Apple - Device Enrolment

Enrollment guide: Microsoft Intune enrollment | Microsoft Learn

Device enrolment can be done in a variety of ways depending on the device’s operating system and ownership.

There are two main types of device ownership supported by Hwb that can be set during enrolment:

With user affinity - This is suitable for one-to-one devices that are primarily used by a single user.

For iPads and Macs, ‘owned’ devices are locked to that user via their Managed Apple Id. They are automatically logged into Apple products and services on that device.
With-out user affinity - This suitable for classroom or ICT suite usage where the device is not solely used by the same user.

For iPads, the behaviour will depend on whether the device is setup as a ‘user-less’ device or shared iPad. The Company Portal app cannot be used to install apps.

Enrolling an iPad as a 'shared iPad' enables a log on screen so users can sign in and have their own separate profile on the device. This is handy for access to Hwb services without having to sign out of them after use, users simply just log off the iPad ready for the next person.

Information

For devices enrolled with 'User affinity' or 'Without User Affinity + Shared iPads' a managed Apple Id is required. Please see Managed Apple Ids for more information.

Information

Consider using 'Without User Affinity + Shared iPad' with the guest account if you don’t want to use managed Apple Ids. The guest account clears data after signing out and is safer than all users sharing the same profile with a non-shared iPad.

iPadOS and MacOS - Automatic Device Enrolment

iPad and MacOS devices are added to Apple School Manager via Apple’s Automatic Device Enrolment (ADE). This is commonly done by an approved reseller at the time of purchase. Alternatively, the Apple Configurator app can be used to add iPadOS and MacOS to Apple School Manager.

After a device has been registered in ADE, it must be assigned to an MDM server in Apple School Manager and sync'd to be made available in the Intune portal. It can then be assigned an enrolment profile configured with one of the above types, and enrolled over-the-air. If the device needs to be wiped at a later date, it can easily be done remotely and re-enrolled over-the-air using the existing assigned profile.

Once enrolled, the device will be visible in the relevant device provisioning group, depending on the name of the enrolment profile used. The device will need to be added to any additional groups to receive additional configuration policies and apps – see Move or add a device to another group.

Using Apple Configurator for Mac
This method can only be used for iPads, and is useful to add devices in bulk connected via a trolley or docking station.
To add the device(s), follow the steps in the Apple School Manager User Guide.

Apple Configurator for iPhone
This method can be used for both iPads and Macs, and requires an iPhone or iPad with the Apple Configurator app installed. It does not need a physical connection but does need close proximity.
To add the device(s), follow the steps in the Apple Configurator for iPhone guide.

There is an option in the Apple Configurator for iPhone app to specify the MDM server assignment. If you do this, you do not need to log into Apple School Manager to assign the device and can go straight to assigning them an enrolment profile in Intune.
1. Log into Apple School Manager with an account that has the Device Enrolment Manager role.
2. Go to Devices and search for the device(s) to be assigned. There are several filters available to help find the target devices, including order number from the reseller.
3. Select the target device(s) (you can select more than one device by holding ‘CTRL’) or click All Devices to select all currently filtered devices.
  Please make sure you have applied a filter before selecting all devices.
4. Click Edit next to Edit MDM Server.
5. Select Assign to the following MDM and choose the appropriate entry from the drop down selection.
6. Click Continue
Devices will automatically sync with Intune every day, but you can also manually perform a sync:
1. Go to Intune -> Devices -> Enroll Devices -> Apple Enrollment -> Enrollment program tokens.
2. Select the MDM token for your local authority.
3. Select
4. Click on Sync
After a short period, the devices you assigned in Apple School Manager should appear. New devices can be identified by the ‘Profile assigned’ column being blank. You can also add the ‘Profile Name’ column to see what has been assigned to other devices.
1. Go to the Intune -> Devices -> Enroll Devices -> Apple Enrollment -> Enrollment Program Tokens.
2. Select the MDM token for your local authority.
3. Select Profiles
4. Click Create Profile -> iOS/iPadOS or
5. Configure the settings as required.
  1. Name the enrolment profile (which should be prefixed with the school number)
  2. Select the appropriate user affinity – With User Affinity (associate a user to the device) or Without User Affinity (user-less or shared devices).
    For With User Affinity, select Company Portal for authentication and an appropriate VPP token to use (ensuring it has enough licenses).
    For Without user affinity, optionally enable Shared iPad if desired.
  3. Enable locked supervision.
  4. Set a device name template (optional) – if set, this is enforced and cannot be changed even through Intune (the device name will revert to match that of the template).
  5. Specify a department name and phone number.
  6. Toggle which screens of the Setup assistant you wish to show during enrolment – we recommend enabling ‘location services’ as a minimum to set the correct time zone on the device.
6. Click Create
Enrolment profiles can also be created in bulk using a PowerShell script, available on request via the Hwb Service Desk.
1. Go to the Endpoint Portal -> Devices -> Enroll Devices -> Apple Enrollment -> Enrollment Program Tokens.
2. Select the MDM token for your local authority.
3. Select Profiles
4. Check the target device(s) and select Assign profile.
5. Select the appropriate enrollment profile from the drop down box and click
Enrollment profile assignment can be performed in bulk using a PowerShell script, available on request via the Hwb Service Desk.
1. Power on the device.
2. Join it to a network with open access to the Internet.
3. Follow the onscreen prompts to add the device management profile.

