14 DAY FREE TRIAL

No Search Results

No Search Results

14 DAY FREE TRIAL
  1. Help Center
  2. Hexnode Integrations
  3. Apple Business Manager

Category filter

Apple’s Automated Device Enrollment

Jump To

Automated Device Enrollment (ADE) streamlines the deployment of your corporate Apple devices into an MDM environment. Once a device is activated, it is immediately configured, eliminating the need for the IT team to configure it physically. The following documentation shall explain how to use Apple Business Manager with Hexnode.

Note:


Only iOS 7.0.4, iPadOS 13.1, macOS 10.9 and tvOS 10.2 or later devices can be added to ABM.

Automated Device Enrollment Settings

The following steps are to be followed to integrate Hexnode with Apple Business Manager for device enrollment.

  • Go to Enroll > All Enrollments > No-Touch > Apple Business / School Manager.
  • Create an ADE Account and download the certificate file.

Here an ADE server token file is required which is to be uploaded to the portal.
Follow the steps below to download a server token:

    1. Log in to Apple Business Manager page.
    2. Click your name at the bottom left of the screen, and go to Preferences > MDM server assignment.
    3. Click on Add MDM Server button and name the server.
    4. Upload the public key obtained from the MDM console while setting up ADE and click Save.
    5. Click on Download Token.
    6. Log in to the Hexnode portal. Upload the downloaded server token and click on Next and Finish.



Renew the ADE Server Token

Apple ADE Server tokens need to be renewed every year. Therefore, renew the ADE token before the previous one expires.

Pre-approve DEP synced devices

To add ADE-enrolled devices as Pre-approved devices, check the option Add as Pre-approved Device under ADE Settings.
ADE-enrolled

Apple ADE Devices

Under Enroll > All Enrollments > No-Touch > Apple Business/School Manager > Devices, you can view the list of enrolled devices with ADE. The list will include information such as the serial number, model along with the enrollment profiles applied to the device, if any.
Configuring ADE account.

Associate profiles with devices

  1. Select the device.
  2. Click on the Associate Enrollment Profile button at the top. The following window pops up.

    3. Associating ADE Enrollment profile.

  3. Search for the profile you want to associate to the device and then click on Assign.

Sync with Apple Device Enrollment Program

To import devices enrolled in the configured Apple ADE account to the Hexnode portal you have to initiate an ADE sync.
Go to Enroll > All Enrollments > No-Touch > Apple Business/School Manager > ADE Devices > Sync with ADE.
Sync ADE-enrolled devices with the Hexnode portal.

Enrollment Profile

With Hexnode UEM, you can configure Enrollment Profiles and associate it with devices enrolled in Apple’s ADE. By navigating to Enroll > Platform-Specific > iOS/macOS/tvOS > Apple Business/School Manager > Enrollment Profiles, you can view, edit or create new enrollment profiles.

List of ADE Enrollment Profiles.

You can also edit the profile on this page and save it again.

Add a new profile

  1. Navigate to Enroll > Platform-Specific > iOS/macOS/tvOS > Apple Business/School Manager.
  2. Go to Enrollment Profiles.
  3. Click on Create Enrollment Profile.
  4. Fill out all the necessary fields and click on Save.

The following screen pops up with detailed information about the profile.
The following screen pops up with detailed information about the profile.

The following parameters are available to configure in Enrollment profiles:

  • General Settings

    By adjusting the general settings of an enrollment profile, you can configure device settings, choose the authentication mode for enrollment, manage activation lock settings, and set a custom EULA, among other options.

    The following fields lets you fill in the basic details related to the enrollment profile,

    • Display name – A display name of the enrollment profile.
    • Department – Name of the department to which the devices are assigned.
    • Support Phone Number – A contact number for users to reach out to if they need help during setup.
    • Support Email Address – An email address for the users to request support during setup.
    Device Settings
    • Edit device name: Select this setting to edit the device name for the devices to be enrolled. Enter the name for the device in the field provided.
      Note:


      The use of wildcards is allowed.

