Integrating with Apple's Device Enrollment Program (DEP) requires completing tasks in both the UEM console and in Apple Business Manager portal.
Your organization must already be registered with Apple Business Manager Deployment Programs. During the integration, Workspace ONE UEM suggests you not use Internet Explorer as your browser. Also, once you begin configuring the Apple Business Manager wizard in the UEM console, keep the browser session open. You cannot save your activity until you complete the final configuration step, so it is important to finish the entire configuration in one browser session.
Configure the Apple Business Manager Portal
Start in the UEM console to begin integrating your Workspace ONE UEM deployment with Apple Business Manager. Then move to the Apple Business Manager portal to create a virtual MDM server container for your organization's devices. You must download the Public Key to integrate with Apple Business Manager.
To configure the Apple Business Manager portal, begin integrating with the Apple DEP program by creating a virtual MDM server for devices that links to your own MDM server, so you can manage devices directly in the UEM console. Workspace ONE UEM does not recommend using Internet Explorer to complete this process.
You can learn about integrating Apple's Automated Device Enrollment into Workspace ONE UEM by going through the documentation.
Prerequisites
- Log into the UEM console, navigate to the Device Enrollment Program settings, and select Configure. A Device Enrollment Program window appears.
- Download the public key by selecting the MDM_DEP_PublicKey.pem file.
- Save the public key in a convenient location. This is used to complete the DEP setup process.
Procedure
- Log into Apple Business Manager portal.
- Sign in with your organization's Apple credentials.
- Confirm your identity by entering the verification code. The Device Enrollment Program portal screen appears.
- Navigate to Settings > Device Management Settings > Add a MDM Server.
- Enter the MDM Server Name.
- In MDM Server Settings, upload the public key by browsing from your local repository.
- Click Save.
What next: Configure your devices and the UEM console to create an initial profile.
Create or Edit the DEP Enrollment Profile
After assigning devices to the Apple Business Manager portal, use the Device Enrollment Program wizard in the Workspace ONE UEM console to create an initial DEP profile to configure authentication, MDM features, and the Setup Assistant to push down to devices.
You must assign this DEP profile before configuring the device's Setup Assistant that appears after you switch on the device for the first time. Devices only reach out to Apple's server once after configuring Wi-Fi to receive the DEP profile. If the correct DEP profile is not assigned to the device prior to Wi-Fi configuration, a factory wipe is required (using iTunes or directly on the device).
After you register devices with the Apple Business Manager portal, use the DEP Enrollment Program wizard to create a DEP enrollment profile in Workspace ONE Express or Workspace ONE UEM. An enrollment profile is a collection of DEP settings assigned to your registered devices. To provide a customized experience to users enrolling into Workspace ONE UEM with devices added to Apple Business Manager, see Custom Enrollment in DEP.
Create a DEP enrollment profile or edit an existing profile. If needed, you can create more profiles later.
- In the Workspace ONE UEM console, navigate to the Device Enrollment Program wizard.
- Select Upload and select the Apple Server Token File (.p7m). Select Next. Workspace ONE UEM and Apple can now authenticate each other.
  For clarity, use only one token at the customer organization group. Only add multiple tokens if your organization has a complex configuration, or if you are enrolling devices with multiple DEP accounts.
  Note: DEP tokens expire each year and must be renewed annually. You can set console notifications for DEP token expiry. For more information, see Configure Notification Settings in the Console Basics guide.
- Configure the Authentication settings, based on whether you turn authentication On or Off. Authentication settings are only available for devices running iOS 7.1 or later. If devices running iOS 7.0 or earlier are assigned an authentication profile, they are automatically enrolled using staging authentication.
  - If you turn on Authentication, each user must tie a DEP device to their own user account.
  - If you turn off Authentication, you can enable staging of all devices under a single user account, and extra configuration options appear on the Settings page to accommodate this option.
  If you set Authentication to On, then configure:

  | Setting | Description |
  | --- | --- |
  | Device Ownership Type | Determines the ownership type of the device upon enrollment, which can be either Corporate-Dedicated or Employee-Owned. |
  | Device Organization Group | Select the organization group where your end users authenticate. Only end-user accounts created at this level or at a parent level above it can authenticate their devices. End users can authenticate using either their Active Directory credentials or basic Workspace ONE UEM credentials, depending on which authentication type you have enabled under Enrollment settings. |
  | Custom Prompt | Turn On Custom Prompt to enable custom text to appear on the device authentication screen during the Setup Assistant. Authentication occurs when end users are prompted for their credentials. For Apple School Manager, turn Off Custom Prompt if you are deploying shared iPads. |
  | Message Template | Select a message template to send as a Custom Prompt (supported for English only). This option is not available when Custom Prompt is Off. |
  If you turn Authentication Off, then configure:

  | Setting | Description |
  | --- | --- |
  | Default Staging User | Select the Enrollment User assigned to the device. |
  | Device Ownership Type | Select the ownership type of the device upon enrollment, which can be either Corporate-Dedicated or Employee-Owned. |
  | Device Organization Group | Select the organization group where your devices are enrolled. |
- Configure the MDM features of the device.

  | Setting | Description |
  | --- | --- |
  | Profile Name | Enter the name of the profile as it appears in the UEM console. |
  | Department | Enter the name of your department as it appears in the device's About Configuration panel upon setup and enrollment. |
  | Support Number | Enter your organization's support contact phone number as it appears in the device's About Configuration panel upon setup and enrollment. |
  | Require MDM Enrollment | Select Enable to require end users to enroll into Workspace ONE UEM MDM. Use this setting to ensure end-user devices cannot be activated unless they enroll into Workspace ONE UEM MDM. |
  | Supervision | Enable the option to set the device in Supervised mode, which is an alternative to configuring Supervised devices using Apple Configurator. Supervision is required for shared devices. |
  | Shared Devices | Enable the option to use Shared iPads for Business or Shared iPads for Education. This option must be enabled for shared devices using Apple Business Manager or Apple School Manager, respectively. |
  | Lock MDM Profile | Select Enable to prevent end users from unenrolling from Workspace ONE UEM MDM. This setting ensures that end users cannot remove the Workspace ONE UEM MDM profile installed on the device. This option can only be enabled if Supervision is enabled. |
  | Anchor Certificate | Enable this option to upload a certificate as a trusted anchor certificate and push it to devices during the DEP enrollment. These certificates are used as trusted anchors when evaluating the trust of the connection to the MDM server URL. If no certificate is uploaded, the built-in root certificates are used. |
  | Device Pairing | Enable the option to allow the device to sync with any workstation through iTunes, Configurator, and iPCU. Optionally, set Device Pairing to Disable when deploying education functionality, and upload a Device Pairing Certificate for supervised identities. From Workspace ONE UEM 9.2.2, you can upload Device Pairing Certificates whether Device Pairing is set to Enabled or Disabled. |
  | Await Configuration | Enable this setting if the MDM server is expected to send extra commands before the device can allow the user to proceed in the Setup Assistant. Await Configuration is required for the education functionality. To override the Await Configuration setting on a device, navigate to the device record in the UEM console, select the device to override, and select the override action; the device is then noted as configured and skips the Awaiting Configuration screen during enrollment. If you enable Await Configuration, more options appear in the Setup Assistant section. |
  | Auto Advance Setup | Enable this setting to apply the DEP configuration automatically to an enrolling device. Users can skip all setup panes, and the device is automatically set to the most restrictive option by default within around 30 seconds after the network becomes active. Applies to Ethernet-connected macOS 11.0+ and tvOS devices only. |
- Select the items seen by end users during the Apple Setup Assistant workflow that appears after the device is powered on for the first time. For Apple School Manager, skip all Setup Assistant options.

  | Setting | Description |
  | --- | --- |
  | Passcode | Select Don't Skip to require the user to set a passcode during setup. If an MDM passcode profile is already set up through Workspace ONE UEM, select Skip. |
  | Touch ID | Select Don't Skip to prompt the user to configure Touch ID during setup. |
  | Location Services | Select Don't Skip to prompt the user to enable or deactivate Location Services during setup. If you plan on tracking GPS locations for your devices, select Don't Skip. |
  | Restoring from Backup | Select Don't Skip to prompt the user to restore from a backup during setup. You must select Don't Skip to allow users to move data from a previous device, including an Android device. |
  | Move from Android | If Restoring from Backup is set to Don't Skip, select Don't Skip in this pane to prompt users to move accounts and data from an Android device during setup. |
  | Sign in with Apple ID and iCloud | Select Don't Skip to prompt the user to sign in with an Apple ID and iCloud account during setup. |
  | Terms of Use and Conditions | Select Don't Skip to prompt users to read and accept the Terms of Use and Conditions during setup. |
  | Siri | Select Don't Skip to prompt the user to configure Siri. If you select Skip, Siri is deactivated on enrolled devices. |
  | Diagnostics | Select Don't Skip to prompt the user to enable or deactivate sending diagnostic data to Apple. If you select Skip, sending diagnostic data is deactivated on enrolled devices. |
  | Registration | Select Don't Skip to prompt the user to register the device with Apple during setup. |
  | Apple Pay | Select Don't Skip to prompt the user to set up an Apple Pay account during setup. If you select Skip, Apple Pay is deactivated on enrolled devices. |
  | Zoom | Select Don't Skip to prompt the user to enable the zoom functionality during setup. |
  | FileVault 2 | Select Don't Skip to prompt the user to set up a FileVault account. The device determines whether or not to display this setup step. |
  | Display Tone | Select Skip to allow users to skip the display tone setup step on enrolling iOS devices. |
  | Home Button Sensitivity | Select Skip to allow users to enroll devices without configuring the Home button sensitivity on enrolling iOS devices. |
  | Tap to Setup | Select Skip to allow enrolling tvOS devices to enroll without an associated iOS device. |
  | Screen Saver | Select Skip to allow users to enroll a tvOS device without configuring a screen saver. |
  | Keyboard | Select Skip to omit the prompt for users to select a keyboard type during the Setup Assistant process. |
  | Onboarding | Select Skip to prevent users from viewing the onboarding informational (user education) screens during the Setup Assistant process. |
  | Watch Migration | Set to Skip to prevent users from viewing the watch migration options during the Setup Assistant process. |
  | Device to Device Migration | Set to Skip to prevent users from being informed about device-to-device migration during setup. |
  | iCloud Analytics | Set to Skip to omit the prompt to send analytics to iCloud during setup. |
  | iCloud Documents and Desktop | Set to Skip to prevent users from viewing the iCloud Documents and Desktop screen in macOS. |
  | TV Home Screen Sync | Set to Skip to prevent users from toggling the TV home screen layout during setup. |
  | TV Provider Sign In | Set to Skip to prevent users from signing in to a TV provider during setup. |
  | Where is the TV? | Set to Skip to omit the Where is this Apple TV screen on tvOS devices enrolling through DEP. |
  | Privacy | Set to Skip to omit the Privacy screen in the DEP Setup Assistant during onboarding. |
  | iMessage and FaceTime | Set to Skip to suppress the iMessage and FaceTime prompt during setup. |
  | Software Update | Set to Skip to avoid informing users about Software Updates during setup. |
  | Screen Time | Set to Skip to avoid informing users about Screen Time during setup. |
  | SIM Setup | Set to Skip to prevent users from viewing the SIM Setup screen during setup. |
  | Welcome | Set to Skip to omit the Get Started screen during setup. |
  | Express Language | Set to Skip to omit the Express Language Setup screen during setup. |
  | Preferred Language | Set to Skip to omit the Preferred Language Order screen during setup. |
  | Appearance | Set to Skip to omit the Choose Your Look screen during setup. |
  | Primary Account Setup | This item appears only if Await Configuration is set to Enabled. Select Don't Skip to require users to create an account during setup, and configure the type of account the user creates in Account Type. Select Skip if you have created a Directory Profile for the user and they do not need to create an account; configure the admin account for this selection in the Admin Account Creation section, and auto log in after the Setup Assistant is deactivated. |
- For certain configurations detailed in the Setup Assistant configuration, use the Primary User Account section to define the type of account end users are allowed to create at the end of setup. You can also create an admin account for local and remote macOS device admin actions.

  Primary Account Creation

  | Setting | Description |
  | --- | --- |
  | Account Type | This item appears only if Primary Account Setup is set to Don't Skip. Select Standard to give users a standard user account on their macOS device; if you select Standard, you must create an admin account to manage the Standard account. Select Administrator to allow users to create an Administrator account on their macOS device. |
  | Autofill | Enable the option to auto-populate the primary account information. |
  | User Name | Enter the account name for the primary account. To automatically populate the enrollment user's organization user name, use lookup values such as {EmailUserName} or {EnrollmentUser}. |
  | Full Name | Enter the full name for the primary account. To automatically populate the enrollment user's first and last name, use the default lookup values such as {FirstName} and {LastName}. |
  | Allow Editing | If this option is deactivated and the primary account user name and full name are predefined, the user cannot modify the User Name and Full Name fields in Setup Assistant. Note: Allow Editing is applicable only if Autofill is enabled. |
  | Create New Admin Account | Enable the option to create a managed admin account during the DEP enrollment. Currently, only one managed admin account can be created on macOS. |

  Admin Account Creation

  | Setting | Description |
  | --- | --- |
  | User Name | Enter the account name for the admin account. |
  | Full Name | Enter the full name for the admin account. |
  | Unique Random Password | Generate a unique random password of 14 characters, with at least 2 symbols, 1 lowercase, 1 uppercase, and 1 digit. Once enabled, this cannot be changed back to a static password. (macOS 10.11) |
  | Password | Deactivate the Unique Random Password toggle to create a static password for the account. This password is used for all assigned devices that enroll with this configuration. |
  | Hidden | Select Enabled to hide the admin account on the macOS device; hidden accounts are not visible in the Login Window to end users. Select Disabled to make the admin account visible when a user logs in. |
- Select Save to view the Summary page and review the settings you have selected. Assign the settings to devices registered in the Device Enrollment Program.

  | Setting | Description |
  | --- | --- |
  | Sync Now and Assign to All Devices | Select Yes to save and deploy the DEP profile settings to all devices that are currently registered with the MDM server that you just created in the DEP portal. Selecting No saves the DEP profile settings but does not deploy them to devices. |
  | Auto Assign Default Profile | Select Yes to push the DEP profile settings to all currently registered devices once they are synced with Workspace ONE UEM, and to any devices from that point on as they are newly registered with Apple and synced with Workspace ONE UEM. Selecting No means that newly registered devices do not automatically receive the DEP profile settings. Select No if you plan to create multiple DEP profiles for different devices. |
- Once the deployment options are configured, select Save. You are now ready to manage profiles on DEP-enabled devices from the UEM console.
What next: Assign devices to the virtual MDM container in Apple Business Manager portal, so they can be managed through the UEM console.
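The Unique Random Password setting in the Admin Account Creation table above replaces one static password shared by every enrolled Mac with a per-device value. The following Python is an added example, not Workspace ONE UEM code: it models the stated policy (14 characters, at least 2 symbols, 1 lowercase, 1 uppercase, 1 digit) as a checker and a CSPRNG-backed generator. The symbol set is an assumption, since the page does not list the console's.

```python
import secrets
import string

# Policy stated for the DEP profile's Unique Random Password setting:
# 14 characters, at least 2 symbols, 1 lowercase, 1 uppercase and 1 digit.
LENGTH = 14
MIN_SYMBOLS, MIN_LOWER, MIN_UPPER, MIN_DIGITS = 2, 1, 1, 1

# Assumption: the console's symbol set is not documented on this page, so a
# conservative printable-ASCII set is used for this example.
SYMBOLS = "!#$%&*+-=?@^_"
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
ALPHABET = SYMBOLS + LOWER + UPPER + DIGITS

# secrets.SystemRandom draws from os.urandom, unlike the default random module.
_rng = secrets.SystemRandom()


def meets_policy(password: str) -> bool:
    """Return True only if the password satisfies every stated constraint."""
    if len(password) != LENGTH or any(c not in ALPHABET for c in password):
        return False
    return (
        sum(c in SYMBOLS for c in password) >= MIN_SYMBOLS
        and sum(c in LOWER for c in password) >= MIN_LOWER
        and sum(c in UPPER for c in password) >= MIN_UPPER
        and sum(c in DIGITS for c in password) >= MIN_DIGITS
    )


def generate_admin_password() -> str:
    """Generate a policy-compliant password from a CSPRNG.

    The minimum from each class is drawn first so the result always passes
    meets_policy(); the remaining positions come from the full alphabet and
    the list is shuffled so class positions are not predictable.
    """
    chars = [_rng.choice(SYMBOLS) for _ in range(MIN_SYMBOLS)]
    chars += [_rng.choice(LOWER) for _ in range(MIN_LOWER)]
    chars += [_rng.choice(UPPER) for _ in range(MIN_UPPER)]
    chars += [_rng.choice(DIGITS) for _ in range(MIN_DIGITS)]
    chars += [_rng.choice(ALPHABET) for _ in range(LENGTH - len(chars))]
    _rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    candidate = generate_admin_password()
    print(candidate, meets_policy(candidate))
```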
Associate and Disassociate Devices from an MDM Server
Associate devices with the MDM server in the DEP portal so that they can be synced and managed with Workspace ONE UEM. You can assign additional devices later using these same steps, if necessary.
Assign Devices in ABM
- Log into the Apple Business Manager portal and select Apple's Device Enrollment Program.
- In the left pane, select the option for assigning devices to the MDM server you already created.
- Select the method for associating devices under Choose Devices:
- Serial Number – You can enter a list of device serial numbers.
- Order Number – You can enter your Apple Purchase Order number and have devices added automatically.
- Upload a .csv File – Upload a CSV file listing the serial numbers.
- Select Assign to Server as the Action and select the MDM server group.
- Click Done.
You have successfully associated the devices to the MDM server group.
Unassign Devices in ABM
If necessary, you can manually disassociate a device from the MDM server in Apple Business Manager. Do this if the device was lost or stolen.
- Return to the Apple Business Manager portal and manually disassociate the device from the MDM server that you initially created.
- Navigate to Device Assignments > Choose Devices.
- Enter the Serial Number.
- In Choose Action, select Unassign Devices and click Done.
- To sync the devices in Workspace ONE UEM, navigate to Devices > Enrollment Status.
- In the ADD dropdown menu, select Sync Devices and click Sync. Follow the prompt to complete the process.