Warning

The Hwb account used to sign-in to the Apple Configurator app must have the Device Enrollment Manager role in Apple School Manager. This is only available to local authority administrators.

Warning

The Devices section of Apple School Manager is not scoped. All devices registered in ASM on the Hwb tenant will be visible by all admins, not just your own. Please be very careful that you are acting on the correct devices when making changes.

Information

The MDM server token in Intune will be created by Hwb but needs to be renewed annually by the local authority – see guide on Renew the MDM Token.

iPadOS - Manual enrolment using Apple Configurator for Mac

iPads can also be enrolled directly into Intune using Apple Configurator for Mac. Enrolment configurations are set in the Apple Configurator profile, and the iPad must be physically plugged into the Mac with app installed. Macs cannot be enrolled using this method.

The enrolment process is outlined in Apple Configurator User Guide (Prepare an iPhone, iPad or Apple TV manually in Apple Configurator)

We recommend only showing location services in the Setup Assistant, as that allows it to be turned on to set the correct region.

Information

Remember to rename the devices from Apple Configurator as the default name will be ‘iPad’ otherwise.

Warning

Directly enrolling an iPad using Apple Configurator 2 allows the user to remove the management profile from the iPad within 30 days of enrolment. In iPadOS 14 or later, the device is reset and automatically released from Apple School Manager if the enrolment profile is removed during this period.

Before enrolment, the devices must be authorised in Intune, otherwise the process with fail. You will also need the MDM server URL, which can be exported from the Apple Configurator enrolment profile in Intune.

1. Create a CSV file with the device information – the column headers should be serialnumber, details.
2. Go to Intune -> Devices -> Enroll Devices -> Apple enrollment -> Apple Configurator.
3. Select Devices -> Add.
4. Select an appropriate enrolment profile from the drop-down box.
5. Add the CSV file under Import Devices and select
1. Go to Intune -> Devices -> Enroll Devices -> Apple enrollment -> Apple Configurator
2. Select Profiles
3. Create the profile, if necessary:
  1. Name the profile (this should be prefixed with the school or local authority number)
  2. Select the user affinity required
4. Select the profile
5. Click on Export Profile and make a note of the URL

MacOS - Direct enrolment

Use direct enrollment for macOS devices | Microsoft Learn

With direct enrolment of MacOS, an enrolment profile is downloaded from Intune and installed on the Mac manually. It requires direct physical interaction with the Mac, and sets it up as a device without user affinity (shared device). The Mac must already be setup and logged in with a local admin account.

Open System Preferences -> Sharing.
Change the name of the Mac so that it starts with the relevant device provisioning identifier – this is to satisfy the provisioning devices group rule so the Mac appears in the right scope.
Go to Intune -> Devices -> Enroll Devices -> Apple enrollment -> Apple Configurator
Select Profiles
Create the profile, if necessary:
1. Name the profile (this should be prefixed with the school or local authority number)
2. Select the user affinity required
Select the profile
Click on Export Profile then Download profile.
Install the downloaded profile on the Mac, following the prompts.

It may a little time for the Mac to show in the Intune portal. If the device does not appear after some time, check the device name is correct.

White glove service

The white glove service, available from the reseller at time of purchase, enables the device to be fully setup before being shipped. This means it can be delivered straight to the school and is ready to use immediately.

For iPads, this service adds the device to Apple School Manager and enrols it, installing policies, apps, and updates, and applies any asset tags, screen protectors and cases.

Once the devices have been added to Apple School Manager, the reseller will need to notify an Intune admin in the local authority. The Intune admin will need to assign the devices to the MDM token in Apple School Manager, and the enrolment profile in Intune, before the reseller can continue. They may also need to add the device to additional device groups once enrolled to pick up additional policies or apps.

Apple - Device Enrolment

iPadOS and MacOS - Automatic Device Enrolment

Add devices to Apple School Manager using Apple Configurator

Assign devices to the MDM token in Apple School Manager

Sync devices from Apple School Manager to Intune

Create enrolment profile

Assign enrolment profile

Perform the device enrolment

iPadOS - Manual enrolment using Apple Configurator for Mac

Authorise the devices in Intune

Export the MDM Server URL

MacOS - Direct enrolment

White glove service