    • Append number: Select this setting to append numbers to the device name specified under the Edit device name setting. Enter the name for the device in the field provided.
      Note:


      This setting is useful when you want to assign a common name to all associated devices. By appending numbers to the device name specified under Edit device name, you can easily differentiate between the devices (e.g., Devicename-1, Devicename-2, etc.).

    • Enroll devices in MDM: Enabling this option prevents users from bypassing “Remote Management” during initial device setup screen.
    • Enable Supervision: Check this option to make the device supervised upon enrollment.
    • Allow MDM Profile Removal: Check this to make the profile removable after device enrollment. If disabled, users will be blocked from manually removing the MDM profile from the device.
    • Allow iTunes pairing: Check this option to allow users to sync their devices with iTunes. Disabling this option will prevent every iTunes related action. To re-enable it, the device will have to be wiped and re-enrolled.
      Note:


      Supported only on iOS 13 and below.

    Authentication

    Choose the authentication method to be used for enrollment. The following options are available,

    • No authentication: When selected, the admin must choose the Domain and a Default user (available within the chosen domain) to assign the device.
    • Enforce Authentication: When selected, admins must choose the type of users to be enrolled (AD/Microsoft Entra ID/Local/OKTA/Google user). Users will be required to enter their directory or local credentials while enrolling the device.
    Activation Lock
    • Device-based Activation Lock: Enable this option to enforce device-based activation lock on the enrolled devices. The device-based Activation Lock is enabled by Hexnode and is associated with the Managed Apple Account of the user that created the MDM server token in ABM.
    • User-based Activation Lock: Enable this option to enforce User-based Activation Lock on the enrolled devices. Users can enable activation lock on their devices using the credentials of their personal Apple Accounts.
    Note:


    For Device-based Activation Lock, the activation lock cannot be disabled from the device itself. It can only be deactivated through the admin’s ABM portal.

    Custom EULA
    • Choose EULA: Select the necessary EULA. The available options are None, Custom T&C, and Terms of Use.

  • Account Creation

    Configuring Account Creation settings.

    Managed Admin Account

    Using the settings given below you can configure and set up a managed admin account on the devices during the enrollment procedure.

    • Create managed admin account: Enable this option to automatically create the managed admin account on the device during device enrollment.
      Note:


      Supported only on devices running macOS 10.11 or later.

    • Choose admin account: Choose an admin account to set up on the device. You can select an admin account from the drop-down if one was already set up during the configuration of previous enrollment profiles. You can also create a new admin account on the device by clicking on +Create new Account and fill in the details in the fields described below.
      • Full name : Enter the full name of the admin account.
      • Password : Enter the password for the admin account.
      • Account name : Enter the account name for the admin account.
      Note:

      • The Account name will be used as the name for the user’s home folder on the device.
      • To log in to the device, the user can use the Full name or Account name.
      • The use of wildcards is supported for the fields above.

    • Hide account from Login Window and Users & Groups: If this option is enabled, the account will be hidden from System Preferences > Users & Groups on the user’s Mac. Enabling this option will also hide the account name and only display the password prompt on the login window.
    Local User Account Creation

    Configure this setting to enforce users to create a local account during the device setup process. The following settings are available:

    • Account type: Choose the account type for local account creation. The available options are Administrator, Standard or you can choose Skip account creation.
      Note:

      • The option Create managed admin account must be enabled to enforce Standard account creation or Skip account creation.
      • The account creation step can be bypassed by selecting the Skip account creation option.

    • Autofill user’s full name: Enable this option to auto-populate Full name and Account Name for the local user account with the admin credentials specified under Managed Admin Account.
      Note:


      Supported on macOS 10.15+.

    • Lock user’s full name: If enabled, Full name and Account name of the user cannot be edited during account creation.

  • Setup Assistant

    Configuring Setup assistant settings.

    Hexnode UEM allows you to configure which panes are shown to the user in the Setup Assistant screen. You can also choose to skip the screen entirely.

    • Automatically advance through Setup Assistant: If enabled, the Setup Assistant screen will be skipped during enrollment.
      Note:


      Supported only on macOS 11+ and tvOS devices.

