experience. Users can complete setup within five minutes. Devices are automatically enforced to sign in with company credentials, so they are protected out of the box. All apps can be automatically installed using the Company Portal without the need for an Apple ID.

To learn more about Apple Business Manager visit this link

Intune is most leading cloud solution, to get start visit this link.

Author: Pratik Dave www.daveinfotech.com.au  | https://twitter.com/prtkdv | https://au.linkedin.com/in/pratikrdave

About Author : Pratik Dave has more than 15 years of IT experience, delivering Modern Management and Security solutions to enterprises using cloud and on-premises solutions.

If you need help to manage, configure to evaluate Intune, please email pratik@daveinfotech.com.au.



Comments

  1. Exim DataApril 8, 2022 at 5:41 PM

    Thank you for the information, Your information is very helpful for us
    USA Buyers Details

    ReplyDelete

Post a Comment

Popular posts from this blog

How to enable iOS unmanaged apps to read managed contacts & write unmanaged contacts without compromising security using Microsoft Intune

Image
The contacts saved in Exchange is considered managed contacts. with iOS 12 onwards managed contacts are not visible from unmanaged Apps. As stated in Apple Article (https://support.apple.com/en-au/HT208749)  iOS 12, you can use MDM to make the following exceptions to this policy: Allow unmanaged apps to access managed contacts Allow managed apps to save contacts to the local Contacts app Microsoft Intune have introduced new feature, but it has pre-requisite to "Viewing corporate documents in unmanaged apps" to write contact to unmanaged app and "Viewing non-corporate documents in corporate apps" to read managed contacts in unmanaged app.  This can be security issue for many organisations. However, you can enable this without changing the parent policy by following trick! Go to iOS restriction settings in Intune, go to 'App Store, Doc Viewing, Gaming controls'. As highlighted above 'Allow managed apps to write contacts...
Read more

Microsoft 365 Defender Security Portal : Managing email download and preview permissions

Image
Microsoft 365 is a comprehensive suite of tools and services that enables businesses to manage their data securely and efficiently. A crucial aspect of data administration is ensuring that the correct individuals have the appropriate access levels to perform their duties without jeopardising data security. Using the Microsoft 365 compliance centre (compliance.microsoft.com), we will walk through the process of assigning user permissions to access and preview email communications. I have endeavored to rectify this problem using the procedures provided below. As per the Microsoft Documentation Preview role needs to be assigned from Defender Portal. However, this feature is not available. You have to complete the steps using Microsoft 365 Compliance Portal. Please refer to detailed steps below: ISSUE : Administrator cannot preview or Download email from M365 Defender Security Portal (security.microsoft.com) Finally, here are the set of steps to be followed that I found that resolved the ...
Read more

Setup single sign-on to Apple devices apps and websites that use Microsoft Azure AD for authentication

Image
Configuring Microsoft Enterprise SSO Plug-In for Apple Devices: The Microsoft Enterprise SSO plug-in enables users to sign in to apps and websites that rely on Microsoft Azure Active Directory (Azure AD) for authentication, including Microsoft 365, using a single sign-on (SSO) process. This plug-in utilizes the Apple single sign-on app extension framework to minimize the number of authentication prompts that users receive when accessing devices managed by Mobile Device Management (MDM). Additionally, any MDM that facilitates configuring SSO profiles is supported. After configuring the Microsoft Enterprise SSO plug-in, apps that support the Microsoft Authentication Library (MSAL) automatically integrate with it. However, apps that don't support MSAL can also utilize the extension, such as browsers like Safari and apps that use Safari web view APIs. To do so, simply add the application bundle ID or prefix to the extension configuration. For example, you can enable a Microsoft a...
Read more