The case of the missing Apple Business Manager – or how to choose your vendor

I'm back blogging again, but I'll start with a short post straight from the trenches!

I am working on an MDM project where we are leveraging Microsoft Intune as well as JAMF for Macs. The implementation of Intune (and JAMF) will divide users into three different categories, because they have very different security requirements; that design will be covered in upcoming posts.

When we tested the enrollment process using Apple Business Manager (ABM), we configured the enrollment profile in Intune as shown in the screenshot below:

The Intune Create profile page with "Locked enrollment" highlighted

While there are many parts of this screen that I find interesting, this post will focus on the “Locked enrollment” setting. It is applied to prevent the user from removing the device from management; if management is removed anyway, the device requires a full wipe.

The challenge

We assigned a number of devices to the policy and started with the initial tests. The tests included attempts to remove management from the device, with some surprising results.

We realized that we were not only able to remove the device from management (which, as expected, required the device to be reset) but also from Apple Business Manager!

In the normal case, removing management from an ABM-enrolled device really wouldn’t be a problem. The device is reset, and at the next startup it is forced back into management. That makes it a rather boring device to steal, and it ensures that any sensitive data stored on the device is removed along with management.

In this case, however, we lost the connection to ABM. The device could be set up again without being forced into Intune management, which was not the goal.

The management profile page of an iOS device

Why was this happening? I’ve done plenty of projects where this had worked flawlessly, but this time the result was both a security risk and a surprise.

With some help from my Apple contacts we were able to figure it out. The solution was both an eye-opener for the customer and a good lesson for me.

The cause and the solution

The customer had ensured that when they procured iOS devices, their vendor would add them to ABM automatically, which is something I highly recommend that you do. When I took a look at the vendor, I quickly realized that they lacked the required certifications from Apple to provide this service themselves. After a discussion between the customer and the vendor, we got the following information:

The vendor purchases iOS devices from a number of different distributors, some of which are able to do the ABM upload on behalf of the vendor. That upload is the recommended approach. So far so good. When the vendor needed to deliver larger numbers of devices, however, they sometimes fell back to Apple Configurator for the ABM upload, which is a manual process and something you should avoid if possible.

This also takes us to the core challenge:

https://support.apple.com/en-nz/guide/apple-business-manager/apd200a54d59/web

According to the official documentation:

The user of an ABM-enrolled device that was added using Apple Configurator is able to remove it from “enrolment, supervision and MDM” for a period of 30 days (Apple calls this the provisional period).

The default behavior of Apple Business Manager adds to the challenge. When a new MDM server is added to ABM, the MDM is by default allowed to release devices from ABM on its own. The combination of the two, devices still inside the provisional period and an MDM permitted to release them, caused the issues. In the end the customer wrote a new agreement with the vendor, which requires the vendor to upload devices through its distributors rather than with Apple Configurator.

Server settings page in Apple Business Manager

Learnings and recommendations

So, what have we learned, and what do I advise you as readers to do?

  • Choose your vendor. A verified Apple reseller with official partner status is my strongest recommendation. Don’t go down the cheapest route, since it may cost you in the end.
    • This increasingly applies to vendors and resellers of Windows and Android (especially Samsung) devices as well.
  • Avoid adding devices to ABM using Apple Configurator. It works great for testing and small-scale use, but it is not for production use.
  • Decide if the MDM should be able to release devices from ABM.
    • If not, de-select the option in Apple Business Manager.
  • Test the entire lifecycle of a mobile device when implementing or making changes to an MDM.
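One concrete way to act on the vendor and lifecycle points above is to reconcile what you bought against what Intune actually sees coming from ABM, before devices go to users. The script below is an added example for this post, not code from the author, Apple or Microsoft. It runs offline on constructed sample data: a procurement CSV as a reseller might hand it over, and a JSON document shaped like one page of the Graph beta resource deviceManagement/depOnboardingSettings/{id}/importedAppleDeviceIdentities. The field names used (serialNumber, enrollmentState, isSupervised, isDeleted, lastContactedDateTime) are an assumption about that resource and should be verified against a real response from your tenant before you rely on them.

```python
"""Reconcile purchased iOS serial numbers against the ADE devices Intune
has synced from Apple Business Manager.

Added example, not the post author's or Microsoft's code. Works offline on
constructed sample data; the Graph field names are assumed, not verified.
"""
from __future__ import annotations

import csv
import io
import json
from dataclasses import dataclass, field

# Constructed sample: the serials the reseller claims to have delivered
# and uploaded to ABM under one purchase order.
PROCUREMENT_CSV = """serial,purchase_order
F9FXK1A2B3C4,PO-2023-117
F9FXK1A2B3C5,PO-2023-117
F9FXK1A2B3C6,PO-2023-117
F9FXK1A2B3C7,PO-2023-117
F9FXK1A2B3C8,PO-2023-117
"""

# Constructed sample shaped like one page of the Graph beta resource
# deviceManagement/depOnboardingSettings/{id}/importedAppleDeviceIdentities.
# Serial ...C8 is absent (never uploaded), ...C7 is marked deleted (released
# from ABM, the symptom described in the post), ...C6 never enrolled and
# ...C5 enrolled unsupervised, so locked enrollment cannot be enforced on it.
GRAPH_RESPONSE = json.dumps({
    "value": [
        {"serialNumber": "F9FXK1A2B3C4", "enrollmentState": "enrolled",
         "isSupervised": True, "isDeleted": False,
         "lastContactedDateTime": "2023-09-01T08:12:00Z"},
        {"serialNumber": "F9FXK1A2B3C5", "enrollmentState": "enrolled",
         "isSupervised": False, "isDeleted": False,
         "lastContactedDateTime": "2023-09-01T08:15:00Z"},
        {"serialNumber": "F9FXK1A2B3C6", "enrollmentState": "notContacted",
         "isSupervised": True, "isDeleted": False,
         "lastContactedDateTime": None},
        {"serialNumber": "F9FXK1A2B3C7", "enrollmentState": "enrolled",
         "isSupervised": True, "isDeleted": True,
         "lastContactedDateTime": "2023-08-20T10:00:00Z"},
    ]
})


@dataclass
class Reconciliation:
    missing_from_abm: list[str] = field(default_factory=list)   # bought, never synced
    released_from_abm: list[str] = field(default_factory=list)  # synced once, now deleted
    not_enrolled: list[str] = field(default_factory=list)       # synced, enrollment incomplete
    unsupervised: list[str] = field(default_factory=list)       # enrolled without supervision
    unexpected_in_abm: list[str] = field(default_factory=list)  # in ABM, not on the PO


def parse_procurement(csv_text: str) -> set[str]:
    """Return the set of purchased serials, normalised to upper case."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["serial"].strip().upper() for row in reader if row.get("serial")}


def parse_graph(json_text: str) -> dict[str, dict]:
    """Index one Graph response page by serial number."""
    payload = json.loads(json_text)
    return {d["serialNumber"].strip().upper(): d for d in payload.get("value", [])}


def reconcile(purchased: set[str], synced: dict[str, dict]) -> Reconciliation:
    """Classify each purchased serial by what Intune knows about it."""
    result = Reconciliation()
    for serial in sorted(purchased):
        device = synced.get(serial)
        if device is None:
            result.missing_from_abm.append(serial)
        elif device.get("isDeleted"):
            result.released_from_abm.append(serial)
        elif device.get("enrollmentState") != "enrolled":
            result.not_enrolled.append(serial)
        elif not device.get("isSupervised"):
            result.unsupervised.append(serial)
    result.unexpected_in_abm = sorted(set(synced) - purchased)
    return result


def run(csv_text: str = PROCUREMENT_CSV, json_text: str = GRAPH_RESPONSE) -> Reconciliation:
    return reconcile(parse_procurement(csv_text), parse_graph(json_text))


def report(result: Reconciliation) -> str:
    lines = []
    for label, serials in (
        ("Never uploaded to ABM (chase the vendor)", result.missing_from_abm),
        ("Released from ABM (re-add via Configurator, then investigate)", result.released_from_abm),
        ("Synced but not enrolled", result.not_enrolled),
        ("Enrolled but unsupervised (locked enrollment cannot hold)", result.unsupervised),
        ("In ABM but not on the purchase order", result.unexpected_in_abm),
    ):
        lines.append(f"{label}: {', '.join(serials) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(run()))
```

Run it as part of the acceptance test for every delivery, and again after any change to the enrollment profile or the ABM server settings: a serial that disappears from the synced list between two runs is exactly the release-from-ABM behaviour this post is about.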

More blogs will follow on Microsoft Intune, management of Apple devices and Mobile devices security – stay (in)tuned!

********************************************************************************************************************************

Have you experienced the same with your iOS devices? Then you can always put them back in ABM using, guess what, Apple Configurator! There are plenty of instructions out there, but this video explains it rather well in my opinion.

Adding iOS Devices to DEP with Apple Configurator 2.5