    • Default Language: Set the default language for the device.
      Note:


      Supported only on macOS 11+ and tvOS devices.

    • Default region: Set the default region.
      Note:


      Supported only on macOS 11+ and tvOS devices.

    • Don’t show the selected steps: With Hexnode you can have a customized setup experience for your ABM enrolled devices. Check the boxes corresponding to steps that you want to avoid during Apple devices’ setup.
    Available options
    All ADE Devices
    SetUp Assistant Options Supported versions Description
    Apple ID
    • iOS 7.0+
    • tvOS 10.2+
    • macOS 10.9+
    		 Skip Apple ID setup.
    Biometric
    • iOS 8.1+
    • macOS 10.12.4+
    		 Skip biometric setup.
    True Tone Display
    • iOS 9.3.2+
    • macOS 10.13.6+
    		 Skip True Tone Display pane.
    Apple Pay
    • iOS 8.1+
    • macOS 10.12.4+
    		 Skip Apple Pay setup.
    Restore
    • iOS 7.0+
    • macOS 10.9+
    		 Disable restoring from backup.
    Screen Time
    • iOS 12.0+
    • macOS 10.15+
    		 Skip the Screen Time pane.
    Appearance
    • iOS 13.0+
    • macOS 10.14+
    		 Skip the Choose Your Look window.
    Diagnostics
    • iOS 7.0+
    • tvOS 10.2+
    • macOS 10.9+
    		 Skip sending diagnostic information to Apple.
    Location Services
    • iOS 7.0+
    • macOS 10.11+
    		 Skip setting up Location Services.
    Privacy
    • iOS 11.3+
    • tvOS 11.3+
    • macOS 10.13.4+
    		 Skips the privacy pane.
    Siri
    • iOS 7.0+
    • tvOS 10.2+
    • macOS 10.12+
    		 Disable users from configuring Siri.
    Terms and Conditions
    • iOS 7.0+
    • tvOS 10.2+
    • macOS 10.9+
    		 Hide terms and conditions from the user.


    iOS only
    SetUp Assistant Options Supported versions Description
    Move from Android iOS 9.0+ Remove Move from Android option from the Restore pane.
    Keyboard iOS 11.0+ Skip the Keyboard pane.
    Watch Migration iOS 11.0+ Skip the screen for watch migration.
    iMessage and Face Time iOS 12.0+ Skip the iMessage and FaceTime screen.
    Passcode iOS 7.0+ Hides and disables the passcode pane.
    SIM Setup iOS 12.0+ Skip the add cellular plan pane.
    Onboarding iOS 11.0+ Skip on-boarding informational screens.
    Software Update iOS 12.0+ Skip the mandatory software update screen.
    Home Button Sensitivity iOS 10.0+ Skip the Home Button screen.
    Device to Device Migration iOS 13.0+ Skip Device to Device Migration pane.
    Zoom iOS 8.3+ Skip the Zoom pane which shows larger text and controls.
    Welcome/Get Started iOS 13.0+ Skip the Get Started pane.


    macOS only
    SetUp Assistant Options Supported versions Description
    FileVault macOS 10.10+ Disable FileVault Setup Assistant screen.
    iCloud Storage macOS 10.13.4+ Skip iCloud Documents and Desktop screen.
    iCloud Analytics macOS 10.12.4+ Skip the iCloud Analytics screen.
    Registration macOS 10.9+ Prevent users from filling out the registration form and send it to Apple.


    tvOS only
    SetUp Assistant Options Supported versions Description
    Screen Saver tvOS 10.2+ Skip setting up screen saver.
    TV Home Screen Sync tvOS 11.0+ Skip TV home screen layout sync screen.
    Where is this Apple TV? tvOS 11.4+ Prevent user from selecting the room for the Apple TV.
    Set up your Apple TV tvOS 10.2+ Prevent users from configuring their Apple TV.
    Sign In to your TV provider tvOS 11.0+ Skip the TV provider sign in screen.

  • App Packages

    Configuring app packages in enrollment profile.

    To install required app packages on the device during the enrollment procedure,

    1. Click on Configure.
    2. Click on +Add to either add an app or a group of apps from the app inventory.
    3. Select the necessary apps and click on Done.

  • Shared Device Settings

    Configuring Shared Device settings.

    Note:


    Shared Device Settings is only supported on iPads running iPadOS 13.3 and later and added to Apple Business Manager or Apple School Manager organizations that are using X-Server-Protocol-Version 2 and later.


    You can configure the settings for shared iPads using the options below,
    • Enable shared device: Select this option to enable the shared device mode.
    • Configuration mode: Configure whether the device allows multiple users or allows temporary sessions only. There are two modes available:
      • User mode
      • Guest mode

      • Note:


      Guest mode is available only on devices running iOS 14.5, iPadOS 14.5 and later.

    The settings available to configure under User mode are the following,

    • Allocate storage based on: Select the method by which the storage allocation per user will be decided. There are two options available:
      • Number of users
      • Per-user quota
    • Expected number of users (for Number of users): Set the expected number of users. The available storage will be equally distributed amongst the specified number of users.
      If any additional space is needed for a new user, the local data for the oldest user is removed.
    • Per-user quota (for Per-user quota): Specify the storage quota allocated to each user. If any additional space is needed for a new user, the local data for the oldest user is removed.
    • Domains: Specify the domains to be displayed on the iPad login screen.
      Note:


      Supported only on iOS 16 and later versions

    • Skip Language and Locale: If enabled, the Language and Locale will be picked by the system for a new user.
      Note:


      Supported only on iOS 16.2 and later versions

    • Auto-Lock: Set the period of inactivity after which the device will be locked automatically.
      Note:


      Supported only on iOS 14.5 and later versions.

    • User timeout: Set the period of inactivity after which the user is logged out.
      Note:


      Supported only on iOS 14.5 and later versions.

    • Guest timeout: Set the period of inactivity after which the guest is logged out.
      Note:


      Supported only on iOS 14.5 and later versions.

    • Require Authentication: Specify the period after which a user is required to complete an online authentication (against Apple’s identity server).
      Note:


      Supported only on iOS 16 and later versions.

    • Passcode grace period: Specify the period up to which a user can unlock their account without using passcode.

    The settings available to configure under Guest mode are the following,

    • Auto-Lock: Set the period of inactivity after which the device will be locked automatically.
    • Guest timeout: Set the period of inactivity after which the guest is logged out.

  • Associate Policy

    Associating policy through Enrollment Profile.
    You can configure the devices by associating policies during the device enrollment procedure.

    1. Click Configure.
    2. Next, click on +Associate Policy.
    3. Select the required policies and click on Done.

View the details of any profile

  1. Navigate to Enroll > Platform-Specific > iOS/macOS/tvOS > Apple Business/School Manager.
  2. Go to Enrollment Profiles.
  3. Click on the name of the enrollment profile.
  4. The following screen pops up with detailed information about the profile.

The following screen pops up with detailed information about the profile.

You can also edit the profile on this page and save it again.

ADE Enrollment

If you have a non-activated device, start setting it up and get it connected to the internet. If you have an already activated device, reset the device to its factory settings and then activate it. Once it is connected to the internet, the user will be prompted to enable remote management for the device. This will enable MDM administration on the device. Note that the user can bypass this process if “Enroll Devices in MDM” is not enabled on the ADE Enrollment Profile.

Multiple ADE Account Management

You can configure multiple ADE accounts in Hexnode. So, even if your Apple devices are registered to different ADE accounts, you can enroll them in Hexnode by configuring all the ADE accounts in the Hexnode portal.
To configure multiple ADE accounts,

  1. Go to Enroll > All Enrollments > No Touch > Apple Business/School Manager > ADE Accounts.
  2. Click on Add ADE Account.
  3. Follow the same procedure to complete the configuration.

To sync all ADE accounts to Hexnode, click on Sync all ADE accounts. This will automatically import all the devices associated with the ADE accounts to Hexnode.

Need more help?
Raise a Ticket Raise a Ticket
Ask Community Ask Community
Chat With us Chat With us
  • Hexnode Integrations